Real valued negative selection for anomaly detection in wireless ad hoc networks

Wireless ad hoc network is one of the network technologies that have gained lots of attention from computer scientists for the future telecommunication applications. However it has inherits the major vulnerabilities from its ancestor (i.e., the fixed wired networks) but cannot inherit all the conventional intrusion detection capabilities due to its features and characteristics. Wireless ad hoc network has the potential to become the de facto standard for future wireless networking because of its open medium and dynamic features. Non-infrastructure network such as wireless ad hoc networks are expected to become an important part of 4G architecture in the future. In this paper, we study the use of an Artificial Immune System (AIS) as anomaly detector in a wireless ad hoc network. The main goal of our research is to build a system that can learn and detect new and unknown attacks. To achieve our goal, we studied how the real-valued negative selection algorithm can be applied in wireless ad hoc network network and finally we proposed the enhancements to real-valued negative selection algorithm for anomaly detection in wireless ad hoc network

Метод формування базових детекційних правил для систем виявлення вторгнень

Due to the intensive development of digital business, malicious software and other cyber threats become more and more common. To increase the security level there is a need of relevant special control, which can remain effective when new types of threats are appeared and allows to detect the cyber attacks in fuzzy conditions targeting on many different resources of information systems. The various attacking effects on appropriate resources, generate different sets of anomalies in the heterogeneous parametric environment. It is also known the tuple model of set formation of basic components allowing us to detect cyber attacks. For its effective use it is required a formal approach implementation towards the sets formation of basic detection rules. With this objective the method focused on cyber attacks detection in computer systems was developed. This method is realized through three basic stages: formation of subsets of the anomalous IDs; the formation of critical functions; formation of a conditional detection expression. Using this method, it is possible to generate the necessary set of detection rules that determine the level of abnormal condition of values in the heterogeneous parametric environment. The implementation of this method in building intrusion detection systems will expand their functionality with respect to the cyber attacks detection in the weakly-formalized fuzzy environment.Вследствие интенсивного развития цифрового бизнеса, вредоносное программное обеспечение и другие киберугрозы становятся все более распространенными. Для повышения уровня безопасности необходимы соответствующие специальные средства противодействия, которые способны оставаться эффективными при появлении новых видов угроз и позволяющие в нечетких условиях выявить кибератаки, ориентированные на множество ресурсов информационных систем. Различные атакующие воздействия на соответствующие ресурсы порождают различные множества аномалий в гетерогенной параметрической среде окружения. Известна кортежная модель формирования набора базовых компонент, которые позволяют выявить кибератаки. Для ее эффективного применения необходима формальная реализация подхода к формированию наборов базовых детекционных правил. С этой целью разработан метод, ориентированный на решение задач выявления кибератак в компьютерных системах, который реализуется посредством трех базовых этапов: формирование подмножеств идентификаторов аномальности; формирование решающих функций; формирование условных детекционных выражений. С помощью такого метода можно сформировать необходимое множество детекционных правил, по которым определяется уровень аномального состояния величин в гетерогенной параметрической среде окружения, характерный для воздействия определенного типа атак. Использование данного метода при построении систем обнаружения вторжений позволит расширить их функциональные возможности относительно выявления кибератак в слабоформализованной нечеткой среде окружения.Внаслідок інтенсивного розвитку цифрового бізнесу, шкідливе програмне забезпечення та інші кіберзагрози стають все більш поширеними. Для підвищення рівня безпеки необхідні відповідні спеціальні засоби протидії, які здатні залишатися ефективними при появі нових видів загроз і дозволяють в нечітких умовах виявити кібератаки орієнтовані на множини ресурсів інформаційних систем. Різні атакуючі впливи на відповідні ресурси породжують різні множини аномалій в гетерогенному параметричному середовищі оточення. Відома кортежна модель формування набору базових компонент, що дозволяють виявити кібератаки. Для її ефективного застосування необхідна формальна реалізація підходу до формування наборів базових детекційних правил. З цією метою розроблено метод, орієнтований на вирішення задач виявлення кібератак в комп'ютерних системах, який реалізується за допомогою трьох базових етапів: формування підмножин ідентифікаторів аномальності; формування вирішальних функцій; формування умовних детекційних виразів. За допомогою такого методу можна сформувати необхідну множину детекційних правил, за якими визначається рівень аномального стану величин в гетерогенному параметричному середовищі оточення, характерний для впливу певного типу атак. Використання даного методу при побудові систем виявлення вторгнень дозволить розширити їх функціональні можливості, щодо виявлення кібератак в слабоформалізованому нечіткому середовищі оточення

Fault detection and prediction with application to rotating machinery

In this thesis, the detection and prediction of faults in rotating machinery is undertaken and presented in two papers. In the first paper, Principal Component Analysis (PCA), a well known data-driven dimension reduction technique, is applied to data for normal operation and four fault conditions from a one-half horsepower centrifugal water pump. Fault isolation in this scheme is done by observing the location of the data points in the Principal Component domain, and the time to failure (TTF) is calculated by applying statistical regression on the resulting PC scores. The application of the proposed scheme demonstrated that PCA was able to detect and isolate all four faults. Additionally, the TTF calculation for the impeller failure was found to yield satisfactory results. On the other hand, in the second paper, the fault detection and failure prediction are done by using a model based approach which utilizes a nonlinear observer consisting of an online approximator in discrete-time (OLAD) and a robust adaptive term. Once a fault has been detected, both the OLAD and the robust adaptive term are initiated and the OLAD then utilizes its update law to learn the unknown dynamics of the encountered fault. While in similar applications it is common to use neural networks to be used for the OLAD, in this paper an Artificial Immune System (AIS) is used for the OLAD. The proposed approach was verified through implementation on data from an axial piston pump. The scheme was able to satisfactorily detect and learn both an incipient piston wear fault and an abrupt sensor failure --Abstract, page iv

A prototype for network intrusion detection system using danger theory

Network Intrusion Detection System (NIDS) is considered as one of the last defense mechanisms for any organization. NIDS can be broadly classified into two approaches: misuse-based detection and anomaly-based detection. Misuse-based intrusion detection builds a database of the well-defined patterns of the attacks that exploit weaknesses in systems and network protocols, and uses that database to identify the intrusions. Although this approach can detect all the attacks included in the database, it leads to false negative errors where any new attack not included in that database can’t be detected. The other approach is the anomaly-based NIDS which is developed to emulate the Human Immune System (HIS) and overcome the limitation of the misuse-based approach. The anomaly-based detection approach is based on Negative Selection (NS) mechanism. NS is based on building a database of the normal self patterns, and identifying any pattern not included in that database as a non-self pattern and hence the intrusion is detected. Unfortunately, NS concept has also its drawbacks. Although any attack pattern can be detected as a non-self pattern and this leads to low false negative rate, non-self patterns would not necessarily indicate the existence of intrusions. So, NS has a high false positive error rate caused from that assumption. Danger Theory (DT) is a new concept in HIS, which shows that the response mechanism in HIS is more complicated and beyond the simple NS concept. So, is it possible to utilize the DT to minimize the high false positive detection rate of NIDS? This paper answers this question by developing a prototype for NIDS based on DT and evaluating that prototype using DARPA99 Intrusion Detection dataset

Unsupervised Intrusion Detection with Cross-Domain Artificial Intelligence Methods

Cybercrime is a major concern for corporations, business owners, governments and citizens, and it continues to grow in spite of increasing investments in security and fraud prevention. The main challenges in this research field are: being able to detect unknown attacks, and reducing the false positive ratio. The aim of this research work was to target both problems by leveraging four artificial intelligence techniques. The first technique is a novel unsupervised learning method based on skip-gram modeling. It was designed, developed and tested against a public dataset with popular intrusion patterns. A high accuracy and a low false positive rate were achieved without prior knowledge of attack patterns. The second technique is a novel unsupervised learning method based on topic modeling. It was applied to three related domains (network attacks, payments fraud, IoT malware traffic). A high accuracy was achieved in the three scenarios, even though the malicious activity significantly differs from one domain to the other. The third technique is a novel unsupervised learning method based on deep autoencoders, with feature selection performed by a supervised method, random forest. Obtained results showed that this technique can outperform other similar techniques. The fourth technique is based on an MLP neural network, and is applied to alert reduction in fraud prevention. This method automates manual reviews previously done by human experts, without significantly impacting accuracy

An Evolutionary Algorithm to Generate Ellipsoid Detectors for Negative Selection

Negative selection is a process from the biological immune system that can be applied to two-class (self and nonself) classification problems. Negative selection uses only one class (self) for training, which results in detectors for the other class (nonself). This paradigm is especially useful for problems in which only one class is available for training, such as network intrusion detection. Previous work has investigated hyper-rectangles and hyper-spheres as geometric detectors. This work proposes ellipsoids as geometric detectors. First, the author establishes a mathematical model for ellipsoids. He develops an algorithm to generate ellipsoids by training on only one class of data. Ellipsoid mutation operators, an objective function, and a convergence technique are described for the evolutionary algorithm that generates ellipsoid detectors. Testing on several data sets validates this approach by showing that the algorithm generates good ellipsoid detectors. Against artificial data sets, the detectors generated by the algorithm match more than 90% of nonself data with no false alarms. Against a subset of data from the 1999 DARPA MIT intrusion detection data, the ellipsoids generated by the algorithm detected approximately 98% of nonself (intrusions) with an approximate 0% false alarm rate

Metabolic profiling on 2D NMR TOCSY spectra using machine learning

Due to the dynamicity of biological cells, the role of metabolic profiling in discovering biological fingerprints of diseases, and their evolution, as well as the cellular pathway of different biological or chemical stimuli is most significant. Two-dimensional nuclear magnetic resonance (2D NMR) is one of the fundamental and strong analytical instruments for metabolic profiling. Though, total correlation spectroscopy (2D NMR 1H -1H TOCSY) can be used to improve spectral overlap of 1D NMR, strong peak shift, signal overlap, spectral crowding and matrix effects in complex biological mixtures are extremely challenging in 2D NMR analysis. In this work, we introduce an automated metabolic deconvolution and assignment based on the deconvolution of 2D TOCSY of real breast cancer tissue, in addition to different differentiation pathways of adipose tissue-derived human Mesenchymal Stem cells. A major alternative to the common approaches in NMR based machine learning where images of the spectra are used as an input, our metabolic assignment is based only on the vertical and horizontal frequencies of metabolites in the 1H-1H TOCSY. One- and multi-class Kernel null foley–Sammon transform, support vector machines, polynomial classifier kernel density estimation, and support vector data description classifiers were tested in semi-supervised learning and novelty detection settings. The classifiers’ performance was evaluated by comparing the conventional human-based methodology and automatic assignments under different initial training sizes settings. The results of our novel metabolic profiling methods demonstrate its suitability, robustness, and speed in automated nontargeted NMR metabolic analysis

A control-theoretical fault prognostics and accommodation framework for a class of nonlinear discrete-time systems

Fault diagnostics and prognostics schemes (FDP) are necessary for complex industrial systems to prevent unscheduled downtime resulting from component failures. Existing schemes in continuous-time are useful for diagnosing complex industrial systems and no work has been done for prognostics. Therefore, in this dissertation, a systematic design methodology for model-based fault prognostics and accommodation is undertaken for a class of nonlinear discrete-time systems. This design methodology, which does not require any failure data, is introduced in six papers. In Paper I, a fault detection and prediction (FDP) scheme is developed for a class of nonlinear system with state faults by assuming that all the states are measurable. A novel estimator is utilized for detecting a fault. Upon detection, an online approximator in discrete-time (OLAD) and a robust adaptive term are activated online in the estimator wherein the OLAD learns the unknown fault dynamics while the robust adaptive term ensures asymptotic performance guarantee. A novel update law is proposed for tuning the OLAD parameters. Additionally, by using the parameter update law, time to reach an a priori selected failure threshold is derived for prognostics. Subsequently, the FDP scheme is used to estimate the states and detect faults in nonlinear input-output systems in Paper II and to nonlinear discrete-time systems with both state and sensor faults in Paper III. Upon detection, a novel fault isolation estimator is used to identify the faults in Paper IV. It was shown that certain faults can be accommodated via controller reconfiguration in Paper V. Finally, the performance of the FDP framework is demonstrated via Lyapunov stability analysis and experimentally on the Caterpillar hydraulics test-bed in Paper VI by using an artificial immune system as an OLAD --Abstract, page iv

Quality of service analysis of internet links with minimal information

Tesis doctoral inédita. Universidad Autónoma de Madrid, Escuela Politécnica Superior, julio de 201