104 research outputs found

    The Cooperative Defense Overlay Network: A Collaborative Automated Threat Information Sharing Framework for a Safer Internet

    With the ever-growing proliferation of hardware- and software-based computer security exploits and the increasing power and prominence of distributed attacks, network and system administrators are often forced to make a difficult decision: expend tremendous resources defending against sophisticated and continually evolving attacks from an increasingly dangerous Internet, with varying levels of success; or expend fewer resources defending against common attacks on "low-hanging fruit", hoping to avoid the less common but devastating zero-day worm or botnet attack. Home networks and small organizations are usually forced to choose the latter option and are thereby left vulnerable to all but the simplest attacks. While automated tools exist for sharing information about network-based attacks, this sharing is typically limited to administrators of large networks and dedicated security-conscious users, to the exclusion of smaller organizations and novice home users. In this thesis we propose a framework for a cooperative defense overlay network (CODON) in which participants with varying technical abilities and resources can contribute to the security and health of the Internet via automated crowdsourcing, rapid information sharing, and the principle of collateral defense.

    Web spider defense technique in wireless sensor networks

    Wireless sensor networks (WSNs) are currently widely used in many environments. Some of them gather critical data that should be protected from intruders. Generally, when an intruder is detected in a WSN, its connection is stopped immediately, but this does not let the network administrator gather information about the attacker or its purposes. In this paper, we present a bioinspired system that follows the procedure a web spider uses when it wants to catch its prey. We explain how each step performed by the web spider is included in our system, and we detail the algorithm and the protocol procedure. A real test bench has been implemented to validate the system; it shows the performance for different response times, the CPU and RAM consumption, and the average and maximum ping and tracert response times using constant delay and exponential jitter.
    This work has been partially supported by the "Ministerio de Ciencia e Innovacion", through the "Plan Nacional de I+D+i 2008-2011" in the "Subprograma de Proyectos de Investigacion Fundamental", Project TEC2011-27516.
    Cánovas Solbes, A.; Lloret, J.; Macias Lopez, EM.; Suarez Sarmiento, A. (2014). Web spider defense technique in wireless sensor networks. International Journal of Distributed Sensor Networks. 2014:1-7. https://doi.org/10.1155/2014/348606

    Improving intrusion detection systems using data mining techniques

    Recent surveys and studies have shown that cyber-attacks have caused a great deal of damage to organisations, governments, and individuals around the world. Although the computer security field is constantly developing, cyber-attacks still cause damage because attackers keep developing and evolving them. This research looked at some industrial challenges in the intrusion detection area and identified two main ones. The first is that signature-based intrusion detection systems such as Snort cannot detect attacks with new signatures without human intervention. The second concerns multi-stage attack detection, where signature-based detection has been found to be ineffective. The novelty of this research lies in the methodologies developed to tackle these challenges. The first challenge was handled by developing a multi-layer classification methodology. The first layer is based on a decision tree, while the second layer is a hybrid module that uses two data mining techniques, a neural network and fuzzy logic, and attempts to detect new attacks when the first layer fails to do so. The system detects attacks with new signatures and then updates the Snort signature store automatically, without any human intervention. The results show a high detection rate for attacks with new signatures; however, the false positive rate still needs to be lowered. The second challenge was approached by evaluating IP information using fuzzy logic. This approach looks at the identity of the participants in the traffic rather than at the sequence and contents of the traffic. The results show that it can help predict attacks at a very early stage in some scenarios.
    However, combining this approach with one that looks at the sequence and contents of the traffic, such as event correlation, achieves better performance than either approach on its own.
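    The two-layer scheme and the automatic signature update described above, as an added worked example. This is not the thesis's code: the first layer is a hand-coded decision tree rather than a trained one, the second layer is a small fuzzy-logic scorer (the thesis's neural network is omitted), the source-reputation table stands in for the "IP information" of the second approach, the 0.75/0.5 confidence cut-offs are choices made here, and all flows are constructed. The generated rules use Snort 2 option keywords (msg, flags, detection_filter, flow, sid, rev) and the local SID range starting at 1,000,000.

```python
"""Two-layer flow classifier that auto-generates Snort rules for novel detections.

Added illustration, not the thesis's implementation: layer 1 is a hand-coded
decision tree, layer 2 is a small fuzzy-logic scorer (the thesis also uses a
neural network, omitted here), and flows and reputation values are constructed.
"""
from dataclasses import dataclass

LOCAL_SID_START = 1_000_000       # Snort reserves sid >= 1,000,000 for local rules
AUTO_RULE_MIN_CONFIDENCE = 0.75   # assumed cut-off below which no rule is written
ALERT_MIN_CONFIDENCE = 0.5        # assumed cut-off below which the flow is benign

# Constructed source-reputation table standing in for the "IP information" the
# second approach evaluates (1.0 = fully trusted; unknown sources get 0.5).
REPUTATION = {"203.0.113.7": 0.1, "198.51.100.20": 0.9}


@dataclass
class Flow:
    src_ip: str
    dst_port: int
    proto: str
    pkts: int
    syn_only_ratio: float    # share of packets that were bare SYNs, 0..1
    payload_entropy: float   # mean Shannon entropy of payload bytes, 0..8


def layer1_decision_tree(f):
    """Crisp, signature-like splits. Returns a label, or None when unknown."""
    if f.proto == "tcp" and f.syn_only_ratio > 0.9 and f.pkts >= 50:
        return "syn_flood"
    if f.proto == "tcp" and f.dst_port == 23:
        return "telnet_probe"
    return None


def ramp(x, lo, hi):
    """Membership rising linearly from 0 at lo to 1 at hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def layer2_fuzzy(f):
    """Fuzzy 'attack-like' score blending payload features with source identity."""
    high_entropy = ramp(f.payload_entropy, 6.0, 7.5)   # packed/encrypted payload
    scan_like = ramp(f.syn_only_ratio, 0.5, 0.9)       # many bare SYNs
    untrusted = 1.0 - REPUTATION.get(f.src_ip, 0.5)
    content = max(high_entropy, scan_like)             # fuzzy OR of content features
    score = min(1.0, 0.7 * content + 0.3 * untrusted)  # weighted blend with identity
    kind = "novel_scan" if scan_like > high_entropy else "novel_high_entropy"
    return score, kind


def snort_rule(f, label, sid):
    """Render a Snort 2 rule for the flow using standard rule options."""
    opts = [f'msg:"AUTO {label} src {f.src_ip}"']
    if label == "novel_scan":
        opts += ["flags:S", "detection_filter:track by_src, count 50, seconds 10"]
    else:
        opts.append("flow:to_server,established")
    opts += [f"sid:{sid}", "rev:1"]
    return f"alert {f.proto} {f.src_ip} any -> $HOME_NET {f.dst_port} ({'; '.join(opts)};)"


def classify(f, next_sid=LOCAL_SID_START):
    """Returns (label, layer, confidence, rule-or-None)."""
    label = layer1_decision_tree(f)
    if label:
        return label, 1, 1.0, None            # known signature, nothing to learn
    score, kind = layer2_fuzzy(f)
    if score >= AUTO_RULE_MIN_CONFIDENCE:
        return kind, 2, score, snort_rule(f, kind, next_sid)
    if score >= ALERT_MIN_CONFIDENCE:
        return kind, 2, score, None           # alert for a human, no automatic rule
    return "benign", 2, score, None


# Constructed sample flows.
SAMPLE_FLOWS = {
    "syn_flood":   Flow("203.0.113.7", 80, "tcp", 200, 0.98, 0.0),
    "novel_c2":    Flow("203.0.113.7", 4444, "tcp", 30, 0.10, 7.6),
    "tls_trusted": Flow("198.51.100.20", 443, "tcp", 40, 0.05, 7.9),
    "quiet":       Flow("192.0.2.5", 443, "tcp", 10, 0.10, 3.0),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(name, classify(flow))
```

    The "tls_trusted" flow is the false-positive case the abstract warns about: TLS payload is as high-entropy as a packed implant, so a content-only second layer would score it 1.0 and write a rule blocking a legitimate peer. Blending in the source identity pulls it just under the rule-writing threshold (0.73), which is the point of combining the identity-based and content-based approaches. In practice the cut-offs and weights would be tuned against a labelled corpus rather than chosen by hand.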

    Honeypot for Wireless Sensor Networks

    People have come to understand that computer systems need safeguarding and that their protection requires knowledge of security principles. While this has led to solutions for system components such as malware protection, firewalls and intrusion detection systems, the ubiquitous use of tiny microcomputers has appeared at the same time. A new interconnectivity is on the rise in our lives: things become "smart" and increasingly form new networks of devices. In this context wireless sensor networks interact with users and, vice versa, users interact with them; as a result, unprivileged users who can interact with a wireless sensor network may harm its privileged user. The problem to be solved is the harm an unprivileged user can cause by interacting with the wireless sensor network of a privileged user, via an attack vector targeting a vulnerability, over as long a period as the attacker needs. Such misbehaviour can only be detected if a sensing component is implemented as a tool that observes the status of the attacked wireless sensor network component and records the problem as an event to be investigated further. Innovation in attack detection comprehension is the key aspect of this work, because the field was found to be a set of hitherto uncombined aspects, mechanisms, drafts and sketches lacking a central combined outcome. Therefore the contribution of this thesis spans a range of topics, starting with a summary of attacks and possible countermeasures and a sketch of the intended outcome, proceeding to the design and implementation of a viable product, and concluding with an outlook on possible further work. The chosen path was experimental prototype construction following an established research method that first analyses the attack vectors against the system component and then evaluates the possibilities for improving on it.
    This led to a concept well known in large-scale computer systems, the honeypot. Its common definitions and setups were analysed and the translation of the concept to the wireless sensor network domain was evaluated. Then the prototype was designed and implemented, following the approach set by the science of cybersecurity, which holds that the results of experiments and prototypes deliberately improve knowledge for re-use.

    Network Intrusion Detection System:A systematic study of Machine Learning and Deep Learning approaches

    The rapid advances in the internet and communication fields have resulted in a huge increase in the network size and the corresponding data. As a result, many novel attacks are being generated and have posed challenges for network security to accurately detect intrusions. Furthermore, the presence of intruders with the aim to launch various attacks within the network cannot be ignored. An intrusion detection system (IDS) is one such tool that prevents the network from possible intrusions by inspecting the network traffic, to ensure its confidentiality, integrity, and availability. Despite enormous efforts by the researchers, IDS still faces challenges in improving detection accuracy while reducing false alarm rates and in detecting novel intrusions. Recently, machine learning (ML) and deep learning (DL)-based IDS systems are being deployed as potential solutions to detect intrusions across the network in an efficient manner. This article first clarifies the concept of IDS and then provides the taxonomy based on the notable ML and DL techniques adopted in designing network-based IDS (NIDS) systems. A comprehensive review of the recent NIDS-based articles is provided by discussing the strengths and limitations of the proposed solutions. Then, recent trends and advancements of ML and DL-based NIDS are provided in terms of the proposed methodology, evaluation metrics, and dataset selection. Using the shortcomings of the proposed methods, we highlighted various research challenges and provided the future scope for the research in improving ML and DL-based NIDS.

    Modélisation formelle des systèmes de détection d'intrusions

    The cybersecurity ecosystem continuously evolves in the number, diversity and complexity of attacks, and detection tools become ineffective against some of them. Three types of intrusion detection system are generally distinguished: anomaly-based, signature-based and hybrid. Anomaly-based detection characterises the usual behaviour of the system, typically statistically; it can detect known and unknown attacks but also generates a very large number of false positives. Signature-based detection detects known attacks by defining rules that describe known attacker behaviour, which requires good knowledge of that behaviour. Hybrid detection relies on several detection methods, including the previous ones, and has the advantage of being more precise. Tools such as Snort and Zeek offer low-level languages for expressing attack recognition rules. Since the number of potential attacks is very large, these rule bases quickly become hard to manage and maintain. Moreover, expressing stateful rules that recognise a sequence of events is particularly arduous. In this thesis we propose a stateful approach based on algebraic state-transition diagrams (ASTDs) to identify complex attacks. ASTDs give a graphical and modular representation of a specification, which eases maintenance and understanding of the rules. We extend the ASTD notation with new features for representing complex attacks. We then specify several attacks in the extended notation and run the resulting specifications on event streams with an interpreter to identify attacks. We also compare the interpreter's performance with industrial tools such as Snort and Zeek.
    Finally, we build a compiler that generates executable code from an ASTD specification, capable of efficiently identifying sequences of events.
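    What a stateful rule over a sequence of events looks like in practice, as an added example. This is not the thesis's ASTD interpreter or compiler and uses none of the ASTD notation: it is a plain finite-state machine driven by a transition table with guards and actions, instantiated once per source address so that interleaved sequences from different sources keep separate state (an ad hoc substitute for what ASTDs express with operators). The rule, "at least three failed logins within 60 seconds followed by a success from the same source", the thresholds, and the authentication events are all constructed here.

```python
"""Stateful detection of an event sequence over a log stream.

Added illustration, not the thesis's ASTD interpreter or compiler: a plain
per-source finite-state machine driven by a transition table with guards, to
show the kind of multi-event rule that a single stateless signature cannot
express. The authentication events below are constructed.
"""

WINDOW = 60           # seconds: failures older than this are forgotten
FAIL_THRESHOLD = 3    # failures required before a following success is a hit

# Constructed log: one dict per event, time in seconds.
EVENTS = [
    {"t": 0,   "src": "203.0.113.7",   "kind": "login_fail"},
    {"t": 2,   "src": "203.0.113.7",   "kind": "login_fail"},
    {"t": 3,   "src": "198.51.100.20", "kind": "login_fail"},
    {"t": 4,   "src": "203.0.113.7",   "kind": "login_fail"},
    {"t": 5,   "src": "203.0.113.7",   "kind": "login_ok"},
    {"t": 6,   "src": "198.51.100.20", "kind": "login_ok"},
    {"t": 100, "src": "192.0.2.9",     "kind": "login_fail"},
    {"t": 200, "src": "192.0.2.9",     "kind": "login_fail"},
    {"t": 300, "src": "192.0.2.9",     "kind": "login_fail"},
    {"t": 301, "src": "192.0.2.9",     "kind": "login_ok"},
]


def prune(ctx, now):
    """Drop failure timestamps that have fallen out of the window."""
    ctx["fails"] = [t for t in ctx["fails"] if now - t <= WINDOW]


def record_fail(ctx, ev):
    prune(ctx, ev["t"])
    ctx["fails"].append(ev["t"])


def enough_fails(ctx, ev):
    prune(ctx, ev["t"])
    return len(ctx["fails"]) >= FAIL_THRESHOLD


def reset(ctx, ev):
    ctx["fails"] = []


def always(ctx, ev):
    return True


# Rows: (from_state, event_kind, guard, action, to_state). The first matching
# row wins, so the unguarded login_ok row is the "else" branch of the guarded one.
BRUTE_FORCE_THEN_SUCCESS = [
    ("idle",    "login_fail", always,       record_fail, "failing"),
    ("failing", "login_fail", always,       record_fail, "failing"),
    ("failing", "login_ok",   enough_fails, reset,       "matched"),
    ("failing", "login_ok",   always,       reset,       "idle"),
]


class SequenceDetector:
    """One machine instance per key (here the source address), so interleaved
    sequences from different sources do not corrupt each other's state."""

    def __init__(self, name, table, initial="idle", accepting=("matched",), key="src"):
        self.name, self.table, self.initial = name, table, initial
        self.accepting, self.key = set(accepting), key
        self.instances = {}   # key -> {"state": ..., "fails": [...]}

    def feed(self, ev):
        ctx = self.instances.setdefault(ev[self.key], {"state": self.initial, "fails": []})
        for frm, kind, guard, action, to in self.table:
            if ctx["state"] == frm and ev["kind"] == kind and guard(ctx, ev):
                action(ctx, ev)
                ctx["state"] = to
                if to in self.accepting:
                    ctx["state"] = self.initial      # report the hit, then start over
                    return {"t": ev["t"], self.key: ev[self.key], "rule": self.name}
                return None
        return None   # no row applies in this state: the event is ignored


def run(events):
    det = SequenceDetector("brute_force_then_success", BRUTE_FORCE_THEN_SUCCESS)
    return [hit for hit in (det.feed(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in run(EVENTS):
        print(hit)
```

    Only 203.0.113.7 is reported: 198.51.100.20 succeeds after a single failure, and 192.0.2.9 spaces its three failures 100 seconds apart, so each one has aged out of the window by the time the next arrives. That second case shows that the retention window is part of the rule's semantics, not an implementation detail: widening it catches slower attackers at the cost of holding more state per source, and a stateless signature cannot express the rule at all because no single event carries the information.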