60 research outputs found

    An ontology-based system to identify complex network attacks

    Abstract — Intrusion Detection Systems are tools used to detect attacks against networks. Many of these attacks are a sequence of multiple simple attacks. These complex attacks are more difficult to identify because (a) they are difficult to predict, (b) almost anything could be an attack, and (c) there are a huge number of possibilities. The problem is that the expertise of what constitutes an attack lies in the tacit knowledge of experienced network engineers. By providing an ontological representation of what constitutes a network attack, human expertise can be codified and tested. The details of this representation are explained. An implementation of the representation has been developed. Lastly, the use of the representation in an Intrusion Detection System for complex attack detection has been demonstrated using use cases. Keywords: Computer network security; Intrusion Detection System; Ontology.

    FUSION AND CORRELATION OF ONTOLOGY-BASED ALERTS ON MULTI-AGENT SYSTEMS

    ANALYTICAL ABSTRACT: Attack or intrusion detection systems evaluate traffic against a set of predetermined signatures to identify possible abnormal behaviours; however, this type of technique is insufficient if the sequence of events does not correspond to any of the previously recognized patterns. The use of decoy networks (honeynets) has contributed to identifying the taxonomy of attackers. This article presents an approach to an attack detection model using multi-agent systems in decoy mode that incorporates alert fusion and correlation processes over ontologies, leading to the identification of anomalous behaviour through inference and reasoning processes. KEYWORDS: Ontologies, Alert Fusion, Attack Correlation, Multi-Agent Systems, Intelligent Intrusion Detection.
    ANALYTICAL SUMMARY: Attack detection systems evaluate traffic for attacks or intrusions against a default signature set to identify potential abnormal behaviors; however, these techniques are insufficient if the sequence of events does not correspond to any of the previously recognized patterns. The use of honeynets aims to identify the taxonomy of attackers. This paper presents an approach to an attack detection model using multi-agent systems in honeynet mode, incorporating alert fusion and correlation on ontologies to identify abnormal behavior through inference and reasoning processes. KEYWORDS: Ontologies, Alert Fusion, Attack Correlation, Multi-Agent Systems, Intelligent Intrusion Detection.

    Intrusion detection system with machine-learning-assisted maintenance of attack databases

    Intrusion detection systems (IDS) aim to detect attacks on communication networks. As such, they are an element of interest in the provision of security in network management, given the assumption that security holes exist in hardware and software systems. On the other hand, there are open-source rule-based intrusion detection systems whose main disadvantage is the technical effort required to maintain the rule database. This document analyses the most widely used techniques in intrusion detection systems and reuses rule-based intrusion detection systems to propose an intrusion detection system with machine-learning-assisted maintenance of attack databases.

    INTELLIGENT TECHNIQUES, ADAPTIVE AGENTS AND ONTOLOGICAL REPRESENTATIONS IN INTRUSION DETECTION SYSTEMS

    ABSTRACT (translated): Computer security requires permanent optimization of the protection mechanisms and strategies that allow attacks on networks and information systems to be prevented. The process of monitoring events occurring in a system or network based on patterns and signatures of possible attacks is known as an Intrusion Detection System (IDS). IDS have evolved significantly, to the point of focusing on prevention-based rather than correction-based models; these systems monitor traffic using a set of signatures to detect malicious activity, report incidents or take corrective actions, but any change inserted into the pattern of an attack can compromise the system, evade the underlying detection or prevention technology and render it insufficient. In recent years, different models based on Artificial Intelligence techniques have been proposed that can help with the automatic generation of new signatures and detect new attack patterns without human intervention. Some research presents techniques such as Neural Networks, Genetic Algorithms, Case-Based Reasoning, decision trees and Fuzzy Logic, among others, applied to Intrusion Detection, as well as architectures based on Intelligent Agents over Distributed IDS, thereby incorporating capabilities of autonomy, reactivity, proactivity, mobility and rationality. This article is the result of a state-of-the-art study of the different intelligent strategies in IDS, together with the introduction of cooperation models based on adaptive agents and ontological representations in Distributed Intrusion Detection Systems; additionally, the elements of an ongoing research project that incorporates these methods are presented. KEYWORDS: Intrusion Detection Systems, Intelligent Intrusion Detection, Intelligent Agents, Network Security, Ontological and Semantic Representations, Clusters.
    ABSTRACT: Computer security requires permanent optimization of protection mechanisms and strategies that allow preventing attacks on networks and information systems. The process of monitoring events that happen in a system or a network using patterns or signatures is known as an Intrusion Detection System (IDS). IDS have been focused more on prevention models than correction models; these systems test traffic using a set of signatures to detect malicious activities, report incidents or take corrective actions; but any change inserted in the attack pattern can compromise the system, evade the underlying technology and make intrusion detection insufficient. Over the years, different models based on Artificial Intelligence techniques have been considered to help automatic signature and pattern generation without human intervention. Some research projects present Neural Networks, Genetic Algorithms, Case-Based Reasoning, decision trees and Fuzzy Logic applied to Intrusion Detection; additionally, Intelligent and Mobile Agent architectures over Distributed IDS incorporate autonomy, reactivity, proactivity, mobility and rationality capabilities. This paper is the result of studying the state of the art of multiple intelligent strategies in IDS and cooperation models using Agents and ontology representation in Intrusion Detection. This paper complements elements of ongoing research considering the integration of these methods. KEYWORDS: Intrusion Detection Systems, Intelligent Intrusion Detection, Intelligent Agents, Network Security, Ontology and Semantic Representations.

    Distributed Load Testing by Modeling and Simulating User Behavior

    Modern human-machine systems such as microservices rely upon agile engineering practices which require changes to be tested and released more frequently than classically engineered systems. A critical step in the testing of such systems is the generation of realistic workloads or load testing. Generated workload emulates the expected behaviors of users and machines within a system under test in order to find potentially unknown failure states. Typical testing tools rely on static testing artifacts to generate realistic workload conditions. Such artifacts can be cumbersome and costly to maintain; however, even model-based alternatives can prevent adaptation to changes in a system or its usage. Lack of adaptation can prevent the integration of load testing into system quality assurance, leading to an incomplete evaluation of system quality. The goal of this research is to improve the state of software engineering by addressing open challenges in load testing of human-machine systems with a novel process that a) models and classifies user behavior from streaming and aggregated log data, b) adapts to changes in system and user behavior, and c) generates distributed workload by realistically simulating user behavior. This research contributes a Learning, Online, Distributed Engine for Simulation and Testing based on the Operational Norms of Entities within a system (LODESTONE): a novel process to distributed load testing by modeling and simulating user behavior. We specify LODESTONE within the context of a human-machine system to illustrate distributed adaptation and execution in load testing processes. LODESTONE uses log data to generate and update user behavior models, cluster them into similar behavior profiles, and instantiate distributed workload on software systems. We analyze user behavioral data having differing characteristics to replicate human-machine interactions in a modern microservice environment. 
We discuss tools, algorithms, software design, and implementation in two different computational environments: client-server and cloud-based microservices. We illustrate the advantages of LODESTONE through a qualitative comparison of key feature parameters and experimentation based on shared data and models. LODESTONE continuously adapts to changes in the system to be tested, which allows for the integration of load testing into the quality assurance process for cloud-based microservices.

    Comodo: Collaborative Monitoring of Commitment Delegations

    Understanding accountability in contract violations, e.g., who is accountable for what, is a tedious, time-consuming, and costly task for human decision-making, especially when contractual responsibilities are delegated among parties. Intelligent software agents equipped with expert capabilities such as monitoring and diagnosis help save time and improve the accuracy of diagnosis by formal reasoning upon electronic contracts. Such contracts are represented as commitment norms, a well-studied artifact in multi-agent systems, which provide semantics for agent interactions. Due to the open and heterogeneous nature of multi-agent systems, commitments are often violated. When a commitment is violated, e.g., an exception occurs, agents need to collaborate to understand what went wrong and which agent is responsible. We propose Comodo: a framework for monitoring commitment delegations and detecting violations. We define a complete set of possible rational delegation schemes for commitments, identifying for each combination of delegations what critical situations may lead to an improper delegation and potentially to a commitment violation. Comodo provides a sound and complete distributed reasoning procedure that is able to find all improper delegations of a given commitment. We provide the complete implementation of Comodo using the Reactive Event Calculus, and present an e-commerce case study to demonstrate its workings. Due to its generic nature, we discuss the application of our approach to other distributed diagnosis problems in emergency healthcare, Internet of Things and smart environments, and security, privacy, and accountability in the context of socio-technical system.

    Cyber-Physical Threat Intelligence for Critical Infrastructures Security

    Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector agnostic i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book presents also peculiar challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. 
The latter includes, for example, the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector-specific solutions described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well.

    Securing open multi-agent systems governed by electronic institutions

    One way to build large-scale autonomous systems is to develop an open multi-agent system using peer-to-peer architectures in which agents are not pre-engineered to work together and in which agents themselves determine the social norms that govern collective behaviour. The social norms and the agent interaction models can be described by Electronic Institutions such as those expressed in the Lightweight Coordination Calculus (LCC), a compact executable specification language based on logic programming and pi-calculus. Open multi-agent systems have experienced growing popularity in the multi-agent community and are expected to have many applications in the near future as large-scale distributed systems become more widespread, e.g. in emergency response, electronic commerce and cloud computing. A major practical limitation to such systems is security, because the very openness of such systems opens the doors to adversaries to exploit existing vulnerabilities. This thesis addresses the security of open multi-agent systems governed by electronic institutions. First, the main forms of attack on open multi-agent systems are introduced and classified in the proposed attack taxonomy. Then, various security techniques from the literature are surveyed and analysed. These techniques are categorised as either prevention or detection approaches. Appropriate countermeasures to each class of attack are also suggested. A fundamental limitation of conventional security mechanisms (e.g. access control and encryption) is the inability to prevent information from being propagated. Focusing on information leakage in choreography systems using LCC, we then suggest two frameworks to detect insecure information flows: conceptual modeling of interaction models and language-based information flow analysis. A novel security-typed LCC language is proposed to address the latter approach.
Both static (design-time) and dynamic (run-time) security type checking are employed to guarantee that no information leakage can occur in annotated LCC interaction models. The proposed security type system is then formally evaluated by proving its properties. A limitation of both the conceptual modeling and the language-based frameworks is the difficulty of formalising realistic policies using annotations. Finally, the proposed security-typed LCC is applied to a cloud computing configuration case study, in which virtual machine migration is managed. The secrecy of LCC interaction models for virtual machine management is analysed and information leaks are discussed.