6,253 research outputs found
Increasing resilience of ATM networks using traffic monitoring and automated anomaly analysis
Systematic network monitoring can be the cornerstone for
the dependable operation of safety-critical distributed
systems. In this paper, we present our vision for informed
anomaly detection through network monitoring and
resilience measurements to increase the operators'
visibility of ATM communication networks. We raise the
question of how to determine the optimal level of
automation in this safety-critical context, and we present a
novel passive network monitoring system that can reveal
network utilisation trends and traffic patterns in diverse
timescales. Using network measurements, we derive
resilience metrics and visualisations to enhance the
operators' knowledge of the network and traffic behaviour,
and allow for network planning and provisioning based on
informed what-if analysis
Sonification of Network Traffic Flow for Monitoring and Situational Awareness
Maintaining situational awareness of what is happening within a network is
challenging, not least because the behaviour happens within computers and
communications networks, but also because data traffic speeds and volumes are
beyond human ability to process. Visualisation is widely used to present
information about the dynamics of network traffic dynamics. Although it
provides operators with an overall view and specific information about
particular traffic or attacks on the network, it often fails to represent the
events in an understandable way. Visualisations require visual attention and so
are not well suited to continuous monitoring scenarios in which network
administrators must carry out other tasks. Situational awareness is critical
and essential for decision-making in the domain of computer network monitoring
where it is vital to be able to identify and recognize network environment
behaviours.Here we present SoNSTAR (Sonification of Networks for SiTuational
AwaReness), a real-time sonification system to be used in the monitoring of
computer networks to support the situational awareness of network
administrators. SoNSTAR provides an auditory representation of all the TCP/IP
protocol traffic within a network based on the different traffic flows between
between network hosts. SoNSTAR raises situational awareness levels for computer
network defence by allowing operators to achieve better understanding and
performance while imposing less workload compared to visual techniques. SoNSTAR
identifies the features of network traffic flows by inspecting the status flags
of TCP/IP packet headers and mapping traffic events to recorded sounds to
generate a soundscape representing the real-time status of the network traffic
environment. Listening to the soundscape allows the administrator to recognise
anomalous behaviour quickly and without having to continuously watch a computer
screen.Comment: 17 pages, 7 figures plus supplemental material in Github repositor
SUTMS - Unified Threat Management Framework for Home Networks
Home networks were initially designed for web browsing and non-business critical applications. As infrastructure improved, internet broadband costs decreased, and home internet usage transferred to e-commerce and business-critical applications. Todayâs home computers host personnel identifiable information and financial data and act as a bridge to corporate networks via remote access technologies like VPN. The expansion of remote work and the transition to cloud computing have broadened the attack surface for potential threats. Home networks have become the extension of critical networks and services, hackers can get access to corporate data by compromising devices attacked to broad- band routers. All these challenges depict the importance of home-based Unified Threat Management (UTM) systems. There is a need of unified threat management framework that is developed specifically for home and small networks to address emerging security challenges. In this research, the proposed Smart Unified Threat Management (SUTMS) framework serves as a comprehensive solution for implementing home network security, incorporating firewall, anti-bot, intrusion detection, and anomaly detection engines into a unified system. SUTMS is able to provide 99.99% accuracy with 56.83% memory improvements. IPS stands out as the most resource-intensive UTM service, SUTMS successfully reduces the performance overhead of IDS by integrating it with the flow detection mod- ule. The artifact employs flow analysis to identify network anomalies and categorizes encrypted traffic according to its abnormalities. SUTMS can be scaled by introducing optional functions, i.e., routing and smart logging (utilizing Apriori algorithms). The research also tackles one of the limitations identified by SUTMS through the introduction of a second artifact called Secure Centralized Management System (SCMS). SCMS is a lightweight asset management platform with built-in security intelligence that can seamlessly integrate with a cloud for real-time updates
Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches
The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attackerâs ability to evade detection
Detecting Anomalous Microflows in IoT Volumetric Attacks via Dynamic Monitoring of MUD Activity
IoT networks are increasingly becoming target of sophisticated new
cyber-attacks. Anomaly-based detection methods are promising in finding new
attacks, but there are certain practical challenges like false-positive alarms,
hard to explain, and difficult to scale cost-effectively. The IETF recent
standard called Manufacturer Usage Description (MUD) seems promising to limit
the attack surface on IoT devices by formally specifying their intended network
behavior. In this paper, we use SDN to enforce and monitor the expected
behaviors of each IoT device, and train one-class classifier models to detect
volumetric attacks.
Our specific contributions are fourfold. (1) We develop a multi-level
inferencing model to dynamically detect anomalous patterns in network activity
of MUD-compliant traffic flows via SDN telemetry, followed by packet inspection
of anomalous flows. This provides enhanced fine-grained visibility into
distributed and direct attacks, allowing us to precisely isolate volumetric
attacks with microflow (5-tuple) resolution. (2) We collect traffic traces
(benign and a variety of volumetric attacks) from network behavior of IoT
devices in our lab, generate labeled datasets, and make them available to the
public. (3) We prototype a full working system (modules are released as
open-source), demonstrates its efficacy in detecting volumetric attacks on
several consumer IoT devices with high accuracy while maintaining low false
positives, and provides insights into cost and performance of our system. (4)
We demonstrate how our models scale in environments with a large number of
connected IoTs (with datasets collected from a network of IP cameras in our
university campus) by considering various training strategies (per device unit
versus per device type), and balancing the accuracy of prediction against the
cost of models in terms of size and training time.Comment: 18 pages, 13 figure
Improving the Evaluation of Network Anomaly Detection Using a Data Fusion Approach
Any future extensions or updates will be published as a part of WAND's ongoing research projects: http://research.wand.net.nzCurrently, the evaluation of network anomaly detection methods is often not repeatable. It is difficult to ascertain if different implementations of the same methods have the same performance or the relative performance of different methods. This is in part due to a lack of open implementations, the absence of recent datasets and no common format to express results.
A common approach to evaluating a method is to use the Defense Advanced Research Projects Agency (DARPA) 1999 datasets, or a derivative of them, in combination with a different dataset or network capture. The DARPA datasets are relatively old and bear little resemblance to modern day traffic and the other datasets are unlabelled and typically publicly unavailable making it difficult to ascertain the validity of the research evaluated in such a way.
This thesis primarily contributes a new evaluation methodology that uses a data fusion based approach that allows for reproducible evaluations with modern datasets.
The new methodology incorporates three other contributions: A new way to capture network traces that are fully anonymised yet retains more information than any current network traces and a new trace annotation format and a method for verifying the correctness of the annotations.
The DARPA 1999 dataset was used to demonstrate the validity of the approach and an evaluation was performed on a new dataset that has been captured using the methods introduced. In the evaluation we find that methodology is a viable approach forward, but that it comes with a different set of drawbacks than the current state of the art
Geophysical Characterisation and Monitoring of Earth Embankment Dams
Geophysics has become fundamental in characterising earth embankment dams and identifying preferential seepage pathways, problem areas, and structural defects. The issue of non-uniqueness is profound in the interpretation of geophysical data, with features often attributed to multiple potential sources. This project tackles this issue by applying a multidisciplinary approach comprising traditional techniques to a study site in South Wales. These techniques comprised ground conductivity, magnetometry, and Electrical Resistivity Tomography (ERT). The computation of normalised chargeability data from an Induced Polarisation (IP) survey, normally used for mineral exploration, was applied to delineate between clay and moisture rich areas. This eliminated the issue of non-uniqueness between these two subsurface conditions. The application of these techniques led to successful characterisation of the embankment in terms of its engineered and natural components and identified a potential seepage pathway attributed to surface waters.The Self-Potential (SP) method was evolved into a monitoring solution, building on the research and development of TerraDat Ltdâs SPiVolt system. A methodology was developed to efficiently fabricate and install an SP monitoring network. SP monitoring confirmed the presence of the preferential seepage pathway hypothesised through the characterisation survey and identified a second pathway through the damâs core.DĆ”r Cymru Welsh Water have since used the results of this project to design a targeted grouting campaign and install surface drainage at the site. Comprehensive understanding of the material composition and temporal variations of subsurface conditions is considered essential for ensuring dam and reservoir owners achieve their aims of climate resilience and asset protection. The geophysical characterisation and monitoring methodology presented in this thesis provides an effective low-cost solution that can be applied to multiple scenarios such as landslide investigations, coal tip stability assessments and other hydrogeological problems
- âŠ