    A characteristic-based visual analytics approach to detect subtle attacks from NetFlow records

    Security is essential for any enterprise network. Denial of service, port scanning, and data exfiltration are among the most common network intrusions, and network administrators need to detect such attacks effectively and efficiently from network traffic. Although many intrusion detection systems (IDSs) and approaches exist, Visual Analytics (VA) provides a human-friendly approach to detecting network intrusions with situational awareness functionality. Overview visualization is the first and most important step in a VA approach. However, many VA systems cannot effectively identify subtle attacks in massive traffic data because their overview visualizations are inadequate. In this work, we developed two overviews and tried to identify subtle attacks directly from them. Zoomed-in visualizations were also provided for further investigation. The primary data source was NetFlow, and we evaluated the VA system with datasets from Mini Challenge 3 of the VAST Challenge 2013. Evaluation results indicated that the VA system can detect all the labeled intrusions (denial of service, port scanning and data exfiltration) with very few false alerts.

    A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection

    Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods for monitoring and classifying the network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art detection methods for distributed network attacks sourced from external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps in enterprise network security to inspire future research.

    Comment: Journal paper submitted to Elsevier

    Visual analytics methods for retinal layers in optical coherence tomography data

    Optical coherence tomography is an important imaging technology for the early detection of ocular diseases. Yet, identifying substructural defects in the 3D retinal images is challenging. We therefore present novel visual analytics methods for the exploration of small and localized retinal alterations. Our methods reduce the data complexity and ensure the visibility of relevant information. The results of two cross-sectional studies show that our methods improve the detection of retinal defects, contributing to a deeper understanding of the retinal condition at an early stage of disease.

    Augmented reality (AR) for surgical robotic and autonomous systems: State of the art, challenges, and solutions

    Despite the substantial progress achieved in the development and integration of augmented reality (AR) in surgical robotic and autonomous systems (RAS), the center of focus in most devices remains on improving end-effector dexterity and precision, as well as improved access to minimally invasive surgeries. This paper aims to provide a systematic review of different types of state-of-the-art surgical robotic platforms while identifying areas for technological improvement. We associate specific control features, such as haptic feedback, sensory stimuli, and human-robot collaboration, with AR technology to perform complex surgical interventions for increased user perception of the augmented world. Researchers in the field have long faced numerous issues with low accuracy in tool placement around complex trajectories, pose estimation, and difficulty in depth perception during two-dimensional medical imaging. A number of robots described in this review, such as Novarad and SpineAssist, are analyzed in terms of their hardware features, computer vision systems (such as deep learning algorithms), and the clinical relevance of the literature. We attempt to outline the shortcomings in current optimization algorithms for surgical robots (such as YOLO and LSTM) whilst providing mitigating solutions to internal tool-to-organ collision detection and image reconstruction. The accuracy of results in robot end-effector collisions and reduced occlusion remain promising within the scope of our research, validating the propositions made for the surgical clearance of ever-expanding AR technology in the future.

    Fuzzy intrusion detection

    Visual data mining techniques are used to assess which metrics are most effective at detecting different types of attacks. The research confirms that data aggregation and data reduction play crucial roles in the formation of the metrics. Once the proper metrics are identified, fuzzy rules are constructed for detecting attacks in several categories. The attack categories are selected to match the different phases that intruders frequently use when attacking a system. A suite of attack tools is assembled to test the fuzzy rules. The research shows that fuzzy rules applied to good metrics can provide an effective means of detecting a wide variety of network intrusion activity. This research is being used as a proof of concept for the development of a system known as the Fuzzy Intrusion Recognition Engine (FIRE).

    This thesis examines the application of fuzzy systems to the problem of network intrusion detection. Historically, there have been two primary methods of performing intrusion detection: misuse detection and anomaly detection. In misuse detection, a database of attack signatures is maintained that match known intrusion activity. While misuse detection systems are very effective, they require constant updates to the signature database to remain effective or to detect distinctly new attacks. Anomaly detection systems attempt to discover suspicious behavior by comparing system activity against past usage profiles. In this research, network activity is collected and usage profiles are established for a variety of metrics. A network data gathering and data analysis tool was developed to create the metrics from the network stream. Great care is given to identifying the metrics that are most suitable for detecting intrusion activity.

    Detection and elimination of rock face vegetation from terrestrial LIDAR data using the virtual articulating conical probe algorithm

    A common use of terrestrial lidar is to conduct studies involving change detection of natural or engineered surfaces. Change detection involves many technical steps beyond the initial data acquisition: data structuring, registration, and elimination of data artifacts such as parallax errors, near-field obstructions, and vegetation. Of these, vegetation detection and elimination with terrestrial lidar scanning (TLS) presents a completely different set of issues when compared to vegetation elimination from aerial lidar scanning (ALS). With ALS, the ground footprint of the lidar laser beam is very large, and the data acquisition hardware supports multi-return waveforms. Also, the underlying surface topography is relatively smooth compared to the overlying vegetation, which has a high spatial frequency. On the other hand, with most TLS systems, the width of the lidar laser beam is very small, and the data acquisition hardware supports only first-return signals. For the case where vegetation is covering a rock face, the underlying rock surface is not smooth because rock joints and sharp block edges have a high spatial frequency very similar to the overlying vegetation. Traditional ALS approaches to eliminate vegetation take advantage of the contrast in spatial frequency between the underlying ground surface and the overlying vegetation. When the ALS approach is used on vegetated rock faces, the algorithm, as expected, eliminates the vegetation, but also digitally erodes the sharp corners of the underlying rock. A new method that analyzes the slope of a surface along with relative depth and contiguity information is proposed as a way of differentiating high spatial frequency vegetative cover from similar high spatial frequency rock surfaces. This method, named the Virtual Articulating Conical Probe (VACP) algorithm, offers a solution for detection and elimination of rock face vegetation from TLS point cloud data while not affecting the geometry of the underlying rock surface. Such a tool could prove invaluable to the geotechnical engineer for quantifying rates of vertical-face rock loss that impact civil infrastructure safety. --Abstract, page iii

    Darknet as a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks

    Cyberspace has become a massive battlefield between computer criminals and computer security experts. In addition, large-scale cyber attacks have matured enormously and become capable of generating, in a prompt manner, significant interruptions and damage to Internet resources and infrastructure. Denial of Service (DoS) attacks are perhaps the most prominent and severe types of such large-scale cyber attacks. Furthermore, the existence of widely available encryption and anonymity techniques greatly increases the difficulty of the surveillance and investigation of cyber attacks. In this context, the availability of relevant cyber monitoring is of paramount importance. An effective approach to gathering DoS cyber intelligence is to collect and analyze traffic destined to allocated, routable, yet unused Internet address space known as darknet. In this thesis, we leverage big darknet data to generate insights on various DoS events, namely, Distributed DoS (DDoS) and Distributed Reflection DoS (DRDoS) activities. First, we present a comprehensive survey of darknet. We primarily define and characterize darknet and indicate its alternative names. We further list other trap-based monitoring systems and compare them to darknet. In addition, we provide a taxonomy in relation to darknet technologies and identify research gaps that are related to three main darknet categories: deployment, traffic analysis, and visualization. Second, we characterize darknet data. Such information could generate indicators of cyber threat activity as well as provide in-depth understanding of the nature of its traffic. In particular, we analyze the distribution of darknet packets, the transport, network and application layer protocols they use, and pinpoint their resolved domain names. Furthermore, we identify their IP classes and destination ports as well as geo-locate their source countries. We further investigate darknet-triggered threats. The aim is to explore darknet-inferred threats and categorize their severities. Finally, we contribute by exploring the inter-correlation of such threats, by applying association rule mining techniques, to build threat association rules. Specifically, we generate clusters of threats that co-occur targeting a specific victim. Third, we propose a DDoS inference and forecasting model that aims at providing insights to organizations, security operators and emergency response teams during and after a DDoS attack. Specifically, this work strives to predict, within minutes, the attacks' features, namely, intensity/rate (packets/sec) and size (estimated number of compromised machines/bots). The goal is to understand the future short-term trend of the ongoing DDoS attacks in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Further, our work aims at investigating DDoS campaigns by proposing a clustering approach to infer various victims targeted by the same campaign and predicting related features. To achieve our goal, our proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods and forecasting approaches. Fourth, we propose a novel approach to infer and characterize Internet-scale DRDoS attacks by leveraging the darknet space. Complementary to the pioneering work on inferring DDoS activities using darknet, this work shows that we can extract DoS activities without relying on backscatter analysis. The aim of this work is to extract cyber security intelligence related to DRDoS activities such as intensity, rate and geographic location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks and the expectation maximization and k-means clustering techniques in an attempt to identify campaigns of DRDoS attacks. Finally, we conclude this work by providing some discussions and pinpointing some future work.

    LungVISX: explaining lung nodule malignancy classification
