429 research outputs found

    Using Markov Models and Statistics to Learn, Extract, Fuse, and Detect Patterns in Raw Data

    Many systems are partially stochastic in nature. We have derived data-driven approaches for extracting stochastic state machines (Markov models) directly from observed data. This chapter provides an overview of our approach with numerous practical applications. We have used this approach for inferring shipping patterns, exploiting computer system side-channel information, and detecting botnet activities. For contrast, we include a related data-driven statistical inferencing approach that detects and localizes radiation sources.
    Comment: Accepted by 2017 International Symposium on Sensor Networks, Systems and Securit

    Identification of networked tunnelled applications

    In protocol tunnelling, one application protocol is encapsulated within another carrier protocol in an unusual way to circumvent firewall policy. Application-layer tunnels are a significant security and resource abuse threat for networks because applications that firewalls restrict, such as high data-rate games, peer-to-peer file sharing, video and audio streaming, and chat, are carried through via allowed protocols like HTTP and HTTPS, and the firewall security policy is thwarted. Protocols such as HTTP and HTTPS are indispensable today for any network that has to be connected to the Internet; hence these become a high-value target for running restricted applications via tunnelling. The identification of the actual application running across a network is important for network management, optimization, security and abuse prevention. The existing techniques for identifying applications running across the network, for example port-number-based identification and packet data analysis, are not always successful, especially for applications that use encrypted tunnels. This work describes a statistical approach to detect applications that are running over application-layer tunnels. Previous work has shown the packet size distribution to be an effective metric for detecting most network applications, both UDP- and TCP-based. In this work it is shown how packet stream statistics, including packet size distributions, can be used to differentiate and identify networked tunnelled applications successfully. Tunnelled applications are identifiable using the traffic statistical parameters. Traffic trace files of the applications were captured, statistical parameters were derived from the trace files, and then these parameters were used for training machine learning algorithms. The trained machine learning algorithm is then able to classify other packet trace data as belonging to an application. Five different machine learning algorithms have been applied, and their performance accuracy is discussed. The entropy-distance-based Nearest Neighbour machine learning algorithm and the Euclidean-distance-based Nearest Neighbour classifier had better results than the others. This method of identifying tunnelled applications can be complementary to other network security systems such as firewalls and Intrusion Detection Systems.
    EThOS - Electronic Theses Online Service, GB, United Kingdo

    Harnessing Predictive Models for Assisting Network Forensic Investigations of DNS Tunnels

    In recent times, DNS tunneling techniques have been used for malicious purposes; however, network security mechanisms struggle to detect them. Network forensic analysis has been proven effective, but it is slow and effort intensive, as Network Forensics Analysis Tools struggle to deal with undocumented or new network tunneling techniques. In this paper, we present a machine learning approach, based on feature subsets of network traffic evidence, to aid forensic analysis by automating the inference of the protocols carried within DNS tunneling techniques. We explore four network protocols, namely HTTP, HTTPS, FTP, and POP3. Three features are extracted from the DNS tunneled traffic: IP packet length, DNS Query Name Entropy, and DNS Query Name Length. We benchmark the performance of four classification models, i.e., decision trees, support vector machines, k-nearest neighbours, and neural networks, on a data set of DNS tunneled traffic. Classification accuracy of 95% is achieved and the feature set reduces the original evidence data size by a factor of 74%. More importantly, our findings provide strong evidence that predictive modeling machine learning techniques can be used to identify network protocols within DNS tunneled traffic in real time with high accuracy from a relatively small feature set, without necessarily infringing on privacy from the outset, and without having to collect complete DNS tunneling sessions.

    Traffic Monitoring and analysis for source identification


    Network communication privacy: traffic masking against traffic analysis

    An increasing number of recent experimental works have demonstrated that the supposedly secure channels in the Internet are prone to privacy breaches in many respects, due to traffic features leaking information on user activity and traffic content. As examples, traffic flow classification at the application level, web page identification, and language/phrase detection in VoIP communications have all been successfully demonstrated against encrypted channels. In this thesis I aim at understanding whether, and how complex it is, to obfuscate the information leaked by traffic features, namely packet lengths, direction, and times. I define a security model that points out what the ideal target of masking is, and then define optimized and practically implementable masking algorithms, yielding a trade-off between privacy and the overhead/complexity of the masking algorithm. Numerical results are based on measured Internet traffic traces. Major findings are that: i) optimized full masking achieves similar overhead values with padding only and when fragmentation is allowed; ii) if practical realizability is accounted for, optimized statistical masking algorithms attain only moderately better overhead than simple fixed-pattern masking algorithms, while still leaking correlation information that can be exploited by the adversary.

    Towards a Near-real-time Protocol Tunneling Detector based on Machine Learning Techniques

    In recent years, cybersecurity attacks have increased at an unprecedented pace, becoming ever more sophisticated and costly. Their impact has involved both private/public companies and critical infrastructures. At the same time, due to the COVID-19 pandemic, the security perimeters of many organizations expanded, causing an increase of the attack surface exploitable by threat actors through malware and phishing attacks. Given these factors, it is of primary importance to monitor the security perimeter and the events occurring in the monitored network, according to a tested security strategy of detection and response. In this paper, we present a protocol tunneling detector prototype which inspects, in near real time, a company's network traffic using machine learning techniques. Indeed, tunneling attacks allow malicious actors to maximize the time in which their activity remains undetected. The detector monitors unencrypted network flows and extracts features to detect possible ongoing attacks and anomalies, by combining machine learning and deep learning. The proposed module can be embedded in any network security monitoring platform able to provide network flow information along with its metadata. The detection capabilities of the implemented prototype have been tested on both benign and malicious datasets. Results show 97.1% overall accuracy and an F1-score of 95.6%.
    Comment: 12 pages, 4 figures, 4 table

    Strengthening the Anonymity of Anonymous Communication Systems

    In this work, we examine why a popular anonymity network, Tor, is vulnerable to timing side-channel attacks. We explore removing this vulnerability from Tor without sacrificing its low latency, which is important for usability. We find that Tor is vulnerable because inter-packet delays propagate along the network path from the source to the destination. This provides an easily detected signature. We explore techniques for making the timing signature either expensive or impossible to detect. If each packet took a unique, disjoint path from source to destination, the inter-packet delay signature would be undetectable: jitter and latency would change packet arrival orders. This is impractical, since the overhead for constructing these circuits would be prohibitive. We scaled this idea back to reflect how the BitTorrent protocol creates a large number of possible paths from a small number of nodes. We form a fully connected network with the source, the destination, and a small number of nodes. The number of paths through this network from source to destination grows quickly with the addition of each node. Paths do not have to include every node, so the delay of each path is different. By transmitting consecutive packets on different paths, the network delays will mask the inter-packet delay signature.

    Cyber Physical System Security — DoS Attacks on Synchrophasor Networks in the Smart Grid

    With the rapid increase of network-enabled sensors, switches, and relays, cyber-physical system security in the smart grid has become important. Smart grid operation demands reliable communication. Existing encryption technologies ensure the authenticity of delivered messages. However, commonly applied technologies are not able to prevent the delay or drop of smart grid communication messages. In this dissertation, the author focuses on the network security vulnerabilities in synchrophasor networks and their mitigation methods. Side-channel vulnerabilities of the synchrophasor network are identified. The synchrophasor network is one of the most important technologies in the smart grid transmission system. Experiments presented in this dissertation show that a DoS attack that exploits the side-channel vulnerability against the synchrophasor network can lead to power system instability. Side-channel analysis extracts information by observing implementation artifacts without knowing the actual meaning of the information. A synchrophasor network consists of Phasor Measurement Units (PMUs) that use the synchrophasor protocol to transmit measurement data. Two side-channels are discovered in the synchrophasor protocol. Side-channel-analysis-based Denial of Service (DoS) attacks differentiate the sources of multiple PMU data streams within an encrypted tunnel and drop only selected PMU data streams. Simulations on a power system show that, without any countermeasure, a power system can be subverted after an attack. Then, mitigation methods from both the network and power grid perspectives are carried out. From the network security perspective, side-channel analysis and protocol transformation have the potential to help PMU communication evade attacks that begin with protocol identification. From the power grid control perspective, to mitigate PMU DoS attacks, Cellular Computational Network (CCN) prediction of PMU data is studied and used to implement a Virtual Synchrophasor Network (VSN), which learns and mimics the behaviors of a target power grid. The data from the VSN is used by the Automatic Generation Controllers (AGCs) when the PMU packets are disrupted by DoS attacks. Real-time experimental results show that the CCN-based VSN effectively inferred the missing data and mitigated the negative impacts of DoS attacks. In this study, industry-standard hardware PMUs and a Real-Time Digital Power System Simulator (RTDS) are used to build experimental environments that are as close to actual production as possible. The above-mentioned attack and mitigation methods are also tested on the Internet. A Man-In-The-Middle (MITM) attack on PMU traffic is performed with Border Gateway Protocol (BGP) hijacking. A side-channel-analysis-based MITM attack detection method is also investigated. A game theory analysis is performed to give a broade