Applicability of clustering to cyber intrusion detection
Maintaining cyber security is a complex task, utilizing many levels of network information along with an array of technology. Current practices for combating cyber attacks typically use Intrusion Detection Systems (IDSs) to passively detect and block multi-stage attacks. Because of the speed and force with which a new type of cyber attack can occur, automated detection and response is becoming an apparent necessity. Anomaly-based detection systems, such as statistical-based or clustering algorithms, attempt to address this by analyzing the relative differences in network and host activity. Signature-based IDSs are typically more accurate for known attacks, but require time and resources for an analyst to update the signature database. This work hypothesizes that the latency from zero-day attack to signature creation can be shortened via anomaly-based algorithms. In particular, the summarizing ability of clustering is leveraged and examined for its applicability to signature creation. This work first investigates a modified density-based clustering algorithm as an IDS, identifying its strengths and weaknesses. Being able to separate malicious from normal activity, the modified algorithm is then applied in a supervised way to signature creation. Lessons learned from the supervised signature creation are then leveraged for the development of unsupervised real-time signature classification. Automating signature creation and classification via clustering proves satisfactory but with limitations. Density supports for new signatures via clustering can be diluted and lead to misclassification
A Survey of Languages for Specifying Dynamics: A Knowledge Engineering Perspective
A number of formal specification languages for knowledge-based systems have been developed. Knowledge-based systems are characterised by a complex knowledge base and an inference engine which uses this knowledge to solve a given problem. Specification languages for knowledge-based systems have to cover both aspects: they have to provide the means to specify a complex and large amount of knowledge, and they have to provide the means to specify the dynamic reasoning behavior of a knowledge-based system. We focus on the second aspect. For this purpose, we survey existing approaches for specifying dynamic behavior in related areas of research. In fact, we have taken approaches for the specification of information systems (Language for Conceptual Modeling and TROLL), approaches for the specification of database updates and logic programming (Transaction Logic and Dynamic Database Logic) and the generic specification framework of abstract state machine
Millions to the Polls: Practical Policies to Fulfill the Freedom to Vote for All Americans
Voting is the bedrock of America's democracy. In a government of, by, and for the people, casting a ballot is the fundamental means through which we all have a say in the political decisions that affect our lives. Yet now, without substantial interventions, the freedom to vote is at great risk. This report contains a comprehensive and bold agenda of 16 policy proposals and common sense reforms. It details policies to help us realize the full promise of a democracy
Advances in modern botnet understanding and the accurate enumeration of infected hosts
Botnets remain a potent threat due to evolving modern architectures, inadequate remediation methods, and inaccurate measurement techniques. In response, this research exposes the architectures and operations of two advanced botnets, techniques to enumerate infected hosts, and pursues the scientific refinement of infected-host enumeration data by recognizing network structures which distort measurement. This effort is motivated by the desire to reveal botnet behavior and trends for future mitigation, methods to discover infected hosts for remediation in real time and threat assessment, and the need to reveal the inaccuracy in population size estimation when only counting IP addresses. Following an explanation of theoretical enumeration techniques, the architectures, deployment methodologies, and malicious output for the Storm and Waledac botnets are presented. Several tools developed to enumerate these botnets are then assessed in terms of performance and yield. Finally, this study documents methods that were developed to discover the boundaries and impact of NAT and DHCP blocks in network populations along with a footprint measurement based on relative entropy which better describes how uniformly infections communicate through their IP addresses. Population data from the Waledac botnet was used to evaluate these techniqu
Intrusion detection based on behavioral rules for the bytes of the headers of the data units in IP networks
Nowadays, communications through computer networks are of utmost importance for the normal functioning of organizations, worldwide transactions and content delivery. These networks are threatened by all kinds of attacks, leading to traffic anomalies that will eventually disrupt the normal behaviour of the networks, exploiting specific breaches in a system component or exhausting network resources. Automatic detection of these network anomalies comprises one of the most important resources for network administration, and Intrusion Detection Systems (IDSs) are amongst the systems responsible for this automatic detection.
This dissertation starts from the assumption that it is possible to use machine learning to, consistently and automatically, produce rules for an intrusion detector based on statistics for the first 64 bytes of the headers of Internet Protocol (IP) packets. The survey of the state of the art in related works and currently available IDSs shows that the specific approach taken here is worth exploring. The decision tree learning algorithm known as C4.5 is identified as a suitable means to produce the aforementioned rules, due to the similarity between their syntax and the tree structure.
Several rules are then devised using the ML approach for several attacks. The attacks were the same as those used in a previous work, in which the rules were devised manually. Both rule sets are then compared to show that it is in fact possible to construct rules using the approach taken herein, and that the rules created with the C4.5 algorithm are superior to the ones devised after thorough human analysis of several statistics calculated for the bytes of the packet headers. To compare them, each rule set was used to detect intrusions in third-party traces containing attacks and in live traffic during simulation of attacks. Most of the attacks producing noticeable impact on the headers were detected by both rule sets, but the results for the third-party traces were better in the case of the ML-devised rules, providing clear evidence for the aforementioned assumptions.
Nowadays, communications over computer networks are of the utmost importance for the normal functioning of organisations, worldwide transactions and content delivery. These networks are threatened by all kinds of attacks, leading to traffic anomalies that will eventually corrupt the normal functioning of the network, exploiting specific flaws in a system component or exhausting network resources. Automatic detection of these network anomalies is one of the most important resources for network administrators, and Intrusion Detection Systems are among the systems responsible for that detection.
This dissertation takes as its starting point the assumption that it is possible to use machine learning mechanisms to produce, consistently and automatically, intrusion detection rules based on statistics of the first 64 bytes of IP packet headers. The study of the state of the art in related work and in currently available detection systems showed that the method used in this dissertation deserves to be studied. The C4.5 decision tree algorithm was identified as a suitable means of producing the aforementioned rules, owing to the similarity between their syntax and the tree structure of this algorithm.
Several rules were then produced for several types of attack using the machine learning approach. The attacks taken into consideration were the same as those used in a previous work, in which the rules were devised manually. Both rule sets are then compared to show that it is indeed possible to construct rules through the approach used in this dissertation, and that the rules created with the C4.5 algorithm are superior to those created through human analysis of the various statistics calculated for the bytes of the packet headers. To compare them, each rule set was used to detect intrusions in traffic traces available on the Internet containing attacks and in live traffic during attack simulation. Most of the attacks that produce a strong impact on packet headers were detected by both rule sets, but the results with the traces taken from the Internet were better for the rules produced by machine learning, giving clear proof of what was previously assumed
Improving Intrusion Prevention, Detection and Response
In the face of a wide range of attacks, Intrusion Detection Systems (IDS) and other Internet security tools represent potentially valuable safeguards to identify and combat the problems facing online systems. However, despite the fact that a variety of commercial and open source solutions are available across a range of operating systems and network platforms, it is notable that the deployment of IDS is often markedly less than that of other well-known network security countermeasures, and other tools may often be used in an ineffective manner.
This thesis considers the challenges that users may face while using IDS, by conducting a web-based questionnaire to assess these challenges. The challenges used in the questionnaire were gathered from the well-established literature. The participants' responses varied between being for or against selecting them as challenges, but all the listed challenges were confirmed to be problems in the IDS field.
The aim of the research is to propose a novel set of Human Computer Interaction-Security (HCI-S) usability criteria based on the findings of the web-based questionnaire. Moreover, these criteria were inspired by previous literature in the field of HCI. The novelty of the criteria is that they focus on the security aspects. The new criteria were promising when they were applied to Norton 360, a well-known Internet security suite. Testing the alerts issued by security software was the initial step before testing other security software. Hence, a set of security software was selected and some alerts were triggered as a result of performing a penetration test conducted within a test-bed environment using the network scanner Nmap. The findings reveal that four of the HCI-S usability criteria were not fully addressed by any of these security software.
Another aim of this thesis is to consider the development of a prototype to address the HCI-S usability criteria that seem to be overlooked in the existing security solutions. The thesis conducts a practical user trial; the findings are promising and attempt to find a proper solution to this problem. For instance, to take advantage of previous security decisions, it would be desirable for a system to consider the user's previous decisions on similar alerts, and modify alerts accordingly to account for the user's previous behaviour. Moreover, in order to give users a level of flexibility, it is important to enable them to make informed decisions, and to be able to recover from them if needed. It is important to address the proposed criteria that enable users to confirm or recover from the impact of their decision, maintain an awareness of system status at all times, and to offer responses that match users' expectations.
The outcome of the current study is a set of 16 proposed HCI-S usability criteria that can be used to design and to assess security alerts issued by any Internet security suite. These criteria are not equally important and they vary between high, medium and low.
The Embassy of the Arab Republic of Egypt (Cultural Centre & Educational Bureau) in Londo
On the placement of security-related Virtualised Network Functions over data center networks
Middleboxes are typically hardware-accelerated appliances such as firewalls, proxies, WAN optimizers, and NATs that play an important role in service provisioning over today's data centers. Reports show that the number of middleboxes is on par with the number of routers, and consequently represents a significant commitment from an operator's capital and operational expenditure budgets. Over the past few years, software middleboxes known as Virtual Network Functions (VNFs) have been replacing the hardware appliances to reduce cost, improve the flexibility of deployment, and allow for extending network functionality in short timescales.
This dissertation aims at identifying the unique characteristics of implementing security modules as VNFs in virtualised environments. We focus on the placement of the security VNFs to minimise resource usage without violating the security-imposed constraints, a challenge faced by operators today who want to increase the usable capacity of their infrastructures. The work presented here focuses on the multi-tenant environment where customised security services are provided to tenants. The services are implemented as a software module deployed as a VNF collocated with network switches to reduce overhead. Furthermore, the thesis presents a formalisation for the resource-aware placement of security VNFs and provides a constraint programming solution, along with examining heuristic, meta-heuristic and near-optimal/subset-sum solutions to solve larger problems in reduced time.
The results of this work identify the unique and vital constraints of the placement of security functions. They demonstrate that the granularity of the traffic required by the security functions imposes traffic constraints that increase the resource overhead of the deployment. The work identifies the north-south traffic in data centers, rather than east-west traffic, as the traffic intended for processing by security functions. It asserts that a non-sharing strategy for security modules will reduce complexity in the multi-tenant environment. Furthermore, the work adopts an on-path deployment strategy for security VNF traffic, which is shown to reduce resource overhead compared to previous approaches