MFIRE-2: A Multi Agent System for Flow-based Intrusion Detection Using Stochastic Search

Detecting attacks targeted against military and commercial computer networks is a crucial element in the domain of cyberwarfare. The traditional method of signature-based intrusion detection is a primary mechanism to alert administrators to malicious activity. However, signature-based methods are not capable of detecting new or novel attacks. This research continues the development of a novel simulated, multiagent, flow-based intrusion detection system called MFIRE. Agents in the network are trained to recognize common attacks, and they share data with other agents to improve the overall effectiveness of the system. A Support Vector Machine (SVM) is the primary classifier with which agents determine an attack is occurring. Agents are prompted to move to different locations within the network to find better vantage points, and two methods for achieving this are developed. One uses a centralized reputation-based model, and the other uses a decentralized model optimized with stochastic search. The latter is tested for basic functionality. The reputation model is extensively tested in two configurations and results show that it is significantly superior to a system with non-moving agents. The resulting system, MFIRE-2, demonstrates exciting new network defense capabilities, and should be considered for implementation in future cyberwarfare applications

Information dissemination in mobile networks

This thesis proposes some solutions to relieve, using Wi-Fi wireless networks, the data consumption of cellular networks using cooperation between nodes, studies how to make a good deployment of access points to optimize the dissemination of contents, analyzes some mechanisms to reduce the nodes' power consumption during data dissemination in opportunistic networks, as well as explores some of the risks that arise in these networks. Among the applications that are being discussed for data off-loading from cellular networks, we can find Information Dissemination in Mobile Networks. In particular, for this thesis, the Mobile Networks will consist of Vehicular Ad-hoc Networks and Pedestrian Ad-Hoc Networks. In both scenarios we will find applications with the purpose of vehicle-to-vehicle or pedestrian-to-pedestrian Information dissemination, as well as vehicle-to-infrastructure or pedestrian-to-infrastructure Information dissemination. We will see how both scenarios (vehicular and pedestrian) share many characteristics, while on the other hand some differences make them unique, and therefore requiring of specific solutions. For example, large car batteries relegate power saving techniques to a second place, while power-saving techniques and its effects to network performance is a really relevant issue in Pedestrian networks. While Cellular Networks offer geographically full-coverage, in opportunistic Wi-Fi wireless solutions the short-range non-fullcoverage paradigm as well as the high mobility of the nodes requires different network abstractions like opportunistic networking, Disruptive/Delay Tolerant Networks (DTN) and Network Coding to analyze them. And as a particular application of Dissemination in Mobile Networks, we will study the malware spread in Mobile Networks. Even though it relies on similar spreading mechanisms, we will see how it entails a different perspective on Dissemination

Doctor of Philosophy

dissertationWe develop a novel framework for friend-to-friend (f2f) distributed services (F3DS) by which applications can easily offer peer-to-peer (p2p) services among social peers with resource sharing governed by approximated levels of social altruism. Our frame- work differs significantly from typical p2p collaboration in that it provides a founda- tion for distributed applications to cooperate based on pre-existing trust and altruism among social peers. With the goal of facilitating the approximation of relative levels of altruism among social peers within F3DS, we introduce a new metric: SocialDistance. SocialDistance is a synthetic metric that combines direct levels of altruism between peers with an altruism decay for each hop to approximate indirect levels of altruism. The resulting multihop altruism levels are used by F3DS applications to proportion and prioritize the sharing of resources with other social peers. We use SocialDistance to implement a novel flash file/patch distribution method, SocialSwarm. SocialSwarm uses the SocialDistance metric as part of its resource allocation to overcome the neces- sity of (and inefficiency created by) resource bartering among friends participating in a BitTorrent swarm. We find that SocialSwarm achieves an average file download time reduction of 25% to 35% in comparison with standard BitTorrent under a variety of configurations and conditions, including file sizes, maximum SocialDistance, as well as leech and seed counts. The most socially connected peers yield up to a 47% decrease in download completion time in comparison with average nonsocial BitTorrent swarms. We also use the F3DS framework to implement novel malware detection application- F3DS Antivirus (F3AV)-and evaluate it on the Amazon cloud. We show that with f2f sharing of resources, F3AV achieves a 65% increase in the detection rate of 0- to 1-day-old malware among social peers as compared to the average of individual scanners. Furthermore, we show that F3AV provides the greatest diversity of mal- ware scanners (and thus malware protection) to social hubs-those nodes that are positioned to provide strategic defense against socially aware malware

Cyberhealth and Informational Wellbeing

In this dissertation, I present a new framework for conceptualizing the digital landscape inspired by the field of public health. I call this framework Public Cyberhealth. This framework is an alternative to the dominant cybersecurity paradigm, which frames cyberspace as a digital battleground. I argue that the philosophy of public health can be useful for thinking about the normative justification for—and ethical limits on—government intervention in cyberspace, while public health policy and institutions can serve as examples of how to manifest these higher principles (e.g. the WHO, ethical review boards). This Public Cyberhealth framework takes seriously non-malicious threats to network robustness and resilience (e.g. human error, buggy code, natural disasters), highlights the impact of network threats and interventions on health and wellbeing, and is more thoughtful about protecting individual rights compared to the dominant cybersecurity lens typically used by policymakers and IT professionals. In addition to defining this alternative framework, I demonstrate how it may be used in three contexts. First, I explore how thinking about the digital landscape like a public health expert can help one to understand the role public goods play in maintaining robust digital networks. Second, I explore how this framework can help one to create polices which adequately account for how digital technologies impact health. And third, I define a theory of “informational wellbeing,” which seeks to capture the myriad of ways in which digital information and its use, control, accuracy, and accessibility impact personal wellbeing. The Public Cyberhealth framework is not only a useful and coherent way of thinking about technology policy, but also reveals interesting and surprising things about the nature of health, wellbeing, and identity in the digital age

Application of Software Engineering Principles to Synthetic Biology and Emerging Regulatory Concerns

As the science of synthetic biology matures, engineers have begun to deliver real-world applications which are the beginning of what could radically transform our lives. Recent progress indicates synthetic biology will produce transformative breakthroughs. Examples include: 1) synthesizing chemicals for medicines which are expensive and difficult to produce; 2) producing protein alternatives; 3) altering genomes to combat deadly diseases; 4) killing antibiotic-resistant pathogens; and 5) speeding up vaccine production. Although synthetic biology promises great benefits, many stakeholders have expressed concerns over safety and security risks from creating biological behavior never seen before in nature. As with any emerging technology, there is the risk of malicious use known as the dual-use problem. The technology is becoming democratized and de-skilled, and people in do-it-yourself communities can tinker with genetic code, similar to how programming has become prevalent through the ease of using macros in spreadsheets. While easy to program, it may be non-trivial to validate novel biological behavior. Nevertheless, we must be able to certify synthetically engineered organisms behave as expected, and be confident they will not harm natural life or the environment. Synthetic biology is an interdisciplinary engineering domain, and interdisciplinary problems require interdisciplinary solutions. Using an interdisciplinary approach, this dissertation lays foundations for verifying, validating, and certifying safety and security of synthetic biology applications through traditional software engineering concepts about safety, security, and reliability of systems. These techniques can help stakeholders navigate what is currently a confusing regulatory process. The contributions of this dissertation are: 1) creation of domain-specific patterns to help synthetic biologists develop assurance cases using evidence and arguments to validate safety and security of designs; 2) application of software product lines and feature models to the modular DNA parts of synthetic biology commonly known as BioBricks, making it easier to find safety features during design; 3) a technique for analyzing DNA sequence motifs to help characterize proteins as toxins or non-toxins; 4) a legal investigation regarding what makes regulating synthetic biology challenging; and 5) a repeatable workflow for leveraging safety and security artifacts to develop assurance cases for synthetic biology systems. Advisers: Myra B. Cohen and Brittany A. Dunca

An investigation into Off-Link IPv6 host enumeration search methods

This research investigated search methods for enumerating networked devices on off-link 64 bit Internet Protocol version 6 (IPv6) subnetworks. IPv6 host enumeration is an emerging research area involving strategies to enable detection of networked devices on IPv6 networks. Host enumeration is an integral component in vulnerability assessments (VAs), and can be used to strengthen the security profile of a system. Recently, host enumeration has been applied to Internet-wide VAs in an effort to detect devices that are vulnerable to specific threats. These host enumeration exercises rely on the fact that the existing Internet Protocol version 4 (IPv4) can be exhaustively enumerated in less than an hour. The same is not true for IPv6, which would take over 584,940 years to enumerate a single network. As such, research is required to determine appropriate host enumeration search methods for IPv6, given that the protocol is seeing increase global usage. For this study, a survey of Internet resources was conducted to gather information about the nature of IPv6 usage in real-world scenarios. The collected survey data revealed patterns in the usage of IPv6 that influenced search techniques. The research tested the efficacy of various searching algorithms against IPv6 datasets through the use of simulation. Multiple algorithms were devised to test different approaches to host enumeration against 64 bit IPv6 subnetworks. Of these, a novel adaptive heuristic search algorithm, a genetic algorithm and a stripe search algorithm were chosen to conduct off-link IPv6 host enumeration. The suitability of a linear algorithm, a Monte Carlo algorithm and a pattern heuristics algorithm were also tested for their suitability in searching off-link IPv6 networks. These algorithms were applied to two test IPv6 address datasets, one comprised of unique IPv6 data observed during the survey phase, and one comprised of unique IPv6 data generated using pseudorandom number generators. Searching against the two unique datasets was performed in order to determine appropriate strategies for off-link host enumeration under circumstances where networked devices were configured with addresses that represented real-word IPv6 addresses, and where device addresses were configured through some randomisation function. Whilst the outcomes of this research support that an exhaustive enumeration of an IPv6 network is infeasible, it has been demonstrated that devices on IPv6 networks can be enumerated. In particular, it was identified that the linear search technique and the variants tested in this study (pattern search and stripe search), remained the most consistent means of enumerating an IPv6 network. Machine learning methods were also successfully applied to the problem. It was determined that the novel adaptive heuristic search algorithm was an appropriate candidate for search operations. The adaptive heuristic search algorithm successfully enumerated over 24% of the available devices on the dataset that was crafted from surveyed IPv6 address data. Moreover, it was confirmed that stochastic address generation can reduce the effectiveness of enumeration strategies, as all of the algorithms failed to enumerate more than 1% of hosts against a pseudorandomly generated dataset. This research highlights a requirement for effective IPv6 host enumeration algorithms, and presents and validates appropriate methods. The methods presented in this thesis can help to influence the tools and utilities that are used to conduct host enumeration exercises

Software similarity and classification

This thesis analyses software programs in the context of their similarity to other software programs. Applications proposed and implemented include detecting malicious software and discovering security vulnerabilities