4 research outputs found

    Characterization of cyber attacks through variable length Markov models

    The increase in bandwidth, the emergence of wireless technologies, and the spread of the Internet throughout the world have created new forms of communication with effects on areas such as business, entertainment, and education. This pervasion of computer networks into human activity has amplified the importance of cyber security. Network security relies heavily on Intrusion Detection Systems (IDS), whose objective is to detect malicious network traffic and computer usage. IDS data can be correlated into cyber attack tracks, which consist of ordered collections of alerts triggered during a single multi-stage attack. The objective of this research is to enhance the current knowledge of attack behavior by developing a model that captures the sequential properties of attack tracks. Two sequence characterization models are discussed: Variable Length Markov Models (VLMMs), which are a type of finite-context models, and Hidden Markov Models (HMMs), which are also known as finite-state models. A VLMM is implemented based on attack sequences s = {x1, x2, ...xn} where xi 2 and is a set of possible values of one or more fields in an alert message. This work shows how the proposed model can be used to predict future attack actions (xj+1) belonging to a newly observed and unfolding attack sequence s = {x1, x2, ..., xj}. It also presents a metric that measures the variability in attack actions based on information entropy and a method for classifying attack tracks as sophisticated or simple based on average log-loss. In addition, insights into the analysis of attack target machines are discussed

    Definition and Empirical Evaluation of Voters for Redundant Smart Sensor Systems Definición y Evaluación Empírica de Algoritmos de Voteo para Sistemas Redundantes de Sensado Inteligente

    Abstract: This study is the first attempt to integrate voting algorithms with fault diagnosis devices. Voting algorithms are used to arbitrate between the results of redundant modules in fault-tolerant systems. Smart sensors are used for FDI (Fault Detection and Isolation) purposes by means of their built-in intelligence. Integration of fault masking and FDI strategies is necessary in the construction of ultra-available/safe systems with on-line fault detection capability. This article introduces a range of novel software voting algorithms which adjudicate among the results of redundant smart sensors in a Triple Modular Redundant (TMR) system. Techniques to integrate replicated smart sensors and the fault masking approach are discussed, and a classification of hybrid voters is provided based on result and confidence values, which affect the metrics of availability and safety. Thus, voters are classified into four groups: Independent-diagnostic safety-optimised voters, Integrated-diagnostic safety-optimised voters, Independent-diagnostic availability-optimised voters and Integrated-diagnostic availability-optimised voters. The properties of each category are explained and sample versions of each class as well as their possible application areas are discussed. Keywords: Ultra-Available System, Smart Sensor, Fault Masking, Triple Modular Redundancy. Summary: This study is a first approach to integrating voting algorithms with fault diagnosis devices. Voting algorithms are used to arbitrate among the results of redundant elements in fault-tolerant systems. Smart sensors are used for fault detection and isolation (FDI) purposes, given their built-in intelligence. The integration of fault masking and FDI strategies is necessary in the construction of highly available and safe systems with on-line fault detection capability. This article introduces a range of voting algorithms that adjudicate a result among the results generated by the smart sensors in a triple redundancy module. The techniques for integrating the replicated smart sensors and the fault masking approach are reviewed in this article. A classification of hybrid voting algorithms is provided based on the result and the confidence values, which affect the availability and safety metrics of these algorithms. The voting algorithms are classified into four groups: Independent-diagnostic safety-optimised, Integrated-diagnostic safety-optimised, Independent-diagnostic availability-optimised and Integrated-diagnostic availability-optimised. The properties of each category are reviewed and samples of their implementations are discussed.

    Uncertainty in Reliability Evaluation: A Framework and Practical Case Studies

    In modern society, humans have become dependent on sophisticated engineering systems. In recent years, major man-made disasters have raised more concerns about the reliability and dependability of these systems. More public attention is paid to the presence of uncertainty and risk regarding the reliability of engineering systems. This dissertation focuses on the identification of uncertainty and its effects, and on the determination of a framework of reliability evaluation under the presence of uncertainty. This dissertation is based on the definitions and terminologies from renowned international standards and literature. The fundamentals and basic formulas are adequately explained. Existing works on similar topics have been compared and their advantages and limitations are mentioned. A novel framework is proposed to overcome the limitations of the existing works. The framework is designed to be compatible with the guidelines in risk management, and is composed of three approaches for different types of uncertainty. These approaches are: 1) approach for aleatory uncertainty, 2) approach for epistemic uncertainty, and 3) approach for early design stage. Practical case studies are demonstrated at the end of the chapter of each approach. The uncertainty information, which is obtained from this framework, can improve the confidence in the application of reliability studies to critical engineering systems. Uncertainty in Reliability Evaluation: Technological progress, the merging of different technological fields, and the increasing complexity of systems make reliability and availability analyses indispensable and, already in the planning phase, an integral part of system design, in order to avoid financial losses and high penalty payments later. The methods applied so far for determining reliability and availability figures have the disadvantage that uncertainties are not sufficiently taken into account, so that no statement can be made about their influence on these figures. The dissertation is based on the definitions and terminologies of international standards and scientific findings. Various fundamentals and the basic methods are explained. Existing works on uncertainty are compared and their advantages and disadvantages are stated. A new framework is proposed to overcome the limitations of the existing works. It follows the guidelines of risk management and consists of three approaches for taking different types of uncertainty into account. These approaches are: 1) an approach for aleatory uncertainty, 2) an approach for epistemic uncertainty, and 3) an approach for uncertainty in early planning or development phases (early design stage). Practical case studies on uncertainty are presented at the end of the respective chapters. The information obtained from the analyses can serve to improve confidence in the application of reliability studies.