Automated Approach to Intrusion Detection in VM-based Dynamic Execution Environment
Because virtual computing platforms change dynamically, it is difficult to build a high-quality intrusion detection system for them. In this paper, we present an automated approach to intrusion detection that maintains sufficient detection performance while reducing dependence on the execution environment. We discuss a hidden Markov model strategy for anomaly detection based on frequent system call sequences, which lets us identify attacks and intrusions automatically and efficiently. We also propose an automated mining algorithm, named AGAS, to generate the frequent system call sequences. In our approach, the detection performance is adaptively tuned according to the execution state in every period; to improve performance further, the period length is itself self-adjusting.
Developments of a new artificial intelligence approach for anomaly detection
PhD in Computer Engineering

This work sought to develop the cellular frustration model for computer security applications. To this end, the processes required to materialize the cellular frustration model in a semi-supervised anomaly detection algorithm were developed. The discrimination capability of the cellular frustration algorithm was then compared with that of state-of-the-art algorithms, namely support vector machines and random forests (SVMs and RFs, respectively). In the studied cases, the cellular frustration algorithm exhibits comparable, if not better, anomaly detection capability. Optimizations to reduce the algorithm's high computational cost by relying on new computational paradigms, i.e. the use of graphics cards, as well as optimizations that reduce the algorithm's complexity, are also described. In both cases a reduction of the computational time required by the algorithm was observed. Finally, it was verified that the introduced improvements made the anomaly detection capability of the algorithm less sensitive to perturbation of its parameters.
Detection of foreign (nonself) elements in immunology-inspired models
MSc in Physics Engineering

In this work an algorithm for nonself detection is presented, based on the Cellular Frustration mechanism. This mechanism presents a novel approach to the cellular interactions occurring in the adaptive immune system. The concept is that any nonself element will establish less frustrated interactions than the remaining elements of the system, and can thus be detected through its anomalous behaviour. The proposed algorithm has advantages over the best-known artificial immune systems; among them is the possibility of achieving perfect detection with a reduced number of detectors. In this thesis, this algorithm is compared with negative selection algorithms found in the literature.
SPECTRAL GRAPH-BASED CYBER DETECTION AND CLASSIFICATION SYSTEM WITH PHANTOM COMPONENTS
With cyber attacks on the rise, cyber defenders require new, innovative solutions to provide network protection. We propose a spectral graph-based cyber detection and classification (SGCDC) system using phantom components, the strong node concept, and the dual-degree matrix to detect, classify, and respond to worm and distributed denial-of-service (DDoS) attacks. The system is analyzed using absorbing Markov chains and a novel Levy-impulse model that characterizes network SYN traffic to determine the theoretical false-alarm rates of the system. The detection mechanism is analyzed in the face of network noise and congestion using Weyl's theorem, the Davis-Kahan theorem, and a novel application of the n-dimensional Euclidean metric. The SGCDC system is validated using real-world and synthetic datasets, including the WannaCry and Blaster worms and a SYN flood attack. The system accurately detected and classified the attacks in all but one case studied. The known attacking nodes were identified in less than 0.27 sec for the DDoS attack, and the worm-infected nodes were identified in less than one second after the second infected node began the target search and discovery process for the WannaCry and Blaster worm attacks. The system also produced a false-alarm rate of less than 0.005 under a scenario. These results improve upon other non-spectral graph systems that have detection rates of less than 0.97 sec and false alarm rates as high as 0.095 sec for worm and DDoS attacks.

Lieutenant Commander, United States Navy. Approved for public release; distribution is unlimited.
Intrusion Detection and Prevention: Immunologically Inspired Approaches
Computer security can be viewed as a process of discrimination between authorized actions, legitimate users, etc., and intrusions such as viruses, trojans, etc. The immune system of the human body has been performing such discrimination for a much longer time, and it is very likely that it has developed a set of techniques and mechanisms that are, in comparison, a great deal better than the ones used in current computer security systems. It certainly has; otherwise, the human race would be extinct by now.

The immune system of the human body is a collection of mechanisms and techniques that offer an overall defense for the organism in both a distributed and a localized manner. These are specific and non-specific mechanisms. The specific ones offer a level of defense against one single type of threat, whereas the non-specific ones have a wider range. This is much like the defense mechanisms in the information security world: specific ones, such as virus signatures, and non-specific ones, such as firewalls and encryption mechanisms. The specific ones are a good defense against known and previously encountered attacks, for which a signature has been developed; these, however, have difficulty keeping up with dynamically changing attacks. The non-specific ones do offer a good level of general defense; however, they are static. They form a preventive barrier against the prospect of intrusion and are not able to detect a currently ongoing intrusion.

The immune system offers levels of defense for the organism that are very dynamic. They prevent known intrusions and are also able to adapt themselves dynamically in order to detect ongoing ones. This latter concept is the one of interest to this study. The idea of applying immunological principles to computer security systems was introduced in 1994 by Jeffrey Kephart in the design of an immune system for computers and networks.
An Artificial Immune System Approach with Secondary Response for Misbehavior Detection in Mobile Ad-Hoc Networks
In mobile ad hoc networks, nodes act both as terminals and as information relays, and they participate in a common routing protocol, such as dynamic source routing (DSR). The network is vulnerable to routing misbehavior due to faulty or malicious nodes. Misbehavior detection systems aim at removing this vulnerability. In this paper, we investigate the use of an artificial immune system (AIS) to detect node misbehavior in a mobile ad hoc network using DSR. The system is inspired by the natural immune system (IS) of vertebrates. Our goal is to build a system that, like its natural counterpart, automatically learns and detects new misbehavior. We describe our solution for the classification task of the AIS; it employs negative selection and clonal selection, the algorithms for learning and adaptation used by the natural IS. We define how we map the natural IS concepts such as self, antigen, and antibody to a mobile ad hoc network and give the resulting algorithm for classifying nodes as misbehaving. We implemented the system in the network simulator Glomosim; we present detection results and discuss how the system parameters affect the performance of the primary and secondary response. Further steps will extend the design by using an analogy to the innate system, danger signals, and memory cells.
Data-Driven Architecture to Increase Resilience In Multi-Agent Coordinated Missions
The rise in the use of Multi-Agent Systems (MASs) in unpredictable and changing environments has created the need for intelligent algorithms to increase their autonomy, safety and performance in the event of disturbances and threats. MASs are attractive for their flexibility, which also makes them prone to threats that may result from hardware failures (actuators, sensors, onboard computer, power source) and abnormal operational conditions (weather, GPS-denied location, cyber-attacks). This dissertation presents research on a bio-inspired approach for resilience augmentation in MASs in the presence of disturbances and threats such as communication link and stealthy zero-dynamics attacks. An adaptive bio-inspired architecture is developed for distributed consensus algorithms to increase fault tolerance in a network of multiple high-order nonlinear systems under directed fixed topologies. In analogy with natural organisms' ability to recognize and remember specific pathogens in order to generate immunity, the immunity-based architecture consists of a Distributed Model-Reference Adaptive Control (DMRAC) with an Artificial Immune System (AIS) adaptation law integrated within a consensus protocol. Feedback linearization is used to transform the high-order nonlinear model into four decoupled linear subsystems. A stability proof of the adaptation law is conducted using Lyapunov methods and Jordan decomposition. The DMRAC is proven to be stable in the presence of external time-varying bounded disturbances, and the tracking error trajectories are shown to be bounded. The effectiveness of the proposed architecture is examined through numerical simulations. The proposed controller successfully ensures that consensus is achieved among all agents while the adaptive law simultaneously rejects the disturbances in the agent and its neighbors. The architecture also includes a health management system to detect faulty agents within the global network. Further numerical simulations test the Global Health Monitoring (GHM) and show that it effectively detects faults within the network.