    Automated Approach to Intrusion Detection in VM-based Dynamic Execution Environment

    Because virtual computing platforms change dynamically, it is difficult to build a high-quality intrusion detection system for them. In this paper, we present an automated approach to intrusion detection that maintains sufficient performance while reducing dependence on the execution environment. We discuss a hidden Markov model strategy for abnormality detection based on frequent system call sequences, which lets us identify attacks and intrusions automatically and efficiently. We also propose an automated mining algorithm, named AGAS, to generate frequent system call sequences. In our approach, the detection performance is adaptively tuned according to the execution state in every period. To improve performance, the period value is also self-adjusted.

    Developments of a new approach in artificial intelligence for anomaly detection

    PhD in Informatics Engineering. This work sought to develop the cellular frustration model for computer security applications. To that end, the processes required to materialize the cellular frustration model in a semi-supervised anomaly detection algorithm were developed. The discrimination capability of the cellular frustration algorithm was then compared with that of state-of-the-art algorithms, namely support vector machines and random forests (SVMs and RFs, respectively). In the studied cases it is observed that the cellular frustration algorithm exhibits comparable, if not better, anomaly detection capabilities. Optimizations to reduce the algorithm's high computational cost that rely on new computational paradigms, i.e. the use of graphics cards, as well as optimizations aimed at reducing the algorithm's complexity, are also described. In both cases a reduction of the computational time required by the algorithm was observed. Finally, it was verified that the introduced improvements made the anomaly detection capability of the algorithm less sensitive to perturbation of its parameters.

    Detection of foreign elements in immunology-inspired models

    Master's in Physical Engineering. In this work an algorithm for nonself detection is presented, based on the Cellular Frustration mechanism. This mechanism presents a novel approach to the cellular interactions occurring in the adaptive immune system. The concept is that any nonself element will establish less frustrated interactions than the remaining elements of the system, and can thus be detected through its anomalous behaviour. The proposed algorithm has advantages over the best-known artificial immune systems. Among these advantages is the possibility of achieving perfect detection using a reduced number of detectors. In this thesis, this algorithm is compared with negative selection algorithms found in the literature.

    SPECTRAL GRAPH-BASED CYBER DETECTION AND CLASSIFICATION SYSTEM WITH PHANTOM COMPONENTS

    With cyber attacks on the rise, cyber defenders require new, innovative solutions to provide network protection. We propose a spectral graph-based cyber detection and classification (SGCDC) system using phantom components, the strong node concept, and the dual-degree matrix to detect, classify, and respond to worm and distributed denial-of-service (DDoS) attacks. The system is analyzed using absorbing Markov chains and a novel Levy-impulse model that characterizes network SYN traffic to determine the theoretical false-alarm rates of the system. The detection mechanism is analyzed in the face of network noise and congestion using Weyl's theorem, the Davis-Kahan theorem, and a novel application of the n-dimensional Euclidean metric. The SGCDC system is validated using real-world and synthetic datasets, including the WannaCry and Blaster worms and a SYN flood attack. The system accurately detected and classified the attacks in all but one case studied. The known attacking nodes were identified in less than 0.27 sec for the DDoS attack, and the worm-infected nodes were identified in less than one second after the second infected node began the target search and discovery process for the WannaCry and Blaster worm attacks. The system also produced a false-alarm rate of less than 0.005 under a scenario. These results improve upon other non-spectral graph systems that have detection rates of less than 0.97 sec and false alarm rates as high as 0.095 sec for worm and DDoS attacks. Lieutenant Commander, United States Navy. Approved for public release; distribution is unlimited.

    Intrusion Detection and Prevention: Immunologically Inspired Approaches

    Computer security can be viewed as a process of discrimination between authorized actions, legitimate users, etc., and intrusions such as viruses, trojans, etc. The immune system of the human body has been performing such discrimination for a much longer time, and it is very likely that it has developed a set of techniques and mechanisms that are, in comparison, a great deal better than the ones used in current computer security systems. And it certainly has, since otherwise the human race would be extinct by now. The immune system of the human body is a collection of mechanisms and techniques that offer an overall defense for the organism in both a distributed and a localized manner. These are specific and non-specific mechanisms. The specific ones offer a level of defense against one single type of threat, whereas the non-specific ones have a wider range. This is much like the defense mechanisms in the information security world: specific ones, such as virus signatures, and non-specific ones, such as firewalls and encryption mechanisms. The specific ones are a good way of defending against known and previously encountered attacks, for which a signature has been developed. These, however, have difficulty keeping up with dynamically changing attacks. The non-specific ones do offer a good level of general defense; however, they are static. They form a preventive barrier against intrusion and are not able to detect a currently ongoing intrusion. The immune system offers levels of defense for the organism that are very dynamic. They prevent known intrusions and are also able to adapt dynamically in order to detect ongoing ones. This latter concept is the one of interest to this study. The idea of applying immunological principles to computer security systems was introduced in 1994 by Jeffrey Kephart in the design of an immune system for computers and networks.

    An Artificial Immune System Approach with Secondary Response for Misbehavior Detection in Mobile Ad-Hoc Networks

    In mobile ad hoc networks, nodes act both as terminals and as information relays, and they participate in a common routing protocol, such as dynamic source routing (DSR). The network is vulnerable to routing misbehavior due to faulty or malicious nodes. Misbehavior detection systems aim at removing this vulnerability. In this paper, we investigate the use of an artificial immune system (AIS) to detect node misbehavior in a mobile ad hoc network using DSR. The system is inspired by the natural immune system (IS) of vertebrates. Our goal is to build a system that, like its natural counterpart, automatically learns and detects new misbehavior. We describe our solution for the classification task of the AIS; it employs negative selection and clonal selection, the algorithms for learning and adaptation used by the natural IS. We define how we map natural IS concepts such as self, antigen, and antibody to a mobile ad hoc network and give the resulting algorithm for classifying nodes as misbehaving. We implemented the system in the network simulator Glomosim; we present detection results and discuss how the system parameters affect the performance of the primary and secondary response. Further steps will extend the design by using an analogy to the innate system, danger signals, and memory cells.

    Data-Driven Architecture to Increase Resilience In Multi-Agent Coordinated Missions

    The rise in the use of Multi-Agent Systems (MASs) in unpredictable and changing environments has created the need for intelligent algorithms that increase their autonomy, safety and performance in the event of disturbances and threats. MASs are attractive for their flexibility, which also makes them prone to threats that may result from hardware failures (actuators, sensors, onboard computer, power source) and abnormal operational conditions (weather, GPS-denied location, cyber-attacks). This dissertation presents research on a bio-inspired approach for resilience augmentation in MASs in the presence of disturbances and threats such as communication link and stealthy zero-dynamics attacks. An adaptive bio-inspired architecture is developed for distributed consensus algorithms to increase fault tolerance in a network of multiple high-order nonlinear systems under directed fixed topologies. By analogy with natural organisms' ability to recognize and remember specific pathogens to generate immunity, the immunity-based architecture consists of a Distributed Model-Reference Adaptive Control (DMRAC) with an Artificial Immune System (AIS) adaptation law integrated within a consensus protocol. Feedback linearization is used to transform the high-order nonlinear model into four decoupled linear subsystems. A stability proof of the adaptation law is conducted using Lyapunov methods and Jordan decomposition. The DMRAC is proven to be stable in the presence of external time-varying bounded disturbances, and the tracking error trajectories are shown to be bounded. The effectiveness of the proposed architecture is examined through numerical simulations. The proposed controller successfully ensures that consensus is achieved among all agents while the adaptive law simultaneously rejects the disturbances in the agent and its neighbors. The architecture also includes a health management system to detect faulty agents within the global network. Further numerical simulations test and show that the Global Health Monitoring (GHM) does effectively detect faults within the network.