18 research outputs found

    Firmware enhancements for BYOD-aware network security

    In today's connected world, users move through a complex set of networks, including 3G and 4G (LTE) services provided by mobile operators, Wi-Fi hotspots in private and public places, and wireless and/or wired LAN access in business and home environments. Following the rapidly expanding Bring Your Own Device (BYOD) approach, many public and educational institutions have begun to encourage customers and students to use their own devices at all times. While this may be cost-effective in terms of lower hardware investment and consequently lower long-term maintenance costs, it also carries security risks. In particular, users are often connected to more than one network and/or communication service provider at the same time, for example to a 3G/4G mobile network and to a Wi-Fi network. In a BYOD setting, an infected or rogue device can become an unintended gateway between those networks, causing a security breach by leaking information across them. To investigate the implications of BYOD for network security in private and business settings in greater detail, we are building a framework for experiments with mobile routers in both home and business networks. This is a continuation of our earlier work on communications and services with enhanced security for network appliances.

    Generating background network traffic for network security testbeds

    With the advancement of science and technology, there has been a rapid growth in computer network attacks. Most of them are sophisticated, stealthy attacks that are hard to trace. Although researchers have been working on attack detection, prevention and mitigation, existing network security evaluation techniques lack an effective experimental infrastructure and rigorous scientific methodologies for developing and testing cyber security technologies. To make progress in this area, we need to address one of the major shortcomings in evaluating network security mechanisms: the lack of relevant, representative network data. The research community needs tools that can generate scalable, tunable and representative network traffic. Such tools are vital in a testbed environment, where they are used to evaluate the behaviour and performance of security tools. In this context, we present the Markov Traffic Generator (MTG), which generates representative background traffic at the session level, unlike previous approaches, which operate at the packet level. The tool is application dependent and can generate various types of TCP traffic. In this work, we develop a classification of background traffic generation models based on past work and present the MTG toolkit. As opposed to past work, MTG uses a first-order hierarchical Markov agent to generate background user behaviour in a network testbed. The Markov agents can be used to generate behaviour that mimics observed traffic in real networks. The thesis concludes by showing that MTG can realistically replicate observed network behaviour, making it useful for researchers and developers building, testing and evaluating cyber security tools.
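    The abstract describes a first-order hierarchical Markov agent that produces traffic at the session level. The following sketch, added here by the editor and not taken from the MTG thesis, shows what such an agent looks like: an application-level chain decides which protocol the simulated user talks next, and a per-application chain decides the actions inside that session. All transition probabilities are constructed values, not figures from the thesis, and the protocol names are only labels for the generated sessions.

```python
"""Two-level (hierarchical) first-order Markov session generator.

Constructed illustration of session-level background traffic generation:
the top chain picks the next application, the inner chain picks the
actions within that session.  Probabilities are made-up numbers.
"""
import random
from collections import Counter, defaultdict

# Application-level chain: P(next application | current application).
APP_TRANSITIONS = {
    "http": {"http": 0.6, "dns": 0.2, "smtp": 0.1, "idle": 0.1},
    "dns":  {"http": 0.7, "dns": 0.1, "smtp": 0.1, "idle": 0.1},
    "smtp": {"http": 0.3, "dns": 0.2, "smtp": 0.3, "idle": 0.2},
    "idle": {"http": 0.5, "dns": 0.2, "smtp": 0.1, "idle": 0.2},
}

# Action-level chains, one per application; "end" closes the session.
ACTION_TRANSITIONS = {
    "http": {
        "start": {"GET": 0.8, "POST": 0.2},
        "GET":   {"GET": 0.5, "POST": 0.2, "end": 0.3},
        "POST":  {"GET": 0.6, "end": 0.4},
    },
    "dns": {
        "start": {"A": 0.7, "AAAA": 0.3},
        "A":     {"AAAA": 0.3, "end": 0.7},
        "AAAA":  {"A": 0.2, "end": 0.8},
    },
    "smtp": {
        "start": {"EHLO": 1.0},
        "EHLO":  {"MAIL": 1.0},
        "MAIL":  {"RCPT": 1.0},
        "RCPT":  {"RCPT": 0.3, "DATA": 0.7},
        "DATA":  {"MAIL": 0.2, "end": 0.8},
    },
    "idle": {"start": {"end": 1.0}},
}


def _step(table, state, rng):
    """Draw the next state from one row of a transition table."""
    choices = list(table[state].items())
    r = rng.random()
    acc = 0.0
    for nxt, p in choices:
        acc += p
        if r < acc:
            return nxt
    return choices[-1][0]  # guard against floating-point round-off


def generate_sessions(n_sessions, seed=0, start="idle"):
    """Return n_sessions dicts {app, actions}; 'start'/'end' are not emitted."""
    rng = random.Random(seed)
    app = start
    sessions = []
    for _ in range(n_sessions):
        app = _step(APP_TRANSITIONS, app, rng)
        actions, state = [], "start"
        while True:
            state = _step(ACTION_TRANSITIONS[app], state, rng)
            if state == "end":
                break
            actions.append(state)
        sessions.append({"app": app, "actions": actions})
    return sessions


def empirical_app_transitions(sessions, start="idle"):
    """Re-estimate the application-level matrix from generated sessions."""
    counts = defaultdict(Counter)
    prev = start
    for s in sessions:
        counts[prev][s["app"]] += 1
        prev = s["app"]
    return {a: {b: c / sum(row.values()) for b, c in row.items()}
            for a, row in counts.items()}


def max_abs_error(estimated, truth):
    """Largest gap between re-estimated and specified probabilities."""
    return max(abs(estimated.get(a, {}).get(b, 0.0) - p)
               for a, row in truth.items() for b, p in row.items())


if __name__ == "__main__":
    sessions = generate_sessions(20, seed=1)
    for s in sessions:
        print(s["app"], " ".join(s["actions"]))
```

    Re-estimating the transition matrix from a long run is the basic sanity check for a generator of this kind: if the empirical matrix does not converge to the one specified, the agent is not reproducing the behaviour it was configured with, and any detector evaluated against its output is being measured against the wrong baseline.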

    Mutating network scans for the assessment of supervised classifier ensembles

    As is well known, some Intrusion Detection Systems (IDSs) suffer from high rates of false positives and false negatives. A mutation technique is proposed in this study to test and evaluate the performance of a full range of classifier ensembles for network intrusion detection when trying to recognize new attacks. The novel technique applies mutant operators that randomly modify the features of captured network packets to generate situations that could not otherwise be provided to IDSs during learning. A comprehensive comparison of supervised classifiers and their ensembles is performed to assess their generalization capability. It is based on the idea of confronting them with brand new network attacks obtained by means of the mutation technique. Finally, an example application of the proposed testing model is applied to the identification of network scans and related mutations.

    Funding: Spanish Ministry of Science and Innovation (TIN2010-21272-C02-01 and CIT-020000-2009-12), both funded by the European Regional Development Fund. The authors would also like to thank the vehicle interior manufacturer Grupo Antolin Ingenieria S. A., within the framework of the MAGNO2008 - 1028.- CENIT project, also funded by the MICINN, the Spanish Ministry of Science and Innovation (PID 560300-2009-11) and the Regional Government of Castile-Leon (CCTT/10/BU/0002). This work was also supported in the framework of the IT4Innovations Centre of Excellence project, reg. no. CZ.1.05/1.1.00/02.0070, supported by the Operational Program 'Research and Development for Innovations' funded through the Structural Funds of the European Union and the state budget of the Czech Republic. This is a pre-copyedited, author-produced PDF of an article accepted for publication in Logic Journal of the IGPL following peer review.
    The version of record: Javier Sedano, Silvia González, Álvaro Herrero, Bruno Baruque, and Emilio Corchado, Mutating network scans for the assessment of supervised classifier ensembles, Logic Jnl IGPL, first published online September 3, 2012, doi:10.1093/jigpal/jzs037 is available online at: http://jigpal.oxfordjournals.org/content/early/2012/09/03/jigpal.jzs03
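    The mutation idea above is easy to reproduce on a small scale. The block below is an added illustration by the editor, not the paper's code: it defines a constructed feature record for a SYN probe, a handful of mutant operators that randomly rewrite single features, and two hand-written rules standing in for the classifiers the paper evaluates. One rule keys on incidental header values of the training probes, the other only on what defines the probe; the evasion rate of each over a population of mutants is the generalization measure. Field names, value ranges and both rules are assumptions for the example.

```python
"""Mutant operators over packet feature records (constructed illustration).

Each operator returns a copy of a feature record with one feature rewritten
at random.  Running a detector over many mutants shows how much of its
decision rests on features that an attacker can vary freely.
"""
import random

# Constructed feature record of one SYN probe; not taken from a real capture.
BASE_SCAN = {"dst_port": 22, "ttl": 48, "window": 1024, "flags": "S", "payload_len": 0}


def brittle_detect(pkt):
    """Rule keyed on exact header values seen in training probes (constructed)."""
    return (pkt["flags"] == "S" and pkt["window"] == 1024
            and pkt["ttl"] <= 64 and pkt["payload_len"] == 0)


def tolerant_detect(pkt):
    """Rule keyed only on what defines the probe: a SYN with no payload."""
    return pkt["flags"] == "S" and pkt["payload_len"] == 0


# Mutant operators: each rewrites one feature of a copy of the record.
def mutate_ttl(pkt, rng):
    return {**pkt, "ttl": rng.randint(1, 255)}


def mutate_window(pkt, rng):
    return {**pkt, "window": rng.randint(1, 65535)}


def mutate_flags(pkt, rng):
    return {**pkt, "flags": rng.choice(["S", "SA", "A", "F", "FPU", "R"])}


def mutate_payload(pkt, rng):
    return {**pkt, "payload_len": rng.randint(1, 1400)}


def mutate_port(pkt, rng):
    return {**pkt, "dst_port": rng.randint(1, 65535)}


OPERATORS = [mutate_ttl, mutate_window, mutate_flags, mutate_payload, mutate_port]


def generate_mutants(base, n, seed=0):
    """Apply one randomly chosen operator per mutant; seeded for repeatability."""
    rng = random.Random(seed)
    return [rng.choice(OPERATORS)(base, rng) for _ in range(n)]


def evasion_rate(detector, mutants):
    """Fraction of mutants the detector no longer flags."""
    missed = sum(1 for m in mutants if not detector(m))
    return missed / len(mutants)


def compare(n=1000, seed=7):
    """Evasion rate of both rules over the same mutant population."""
    mutants = generate_mutants(BASE_SCAN, n, seed)
    return {"brittle": evasion_rate(brittle_detect, mutants),
            "tolerant": evasion_rate(tolerant_detect, mutants)}


if __name__ == "__main__":
    print(compare())
```

    Some mutants stop being scans at all (a SYN with a 1 kB payload is a different thing), which is exactly the caveat the paper's approach carries: mutated records are only useful as test cases while they still describe the class of attack being assessed, so the operator set and value ranges need to be chosen with the protocol in mind rather than purely at random.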

    Anomaly-based network intrusion detection: Techniques, systems and challenges.

    Keywords: Threat; Intrusion detection; Anomaly detection; IDS systems and platforms; Assessment

    The Internet and computer networks are exposed to an increasing number of security threats. With new types of attacks appearing continually, developing flexible and adaptive security-oriented approaches is a severe challenge. In this context, anomaly-based network intrusion detection techniques are a valuable technology to protect target systems and networks against malicious activities. However, despite the variety of such methods described in the literature in recent years, security tools incorporating anomaly detection functionality are only just starting to appear, and several important problems remain to be solved. This paper begins with a review of the most well-known anomaly-based intrusion detection techniques. Then, available platforms, systems under development and research projects in the area are presented. Finally, we outline the main challenges to be dealt with for the wide-scale deployment of anomaly-based intrusion detectors, with special emphasis on assessment issues. © 2008 Elsevier Ltd. All rights reserved.

    Introduction. Intrusion Detection Systems (IDS) are security tools that, like other measures such as antivirus software, firewalls and access control schemes, are intended to strengthen the security of information and communication systems. Although, as shown i

    A Study Of Methodologies Used In Intrusion Detection And Prevention Systems

    The increase in security breaches of computer systems and computer networks has led to an increase in the number of security tools that seek to protect these assets. Among these tools are intrusion detection and prevention systems (IDPS). IDPS are security systems used to detect and prevent security threats to computer systems and computer networks. These systems are configured to detect and respond to security threats automatically, thereby reducing the risk to the monitored computers and networks.

    A Framework for Hybrid Intrusion Detection Systems

    Attacks on web applications are a serious threat to the world's information technology infrastructure. The Open Web Application Security Project (OWASP) generally defines web application security violations as unauthorized or unintentional exposure, disclosure or loss of personal information. These breaches occur without the company's knowledge, and it often takes a while before the web application attack is revealed to the public, typically only after the security violation has been fixed. Because they need to protect their reputation, organizations have begun researching solutions to these problems. The most widely accepted solution is the use of an Intrusion Detection System (IDS). Such systems currently rely either on signatures of the attack used for the data breach or on changes in the behaviour patterns of the system to identify an intruder. Both signature-based and anomaly-based systems are readily understood by attackers. Issues arise when an existing IDS misses an attack because the attack does not fit the pre-defined attack signatures the IDS is implemented to discover. Despite current IDS capabilities, little research has identified a method to detect all potential attacks on a system. This thesis intends to address this problem, with particular emphasis on detecting advanced attacks such as those that take place at the application layer. These attacks bypass existing IDSs and increase the potential for a web application security breach to occur without being detected. The attacks under study are all web application layer attacks: SQL injection, cross-site scripting, directory traversal and remote file inclusion. This work identifies common existing data breach detection methods as well as the necessary improvements to IDS models.
    Ultimately, the proposed approach combines an anomaly detection technique measured by cross entropy with a signature-based attack detection framework that uses a genetic algorithm. The proposed hybrid model for data breach detection benefits organizations by increasing security measures and allowing attacks to be identified faster and more efficiently.
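    To make the hybrid model concrete, here is a small worked version added by the editor; it is not the thesis's implementation. The anomaly half scores a request parameter by the cross entropy H(p, q) = -Σ p(x) log2 q(x), where p is the character distribution of the value under test and q is a Laplace-smoothed character model learned from a constructed set of benign values. The signature half is a set of hand-written regular expressions for the four attack classes named in the abstract (the genetic algorithm that evolves signatures in the thesis is not reproduced). The benign values, the regexes and the mean-plus-three-standard-deviations cut-off are all assumptions for the example.

```python
"""Hybrid web-parameter detector: signature rules plus a cross-entropy score.

Constructed illustration.  A value raises a signature alert if any regex
matches, and an anomaly alert if its cross entropy against the benign
character model exceeds a threshold learned from the benign set.
"""
import math
import re
from collections import Counter

# Constructed benign parameter values standing in for training traffic.
NORMAL_VALUES = ["alice", "bob42", "search term", "john.doe", "product 17",
                 "hello world", "summer2019", "q=shoes"]

# Constructed signature rules, one per attack class; not an exhaustive set.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select|--\s*$|;\s*drop\s+table", re.I),
    "xss": re.compile(r"<script\b|javascript:|on\w+\s*=", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|%2e%2e%2f", re.I),
    "rfi": re.compile(r"^(https?|ftp)://", re.I),
}

PRINTABLE = {chr(c) for c in range(32, 127)}


class CrossEntropyProfile:
    """Laplace-smoothed character model q learned from benign values."""

    def __init__(self, values, alpha=1.0):
        counts = Counter("".join(values))
        alphabet = PRINTABLE | set(counts)
        self.alpha = alpha
        self.total = sum(counts.values()) + alpha * len(alphabet)
        self.q = {ch: (counts[ch] + alpha) / self.total for ch in alphabet}
        scores = [self.cross_entropy(v) for v in values]
        mean = sum(scores) / len(scores)
        std = math.sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
        self.threshold = mean + 3 * std  # constructed choice of cut-off

    def cross_entropy(self, value):
        """H(p, q) in bits, with p the character frequencies of this value."""
        if not value:
            return 0.0
        p = Counter(value)
        n = len(value)
        floor = self.alpha / self.total  # characters outside the alphabet
        return -sum(c / n * math.log2(self.q.get(ch, floor)) for ch, c in p.items())


PROFILE = CrossEntropyProfile(NORMAL_VALUES)


def classify(value, profile=PROFILE):
    """Return alert labels: 'signature:<class>' for each matching rule, plus
    'anomaly' if the cross entropy exceeds the learned threshold."""
    alerts = [f"signature:{name}" for name, rx in SIGNATURES.items() if rx.search(value)]
    if profile.cross_entropy(value) > profile.threshold:
        alerts.append("anomaly")
    return alerts


if __name__ == "__main__":
    for v in ["hello world", "' OR 1=1 --", "'/**/oR/**/1=1", "../../etc/passwd"]:
        print(repr(v), round(PROFILE.cross_entropy(v), 2), classify(v))
```

    The value "'/**/oR/**/1=1" is the case the hybrid design is meant for: comment-padded SQL injection slips past every regex above, but the quote, slash, asterisk and uppercase characters are rare in the benign model, so its cross entropy lands well above the threshold and the anomaly half fires. The trade-off runs the other way too: a cross-entropy model keyed on characters says nothing about a payload built from ordinary words, which is why the signature half remains in the loop.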

    Feedback control in intrusion detection systems

    Master's thesis (Master of Engineering).

    Detector Design Considerations in High-Dimensional Artificial Immune Systems

    This research lays the groundwork for a network intrusion detection system that can operate with only knowledge of normal network traffic, using a process known as anomaly detection. Real-valued negative selection (RNS) is a specific anomaly detection algorithm that can be used to perform two-class classification when only one class is available for training. Researchers have shown fundamental problems with the most common detector shape, hyperspheres, in high-dimensional space. The research contained herein shows that the second most common detector type, hypercubes, can also cause problems due to biasing certain features in high dimensions. To address these problems, a new detector shape, the hypersteinmetz solid, is proposed, the goal of which is to provide a tradeoff between the problems plaguing hyperspheres and hypercubes. In order to investigate the potential benefits of the hypersteinmetz solid, an effective RNS detector size range is determined. Then, the relationship between content coverage of a dataset and classification accuracy is investigated. Subsequently, this research shows the tradeoffs that take place in high-dimensional data when hypersteinmetzes are chosen over hyperspheres or hypercubes. The experimental results show that detector shape is the dominant factor toward classification accuracy in high-dimensional RNS
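    The detector-shape question in the abstract can be seen in a few dozen lines. The block below is an added illustration by the editor, not the thesis's code: it runs real-valued negative selection with either hypersphere (Euclidean) or hypercube (Chebyshev) detectors of a common radius over a constructed "normal" cluster, censors any candidate that covers a self sample, estimates how much of the unit hypercube the surviving detectors cover, and computes the closed-form ratio of a hypersphere's volume to that of the hypercube of the same half-width, which is what makes hyperspheres lose coverage as the dimension grows. The hypersteinmetz solid proposed in the thesis is not reproduced here; the self-set generator, radius and candidate count are assumptions for the example.

```python
"""Real-valued negative selection (RNS) with hypersphere and hypercube detectors.

Constructed illustration.  Candidate detectors are drawn uniformly from the
unit hypercube and kept only if no self (normal) sample falls inside them;
a test point is anomalous if any kept detector covers it.
"""
import math
import random


def _euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _cheby(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


# Detector shape is fixed by the distance that defines "inside".
DISTANCE = {"hypersphere": _euclid, "hypercube": _cheby}


def make_self_set(dim, n, spread=0.1, seed=42):
    """Constructed normal data: a cluster around the centre of [0,1]^dim."""
    rng = random.Random(seed)
    return [[0.5 + rng.uniform(-spread, spread) for _ in range(dim)] for _ in range(n)]


def train_detectors(self_set, dim, radius, shape, n_candidates, seed=0):
    """Censoring step: keep a candidate only if it covers no self sample."""
    rng = random.Random(seed)
    dist = DISTANCE[shape]
    detectors = []
    for _ in range(n_candidates):
        center = [rng.random() for _ in range(dim)]
        if all(dist(center, s) > radius for s in self_set):
            detectors.append(center)
    return detectors


def is_anomalous(point, detectors, radius, shape):
    """Two-class decision from one-class training: covered means non-self."""
    dist = DISTANCE[shape]
    return any(dist(point, c) <= radius for c in detectors)


def coverage(detectors, radius, shape, dim, n_probe=2000, seed=1):
    """Monte-Carlo estimate of the fraction of [0,1]^dim the detectors cover."""
    rng = random.Random(seed)
    hits = sum(is_anomalous([rng.random() for _ in range(dim)], detectors, radius, shape)
               for _ in range(n_probe))
    return hits / n_probe


def volume_ratio(dim):
    """V(hypersphere of radius r) / V(hypercube of half-width r) in dim dimensions.

    pi^(d/2) / (Gamma(d/2 + 1) * 2^d); independent of r, and it collapses
    towards zero as d grows, which is the hypersphere problem in high dimensions.
    """
    return math.pi ** (dim / 2) / (math.gamma(dim / 2 + 1) * 2 ** dim)


if __name__ == "__main__":
    dim, radius = 3, 0.1
    self_set = make_self_set(dim, 200)
    for shape in DISTANCE:
        dets = train_detectors(self_set, dim, radius, shape, 1000)
        print(shape, len(dets), "detectors, coverage",
              round(coverage(dets, radius, shape, dim), 3))
    for d in (2, 3, 10, 50):
        print("dim", d, "sphere/cube volume ratio", volume_ratio(d))
```

    Because a Euclidean ball of radius r sits inside the Chebyshev ball of the same r, any candidate rejected as a hypersphere is also rejected as a hypercube, so with the same seed the hypercube run keeps no more detectors than the hypersphere run; each kept hypercube, however, is larger, which is the coverage-versus-self-tolerance trade-off the abstract refers to. The volume ratio makes the dimensional effect explicit: about 0.79 in two dimensions, below 0.003 at ten.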

    Benchmarking insider threat intrusion detection systems

    viii, 97 leaves: ill.; 29 cm. Includes abstract. Includes bibliographical references (leaves 88-97).
    An intrusion detection system generally detects unwanted manipulations of computer systems. In recent years, this technology has been used to protect personal information after it has been collected by an organization. Selecting an appropriate IDS is an important decision for system security administrators who need to keep authorized employees from abusing their access to the system to exploit sensitive information. To date, little work has been done to create a benchmark that lets small and mid-size organizations measure and compare the capability of different insider threat IDSs based on user profiling. This motivates us to create a benchmark that enables organizations to compare these IDSs. The benchmark is used to produce useful comparisons of the accuracy and overhead of two key research implementations of future insider threat intrusion algorithms, both of which are based on user behaviour.

    BIOLOGICAL INSPIRED INTRUSION PREVENTION AND SELF-HEALING SYSTEM FOR CRITICAL SERVICES NETWORK

    With the explosive growth of critical services network systems and the Internet, the need for network security systems has become even more critical as information technology pervades everyday life. An Intrusion Prevention System (IPS) is an in-line mechanism focused on identifying and blocking malicious network activity in real time. This thesis presents a new intrusion prevention and self-healing (SH) system for critical services network security. The design of the proposed system is inspired by the human immune system, integrated with a nonlinear pattern recognition classification algorithm and machine learning. First, current intrusion prevention systems, biological innate and adaptive immune systems, autonomic computing and self-healing mechanisms are studied and analyzed. The importance of intrusion prevention suggests that artificial immune systems (AIS) should incorporate abstraction models from the innate and adaptive immune systems, pattern recognition, machine learning and self-healing mechanisms in order to provide an autonomous IPS with fast and highly accurate detection and prevention performance and survivability for critical services network systems. Second, a specification language, system design, and mathematical and computational models for the IPS and SH system are established, based on nonlinear classification, prevention predictability trust analysis, self-adaptation and self-healing algorithms. Finally, the system is validated by simulation tests, measurement, benchmarking and comparative studies. New benchmarking metrics for detection capability, prevention predictability trust and self-healing reliability are introduced as contributions to measuring and validating the IPS and SH system.
    The software system, design theories, AIS features, new nonlinear classification algorithm and self-healing system together show how the presented systems can ensure safety for critical services networks and heal the damage caused by intrusion. This autonomous system improves on the performance of current intrusion prevention systems and maintains system continuity by means of its self-healing mechanism.