14 research outputs found

    Exploiting n-gram location for intrusion detection

    Signature-based and protocol-based intrusion detection systems (IDS) are employed as means to reveal content-based network attacks. Such systems have proven to be effective in identifying known intrusion attempts and exploits but they fail to recognize new types of attacks or carefully crafted variants of well known ones. This paper presents the design and the development of an anomaly-based IDS technique which is able to detect content-based attacks carried out over application level protocols, like HTTP and FTP. In order to identify anomalous packets, the payload is split up in chunks of equal length and the n-gram technique is used to learn which byte sequences usually appear in each chunk. The devised technique builds a different model for each pair and uses them to classify the incoming traffic. Models are built by means of a semi-supervised approach. Experimental results witness that the technique achieves an excellent accuracy with a very low false positive rate.

    2nd GI FG SIDAR Graduate Workshop on Reactive Security (SPRING)

    SPRING is a scientific event in the field of reactive security that gives young researchers the opportunity to present the results of their own work and to make contacts beyond their own university. After the premiere in Berlin, SPRING took place in Dortmund in 2007. The talks covered a broad spectrum, from projects still in progress, some of which were being presented to a wider audience for the first time, to completed research that has also been, or is to be, presented at conferences in the near term, or that forms a focus of the presenter's diploma thesis or dissertation. The corresponding abstracts are collected in this technical report and were published electronically through the Dortmund University Library in citable and searchable form. This issue contains contributions on the following topics: incident handling and web services, dynamic environments and vulnerabilities, anomaly and protocol detection, and various aspects of IT early warning: malware detection and analysis, sensors, and cooperation.

    An Unsupervised Approach to Detecting Low-Level Attacks on Computer Networks

    Low-level attacks are attacks that stealthily enter a system without sending large numbers of packets. Examples of this type of attack are exploits, backdoors, and worms. To prevent this type of attack, we propose an intrusion detection system using Recurrent Neural Networks and Autoencoders. The proposed unsupervised approach is able to identify low-level attacks in network connections, setting aside the requirement to provide malicious samples for training data. The proposed approach gives an improvement in detection rate of at least 12.04% over previous research.

    Anomaly Detection Technique for Honeynet Data Analysis

    Identifying Malicious Activities in Honeynets using Clustering

    Reconfigurable antennas for wireless network security

    Large scale proliferation of wireless technology coupled with the increasingly hostile information security landscape is of serious concern as organizations continue to widely adopt wireless networks to access and distribute critical and confidential information. Private users also face more risks than ever as they exchange more and more sensitive information over home and public networks through their ubiquitous wireless-enabled laptops and hand held devices. The fundamental broadcast nature of wireless data transmission aggravates the situation, since unlike wired networks, it introduces multiple avenues for attack and penetration into a network. Though several traditional mechanisms do exist to protect wireless networks against threats, such schemes are a carryover from the traditional wire based systems. Hence vulnerabilities continue to exist, and have been repeatedly demonstrated to be susceptible to failure under different circumstances. The resulting uncertainties have led to a significant paradigm shift in the design and implementation of wireless security in recent times, among which wireless channel based security schemes have shown the most promise. Channel based security schemes are rooted on the simple fact that a legitimate user and an adversary cannot be physically co-located and hence the underlying multi-path structure corresponding to the two links cannot be the same. However most wireless systems are constrained in terms of bandwidth, power and number of transceivers, which seriously limit the performance of such channel based security implementations. To overcome these limitations, this thesis proposes a new dimension to the channel based security approach by introducing the capabilities of reconfigurable antennas. The main objective of this work is to demonstrate that the ability of reconfigurable antennas to generate different channel realizations that are uncorrelated between different modes will lead to significant improvements in intrusion detection rates. To this end, two different schemes that make use of channels generated by a reconfigurable antenna are proposed and evaluated through measurements. The first scheme is based on associating a channel based fingerprint to the legitimate user to prevent intrusion. The three main components of this scheme are i) a fingerprint derived from the different modes of the antenna, ii) a metric to compare two fingerprints and iii) a hypothesis test based on the proposed metric to classify intruders and legitimate transmitters. The second scheme relies on monitoring the statistics of the channels for the legitimate transmitters' links since any intrusion will result in an observable change in the channel's statistics. The problem is posed as a generalized likelihood ratio test (GLRT) which responds to any change in the channel statistics by a large spike in the likelihood ratio's value. The detector's performance is studied as a function of pattern correlation coefficient for both schemes to provide insights on designing appropriate antenna modes for better performance. Moreover this thesis takes a holistic approach to studying the antenna based security schemes. A novel channel modeling approach which combines the cluster channel model and site specific ray tracer results is proposed and validated to facilitate the analysis of such schemes through simulations without resorting to comprehensive channel measurements. This approach is motivated by the lack of an intuitive and simple channel model to study systems that use reconfigurable antennas for any application. Finally the design of a metamaterial based substrate that can help miniaturize antenna arrays and reconfigurable antennas is presented. The magnetic permeability enhanced metamaterial's capability to miniaturize an antenna's size while maintaining an acceptable level of isolation between elements in an array is experimentally demonstrated. The benefits gained in a wireless communication system that uses a patch antenna array built on this substrate is quantified in terms of mean effective gain, correlation between the antennas and channel capacity through channel measurements. Despite their capability to significantly improve spectral efficiency, the widespread adoption of reconfigurable antennas in wireless devices has been hampered by their complexity, cost and size. The work presented in this thesis is therefore intended to serve as a catalyst to the widespread adoption of reconfigurable antenna technology by i) adding value to such antennas by utilizing them for enhancing system security and ii) providing a mechanism to miniaturize them to facilitate their integration into modern space constrained wireless devices. Ph.D., Electrical Engineering -- Drexel University, 201