    Sistema de deteccíón de anomalías de red basado en el procesamiento de la Carga Útil [Payload]

    Current payload-based anomaly detection systems have serious difficulty defending against mimicry attacks as well as zero-day attacks, which can put the protected systems at serious risk. The system proposed in this document, a preprocessor for the Snort IDS, is based on the correlation between instructions of the same attack in order to defend against polymorphic attacks, and on the patterns of already known attacks, so that it can also protect against newly created attacks, since these base part of their code on some known attack. To achieve these goals, different approaches have been evaluated; all of them are developed throughout this document. OpenMP provides parallelism on shared-memory architectures to accelerate packet processing, while certain critical sections of the processing have been optimised, as has the storage of the data structures needed to hold the generated information. The performance of the new implementation has been evaluated with real traffic from the UCM network; these results yield interesting observations about the algorithm. Lines of research in progress include porting the critical sections of the processing to GPGPU, either CUDA or OpenCL, as well as the use of alert correlation systems to offload part of the workload from the IDS.

    Communication in Microkernel-Based Operating Systems

    Communication in microkernel-based systems is much more frequent than system calls known from monolithic kernels. This can be attributed to the placement of system services into their own protection domains. Communication has to be fast to avoid unnecessary overhead. Also, communication channels in microkernel-based systems are used for more than just remote procedure calls. In distributed systems, which also have a componentized design, it is state of the art to use tools to generate stubs for the communication between components. The communication interfaces of components are described in an interface definition language (IDL). In contrast to distributed systems, components of a microkernel-based system run on the same architecture and message delivery is guaranteed. In this Thesis, I explore the different kinds of communication which can be used in microkernel-based systems, as well as their possible representation in IDL. Specifically, I introduce the syntax to describe kernel objects in IDL. I discuss the complexity of IDL compilers and its relation to the complexity of the IDL. Furthermore, I evaluate the performance of the communication stubs generated by different IDL compilers and discuss techniques to minimize performance overhead in generated stubs. I validated these techniques by implementing the Drops IDL Compiler - Dice. Finally, this Thesis presents a mechanism to measure the frequency and performance of invocations of generated communication code. I used this technique to conduct measurements in highly complex systems while introducing the least possible overhead.

    Graphical User Interface to Monitor and Manage the DDAS System Performance

    A Survey on Industrial Control System Testbeds and Datasets for Security Research

    The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damage. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, academia, industry, and government are increasingly proposing testbeds (i.e., scaled-down versions of ICSs, or simulations) to test the performance of IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a state-of-the-art baseline for this field. Finally, driven by the knowledge accumulated during this survey's development, we report advice and good practices on the development, choice, and utilization of testbeds, datasets, and IDSs.

    Managing Information System Integration Technologies--A Study of Text Mined Industry White Papers

    Industry white papers are increasingly being used to explain the philosophy and operation of a product in a marketplace or technology context. This explanation is used by senior managers for strategic planning in an organization. This research explores the effectiveness of white papers and strategies for managers to learn about technologies using white papers. The research is conducted by collecting industry white papers in the area of Information System Integration and gleaning relevant information through the text-mining tool Vantage Point. The text-mined information is analyzed to provide solutions for practical problems in the systems integration market. The indirect findings of the research are New System Integration Business Models, Methods for Calculating ROI of System Integration Projects, and Managing Implementation Failures.

    Engineering analysis and literature review of the use of CORBA in distributed object-oriented systems


    Evaluation of Corba for use in distributed control systems
