103 research outputs found

    Statistical anomaly denial of service and reconnaissance intrusion detection

    This dissertation presents the architecture, methods and results of the Hierarchical Intrusion Detection Engine (HIDE) and the Reconnaissance Intrusion Detection System (RIDS); the former is a denial-of-service (DoS) attack detector while the latter is a scan and probe (P&S) reconnaissance detector; both are statistical anomaly systems. HIDE is a packet-oriented, observation-window-based, hierarchical, multi-tier, anomaly-based network intrusion detection system. It monitors several network traffic parameters simultaneously, constructs a 64-bin probability density function (PDF) for each, statistically compares it to a reference PDF of normal behavior using a similarity metric, then combines the results into an anomaly status vector that is classified by a neural network classifier. Three data sets were used to test the performance of HIDE: OPNET simulation data, the DARPA'98 intrusion detection evaluation data, and the CONEX TESTBED attack data. The results showed that HIDE can reliably detect DoS attacks with high accuracy and very low false alarm rates on all data sets. In particular, the investigation using the DARPA'98 data set yielded an overall total misclassification rate of 0.13%, a false negative rate of 1.42%, and a false positive rate of 0.090%; the latter implies only about 2.6 false alarms per day. RIDS is a session-oriented statistical tool that relies on training to model the parameters of its algorithms and is capable of detecting even distributed stealthy reconnaissance attacks. It consists of two main functional modules or stages: the Reconnaissance Activity Profiler (RAP) and the Reconnaissance Alert Correlator (RAC). The RAP is a session-oriented module that detects stealthy scanning and probing attacks, while the RAC is an alert-correlation module that fuses the RAP alerts into attack scenarios and discovers distributed stealthy attack scenarios. RIDS has been evaluated against two data sets: (a) the DARPA'98 data, and (b) 3 weeks of experimental data generated on the CONEX TESTBED network. RIDS achieved remarkable success: the false positive, false negative and misclassification rates found are low, less than 0.1%, for most reconnaissance attacks; they rise to about 6% for distributed, highly stealthy attacks, the most challenging type, which had been difficult to detect effectively until now.
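The HIDE detection loop described above (a 64-bin PDF per monitored parameter, a similarity metric against a reference PDF of normal behavior, and an anomaly status vector) can be made concrete. The following is an added example, not code from the dissertation: it assumes three monitored parameters (packet length, inter-arrival time, destination port), Jensen-Shannon divergence as the similarity metric (the abstract does not name one), a fixed per-parameter threshold in place of the neural network classifier, and constructed traffic in place of the OPNET, DARPA'98 and CONEX data.

```python
import math
import random

NBINS = 64
THRESHOLD_BITS = 0.1  # assumed fixed decision threshold; HIDE fed the vector to a neural network

# Monitored parameters (an assumed set): name -> (extractor, lower bound, upper bound).
# Ports >= 1024 are clamped into the top bin, so the port PDF resolves service ports only.
PARAMS = {
    "pkt_len": (lambda p: p["len"], 0.0, 1500.0),
    "iat_ms": (lambda p: p["iat_ms"], 0.0, 100.0),
    "dst_port": (lambda p: p["dport"], 0.0, 1024.0),
}


def build_pdf(values, lo, hi, nbins=NBINS):
    """Quantise values into nbins equal-width bins and normalise to a PDF.
    Add-one smoothing keeps every bin non-zero so the divergence stays finite."""
    width = (hi - lo) / nbins
    counts = [0] * nbins
    for v in values:
        counts[min(max(int((v - lo) / width), 0), nbins - 1)] += 1
    total = len(values) + nbins
    return [(c + 1) / total for c in counts]


def _kl_bits(p, q):
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)


def js_divergence(p, q):
    """Jensen-Shannon divergence in bits: symmetric and bounded in [0, 1].
    Used here as the similarity metric between observed and reference PDFs."""
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]
    return 0.5 * _kl_bits(p, m) + 0.5 * _kl_bits(q, m)


def window_pdfs(packets):
    """One 64-bin PDF per monitored parameter for an observation window."""
    return {name: build_pdf([f(p) for p in packets], lo, hi)
            for name, (f, lo, hi) in PARAMS.items()}


def anomaly_vector(reference, packets):
    """Anomaly status vector: per-parameter divergence of the window from the reference."""
    observed = window_pdfs(packets)
    return {name: js_divergence(observed[name], reference[name]) for name in PARAMS}


def classify(vector, threshold=THRESHOLD_BITS):
    """Flag the window when any parameter diverges beyond the threshold."""
    return any(d > threshold for d in vector.values())


# --- constructed traffic, not captured data ---
def normal_traffic(n, rng):
    """Mixed web/DNS/SSH traffic: three common packet sizes, ~10 ms mean inter-arrival."""
    return [{"len": rng.choices([64, 576, 1500], [4, 2, 4])[0],
             "iat_ms": rng.expovariate(1 / 10.0),
             "dport": rng.choices([80, 443, 53, 22], [4, 4, 1, 1])[0]} for _ in range(n)]


def syn_flood(n, rng):
    """SYN flood at one service: minimum-size packets arriving every ~0.2 ms on port 80."""
    return [{"len": 60, "iat_ms": rng.expovariate(1 / 0.2), "dport": 80} for _ in range(n)]


if __name__ == "__main__":
    rng = random.Random(1)
    reference = window_pdfs(normal_traffic(20000, rng))  # training phase on clean traffic
    for label, window in (("normal", normal_traffic(2000, rng)), ("flood", syn_flood(2000, rng))):
        vec = anomaly_vector(reference, window)
        print(label, {k: round(v, 3) for k, v in vec.items()}, "-> DoS" if classify(vec) else "-> ok")
```

Add-one smoothing matters: without it, a bin that is empty in the reference but populated in the observed window makes the divergence infinite, so a single unusual packet would dominate the score. The fixed cutoff is where the original's neural network classifier earns its keep; with a constant threshold, the false-alarm rate is set by how much sampling noise a 64-bin histogram shows at the chosen window size, which is why the reference here is built from ten times more packets than a test window.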

    Flow-oriented anomaly-based detection of denial of service attacks with flow-control-assisted mitigation

    Flooding-based distributed denial-of-service (DDoS) attacks present a serious and major threat to the targeted enterprises and hosts. Current protection technologies are still largely inadequate in mitigating such attacks, especially large-scale ones. In this doctoral dissertation, the Computer Network Management and Control System (CNMCS) is proposed and investigated; it consists of the Flow-based Network Intrusion Detection System (FNIDS), the Flow-based Congestion Control (FCC) System, and the Server Bandwidth Management System (SBMS). These components form a composite defense system intended to protect against DDoS flooding attacks. The system as a whole adopts a flow-oriented, anomaly-based approach to the detection of these attacks, as well as a control-theoretic approach that adjusts the flow rate of every link to sustain the high-priority flow rates at their desired level. The results showed that the misclassification rates of FNIDS are low, less than 0.1%, for the investigated DDoS attacks, while the fine-grained service differentiation and resource isolation provided within the FCC comprise a novel and powerful built-in protection mechanism that helps mitigate DDoS attacks.
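A minimal flow-oriented detector in the spirit of FNIDS, followed by a flow-control step in the spirit of FCC, written as an added example rather than code from the dissertation. Assumed: flows keyed by the 5-tuple; four per-destination features per one-second window (new flows per second, single-packet flow fraction, SYN-only flow fraction, distinct sources); z-scores against an attack-free baseline with a two-feature vote; and a shaper that admits packets of established flows before new SYNs. The traffic is constructed.

```python
import math
import random
from collections import defaultdict


def build_flows(packets):
    """Group packet records into unidirectional flows keyed by the 5-tuple."""
    flows = {}
    for p in packets:
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        f = flows.setdefault(key, {"start": p["t"], "pkts": 0, "bytes": 0, "flags": set()})
        f["pkts"] += 1
        f["bytes"] += p["len"]
        f["flags"].add(p["flags"])
    return flows


def window_features(packets, window_s=1.0):
    """Per-destination flow statistics for one observation window (assumed feature set)."""
    acc = defaultdict(lambda: {"flows": 0, "single": 0, "syn_only": 0, "srcs": set()})
    for (src, dst, *_rest), f in build_flows(packets).items():
        a = acc[dst]
        a["flows"] += 1
        a["srcs"].add(src)
        a["single"] += int(f["pkts"] == 1)          # one-packet flows: probes or spoofed SYNs
        a["syn_only"] += int(f["flags"] == {"S"})   # handshake never completed
    return {dst: {"new_flows_ps": a["flows"] / window_s,
                  "single_pkt_frac": a["single"] / a["flows"],
                  "syn_only_frac": a["syn_only"] / a["flows"],
                  "distinct_srcs": len(a["srcs"])} for dst, a in acc.items()}


def fit_baseline(rows):
    """Mean and standard deviation of each feature over attack-free training windows."""
    base = {}
    for name in rows[0]:
        xs = [r[name] for r in rows]
        mu = sum(xs) / len(xs)
        sd = math.sqrt(sum((x - mu) ** 2 for x in xs) / len(xs))
        base[name] = (mu, max(sd, 0.02 * abs(mu), 1e-3))  # floor keeps z-scores finite
    return base


def score(baseline, row, k=6.0, min_hits=2):
    """z-score every feature; declare a flood when at least min_hits of them exceed k."""
    z = {n: (row[n] - mu) / sd for n, (mu, sd) in baseline.items()}
    hits = sorted(n for n, v in z.items() if v > k)
    return {"z": z, "hits": hits, "flood": len(hits) >= min_hits}


def shape(packets, capacity_pps, high_priority, window_s=1.0):
    """Flow-control step (simplified stand-in for FCC/SBMS): admit packets of
    high-priority flows first; new SYNs only get whatever budget remains."""
    budget = int(capacity_pps * window_s)
    ordered = sorted(packets, key=lambda p: p["t"])
    high = [p for p in ordered if high_priority(p)][:budget]
    low = [p for p in ordered if not high_priority(p)][:budget - len(high)]
    return sorted(high + low, key=lambda p: p["t"])


# --- constructed traffic, not captured data ---
SERVER = "10.0.0.5"


def normal_window(t0, rng):
    """35-65 client flows per second: 90% multi-packet TCP/443, 10% single-packet UDP/53."""
    pkts = []
    for i in range(rng.randint(35, 65)):
        src, sport, start = f"192.168.1.{rng.randint(1, 40)}", 1024 + i, t0 + rng.random()
        if rng.random() < 0.1:
            pkts.append({"t": start, "src": src, "dst": SERVER, "sport": sport, "dport": 53,
                         "proto": "udp", "len": 80, "flags": ""})
            continue
        for k in range(rng.randint(4, 20)):
            pkts.append({"t": start + 0.01 * k, "src": src, "dst": SERVER, "sport": sport,
                         "dport": 443, "proto": "tcp", "len": 60 if k == 0 else rng.randint(60, 1500),
                         "flags": "S" if k == 0 else "A"})
    return pkts


def syn_flood_window(t0, rng, n=2000):
    """Spoofed-source SYN flood: n one-packet flows in one second, handshakes never completed."""
    return [{"t": t0 + rng.random(), "src": ".".join(str(rng.randint(1, 254)) for _ in range(4)),
             "dst": SERVER, "sport": rng.randint(1024, 65535), "dport": 443, "proto": "tcp",
             "len": 60, "flags": "S"} for _ in range(n)]


if __name__ == "__main__":
    rng = random.Random(7)
    baseline = fit_baseline([window_features(normal_window(t, rng))[SERVER] for t in range(30)])
    for label, pkts in (("normal", normal_window(100, rng)), ("flood", syn_flood_window(101, rng))):
        verdict = score(baseline, window_features(pkts)[SERVER])
        print(label, verdict["hits"], "flood" if verdict["flood"] else "ok")
    mixed = normal_window(102, rng) + syn_flood_window(102, rng)
    kept = shape(mixed, capacity_pps=1000, high_priority=lambda p: p["flags"] != "S")
    print(f"admitted {len(kept)} of {len(mixed)} packets, established flows untouched")
```

Requiring two features to exceed the z threshold is the cheap way to keep the false-alarm rate down when one feature (the raw flow count) is naturally bursty; the SYN-only fraction and the spoofed-source count are what separate a flood from a flash crowd. The shaper is a one-window stand-in for the control-theoretic rate adjustment described above: it protects established flows outright instead of tracking a setpoint over time, which is enough to show the resource-isolation idea but not the link-rate dynamics.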

    An Artificial Neural Network-based Decision-Support System for Integrated Network Security

    As large-scale cyber attacks become more sophisticated, local network defenders should employ strength in numbers to achieve mission success. Group collaboration reduces the individual effort needed to analyze and assess network traffic. Network defenders must evolve from an isolated defense-in-sector policy toward a collaborative strength-in-numbers defense policy that rethinks traditional network boundaries. Such a policy incorporates a network-watch approach to global threat defense, in which local defenders share the occurrence of local threats in real time across network security boundaries, increasing Cyber Situation Awareness (CSA) and providing localized decision support. A single-layer feed-forward artificial neural network (ANN) is employed as a global threat event recommender system (GTERS) that learns expert-based threat mitigation decisions. The system combines the occurrence of local threat events into a unified global event situation, forming a global policy that allows various local policy interpretations of the global event. This flexibility lets a Linux-based network defender ignore Windows-specific threats while focusing on Linux threats in real time. In this thesis, the GTERS is shown to encode an arbitrary policy with 99.7% accuracy based on five threat-severity levels and achieves a generalization accuracy of 96.35% using four distinct participants and 9-fold cross-validation.

    Ankle-Foot Orthosis Stiffness: Biomechanical Effects, Measurement and Emulation

    Ankle-foot orthoses (AFOs) are braces worn by individuals with gait impairments to provide support about the ankle. AFOs come in a variety of designs for clinicians to choose from. However, as the effects of different design parameters on AFO properties and AFO users have not been adequately quantified, it is not clear which design choices are most likely to improve patient outcomes. Recent advances in manufacturing have further expanded the design space, adding urgency and complexity to the challenge of selecting optimal designs. A key AFO property affected by design decisions is sagittal-plane rotational stiffness. To evaluate the effectiveness of different AFO designs, we need: 1) a better understanding of the biomechanical effects of AFO stiffness and 2) more precise and repeatable stiffness measurement methods. This dissertation addresses these needs through four aims. First, we conducted a systematic literature review on the influence of AFO stiffness on gait biomechanics. We found that ankle and knee kinematics are affected by increasing stiffness, with minimal effects on hip kinematics and kinetics. However, the lack of effective stiffness measurement techniques made it difficult to determine which specific values or ranges of stiffness influence biomechanics. Therefore, in Aim 2, we developed an AFO stiffness measurement apparatus (SMApp). The SMApp is an automated device that non-destructively flexes an AFO to acquire operator- and trial-independent measurements of its torque-angle dynamics. The SMApp was designed to test a variety of AFO types and sizes across a range of flexion angles and speeds exceeding current alternatives. Common models of AFO torque-angle dynamics in the literature have simplified the relationship to a linear fit whose slope represents stiffness. This linear approximation ignores damping parameters. However, as previous studies were unable to precisely control AFO flexion speed, the presence of speed effects has not been adequately investigated. Thus, in Aim 3, we used the SMApp to test whether AFOs exhibit viscoelastic behaviors over the range of speeds typically achieved during walking. This study revealed small but statistically significant effects of flexion speed on AFO stiffness for samples of both traditional AFOs and novel 3-D printed AFOs, suggesting that more complex models that include damping parameters could be more suitable for modeling AFO dynamics. Finally, in Aim 4, we investigated the use of an active exoskeleton that can haptically emulate different AFOs as a potential test bed for studying the effects of AFO parameters on human movement. Prior work has used emulation for rapid prototyping of candidate assistive devices. While emulators can mimic a physical device's torque-angle profile, the physical and emulated devices may have other differences that influence user biomechanics. Current studies have not investigated these differences, which limits translation of findings from emulated to physical devices. To evaluate the efficacy of AFO emulation as a research tool, we conducted a single-subject pilot study with a custom-built AFO emulator device. We compared user kinematics while walking with a physical AFO against those with an emulated AFO and found they elicited similar ankle trajectories. This dissertation resulted in the successful development and evaluation of a framework consisting of two test beds, one to assess AFO mechanical properties and another to assess the effects of these properties on the AFO user. These tools enable innovations in AFO design that can translate to measurable improvements in patient outcomes.
    PhD, Mechanical Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/163219/1/deema_1.pd

    Improving intrusion detection systems using data mining techniques

    Recent surveys and studies have shown that cyber-attacks have caused a great deal of damage to organisations, governments, and individuals around the world. Although the computer security field is constantly developing, cyber-attacks still cause damage because attackers keep developing and evolving them. This research looked at some industrial challenges in the intrusion detection area and identified two main ones. The first is that signature-based intrusion detection systems such as SNORT cannot detect attacks with new signatures without human intervention. The second concerns multi-stage attack detection, where signature-based detection has been found to be inefficient. The novelty of this research lies in the methodologies developed to tackle these challenges. The first challenge was handled by developing a multi-layer classification methodology. The first layer is based on a decision tree, while the second layer is a hybrid module that uses two data mining techniques, a neural network and fuzzy logic. The second layer attempts to detect new attacks when the first fails to do so. This system detects attacks with new signatures and then updates the SNORT signature store automatically, without any human intervention. The obtained results show a high detection rate for attacks with new signatures; however, the false positive rate needs to be lowered. The second challenge was approached by evaluating IP information using fuzzy logic. This approach looks at the identity of the participants in the traffic rather than the sequence and contents of the traffic. The results show that this approach can help predict attacks at a very early stage in some scenarios. However, combining it with an approach that does look at the sequence and contents of the traffic, such as event correlation, achieves better performance than either approach individually.

    TOWARDS A HOLISTIC EFFICIENT STACKING ENSEMBLE INTRUSION DETECTION SYSTEM USING NEWLY GENERATED HETEROGENEOUS DATASETS

    With the exponential growth of network-based applications globally, there has been a transformation in organizations' business models. Furthermore, the falling cost of both computing devices and internet access has made people more technology dependent. Consequently, with such heavy use of computer networks, new risks have emerged, and improving the speed and accuracy of security mechanisms has become crucial. Although many new security tools have been developed, the rapid growth of malicious activity remains a pressing issue, as ever-evolving attacks continue to pose severe threats to network security. Classical security techniques, firewalls for instance, are used as a first line of defense but cannot detect internal intrusions or adequately provide countermeasures. Network administrators therefore rely predominantly on Intrusion Detection Systems to detect intrusive network activity. Machine Learning is one practical approach to intrusion detection: it learns from data to differentiate between normal and malicious traffic. Although Machine Learning approaches are used frequently, an in-depth analysis of Machine Learning algorithms in the context of intrusion detection has received less attention in the literature. Moreover, adequate datasets are necessary to train and evaluate anomaly-based network intrusion detection systems. A number of such datasets, such as DARPA, KDDCUP, and NSL-KDD, have been widely adopted by researchers to train and evaluate their proposed intrusion detection approaches. Several studies have found many of these datasets outdated and unreliable. Furthermore, some of them lack traffic diversity and volume, do not cover the variety of attacks, have anonymized packet information and payloads that cannot reflect current trends, or lack a feature set and metadata. This thesis provides a comprehensive analysis of some of the existing Machine Learning approaches for identifying network intrusions. Specifically, it analyzes the algorithms along several dimensions inherent to intrusion detection, namely feature selection, sensitivity to hyper-parameter selection, and class imbalance. It also produces a new dataset, labeled Game Theory and Cyber Security (GTCS), that matches real-world criteria, contains normal traffic and several classes of attacks, and reflects current network traffic trends. The GTCS dataset is used to evaluate the performance of the different approaches, and a detailed experimental evaluation summarizing the effectiveness of each approach is presented. Finally, the thesis proposes an ensemble classifier model composed of multiple classifiers with different learning paradigms to address detection accuracy and false alarm rate in intrusion detection systems.

    Internet of Underwater Things and Big Marine Data Analytics -- A Comprehensive Survey

    The Internet of Underwater Things (IoUT) is an emerging communication ecosystem developed for connecting underwater objects in maritime and underwater environments. IoUT technology is intricately linked with intelligent boats and ships, smart shores and oceans, automatic marine transportation, positioning and navigation, underwater exploration, disaster prediction and prevention, as well as intelligent monitoring and security. The IoUT has an influence at scales ranging from a small scientific observatory, to a mid-sized harbor, to global oceanic trade. The network architecture of IoUT is intrinsically heterogeneous and should be sufficiently resilient to operate in harsh environments. This creates major challenges in underwater communications, while relying on limited energy resources. Additionally, the volume, velocity, and variety of data produced by sensors, hydrophones, and cameras in IoUT is enormous, giving rise to the concept of Big Marine Data (BMD), which has its own processing challenges. Hence, conventional data processing techniques will falter, and bespoke Machine Learning (ML) solutions have to be employed to automatically learn the specific BMD behavior and features that facilitate knowledge extraction and decision support. The motivation of this paper is to comprehensively survey the IoUT, BMD, and their synthesis. It also explores the nexus of BMD with ML. We set out from underwater data collection and then discuss the family of IoUT data communication techniques with an emphasis on state-of-the-art research challenges. We then review the suite of ML solutions suitable for BMD handling and analytics. We treat the subject deductively from an educational perspective, critically appraising the material surveyed. Comment: 54 pages, 11 figures, 19 tables, IEEE Communications Surveys & Tutorials, peer-reviewed academic journal

    Research and Technology Objectives and Plans Summary (RTOPS)

    This publication represents the NASA research and technology program for FY-93. It is a compilation of the Summary portions of each of the RTOPs (Research and Technology Objectives and Plans) used for management review and control of research currently in progress throughout NASA. The RTOP Summary is designed to facilitate communication and coordination among concerned technical personnel in government, in industry, and in universities. The first section, containing citations and abstracts of the RTOPs, is followed by four indexes: Subject, Technical Monitor, Responsible NASA Organization, and RTOP Number.

    Research and technology, 1990: Goddard Space Flight Center

    Goddard celebrates 1990 as a banner year in space-based astronomy. From above the Earth's obscuring atmosphere, four major orbiting observatories examined the heavens at wavelengths spanning the electromagnetic spectrum. In the infrared and microwave, the Cosmic Background Explorer (COBE) measured the spectrum and angular distribution of the cosmic background radiation to extraordinary precision. In the optical and UV, the Hubble Space Telescope has returned spectacular high-resolution images and spectra of a wealth of astronomical objects. The Goddard High Resolution Spectrograph has resolved dozens of UV spectral lines which are as yet unidentified because they have never before been seen in any astronomical spectrum. In X-rays, the Roentgen Satellite has begun returning equally spectacular images of high-energy objects within our own and other galaxies.