A survey on online monitoring approaches of computer-based systems
This report surveys forms of online data collection that are in current use (and are the subject of research to adapt them to changing technology and demands) and that can be used as inputs to the assessment of dependability and resilience, although they are not primarily meant for this use.
An Experimental Study of Diversity with Off-The-Shelf AntiVirus Engines
Fault tolerance in the form of diverse redundancy is well known to improve the detection rates for both malicious and non-malicious failures. What is of interest to designers of security protection systems are the actual gains in detection rates that they may give. In this paper we provide exploratory analysis of the potential gains in detection capability from using diverse AntiVirus products for the detection of self-propagating malware. The analysis is based on 1599 malware samples collected by the operation of a distributed honeypot deployment over a period of 178 days. We sent these samples to the signature engines of 32 different AntiVirus products taking advantage of the VirusTotal service. The resulting dataset allowed us to perform analysis of the effects of diversity on the detection capability of these components as well as how their detection capability evolves in time.
Dendritic Cells for Anomaly Detection
Artificial immune systems, more specifically the negative selection algorithm, have previously been applied to intrusion detection. The aim of this research is to develop an intrusion detection system based on a novel concept in immunology, the Danger Theory. Dendritic Cells (DCs) are antigen presenting cells and key to the activation of the human immune system; they combine signals from the host tissue and correlate these signals with proteins known as antigens. In algorithmic terms, individual DCs perform multi-sensor data fusion based on time-windows. The whole population of DCs asynchronously correlates the fused signals with a secondary data stream. The behaviour of human DCs is abstracted to form the DC Algorithm (DCA), which is implemented using an immune inspired framework, libtissue. This system is used to detect context switching for a basic machine learning dataset and to detect outgoing portscans in real-time. Experimental results show a significant difference between an outgoing portscan and normal traffic.

Comment: 8 pages, 10 tables, 4 figures, IEEE Congress on Evolutionary Computation (CEC2006), Vancouver, Canada
IPAL: Breaking up Silos of Protocol-dependent and Domain-specific Industrial Intrusion Detection Systems
The increasing interconnection of industrial networks exposes them to an ever-growing risk of cyber attacks. To reveal such attacks early and prevent any damage, industrial intrusion detection searches for anomalies in otherwise predictable communication or process behavior. However, current efforts mostly focus on specific domains and protocols, leading to a research landscape broken up into isolated silos. Thus, existing approaches cannot be applied to other industries that would equally benefit from powerful detection. To better understand this issue, we survey 53 detection systems and find no fundamental reason for their narrow focus. Although they are often coupled to specific industrial protocols in practice, many approaches could generalize to new industrial scenarios in theory. To unlock this potential, we propose IPAL, our industrial protocol abstraction layer, to decouple intrusion detection from domain-specific industrial protocols. After proving IPAL's correctness in a reproducibility study of related work, we showcase its unique benefits by studying the generalizability of existing approaches to new datasets and conclude that they are indeed not restricted to specific domains or protocols and can perform outside their restricted silos.
Intelligent multi-agent system for intrusion detection and countermeasures
Intelligent mobile agent systems offer a new approach to implementing intrusion detection systems (IDS). The prototype intrusion detection system, MAIDS, demonstrates the benefits of an agent-based IDS, including distributing the computational effort, reducing the amount of information sent over the network, platform independence, asynchronous operation, and modularity offering ease of updates. Anomaly detection agents use machine learning techniques to detect intrusions; one such agent processes streams of system calls from privileged processes. Misuse detection agents match known problems and correlate events to detect intrusions. Agents report intrusions to other agents and to the system administrator through the graphical user interface (GUI).

A sound basis has been created for the intrusion detection system. Intrusions have been modeled using the Software Fault Tree Analysis (SFTA) technique; when augmented with constraint nodes describing trust, contextual, and temporal relationships, the SFTA forms a basis for stating the requirements of the intrusion detection system. Colored Petri Nets (CPN) have been created to model the design of the Intrusion Detection System. Algorithmic transformations are used to create CPN templates from augmented SFT and to create implementation templates from CPNs. The implementation maintains the CPN semantics in the distributed agent-based intrusion detection system.