4 research outputs found

    Securing Enterprise Networks with Statistical Node Behavior Profiling

    The substantial proliferation of the Internet has made it the most critical infrastructure in today's world. However, it is still vulnerable to various kinds of attacks/malwares and poses a number of great security challenges. Furthermore, we have also witnessed in the past decade that there is always a fast self-evolution of attacks/malwares (e.g. from worms to botnets) against every success in network security. Network security thereby remains a hot topic in both research and industry and requires both continuous and great attention. In this research, we consider two fundamental areas in network security, malware detection and background traffic modeling, from a new view point of node behavior profiling under enterprise network environments. Our main objectives are to extend and enhance the current research in these two areas. In particular, central to our research is the node behavior profiling approach that groups the behaviors of different nodes by jointly considering time and spatial correlations. We also present an extensive study on botnets, which are believed to be the largest threat to the Internet. To better understand the botnet, we propose a botnet framework and predict a new P2P botnet that is much stronger and stealthier than the current ones. We then propose anomaly malware detection approaches based directly on the insights (statistical characteristics) from the node behavior study and apply them on P2P botnet detection. Further, by considering the worst case attack model where the botmaster knows all the parameter values used in detection, we propose a fast and optimized anomaly detection approach by formulating the detection problem as an optimization problem. In addition, we propose a novel traffic modeling structure using behavior profiles for NIDS evaluations. It is efficient and takes into account the node heterogeneity in traffic modeling. It is also compatible with most current modeling schemes and helpful in generating better realistic background traffic. Last but not least, we evaluate the proposed approaches using real user trace from enterprise networks and achieve encouraging results. Our contributions in this research include: 1) a new node behavior profiling approach to study the normal node behavior; 2) a framework for botnets; 3) a new P2P botnet and performance comparisons with other P2P botnets; 4) two anomaly detection approaches based on node behavior profiles; 4) a fast and optimized anomaly detection approach under the worst case attack model; 5) a new traffic modeling structure and 6) simulations and evaluations of the above approaches under real user data from enterprise networks. To the best of our knowledge, we are the first to propose the botnet framework, consider the worst case attack model and propose corresponding fast and optimized solution in botnet related research. We are also the first to propose efficient solutions in traffic modeling without the assumption of node homogeneity.

    Image segmentation and object classification for automatic detection of tuberculosis in sputum smears

    Includes bibliographical references (leaves 95-101). An automated microscope is being developed in the MRC/UCT Medical Imaging Research Unit at the University of Cape Town in an effort to ease the workload of laboratory technicians screening sputum smears for tuberculosis (TB), in order to improve screening in countries with a heavy burden of TB. As a step in the development of such a microscope, the project described here was concerned with the extraction and identification of TB bacilli in digital images of sputum smears obtained with a microscope. The investigations were carried out on Ziehl-Neelsen (ZN) stained sputum smears. Different image segmentation methods were compared and object classification was implemented using various two-class classifiers, for images obtained using a microscope with 100x objective lens magnification. The bacillus identification route established for the 100x images was applied to images obtained using a microscope with 20x objective lens magnification. In addition, one-class classification was applied to the 100x images. A combination of pixel classifiers performed best in image segmentation to extract objects of interest. For 100x images, the product of the Bayes’, quadratic and logistic linear classifiers resulted in a percentage of correctly classified bacillus pixels of 89.38%; 39.52% of pixels were incorrectly classified. The segmentation method did not miss any bacillus objects with their length in the focal plane of an image. The biggest source of error for the segmentation method was staining inconsistencies. The pixel segmentation method performed poorly on images with 20x magnification. Geometric change invariant features were extracted to describe segmented objects; Fourier coefficients, moment invariant features and colour features were used. All two-class object classifiers had balanced performance for 100x images, with sensitivity and specificity above 95% for the detection of an individual bacillus after Fisher mapping of the feature set. Object classification on images with 20x magnification performed similarly. One-class object classification using the mixture of Gaussians classifier, without Fisher mapping of features, produced sensitivity and specificity above 90% when applied to 100x images.

    On the uncertainty in sequential hypothesis testing
