Incremental hybrid intrusion detection for 6LoWPAN

IPv6 over Low-powered Wireless Personal Area Networks (6LoWPAN) has grown in importance in recent years, with the Routing Protocol for Low Power and Lossy Networks (RPL) emerging as a major enabler. However, RPL can be subject to attack, with severe consequences. Most proposed IDSs have been limited to specific RPL attacks and typically assume a stationary environment. In this article, we propose the first adaptive hybrid IDS to efficiently detect and identify a wide range of RPL attacks (including DIO Suppression, Increase Rank, and Worst Parent attacks, which have been overlooked in the literature) in evolving data environments. We apply our framework to networks under various levels of node mobility and maliciousness. We experiment with several incremental machine learning (ML) approaches and various ‘concept-drift detection’ mechanisms (e.g. ADWIN, DDM, and EDDM) to determine the best underlying settings for the proposed scheme

Bayesian changepoint models motivated by cyber-security applications

Changepoint detection has an important role to play in the next generation of cyber security defenses. A cyber attack typically changes the behaviour of the target network. Therefore, to detect the presence of a network intrusion, it can be informative to monitor for changes in the high-volume data sources that are collected inside an enterprise computer network. However, most traditional changepoint detection methods are not adapted to characterise what cyber security analysts mean by a change, and consequently raise too many false alerts but also overlook weak signals that are suggestive of a real attack. This thesis will present three novel Bayesian changepoint models that address some challenges raised by cyber data: the first model combines evidence across a graph of time series to identify patterns of changepoints that are a priori more likely to correspond to an attack; the second model offers robustness to non-exchangeable data within segments so that normal dynamic phenomena observed in cyber data can be captured; and, the third model relaxes the standard assumption that changes are instantaneous, so that time intervals where cyber data may be subject to non-instantaneous changes can be identified.Open Acces

Security related self-protected networks: Autonomous threat detection and response (ATDR)

>Magister Scientiae - MScCybersecurity defense tools, techniques and methodologies are constantly faced with increasing challenges including the evolution of highly intelligent and powerful new-generation threats. The main challenges posed by these modern digital multi-vector attacks is their ability to adapt with machine learning. Research shows that many existing defense systems fail to provide adequate protection against these latest threats. Hence, there is an ever-growing need for self-learning technologies that can autonomously adjust according to the behaviour and patterns of the offensive actors and systems. The accuracy and effectiveness of existing methods are dependent on decision making and manual input by human experts. This dependence causes 1) administration overhead, 2) variable and potentially limited accuracy and 3) delayed response time

Denial of Service in Web-Domains: Building Defenses Against Next-Generation Attack Behavior

The existing state-of-the-art in the field of application layer Distributed Denial of Service (DDoS) protection is generally designed, and thus effective, only for static web domains. To the best of our knowledge, our work is the first that studies the problem of application layer DDoS defense in web domains of dynamic content and organization, and for next-generation bot behaviour. In the first part of this thesis, we focus on the following research tasks: 1) we identify the main weaknesses of the existing application-layer anti-DDoS solutions as proposed in research literature and in the industry, 2) we obtain a comprehensive picture of the current-day as well as the next-generation application-layer attack behaviour and 3) we propose novel techniques, based on a multidisciplinary approach that combines offline machine learning algorithms and statistical analysis, for detection of suspicious web visitors in static web domains. Then, in the second part of the thesis, we propose and evaluate a novel anti-DDoS system that detects a broad range of application-layer DDoS attacks, both in static and dynamic web domains, through the use of advanced techniques of data mining. The key advantage of our system relative to other systems that resort to the use of challenge-response tests (such as CAPTCHAs) in combating malicious bots is that our system minimizes the number of these tests that are presented to valid human visitors while succeeding in preventing most malicious attackers from accessing the web site. The results of the experimental evaluation of the proposed system demonstrate effective detection of current and future variants of application layer DDoS attacks