50 research outputs found

    A roadmap towards improving managed security services from a privacy perspective

    Published version of an article in the journal Ethics and Information Technology. Also available from the publisher at: http://dx.doi.org/10.1007/s10676-014-9348-3
    This paper proposes a roadmap for how privacy leakages from outsourced managed security services using intrusion detection systems can be controlled. The paper first analyses the risk of leaking private or confidential information from signature-based intrusion detection systems. It then discusses how the situation can be improved by developing adequate privacy enforcement methods and privacy leakage metrics in order to control and reduce the leakage of private and confidential information over time. Such metrics should allow for quantifying how much information is leaking, where these information leakages are, as well as showing what these leakages mean. This includes adding enforcement mechanisms ensuring that operation on sensitive information is transparent and auditable. The data controller or external quality assurance organisations can then verify or certify that the security operation operates in a privacy-friendly manner. The roadmap furthermore outlines how privacy-enhanced intrusion detection systems should be implemented by initially providing privacy-enhanced alarm handling and then gradually extending support for privacy-enhancing operation to other areas like digital forensics, exchange of threat information and big data analytics based attack detection.

    Evaluating Machine Learning Classifiers for Hybrid Network Intrusion Detection Systems

    Existing classifier evaluation methods do not fully capture the intended use of classifiers in hybrid intrusion detection systems (IDS), that is, systems that employ machine learning alongside a signature-based IDS. This research challenges traditional classifier evaluation methods in favor of a value-focused evaluation method that incorporates evaluator-specific weights for classifier and prediction threshold selection. By allowing the evaluator to weight known and unknown threat detection by alert classification, classifier selection is optimized to evaluator values for this application. The proposed evaluation methods are applied to a Cyber Defense Exercise (CDX) dataset. Network data is processed to produce connection-level features, then labeled using packet-level alerts from a signature-based IDS. Seven machine learning algorithms are evaluated using traditional methods and the value-focused method. Comparing the results demonstrates fallacies in traditional methods that do not consider evaluator values. Classifier selection fallacies are revealed in 2 of 5 notional weighting schemes, and prediction threshold selection fallacies are revealed in 5 of 5 weighting schemes.

    Targeted attack detection by means of free and open source solutions

    Compliance requirements are part of everyday business requirements in various areas, such as retail and medical services. As part of compliance it may be required to have infrastructure in place to monitor the activities in the environment to ensure that the relevant data and environment are sufficiently protected. At the core of such monitoring solutions one would find some type of data repository, or database, to store and ultimately correlate the captured events. Such solutions are commonly called Security Information and Event Management, or SIEM for short. Larger companies have been known to use commercial solutions such as IBM's QRadar, LogRhythm, or Splunk. However, these come at significant cost and aren't suitable for smaller businesses with limited budgets. These solutions require manual configuration of event correlation for detection of activities that place the environment in danger. This usually requires vendor implementation assistance, which also comes at a cost. Alternatively, there are open source solutions that provide the required functionality. This research demonstrates building an open source solution, with minimal to no cost for hardware or software, while still maintaining the capability of detecting targeted attacks. The solution presented in this research includes Wazuh, which is a combination of OSSEC and the ELK stack, integrated with a Network Intrusion Detection System (NIDS). The success of the integration is determined by measuring positive attack detection for each of the different configuration options. To perform the testing, a deliberately vulnerable platform named Metasploitable is used as the victim host. The victim host's vulnerabilities were created specifically to serve as a target for Metasploit. The attacks were generated by utilising the Metasploit Framework on a prebuilt Kali Linux host.

    Towards transparent and secure IoT: Device intents declaration, and user privacy self awareness and control

    In recent years, we have seen a growing wave of integration of new IoT (Internet of Things) technologies into society. The massive integration of these technologies has led to the emergence of several critical issues which have consequently created new challenges, for which no obvious answers have yet been found. One of the main challenges has to do with the security and privacy of information processed by IoT devices present in our daily life. At present there are no guarantees from the manufacturers of such IoT devices, which are connected to our networks, as regards the collection and sending of personal information, nor an expected behavior. Thus, in this work, we developed and tested a solution that aims to increase the privacy and security of information in networks of IoT devices, from the perspective of controlling the communication of smart devices on the network. It includes one tool capable of analyzing packets sent by IoT devices and another capable of defining and allowing the application of network traffic control rules to the packets in question. These tools were indispensable for investigation of the two central aspects of this dissertation, which are investigating how the declarations of communication intentions of the IoT devices specified by the manufacturers are used, in order to facilitate control of communication by consumers and enable them to detect violations of those intentions, and how to give users/consumers control over IoT communication, so that they can define what they do and do not want their devices to communicate.

    Portuguese abstract, translated: In recent years, we have witnessed a wave of growth in the integration of new IoT (Internet of Things) technologies into society. The massive integration of these technologies has led to the emergence of several critical issues which, consequently, have created new challenges for which no obvious answers have yet been given. One of the main challenges concerns the security and privacy of the information of the IoT devices present in our daily lives. At present, there are no guarantees from the manufacturers of these IoT devices, which are connected to our networks, regarding the collection and sending of personal information carried out by them, nor an expected behaviour. Thus, in this work, we developed and tested a solution whose objective is to increase the privacy and security of information in networks of IoT devices, from the perspective of controlling the communication of the smart devices on the network. It includes one tool capable of analysing the packets sent by IoT devices and another capable of defining and allowing the application of network traffic control rules to those packets. These tools were indispensable for investigating the two central aspects of this dissertation, which are: investigating how the declarations of communication intentions of IoT devices specified by the manufacturers are used, so as to facilitate control of their communication by consumers and allow them to detect violations of those intentions; and how to give the user/consumer control over IoT communication, so that they can state what they do and do not want their devices to communicate.

    A New SCADA Dataset for Intrusion Detection System Research

    Supervisory Control and Data Acquisition (SCADA) systems monitor and control industrial control systems in many industrial and economic sectors which are considered critical infrastructure. In the past, most SCADA systems were isolated from all other networks, but recently connections to corporate enterprise networks and the Internet have increased. Security concerns have risen from this newfound connectivity. This thesis makes one primary contribution to researchers and industry. Two datasets have been introduced to support intrusion detection system research for SCADA systems. The datasets include network traffic captured on a gas pipeline SCADA system in Mississippi State University's SCADA lab. IDS researchers lack a common framework to train and test proposed algorithms. This leads to an inability to properly compare IDS presented in the literature and limits research progress. The datasets created for this thesis are available to aid researchers in assessing the performance of SCADA IDS systems.

    Cybersecurity Deep: Approaches, Attacks Dataset, and Comparative Study

    Cyber attacks are increasing rapidly due to advanced digital technologies used by hackers. In addition, cybercriminals are conducting cyber attacks, making cyber security a rapidly growing field. Although machine learning techniques have worked well in solving large-scale cybersecurity problems, the emerging concept of deep learning (DL) that caught on during this period led information security specialists to improve on these results. The deep learning techniques analyzed in this study are convolutional neural networks, recurrent neural networks, and deep neural networks in the context of cybersecurity. A framework is proposed, and a real-time laboratory setup is performed to capture network packets and examine this captured data using various DL techniques. A comparative interpretation is presented of the DL techniques with essential parameters, particularly accuracy, false alarm rate, precision, and detection rate. The experimental output of the DL techniques projects improved performance of various real-time cybersecurity applications on a real-time dataset. The CNN model provides the highest accuracy of 98.64% with a precision of 98% with binary classes. The RNN model offers the second-highest accuracy of 97.75%. The CNN model provides the highest accuracy of 98.42 with multiple classes. The study shows that DL techniques can be effectively used in cybersecurity applications. Future research areas are elaborated, including potential research topics to improve several DL methodologies for cybersecurity applications.