    Security information management with frame-based attack presentation and first-order reasoning

    The Internet has grown by several orders of magnitude in recent years, and this growth has escalated the importance of computer security. Intrusion Detection Systems (IDS) are used to protect computer networks. However, the overwhelming flow of log data generated by IDS hampers security administrators from uncovering new insights and hidden attack scenarios. Security Information Management (SIM) is a new and growing area of interest for intrusion detection. The research work in this dissertation explores the semantics of attack behaviors and designs Frame-based Attack Representation and First-order logic Automatic Reasoning (FAR-FAR) using linguistics and First-order Logic (FOL) based approaches. Techniques based on linguistics can provide efficient solutions to acquire semantic information from alert contexts, while FOL can tackle a wide variety of problems in attack scenario reasoning and querying. In FAR-FAR, the modified case grammar PCTCG is used to convert raw alerts into frame-structured alert streams, and the alert semantic network 2-AASN is used to generate the attack scenarios, which can then inform the security administrator. Based on the alert contexts and attack ontology, the Space Vector Model (SVM) is applied to categorize the intrusion stages. Furthermore, a robust Variant Packet Sending-interval Link Padding algorithm (VPSLP) is proposed to protect links between the IDS sensors and the FAR-FAR agents from traffic analysis attacks. Recent measurements and studies demonstrated that real network traffic exhibits statistical self-similarity over several time scales. The bursty traffic anomaly detection method, Multi-Time scaling Detection (MTD), is proposed to statistically analyze network traffic's Histogram Feature Vector to detect traffic anomalies.

    Real time security assessment of the power system using a hybrid support vector machine and multilayer perceptron neural network algorithms

    Abstract: In today's grid, technology-based cyber-physical systems have continued to be plagued with cyberattacks and intrusions. Any intrusive action on the power system's Optimal Power Flow (OPF) modules can cause a series of operational instabilities, failures, and financial losses. Real time intrusion detection has become a major challenge for the power community and energy stakeholders. Current conventional methods have continued to exhibit shortfalls in tackling these security issues. In order to address this security issue, this paper proposes a hybrid Support Vector Machine and Multilayer Perceptron Neural Network (SVMNN) algorithm that involves the combination of Support Vector Machine (SVM) and multilayer perceptron neural network (MPLNN) algorithms for predicting and detecting cyber intrusion attacks into power system networks. In this paper, a modified version of the IEEE Garver 6-bus test system and a 24-bus system were used as case studies. The IEEE Garver 6-bus test system was used to describe the attack scenarios, whereas load flow analysis was conducted on real time data of a modified Nigerian 24-bus system to generate the bus voltage dataset that considered several cyberattack events for the hybrid algorithm. Using various performance metrics and load/generator injections, simulation results showed the relevant influences of cyberattacks on power systems in terms of voltage, power, and current flows. To demonstrate the performance of the proposed hybrid SVMNN algorithm, the results are compared with other models in related studies. The results demonstrated that the hybrid algorithm achieved a detection accuracy of 99.6%, which is better than recently proposed schemes.

    SUTMS - Unified Threat Management Framework for Home Networks

    Home networks were initially designed for web browsing and non-business-critical applications. As infrastructure improved and internet broadband costs decreased, home internet usage shifted to e-commerce and business-critical applications. Today's home computers host personally identifiable information and financial data and act as a bridge to corporate networks via remote access technologies like VPN. The expansion of remote work and the transition to cloud computing have broadened the attack surface for potential threats. Home networks have become an extension of critical networks and services; hackers can get access to corporate data by compromising devices attached to broadband routers. All these challenges depict the importance of home-based Unified Threat Management (UTM) systems. There is a need for a unified threat management framework that is developed specifically for home and small networks to address emerging security challenges. In this research, the proposed Smart Unified Threat Management (SUTMS) framework serves as a comprehensive solution for implementing home network security, incorporating firewall, anti-bot, intrusion detection, and anomaly detection engines into a unified system. SUTMS is able to provide 99.99% accuracy with 56.83% memory improvements. IPS stands out as the most resource-intensive UTM service; SUTMS successfully reduces the performance overhead of IDS by integrating it with the flow detection module. The artifact employs flow analysis to identify network anomalies and categorizes encrypted traffic according to its abnormalities. SUTMS can be scaled by introducing optional functions, i.e., routing and smart logging (utilizing Apriori algorithms). The research also tackles one of the limitations identified by SUTMS through the introduction of a second artifact called Secure Centralized Management System (SCMS). SCMS is a lightweight asset management platform with built-in security intelligence that can seamlessly integrate with a cloud for real-time updates.

    Adaptive Attack Mitigation in Software Defined Networking

    In recent years, SDN has been widely studied and put into practice to assist in network management, especially with regard to newly evolved network security challenges. SDN decouples the data and control planes, while maintaining a centralised and global view of the whole network. However, the separation of control and data planes made it vulnerable to security threats because it created new attack surfaces and potential points of failure. Traditionally, network devices such as routers and switches were designed with tightly integrated data and control planes, which meant that the device made decisions about how to forward traffic as it was being received. With the introduction of SDN, the control plane was separated from the data plane and centralized in a software-based controller. The controller is responsible for managing and configuring the network, while the data plane handles the actual forwarding of traffic. This separation of planes made it possible for network administrators to more easily manage and configure network traffic. However, it also created new potential points of attack. Attackers can target the software-based controller or the communication channels between the controller and the data plane to gain access to the network and manipulate traffic. If an attacker successfully compromises the controller, they can gain control over the entire network and cause significant disruption. Seven main categories directly related to these risks have been identified: unauthorized access, data leakage, data modification, compromised application, denial of service (DoS), configuration issues and system-level SDN security. Distributed Denial of Service (DDoS) attacks are a significant threat to SDN because they can overwhelm the resources of the network, causing it to become unavailable and disrupting business operations. In an SDN architecture, the central controller is responsible for managing the flow of network traffic and directing it to the appropriate destination. However, if the network is hit with a DDoS attack, the controller can quickly become overwhelmed with traffic, making it difficult to manage the network and causing the network to become unavailable. Coupling SDN capabilities with intelligent traffic analysis using Machine Learning and/or Deep Learning has recently attracted major research efforts, especially in combatting DDoS attacks in SDN. However, most efforts have only been a simple mapping of earlier solutions into the SDN environment. Focusing on DDoS attacks in SDN, firstly, this thesis addresses the problem of SDN security based on deep learning in a purely native SDN environment, where a Deep Learning intrusion detection module is tailored to the SDN environment with the least performance overhead. In particular, it proposes a hybrid unsupervised machine learning approach based on auto-encoding for intrusion detection in SDNs. The experimental results show that the proposed module can achieve high accuracy with a minimum of selected flow features. The performance of the controller with the deployed model has been tested for throughput and latency. The results show a minimum overhead on the SDN controller performance, while yielding a very high detection accuracy. Secondly, a hybrid deep autoencoder with a random forest classifier model to enhance intrusion detection performance in a native SDN environment was introduced. A deep learning architecture combining a deep autoencoder with random forest learning was applied to feature representations of traffic flows collected natively from the SDN environment. Publicly available packet capture (PCAP) files of recorded traffic flows were used in the SDN network for flow feature extraction and real-time implementation. The results show very high and consistent performance metrics, with an average of a 0.9 receiver-operating characteristic area under curve (ROC AUC) recorded. Finally, an adaptive framework for attack mitigation in Software Defined Network environments is suggested. A combined three-level protection mechanism was introduced to support the functionality of secure SDN network operations. Entropy-based filtering was used to determine the legitimacy of a connection before a deep learning hybrid machine learning module made the second-layer inspection. Through extensive experimental evaluations, the proposed framework demonstrates a strong potential for intrusion detection in SDN environments.

    SSHCure: a flow-based SSH intrusion detection system

    SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype implementation of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.

    Real-time cross-layer design for large-scale flood detection and attack trace-back mechanism in IEEE 802.11 wireless mesh networks

    IEEE 802.11 WMN is an emerging next-generation low-cost multi-hop wireless broadband provisioning technology. It has the capability of integrating wired and wireless networks such as LANs, IEEE 802.11 WLANs, IEEE 802.16 WMANs, and sensor networks. The characteristics of this kind of integration (large-scale coverage, decentralised and multi-hop architecture, multi-radios, multi-channel assignments, and ad hoc connectivity) support the maximum freedom of users to join or leave the network from anywhere and at any time, and have made the situation far more complex. As a result, broadband resources are exposed to various kinds of security attacks, particularly DoS attacks