12 research outputs found

    Deteção de intrusões na rede recorrendo a deteção de anomalias (Network intrusion detection using anomaly detection)

    The proliferation and widespread use of new technologies has inevitably brought with it an increase in the occurrence of cyber attacks. The problem of cyber attacks is extremely relevant in the daily life of any person or organization. In this context, the security of the computer equipment that processes and stores information is increasingly a central concern that requires innovative and appropriate solutions. This dissertation proposes a solution that aims to help mitigate the problem of computer security, with the objective of helping organizations identify, detect, manage and respond to security threats assertively and quickly. More specifically, the project covers modelling the behaviour of networked devices using machine learning and automatically detecting behavioural deviations that may indicate that those devices have been compromised.

    Scholarly Context Not Found: One in Five Articles Suffers from Reference Rot

    The emergence of the web has fundamentally affected most aspects of information communication, including scholarly communication. The immediacy that characterizes publishing information to the web, as well as accessing it, allows for a dramatic increase in the speed of dissemination of scholarly knowledge. But the transition from a paper-based to a web-based scholarly communication system also poses challenges. In this paper, we focus on reference rot, the combination of link rot and content drift to which references to web resources included in Science, Technology, and Medicine (STM) articles are subject. We investigate the extent to which reference rot impacts the ability to revisit the web context that surrounds STM articles some time after their publication. We do so on the basis of a vast collection of articles from three corpora that span publication years 1997 to 2012. For over one million references to web resources extracted from over 3.5 million articles, we determine whether the HTTP URI is still responsive on the live web and whether web archives contain an archived snapshot representative of the state the referenced resource had at the time it was referenced. We observe that the fraction of articles containing references to web resources is growing steadily over time. We find one out of five STM articles suffering from reference rot, meaning it is impossible to revisit the web context that surrounds them some time after their publication. When only considering STM articles that contain references to web resources, this fraction increases to seven out of ten. We suggest that, in order to safeguard the long-term integrity of the web-based scholarly record, robust solutions to combat the reference rot problem are required. In conclusion, we provide a brief insight into the directions that are explored in this regard in the context of the Hiberlink project.

    RFC9031: Constrained Join Protocol (CoJP) for 6TiSCH

    This document describes the minimal framework required for a new device, called a "pledge", to securely join a 6TiSCH (IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4) network. The framework requires that the pledge and the JRC (Join Registrar/Coordinator, a central entity) share a symmetric key. How this key is provisioned is out of scope of this document. Through a single CoAP (Constrained Application Protocol) request-response exchange secured by OSCORE (Object Security for Constrained RESTful Environments), the pledge requests admission into the network, and the JRC configures it with link-layer keying material and other parameters. The JRC may at any time update the parameters through another request-response exchange secured by OSCORE. This specification defines the Constrained Join Protocol and its CBOR (Concise Binary Object Representation) data structures, and it describes how to configure the rest of the 6TiSCH communication stack for this join process to occur in a secure manner. Additional security mechanisms may be added on top of this minimal framework.
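    As an added illustration of the exchange described above (written for this page, not code from RFC 9031 or from any 6TiSCH stack): a pledge and a JRC that share a symmetric key perform the single request/response, the JRC returns a link-layer key set and a short address in a CBOR map, and a replay of the same join request is refused. The CBOR encoder covers only the three major types these messages need. Assumptions not taken from the RFC text: the integer map labels are placeholders, not the registered values; an HMAC-SHA256 keystream with an 8-byte tag stands in for the AES-CCM AEAD that OSCORE uses, and the CoAP/COSE framing is omitted; the pledge identifier, network identifier and pre-shared key are constructed.

```python
import hashlib
import hmac

# Minimal CBOR (RFC 8949 major types 0, 2, 5): unsigned ints, byte strings, maps.
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")

def cbor_encode(obj):
    if isinstance(obj, int):
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError("unsupported type %r" % type(obj))

def _decode(buf, pos):
    major, n, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if n >= 28:
        raise ValueError("unsupported CBOR argument")
    if n >= 24:  # argument carried in the following 1, 2, 4 or 8 bytes
        size = 1 << (n - 24)
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major == 0:
        return n, pos
    if major == 2:
        return buf[pos:pos + n], pos + n
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = _decode(buf, pos)
            m[k], pos = _decode(buf, pos)
        return m, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def cbor_decode(buf):
    obj, end = _decode(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes")
    return obj

# Stand-in for OSCORE's AEAD (assumption: HMAC-SHA256 keystream + 8-byte tag instead of
# AES-CCM-16-64-128 and COSE framing). Sender id + sequence number act as the nonce.
TAG_LEN = 8

def _keystream(key, sender_id, seq, length):
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, sender_id + seq.to_bytes(4, "big") + bytes([block]), hashlib.sha256).digest()
    return out[:length]

def protect(key, sender_id, seq, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, sender_id, seq, len(plaintext))))
    tag = hmac.new(key, sender_id + seq.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:TAG_LEN]
    return seq.to_bytes(4, "big") + ct + tag

def unprotect(key, sender_id, last_seq, msg):
    seq, ct, tag = int.from_bytes(msg[:4], "big"), msg[4:-TAG_LEN], msg[-TAG_LEN:]
    expect = hmac.new(key, sender_id + msg[:4] + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    if seq <= last_seq:  # reused sequence number: reject as a replay
        raise ValueError("replayed sequence number %d" % seq)
    return seq, bytes(a ^ b for a, b in zip(ct, _keystream(key, sender_id, seq, len(ct))))

# Placeholder map labels (assumption, not the RFC's registered values).
ROLE, KEY_SET, SHORT_ADDR, NET_ID, ROLE_6TISCH_NODE = 1, 2, 3, 5, 0

class JRC:
    def __init__(self, psk_by_pledge, network_id, keyset):
        self.psk_by_pledge, self.network_id, self.keyset = psk_by_pledge, network_id, keyset
        self.last_seq, self.next_addr = {}, 1  # per-pledge replay state, next short address

    def handle_join(self, pledge_id, msg):
        key = self.psk_by_pledge[pledge_id]  # pre-shared key; provisioning is out of scope
        seq, pt = unprotect(key, pledge_id, self.last_seq.get(pledge_id, -1), msg)
        self.last_seq[pledge_id] = seq
        req = cbor_decode(pt)
        if req.get(NET_ID) != self.network_id or req.get(ROLE, ROLE_6TISCH_NODE) != ROLE_6TISCH_NODE:
            raise ValueError("join refused")
        addr, self.next_addr = self.next_addr.to_bytes(2, "big"), self.next_addr + 1
        resp = {KEY_SET: dict(self.keyset), SHORT_ADDR: addr}  # link-layer keys + short address
        return protect(key, b"JRC", seq, cbor_encode(resp))  # bound to the request's seq

def pledge_join_request(psk, pledge_id, seq, network_id):
    return protect(psk, pledge_id, seq, cbor_encode({ROLE: ROLE_6TISCH_NODE, NET_ID: network_id}))

def run_join():
    psk, net, keyset = bytes(range(16)), b"\x01\x02", {1: b"k" * 16}  # constructed values
    jrc = JRC({b"pledge-A": psk}, net, keyset)
    req = pledge_join_request(psk, b"pledge-A", 1, net)
    _, pt = unprotect(psk, b"JRC", -1, jrc.handle_join(b"pledge-A", req))
    config = cbor_decode(pt)  # the pledge installs these parameters
    try:
        jrc.handle_join(b"pledge-A", req)  # same request replayed: must be rejected
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return config, replay_rejected
```

    The sequence number plays the role OSCORE's partial IV plays: the JRC keeps the last accepted value per pledge and refuses anything at or below it, which is what makes the second `handle_join` call fail, and the response is protected under the same sequence number so a response cannot be swapped onto a different request. Key provisioning stays outside the example, as it does in the specification.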

    Monitoramento e visualização de navegação web em tempo real (Real-time monitoring and visualization of web browsing)

    Undergraduate monograph, Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Ciência da Computação, 2015. A real-time web browsing monitoring and visualization attack against a host consists of intercepting the traffic between a victim and its gateway and using that data to render the corresponding web pages in a local browser. This procedure has already been addressed in previous works [36] [18] under the name Webspy, using ARP spoofing to divert the traffic. However, those works no longer give effective results, since they were set in wired networks, with data carried over unencrypted channels and static web pages with few files. Today, for the attack to work, it is also necessary to deal with wireless networks, the use of SSL/TLS to encrypt the communication between client and server, and the dynamism of the current web, produced by JavaScript and the use of HTTP cookies. This work aims to handle these points, exploiting the SSL stripping technique and devising schemes to handle cookies and sessions, as well as the constant asynchronous requests made possible by JavaScript.
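    An added example of the two halves of the problem the monograph describes, written for this page rather than taken from the Webspy work it cites: the rewrite an SSL-stripping proxy applies to a plaintext response it relays to the victim, beside a model of the browser-side HSTS store (RFC 6797) that decides whether the victim would upgrade the stripped link to https:// before the proxy ever sees the request. Host names, the response body, the redirect and the HSTS header values are constructed.

```python
import re
import time
from urllib.parse import urlsplit

HTTPS_LINK = re.compile(rb"https://([A-Za-z0-9.-]+)")

def strip_body(body, stripped_hosts):
    """Downgrade https:// links in a response body and remember the hosts, so the
    proxy can re-upgrade the victim's later plaintext requests to the origin itself."""
    def downgrade(m):
        stripped_hosts.add(m.group(1).decode())
        return b"http://" + m.group(1)
    return HTTPS_LINK.sub(downgrade, body)

def strip_response(headers, body, stripped_hosts):
    """Apply the same downgrade to an https:// redirect target, then to the body."""
    headers = dict(headers)
    loc = headers.get("Location", "")
    if loc.startswith("https://"):
        stripped_hosts.add(urlsplit(loc).hostname)
        headers["Location"] = "http://" + loc[len("https://"):]
    return headers, strip_body(body, stripped_hosts)

class HstsStore:
    """host -> (expiry, includeSubDomains). A browser learns entries only from
    responses received over TLS, which is exactly what the proxy denies the victim."""
    def __init__(self, now=time.time):
        self.now, self.entries = now, {}

    def learn(self, host, header):
        directives = [d.strip().lower() for d in header.split(";")]
        max_age = next((int(d.split("=", 1)[1]) for d in directives if d.startswith("max-age=")), None)
        if max_age is None:
            return
        if max_age == 0:  # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
            return
        self.entries[host] = (self.now() + max_age, "includesubdomains" in directives)

    def upgrades(self, url):
        """True if the browser would rewrite this http:// URL to https:// before sending it:
        an unexpired entry for the exact host, or for a parent with includeSubDomains."""
        labels = urlsplit(url).hostname.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

def demo():
    """Constructed scenario: the victim visited bank.example over TLS earlier (HSTS
    cached) but has never visited cdn.example, whose script the page loads."""
    store = HstsStore(now=lambda: 1_000.0)
    store.learn("bank.example", "max-age=31536000; includeSubDomains")
    stripped = set()
    headers, body = strip_response(
        {"Location": "https://bank.example/login"},
        b'<a href="https://bank.example/login">log in</a><script src="https://cdn.example/app.js">',
        stripped)
    return {
        "location": headers["Location"],
        "body": body,
        "stripped_hosts": stripped,
        "bank_protected": store.upgrades("http://bank.example/login"),
        "bank_sub_protected": store.upgrades("http://www.bank.example/"),
        "cdn_protected": store.upgrades("http://cdn.example/app.js"),
    }
```

    Stripping only works while the browser's HSTS store has no valid entry for the host, which is why the first visit, or an expired entry, is the window the attack needs and why the preload list exists; once the browser upgrades the request itself, the proxy is left holding a TLS connection it cannot terminate without a certificate the victim would accept. The proxy does not need to remove the Strict-Transport-Security header from plaintext responses it forwards, since browsers ignore that header on non-TLS responses; the point is that the victim never receives a TLS response to learn it from.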

    Bolvedere: a scalable network flow threat analysis system

    Since the advent of the Internet, and its public availability in the late 1990s, there have been significant advances in network technologies and thus a significant increase in the bandwidth available to network users, both human and automated. Although this growth is of great value to network users, it has led to an increase in malicious network-based activity, and it is theorized that, as more services become available on the Internet, the volume of such activity will continue to grow. Because of this, there is a need to monitor, comprehend, discern, understand and (where needed) respond to events on networks worldwide. Although this line of thought is simple in its reasoning, undertaking such a task is no small feat. Full packet analysis is a method of network surveillance that seeks out specific characteristics within network traffic that may tell of malicious activity or anomalies in regular network usage. It is carried out within firewalls and implemented through packet classification. In the context of the networks that make up the Internet, this form of packet analysis has become infeasible, as the volume of traffic introduced onto these networks every day is so large that there are simply not enough processing resources to perform such a task on every packet in real time. One could combat this problem by performing post-incident forensics, archiving packets and processing them later. However, as one cannot process all incoming packets, the archive will eventually run out of space. Full packet analysis is also hindered by the fact that some existing, commonly used solutions are designed around a single host and a single thread of execution, an outdated approach that is far slower than necessary on current computing technology. This research explores the conceptual design and implementation of a scalable network traffic analysis system named Bolvedere. Analysis performed by Bolvedere simply asks whether the existence of a connection, coupled with its associated metadata, is enough to conclude something meaningful about that connection. This idea moves away from the traditional processing of every single byte in every single packet monitored on a network link (Deep Packet Inspection) towards working with connection flows. Bolvedere performs its work by leveraging the NetFlow version 9 and IPFIX protocols, but is not limited to these. It is implemented using a modular approach that allows either complete execution of the system on a single host or the horizontal scaling out of subsystems across multiple hosts. The use of multiple hosts is achieved through ZeroMQ (ZMQ), whose interprocess communication lets Bolvedere scale out horizontally, which increases the available processing resources and thus the analysis throughput. Many underlying mechanisms in Bolvedere have been automated. This is intended to make the system more user-friendly: the user need only tell Bolvedere what information they wish to analyse, and the system then rebuilds itself to achieve the required task. Bolvedere has also been hardware-accelerated through the use of Field-Programmable Gate Array (FPGA) technology, which more than doubled the total throughput of the system.
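    An added example that serves both the dissertation above on modelling device behaviour and flagging deviations, and Bolvedere's premise that flow metadata alone, without payload, supports meaningful conclusions. It is written for this page and is not code from either thesis. Flow records are used after decoding (NetFlow v9/IPFIX template handling is not shown), the sample traffic is constructed, and the feature set, window size and z-score threshold are assumptions; a production system would learn from far more windows and devices than this.

```python
from collections import defaultdict
from statistics import mean, pstdev

def _normal_window(win):
    """Constructed 'normal' traffic for one window: a workstation (10.0.0.5) talking to
    a few services and a server (10.0.0.9) answering. Not real capture data."""
    return [
        # (window, src, dst, dst_port, bytes): the decoded fields of a NetFlow v9/IPFIX record
        (win, "10.0.0.5", "10.0.0.9", 443, 40_000 + 2_000 * (win % 3)),
        (win, "10.0.0.5", "10.0.0.9", 53, 2_000),
        (win, "10.0.0.5", "10.0.0.20", 445, 12_000),
        (win, "10.0.0.9", "10.0.0.5", 443, 900_000 + 10_000 * (win % 2)),
        (win, "10.0.0.9", "10.0.0.20", 443, 850_000),
    ]

BASELINE_FLOWS = [f for w in range(1, 6) for f in _normal_window(w)]
# Window 6: the same background traffic, plus 10.0.0.5 probing 40 ports on one host with
# tiny flows, plus a device that was never seen during baselining.
TEST_FLOWS = (_normal_window(6)
              + [(6, "10.0.0.5", "10.0.0.20", p, 40) for p in range(1, 41)]
              + [(6, "10.0.0.77", "10.0.0.9", 22, 300)])

def features(flows):
    """Per (window, src): distinct peers, distinct destination ports, total bytes.
    Only flow metadata is consulted; no payload is needed for any of this."""
    agg = defaultdict(lambda: {"peers": set(), "ports": set(), "bytes": 0})
    for win, src, dst, dport, nbytes in flows:
        f = agg[(win, src)]
        f["peers"].add(dst)
        f["ports"].add(dport)
        f["bytes"] += nbytes
    return {k: {"peers": len(v["peers"]), "ports": len(v["ports"]), "bytes": v["bytes"]}
            for k, v in agg.items()}

def build_baseline(flows):
    """Model each device's own behaviour as the mean and spread of its features over windows."""
    per_src = defaultdict(lambda: defaultdict(list))
    for (_, src), f in features(flows).items():
        for name, val in f.items():
            per_src[src][name].append(val)
    return {src: {name: (mean(vals), pstdev(vals)) for name, vals in feats.items()}
            for src, feats in per_src.items()}

def score_window(flows, baseline, z_threshold=3.0, min_std=1.0):
    """Flag devices whose features deviate upward from their own baseline. min_std keeps a
    device with a perfectly flat history from alerting on a change of a single unit."""
    alerts = {}
    for (_, src), f in features(flows).items():
        base = baseline.get(src)
        if base is None:
            alerts[src] = ["unknown device"]  # never seen while baselining: a finding in itself
            continue
        hits = []
        for name, val in f.items():
            mu, sd = base[name]
            z = (val - mu) / max(sd, min_std)
            if z > z_threshold:
                hits.append("%s z=%.1f" % (name, z))
        if hits:
            alerts[src] = hits
    return alerts
```

    The baseline is per device, so a server moving a gigabyte a window is normal for itself while the same volume from a workstation would not be; the port probe in window 6 shows up as a 40-sigma jump in distinct destination ports while the byte count barely moves, which is the kind of conclusion flow metadata supports without any payload. `min_std` matters in practice because counts derived from flows are often perfectly flat over a short baseline and a raw z-score would divide by zero.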

    Special-Use Domain Names
