Towards Bayesian-Based Trust Management for Insider Attacks in Healthcare Software-Defined Networks

© 2004-2012 IEEE. The medical industry is increasingly digitalized and Internet-connected (e.g., Internet of Medical Things), and when deployed in an Internet of Medical Things environment, software-defined networks (SDNs) allow the decoupling of network control from the data plane. There is no debate among security experts that the security of Internet-enabled medical devices is crucial, and an ongoing threat vector is insider attacks. In this paper, we focus on the identification of insider attacks in healthcare SDNs. Specifically, we survey stakeholders from 12 healthcare organizations (i.e., two hospitals and two clinics in Hong Kong, two hospitals and two clinics in Singapore, and two hospitals and two clinics in China). Based on the survey findings, we develop a trust-based approach based on Bayesian inference to figure out malicious devices in a healthcare environment. Experimental results in either a simulated and a real-world network environment demonstrate the feasibility and effectiveness of our proposed approach regarding the detection of malicious healthcare devices, i.e., our approach could decrease the trust values of malicious devices faster than similar approaches

Security Enhanced Applications for Information Systems

Every day, more users access services and electronically transmit information which is usually disseminated over insecure networks and processed by websites and databases, which lack proper security protection mechanisms and tools. This may have an impact on both the users’ trust as well as the reputation of the system’s stakeholders. Designing and implementing security enhanced systems is of vital importance. Therefore, this book aims to present a number of innovative security enhanced applications. It is titled “Security Enhanced Applications for Information Systems” and includes 11 chapters. This book is a quality guide for teaching purposes as well as for young researchers since it presents leading innovative contributions on security enhanced applications on various Information Systems. It involves cases based on the standalone, network and Cloud environments

Theoretical and Applied Foundations for Intrusion Detection in Single and Federated Clouds

Les systèmes infonuagiques deviennent de plus en plus complexes, plus dynamiques et hétérogènes. Un tel environnement produit souvent des données complexes et bruitées, empêchant les systèmes de détection d’intrusion (IDS) de détecter des variantes d’attaques connues. Une seule intrusion ou une attaque dans un tel système hétérogène peut se présenter sous des formes différentes, logiquement mais non synthétiquement similaires. Les IDS traditionnels sont incapables d’identifier ces attaques, car ils sont conçus pour des infrastructures spécifiques et limitées. Par conséquent, une détection précise dans le nuage ne sera absolument pas identifiée. Outre le problème de l’infonuagique, les cyber-attaques sont de plus en plus sophistiquées et difficiles à détecter. Il est donc extrêmement compliqué pour un unique IDS d’un nuage de détecter toutes les attaques, en raison de leurs implications, et leurs connaissances limitées et insuffisantes de celles-ci. Les solutions IDS actuelles de l’infonuagique résident dans le fait qu’elles ne tiennent pas compte des aspects dynamiques et hétérogènes de l’infonuagique. En outre, elles s’appuient fondamentalement sur les connaissances et l’expérience locales pour identifier les attaques et les modèles existants. Cela rend le nuage vulnérable aux attaques «Zero-Day». À cette fin, nous résolvons dans cette thèse deux défis associés à l’IDS de l’infonuagique : la détection des cyberattaques dans des environnements complexes, dynamiques et hétérogènes, et la détection des cyberattaques ayant des informations limitées et/ou incomplètes sur les intrusions et leurs conséquences. Dans cette thèse, nous sommes intéressés aux IDS génériques de l’infonuagique afin d’identifier les intrusions qui sont indépendantes de l’infrastructure utilisée. Par conséquent, à chaque fois qu’un pressentiment d’attaque est identifié, le système de détection d’intrusion doit être capable de reconnaître toutes les variantes d’une telle attaque, quelle que soit l’infrastructure utilisée. De plus, les IDS de l’infonuagique coopèrent et échangent des informations afin de faire bénéficier chacun des expertises des autres, pour identifier des modèles d’attaques inconnues.----------ABSTRACT: Cloud Computing systems are becoming more and more complex, dynamic and heterogeneous. Such an environment frequently produces complex and noisy data that make Intrusion Detection Systems (IDSs) unable to detect unknown variants of known attacks. A single intrusion or an attack in such a heterogeneous system could take various forms that are logically but not synthetically similar. This, in turn, makes traditional IDSs unable to identify these attacks, since they are designed for specific and limited infrastructures. Therefore, the accuracy of the detection in the cloud will be very negatively affected. In addition to the problem of the cloud computing environment, cyber attacks are getting more sophisticated and harder to detect. Thus, it is becoming increasingly difficult for a single cloud-based IDS to detect all attacks, because of limited and incomplete knowledge about attacks and implications. The problem of the existing cloud-based IDS solutions is that they overlook the dynamic and changing nature of the cloud. Moreover, they are fundamentally based on the local knowledge and experience to perform the classification of attacks and normal patterns. This renders the cloud vulnerable to “Zero-Day” attacks. To this end, we address throughout this thesis two challenges associated with the cloud-based IDS which are: the detection of cyber attacks under complex, dynamic and heterogeneous environments; and the detection of cyber attacks under limited and/or incomplete information about intrusions and implications. We are interested in this thesis in allowing cloud-based IDSs to be generic, in order to identify intrusions regardless of the infrastructure used. Therefore, whenever an intrusion has been identified, an IDS should be able to recognize all the different structures of such an attack, regardless of the infrastructure that is being used. Moreover, we are interested in allowing cloud-based IDSs to cooperate and share knowledge with each other, in order to make them benefit from each other’s expertise to cover unknown attack patterns. The originality of this thesis lies within two aspects: 1) the design of a generic cloud-based IDS that allows the detection under changing and heterogeneous environments and 2) the design of a multi-cloud cooperative IDS that ensures trustworthiness, fairness and sustainability. By trustworthiness, we mean that the cloud-based IDS should be able to ensure that it will consult, cooperate and share knowledge with trusted parties (i.e., cloud-based IDSs). By fairness, we mean that the cloud-based IDS should be able to guarantee that mutual benefits will be achieved through minimising the chance of cooperating with selfish IDSs. This is useful to give IDSs the motivation to participate in the community

A survey of defense mechanisms against distributed denial of service (DDOS) flooding attacks

Distributed Denial of Service (DDoS) flooding attacks are one of the biggest concerns for security professionals. DDoS flooding attacks are typically explicit attempts to disrupt legitimate users' access to services. Attackers usually gain access to a large number of computers by exploiting their vulnerabilities to set up attack armies (i.e., Botnets). Once an attack army has been set up, an attacker can invoke a coordinated, large-scale attack against one or more targets. Developing a comprehensive defense mechanism against identified and anticipated DDoS flooding attacks is a desired goal of the intrusion detection and prevention research community. However, the development of such a mechanism requires a comprehensive understanding of the problem and the techniques that have been used thus far in preventing, detecting, and responding to various DDoS flooding attacks. In this paper, we explore the scope of the DDoS flooding attack problem and attempts to combat it. We categorize the DDoS flooding attacks and classify existing countermeasures based on where and when they prevent, detect, and respond to the DDoS flooding attacks. Moreover, we highlight the need for a comprehensive distributed and collaborative defense approach. Our primary intention for this work is to stimulate the research community into developing creative, effective, efficient, and comprehensive prevention, detection, and response mechanisms that address the DDoS flooding problem before, during and after an actual attack. © 1998-2012 IEEE

Enhanced cluster based trust management framework for mobile Ad hoc networks

Trust management in decentralized networks and MANETs are much more complicated than the traditional access point based on wireless networks. The nodes in MANETs are used to provide trust information or evidence to find trustworthy nodes. However, the trust evaluation procedure depends on the local information due to its limited resources. In a trust management framework, there are issues to be resolved that include inefficient monitoring system with trust, inaccuracy in trust computation assign and lack of path selection based on trust. Therefore, in this research, a Trust Management Framework (TMF) was developed to address the aforementioned issues. The framework has the capability to monitor the network, assign trust values, and select an appropriate path for the transmission of packets among nodes which depends on the assignment of trust values. The TMF provides a secure cluster-based trust management to monitor the network that minimizes network overhead, improves path selection based on trust evaluation, and assigns trust for clusters-nodes with improved packet delivery ratio and delay. The performance of the TMF was assessed by performing simulation with Network Simulator version 2 (NS2). The results of the framework were compared with the state-of-the-art frameworks such as Requirement for Neural TMF (RNTMF), Recommendation Trust Framework with Defence Framework (RTMD), and Energy Efficient Secure Dynamic Source Routing (EESDSR). The results demonstrated that the Packets Delivery Ratio (PDR) of the TMF was 25.2% better than RNTMF, 21.4% better than RTMD, and 18.4% better than EESDSR. The overhead of the TMF was 4.5% less than RNTMF, 23.2% less than RTMD, and 26.8% less than EESDSR. The findings showed that TMF has better performance in terms of trust management in MANETs

Real-time data operations and causal security analysis for edge-cloud-based Smart Grid infrastructure

The electric power grids are one of the fundamental infrastructures of modern society and are among the most complex networks ever made. Recent development in communications, sensing and measurement techniques has completely changed the traditional electric power grid and has brought us the intelligent electric power grid known as Smart Grid. As a critical cyber-physical system (CPS), Smart Grid is an integration of physical components, sensors, actuators, control centers, and communication networks. The key to orchestrate large scale Smart Grid is to provide situational awareness of the system. And situational awareness is based on large-scale, real-time, accurate collection and analysis of the monitoring and measurement data of the system. However, it is challenging to guarantee situational awareness of Smart Grid. On the one hand, connecting a growing number of heterogeneous programmable devices together introduces new security risks and increases the attack surface of the system. On the other hand, the tremendous amount of measurements from sensors spanning a large geographical area can result in a reduction of available bandwidth and increasing network latency. Both the lack of security protection and the delayed sensor data impede the situational awareness of the system and thus limit the ability to efficiently control and protect large scale Smart Grids in time-critical scenarios. To target the aforementioned challenge, in this thesis, I propose a series of frameworks to provide and guarantee situational awareness in Smart Grid. Taking an integrated approach of edge-cloud design, real-time data operations, and causal security analysis, the proposed frameworks enhance security protection by anomaly detection and managing as well as causal reasoning of alerts, and reduce traffic volume by online data compression. Extensive experiments by real or synthetic traffic demonstrate that the proposed frameworks achieve satisfactory performance and bear great potential practical value