
    AI Solutions for MDS: Artificial Intelligence Techniques for Misuse Detection and Localisation in Telecommunication Environments

    This report considers the application of Artificial Intelligence (AI) techniques to the problem of misuse detection and misuse localisation within telecommunications environments. A broad survey of techniques is provided, covering inter alia rule-based systems, model-based systems, case-based reasoning, pattern matching, clustering and feature extraction, artificial neural networks, genetic algorithms, artificial immune systems, agent-based systems, data mining and a variety of hybrid approaches. The report then considers the central issue of event correlation, which is at the heart of many misuse detection and localisation systems. The notion of inferring misuse by correlating individual, temporally distributed events within a multiple-data-stream environment is explored, and a range of techniques is reviewed, covering model-based approaches, 'programmed' AI and machine-learning paradigms. It is found that, in general, correlation is best achieved via rule-based approaches, but that these suffer from a number of drawbacks, such as the difficulty of developing and maintaining an appropriate knowledge base and the inability to generalise from known misuses to new, unseen misuses. Two distinct approaches are evident. One attempts to encode knowledge of known misuses, typically within rules, and uses this to screen events. This approach cannot generally detect misuses for which it has not been programmed, i.e. it is prone to false negatives. The other attempts to 'learn' the features of event patterns that constitute normal behaviour and, by observing patterns that do not match expected behaviour, detects when a misuse has occurred. This approach is prone to false positives, i.e. inferring misuse from innocent patterns of behaviour that the system was not trained to recognise.
Contemporary approaches favour hybridisation, often combining detection or localisation mechanisms for both abnormal and normal behaviour, the former to capture known cases of misuse, the latter to capture unknown cases. In some systems these mechanisms even update each other to increase detection rates and lower false-positive rates. It is concluded that hybridisation offers the most promising future direction, but that a rule- or state-based component is likely to remain, being the most natural approach to the correlation of complex events. The challenge, then, is to mitigate the weaknesses of canonical programmed systems so that learning, generalisation and adaptation are more readily facilitated.
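The two approaches the abstract contrasts, and their characteristic errors, can be seen side by side in a small hybrid detector. The following is an added example and is not code from the report: it runs a rule-based temporal correlator (one known misuse pattern spanning a signalling stream and a billing stream) and a learned per-subscriber baseline over the same constructed event log, then lets the rule verdict take precedence. The event layout, the subscriber names, the rule and every threshold are constructed for illustration and are not real telecom signatures.

```python
"""Hybrid misuse detection over a constructed multi-stream event log.

Added example, not code from the report. Known misuse is encoded as a
temporal rule across two streams; unknown behaviour is caught by a learned
baseline. Every event, threshold and rule here is constructed (assumed).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    t: int              # seconds since start of the window
    stream: str         # "signalling" or "billing" (two correlated data streams)
    subscriber: str
    kind: str           # call_setup | call_fail | charge | intl_call
    value: float = 0.0  # amount charged, for billing events


def rule_fails_then_intl(events, window=60, min_fails=3):
    """Programmed knowledge of ONE known misuse (constructed pattern):
    >= min_fails failed call setups in the signalling stream, followed within
    `window` seconds by an international call charged in the billing stream.
    Anything not matching this rule is invisible to it (false negatives)."""
    fails = defaultdict(list)
    flagged = set()
    for ev in sorted(events, key=lambda e: e.t):
        if ev.stream == "signalling" and ev.kind == "call_fail":
            fails[ev.subscriber].append(ev.t)
        elif ev.stream == "billing" and ev.kind == "intl_call":
            recent = [t for t in fails[ev.subscriber] if ev.t - window <= t <= ev.t]
            if len(recent) >= min_fails:
                flagged.add(ev.subscriber)
    return flagged


class BaselineDetector:
    """Learned profile of normal behaviour: per-feature mean and std-dev fitted
    on a training window, then a z-score threshold at detection time. Innocent
    but unusual subscribers are flagged too (false positives)."""

    def __init__(self, z=3.0):
        self.z = z
        self.profile = {}

    @staticmethod
    def features(events):
        per_sub = defaultdict(lambda: {"calls": 0, "fails": 0, "spend": 0.0})
        for ev in events:
            f = per_sub[ev.subscriber]
            if ev.kind in ("call_setup", "call_fail", "intl_call"):
                f["calls"] += 1
            if ev.kind == "call_fail":
                f["fails"] += 1
            if ev.stream == "billing":
                f["spend"] += ev.value
        return per_sub

    def fit(self, training_events):
        feats = self.features(training_events)
        for name in ("calls", "fails", "spend"):
            col = [f[name] for f in feats.values()]
            sd = pstdev(col)
            # A zero-spread profile would flag every deviation; fall back to
            # unit spread so the z threshold keeps a meaning.
            self.profile[name] = (mean(col), sd if sd > 0 else 1.0)

    def detect(self, events):
        return {sub for sub, f in self.features(events).items()
                if any(abs(f[n] - mu) / sd > self.z for n, (mu, sd) in self.profile.items())}


def hybrid(events, baseline):
    """Known misuse wins; anything else the baseline flags is an anomaly."""
    verdicts = {sub: "known_misuse" for sub in rule_fails_then_intl(events)}
    for sub in baseline.detect(events):
        verdicts.setdefault(sub, "anomaly")
    return verdicts


def training_events():
    """Constructed 'normal' window: 20 subscribers, each 5 calls, 1 failure and
    5 unit charges (uniform on purpose so the learned profile is easy to read)."""
    evs = []
    for i in range(20):
        sub, base = f"n{i:02d}", i * 1000
        evs += [Event(base + k * 10, "signalling", sub, "call_setup") for k in range(5)]
        evs.append(Event(base + 60, "signalling", sub, "call_fail"))
        evs += [Event(base + 70 + k * 10, "billing", sub, "charge", 1.0) for k in range(5)]
    return evs


def test_events():
    """Constructed detection window: A = the known misuse; B = an unknown misuse
    (one huge charge); C = an innocent heavy caller; D = ordinary traffic."""
    evs = [Event(t, "signalling", "A", "call_fail") for t in (10, 20, 30)]
    evs.append(Event(50, "billing", "A", "intl_call", 3.0))
    evs += [Event(100, "signalling", "B", "call_setup"), Event(110, "billing", "B", "charge", 40.0)]
    evs += [Event(200 + k * 10, "signalling", "C", "call_setup") for k in range(12)]
    evs += [Event(400 + k * 10, "billing", "C", "charge", 1.0) for k in range(12)]
    evs += [Event(600 + k * 10, "signalling", "D", "call_setup") for k in range(5)]
    evs.append(Event(660, "signalling", "D", "call_fail"))
    evs += [Event(670 + k * 10, "billing", "D", "charge", 1.0) for k in range(5)]
    return evs


def demo():
    """A -> known_misuse (rule); B -> anomaly (rule missed it); C -> anomaly
    (innocent heavy user, baseline false positive); D -> not flagged."""
    baseline = BaselineDetector(z=3.0)
    baseline.fit(training_events())
    return hybrid(test_events(), baseline)
```

Running `demo()` shows the division of labour the abstract describes: the rule alone would never see subscriber B, the baseline alone would wrongly flag C, and a hybrid that feeds confirmed anomalies back into the rule base (B's pattern becoming a new rule) is the update loop the abstract attributes to the better systems.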

    Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability

    This doctoral thesis performs a detailed analysis of the decision elements necessary to improve cyber defence situational awareness, with special emphasis on the perception and understanding of the analyst in a cybersecurity operations centre (SOC). Two different architectures based on network flow forensics of data streams (NF3) are proposed. The first uses ensemble machine-learning techniques, while the second is a machine-learning variant of greater algorithmic complexity (lambda-NF3) that offers a more robust defence framework against adversarial attacks. Both proposals seek to automate malware detection and the subsequent incident management effectively, showing satisfactory results in approximating what has been called a next-generation cognitive-computing SOC (NGC2SOC). The supervision and monitoring of events for the protection of an organisation's computer networks must be accompanied by visualisation techniques. Here the thesis addresses the generation of three-dimensional representations based on mission-oriented metrics and procedures that use a fuzzy-logic expert system. The state of the art shows serious deficiencies when it comes to implementing cyber defence solutions that reflect the relevance of an organisation's mission, resources and tasks for a better-informed decision.
The research work finally provides two key areas to improve decision-making in cyber defence: a solid and complete verification and validation framework to evaluate solution parameters, and the development of a synthetic dataset that unambiguously maps the phases of a cyber-attack to the Cyber Kill Chain and MITRE ATT&CK frameworks.
Llopis Sánchez, S. (2023). Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability [Doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/19424

    Web-based Geographical Visualization of Container Itineraries

    Around 90% of the world's cargo is transported in maritime containers, but only around 2% of containers are physically inspected. This opens the possibility for illicit activities. A viable solution is to control containerised cargo through information-based risk analysis. Container route-based analysis has been considered a key factor in identifying potentially suspicious consignments. An essential part of itinerary analysis is the geographical visualisation of the itinerary. In the present paper, we present initial work on the realisation of a web-based system for interactive geographical visualisation of container itineraries.
JRC.G.4-Maritime affair

    Rule-Based Intelligence on the Semantic Web: Implications for Military Capabilities

    Rules are a key element of the Semantic Web vision, promising to provide a foundation for reasoning capabilities that underpin the intelligent manipulation and exploitation of information content. Although ontologies provide the basis for some forms of reasoning, it is unlikely that ontologies, by themselves, will support the range of knowledge-based services that are likely to be required on the Semantic Web. As such, it is important to consider the contribution that rule-based systems can make to the realization of advanced machine intelligence on the Semantic Web. This report aims to review the current state of the art with respect to semantic rule-based technologies. It provides an overview of the rules, rule languages and rule engines that are currently available to support ontology-based reasoning, and it discusses some of the limitations of these technologies in terms of their inability to cope with uncertain or imprecise data and their poor performance in some reasoning contexts. This report also describes the contribution of reasoning systems to military capabilities, and suggests that current technological shortcomings pose a significant barrier to the widespread adoption of reasoning systems within the defence community. Some solutions to these shortcomings are presented and a timescale for technology adoption within the military domain is proposed. It is suggested that application areas such as semantic integration, semantic interoperability, data fusion and situation awareness provide the best opportunities for technology adoption within the 2015 timeframe. Other capabilities, such as decision support and the emulation of human-style reasoning, are seen to depend on the resolution of significant challenges that may hinder attempts at technology adoption and exploitation within the 2020 timeframe.

    Preliminary Recommendations for the Collection, Storage, and Analysis of UAS Safety Data

    Although the use of unmanned aircraft systems (UASs) in military and public-service operations is proliferating, civilian use of UASs remains limited in the United States today. With efforts underway to accommodate and integrate UASs into the National Airspace System (NAS), a proactive understanding of safety issues, i.e. the unique hazards and the corresponding risks that UASs pose not only through their operations for commercial purposes but also to existing operations in the NAS, is especially important so as to (a) support the development of a sound regulatory basis, (b) regulate, design and properly equip UASs, and (c) effectively mitigate the risks posed. Data, especially about system and component failures, incidents and accidents, provide valuable insight into how performance and operational capabilities/limitations contribute to hazards. Since the majority of UAS operations today take place in a context that is significantly different from the norm in civil aviation, i.e. with different operational goals and standards, identifying what constitutes useful and sufficient data on UASs and their operations is a substantial research challenge.

    An Energy Aware and Secure MAC Protocol for Tackling Denial of Sleep Attacks in Wireless Sensor Networks

    Wireless sensor networks, which form part of the core of the Internet of Things, consist of resource-constrained sensors that are usually powered by batteries. Therefore, careful energy awareness is essential when working with these devices. Indeed, the introduction of security techniques such as authentication and encryption, to ensure the confidentiality and integrity of data, can place a higher energy load on the sensors. However, the absence of security protection could give room for energy-drain attacks such as denial-of-sleep attacks, which have a greater negative impact on the life span of the sensors than the presence of security features. This thesis therefore focuses on tackling denial-of-sleep attacks from two perspectives: a security perspective and an energy-efficiency perspective. The security perspective involves evaluating and ranking a number of security-based techniques for curbing denial-of-sleep attacks. The energy-efficiency perspective, on the other hand, involves exploring duty cycling and simulating three Media Access Control (MAC) protocols, Sensor MAC (S-MAC), Timeout MAC (T-MAC) and TunableMAC, under different network sizes and measuring parameters such as the Received Signal Strength Indicator (RSSI), Link Quality Indicator (LQI), transmit power, throughput and energy efficiency. Duty cycling is one of the major techniques for conserving energy in wireless sensor networks, and this research aims to answer questions regarding the effect of duty cycles on the energy efficiency as well as the throughput of the three duty-cycle protocols, in addition to creating a novel MAC protocol that is also more resilient to denial-of-sleep attacks than existing protocols.
The main contributions to knowledge from this thesis are the framework developed for the evaluation of existing denial-of-sleep attack solutions and the algorithms which underpin the other contribution to knowledge: a newly developed protocol tested on the Castalia simulator on the OMNeT++ platform. The new protocol has been compared with existing protocols and has been found to offer a significant improvement in energy efficiency as well as better resilience to denial-of-sleep attacks. Part of this research has been published: two conference publications in IEEE Xplore and one workshop paper.
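The trade-off the abstract states, that authentication costs energy but its absence costs far more once a denial-of-sleep attacker appears, and the dependence of that cost on the duty cycle, can be made concrete with a slot-based energy model. The following is an added example, not code from the thesis: the node model is a generic duty-cycled MAC with adaptive listening, not S-MAC, T-MAC, TunableMAC or the thesis's own protocol, and every energy figure, the period length, the wake extension and the traffic rates are constructed units chosen only to make the effect visible.

```python
"""Slot-based energy model of a duty-cycled sensor node under a
denial-of-sleep attacker. Added example, not code from the thesis; the
protocol and all cost figures are constructed assumptions.

Two node policies are compared:
  * naive: any frame received while listening is processed and keeps the
    radio on for WAKE_EXTENSION further slots, so a stream of forged frames
    never lets the node sleep;
  * authenticated: each frame is verified first (E_VERIFY); a frame that
    fails verification is dropped without extending the wake period, so the
    attacker only adds verification work in slots the node was awake anyway.
"""

# Constructed per-slot energy units (assumptions, not measured values).
E_SLEEP = 1         # radio off
E_LISTEN = 100      # radio on, idle listening
E_VERIFY = 5        # authenticate one received frame
E_PROCESS = 20      # decrypt/handle an accepted frame
WAKE_EXTENSION = 3  # slots the radio stays on after an accepted frame
PERIOD = 10         # slots per duty-cycle period


def simulate(duty_cycle, attack_every, legit_every, authenticate, slots=1000):
    """Total energy over `slots` slots. attack_every / legit_every are the
    periods (in slots) of forged and authentic frames; 0 disables either.
    Frames sent while the radio is off are simply not received."""
    awake_slots = round(duty_cycle * PERIOD)
    energy = 0
    forced_awake = 0
    for s in range(slots):
        awake = (s % PERIOD) < awake_slots or forced_awake > 0
        if forced_awake > 0:
            forced_awake -= 1
        if not awake:
            energy += E_SLEEP
            continue
        energy += E_LISTEN
        arrivals = []
        if legit_every and s % legit_every == 0:
            arrivals.append(True)    # authentic frame
        if attack_every and s % attack_every == 0:
            arrivals.append(False)   # forged frame from the attacker
        for authentic in arrivals:
            if authenticate:
                energy += E_VERIFY
                if not authentic:
                    continue         # rejected: no processing, no wake extension
            energy += E_PROCESS
            forced_awake = WAKE_EXTENSION
    return energy


def compare(duty_cycle=0.2, legit_every=50, attack_every=1, slots=1000):
    """Energy for {naive, authenticated} x {quiet, continuously attacked}."""
    return {
        "naive_quiet": simulate(duty_cycle, 0, legit_every, False, slots),
        "auth_quiet": simulate(duty_cycle, 0, legit_every, True, slots),
        "naive_attacked": simulate(duty_cycle, attack_every, legit_every, False, slots),
        "auth_attacked": simulate(duty_cycle, attack_every, legit_every, True, slots),
    }


def sweep(duty_cycles=(0.1, 0.2, 0.3, 0.5), slots=1000):
    """Energy of the authenticated node under continuous attack, per duty cycle:
    the attacker's cost now scales with the scheduled awake time only."""
    return {dc: simulate(dc, 1, 50, True, slots) for dc in duty_cycles}
```

With the constructed figures, `compare()` shows the authenticated node paying a small premium when the network is quiet (one verification per legitimate frame) and a several-fold smaller bill than the naive node when forged frames arrive every slot, while `sweep()` shows that, once forged frames cannot extend the wake period, the remaining attack cost is set by the duty cycle the designer chooses.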

    Operational leadership : Relationship with swift trust, moral stress, and adaptability

    The conditions for warfare and military leadership have changed dramatically in the last few decades. Rapid technological advancements and a new geopolitical landscape imply an array of new demands and challenges for military leaders. This thesis focuses on the individual military leader from a psychological perspective. The overall aim of this thesis was to provide a greater understanding of how swift trust in temporary groups, moral stress and adaptability are related to operational leadership among lower-level army leaders.
Study 1 aimed to illuminate factors that benefit, or do not benefit, the development of swift trust towards leaders in temporary military groups. A total of 581 Norwegian and Swedish cadets and officers participated, and a combination of qualitative clustering and non-parametric statistics was used. A hierarchical model of factors contributing to swift trust in leaders of temporary groups emerged. The model consists of two high-level categories, individual-related characteristics and relationship-related characteristics, both of which comprise several subordinate categories. Study 2 aimed to identify and gain a deeper understanding of environmental, organizational and group conditions, and leadership-related issues in particular, reported as being important in severely stressful situations involving a moral stressor faced by military and police officers. The study group consisted of 16 military cadets and officers and 10 police officers (all Swedish). In-depth interviews were conducted and analyzed using a grounded-theory approach. The emerging model consists of a hierarchical system of interrelated codes and categories of aspects reported as being important in severely stressful situations involving a moral stressor. The categories were the following (each being underpinned by several codes): Environment, Organization, Leadership and Group. Study 3, finally, consisted of an initial qualitative study (study 3A), followed by a quantitative study (study 3B). The aim of study 3A was to obtain a deeper understanding regarding the following question: what characterizes successful and unsuccessful military leadership at a lower hierarchical level, when adaptability is needed to handle an unexpected threatening event during a peacekeeping or peace enforcement mission in an environment characterized by irregular warfare?
Since qualitative studies have low generalizability, the obtained results were operationalized into a questionnaire (study 3B) in order to ascertain whether a quantitative study would validate the results or not. Interviews were conducted with 16 Swedish soldiers and officers in study 3A, and responses were obtained from 193 Swedish soldiers and officers in study 3B. A process model describing conditions that affect adaptability when encountering an unexpected event was developed in study 3A. The model was tested in study 3B. Regression analyses showed high to moderately high adjusted R² coefficients. However, a moderation analysis yielded a non-significant result and a path analysis resulted in a poor model fit. The main contributions of the thesis are the three developed theoretical models and, in the case of adaptability, the quantitative test of the model. The person-by-situation paradigm was used as a framework in the general discussion of all three studies. Taken together, the findings broaden the current understanding of operational leadership among lower-level military leaders.
Doctoral thesis.

    Situation Assessment for Mobile Robots
