
    Using the Pattern-of-Life in Networks to Improve the Effectiveness of Intrusion Detection Systems

    As the complexity of cyber-attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of Intrusion Detection Systems (IDSs) should be able to adapt their detection characteristics based not only on the measurable network traffic, but also on the available high-level information related to the protected network, to improve their detection results. We make use of the Pattern-of-Life (PoL) of a network as the main source of high-level information, which is correlated with the time of day and the usage of the network resources. We propose the use of a Fuzzy Cognitive Map (FCM) to incorporate the PoL into the detection process. The main aim of this work is to evidence the improved detection performance of an IDS using an FCM to leverage network-related contextual information. The results that we present verify that the proposed method improves the effectiveness of our IDS by reducing the total number of false alarms, providing an improvement of 9.68% when all the considered metrics are combined and a peak improvement of up to 35.64%, depending on the particular metric combination.

    Adding Contextual Information to Intrusion Detection Systems Using Fuzzy Cognitive Maps

    In the last few years there has been a considerable increase in the efficiency of Intrusion Detection Systems (IDSs). However, networks are still the victims of attacks. As the complexity of these attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of IDSs should be designed incorporating reasoning engines supported by contextual information about the network, cognitive information and situational awareness to improve their detection results. In this paper, we propose the use of a Fuzzy Cognitive Map (FCM) in conjunction with an IDS to incorporate contextual information into the detection process. We have evaluated the use of FCMs to adjust the Basic Probability Assignment (BPA) values defined prior to the data fusion process, which is crucial for the IDS that we have developed. The experimental results that we present verify that FCMs can improve the efficiency of our IDS by reducing the number of false alarms, while not affecting the number of correct detections.

    Identifying and Quantifying Critical Information Streams for Tactical Combat Decision Modeling

    It is often asserted that more information on the battlefield leads to greater situational awareness (SA) which, in turn, translates to enhanced mission performance and outcomes. However, the volume of available information on the modern networked battlefield is extensive and growing, which induces a risk of indecision due to cognitive overload. The potential overload highlights the need to streamline the flow of information to those critical streams that provide the most value to a tactical leader’s decision process at particular points in time. The purpose of this study is to identify the critical information streams required by tactical leaders within the various phases of a dismounted search and attack/react to contact scenario. The Domain Mapping Matrix (DMM) methodology is utilized to quantify the value of various information streams relative to the sub-phases within the scenario using a constructed nominal scale. The significance of the highlighted interactions is validated through the use of statistical analysis, with combat veterans serving as test cases. The findings of this study will facilitate the development of decision models that will eventually enable more accurate and realistic simulation of the leader’s decision processes that increased SA purportedly enhances.

    Adding contextual information to intrusion detection systems using fuzzy cognitive maps

    In the last few years there has been a considerable increase in the efficiency of Intrusion Detection Systems (IDSs). However, networks are still the victims of attacks. As the complexity of these attacks keeps increasing, new and more robust detection mechanisms need to be developed. The next generation of IDSs should be designed incorporating reasoning engines supported by contextual information about the network, cognitive information from the network users and situational awareness to improve their detection results. In this paper, we propose the use of a Fuzzy Cognitive Map (FCM) in conjunction with an IDS to incorporate contextual information into the detection process. We have evaluated the use of FCMs to adjust the Basic Probability Assignment (BPA) values defined prior to the data fusion process, which is crucial for the IDS that we have developed. The results that we present verify that FCMs can improve the efficiency of our IDS by reducing the number of false alarms, while not affecting the number of correct detections.

    Multi-Stage Attack Detection Using Contextual Information

    The appearance of new forms of cyber-threats, such as Multi-Stage Attacks (MSAs), creates new challenges to which Intrusion Detection Systems (IDSs) need to adapt. An MSA is launched in multiple sequential stages, which may not be malicious when implemented individually, making the detection of MSAs extremely challenging for most current IDSs. In this paper, we present a novel IDS that exploits contextual information in the form of Pattern-of-Life (PoL), and information related to expert judgment on the network behaviour. This IDS focuses on detecting an MSA, in real time, without a previous training process. The main goal of the MSA is to create a Point of Entry (PoE) to a target machine, which could be used as part of an Advanced Persistent Threat (APT)-like attack. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the detection rate of MSAs in real time by 58%.

    Multi-stage attack detection using contextual information

    The appearance of new forms of cyber-threats, such as Multi-Stage Attacks (MSAs), creates new challenges to which Intrusion Detection Systems (IDSs) need to adapt. An MSA is launched in multiple sequential stages, which may not be malicious when implemented individually, making the detection of MSAs extremely challenging for most current IDSs. In this paper, we present a novel IDS that exploits contextual information in the form of Pattern-of-Life (PoL), and information related to expert judgment on the network behaviour. This IDS focuses on detecting an MSA, in real time, without a previous training process. The main goal of the MSA is to create a Point of Entry (PoE) to a target machine, which could be used as part of an APT-like attack. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the detection rate of MSAs in real time by 58%.

    Addressing Multi-Stage Attacks Using Expert Knowledge and Contextual Information

    New challenges in the cyber-threat domain are driven by tactical and meticulously designed Multi-Stage Attacks (MSAs). Current state-of-the-art (SOTA) Intrusion Detection Systems (IDSs) are developed to detect individual attacks through the use of signatures or by identifying manifested anomalies in the network environment. However, an MSA differs from traditional one-off network attacks as it requires a set of sequential stages, whereby each stage may not be malicious when manifested individually, and may therefore be underestimated by current IDSs. This work proposes a new approach towards addressing this challenging type of cyber-attack by employing external sources of information, beyond the conventional use of signatures and monitored network data. In particular, both expert knowledge and contextual information in the form of the Pattern-of-Life (PoL) of the network are shown to be influential in giving an advantage over SOTA techniques. We compare our proposed anomaly-based IDS, based on decision making powered by Dempster-Shafer (D-S) Theory and Fuzzy Cognitive Maps (FCMs), against Snort, one of the most widely deployed IDSs in the world. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the Detection Rate (DR) of MSAs by almost 50%.

    A technique for determining viable military logistics support alternatives

    A look at today's US military will see it operating much beyond the scope of protecting and defending the United States. These operations now consist of, but are not limited to, humanitarian aid, disaster relief, and conflict resolution. This broad spectrum of operational environments has necessitated a transformation of the individual military services into a hybrid force that can leverage the inherent and emerging capabilities from the strengths of those under the umbrella of the Department of Defense (DOD); this concept has been coined Joint Operations. Supporting Joint Operations requires a new approach to determining a viable military logistics support system. The logistics architecture for these operations has to accommodate scale, time, varied mission objectives, and imperfect information. Compounding the problem is the human-in-the-loop (HITL) decision maker (DM), who is a necessary component for quickly assessing and planning logistics support activities. Past outcomes are not necessarily good indicators of future results, but they can provide a reasonable starting point for planning and prediction of specific needs for future requirements. Adequately forecasting the necessary logistical support structure and commodities needed for any resource-intensive environment has progressed well beyond stable demand assumptions to one in which dynamic and nonlinear environments can be captured with some degree of fidelity and accuracy. While these advances are important, a holistic approach that allows exploration of the operational environment or design space does not exist to guide the military logistician in a methodical way to support military forecasting activities. To bridge this capability gap, a method called A Technique for Logistics Architecture Selection (ATLAS) has been developed.
    This thesis describes and applies the ATLAS method to a notional military scenario that involves the Navy concept of Seabasing and the Marine Corps concept of Distributed Operations applied to a platoon-sized element. This work uses modeling and simulation to incorporate expert opinion and knowledge of military operations, dynamic reasoning methods, and certainty analysis to create a decision support system (DSS) that can be used to provide the DM an enhanced view of the logistics environment and variables that impact specific measures of effectiveness.
    Ph.D. Committee Chair: Mavris, Dimitri; Committee Member: Fahringer, Philip; Committee Member: Nixon, Janel; Committee Member: Schrage, Daniel; Committee Member: Soban, Danielle; Committee Member: Vachtsevanos, Georg

    An Epistemological Inquiry into the Incorporation of Emergency Management Concept in the Homeland Security with a Post-Disaster Security Centric Focus

    The historical roots of the Emergency Management concept in the U.S. date back to the 19th century. As disasters occurred, policies relating to disaster response were developed, and many statutory provisions, including several Federal Disaster Relief Acts, conceptually established the framework of Emergency Management. In 1979, with the foundation of the Federal Emergency Management Agency (FEMA), disaster relief efforts were finally institutionalized, and the federal government acknowledged that Emergency Management included mitigation, preparedness, response and recovery activities, abbreviated 'MPRR.' However, after 2000, the U.S. experienced two milestone events: the September 11 terrorist attacks in 2001 and Hurricane Katrina in 2005. Following the foundation of the Department of Homeland Security (DHS) in 2002, the definitional context of Emergency Management and its phases/components, simply its essence, evolved and was incorporated into many official documents differently, creating contextual inconsistencies. Recent key official documents embody epistemological problems that have the potential to traumatize the coherence of the Homeland Security contextual framework as well as to impose theoretical challenges on the education and training of Homeland Security/Emergency Management stakeholders. Furthermore, the conceptual design of the Emergency Support Functions (ESF), which have been defined within the context of the National Response Framework (NRF), displays similar problematic symptoms, and existing urban area Public Safety and Security planning processes have also not been supported by methodologies that are aligned with post-disaster security requirements. To that end, the conceptual framework of Emergency Management and its incorporation in the Homeland Security global architecture should be revised and redefined to enhance coherence and reliability.
    Coherence in the contextual structure directly links to the system's organizational structure and its viability functions. Also, holistic multi-dimensional system representations/abstractions, which would support appreciation of the system's complex context, should be incorporated in policy documents to be utilized to educate the relevant stakeholders (individuals, teams, etc.) during training/orientation programs. In addition, the NRF and its ESFs should be reviewed through a post-disaster security-centric focus, since the post-disaster environment has unique characteristics that should be addressed by different approaches. In that sense, this dissertation develops a Post-Disaster Security Index (PDSI) Model that provides valuable insights for security agents and other Emergency Management and Homeland Security stakeholders.

    A situation risk awareness approach for process systems safety

    Promoting situation awareness is an important design objective for a wide variety of domains, especially for process systems, where the information flow is quite high and poor decisions may lead to serious consequences. In today's process systems, operators are often moved to a control room far away from the physical environment, and increasing amounts of information are passed to them via automated systems; they therefore need a greater level of support to control and maintain the facilities in safe conditions. This paper proposes a situation risk awareness approach for process systems safety where the effect of ever-increasing situational complexity on human decision-makers is a concern. To develop the approach, two important aspects, addressing hazards that arise from hardware failure and reducing human error through decision-making, have been considered. The proposed situation risk awareness approach includes two major elements: an evidence preparation component and a situation assessment component. The evidence preparation component provides the soft evidence, using a fuzzy partitioning method, that is used in the subsequent situation assessment component. The situation assessment component includes a situational network based on dynamic Bayesian networks to model the abnormal situations, and a fuzzy risk estimation method to generate the assessment result. A case from US Chemical Safety Board investigation reports has been used to illustrate the application of the proposed approach. © 2013 Elsevier Ltd