Vulnerability analysis of AIS-based intrusion detection systems using genetic and evolutionary hackers

In this thesis, an overview of current intrusion detection methods, evolutionary computation, and immunity-based intrusion detection systems (IDSs) is presented. An application named Genetic Interactive Teams for Intrusion Detection Design and Analysis (GENERTIA) is introduced which uses genetic algorithm (GA)-based hackers known as a red team in order to find vulnerabilities, or holes, in an artificial immune system (AlS)-based IDS. GENERTIA also uses a GA-based blue team in order to repair the holes it finds. The performance of the GA-based hackers is tested and measured according to the number of distinct holes that it finds. The GA-based red team�s behavior is then compared to that of 12 variations of the particle swarm optimization (PSO)-based red team named SWO, SW0+, SW1, SW2, SW3, SW4, CCSWO, CCSW0+, CCSW1, CCSW2, CCSW3, and CCSW4. Each variant of the PSO-based red team differs in terms of the way that it searches for holes in an IDS. Through this test, it is determined that none of the red teams based on PSO perform as well as the one based on a GA. However, two of the twelve PSO-based red teams, CCSW4 and SW0+, provide hole finding capabilities closest to that of the GA. In addition to the ability of the different red teams to find holes in an AlS-based IDS, the search behaviors of the GA-based hackers, PSO-based hackers that use a variable called a constriction coefficient, and PSO-based hackers that do not use the coefficient are compared. The results of this comparison show that it may be possible to implement a red team based on a hybrid �genetic swarm� that improves upon the performance of both the GA- and PSO-based red teams

An Immune Inspired Approach to Anomaly Detection

The immune system provides a rich metaphor for computer security: anomaly detection that works in nature should work for machines. However, early artificial immune system approaches for computer security had only limited success. Arguably, this was due to these artificial systems being based on too simplistic a view of the immune system. We present here a second generation artificial immune system for process anomaly detection. It improves on earlier systems by having different artificial cell types that process information. Following detailed information about how to build such second generation systems, we find that communication between cells types is key to performance. Through realistic testing and validation we show that second generation artificial immune systems are capable of anomaly detection beyond generic system policies. The paper concludes with a discussion and outline of the next steps in this exciting area of computer security.Comment: 19 pages, 4 tables, 2 figures, Handbook of Research on Information Security and Assuranc

The security challenges in the IoT enabled cyber-physical systems and opportunities for evolutionary computing & other computational intelligence

Internet of Things (IoT) has given rise to the fourth industrial revolution (Industrie 4.0), and it brings great benefits by connecting people, processes and data. However, cybersecurity has become a critical challenge in the IoT enabled cyber physical systems, from connected supply chain, Big Data produced by huge amount of IoT devices, to industry control systems. Evolutionary computation combining with other computational intelligence will play an important role for cybersecurity, such as artificial immune mechanism for IoT security architecture, data mining/fusion in IoT enabled cyber physical systems, and data driven cybersecurity. This paper provides an overview of security challenges in IoT enabled cyber-physical systems and what evolutionary computation and other computational intelligence technology could contribute for the challenges. The overview could provide clues and guidance for research in IoT security with computational intelligence

Information Security Analysis and Auditing of IEC61850 Automated Substations

This thesis is about issues related to the security of electric substations automated by IEC61850, an Ethernet (IEEE 802.3) based protocol. It is about a comprehen­ sive security analysis and development of a viable method of auditing the security of this protocol. The security analysis focuses on the possible threats to an electric substation based on the possible motives of an attacker. Existing methods and met­ rics for assessing the security of computer networks are explored and examined for suitability of use with IEC61850. Existing methods and metrics focus on conven­ tional computers used in computer networks which are fundamentally different from Intelligent Electronic Devices (IED’s) of substations in terms of technical composition and functionality. Hence, there is a need to develop a new method of assessing the security of such devices. The security analysis is then used to derive a new metric scheme to assess the security of IED’s that use IEC61850. This metric scheme is then tested out in a sample audit on a real IEC61850 network and compared with two other commonly used security metrics. The results show that the new metric is good in assessing the security of IED’s themselves. Further analysis on IED security is done by conducting simulated cyber attacks. The results are then used to develop an Intrusion Detection System (IDS) to guard against such attacks. The temporal risk of intrusion on an electric substation is also evaluated

DEVELOPMENT OF SECUREPLUS ANTIVIRUS WITH THE ARTIFICIAL IMMUNE SYSTEMMODEL

This paper is about Malware proliferation in the wide and the development of an Antivirus called Secure Plus. Malware is a generic name for malfunctioned program codes that could wreak destructive impacts on Information Technology critical infrastructures. These malware usually use various techniques to avoid being detected; usually they are encrypted using hybridized cryptographic algorithms. Malware may be detected using antivirus that can scan the database signatures already accumulated and stored by antivirus vendors in some server. These stored databases signatures can then be compared with zero-day malware through comparison with the benign software. The zero-day malware are of sophisticated program codes that can transmute into different transforming patterns; yet retain their portent functionalities attributes and are now of billion categories by deverse clones. This paper after over viewing the literatures on ground (and they are of large numerical numbers), attempts to make its contribution to the design and development of Antivirus that can detect those zero-day or metamorphic malware. This proposed Antivirus being developed is christened Secure Plus that applies the heuristic Artificial Immune System Algorithm for the design and development. The tested experimental outputs are provided as prove of the Secure Plus effectual functionality worthy of application but need further works through to detect malware proactively

Search based software engineering: Trends, techniques and applications

© ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version is available from the link below.In the past five years there has been a dramatic increase in work on Search-Based Software Engineering (SBSE), an approach to Software Engineering (SE) in which Search-Based Optimization (SBO) algorithms are used to address problems in SE. SBSE has been applied to problems throughout the SE lifecycle, from requirements and project planning to maintenance and reengineering. The approach is attractive because it offers a suite of adaptive automated and semiautomated solutions in situations typified by large complex problem spaces with multiple competing and conflicting objectives. This article provides a review and classification of literature on SBSE. The work identifies research trends and relationships between the techniques applied and the applications to which they have been applied and highlights gaps in the literature and avenues for further research.EPSRC and E

Intelligent network intrusion detection using an evolutionary computation approach

With the enormous growth of users\u27 reliance on the Internet, the need for secure and reliable computer networks also increases. Availability of effective automatic tools for carrying out different types of network attacks raises the need for effective intrusion detection systems. Generally, a comprehensive defence mechanism consists of three phases, namely, preparation, detection and reaction. In the preparation phase, network administrators aim to find and fix security vulnerabilities (e.g., insecure protocol and vulnerable computer systems or firewalls), that can be exploited to launch attacks. Although the preparation phase increases the level of security in a network, this will never completely remove the threat of network attacks. A good security mechanism requires an Intrusion Detection System (IDS) in order to monitor security breaches when the prevention schemes in the preparation phase are bypassed. To be able to react to network attacks as fast as possible, an automatic detection system is of paramount importance. The later an attack is detected, the less time network administrators have to update their signatures and reconfigure their detection and remediation systems. An IDS is a tool for monitoring the system with the aim of detecting and alerting intrusive activities in networks. These tools are classified into two major categories of signature-based and anomaly-based. A signature-based IDS stores the signature of known attacks in a database and discovers occurrences of attacks by monitoring and comparing each communication in the network against the database of signatures. On the other hand, mechanisms that deploy anomaly detection have a model of normal behaviour of system and any significant deviation from this model is reported as anomaly. This thesis aims at addressing the major issues in the process of developing signature based IDSs. These are: i) their dependency on experts to create signatures, ii) the complexity of their models, iii) the inflexibility of their models, and iv) their inability to adapt to the changes in the real environment and detect new attacks. To meet the requirements of a good IDS, computational intelligence methods have attracted considerable interest from the research community. This thesis explores a solution to automatically generate compact rulesets for network intrusion detection utilising evolutionary computation techniques. The proposed framework is called ESR-NID (Evolving Statistical Rulesets for Network Intrusion Detection). Using an interval-based structure, this method can be deployed for any continuous-valued input data. Therefore, by choosing appropriate statistical measures (i.e. continuous-valued features) of network trafc as the input to ESRNID, it can effectively detect varied types of attacks since it is not dependent on the signatures of network packets. In ESR-NID, several innovations in the genetic algorithm were developed to keep the ruleset small. A two-stage evaluation component in the evolutionary process takes the cooperation of rules into consideration and results into very compact, easily understood rulesets. The effectiveness of this approach is evaluated against several sources of data for both detection of normal and abnormal behaviour. The results are found to be comparable to those achieved using other machine learning methods from both categories of GA-based and non-GA-based methods. One of the significant advantages of ESR-NIS is that it can be tailored to specific problem domains and the characteristics of the dataset by the use of different fitness and performance functions. This makes the system a more flexible model compared to other learning techniques. Additionally, an IDS must adapt itself to the changing environment with the least amount of configurations. ESR-NID uses an incremental learning approach as new flow of traffic become available. The incremental learning approach benefits from less required storage because it only keeps the generated rules in its database. This is in contrast to the infinitely growing size of repository of raw training data required for traditional learning

A Multi Agent System for Flow-Based Intrusion Detection

The detection and elimination of threats to cyber security is essential for system functionality, protection of valuable information, and preventing costly destruction of assets. This thesis presents a Mobile Multi-Agent Flow-Based IDS called MFIREv3 that provides network anomaly detection of intrusions and automated defense. This version of the MFIRE system includes the development and testing of a Multi-Objective Evolutionary Algorithm (MOEA) for feature selection that provides agents with the optimal set of features for classifying the state of the network. Feature selection provides separable data points for the selected attacks: Worm, Distributed Denial of Service, Man-in-the-Middle, Scan, and Trojan. This investigation develops three techniques of self-organization for multiple distributed agents in an intrusion detection system: Reputation, Stochastic, and Maximum Cover. These three movement models are tested for effectiveness in locating good agent vantage points within the network to classify the state of the network. MFIREv3 also introduces the design of defensive measures to limit the effects of network attacks. Defensive measures included in this research are rate-limiting and elimination of infected nodes. The results of this research provide an optimistic outlook for flow-based multi-agent systems for cyber security. The impact of this research illustrates how feature selection in cooperation with movement models for multi agent systems provides excellent attack detection and classification

Modeling the Artificial Immune System to the Human Immune System with the Use of Agents

The purpose of this study is to provide a model and a work frame to approximate the artificial immune system to the human immune system with the use of agents to counter malicious software (malware). The artificial immune system components are commercial off-the-shelf products that are managed by the agent that coordinate and synchronize their activity. The behavior of the agent is a simulation of the B-cells in the Human Immune System in the encapsulation, analysis and digestion of the antigen. The proposed architecture can be implemented in almost certainty based on the use of the commercial off-the-shelf products (COTS). The agent can be constructed to perform the required functionality with the help of the sandbox tools that provide the encapsulation. Anomaly detectors provide the knowledge of any process' action that is considered abnormal, hence, a possible malware. The Antivirus applications provide the digestion of the antigen, where known malware is handled directly, while unknown malware is analyzed by signature extraction, then handled by the antivirus. Other components such as intrusion detection (ID) applications perform the defenses at the entrances to the system (communication channels) and the firewall applications provide the prevention of the spread of the antigen and quarantining it in the infected node. The implementation of the model will provide a parallel self-healing system against antigens along side the applications and hardware self-healing systems.Computer Science Departmen