19 research outputs found

    Predictive Cyber Situational Awareness and Personalized Blacklisting: A Sequential Rule Mining Approach

    Cybersecurity adopts data mining for its ability to extract concealed and indistinct patterns from data, for example for alert correlation. Inferring common attack patterns and rules from alerts helps defenders understand the threat landscape and enables cyber situational awareness, including the projection of ongoing attacks. In this paper, we explore the use of data mining, namely sequential rule mining, in the analysis of intrusion detection alerts. We employed a dataset of 12 million alerts from 34 intrusion detection systems in 3 organizations, gathered in an alert sharing platform, and processed it using our analytical framework. We mined sequential rules, used them to predict security events, and turned the predictions into a predictive blacklist. Thus, recipients of data from the sharing platform receive only a small number of alerts for events that are likely to occur, instead of a large number of alerts about past events. The predictive blacklist is only 3% the size of the raw data, and more than 60% of its entries are shown to make accurate predictions in operational, real-world settings.
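    The pipeline the abstract describes (alerts grouped per source, sequential rules X -> Y mined with support and confidence thresholds, predictions for sources seen so far, and a hit rate over a later window) can be sketched end to end. The block below is an added illustration, not the paper's framework, dataset or code: the alert records, signature names, IP addresses and thresholds are all constructed, and the rules are restricted to single-item antecedents to keep the mining step short.

```python
"""Sequential rule mining over IDS alerts, turned into a predictive blacklist.
Constructed illustration: the alerts, signatures and thresholds are made up."""
from collections import defaultdict

# Constructed alert stream: (timestamp, source_ip, signature). Not real data.
TRAIN_ALERTS = [
    (1, "203.0.113.10", "SCAN_PORTSWEEP"), (2, "203.0.113.10", "SSH_BRUTEFORCE"),
    (3, "203.0.113.11", "SCAN_PORTSWEEP"), (4, "203.0.113.11", "SSH_BRUTEFORCE"),
    (5, "203.0.113.12", "SCAN_PORTSWEEP"), (6, "203.0.113.12", "WEB_SQLI_ATTEMPT"),
    (7, "203.0.113.12", "WEB_SHELL_UPLOAD"),
    (8, "203.0.113.13", "WEB_SQLI_ATTEMPT"), (9, "203.0.113.13", "WEB_SHELL_UPLOAD"),
    (10, "203.0.113.14", "SCAN_PORTSWEEP"), (11, "203.0.113.14", "SSH_BRUTEFORCE"),
    (12, "203.0.113.15", "WEB_SQLI_ATTEMPT"),
]
# Later window, used only to score the blacklist mined from TRAIN_ALERTS.
TEST_ALERTS = [
    (20, "198.51.100.20", "SCAN_PORTSWEEP"), (21, "198.51.100.20", "SSH_BRUTEFORCE"),
    (22, "198.51.100.21", "WEB_SQLI_ATTEMPT"), (23, "198.51.100.21", "WEB_SHELL_UPLOAD"),
    (24, "198.51.100.22", "SCAN_PORTSWEEP"), (25, "198.51.100.22", "WEB_SQLI_ATTEMPT"),
]

def sequences_by_source(alerts):
    """Order alerts in time and group them into one signature sequence per source."""
    seqs = defaultdict(list)
    for _, src, sig in sorted(alerts):
        seqs[src].append(sig)
    return dict(seqs)

def mine_rules(seqs, min_support, min_confidence):
    """Single-item sequential rules X -> Y: 'Y is seen after X in the same
    source's sequence'. support = fraction of all sequences with the pattern,
    confidence = fraction of sequences containing X that continue to Y."""
    n, contains, follows = len(seqs), defaultdict(int), defaultdict(int)
    for seq in seqs.values():
        first = {}
        for i, sig in enumerate(seq):
            first.setdefault(sig, i)  # position of X's first occurrence
        for x, i in first.items():
            contains[x] += 1
            for y in set(seq[i + 1:]) - {x}:  # each (x, y) counted once per sequence
                follows[(x, y)] += 1
    rules = {}
    for (x, y), cnt in follows.items():
        support, confidence = cnt / n, cnt / contains[x]
        if support >= min_support and confidence >= min_confidence:
            rules[(x, y)] = (support, confidence)
    return rules

def predictive_blacklist(rules, observed):
    """observed: {src: signatures seen so far}. For each source, predict the
    signatures that rules say should follow but have not been seen yet;
    the entry carries the best rule confidence for that prediction."""
    out = {}
    for src, seq in observed.items():
        seen, preds = set(seq), {}
        for (x, y), (_, conf) in rules.items():
            if x in seen and y not in seen:
                preds[y] = max(conf, preds.get(y, 0.0))
        if preds:
            out[src] = preds
    return out

def evaluate(seqs, rules):
    """Hold out each source's last alert, predict from the rest, and count how
    many blacklist entries name the alert that actually came next."""
    observed = {s: q[:-1] for s, q in seqs.items() if len(q) > 1}
    held = {s: q[-1] for s, q in seqs.items() if len(q) > 1}
    blacklist = predictive_blacklist(rules, observed)
    entries = sum(len(p) for p in blacklist.values())
    hits = sum(1 for s, p in blacklist.items() if held[s] in p)
    return blacklist, entries, hits

def run(min_support=0.3, min_confidence=0.6):
    rules = mine_rules(sequences_by_source(TRAIN_ALERTS), min_support, min_confidence)
    blacklist, entries, hits = evaluate(sequences_by_source(TEST_ALERTS), rules)
    return {"rules": rules, "blacklist": blacklist, "entries": entries, "hits": hits}

if __name__ == "__main__":
    print(run())
```

    Two rules survive the thresholds on the constructed data (port sweep followed by SSH brute force, SQL injection attempt followed by web shell upload), and two of the three blacklist entries produced for the later window name the alert that actually arrived next. Mining on one time window and scoring on a later one matters: scoring on the same alerts the rules were mined from would overstate the hit rate.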

    Methodology for Fast Pattern Matching by Deterministic Finite Automaton with Perfect Hashing (Ondrej Lengal)

    As the speed of current computer networks increases, networks must be protected by security systems such as firewalls and Intrusion Detection Systems operating at multigigabit speeds. Pattern matching is the time-critical operation of current IDSs on multigigabit networks, and regular expressions are often used to describe malicious network patterns. This paper deals with fast regular expression matching using a Deterministic Finite Automaton (DFA) with a perfect hash function. We decompose the problem into two parts: a transformation of the input alphabet followed by a fast DFA, and the use of perfect hashing to reduce the space/speed trade-off of the DFA transition table.
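    The two-part decomposition in the abstract can be made concrete: a keyword automaton is first compiled into a complete DFA over all 256 byte values, bytes whose transition columns are identical are then merged into equivalence classes (the alphabet transformation), and finally only the transitions that do not fall back to the start state are stored in a perfect-hash table instead of a full states x symbols matrix. The block below is an added illustration, not the paper's code: the patterns and sample input are constructed, the automaton is a plain Aho-Corasick keyword DFA rather than a general regular-expression DFA, and the hash-and-displace construction and the 32-bit mixer are assumptions standing in for whatever perfect hash function the paper uses.

```python
"""Alphabet transformation + full DFA + perfect-hashed transitions (constructed
illustration; patterns, input and hash mixer are assumptions, not the paper's)."""
from collections import deque

ROOT, MASK = 0, 0xFFFFFFFF
PATTERNS = [b"GET /", b"/etc/passwd", b"cmd.exe"]  # constructed signatures
SAMPLE = b"GET /cgi-bin/x?f=../../etc/passwd HTTP/1.1"  # constructed input

def mix(k, d):
    """32-bit mixer of (key, displacement); constructed, not the paper's hash."""
    x = (k * 0x9E3779B1 + d * 0x85EBCA77) & MASK
    x ^= x >> 15
    x = (x * 0xC2B2AE3D) & MASK
    return x ^ (x >> 13)

def build_full_dfa(patterns):
    """Aho-Corasick automaton as a complete DFA: delta[s][b] -> next state,
    accept[s] -> patterns matched on entering s."""
    goto, accept = [{}], [set()]
    for pat in patterns:
        s = ROOT
        for b in pat:
            if b not in goto[s]:
                goto.append({})
                accept.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        accept[s].add(pat)
    delta, fail, queue = [[ROOT] * 256 for _ in goto], [ROOT] * len(goto), deque([ROOT])
    while queue:  # BFS: fail[s] is fully expanded before s is visited
        s = queue.popleft()
        for b in range(256):
            t = goto[s].get(b)
            if t is None:
                delta[s][b] = delta[fail[s]][b]  # borrow the fail state's move
            else:
                fail[t] = delta[fail[s]][b]  # for ROOT's children this is still ROOT
                accept[t] |= accept[fail[t]]  # suffix matches propagate
                delta[s][b] = t
                queue.append(t)
    return delta, accept

def alphabet_classes(delta):
    """Step 1: bytes with identical transition columns share one class id."""
    col_id, cls = {}, [0] * 256
    for b in range(256):
        cls[b] = col_id.setdefault(tuple(row[b] for row in delta), len(col_id))
    return cls, len(col_id)

def perfect_hash(keys):
    """Hash-and-displace: each of r buckets gets a displacement d that sends all
    its keys to distinct, still-free slots of an m-slot table. Returns (disp, m)."""
    n, r = len(keys), max(1, len(keys) // 4)
    m = n
    while True:
        buckets = [[] for _ in range(r)]
        for k in keys:
            buckets[mix(k, 0) % r].append(k)
        used, disp = [False] * m, [0] * r
        for bi in sorted(range(r), key=lambda i: -len(buckets[i])):  # big buckets first
            for d in range(1, 20000):
                slots = {mix(k, d) % m for k in buckets[bi]}
                if len(slots) == len(buckets[bi]) and not any(used[s] for s in slots):
                    for s in slots:
                        used[s] = True
                    disp[bi] = d
                    break
            else:
                break  # bucket could not be placed: retry with a larger table
        else:
            return disp, m
        m += max(1, m // 10)

def slot(k, disp, m):
    return mix(k, disp[mix(k, 0) % len(disp)]) % m

def compress(delta, cls, nclasses):
    """Step 2: store only transitions that do not fall back to ROOT, keyed by
    state*nclasses + class, as (key, target) so unknown keys are rejected."""
    trans = {s * nclasses + cls[b]: t for s, row in enumerate(delta)
             for b, t in enumerate(row) if t != ROOT}
    disp, m = perfect_hash(list(trans))
    table = [None] * m
    for k, t in trans.items():
        table[slot(k, disp, m)] = (k, t)
    return table, disp

def scan(data, table, disp, cls, nclasses, accept):
    """Run the compressed automaton; return sorted (end_offset, pattern) hits."""
    s, found = ROOT, []
    for i, b in enumerate(data):
        k = s * nclasses + cls[b]
        hit = table[slot(k, disp, len(table))]
        s = hit[1] if hit is not None and hit[0] == k else ROOT  # absent key: back to ROOT
        found.extend((i + 1, pat) for pat in accept[s])
    return sorted(found)

def demo(patterns=PATTERNS, data=SAMPLE):
    delta, accept = build_full_dfa(patterns)
    cls, nclasses = alphabet_classes(delta)
    table, disp = compress(delta, cls, nclasses)
    return {"full_cells": 256 * len(delta), "reduced_cells": nclasses * len(delta),
            "hash_slots": len(table), "matches": scan(data, table, disp, cls, nclasses, accept)}
```

    Running demo() on the constructed input reports the two expected hits ("GET /" ending at offset 5 and "/etc/passwd" ending at offset 33) together with the three table sizes: the full 256-column matrix, the matrix after alphabet reduction, and the perfect-hash table, which holds only the non-default transitions. The hash table stores the key next to the target because a perfect hash is collision-free only on the keys that were inserted; a (state, class) pair that was never stored still hashes somewhere, and the key compare is what turns that into the default move back to the start state.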

    Low-Cost Precise QoS Measurement Tool

    When implementing networks with QoS guarantees, precise measurement of network QoS characteristics is needed. The primary characteristics of this class are packet loss, throughput, delay and delay variation, as well as the distributions of delay and delay variation. Commercial network analyzers are often very expensive, do not include provisions for the precise time synchronization needed for one-way delay measurement, and are closed in the sense that they cannot be integrated with other applications for processing measurement results. In this article we describe the architecture and implementation of a simple low-cost measurement tool that can be used for precise measurements of all of the above characteristics in small laboratories.

    VoIP-PSTN Interoperability by Asterisk and SS7 Signalling

    PSTN, the world's circuit-switched network, has employed Signalling System #7 as its protocol suite for international and national interconnection over the past decades. VoIP networks, however, have developed different signalling protocols suited to the IP environment. Gateways interconnecting VoIP and PSTN networks are usually proprietary and expensive solutions. Today, open source software can perform this function. As an example, we decided to test the Asterisk PBX with two open source implementations of SS7, the SS7 channel driver and the SS7 library. We tested these solutions for interconnection to the PSTN and ran various tests to verify the functionality of the implementations.