McPAD: A multiple classifier system for accurate payload-based anomaly detection

Anomaly-based network intrusion detection systems (IDS) are valuable tools for the defense-in-depth of computer networks. Unsupervised or unlabeled learning approaches for network anomaly detection have been recently proposed. Such anomaly-based network IDS are able to detect (unknown) zero-day attacks, although much care has to be dedicated to controlling the amount of false positives generated by the detection system. As a matter of fact, it is has been shown that the false positive rate is the true limiting factor for the performance of IDS, and that in order to substantially increase the Bayesian detection rate, P(Intrusion/Alarm), the IDS must have a very low false positive rate (e.g., as low as 10(-5) or even lower). In this paper we present McPAD (multiple classifier payload-based anomaly detector), a new accurate payload-based anomaly detection system that consists of an ensemble of one-class classifiers. We show that our anomaly detector is very accurate in detecting network attacks that bear some form of sheH-code in the malicious payload. This holds true even in the case of polymorphic attacks and for very low false positive rates. Furthermore, we experiment with advanced polymorphic blending attacks and we show that in some cases even in the presence of such sophisticated attacks and for a low false positive rate our IDS still has a relatively high detection rate.

Anomaly detection using call stack information

The call stack of a program execution can be a very good information source for intrusion detection. There is no prior work on dynamically extracting information from call stack and effectively using it to detect exploits. In this paper, we propose a new method to do anomaly detection using call stack information. The basic idea is to extract return addresses from the call stack, and generate abstract execution path between two program execution points. Experiments show that our method can detect some attacks that cannot be detected by other approaches, while its convergence and false positive performance is comparable to or better than the other approaches. We compare our method with other approaches by analyzing their underlying principles and thus achieve a better characterization of their performance, in particular, on what and why attacks will be missed by the various approaches

Propagation of premixed flames in the presence of Darrieus–Landau and thermal diffusive instabilities

We study the propagation of premixed flames, in the absence of external turbulence, under the effect of both hydrodynamic (Darrieus–Landau) and thermodiffusive instabilities. The Sivashinsky equation in a suitable parameter space is initially utilized to parametrically investigate the flame propagation speed under the potential action of both kinds of instability. An adequate variable transformation shows that the propagation speed can collapse on a universal scaling law as a function of a parameter related to the number of unstable wavelengths within the domain nc. To assess whether this picture can persist in realistic flames, a DNS database of large scale, two-dimensional flames is presented, embracing a range of nc values and subject to either purely hydrodynamic instability (DL) or both kinds of instability (TD). With the aid of similar DNS databases from the literature we observe that when adequately rescaled, propagation speeds follow two distinct scaling laws, depending on the presence of thermodiffusive instability or lack thereof. We verify the presence of secondary cutoff values for nc identifying (a) the insurgence of secondary wrinkling in purely hydrodynamically unstable flames and (b) the attainment of domain independence in thermodiffusively unstable flames. A possible flame surface density based model for the subgrid wrinkling is also proposed

Measuring intrusion detection capability: An information-theoretic approach

A fundamental problem in intrusion detection is what metric(s) can be used to objectively evaluate an intrusion detection system (IDS) in terms of its ability to correctly classify events as normal or intrusive. Traditional metrics (e.g., true positive rate and false positive rate) measure different aspects, but no single metric seems sufficient to measure the capability of intrusion detection systems. The lack of a single unified metric makes it difficult to fine-tune and evaluate an IDS. In this paper, we provide an in-depth analysis of existing metrics. Specifically, we analyze a typical cost-based scheme [6], and demonstrate that this approach is very confusing and ineffective when the cost factor is not carefully selected. In addition, we provide a novel information-theoretic analysis of IDS and propose a new metric that highly complement

Cataract Surgery Complications in Uveitis Patients: A Review Article

Uveitis is a leading causes of blindness worldwide, and the development of cataracts is common due to both the presence of intraocular inflammation and the most commonly employed treatment with corticosteroids. The management of these cataracts can be very challenging and often requires additional procedures that can compromise surgical results. The underlying disease affects a relatively young population at higher risk of complications. Preoperative control of inflammation/quiescent disease for at least three months is generally accepted as the minimum amount of time prior to surgical intervention. Phacoemulsification with intraocular lens is the preferred method for surgery, with some studies showing improvement in visual acuity in over 90% of patients. The most common postoperative complications include macular edema, posterior capsule opacification, recurrent or persistent inflammation, glaucoma, epiretinal membrane and IOL deposits, or dislocation. Despite the potential complications, cataract surgery in uveitis patients is considered a safe and successful procedure

Data-driven subfilter modelling of thermo-diffusively unstable hydrogen–air premixed flames

This article is dedicated to Moshe Matalon on the occasion of his 70th birthday, for his numerous contributions to the field of combustion and, in particular, to the rich and varied topic of premixed flame stability. Here, we follow in his footsteps and propose a subfilter modelling framework for thermo-diffusively unstable premixed flames, such as lean hydrogen–air flames. Performing an optimal estimator analysis for the unfiltered and filtered heat release rate of the lean premixed hydrogen–air flames, the latter is found to require at least two scalars for an appropriate representation while for large filter sizes, the heat release appears to require only one scalar for parametrisation. As a result, we develop a modelling strategy based on the construction of thermochemical tables for each unclosed term as a function of two variables as well as the filter size. The framework is based on the filtered tabulated chemistry approach, where, in lieu of a one-dimensional unstretched flame, we adopt a data-driven paradigm and filter fully resolved two-dimensional simulations of variable size. Models originating from small- and medium-sized simulations are tested a-priori on a large-size simulation, thus highlighting the role of the lateral domain in the dataset used for tabulation. The concept of a minimum domain size is thus discussed, leading to a dataset exhibiting the minimal properties for sufficiently accurate thermochemical tables. The strategy is shown to be more accurate than a classical one-dimensional filtered tabulated chemistry approach and shows promise in future LES modelling of laboratory and industrial scale hydrogen flames

Towards an information-theoretic framework for analyzing intrusion detection systems

IDS research still needs to strengthen mathematical foundations and theoretic guidelines. In this paper, we build a formal framework, based on information theory, for analyzing and quantifying the effectiveness of an IDS. We firstly present a formal IDS model, then analyze it following an information-theoretic approach. Thus, we propose a set of information-theoretic metrics that can quantitatively measure the effectiveness of an IDS in terms of feature representation capability, classification information loss, and overall intrusion detection capability. We establish a link to relate these metrics, and prove a fundamental upper bound on the intrusion detection capability of an IDS. Our framework is a practical theory which is data trace driven and evaluation oriented in this area. In addition to grounding IDS research on a mathematical theory for formal study, this framework provides practical guidelines for IDS fine-tuning, evaluation and design, that is, the provided set of metrics greatly facilitates a static/dynamic fine-tuning of an IDS to achieve optimal operation and a fine-grained means to evaluate IDS performance and improve IDS design. We conduct experiments to demonstrate the utility of our framework in practice