31 research outputs found

    Analysis and characterisation of botnet scan traffic

    Botnets are a major source of malicious activity over a network and their early identification and detection is considered a top priority by security experts. The majority of botmasters rely heavily on a scan procedure in order to detect vulnerable hosts and establish their botnets via a command and control (C&C) server. In this paper we examine the statistical characteristics of the scan process invoked by the Mariposa and Zeus botnets and demonstrate the applicability of conditional entropy as a robust metric for profiling it using real pre-captured operational data. Our analysis conducted on real datasets demonstrates that the distributional behaviour of conditional entropy for Mariposa and Zeus-related scan flows differs significantly from flows manifested by the commonly used NMAP scans. In contrast with the Stealth and Connect NMAP scans typically used by attackers, we show that consecutive scanning flows initiated by the C&C servers of the examined botnets exhibit a high dependency between themselves with regard to their conditional entropy. Thus, we argue that the observation of such scan flows under our proposed scheme can sufficiently aid network security experts towards the adequate profiling and early identification of botnet activity.

    Multi-level resilience in networked environments: concepts and principles

    Resilience is an essential property for critical networked environments such as utility networks (e.g. gas, water and electricity grids), industrial control systems, and communication networks. Due to the complexity of such networked environments achieving resilience is multi-dimensional since it involves a range of factors such as redundancy and connectivity of different system components as well as availability, security, dependability and fault tolerance. Hence, it is of importance to address resilience within a unified framework that considers such factors and further enables the practical composition of resilience mechanisms. In this paper we firstly introduce the concepts and principles of Multi-Level Resilience (MLR) and then demonstrate its applicability in a particular cloud-based scenario

    A multi-level resilience framework for unified networked environments

    Networked infrastructures underpin most social and economical interactions nowadays and have become an integral part of the critical infrastructure. Thus, it is crucial that heterogeneous networked environments provide adequate resilience in order to satisfy the quality requirements of the user. In order to achieve this, a coordinated approach to confront potential challenges is required. These challenges can manifest themselves under different circumstances in the various infrastructure components. The objective of this paper is to present a multi-level resilience approach that goes beyond the traditional monolithic resilience schemes that focus mainly on one infrastructure component. The proposed framework considers four main aspects, i.e. users, application, network and system. The latter three are part of the technical infrastructure while the former profiles the service user. Under two selected scenarios this paper illustrates how an integrated approach coordinating knowledge from the different infrastructure elements allows a more effective detection of challenges and facilitates the use of autonomic principles employed during the remediation against challenges

    Tool support for the evaluation of anomaly traffic classification for network resilience

    Resilience is the ability of the network to maintain an acceptable level of operation in the face of anomalies, such as malicious attacks, operational overload or misconfigurations. Techniques for anomaly traffic classification are often used to characterize suspicious network traffic, thus supporting anomaly detection schemes in network resilience strategies. In this paper, we extend the PReSET toolset to allow the investigation, comparison and analysis of algorithms for anomaly traffic classification based on machine learning. PReSET was designed to allow the simulation-based evaluation of resilience strategies, thus enabling the comparison of optimal configurations and policies for combating different types of attacks (e.g., DDoS attacks, worms) and other anomalies. In such resilience strategies, policies written in the Ponder2 language can be used to activate/reconfigure traffic classification modules and other mechanisms (e.g., traffic shaping), depending on monitored results in the simulation environment. Our results show that PReSET can be a valuable tool for network operators to evaluate anomaly traffic classification techniques in terms of standard performance metrics

    Multi-level network resilience: traffic analysis, anomaly detection and simulation

    Traffic analysis and anomaly detection have been extensively used to characterize network utilization as well as to identify abnormal network traffic such as malicious attacks. However, so far, techniques for traffic analysis and anomaly detection have been carried out independently, relying on mechanisms and algorithms either in edge or in core networks alone. In this paper we propose the notion of multi-level network resilience, in order to provide a more robust traffic analysis and anomaly detection architecture, combining mechanisms and algorithms operating in a coordinated fashion both in the edge and in the core networks. This work is motivated by the potential complementarities between the research being developed at IIT Madras and Lancaster University. In this paper we describe the current work being developed at IIT Madras and Lancaster on traffic analysis and anomaly detection, and outline the principles of a multi-level resilience architecture.

    Appliance-level Short-term Load Forecasting using Deep Neural Networks

    The recently employed demand-response (DR) model enabled by the transformation of the traditional power grid to the SmartGrid (SG) allows energy providers to have a clearer understanding of the energy utilisation of each individual household within their administrative domain. Nonetheless, the rapid growth of IoT-based domestic appliances within each household in conjunction with the varying and hard-to-predict customer-specific energy requirements is regarded as a challenge with respect to accurately profiling and forecasting the day-to-day or week-to-week appliance-level power consumption demand. Such a forecast is considered essential in order to compose a granular and accurate aggregate-level power consumption forecast for a given household, identify faulty appliances, and assess potential security and resilience issues both from an end-user as well as from an energy provider perspective. Therefore, in this paper we investigate techniques that enable this and propose the applicability of Deep Neural Networks (DNNs) for short-term appliance-level power profiling and forecasting. We demonstrate their superiority over the previously heavily used Support Vector Machines (SVMs) in terms of prediction accuracy and computational performance with experiments conducted over a real appliance-level dataset gathered in four residential households.

    A Situation Aware Information Infrastructure (SAI^2) Framework

    Computer network infrastructures constitute the critical backbone of every socio-economic ICT system. Consequently, they are becoming increasingly mission-critical in our society since they provide always-on services for many everyday applications (e.g., Cloud Data Centres), safety-critical operations (e.g., Air Traffic Control networks), critical manufacturing services (e.g., Utility networks and Industrial Control Systems), and critical real-time services (e.g., Financial Trading Systems). The resilience and ability of such systems to remain operational in the face of threats is therefore paramount; this needs to be done by taking remedial action and intelligently reshaping their resources. At the same time, current communication architectures do not allow for such informed and adaptive provisioning. In this paper, we introduce the concepts, principles and current research activities related to a new Situation Aware Information Infrastructure (SAI^2) framework being developed for next generation ICT environments.

    Placental magnetic resonance imaging in chronic hypertension: A case-control study

    Introduction: We aimed to explore the use of magnetic resonance imaging (MRI) in vivo as a tool to elucidate the placental phenotype in women with chronic hypertension. Methods: In this case-control study, women with chronic hypertension and those with uncomplicated pregnancies were imaged using either a 3T Achieva or 1.5T Ingenia scanner. T2-weighted images, diffusion weighted and T1/T2* relaxometry data were acquired. Placental T2*, T1 and apparent diffusion coefficient (ADC) maps were calculated. Results: 129 women (43 with chronic hypertension and 86 uncomplicated pregnancies) were imaged at a median of 27.7 weeks’ gestation (interquartile range (IQR) 23.9–32.1) and 28.9 (IQR 26.1–32.9) respectively. Visual analysis of T2-weighted imaging demonstrated placentae to be either appropriate for gestation or to have advanced lobulation in women with chronic hypertension, resulting in a greater range of placental mean T2* values for a given gestation, compared to gestation-matched controls. Both skew and kurtosis (derived from histograms of T2* values across the whole placenta) increased with advancing gestational age at imaging in healthy pregnancies; women with chronic hypertension had values overlapping those in the control group range. Upon visual assessment, the mean ADC declined in the third trimester, with a corresponding decline in placental mean T2* values and showed an overlap of values between women with chronic hypertension and the control group. Discussion: A combined placental MR examination including T2 weighted imaging, T2*, T1 mapping and diffusion imaging demonstrates varying placental phenotypes in a cohort of women with chronic hypertension, showing overlap with the control group.

    Cell - cycle molecules expression in Hodgkin's lymphoma

    BACKGROUND: Several biological markers have been reproducibly associated with HL patients’ prognosis, but have nevertheless not been incorporated into current prognostic systems. Inferior prognosis has been correlated with increased neoplastic cells’ proliferation rate (mainly reflected by Ki67 or PCNA expression) but the issue still remains controversial. Minichromosome maintenance proteins (MCMs) are essential for the formation of the prereplicative complexes, which is the first key event during G1 phase. D-type Cyclins, in conjunction with CDK4/6, operate in late G1 phase to promote progression through the G1/S restriction point. PURPOSE: (1) To study the expression of the proliferation molecules CCND3, MCM2 and MCM7 by HRS cells in a relatively large series of homogeneously treated HL patients and (2) to investigate the correlation between their expression and demographic, clinical, laboratory and histopathological parameters, as well as patients’ outcome. MATERIAL & METHODS: Lymph node sections from 138 HIV-negative HL patients, >14 years old, were immunohistochemically stained for CCND3, MCM2, MCM7 and Ki67. Stained slides were evaluated by image analysis. RESULTS: MCM2 was expressed in 115/116 cases in a median of 63% of HRS cells (0-99); MCM7 in 121/121 cases (median 88% of HRS cells, range 15-100); CCND3 in 105/113 cases (median 24%, range 0-98). There was a relatively strong positive correlation between MCM2 and MCM7 (Spearman’s rho 0.28, p=0.004), but MCM2 and 7 were not correlated with CCND3 or Ki67. Higher MCM2 expression was observed in patients with early stages (p=0.03), lower leukocyte counts (p=0.03) and higher albumin levels (p=0.002). Higher MCM7 expression was observed in asymptomatic patients (p=0.004), in early stages (p=0.005), <5 involved sites (p=0.009), no anemia (p=0.02) and higher albumin levels (p=0.005). Higher CCND3 expression was observed in older patients (p=0.03) with lower leukocyte counts (p=0.05) and normal LDH (p=0.05).
At any cutoff examined, MCM2, MCM7 and CCND3 expression was not correlated with failure free (FFS) or overall survival (OS) in univariate analysis. However, multivariate analysis revealed that higher MCM7 expression was an adverse prognostic factor for OS along with age and advanced stage and had a borderline effect on FFS, when adjusted for stage. CONCLUSIONS: Our data suggest that MCM2, MCM7 and CCND3 are expressed by the HRS cells in the majority of HL patients. MCM2 and MCM7 are interrelated, but not correlated with CCND3 or Ki67. Interestingly, MCM2 and MCM7 expression was higher in patients with markers of less extensive or less aggressive disease. For this reason, although not associated with the outcome in univariate analysis, higher MCM7 expression emerged as an adverse prognostic factor in multivariate analysis. Thus MCM7 expression appears to deserve further evaluation in larger patient series.
Finding new prognostic factors for Hodgkin lymphoma is an essential need, since, despite the undeniable progress of recent years in the diagnosis and treatment of the lymphoma, in 25–30% of patients complete remission is not achieved or relapse is observed after first-line treatment. Consequently, the fullest possible understanding of the biology of Hodgkin lymphoma and the reproducible determination of prognostic factors, mainly biological ones, based on current treatment data, beyond their contribution to the effective determination of prognosis and the definition of patient groups with significantly different risk of failure or relapse, could contribute to finding new causal therapeutic approaches or even individualised therapies.
PURPOSE: (1) To investigate the expression of the cell proliferation molecules Cyclin D3 (CCND3), MCM-2 and MCM-7 for the first time in a large series of mostly homogeneously treated patients with Hodgkin lymphoma and (2) to correlate their expression with demographic, clinical, laboratory and histopathological parameters as well as the prognosis of Hodgkin lymphoma. METHODS: Lymph node sections from 138 HIV(-) patients, over 14 years of age, with diagnosed Hodgkin lymphoma were used, and the immunohistochemical expression of the cell proliferation molecules Cyclin D3, MCM2 and MCM7 was evaluated using image analysis. RESULTS: Cyclin D3 expression was found in 105 of the 113 cases, with a median expression by HRS cells of 24.4%, interquartile range (IQR) 11.5%–47.5% and range 0–97.8%. For MCM-2, expression was found in 115 of the 116 cases, median 63.1%, IQR 37.9%–81.1% and range 0–98.7%. For MCM-7, expression was found in 121/121 cases, median 87.8%, IQR 80.9%–94.5% and range 14.6–100%. A positive correlation, though not a very strong one, was found between MCM2 and MCM-7, while no correlation was found between MCM2 or MCM-7 and Cyclin D3. MCM-7 was found to be inversely correlated with advanced stages (p=0.005), B symptoms (p=0.004), involvement of ≥5 anatomical sites (p=0.009), anaemia (p=0.02), decreased serum albumin levels (p=0.005) and elevated serum β2-microglobulin levels (p=0.002). MCM-2 was inversely correlated to a statistically significant degree with advanced stages of HL (p=0.03), leukocytosis (≥10×10^9/L, p=0.03) and decreased serum albumin values (<4 g/dL, p=0.002), while it showed a direct correlation of borderline statistical significance with elevated ESR values (≥30 mm/h, p=0.08).
Cyclin D3 was found to show a statistically significant direct correlation with age ≥45 years (p=0.03) and an inverse correlation with leukocytosis (≥10×10^9/L, p=0.05) and elevated serum lactate dehydrogenase (LDH) values (p=0.05). An inverse correlation of borderline statistical significance was found with female sex (p=0.07), bone marrow infiltration (p=0.07) and liver infiltration (p=0.09). In univariate analysis none of the molecules Cyclin D3, MCM-2 or MCM-7 was correlated with failure-free survival (FFS) or overall survival (OS), regardless of the cutoff point chosen for the expression percentage of each marker. However, multivariate analysis found that expression of the MCM-7 protein in a higher percentage of neoplastic cells, assessed as a continuous variable, worsens the prognosis of patients with Hodgkin lymphoma, as reflected by FFS (at borderline significance levels, after taking clinical stage into account) and overall survival (to a statistically significant degree, after taking clinical stage and age into account). CONCLUSIONS: HRS cells express the molecules Cyclin D3, MCM-2 and MCM-7 in the majority of patients with Hodgkin lymphoma. The expression of MCM2 and MCM7 is interrelated, but is not related to the expression of Cyclin D3. Interestingly, the expression of MCM-2 and MCM-7 was higher in patients with markers of less extensive or less aggressive disease. For this reason, multivariate analysis found that high expression of the MCM7 protein worsens the prognosis of patients with Hodgkin lymphoma, even though in univariate analysis it was not correlated with FFS or OS. There therefore appears to be a need for further investigation of MCM7 protein expression in larger patient series.

    Tackling energy theft in smart grids through data-driven analysis

    The increasing use of information and communication technology (ICT) in electricity grid infrastructures facilitates improved energy generation, transmission, and distribution. However, smart grids are still in their infancy with a disparate regional roll out. Due to the costs involved, utility providers are only embedding ICT in selected parts of the grid, thereby creating only partial smart grid infrastructures. We argue that using the data provided by these partial smart grid deployments can still be beneficial in solving various issues such as energy theft detection. In this paper, we focus on various data-driven techniques to detect energy theft in power networks. These data-driven detection techniques (at the smart meter as well as the aggregated level) can indicate various forms of energy theft (e.g. through clandestine connections or meter tampering). This paper also presents two case studies to show the effectiveness of these approaches.