
    Incident Prioritisation for Intrusion Response Systems

    The landscape of security threats continues to evolve, with attacks becoming more serious and the number of vulnerabilities rising. To manage these threats, many security studies have been undertaken in recent years, mainly focusing on improving detection, prevention and response efficiency. Although there are security tools such as antivirus software and firewalls available to counter them, Intrusion Detection Systems and similar tools such as Intrusion Prevention Systems are still one of the most popular approaches. There are hundreds of published works related to intrusion detection that aim to increase the efficiency and reliability of detection, prevention and response systems. Whilst intrusion detection system technologies have advanced, there are still areas available to explore, particularly with respect to the process of selecting appropriate responses. Supporting a variety of response options, such as proactive, reactive and passive responses, enables security analysts to select the most appropriate response in different contexts. In view of that, a methodical approach that identifies important incidents as opposed to trivial ones is first needed. However, with thousands of incidents identified every day, relying upon manual processes to identify their importance and urgency is complicated, difficult, error-prone and time-consuming, and so prioritising them automatically would help security analysts to focus only on the most critical ones. The existing approaches to incident prioritisation provide various ways to prioritise incidents, but less attention has been given to adopting them into an automated response system. Although some studies have realised the advantages of prioritisation, they released no further studies showing they had continued to investigate the effectiveness of the process. 
This study concerns enhancing the incident prioritisation scheme to identify critical incidents based upon their criticality and urgency, in order to facilitate an autonomous mode for the response selection process in Intrusion Response Systems. To achieve this aim, this study proposed a novel framework which combines models and strategies identified from the comprehensive literature review. A model to estimate the level of risk of incidents is established, named the Risk Index Model (RIM). With different levels of risk, the Response Strategy Model (RSM) dynamically maps incidents into different types of response, with serious incidents being mapped to active responses in order to minimise their impact, while incidents with less impact have passive responses. The combination of these models provides a seamless way to map incidents automatically; however, it needs to be evaluated in terms of its effectiveness and performance. To demonstrate the results, an evaluation study with four stages was undertaken; these stages were a feasibility study of the RIM, comparison studies with industrial standards such as the Common Vulnerability Scoring System (CVSS) and Snort, an examination of the effect of different strategies in the rating and ranking process, and a test of the effectiveness and performance of the Response Strategy Model (RSM). With promising results being gathered, a proof-of-concept study was conducted to demonstrate the framework using a live traffic network simulation with online assessment mode via the Security Incident Prioritisation Module (SIPM); this study was used to investigate its effectiveness and practicality. Through the results gathered, this study has demonstrated that the prioritisation process can feasibly be used to facilitate the response selection process in Intrusion Response Systems.
The main contribution of this study is to have proposed, designed, evaluated and simulated a framework to support the incident prioritisation process for Intrusion Response Systems.
Ministry of Higher Education in Malaysia and University of Malay

    ABC: android botnet classification using feature selection and classification algorithms

    Smartphones have become an important part of human lives, and this has led to an increased number of smartphone users. However, this also attracts hackers to develop malicious applications, especially Android botnets, to steal private information and cause financial losses. Due to the fast modifications in the technologies used by malicious application (app) developers, there is an urgent need for more advanced techniques for Android botnet detection. In this paper, a new approach for Android botnet classification based on feature selection and classification algorithms is proposed. The proposed approach uses the permissions requested in the Android app as features to differentiate between Android botnet apps and benign apps. The Information Gain algorithm is used to select the most significant permissions; then the classification algorithms Naïve Bayes, Random Forest and J48 are used to classify the Android apps as botnet or benign apps. The experimental results show that the Random Forest algorithm achieved the highest detection accuracy of 94.6% with the lowest false positive rate of 0.099.

    Evaluation of IoT-Based Computational Intelligence Tools for DNA Sequence Analysis in Bioinformatics

    In the contemporary age, Computational Intelligence (CI) performs an essential role in the interpretation of big biological data, considering that it could provide all of the molecular biology and DNA sequencing computations. For this purpose, many researchers have attempted to implement different tools in this field and have competed aggressively. Hence, determining the best of them among the enormous number of available tools is not an easy task; selecting the one which accomplishes big data processing in a concise time and with no error can significantly improve the scientist's contribution in the bioinformatics field. This study uses different analyses and methods such as Fuzzy, Dempster-Shafer, Murphy and Shannon Entropy to provide the most significant and reliable evaluation of IoT-based computational intelligence tools for DNA sequence analysis. The outcomes of this study can be advantageous to the bioinformatics community, researchers and experts in big biological data.

    A risk index model for security incident prioritisation

    With thousands of incidents identified by security appliances every day, the process of distinguishing which incidents are important and which are trivial is complicated. This paper proposes an incident prioritisation model, the Risk Index Model (RIM), which is based on risk assessment and the Analytic Hierarchy Process (AHP). The model uses indicators such as criticality, maintainability, replaceability, and dependability as decision factors to calculate incidents' risk index. The RIM was validated using the MIT DARPA LLDOS 1.0 dataset, and the results were compared against the combined priorities of the Common Vulnerability Scoring System (CVSS) v2 and Snort Priority. The experimental results have shown that 100% of incidents could be rated with RIM, compared to only 17.23% with CVSS. In addition, this study also improves on the limitation of group priority in the Snort Priority (e.g. high, medium and low priority) by quantitatively ranking, sorting and listing incidents according to their risk index. The proposed study has also investigated the effect of applying weighted indicators in the calculation of the risk index, as well as the effect of calculating them dynamically. The experiments have shown significant changes in the resultant risk index as well as in some of the top priority rankings.

    Analysis of the social capital indicators by using DEMATEL approach: the case of Islamic Azad University

    DEMATEL is a comprehensive approach for designing and analyzing structural models which include cause and effect relationships among complex factors and, when used in social and managerial issues, can classify and organize the interactive effects of a large number of factors affecting a particular issue. This technique is mainly considered for studying global complex problems and determining the strategic and objective goals of global issues in order to reach the appropriate solutions using the judgment and opinion of experts in scientific, political, and social fields. The advantages of this method compared to the AHP and ANP approaches are that it measures the direct and indirect effects among the factors and, based on the diagram's calculations and according to the cause and effect relationships, will rank and analyse the intensive effect of the direct and indirect impact of the factors in a qualitative way. This paper first describes the DEMATEL method, which is one of the well-known methods of group decision-making, and its applications, and then its application in evaluating and prioritizing the social capital indicators is discussed. Finally, the implementation of this method in Islamic Azad University is explained.

    DFCL: DYNAMIC FUZZY LOGIC CONTROLLER FOR INTRUSION DETECTION

    Intrusions are a problem with the deployment of networks, giving rise to misuse and abnormal behavior in running reliable network operations and services. In this work, a Dynamic Fuzzy Logic Controller (DFLC) is proposed for an anomaly detection problem, with the aim of solving the problem of attack detection rate and faster response process. Data is collected by the PingER project. The PingER project actively measures the worldwide Internet's end-to-end performance. It covers over 168 countries around the world. PingER uses the simple, ubiquitous Internet ping facility to calculate a number of useful performance parameters. From each set of 10 pings between a monitoring host and a remote host, the features calculated include Minimum Round Trip Time (RTT), Jitter, Packet loss, Mean Opinion Score (MOS), Directness of Connection (Alpha), Throughput, ping unpredictability and ping reachability. A set of 10 pings is sent from the monitoring node to the remote node every 30 minutes. The received data shows the current characteristics and behavior of the networks. Any changes in the received data signify the existence of a potential threat or abnormal behavior. DFLC uses the combination of parameters as an input to detect the existence of any abnormal behavior of the network. The proposed system is simulated in the Matlab Simulink environment. Simulation results show that the system managed to catch 95% of the anomalies, with the ability to distinguish normal and abnormal behavior of the network.

    Grano-GT: A granular ground truth collection tool for encrypted browser-based Internet traffic

    © 2020 Modern network traffic classification puts much attention toward producing a granular classification of the traffic, such as at the application service level. However, the classification process is often impaired by the lack of granular network traffic ground truth. Granular network traffic ground truth is critical to provide a benchmark for a fair evaluation of modern network traffic classification. Nevertheless, in modern network traffic classification, existing ground truth tools have only managed to build the ground truth at the application name level at most. Application name level granularity is quickly becoming insufficient to address the current needs of network traffic classification and therefore, this paper presents the design, development and experimental evaluation of Grano-GT, a tool to build a reliable and highly granular network traffic ground truth for encrypted browser-based traffic at the application name and service levels. Grano-GT builds on four main engines, which are the packet capture, browser, application and service isolator engines. These engines work together to intercept the application requests and combine them with the support of temporal features and cascading filters to produce reliable and highly granular ground truth. Preliminary experimental results show that Grano-GT can classify the Internet traffic into respective application names with high reliability. Grano-GT achieved an average accuracy of more than 95% when validated using nDPI at the application name level. The remaining 5% loss of accuracy was primarily due to the unavailability of signatures in nDPI. In addition, Grano-GT managed to classify application service traffic with significant reliability, and this was validated using the Kolmogorov-Smirnov test.

    GRAIN: Granular multi-label encrypted traffic classification using classifier chain

    Granular traffic classification categorizes traffic into detailed classes like application names and services. Application names represent parent applications, such as Facebook, while application services are the individual actions within the parent application, such as Facebook-comment. These granular classes are still insufficient to keep pace with modern applications that offer various services. Accordingly, this paper further divides the application service class into inter-application and intra-application services to provide more insights. Inter-application service refers to a similar service between different parent applications, such as Facebook-comment and Youtube-comment, whereas intra-application service differentiates services within the same parent application, such as Facebook-comment and Facebook-post. Most studies focus on classification at the application name and inter-application service levels. In contrast, classification at the intra-application service level receives far less attention due to its complexity, despite providing the highest flexibility. Therefore, this paper presents GRAIN, a granular multi-label approach to classify encrypted traffic at all three levels of granular classification (application name, inter-application and intra-application service levels) using a classifier chain. GRAIN chains two random forest classifiers to produce a multi-label classification using seven novel statistical features based on packet payload length. The utilized features are independent of the packet payload content, thus unaffected by packet encryption and preserving user privacy. Our performance evaluation showed that GRAIN achieved an average F-measure of 99% at the application name level, 93% at the inter-application service level and 88% at the intra-application service level. To test for robustness, we compared GRAIN against four baseline classifiers and on the ISCX VPN-nonVPN public dataset, in which GRAIN maintained its comparable performance across all tests.

    Ant colony optimization for vehicle traffic systems: applications and challenges

    Ant-based algorithms simulate the cooperative behaviour of real ants in finding food resources. A significant number of studies have focused on the self-organised behaviour of ants in the natural environment to develop effective systems for dynamic problems. Ant-based systems have special properties such as scalability, adaptability, and dynamicity, which are the main requirements for solving the vehicle traffic congestion problem. Thus, ant-based algorithms are now being adopted by vehicle traffic systems (VTSs) to guide vehicles to less congested paths. However, the literature shows that comprehensive reviews are lacking in this field. The main contribution of this paper is the review and classification of the most relevant systems based on a novel taxonomy. A survey that includes statistical analyses of ant-based VTSs was conducted to identify the limitations and evaluation process of VTSs. This paper concludes by proposing a general framework for applying ant colony optimisation to VTSs.