27 research outputs found

    Present and Future of Network Security Monitoring

    This work was funded by the Ministry of Science and Innovation through CDTI through the Ayudas Cervera para Centros Tecnologicos grant of the Spanish Centre for the Development of Industrial Technology (CDTI) through the Project EGIDA under Grant CER-20191012, and in part by the Spanish Ministry of Economy and Competitiveness and European Regional Development Fund (ERDF) funds under Project TIN2017-83494-R.
    Network Security Monitoring (NSM) is a popular term to refer to the detection of security incidents by monitoring the network events. An NSM system is central for the security of current networks, given the escalation in sophistication of cyberwarfare. In this paper, we review the state-of-the-art in NSM, and derive a new taxonomy of the functionalities and modules in an NSM system. This taxonomy is useful to assess current NSM deployments and tools for both researchers and practitioners. We organize a list of popular tools according to this new taxonomy, and identify challenges in the application of NSM in modern network deployments, like Software Defined Network (SDN) and Internet of Things (IoT).

    Evaluation of Diagnosis Methods in PCA-based Multivariate Statistical Process Control

    Multivariate Statistical Process Control (MSPC) based on Principal Component Analysis (PCA) is a well-known methodology in chemometrics that is aimed at testing whether an industrial process is under Normal Operation Conditions (NOC). As a part of the methodology, once an anomalous behaviour is detected, the root causes need to be diagnosed to troubleshoot the problem and/or avoid it in the future. While there have been a number of developments in diagnosis in the past decades, no sound method for comparing existing approaches has been proposed. In this paper, we propose such a procedure and use it to compare several diagnosis methods using randomly simulated data and data from realistic sources. This is a general comparative approach that takes into account factors that have not previously been considered in the literature. The results show that univariate diagnosis is more reliable than its multivariate counterpart.

    Semi-supervised Multivariate Statistical Network Monitoring for Learning Security Threats

    This paper presents a semi-supervised approach for intrusion detection. The method extends the unsupervised Multivariate Statistical Network Monitoring approach based on Principal Component Analysis by introducing a supervised optimization technique to learn the optimum scaling in the input data. It combines the advantage of the unsupervised strategy, capable of uncovering new threats, with that of supervised strategies, able to learn the pattern of a targeted threat. The supervised learning is based on an extension of the gradient descent method based on Partial Least Squares (PLS). Moreover, we enhance this method by using sparse PLS variants. The practical application of the system is demonstrated on a recently published real case study, showing relevant improvements in detection performance and in the interpretation of the attacks.

    SIMAGRO: A prototype for anomaly detection in IoT environments for the agri-food sector

    The primary sector is one of the most important in Andalusia. One of the most important areas within this sector is agriculture, notably the production of olives, tropical fruits and vegetables, as well as organic crops (the latter account for half of the total in Spain). After the successive years of crisis, one of the fundamental pillars for reactivating this sector is the optimization of cultivation techniques, which implies the need for a deep digital transformation. For this reason, fitting agricultural plantations with sensors and deploying the IoT (Internet of Things) as a crop monitoring mechanism is a major advance for the organizations implementing it. ÉGIDA is the first Cervera Network of Excellence for data privacy and security. One of the objectives of this Network is to raise awareness of the need to carry out secure digitalization. In this regard, there is strong involvement in the active securing of IoT environments, specifically in the agri-food sector. In this context, and as a result of the active collaboration between the University of Granada (UGR) and Fidesol, a prototype for anomaly detection in IoT environments for the agri-food sector has been developed. This prototype applies the MSNM sensor (MSNM-S) in an IoT scenario for the first time. The aim of this article is twofold: on the one hand, to test the operation of Atenea Lab and, on the other, to present the results of the evaluation of this prototype and answer the following questions: i) Is hierarchical MSNM applicable to IoT environments? and ii) How does the configuration of MSNM-S affect IoT environments?
    In addition, the aim is to identify possible points of improvement to continue evolving both the prototype obtained for IoT and the MSNM sensor. This work is funded in part by the Ayudas Cervera para Centros Tecnológicos of the Spanish Centre for the Development of Industrial Technology (CDTI) within the framework of the EGIDA project (CER-20191012) and by the Ministry of Science and Innovation (MICIN) MICIN/AEI/10.13039/501100011033, under projects PID2020-113462RB-I00 and PID2020-114495RB-I00, as well as projects PPJIA2022-51 and PPJIA2022-52 of the UGR's own research plan grants.

    High frequency of low-count monoclonal B-cell lymphocytosis in hospitalized COVID-19 patients

    Low-count monoclonal B-cell lymphocytosis (MBLlo, <500 clonal B-cells/μL) is a highly prevalent condition in the general population (4% to 16% of otherwise healthy adults), which increases significantly with age.1-7 In most cases, clonal B-cells share phenotypic and cytogenetic features with chronic lymphocytic leukemia (CLL), but only a small fraction (≈1.8%) progresses to high-count MBL (MBLhi; ≥500 and <5000 clonal B-cells/μL)3 in the medium-term.8 However, previous reports showed that MBLlo subjects had an increased risk of severe infections in association with a (predominantly) secondary antibody deficiency,8-10 suggesting that MBLlo might be a risk marker for developing more severe infections.
    This work was supported by the Instituto de Salud Carlos III (Ministerio de Ciencia e Innovación, Madrid, Spain, and FONDOS FEDER (a way to build Europe) grants CB16/12/00400 (CIBERONC), COV20/00386, and PI17/00399; the Consejería de Educación and the Gerencia Regional de Salud, Consejería de Sanidad from Junta de Castilla y León (Valladolid, Spain) grants SA109P20 and GRS-COVID-33/A/20; the European Regional Development Fund (INTERREG POCTEP Spain-Portugal) grant 0639-IDIAL-NET-3-3; and the CRUK (United Kingdom), Fundación AECC (Spain), and Associazione Italiana per la Ricerca Sul Cancro (Italy) “Early Cancer Research Initiative Network on MBL (ECRINM3)” ACCELERATOR award. G.O.-A. is supported by a grant from the Consejería de Educación, Junta de Castilla y León (Valladolid, Spain); B.F.-H. was supported by grant 0639-IDIAL-NET-3-3. Peer reviewe

    Risk Factors for COVID-19 in Inflammatory Bowel Disease: A National, ENEIDA-Based Case–Control Study (COVID-19-EII)

    (1) Scant information is available concerning the characteristics that may favour the acquisition of COVID-19 in patients with inflammatory bowel disease (IBD). Therefore, the aim of this study was to assess these differences between infected and noninfected patients with IBD. (2) This nationwide case-control study evaluated patients with inflammatory bowel disease with COVID-19 (cases) and without COVID-19 (controls) during the period March-July 2020 included in the ENEIDA of GETECCU. (3) A total of 496 cases and 964 controls from 73 Spanish centres were included. No differences were found in the basal characteristics between cases and controls. Cases had higher comorbidity Charlson scores (24% vs. 19%; p = 0.02) and occupational risk (28% vs. 10.5%; p < 0.0001) more frequently than did controls. Lockdown was the only protective measure against COVID-19 (50% vs. 70%; p < 0.0001). No differences were found in the use of systemic steroids, immunosuppressants or biologics between cases and controls. Cases were more often treated with 5-aminosalicylates (42% vs. 34%; p = 0.003). Having a moderate Charlson score (OR: 2.7; 95%CI: 1.3-5.9), occupational risk (OR: 2.9; 95%CI: 1.8-4.4) and the use of 5-aminosalicylates (OR: 1.7; 95%CI: 1.2-2.5) were factors for COVID-19. The strict lockdown was the only protective factor (OR: 0.1; 95%CI: 0.09-0.2). (4) Comorbidities and occupational exposure are the most relevant factors for COVID-19 in patients with IBD. The risk of COVID-19 seems not to be increased by immunosuppressants or biologics, with a potential effect of 5-aminosalicylates, which should be investigated further and interpreted with caution

    COVID-19 symptoms at hospital admission vary with age and sex: results from the ISARIC prospective multinational observational study

    Background: The ISARIC prospective multinational observational study is the largest cohort of hospitalized patients with COVID-19. We present relationships of age, sex, and nationality to presenting symptoms. Methods: International, prospective observational study of 60 109 hospitalized symptomatic patients with laboratory-confirmed COVID-19 recruited from 43 countries between 30 January and 3 August 2020. Logistic regression was performed to evaluate relationships of age and sex to published COVID-19 case definitions and the most commonly reported symptoms. Results: ‘Typical’ symptoms of fever (69%), cough (68%) and shortness of breath (66%) were the most commonly reported. 92% of patients experienced at least one of these. Prevalence of typical symptoms was greatest in 30- to 60-year-olds (respectively 80, 79, 69%; at least one 95%). They were reported less frequently in children (≤ 18 years: 69, 48, 23; 85%), older adults (≥ 70 years: 61, 62, 65; 90%), and women (66, 66, 64; 90%; vs. men 71, 70, 67; 93%, each P < 0.001). The most common atypical presentations under 60 years of age were nausea and vomiting and abdominal pain, and over 60 years was confusion. Regression models showed significant differences in symptoms with sex, age and country. Interpretation: This international collaboration has allowed us to report reliable symptom data from the largest cohort of patients admitted to hospital with COVID-19. Adults over 60 and children admitted to hospital with COVID-19 are less likely to present with typical symptoms. Nausea and vomiting are common atypical presentations under 30 years. Confusion is a frequent atypical presentation of COVID-19 in adults over 60 years. Women are less likely to experience typical symptoms than men.

    Multivariate Statistical Network Monitoring for Network Security based on Principal Component Analysis

    Currently we live in a hyper-connected world, which is one of the main causes for the fast propagation of Information Technology (IT) Security attacks. An IT Security incident can impact both the economy and the reputation of the organization that suffers it. Thus, IT Security is a priority concern for any organization. Another important issue related to IT Security threats is that the time required for compromising a network is, on average, in the order of minutes, while the security team may need months to detect an incident after it takes place. This makes it necessary to enhance the mechanisms of intrusion detection to improve the capability of prioritization and classification of IT security alarms. With the appropriate tools, the security team can detect incidents in a timely manner without being overwhelmed by an excessive number of alarms. Network security is of utmost importance within IT Security, and it aims to make the communications infrastructure secure from the point of view of the IT. In general, there are three approaches for network security: prevention, detection and response. These approaches can be combined to achieve a comprehensive security system. A practical combination of the detection and response dimensions is the so-called Network Security Monitoring (NSM), which is an approach that aims to detect the incidents in a network by monitoring the network traffic. NSM is carried out by collecting, combining and analyzing different sources of information, in order to detect and notify intrusions. There are two main techniques for incident detection: signature-based, which detects attacks from previously defined patterns; and anomaly-based, which detects deviations from the normal behavior in a network, captured in a previously trained model.
    Multivariate Statistical Network Monitoring (MSNM) is an NSM methodology that follows an anomaly-based detection scheme that extends the Multivariate Statistical Process Control (MSPC) theory, developed in the area of industrial process research. MSPC consists of two phases: phase I, detection of assignable causes of variation in the calibration data that are corrected and eliminated until the process is under Normal Operation Condition (NOC); and phase II, monitoring of new data to detect (and diagnose) anomalies. MSNM applies this philosophy to network traffic data, adding two prior steps: parsing and fusion, which are needed to combine information from different data sources in NSM. MSNM is useful to prioritize and diagnose anomalies, which is congruent with the security team’s workflow. In this PhD, we start from the MSNM methodology and introduce a number of enhancements: i) a pre-processing method to consider the cyclostationarity of the data (e.g. the cycles existing during day and night or weeks and weekends), ii) a methodology for the comparison of diagnosis methods, and iii) a univariate method for diagnosis. Furthermore, the pre-processing and diagnosis methods, as well as some other existing extensions for MSNM, are evaluated and compared with other reference methods using a real network data set for the first time. The application on real network data makes it possible to assess the MSNM extensions under realistic conditions, yielding a more accurate perspective of their performance. This research work shows the existing symbiosis between industrial processes and network security, introducing enhancements that are of interest for both topics and that open new lines of research exploring the synergy between MSPC and MSNM. Thesis, Univ. Granada