Unsupervised two-class and multi-class support vector machines for abnormal traffic characterization

Although measurement-based real-time traffic classification has received considerable research attention, the timing constraints imposed by the high accuracy requirements and the learning phase of the algorithms employed still remain a challenge. In this paper we propose a measurement-based classification framework that exploits unsupervised learning to accurately categorise network anomalies to specific classes. We introduce the combinatorial use of two-class and multi-class unsupervised Support Vector Machines (SVM)s to first distinguish normal from anomalous traffic and to further classify the latter category to individual groups depending on the nature of the anomaly

Analysis and Characterization of Botnet Scan Traffic

Botnets compose a major source of malicious activity over a network and their early identification and detection is considered as a top priority by security experts. The majority of botmasters rely heavily on a scan procedure in order to detect vulnerable hosts and establish their botnets via a command and control (C&C) server. In this paper we examine the statistical characteristics of the scan process invoked by the Mariposa and Zeus botnets and demonstrate the applicability of conditional entropy as a robust metric for profiling it using real pre-captured operational data. Our analysis conducted on real datasets demonstrates that the distributional behaviour of conditional entropy for Mariposa and Zeus-related scan flows differs significantly from flows manifested by the commonly used NMAP scans. In contrast with the typically used by attackers Stealth and Connect NMAP scans, we show that consecutive scanning flows initiated by the C&C servers of the examined botnets exhibit a high dependency between themselves in regards of their conditional entropy. Thus, we argue that the observation of such scan flows under our proposed scheme can sufficiently aid network security experts towards the adequate profiling and early identification of botnet activity

Secure and privacy-aware proxy mobile IPv6 protocol for vehicle-to-grid networks

Vehicle-to-Grid (V2G) networks have emerged as a new communication paradigm between Electric Vehicles (EVs) and the Smart Grid (SG). In order to ensure seamless communications between mobile EVs and the electric vehicle supply equipment, the support of ubiquitous and transparent mobile IP communications is essential in V2G networks. However, enabling mobile IP communications raises real concerns about the possibility of tracking the locations of connected EVs through their mobile IP addresses. In this paper, we employ certificate-less public key cryptography in synergy with the restrictive partially blind signature technique to construct a secure and privacy-aware proxy mobile IPv6 (SP-PMIPv6) protocol for V2G networks. SP-PMIPv6 achieves low authentication latency while protecting the identity and location privacy of the mobile EV. We evaluate the SP-PMIPv6 protocol in terms of its authentication overhead and the information-theoretic uncertainty derived by the mutual information metric to show the high level of achieved anonymity

Power Consumption Profiling Using Energy Time-Frequency Distributions in Smart Grids

Smart grids are power distribution networks that include a significant communication infrastructure, which is used to collect usage data and monitor the operational status of the grid. As a consequence of this additional infrastructure, power networks are at an increased risk of cyber-attacks. In this letter, we address the problem of detecting and attributing anomalies that occur in the sub-meter power consumption measurements of a smart grid, which could be indicative of malicious behavior. We achieve this by clustering a set of statistical features of power measurements that are determined using the Smoothed Pseudo Wigner Ville (SPWV) energy Time-Frequency (TF)distribution. We show how this approach is able to more accurately distinguish clusters of energy consumption than simply using raw power measurements. Our ultimate goal is to apply the principles of profiling power consumption measurements as part of an enhanced anomaly detection system for smart grids

A multi-level resilience framework for unified networked environments

Networked infrastructures underpin most social and economical interactions nowadays and have become an integral part of the critical infrastructure. Thus, it is crucial that heterogeneous networked environments provide adequate resilience in order to satisfy the quality requirements of the user. In order to achieve this, a coordinated approach to confront potential challenges is required. These challenges can manifest themselves under different circumstances in the various infrastructure components. The objective of this paper is to present a multi-level resilience approach that goes beyond the traditional monolithic resilience schemes that focus mainly on one infrastructure component. The proposed framework considers four main aspects, i.e. users, application, network and system. The latter three are part of the technical infrastructure while the former profiles the service user. Under two selected scenarios this paper illustrates how an integrated approach coordinating knowledge from the different infrastructure elements allows a more effective detection of challenges and facilitates the use of autonomic principles employed during the remediation against challenges

Malware Detection in the Cloud under Ensemble Empirical Mode Decomposition

Cloud networks underpin most of todays’ socioeconomical Information Communication Technology (ICT) environments due to their intrinsic capabilities such as elasticity and service transparency. Undoubtedly, this increased dependence of numerous always-on services with the cloud is also subject to a number of security threats. An emerging critical aspect is related with the adequate identification and detection of malware. In the majority of cases, malware is the first building block for larger security threats such as distributed denial of service attacks (e.g. DDoS); thus its immediate detection is of crucial importance. In this paper we introduce a malware detection technique based on Ensemble Empirical Mode Decomposition (E-EMD) which is performed on the hypervisor level and jointly considers system and network information from every Virtual Machine (VM). Under two pragmatic cloud-specific scenarios instrumented in our controlled experimental testbed we show that our proposed technique can reach detection accuracy rates over 90% for a range of malware samples. In parallel we demonstrate the superiority of the introduced approach after comparison with a covariance-based anomaly detection technique that has been broadly used in previous studies. Consequently, we argue that our presented scheme provides a promising foundation towards the efficient detection of malware in modern virtualized cloud environments. Index Terms—Malware Detection, Empirical Mode Decomposition, Cloud computing, Anomaly Detectio

A multi-level resilience framework for unified networked environments

Networked infrastructures underpin most social and economical interactions nowadays and have become an integral part of the critical infrastructure. Thus, it is crucial that heterogeneous networked environments provide adequate resilience in order to satisfy the quality requirements of the user. In order to achieve this, a coordinated approach to confront potential challenges is required. These challenges can manifest themselves under different circumstances in the various infrastructure components. The objective of this paper is to present a multi-level resilience approach that goes beyond the traditional monolithic resilience schemes that focus mainly on one infrastructure component. The proposed framework considers four main aspects, i.e. users, application, network and system. The latter three are part of the technical infrastructure while the former profiles the service user. Under two selected scenarios this paper illustrates how an integrated approach coordinating knowledge from the different infrastructure elements allows a more effective detection of challenges and facilitates the use of autonomic principles employed during the remediation against challenges

Malware Detection in Cloud Computing Infrastructures

Cloud services are prominent within the private, public and commercial domains. Many of these services are expected to be always on and have a critical nature; therefore, security and resilience are increasingly important aspects. In order to remain resilient, a cloud needs to possess the ability to react not only to known threats, but also to new challenges that target cloud infrastructures. In this paper we introduce and discuss an online cloud anomaly detection approach, comprising dedicated detection components of our cloud resilience architecture. More specifically, we exhibit the applicability of novelty detection under the one-class support Vector Machine (SVM) formulation at the hypervisor level, through the utilisation of features gathered at the system and network levels of a cloud node. We demonstrate that our scheme can reach a high detection accuracy of over 90% whilst detecting various types of malware and DoS attacks. Furthermore, we evaluate the merits of considering not only system-level data, but also network-level data depending on the attack type. Finally, the paper shows that our approach to detection using dedicated monitoring components per VM is particularly applicable to cloud scenarios and leads to a flexible detection system capable of detecting new malware strains with no prior knowledge of their functionality or their underlying instructions. Index Terms—Security, resilience, invasive software, multi-agent systems, network-level security and protection

Fault Diagnosis in DSL Networks using Support Vector Machines

The adequate operation for a number of service distribution networks relies on the e�ective maintenance and fault management of their underlay DSL infrastructure. Thus, new tools are required in order to adequately monitor and further diagnose anomalies that other segments of the DSL network cannot identify due to the pragmatic issues raised by hardware or software misconfigurations. In this work we present a fundamentally new approach for classifying known DSL-level anomalies by exploiting the properties of novelty detection via the employment of one-class Support Vector Machines (SVMs). By virtue of the imbalance residing in the training samples that consequently lead to problematic prediction outcomes when used within two-class formulations, we adopt the properties of one-class classification and construct models for independently identifying and classifying a single type of a DSL-level anomaly. Given the fact that the greater number of the installed Digital Subscriber Line Access Multiplexers (DSLAMs) within the DSL network of a large European ISP were misconfigured, thus unable to accurately flag anomalous events, we utilize as inference solutions the models derived by the one-class SVM formulations built by the known labels as flagged by the much smaller number of correctly configured DSLAMs in the same network in order to aid the classification aspect against the monitored unlabelled events. By reaching an average over 95% on a number of classification accuracy metrics such as precision, recall and F-score we show that one-class SVM classifiers overcome the biased classification outcomes achieved by the traditional two-class formulations and that they may constitute as viable and promising components within the design of future network fault management strategies. In addition, we demonstrate their superiority over commonly used two-class machine learning approaches such as Decision Trees and Bayesian Networks that has been used in the same context within past solutions. Keywords: Network management, Support Vector Machines, supervised learning, one-class classifiers, DSL anomalie

Assessing the impact of intra-cloud live migration on anomaly detection

Virtualized cloud environments have emerged as a necessity within modern unified ICT infrastructures and have established themselves as a reliable backbone for numerous always-on services. `Live' intra-cloud virtual-machine (VM) migration is a widely used technique for efficient resource management employed within modern cloud infrastructures. Despite the benefits of such functionality, there are still several security issues which have not yet been thoroughly assessed and quantified. We investigate the impact of live virtual-machine migration on state-of-the-art anomaly detection (AD) techniques (namely PCA and K-means), by evaluating live migration under various attack types and intensities. We find that the performance for both detectors degrades as shown by their Receiver Operating Characteristics (ROC) curves when intra-cloud live migration is initiated while VMs are under a netscan (NS) or a denial-of-service (DoS) attack