
    The Indian Child Welfare Act of 1978: The Massachusetts Dilemma


    Accommodating repair actions into gas turbine prognostics

    Elements of gas turbine degradation, such as compressor fouling, are recoverable through maintenance actions like compressor washing. These actions increase the usable engine life and optimise the performance of the gas turbine. However, they are performed by an organization separate from the one undertaking fleet management operations, leading to significant uncertainty about the maintenance state of the asset, and that uncertainty degrades prognostic efficacy. In this paper, we adopt Bayesian on-line change point detection to detect compressor washing events. The event detection information is then used as an input to a prognostic algorithm, which updates the estimate of remaining useful life. To illustrate the capability of the approach, we demonstrate our on-line Bayesian change detection algorithms on synthetic and real aircraft engine service data, identifying the compressor washing events for a gas turbine and thus providing demonstrably improved prognosis.
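The abstract names the algorithm but not its mechanics. The block below is an added illustration, not code or data from the paper: it implements Bayesian on-line change point detection (the Adams and MacKay run-length formulation) for a piecewise-constant level with known noise variance and a constant hazard, runs it over a constructed performance-deviation trace, and flags the upward level steps as candidate compressor washes. The segment levels, the noise model, the hazard rate of 1/50 and the prior are all assumptions chosen for the example.

```python
import math

# Constructed synthetic trace of a performance-deviation indicator (not the paper's
# service data): a fouled level, a washing step, re-fouling (modelled as a step
# for simplicity) and a second washing step.
SEGMENTS = [(-1.5, 40), (0.0, 30), (-1.2, 30), (0.0, 20)]
TRUE_CHANGE_POINTS = [40, 70, 100]
TRUE_WASHES = [40, 100]  # only the upward steps are washes


def synthetic_trace():
    xs = []
    for level, n in SEGMENTS:
        for _ in range(n):
            xs.append(level + 0.15 * math.sin(len(xs)))  # deterministic "noise"
    return xs


def _gauss_pdf(x, mean, var):
    return math.exp(-(x - mean) ** 2 / (2.0 * var)) / math.sqrt(2.0 * math.pi * var)


def bocpd(xs, hazard=1.0 / 50, mu0=0.0, var0=1.0, noise_var=0.04):
    """Bayesian on-line change point detection (Adams & MacKay) for a piecewise
    constant level with known noise variance and a constant hazard rate.

    Returns [(start_index, level_before, level_after), ...] for each point at
    which the MAP run length collapses, i.e. the model decides a new segment began.
    """
    run = [1.0]      # posterior over run length r (r = observations in current run)
    mu = [mu0]       # posterior mean of the segment level, per run length
    var = [var0]     # posterior variance of the segment level, per run length
    prev_map, events = 0, []
    for t, x in enumerate(xs):
        level_before = mu[prev_map]
        # predictive probability of x under each hypothesised run length
        joint = [run[r] * _gauss_pdf(x, mu[r], var[r] + noise_var)
                 for r in range(len(run))]
        # r -> 0 with probability `hazard` (change point), r -> r+1 otherwise
        new_run = [hazard * sum(joint)] + [(1.0 - hazard) * j for j in joint]
        z = sum(new_run)
        run = [p / z for p in new_run]
        # conjugate Normal update: a run of length r that absorbs x has length r+1;
        # the new run of length 0 restarts from the prior
        new_mu, new_var = [mu0], [var0]
        for r in range(len(mu)):
            v = 1.0 / (1.0 / var[r] + 1.0 / noise_var)
            new_var.append(v)
            new_mu.append(v * (mu[r] / var[r] + x / noise_var))
        mu, var = new_mu, new_var
        map_r = max(range(len(run)), key=run.__getitem__)
        if map_r < prev_map:  # MAP run length fell back: a change point was detected
            events.append((t - map_r + 1, level_before, mu[map_r]))
        prev_map = map_r
    return events


def detect_washes(xs, **kwargs):
    """A compressor wash restores performance, so only upward level steps are
    reported as washing events; downward steps are treated as degradation."""
    return [(i, before, after) for i, before, after in bocpd(xs, **kwargs)
            if after > before]


if __name__ == "__main__":
    trace = synthetic_trace()
    for start, before, after in bocpd(trace):
        print(f"change at sample {start}: level {before:+.2f} -> {after:+.2f}")
    print("washing events:", [i for i, _, _ in detect_washes(trace)])
```

With a constant hazard the posterior mass on run length zero is always exactly the hazard, so the detector keys on the collapse of the most probable run length rather than on that mass; the estimated start of the new segment is the current sample minus the new run length plus one.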

    War Fighting in Cyberspace: Evolving Force Presentation and Command and Control

    The Department of Defense (DOD) is endeavoring to define war fighting in the global cyberspace domain. Creation of US Cyber Command (USCYBERCOM), a sub-unified functional combatant command (FCC) under US Strategic Command (USSTRATCOM), is a huge step in integrating and coordinating the defense, protection, and operation of DOD networks; however, this step does not mean that USCYBERCOM will perform or manage all cyberspace functions. In fact, the vast majority of cyberspace functions conducted by the services and combatant commands (COCOM), although vital for maintaining access to the domain in support of their operations, are not of an active war-fighting nature. We apply the concepts of war fighting, offense, and active defense to the domain of cyberspace and propose several recommendations to aid USCYBERCOM as it works with the services and geographic combatant commands (GCC) to fight in cyberspace.

    A Multidiscipline Approach to Mitigating the Insider Threat

    Preventing and detecting the malicious insider is an inherently difficult problem that spans many areas of expertise, including the social, behavioral and technical disciplines. Unfortunately, current methodologies to combat the insider threat have had limited success, primarily because techniques have focused on these areas in isolation. The technology community is searching for technical solutions such as anomaly detection systems, data mining and honeypots. The law enforcement and counterintelligence communities, however, have tended to focus on human behavioral characteristics to identify suspicious activities. These independent methods have limited effectiveness because of the unique dynamics associated with the insider threat. The solution requires a multidisciplinary approach with a clearly defined methodology that attacks the problem in an organized and consistent manner. The purpose of this paper is to present a framework that provides a systematic way to identify the malicious insider and to describe a methodology to counter the threat. Our model, the Multidiscipline Approach to Mitigating the Insider Threat (MAMIT), introduces a novel process for addressing this challenge. MAMIT focuses on the collaboration of information from the relevant disciplines and uses indicators to produce a consolidated matrix showing the likelihood of an individual being a malicious insider. The well-known espionage case of Robert Hanssen is used as a case study to illustrate the effectiveness of the framework.

    Using PLSI-U to Detect Insider Threats by Datamining Email

    Despite a technology bias that focuses on external electronic threats, insiders pose the greatest threat to an organisation. This paper discusses an approach to assist investigators in identifying potential insider threats. We discern employees' interests from e-mail using an extended version of PLSI. These interests are transformed into implicit and explicit social network graphs, which are used to locate potential insiders by identifying individuals who feel alienated from the organisation or have a hidden interest in a sensitive topic. By applying this technique to the Enron e-mail corpus, a small number of employees appear as potential insider threats.

    Design and Analysis of a Dynamically Configured Log-based Distributed Security Event Detection Methodology

    Military and defense organizations rely upon the security of data stored in, and communicated through, their cyber infrastructure to fulfill their mission objectives. It is essential to identify threats to the cyber infrastructure in a timely manner so that mission risks can be recognized and mitigated. Centralized event logging and correlation is a proven method for identifying threats to cyber resources. However, centralized event logging is inflexible and does not scale well, because it consumes excessive network bandwidth and imposes significant storage and processing requirements on the central event log server. In this paper, we present a flexible, distributed event correlation system designed to overcome these limitations by distributing the event correlation workload across the network of event-producing systems. To demonstrate the utility of the methodology, we model and simulate centralized, decentralized, and hybrid log analysis environments over three accountability levels and compare their performance in terms of detection capability, network bandwidth utilization, database query efficiency, and configurability. The results show that, compared to centralized event correlation, dynamically configured distributed event correlation provides increased flexibility, a significant reduction in network traffic in low- and medium-accountability environments, and a decrease in database query execution time in the high-accountability case.
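To make the bandwidth argument concrete, here is an added example that is not the paper's simulation or code. It runs one correlation rule (a burst of failed logins from one source followed by a success from that source) either on a central server that receives every raw event, or on each event producer, which then ships only its alerts. The log lines, host names, rule thresholds and the single-rule correlator are all constructed for the example; the hybrid mode and the accountability levels of the paper are not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed SSH authentication log lines for three event producers (not data
# from the paper). Only web01 shows a brute-force pattern that then succeeds.
HOST_LOGS = {
    "web01": [
        "2024-05-01T10:00:01 sshd: Failed password for root from 203.0.113.5",
        "2024-05-01T10:00:05 sshd: Failed password for root from 203.0.113.5",
        "2024-05-01T10:00:09 sshd: Failed password for admin from 203.0.113.5",
        "2024-05-01T10:00:13 sshd: Failed password for root from 203.0.113.5",
        "2024-05-01T10:00:20 sshd: Accepted password for root from 203.0.113.5",
        "2024-05-01T10:01:00 sshd: Accepted password for alice from 192.0.2.10",
    ],
    "db01": [  # two failures only: below the threshold
        "2024-05-01T10:02:00 sshd: Failed password for root from 198.51.100.7",
        "2024-05-01T10:02:04 sshd: Failed password for root from 198.51.100.7",
        "2024-05-01T10:02:10 sshd: Accepted password for root from 198.51.100.7",
    ],
    "app01": [  # three failures, but spread wider than the window
        "2024-05-01T10:00:00 sshd: Failed password for bob from 203.0.113.5",
        "2024-05-01T10:03:00 sshd: Failed password for bob from 203.0.113.5",
        "2024-05-01T10:06:00 sshd: Failed password for bob from 203.0.113.5",
        "2024-05-01T10:06:10 sshd: Accepted password for bob from 203.0.113.5",
        "2024-05-01T10:07:00 sshd: Accepted password for alice from 192.0.2.10",
    ],
}

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    ts, kind, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "kind": kind.lower(),
            "user": user, "src": src}


def correlate(host, events, threshold=3, window_s=60):
    """Rule: at least `threshold` failed logins from one source within `window_s`
    seconds, followed by a successful login from that source, raise one alert."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    alerts = []
    for ev in events:  # events are assumed to be in time order per host
        q = recent_failures[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["kind"] == "failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append(f"ALERT host={host} src={ev['src']} user={ev['user']} "
                          f"failures={len(q)} success_at={ev['ts'].isoformat()}")
            q.clear()
    return alerts


def wire_bytes(lines):
    return sum(len(line.encode("utf-8")) + 1 for line in lines)  # +1 for newline


def run(mode):
    """'centralized': every raw line is shipped and correlated at the server.
    'distributed': each producer correlates locally and ships only its alerts."""
    alerts, shipped = [], 0
    for host, lines in HOST_LOGS.items():
        events = [parse_line(line) for line in lines]
        if mode == "centralized":
            shipped += wire_bytes(lines)
            alerts += correlate(host, events)
        elif mode == "distributed":
            local_alerts = correlate(host, events)
            shipped += wire_bytes(local_alerts)
            alerts += local_alerts
        else:
            raise ValueError(mode)
    return alerts, shipped


if __name__ == "__main__":
    for mode in ("centralized", "distributed"):
        alerts, shipped = run(mode)
        print(f"{mode:12s} alerts={len(alerts)} bytes_on_wire={shipped}")
        for a in alerts:
            print("  ", a)
```

Both modes raise the same single alert; the distributed mode ships only that alert, whereas the centralized mode ships every raw line. The trade-off the abstract's accountability levels capture is that a producer which correlates locally and discards raw events cannot later answer forensic queries about them, which is why a high-accountability environment still forwards (or retains) the raw records.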

    Traffic Collision Avoidance System: False Injection Viability

    Safety is a simple concept but an abstract task, particularly for aircraft. One critical safety system, the Traffic Collision Avoidance System II (TCAS), protects against mid-air collisions by predicting the course of other aircraft, determining the possibility of collision, and issuing a resolution advisory for avoidance. Previous research to identify vulnerabilities associated with TCAS's communication processes found that a false injection attack presents the most comprehensive risk to trust in TCAS, allowing for a mid-air collision. This research explores the viability of successfully executing a false injection attack against a target aircraft, triggering a resolution advisory. Monetary constraints precluded access to a physical TCAS unit; instead, this research creates a novel program, the TCAS False Injection Environment (TCAS-FIE), that incorporates real-world distributed computing systems to simulate a ground-based attacker scenario exploring how a false injection attack could target an operational aircraft. TCAS-FIE's simulation models are defined by parameters chosen so that the tests mimic real-world TCAS units during Mode S message processing. The simulations execute tests over applicable ranges (5–30 miles), altitudes (25–45K ft), and bearings standard for real-world TCAS tracking. The comprehensive tests compare altitude, measure range closure rate, and measure signal strength from another aircraft to determine the change in bearing over time. In the attack scenario, the ground-based adversary injects a spoofed aircraft with characteristics matching a Boeing 737-800, targeting an operational Boeing 737-800. TCAS-FIE completes 555,000 simulations over the various ranges, altitudes, and bearings. The simulated success rate for triggering a resolution advisory is 32.63%, representing 181,099 successful resolution advisory triggers out of 555,000 total simulations. Additional analysis determines the range, altitude, and bearing parameters required to trigger future resolution advisories, yielding a predictive threat map for aircraft false injection attacks. The resulting map provides situational awareness to pilots in the event of a real-world TCAS anomaly.

    Insider Threat Detection using Virtual Machine Introspection

    This paper presents a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four-step methodology for the development and validation of malicious insider threat alerting using VMI. A malicious attacker taxonomy is used to decompose each scenario to aid identification of observables that can be monitored for potentially malicious actions. The effectiveness of the identified observables is validated using two data sets. The results show that the developed methodology is effective in detecting the malicious insider scenarios on Windows guests.

    A Comparison of Generalizability for Anomaly Detection

    In security-related areas there is concern over the novel "zero-day" attack that penetrates system defenses and wreaks havoc. The best methods for countering these threats are recognizing "non-self", as in an Artificial Immune System, or recognizing "self" through clustering. In either case, the concern remains that something that looks similar to self could be missed. Given this situation, one could logically assume that a tighter fit to self, rather than generalizability, is what matters for false positive reduction in this type of learning problem. This article shows that a tight fit, although important, does not supersede having some model generality. This is shown using three systems. The first two use sphere and ellipsoid clusters with a k-means algorithm modified to work on the one-class (blind classification) problem. The third is based on wrapping the self points with a multidimensional convex hull (polytope) algorithm capable of learning disjunctive concepts via a thresholding constant. All three algorithms are tested on an intrusion detection problem and a steganalysis problem, with results exceeding those published for an Artificial Immune System.
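The sphere-cluster variant of the one-class model is small enough to show end to end. The block below is an added example, not the article's code or data: plain k-means is fitted to "self" points only, each cluster becomes a sphere whose radius is the tightest fit around its members, and a slack factor greater than 1 inflates the spheres to add generality. The feature vectors are constructed (two blobs placed on rings, with held-out self points lying slightly outside what training showed) so that the effect of the slack on false positives and on detection of non-self can be read off directly; the ellipsoid and convex-hull models of the article are not reproduced.

```python
import math


# Constructed 2-D feature vectors (not the article's intrusion or steganalysis
# data). "Self" lies in two blobs; points are placed deterministically on rings.
def _ring(cx, cy, radii, angles=(0.0, 0.5, 1.0, 1.5)):
    return [(cx + r * math.cos(a * math.pi), cy + r * math.sin(a * math.pi))
            for r in radii for a in angles]


TRAIN_SELF = _ring(0, 0, (0.5, 0.8, 1.0)) + _ring(6, 6, (0.5, 0.8, 1.0))
# unseen self: half the points sit just beyond the largest training radius
HELDOUT_SELF = _ring(0, 0, (0.7, 1.15)) + _ring(6, 6, (0.7, 1.15))
NON_SELF = [(3.0, 3.0), (9.0, 0.0), (-4.0, 2.0), (6.0, -3.0)]  # far from both blobs


def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def _assign(points, centroids):
    clusters = [[] for _ in centroids]
    for p in points:
        clusters[min(range(len(centroids)), key=lambda i: _dist(p, centroids[i]))].append(p)
    return clusters


def kmeans(points, k, iters=20):
    """Plain k-means on self data only, with deterministic farthest-point init."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(_dist(p, c) for c in centroids)))
    for _ in range(iters):
        clusters = _assign(points, centroids)
        new = [(sum(x for x, _ in c) / len(c), sum(y for _, y in c) / len(c)) if c
               else centroids[i] for i, c in enumerate(clusters)]
        if new == centroids:
            break
        centroids = new
    return centroids, _assign(points, centroids)


def fit_spheres(self_points, k=2):
    """One-class model: each cluster becomes a sphere whose radius is the tightest
    fit around the self points it contains (the tight-fit model)."""
    centroids, clusters = kmeans(self_points, k)
    return [(c, max(_dist(p, c) for p in members))
            for c, members in zip(centroids, clusters)]


def is_self(spheres, p, slack=1.0):
    """slack=1.0 is the tight fit; slack>1 inflates every sphere for generality."""
    return any(_dist(p, c) <= slack * r for c, r in spheres)


def evaluate(spheres, slack):
    """Returns (false positive rate on unseen self, detection rate on non-self)."""
    fp = sum(not is_self(spheres, p, slack) for p in HELDOUT_SELF) / len(HELDOUT_SELF)
    det = sum(not is_self(spheres, p, slack) for p in NON_SELF) / len(NON_SELF)
    return fp, det


if __name__ == "__main__":
    model = fit_spheres(TRAIN_SELF)
    for slack in (1.0, 1.3):
        fp, det = evaluate(model, slack)
        print(f"slack={slack:.1f} false positives={fp:.2f} detection={det:.2f}")
```

With the tight fit, every held-out self point lying just outside the training radius is flagged, giving a 50% false positive rate on this constructed data, while a modest slack removes those false positives without losing any of the far-away non-self points. The slack is the same kind of knob as the article's thresholding constant: too little generality and normal variation is reported as zero-day activity, too much and near-self anomalies are absorbed.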