Article

Execution monitoring of security-critical programs in distributed systems: a Specification-based approach

Authors:
C. Ko
C. Ko
C. Ko
  • This person is not on ResearchGate, or hasn't claimed this research yet.
M. Ruschitzka
M. Ruschitzka
M. Ruschitzka
  • This person is not on ResearchGate, or hasn't claimed this research yet.
K. Levitt
K. Levitt
K. Levitt
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Download citation
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

We describe a specification-based approach to detect exploitations of vulnerabilities in security-critical programs. The approach utilizes security specifications that describe the intended behavior of programs and scans audit trails for operations that are in violation of the specifications. We developed a formal framework for specifying the security-relevant behavior of programs, on which we based the design and implementation of a real-time intrusion detection system for a distributed system. Also, we wrote security specifications for 15 Unix setuid root programs. Our system detects attacks caused by monitored programs, including security violations caused by improper synchronization in distributed programs. Our approach encompasses attacks that exploit previously unknown vulnerabilities in security-critical programs.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

... In the area of intrusion detection (Lazarevic,2005) presents a complete survey. Ko et al (1997) have proposed a specification-based approach, which uses dynamic verification techniques to detect exploitations of vulnerabilities in security-critical programs. According to this framework, one hat to specify a trace policy which describes the intended behavior of programs with regards to security properties. ...
... A trace policy determines security-valid operation sequences of the execution of one or more programs. For specifying such trace policies, Ko et al. (1997) have developed a grammar, called "parallel environment grammar (PE-grammar)" whose alphabet consists of system operations. A PE-grammar can express various classes of security trace policies, including behavior related access to system objects, synchronization, and operation sequencing and race conditions in concurrent or distributed programs. ...
A Review of Security Mechanisms for Multi-Agent Systems
Chapter
  • Jan 2019
This chapter reviews current technologies used to build secure agents. A wide spectrum of mechanisms to provide security to agent-based systems is provided, giving an overview with the main agent-based systems and agent-oriented tools. An evaluation of security mechanisms is done that identifies security weaknesses. This review covers from the initial approaches to the more recent mechanisms. This analysis draws attention to the fact that these systems have traditionally neglected the need of a secure underlying infrastructure.
View
... -Dynamic Specification-based detection In this mechanism the maliciousness of the samples is determined by observing the behavior during the runtime/execution for implementing dynamic specification-based detection. Ko et al. (1997) specification-based solution is for the distributed environment. Initially, the analyst defines the trace rule, which is further used to detect malicious behavior. ...
Advanced Persistent Threats (APT): evolution, anatomy, attribution and countermeasures
Article
Full-text available
  • May 2023
In today’s cyber warfare realm, every stakeholder in cyberspace is becoming more potent by developing advanced cyber weapons. They have equipped with the most advanced malware and maintain a hidden attribution. The precocious cyber weapons, targeted and motivated with some specific intention are called as Advanced Persistent Threats (APT). Developing defense mechanisms and performing attribution analysis of such advanced attacks are extremely difficult due to the intricate design of attack vector and sophisticated malware employed with high stealth and evasive techniques. These attacks also include advanced zero-day and negative-day exploits and payloads. This paper provides a comprehensive survey on the evolution of advanced malware design paradigms, APT attack vector and its anatomy, APT attack Tactics, Techniques, and Procedures (TTP) and specific case studies on open-ended APT attacks. The survey covers a detailed discussion on APT attack phases and comparative study on threat life-cycle specification by various organizations. This work also addresses the APT attack attribution and countermeasures against these attacks from classical signature and heuristic based detection to modern machine learning and genetics based detection mechanisms along with sophisticated zero-day and negative day malware countermeasure by various techniques like monitoring of network traffic and DNS logs, moving target based defense, and attack graph based defenses. Furthermore, the survey addresses various research scopes in the domain of APT cyber-attacks.
View
... Few more approaches are based on specification of systems. Such as [6] where security critical programs were monitored for vulnerability specification captures the behavior of objects. sequence of operations performed during execution of any program were observed and if it is beyond the specification it is considered as violation. ...
Post-Attack Intrusion Detection using Log Files Analysis
Article
Full-text available
  • Oct 2015
Information security is always a main concern of an organization. It is always a challenging job to design a precise Intrusion detection system(IDS) which will detect the intrusions. Intrusion detection systems are broadly classified as host based (HIDS) and network based intrusion detection systems (NIDS). In this paper a comparative study is done on different approaches for detecting intrusion on single host. Point to note that attack detection systems has aim to only detect the activity of intruder and it does not provide any preventive majors.
View
... The specification provides a model of information like network topology, regular traffic patterns, communication intervals, scheduled operations, predictable processes, and real-time events to characterize genuine behavior [94]. Therefore, if the CIDS detects events that do not comply with the specifications, it is considered a violation of security [95]. As this method is based on legitimate behaviors, it does not generate false alarms when abnormal programs, that are legitimate, are faced. ...
Integration of blockchain and collaborative intrusion detection for secure data transactions in industrial IoT: a survey
Article
Full-text available
  • Jun 2022
  • CLUSTER COMPUT
The advent of the Industrial Internet of Things (IIoT) integrates all manners of computing technologies, from tiny actuators to process-intensive servers. The distributed network of IoT devices relies on centralized architecture to compensate for their lack of resources. Within this complex network, it is crucial to ensure the security and privacy of data in the IIoT systems as they involve real-time functions that manage people’s movement and industrial materials like chemicals, radio-active goods, and large equipment. Intrusion Detection Systems (IDS) have been widely used to detect and thwart cyber-attacks on such systems. However, these are inefficient for the multi-layered IIoT networks which include heterogeneous protocol standards and topologies. With the need for a novel security method, the integration of collaborative IDS (CIDS) and blockchain has become a disruptive technology to ensure secure and trustable network transactions. Which detection methodology is suitable for this integration, and IIoT? Will blockchain render IIoT completely immune to cyber-attacks? In this paper, we provide a comprehensive review of the state of the art, analyze, and classify the integration approaches of CIDS and blockchain, and discuss suitable approaches for securing IIoT systems. We also categorize the major blockchain vulnerabilities with their potential losses to expose significant gaps for future research directions.
View
... In fact, anomaly detection technology will introduce a large number of false alarms while reducing false negatives, making it difficult to apply to real scenarios. In this regard, hybrid detection technology was proposed by Ko et al. [19], who developed a language framework through the analysis of program execution sequence and concurrent program grammatical events and finally customized event tracking strategy for real-time web intrusion detection. The experimental results of Prem et al. [20] proved that the strategy-based method is superior to a single feature detection or anomaly detection method. ...
A Web Shell Detection Method Based on Multiview Feature Fusion
Article
Full-text available
  • Sep 2020
Web shell is a malicious script file that can harm web servers. Web shell is often used by intruders to perform a series of malicious operations on website servers, such as privilege escalation and sensitive information leakage. Existing web shell detection methods have some shortcomings, such as viewing a single network traffic behavior, using simple signature comparisons, and adopting easily bypassed regex matches. In view of the above deficiencies, a web shell detection method based on multiview feature fusion is proposed based on the PHP language web shell. Firstly, lexical features, syntactic features, and abstract features that can effectively represent the internal meaning of web shells from multiple levels are integrated and extracted. Secondly, the Fisher score is utilized to rank and filter the most representative features, according to the importance of each feature. Finally, an optimized support vector machine (SVM) is used to establish a model that can effectively distinguish between web shell and normal script. In large-scale experiments, the final classification accuracy of the model on 1056 web shells and 1056 benign web scripts reached 92.18%. The results also surpassed well-known web shell detection tools such as VirusTotal, ClamAV, LOKI, and CloudWalker, as well as the state-of-the-art web shell detectionmethods.
View
... Second, our technique of analyzing a relatively small corpus of known-good programs -which do not change a great deal over time -for significant deviations from normal, is also very different than typical applications of anomaly detection to analyzing IP network traffic or sequences of system calls. Our technique and application is closer in spirit to specificationbased intrusion detection [19], whereas anomaly detection against typical network and host data is more reflec-tive of outlier detection [40] and can suffer considerably from the base-rate fallacy [4]. ...
Catch Me If You Can: Using Power Analysis to Identify HPC Activity
Preprint
  • May 2020
Monitoring users on large computing platforms such as high performance computing (HPC) and cloud computing systems is non-trivial. Utilities such as process viewers provide limited insight into what users are running, due to granularity limitation, and other sources of data, such as system call tracing, can impose significant operational overhead. However, despite technical and procedural measures, instances of users abusing valuable HPC resources for personal gains have been documented in the past \cite{hpcbitmine}, and systems that are open to large numbers of loosely-verified users from around the world are at risk of abuse. In this paper, we show how electrical power consumption data from an HPC platform can be used to identify what programs are executed. The intuition is that during execution, programs exhibit various patterns of CPU and memory activity. These patterns are reflected in the power consumption of the system and can be used to identify programs running. We test our approach on an HPC rack at Lawrence Berkeley National Laboratory using a variety of scientific benchmarks. Among other interesting observations, our results show that by monitoring the power consumption of an HPC rack, it is possible to identify if particular programs are running with precision up to and recall of 95\% even in noisy scenarios.
View
... Specification-based Methods: This approach monitors the activity of connected devices given certain rules, explicitly specifying allowed or not-allowed network activities [22], [27]. In [28], authors apply a specification-based approach to a wireless sensor network where specifications are defined and enforced by the network operator. ...
Detecting Behavioral Change of IoT Devices Using Clustering-Based Network Traffic Modeling
Article
  • Mar 2020
The Internet-of-Things (IoT) is increasingly becoming a major challenge for network administrators to manage connected devices and sensors ranging from smart-lights to smoke-alarms and security-cameras, at scale. IoT devices use an extensive variety of firmware, and provide little (or no) access for management of their operating systems and configurations. Operators of IoT infrastructure, therefore, need to employ traffic classification models (trained by historical data) to automatically detect their assets on the network, and ensure the health of devices against cyber-attacks by monitoring their network behavior. On the other hand, IoT manufacturers often automatically perform firmware upgrades from cloud servers to devices that are operational in the field. This can potentially lead to a change of device behavior which makes it difficult for network operators to maintain classification models (incorporating changes without retraining the entire model). In this paper, we develop a modular device classification architecture that allows operators to automatically detect IoT devices by their network activity and dynamically accommodate legitimate changes in assets (either addition of new device profile or upgrade of existing profiles). Our contributions are threefold: (1) We identify key traffic attributes that can be obtained from flow-level network telemetry to characterize the behavior of various IoT device types. We develop an unsupervised one-class clustering method for each device to detect their normal network behavior; (2) We tune device-specific clustering models and use them to classify IoT devices from their network traffic in real-time. We enhance our classification by developing methods for automatic conflict resolution and noise filtering; and (3) We evaluate the efficacy of our scheme by applying it to traffic traces (benign and attack) from ten real IoT devices, and demonstrate its ability to detect behavioral changes with an overall accuracy of more than 94%.
View
... With specification based detection, expected system behaviour and properties is catalogued, any deviation from the specifications results in an alert about possibility of system compromise [20]. Approaches based on specification based detection build specified system behaviour based on expert knowledge of the system using the system least privileged principle. ...
View
... (obfuscated for privacy). Existing network traffic detectors usually cannot capture the precise process information [50,64]. Thus, we first compose an anomaly AIQL query that computes moving average (SMA3) to find processes which transfer a large amount of data to this suspicious IP. ...
AIQL: Enabling Efficient Attack Investigation from System Monitoring Data
Preprint
Full-text available
  • Jun 2018
The need for countering Advanced Persistent Threat (APT) attacks has led to the solutions that ubiquitously monitor system activities in each host, and perform timely attack investigation over the monitoring data for analyzing attack provenance. However, existing query systems based on relational databases and graph databases lack language constructs to express key properties of major attack behaviors, and often execute queries inefficiently since their semantics-agnostic design cannot exploit the properties of system monitoring data to speed up query execution. To address this problem, we propose a novel query system built on top of existing monitoring tools and databases, which is designed with novel types of optimizations to support timely attack investigation. Our system provides (1) domain-specific data model and storage for scaling the storage, (2) a domain-specific query language, Attack Investigation Query Language (AIQL) that integrates critical primitives for attack investigation, and (3) an optimized query engine based on the characteristics of the data and the semantics of the queries to efficiently schedule the query execution. We deployed our system in NEC Labs America comprising 150 hosts and evaluated it using 857 GB of real system monitoring data (containing 2.5 billion events). Our evaluations on a real-world APT attack and a broad set of attack behaviors show that our system surpasses existing systems in both efficiency (124x over PostgreSQL, 157x over Neo4j, and 16x over Greenplum) and conciseness (SQL, Neo4j Cypher, and Splunk SPL contain at least 2.4x more constraints than AIQL).
View
... It is noticeable that some researchers rarely try to enhance the performance evaluation metrics process by introducing new metrics to evaluate and analyze the IDS performance. One such metric is the detection latency [24]; which tries to measure the time that is required to discover an intruder since it descended into the system. It should be noted that this metric is not identical in the case of the insider attackers and the case of outsider attackers. ...
View
... This is reflected in the notation used in the intrusion detection community[1,2], where knowledge based intrusion detection (a.k.a., misuse based 3 ) is the kind of intrusion detection that relies on a model of the attack, and behaviour based intrusion detection the one that relies on the model of the legitimate behaviour. In turn, behaviour based NIDS are usually subdivided in anomaly based NIDS and specification based intrusion detection[3], with the distinction that in anomaly based NIDS the model of the target system is built more or less automatically during a " learning phase " , while in specification-based NIDS models are " manually developed specifications that capture legitimate (rather than previously seen) system behaviors "[4]. The common perception about knowledgebased vs. anomaly-based and specification-based NIDS is that P1 Knowledge-based NIDSs work well in practical deployments, but they are " ineffective " P2 Anomaly-based NIDS are effective (only) in benchmarks, but do not work well in practical deployments. ...
From Intrusion Detection to Software Design
Conference Paper
Full-text available
  • Aug 2017
I believe the single most important reason why we are so helpless against cyber-attackers is that present systems are not supervisable. This opinion is developed in years spent working on network intrusion detection, both as academic and entrepreneur. I believe we need to start writing software and systems that are supervisable by design; in particular, we should do this for embedded devices. In this paper, I present a personal view on the field of intrusion detection, and conclude with some consideration on software design.
View
... Further, researchers proposed using cause-and-effect relationships among attacks to make multistep associations. This method was first presented by Templeton [11] [12]. Then Peng Ning [13] [14] made in-depth and systematic study based on this theory. ...
View
... Some efficient measurements have been launched to improve IDS. Detection latency has been regarded as an essential factor in the measurement of IDS effectiveness and efficiency [81,82]. In spite of whether the intrusion has been dynamic or static, immediate detection of faults has been helping to respond to them also immediately. ...
Wireless local area network: A comprehensive review of attacks and metrics
Article
Full-text available
  • Jan 2017
Wireless Local Area Networks (WLAN) was once a single network solution. Yet now, it contributes to all part of business and computer industry. Thus, WLAN security measures need special attention. In order to identify WLAN networks’ vulnerability, some intrusion detection systems, architecture, and potential threats in the literature of this area is investigated. This approach is to categorize present wireless intrusion detection system (IDS) and detection technique. Several advantageous and drawbacks are presented and an in-depth critical literature review is presented. Different WLAN attack types and review some metrics in relation to operability and performance of IDS is summarized and extensively argued which can be conducted through integrating both practitioners and scholars. The future research areas are also discussed.
View
... Baseline detection relies on models of the intended behavior of users, applications and networks and interprets deviations from this normal' behavior [4, 5, 6, 7]. This approach is complementary with respect to misuse detection, where a number of attack descriptions (usually in the form of signatures) are matched against the stream of audited events, looking for evidence that one of the modeled attacks is occurring [8]. ...
Enhancing SIEM Correlation Rules Through Baselining
Conference Paper
Full-text available
  • May 2012
In this paper, we describe research into the use of baselining for enhancing SIEM Correlation rules. Enterprise grade software has been updated with a capability that identifies anomalous events based on baselines as well as rule based correlation engine, and alerts administrators when such events are identified. To reduce the number of false positive alerts we have investigated the use of different baseline training techniques and introduce the use of 3 different training approaches for baseline detection and updating lifecycle.
View
... The specication approach depends more on human observation and expertise than on mathematics. It was for the rst time utilized by C. Ko et al. [91] in 1997. It uses a logicbased description of expected behavior to construct a base model. ...
Intrusion Detection in Network Traffic
Thesis
Full-text available
  • Sep 2016
The thesis deals with anomaly based network intrusion detection which utilize machine learning approaches. First, state-of-the-art datasets intended for evaluation of intrusion detection systems are described as well as the related works employing statistical analysis and machine learning techniques for network intrusion detection. In the next part, original feature set, Advanced Security Network Metrics (ASNM) is presented, which is part of conceptual automated network intrusion detection system, AIPS. Then, tunneling obfuscation techniques as well as non-payload-based ones are proposed to apply as modifications of network attack execution. Experiments reveal that utilized obfuscations are able to avoid attack detection by supervised classifier using ASNM features, and their utilization can strengthen the detection performance of the classifier by including them into the training process of the classifier. The work also presents an alternative view on the non-payload-based obfuscation techniques, and demonstrates how they may be employed as a training data driven approximation of network traffic normalizer.
View
... However, such an approach does not take into account the implicit relationships between the states of the distributed processes that interact following some specific patterns during a distributed computation. The idea of specifying a reference model for a distributed computation has been addressed in [6] where the authors describe the behavior of a set of processes as sequences of system calls. However, all these studies rely on the hypothesis we can build a global clock, and thus all events that are observed in the distributed systems are totally ordered. ...
View
A Review on Intrusion Detection System for IoT based Systems
Article
Full-text available
  • Mar 2024
One of the key objectives of intelligent Internet of Things-based systems is to improve people's quality of life in terms of simplicity and efficiency. The paradigm for the Internet of Things (IoT) has surfaced recently as a technology to construct intelligent IoT systems. Security and privacy are essential considerations for all intelligent systems built on the Internet of Things concept. Because of the restricted processing and storage capabilities of IoT devices as well as their unique protocols, traditional IDSs are not a practical choice in an IoT environment. An overview of the most recent IDSs created for the IoT paradigm is given in this article, with particular attention to the techniques, features, and procedures of each. This essay also offers a thorough analysis of the IoT architecture, new security flaws, and how they relate to the layers of the IoT architecture. This study suggests that, despite previous studies on the design and implementation of integrated information systems in IoT paradigms, it is still an important task to develop efficient, reliable or trustworthy integrated information systems for IoT-based intelligent systems. This review concludes with future perspectives and important aspects to consider in the development of these IDS.
View
View
View
Online Parallel Attack Detection Method for Industrial Control Based on Multi-Bandpass Filter
Article
  • Jan 2023
Unlike conventional IT systems, industrial control systems (ICS) requires tailored attack detection methods due to its unique communication protocols. Existing attack detection methods lack the ability to consider both detection accuracy and time performance, particularly for highly stealthy fake data injection attacks (FDIA). To address these challenges, this work proposes an online parallel attack detection method for ICS based on multi-bandpass filter. By building multiple adaptive filters based on energy equilibrium and time-frequency domain data transformation, we implement multi-frequency band data segmentation. Hierarchical temporal memory (HTM) models are employed to parallelly fit the segmented data and detect anomalies. Simulation experiments demonstrate that our method outperforms the state-of-the-art Numenta method, achieving a 9% higher detection accuracy while reducing detection time to just 1/14 of Numenta’s. These results highlight the significant advantages of our method in striking a balance between detection accuracy and time performance. Our proposed method fills the gap in ICS attack detection and offers substantial improvements over existing techniques.
View
Intrusion Detection and Prevention
Chapter
  • Apr 2023
Intrusion detection and prevention are security measures used to detect and prevent cybersecurity risks to computer systems, networks, infrastructure resources, and others. Intrusion detection and prevention systems automatically detect and respond to cybersecurity risks in order to reduce potential risks through threat event attacks. They use different methods for a successful execution. In this context, the signature-based approach that corresponds to known threat event attacks is used, or the anomaly-based detection that compares definitions of what activity is considered normal against observed threat event attacks, to identify significant deviations. Other methods are the stateful protocol analysis, which compares predetermined profiles of general accepted definitions of benign protocol activities for each protocol state against observed events, to identify deviations, or the hybrid system approach that combines some or all of the other methodologies to detect and respond to cybersecurity risks, and others. However, the need of intrusion detection and prevention systems architectures require distinguished decisions to the essential methodology used and the deployed system architecture. Against this background, this chapter seeks to offer a clear explanation of respective methodologies and comparing theses methodologies with regard to effectivity and efficiency. This requires (i) a discussion regarding the importance of intrusion detection and prevention to combat against threat event attack risks, malicious threat event attacks, by logging information about them and attempt to stop this, and (ii) reporting the identified malicious threat event attacks to the cybersecurity response team. Furthermore, investigation of threat event attacks is done, because threat event actor’s seeking out computer systems, networks, and infrastructure resources to exploit vulnerabilities and to attack, causing serious problems for threat event attacks for the targeted industrial, public, and private organizations. Therefore, Intrusion Detection and Prevention Systems (IDPSs) are a valuable approach in keeping information systems secure against malicious threat event attack risks by monitoring, analyzing, and responding to possible cybersecurity violations against computer systems, networks, or infrastructure resources. The violations may result from attempts by unauthorized intruders that try to compromise the computer systems, networks, infrastructure resources, and others. These intruders can be privileged internal users that misuse their authority, or external single cyberattackers or attacker-groups. In this context, Chap. 3 introduces in Sect. 3.1 in the specific background of intrusion detection methods and in Sect. 3.1.1 in the specific characteristics and capabilities of the different intrusion detection forms and their advantages and disadvantages. Thus, anomaly detection is part of Sect. 3.1.2, while Sect. 3.1.3 refers to misuse intrusion detection, and Sect. 3.1.4 focuses on advantages and disadvantages of anomaly and misuse intrusion detection forms. Section 3.1.5 refers to the Specification-based Intrusion Detection, which combines the strength of anomaly and misuse detection, and Sect. 3.1.6 refers to the characteristics of intrusion detection types. The focus of Sect. 3.1.7 is on intrusion detection systems and its architecture. In this sense, Sect. 3.2 focusses on intrusion prevention, whereby Sect. 3.2.1 describes the intrusion prevention system, while Sect. 3.2.2 focuses on the architecture of the intrusion prevention system. Section 3.3 refers to the intrusion detection and prevention system architecture and the respective performance measures as constraints for the proof of concept approach. Section 3.4 introduces the intrusion detection capability metric, which includes the necessity developing the respective detection approach to detect known and unknown threat event attacks. Finally, Sect. 3.5 summarizes the intrusion detection and intrusion prevention approaches, concerning a stable and resilient system operation. Section 3.6 contains comprehensive questions from the topics intrusion detection and intrusion prevention methodologies and architectures, while reference section refers to references for further reading.
View
A Fault and Intrusion Tolerance Framework for Containerized Environments: A Specification-Based Error Detection Approach
Conference Paper
Full-text available
  • Sep 2022
Container-based virtualization has gained momentum over the past few years thanks to its lightweight nature and support for agility. However, its appealing features come at the price of a reduced isolation level compared to the traditional hostbased virtualization techniques, exposing workloads to various faults, such as co-residency attacks like container escape. In this work, we propose to leverage the automated management capabilities of containerized environments to derive a Fault and Intrusion Tolerance (FIT) framework based on error detectionrecovery and fault treatment. Namely, we aim at deriving a specification-based error detection mechanism at the host level to systematically and formally capture security state errors indicating breaches potentially caused by malicious containers. Although the paper focuses on security side use cases, results are logically extendable to accidental faults. Our aim is to immunize the target environments against accidental and malicious faults and preserve their core dependability and security properties.
View
A Survey on IoT Intrusion Detection: Federated Learning, Game Theory, Social Psychology and Explainable AI as Future Directions
Article
Full-text available
  • Jan 2022
In the past several years, the world has witnessed an acute surge in the production and usage of smart devices which are referred to as the Internet of Things (IoT). These devices interact with each other as well as with their surrounding environments to sense, gather and process data of various kinds. Such devices are now part of our everyday’s life and are being actively used in several verticals such as transportation, healthcare, and smart homes. IoT devices, which usually are resource-constrained, often need to communicate with other devices such as fog nodes and/or cloud computing servers to accomplish certain tasks that demand large resource requirements. These communications entail unprecedented security vulnerabilities, where malicious parties find in this heterogeneous and multi-party architecture a compelling platform to launch their attacks. In this work, we conduct an in-depth survey on the existing intrusion detection solutions proposed for the IoT ecosystem which includes the IoT devices as well as the communications between the IoT, fog computing and cloud computing layers. Although some survey articles already exist, the originality of this work stems from the three following points: (1) discuss the security issues of the IoT ecosystem not only from the perspective of IoT devices but also taking into account the communications between the IoT, fog and cloud computing layers; (2) propose a novel two-level classification scheme that first categorizes the literature based on the approach used to detect attacks and then classify each approach into a set of sub-techniques; and (3) propose a comprehensive cybersecurity framework that combines the concepts of Explainable Artificial Intelligence (XAI), federated learning, game theory and social psychology to offer future IoT systems a strong protection against cyberattacks.
View
View
Database Intrusion Detection Systems (DIDs): Insider Threat Detection via Behaviour-Based Anomaly Detection Systems - A Brief Survey of Concepts and Approaches
Chapter
  • Jan 2022
One of the data security and privacy concerns is of insider threats, where legitimate users of the system abuse the access privileges they hold. The insider threat to data security means that an insider steals or leaks sensitive personal information. Database Intrusion detection systems, specifically behaviour-based database intrusion detection systems, have been shown effective in detecting insider attacks. This paper presents background concepts on database intrusion detection systems in the context of detecting insider threats and examines existing approaches in the literature on detecting malicious accesses by an insider to Database Management Systems (DBMS).
View
Intrusion Detection and Network-Based Attacks
Chapter
  • Oct 2021
This second chapter on network security complements Chap. 10’s treatment of firewalls and tunnels. Here we discuss intrusion detection and various tools for network monitoring (packet sniffing) and vulnerability assessment, followed by denial of service and other network-based attacks that exploit standard TCP/IP network or Ethernet protocols.We consider TCP session hijacking, and two categories of address resolution attacks— DNS-based attacks, which facilitate pharming, and attacks involving Address Resolution Protocol (ARP) spoofing.
View
A Review of Rule Learning Based Intrusion Detection Systems and Their Prospects in Smart Grids
Article
Full-text available
  • Apr 2021
Intrusion detection systems (IDS) are commonly categorized into misuse based, anomaly based and specification based IDS. Both misuse based IDS and anomaly based IDS are extensively researched in academia and industry. However, as critical infrastructures including smart grids (SG) may often face sophisticated unknown attacks in the near future, misuse based attack detection techniques will mostly miss their targets. Despite the fact that anomaly based IDS can detect novel attacks, they are not often deployed in industry, mainly owing to high false positive rate and lack of interpretability of trained models. With misuse based IDS’ inability to detect unknown attacks and requirement for frequently manually crafting and updating signatures and with anomaly based IDS’ bad reputation for high false alarm rate, specification based IDS can be regarded as the most suitable detection engine for cyber-physical systems (CPS) including SG. We argue that specification based IDS especially using rule learning could prove to be the most promising IDS for SG. Intrusion detection rules are learned through rule learning techniques and periodically automatically updated to accommodate dynamic system behaviors in SG. Fortunately, rule learning based IDS can not only detect previously unknown attacks but also achieve higher interpretability, due to symbolic representation of learned rules. It can thus be considered more “trustworthy” from human perspective and further assist human in the loop security operation. The present work provides a systematic and deep analysis of rule learning techniques and their suitability for IDS in SG. Besides, it concludes the most important criteria for learning intrusion detection rules and assessing their quality. This work serves not only as a guide to a number of important rule learning techniques but also as the first survey on their applications in IDS, which indicates their potential opportunities in SG security.
View
View
Design and Implementation of Self-Protecting systems: A Formal Approach
Article
Full-text available
  • Feb 2021
  • FUTURE GENER COMP SY
As threats to computer security become more common, complex and frequent, systems that can automatically protect themselves from attacks are imminently needed. In this paper, we propose a formal approach to achieve self-protection by performing security analysis on self-adaptive systems, taking the adaptation process into account. We use probabilistic model checking to quantitatively analyze adaptation security, rank the strategies available and select the most secure one to apply in the system. We have incorporated our approach in Rainbow which is a framework to develop architecture-based self-adaptive systems. To evaluate our approach’s effectiveness, we applied it on two case studies: a simple document storage system and ZNN, a well known self-adaptive exemplar. The results show that applying our approach can guarantee a reasonable degree of security, both during and after adaptation.
View
FGMC-HADS: Fuzzy Gaussian Mixture-based Correntropy Models for detecting Zero-day Attacks from Linux Systems
Article
  • Jun 2020
  • COMPUT SECUR
As existing system calls-based Host Anomaly Detection Systems (HADSs) exclude hidden patterns that can reside in the elapsed times of system calls with respect to the lifecycle of a kernel-calling process, they lack precision in the construction of behavioral regions for assisting in reliably protecting hosts against modern unknown attacks. In this paper, a HADS, the so-called Fuzzy Gaussian Mixture-based Correntropy (FGMC-HADS), based on the fuzzy rough set attribute reduction (FRAR) method, Gaussian mixture model (GMM) and Correntropy mechanism, is proposed. FGMC-HADS comprises two novel modules: (1) the FRAR method is applied to combine system calls’ identifiers and elapsed times to construct relevant hidden patterns; and (2) based on the GMM and Correntropy approaches, an anomaly detection technique called ’Corr-GMM’ is developed to fuse multivariate features and recognize unknown anomalous activities, respectively. The posterior probabilities of the GMM are used as input to the Correntropy model to determine the time-series interdependencies of host activities, and then the Corr-GMM constructs legitimate boundaries as a threshold for discovering abnormal behaviors. The proposed FGMC-HADS is trained and validated using the datasets of NGIDS-DS, KDD-98 and new ToN_IoT of Linux data. The experimental results indicate that the proposed FGMC-HADS a reliable defense layer for Linux-based hosts against unknown attacks compared with other compelling HIDS techniques.
View
SEDMDroid: An enhanced stacking ensemble of deep learning framework for Android malware detection
Article
  • May 2020
The openness and extensibility of Android have made it a popular platform for smart phones and a strong candidate to drive the Internet-of-Things. Due to its popularity and functionality, it is the main target of malicious software (malware). Malware poses a serious threat to user privacy, money, equipment and file integrity. In such context, by studying the actions of malware, this work develops a novel framework SEDMDroid to detect Android malware, based on an enhanced stacking ensemble of deep learning algorithm. This stacking ensemble of deep learning method is a two-tier architecture, which includes an ensemble of base Multi-Layer Perception (MLP) classifiers and a fusion Support Vector Machine (SVM) classifier. The essences of this architecture are a double disturbance strategy through disturbance of the sample and the feature space to guarantee the accuracy and diversity of the base classifiers, and to learn the implicit supplementary information from the output of the trained base classifiers to optimize the classification efficiency. The proposed method is evaluated using a dataset with multi-level static features, which covers permission, sensitive API, monitoring system event and permission-rate, and the average accuracy is 89.29%.
View
Important Internet Applications of Classification
Chapter
  • Jan 2020
of important internet applications of classification, including: spam filtering, recommender systems, sentiment analysis, example-based search, malware detection and network intrusion detection.
View
View
Combating Dependence Explosion in Forensic Analysis Using Alternative Tag Propagation Semantics
Conference Paper
Full-text available
  • May 2020
We are witnessing a rapid escalation in targeted cyber-attacks called Advanced and Persistent Threats (APTs). Carried out by skilled adversaries, these attacks take place over extended time periods, and remain undetected for months. A common approach for retracing the attacker's steps is to start with one or more suspicious events from system logs, and perform a dependence analysis to uncover the rest of attacker's actions. The accuracy of this analysis suffers from the dependence explosion problem, which causes a very large number of benign events to be flagged as part of the attack. In this paper, we propose two novel techniques, tag attenuation and tag decay, to mitigate dependence explosion. Our techniques take advantage of common behaviors of benign processes, while providing a conservative treatment of processes and data with suspicious provenance. Our system, called MORSE, is able to construct a compact scenario graph that summarizes attacker activity by sifting through millions of system events in a matter of seconds. Our experimental evaluation, carried out using data from two government-agency sponsored red team exercises, demonstrates that our techniques are (a) effective in identifying stealthy attack campaigns, (b) reduce the false alarm rates by more than an order of magnitude, and (c) yield compact scenario graphs that capture the vast majority of the attacks, while leaving out benign background activity.
View
View
View
A fog computing based approach to DDoS mitigation in IIoT systems
Article
  • May 2019
  • COMPUT SECUR
Distributed denial of service (DDoS)cyber-attack poses a severe threat to the industrial Internet of Things (IIoT)operation due to the security vulnerabilities resulted from increased connectivity and openness, and the large number of deployed low computation power devices. This paper applies Fog computing concept in DDoS mitigation by allocating traffic monitoring and analysis work close to local devices, and, on the other hand, coordinating and consolidating work to cloud central servers so as to achieve fast response while at low false alarm rate. The mitigation scheme consists of real-time traffic filtering via field firewall devices, which are able to reversely filter the signature botnet attack packets; offline specification based traffic analysis via virtualized network functions (VNFs)in the local servers; and centralized coordination via cloud server, which consolidates and correlates the information from the distributed local servers to make a more accurate decision. The proposed scheme is tested in an industrial control system testbed and the experiments evaluate the detection time and rate for two types of DDoS attacks and demonstrate the effectiveness of the scheme.
View
View
A Review of Dynamic Verification of Security and Dependability Properties
Chapter
  • Jan 2019
This chapter reviews the notions of security and dependability properties from the perspective of software engineering, providing the reader with a technical background on dynamic verification and runtime monitoring techniques. The chapter covers the technical background on security and dependability properties with system verification through dynamic verification or monitoring. The authors initially provide a short overview of the security and dependability properties themselves. Once definitions of security and dependability properties are introduced, they present a critical analysis of current research on dynamic verification by presenting general purpose and security oriented dynamic verification approaches.
View
Intrusion detection systems for IoT-based smart environments: a survey
Article
Full-text available
  • Dec 2018
One of the goals of smart environments is to improve the quality of human life in terms of comfort and efficiency. The Internet of Things (IoT) paradigm has recently evolved into a technology for building smart environments. Security and privacy are considered key issues in any real-world smart environment based on the IoT model. The security vulnerabilities in IoT-based systems create security threats that affect smart environment applications. Thus, there is a crucial need for intrusion detection systems (IDSs) designed for IoT environments to mitigate IoT-related security attacks that exploit some of these security vulnerabilities. Due to the limited computing and storage capabilities of IoT devices and the specific protocols used, conventional IDSs may not be an option for IoT environments. This article presents a comprehensive survey of the latest IDSs designed for the IoT model, with a focus on the corresponding methods, features, and mechanisms. This article also provides deep insight into the IoT architecture, emerging security vulnerabilities, and their relation to the layers of the IoT architecture. This work demonstrates that despite previous studies regarding the design and implementation of IDSs for the IoT paradigm, developing efficient, reliable and robust IDSs for IoT-based smart environments is still a crucial task. Key considerations for the development of such IDSs are introduced as a future outlook at the end of this survey.
View
View
Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths
Article
  • Mar 2018
Enforcing a variety of security measures (such as intrusion detection systems, etc.) can provide a certain level of protection to computer networks. However, such security practice often fall short in face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains to be a challenge. Instead of targeting individual zero-day exploits, revealing them on an attack path is a substantially more feasible strategy. Such attack paths that go through one or more zero-day exploits are called zero-day attack paths. In this paper, we propose a probabilistic approach and implement a prototype system ZePro for zero-day attack path identification. In our approach, a zero-day attack path is essentially a graph. To capture the zero-day attack, a dependency graph named object instance graph is first built as a supergraph by analyzing system calls. To further reveal the zero-day attack paths hidden in the supergraph, our system builds a Bayesian network based upon the instance graph. By taking intrusion evidence as input, the Bayesian network is able to compute the probabilities of object instances being infected. Connecting the high-probability-instances through dependency relations forms a path, which is the zero-day attack path. The experiment results demonstrate the effectiveness of ZePro for zero-day attack path identification.
View
View
View
Software Metrics as Indicators of Security Vulnerabilities
Conference Paper
  • Oct 2017
Detecting software security vulnerabilities and dis- tinguishing vulnerable from non-vulnerable code is anything but simple. Most of the time, vulnerabilities remain undisclosed until they are exposed, for instance, by an attack during the software operational phase. Software metrics are widely-used indicators of software quality, but the question is whether they can be used to distinguish vulnerable software units from the non-vulnerable ones during development. In this paper, we perform an exploratory study on software metrics, their interdependency, and their relation with security vulnerabilities. We aim at understanding: i) the correlation between software architectural characteristics, represented in the form of software metrics, and the number of vulnerabilities; and ii) which are the most informative and discriminative metrics that allow identifying vulnerable units of code. To achieve these goals, we use, respectively, correlation coefficients and heuristic search techniques. Our analysis is carried out on a dataset that includes metrics and reported security vulnerabilities, exposed by security attacks, for all functions, classes, and files of five widely used projects. Results show: i) a strong correlation between several project-level metrics and the number of vulnerabilities, ii) the possibility of using a group of metrics, at both file and function levels, to distinguish vulnerable and non-vulnerable code with a high level of accuracy.
View
Enterprise-Level Cyber Situation Awareness
Chapter
  • Jul 2017
  • Lect Notes Comput Sci
This chapter begins with a literature review of situation awareness (SA) concepts, and a study on how to apply SA to the cyber field for enterprise-level network security diagnosis. With the finding that an isolation problem exists between the individual perspectives of different technologies, this chapter introduces a cyber SA model named SKRM, which is proposed to integrate the isolated perspectives into a framework. Based on one of the SKRM layers, called Operating System Layer, this chapter presents a runtime system named Patrol, that reveals zero-day attack paths in the enterprise-level networks. To overcome the limitation of Patrol and achieve better accuracy and efficiency, this chapter further illustrates the usage of Bayesian Networks at the low level of Operating System to reveal zero-day attack paths in a probabilistic way.
View
View
HexPADS: A Platform to Detect “Stealth” Attacks
Conference Paper
  • Apr 2016
Current systems are under constant attack from many different sources. Both local and remote attackers try to escalate their privileges to exfiltrate data or to gain arbitrary code execution. While inline defense mechanisms like DEP, ASLR, or stack canaries are important, they have a local, program centric view and miss some attacks. Intrusion Detection Systems (IDS) use runtime monitors to measure current state and behavior of the system to detect an attack orthogonal to active defenses. Attacks change the execution behavior of a system. Our attack detection system HexPADS detects attacks through divergences from normal behavior using attack signatures. HexPADS collects information from the operating system on runtime performance metrics with measurements from hardware performance counters for individual processes. Cache behavior is a strong indicator of ongoing attacks like rowhammer, side channels, covert channels, or CAIN attacks. Collecting performance metrics across all running processes allows the correlation and detection of these attacks. In addition, HexPADS can mitigate the attacks or significantly reduce their effectiveness with negligible overhead to benign processes.
View
View
Intrusion Detection and Prevention on Flow of Big Data Using Bacterial Foraging
Article
  • Jan 2014
Rapid connectivity and exchange of information across the globe with extension of computer networks during the past decade has led to security threats in network communication and has become a critical concern for network management. It is necessary to retain high security measures to ensure safe and trusted communication across the network. Diverse soft-computing-based methods have been devised in the past for the perfection of intrusion detection systems on host-based and host-independent systems. This chapter discusses the flow-based anomaly detector for intrusion in network by self-learning process with characteristics of bacterial forging approach. This approach handles the network-flow and attack on network traffic in an automated fashion. This approach works on host-independent systems and on stream of network rather than payload length where data behavior of flow in network is analyzed. This model provides a cataloging of attacks and resistance mechanism techniques to avoid intrusion.
View
View
A Sense of Self for Unix Process
Conference Paper
Full-text available
  • Jun 1996
A method for anomaly detection is introduced in which “normal” is defined by short-range correlations in a process' system calls. Initial experiments suggest that the definition is stable during normal behaviour for standard UNIX programs. Further; it is able to detect several common intrusions involving sendmail and 1pr. This work is part of a research program aimed at building computer security systems that incorporate the mechanisms and algorithms used by natural immune systems
View
View
View
Heterogeneous Data Translations Based on Environment Grammars
Article
  • Oct 1989
The interactive exchange and translation of data between heterogeneuus computer systems depend not only on hardware and op ersting-system characteristics, But also on the proprietary format im- posed by the software systems maintaining it. For functionally com- parable software systems, we present a syntax-driven translation methodology based on environment grammars. Environment gram- mars are related to two-level grammars and attribute grammars, and they lend themselves to the spedflcatbn of parameterized language classes such as those formed by data in different proprietary formats. Under certain constraints they can also be parsed efiiently. We dis- cuss these constraints, demonstrate the use of the methodology for re- lational data, and present the design of a data translator for hetero- geneous relational database management systems. A prototype of this translator has been implemented and used to exchange relations be- tween remote INGRES, Framis, and Sibyl systems.
View
An Intrusion-Detection Model
Article
  • Feb 1987
A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system. Index Terms-Abnormal behavior, auditing, intrusions, monitoring, profiles, security, statistical measures. I. INTRODUCTION
View
View
Classification and detection of computer intrusions
Article
  • Jan 1995
Some computer security breaches cannot be prevented using access and information flow control techniques. These breaches may be a consequence of system software bugs, hardware or software failures, incorrect system administration procedures, or failure of the system authentication module. Intrusion detection techniques can have a significant role in the detection of computer abuse in such cases. This dissertation describes a pattern matching approach to representing and detecting intrusions, a hitherto untried approach in this field. We have classified intrusions on the basis of structural interrelationships among observable system events. The classification formalizes detection of specific exploitations by examining their manifestations in the system event trace. Thus, we can talk about intrusion signatures belonging to particular categories in the classification, instead of vulnerabilities that result in intrusions. The classification developed in this dissertation can also be used for developing computational models to detect intrusions in each category by exploiting the common structural interrelationships of events comprising the signatures in that category. We can then look at signatures of interest that can be matched efficiently, instead of attempting to devise a comprehensive set of techniques to detect any violation of the security policy. We define and justify a computational model in which intrusions from our classification can be represented and matched. We also present experimental results based on an implementation of the model tested against real-world intrusions.
View
Automated detection of vulnerabilities in privileged programs by execution monitoring
Conference Paper
  • Jan 1995
Presents a method for detecting exploitations of vulnerabilities in privileged programs by monitoring their execution using audit trails, where the monitoring is with respect to specifications of the security-relevant behavior of the programs. Our work is motivated by the intrusion detection paradigm, but is an attempt to avoid ad hoc approaches to codifying misuse behavior. Our approach is based on the observation that although privileged programs can be exploited (due to errors) to cause security compromises in systems because of the privileges accorded to them, the intended behavior of privileged programs is, of course, limited and benign. The key, then, is to specify the intended behavior (i.e. the program policy) and to detect any action by a privileged program that is outside the intended behavior and that imperils security. We describe a program policy specification language, which is based on simple predicate logic and regular expressions. In addition, we present specifications of privileged programs in Unix, and a prototype execution monitor for analyzing audit trails with respect to these specifications. The program policies are surprisingly concise and clear, and in addition, capable of detecting exploitations of known vulnerabilities in these programs. Although our work has been motivated by the known vulnerabilities in Unix, we believe that by tightly restricting the behavior of all privileged programs, exploitations of unknown vulnerabilities can be detected. As a check on the specifications, work is in progress on verifying them with respect to an abstract security policy
View
USTAT: a real-time intrusion detection system for UNIX
Conference Paper
  • Jun 1993
The author presents the design and implementation of a real-time intrusion detection tool, called USTAT, a state transition analysis tool for UNIX. This is a UNIX-specific implementation of a generic design developed by A. Porras and R.A. Kemmerer (1992) as STAT, a state transition analysis tool. State transition analysis is a new approach to representing computer penetrations. In STAT, a penetration is identified as a sequence of state changes that take the computer system from some initial state to a target compromised state. The development of the first USTAT prototype, which is for SunOS 4.1.1, is discussed. USTAT makes use of the audit trails that are collected by the C2 basic security module of SunOS, and it keeps track of only those critical actions that must occur for the successful completion of the penetration. This approach differs from other rule-based penetration identification tools that pattern match sequences of audit records
View
Detection of Anomalous Computer Session Activity
Conference Paper
  • Jun 1989
The authors discusses Wisdom and Sense (W&S), a computer security anomaly detection system. W&S is statistically based. It automatically generates rules from historical data and, in terms of those rules, identifies computer transactions that are at variance with historically established usage patterns. Issues addressed include how W&S generates rules from a necessarily small sample of all possible transactions, how W&S deals with inherently categorical data, and how W&S assists system security officers in their review of audit logs. Preliminary results with W&S show that the software does periodically detect anomalies of high interest even in data though to be free of such events
View
Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-based Approach Also available at http://seclab.cs.ucdavis Automated Detection of Vulnerabilities in Privileged Programs Using Exe-cution Monitoring
  • Oct 1978
  • 558-565
  • B Kernighan
  • D Ritchie
  • C The
  • C Language
  • G Ko
  • K Fink
  • Levitt
B. Kernighan and D. Ritchie, The C Programming Language. Englewood Cliffs, NJ: Prentice Hall, 1978. C. KO, Execution Monitoring of Security-Critical Programs in a Distributed System: A Specification-based Approach. PhD thesis, Depart-ment of Computer Science, University of Cali-fornia, Davis, September 1996. Also available at http://seclab.cs.ucdavis.edu/Nko/thesis/paper.ps. C. KO, G. Fink, and K. Levitt, " Automated Detection of Vulnerabilities in Privileged Programs Using Exe-cution Monitoring, " in Proceedings of the 10th Com-puter Security Application Conference, (Orlando, FL), December 5-9, 1994. S. Kumax, Classification and Detection of Computer Intrusions. PhD thesis, Department of Computer Sci-ence, Purdue University, August 1995. L. Lamport, " Time, clocks, and the ordering of events in a distributed system, " Communications of the ACM, vol. 21, no. 7, pp. 558-565, 1978.
Computer security threat monitoring and surveillance An intrusion-detection model A sense of self for unix processes
  • May 1980
  • 120-128
  • L Wall
  • R L Schwartz
  • Programming Ped
  • J P Sepas
  • D E Anderson
  • Denning
  • Forrest
L. Wall and R. L. Schwartz, Programming Ped. Sepas-J. P. Anderson, " Computer security threat monitoring and surveillance, " Technical report, James P. Ander-son Co., Fort Washington, PA, April 1980. D. E. Denning, " An intrusion-detection model, " IEEE Transactions on Software Engineering, vol. 13, no. 2, S. Forrest et al., " A sense of self for unix processes, " in Proceedings of the 1996 Symposium on Security and Privacy, (Oakland, CA), May 6-8 1996, pp. 120-128.
Mountain View, California, Solaris SHIELD Basic Security Module
  • Sep 1994
  • Sunsoft
SunSoft, Mountain View, California, Solaris SHIELD Basic Security Module, August 1994.
USTAT: A real-time intrusion detection sys-tem for Unix The NIDES statistical component description and justification
  • Apr 1994
  • K Ilgun
  • H S Javitz
  • A Valdes
K. Ilgun, " USTAT: A real-time intrusion detection sys-tem for Unix, " in Proceedings of the 1993 Symposium on Security and Privacy, (Oakland, CA), May 24-26, H. S. Javitz and A. Valdes, " The NIDES statistical component description and justification,'' Technical re-port, Computer Science Laboratory, SRI International, Menlo Park, CA, March 1994.
Rdist -remote file dis-tribution program
  • Jan 1993
  • Sun Microsystem
Sun Microsystem, Man Pages: Rdist -remote file dis-tribution program, Novermber 1993.