Chapter

A Stream-Based Approach to Intrusion Detection


Abstract

Integrating security in the development and operation of information systems is the cornerstone of SecDevOps. From an operational perspective, one of the key activities for achieving such an integration is the detection of incidents (such as intrusions), especially in an automated manner. However, one of the stumbling blocks of an automated approach to intrusion detection is the management of the large volume of information typically produced by this type of solution. Existing works on the topic have concentrated on the reduction of volume by increasing the precision of the detection approach, thus lowering the rate of false alarms. However, another less explored possibility is to reduce the volume of evidence gathered for each alarm raised. This chapter explores the concept of intrusion detection from the angle of complex event processing. It provides a formalization of the notion of pattern matching in a sequence of events produced by an arbitrary system, by framing the task as a runtime monitoring problem. It then focuses on the topic of incident reporting and proposes a technique to automatically extract relevant elements of a stream that explain the occurrence of an intrusion. These relevant elements generally amount to a small fraction of all the data ingested for an alarm to be triggered and thus help reduce the volume of evidence that needs to be examined by manual means. The approach is experimentally evaluated on a proof-of-concept implementation of these principles.


Chapter
Explainability is the process of linking part of the inputs given to a calculation to its output, in such a way that the selected inputs somehow “cause” the result. We establish the formal foundations of a notion of explainability for arbitrary abstract functions manipulating nested data structures. We then establish explanation relationships for a set of elementary functions, and for compositions thereof. A fully functional implementation of these concepts is finally presented and experimentally evaluated.
Conference Paper
Added value can be extracted from event logs generated by business processes in various ways. However, although complex computations can be performed over event logs, the result of such computations is often difficult to explain; in particular, it is hard to determine what parts of an input log actually matter in the production of that result. This paper describes a framework to provide explainable results for queries executed over sequences of events, where individual output values can be precisely traced back to the data elements of the log that contribute to (i.e. “explain”) the result. This framework has been implemented into the BeepBeep event processing engine and empirically evaluated on various queries.
Conference Paper
In this paper, we show the application of ASTDs to intrusion detection. ASTD is an executable, modular and graphical notation that allows for the composition of hierarchical state machines with process algebra operators to model complex attack phases. Overall, ASTD attack specifications are more concise than industrial tools like Snort, Zeek, and other attack languages in the literature. For intrusion detection, iASTD (the ASTD interpreter) and Zeek provided similar results. iASTD produced fewer false positives and a smaller number of true positives per attack than Snort, which is an important factor when dealing with huge amounts of events. The processing time of iASTD on the real-time testbed is slower than Snort and Zeek, but it can be improved by compiling ASTD specifications into Zeek scripts.
Article
Software-defined networking (SDN) is a promising approach to networking that provides an abstraction layer for the physical network. This technology has the potential to decrease the networking costs and complexity within huge data centers. Although SDN offers flexibility, it has design flaws with regard to network security. To support the ongoing use of SDN, these flaws must be fixed using an integrated approach to improve overall network security. Therefore, in this paper, we propose a recurrent neural network (RNN) model based on a new regularization technique (RNN-SDR). This technique supports intrusion detection within SDNs. The purpose of regularization is to generalize the machine learning model enough for it to perform optimally. Experiments on the KDD Cup 1999, NSL-KDD, and UNSW-NB15 datasets achieved accuracies of 99.5%, 97.39%, and 99.9%, respectively. The proposed RNN-SDR employs a minimum number of features when compared with other models. In addition, the experiments also validated that the RNN-SDR model does not significantly affect network performance in comparison with other options. Based on the analysis of the results of our experiments, we conclude that the RNN-SDR model is a promising approach for intrusion detection in SDN environments.
Conference Paper
Fault injections are increasingly used to attack/test secure applications. In this paper, we define formal models of runtime monitors that can detect fault injections that result in test inversion attacks and arbitrary jumps in the control flow. Runtime verification monitors offer several advantages. The code implementing a monitor is small compared to the entire application code. Monitors have a formal semantics, and we prove that they effectively detect attacks. Each monitor is a module dedicated to detecting an attack and can be deployed as needed to secure the application. A monitor can run separately from the application or it can be woven inside the application. Our monitors have been validated by detecting simulated attacks on a program that verifies a user PIN.
Article
The Physical Internet and hyperconnected logistics concepts promise an open, more efficient, and environmentally friendly supply chain for goods. Blockchain and Internet of Things (IoT) technologies are increasingly regarded as main enablers of improvements in this domain. We describe how blockchain and smart contracts have the potential to be applied to hyperconnected logistics by showing a concrete example of their implementation.
Article
Intrusion detection systems (IDSs) can effectively identify anomalous behaviors in the network; however, they still have a low detection rate and a high false alarm rate, especially for anomalies with fewer records. In this paper, we propose an effective IDS using hybrid data optimization, which consists of two parts, data sampling and feature selection, called DO_IDS. In data sampling, the Isolation Forest (iForest) is used to eliminate outliers, a genetic algorithm (GA) to optimize the sampling ratio, and the Random Forest (RF) classifier as the evaluation criterion to obtain the optimal training dataset. In feature selection, GA and RF are used again to obtain the optimal feature subset. Finally, an intrusion detection system based on RF is built using the optimal training dataset obtained by data sampling and the features selected by feature selection. The experiments are carried out on the UNSW-NB15 dataset. Compared with other algorithms, the model has obvious advantages in detecting rare anomalous behaviors.
Article
Designing clean, reusable, and repeatable experiments for a research paper does not have to be difficult. We report on our efforts to create an integrated toolchain for running, processing, and including the results of computer experiments in scientific publications.
Book
Event logs and event streams can be found in software systems of very diverse kinds. For instance, workflow management systems and ERP platforms produce event logs in some common format based on XML. Financial transaction systems also keep a log of their operations in some standardized and documented format, as is the case for web servers such as Apache and Microsoft IIS. Network monitors also receive streams of packets whose various headers and fields can be analyzed. Recently, even the world of video games has seen an increasing trend towards the logging of players’ real-time activities. Analyzing the wealth of information contained in these logs can serve multiple purposes. Business process logs can be used to reconstruct a workflow based on a sample of its possible executions; financial database logs can be audited for compliance to regulations; suspicious or malicious activity can be detected by studying patterns in network or server logs. However, the available tools to process logs or streams of events are often large systems that are hard to set up, and even simple examples seem needlessly complicated. In this book, you will learn about BeepBeep, a versatile Java library intended to make the processing of event streams both fun and simple. Through more than a hundred simple, illustrated code examples, you will see how running event processing tasks can be done in just a few lines of code, and what is more, code that you actually understand. From generating plots to computing statistics and evaluating temporal logic specifications, BeepBeep can prove a handy addition to a developer’s toolbox.
Chapter
This paper describes a plug-in extension of the BeepBeep 3 event stream processing engine. The extension allows one to write a custom grammar defining a particular specification language on event traces. A built-in interpreter can then convert expressions of the language into chains of BeepBeep processors through just a few lines of code, making it easy for users to create their own domain-specific languages.
Article
Sophisticated intrusion attacks against various types of networks are ever increasing today with the exploitation of modern technologies, and they often severely affect wireless networks. In order to improve the effectiveness of Intrusion Detection Systems (IDSs), data analysis methods such as data mining and classification methods are often integrated with IDSs. Although numerous studies have contributed in various ways to improving the utilization of data mining for IDS, an effective solution often depends on the network setting where the IDS is deployed. In this work, we propose an efficient IDS based on a hybrid heuristic optimization algorithm inspired by magnetic field theory in physics, which deals with attraction between particles scattered in the search space. Our developed algorithm extracts the most relevant features that can assist in accurately detecting network attacks. These features are extracted by tagged index values that represent the information gain from the training course of the classifier, to be used as a base for our developed IDS. In order to improve the accuracy of the ANN (Artificial Neural Network) classifier, we have integrated our proposed hybrid MOA-PSO (Magnetic Optimization Algorithm-Particle Swarm Optimization) technique. Experimental results show that our proposed IDS based on the hybrid MOA-PSO technique provides a higher accuracy level compared to the use of ANN based on MOA, PSO and Genetic Algorithm (GA). An updated KDD CUP dataset is formed and used during the training and testing phases; this dataset consists of mixed data traffic between attacks and normal activities. Our results show a significant gain in terms of efficiency compared to other alternative mechanisms.
Article
Intrusion Detection Systems (IDSs) provide an important basis for network defense. Due to the development of cloud computing and social networks, massive amounts of data are generated, which inevitably puts much pressure on IDSs. Therefore, it becomes crucial to efficiently divide big data into different classes according to data features. Moreover, we can further determine whether a record represents normal behavior or not based on the class information. Although the clustering approach based on Kmeans for IDS has been well studied, directly using it in a big data environment may be inappropriate. On the one hand, the efficiency of data clustering needs to be improved. On the other hand, unlike classification, there is no unified evaluation indicator for clustering, and thus it is necessary to study which indicator is more suitable for evaluating the clustering results of an IDS. In this study, we propose a clustering method for IDS based on Mini Batch Kmeans combined with Principal Component Analysis. Firstly, a preprocessing method is proposed to digitize the strings, and then the dataset is normalized so as to improve the clustering efficiency. Secondly, the Principal Component Analysis method is used to reduce the dimension of the processed dataset, aiming to further improve the clustering efficiency, and then the Mini Batch Kmeans method is used for data clustering. More specifically, we use Kmeans++ to initialize the cluster centers in order to avoid the algorithm getting stuck in a local optimum; in addition, we choose the Calinski-Harabasz indicator so that the clustering result is more easily determined. Compared with the other methods, the experimental results and the time complexity analysis show that our proposed method is effective and efficient. Above all, our proposed clustering method can be used for IDS in a big data environment.
Chapter
Runtime enforcement is an effective method to ensure the compliance of a program with user-defined security policies. In this paper we show how the stream event processor tool BeepBeep can be used to monitor the security properties of Java programs. The proposed approach relies on AspectJ to generate a trace capturing the program’s runtime behavior. This trace is then processed by BeepBeep, a complex event processing tool that allows complex data-driven policies to be stated and verified with ease. Depending on the result returned by BeepBeep, AspectJ can then be used to halt the execution or take other corrective action. The proposed method offers multiple advantages, notably flexibility in devising and stating expressive user-defined security policies.
Chapter
The aim of this chapter is to act as a primer for those wanting to learn about Runtime Verification (RV). We start by providing an overview of the main specification languages used for RV. We then introduce the standard terminology necessary to describe the monitoring problem, covering the pragmatic issues of monitoring and instrumentation, and discussing extensively the monitorability problem.
Article
The Internet of Things (IoT) brings the third development wave of the global information industry, which makes users, networks and perception devices cooperate more closely. However, if IoT has security problems, it may cause a variety of damage and even threaten human lives and property. To improve the abilities of monitoring, providing emergency response and predicting the development trend of IoT security, a new paradigm called network security situation awareness (NSSA) is proposed. However, it is limited by its ability to mine and evaluate security situation elements from multi-source heterogeneous network security information. To solve this problem, this paper proposes an IoT network security situation awareness model using a situation reasoning method based on semantic ontology and user-defined rules. Ontology technology can provide a unified and formalized description to solve the problem of semantic heterogeneity in the IoT security domain. In this paper, four key sub-domains are proposed to reflect an IoT security situation: context, attack, vulnerability and network flow. Further, user-defined rules can compensate for the limited description ability of ontology, and hence can enhance the reasoning ability of our proposed ontology model. The examples in real IoT scenarios show that network security situation awareness adopting our situation reasoning method is more comprehensive and has more powerful reasoning abilities than traditional NSSA methods.
Article
We present R2U2, a novel framework for runtime monitoring of security properties and diagnosis of security threats on-board Unmanned Aerial Systems (UAS). R2U2, implemented in FPGA hardware, is a real-time, Realizable, Responsive, Unobtrusive Unit for runtime system analysis, now including security threat detection. R2U2 is designed to continuously monitor inputs from on-board components such as the GPS, the ground control station, other sensor readings, actuator outputs, and flight software status. By simultaneously monitoring and performing statistical reasoning, attack patterns and post-attack discrepancies in the UAS behavior can be detected. R2U2 uses runtime observer pairs for Linear and Metric Temporal Logics for property monitoring and Bayesian networks for diagnosis of system health during runtime. We discuss the design and implementation that now enables R2U2 to handle security threats and present simulation results of several attack scenarios on the NASA DragonEye UAS.
Article
This paper studies physical consequences of unobservable false data injection (FDI) attacks designed only with information inside a sub-network of the power system. The goal of this attack is to overload a chosen target line without being detected via measurements. To overcome the limited information, a multiple linear regression model is developed to learn the relationship between the external network and the attack sub-network from historical data. The worst possible consequences of such FDI attacks are evaluated by solving a bi-level optimization problem wherein the first level models the limited attack resources, while the second level formulates the system response to such attacks via DC optimal power flow (OPF). The attack model with limited information is reflected in the DC OPF formulation that only takes into account the system information for the attack sub-network. The vulnerability of this attack model is illustrated on the IEEE 24-bus RTS and IEEE 118-bus systems.
Article
Vehicular ad hoc networks (VANETs) have become one of the most promising and fastest growing subsets of mobile ad hoc networks (MANETs). They are comprised of smart vehicles and roadside units (RSU) which communicate through unreliable wireless media. By their very nature, they are very susceptible to attacks which may result in life-endangering situations. Due to the potential for serious consequences, it is vital to develop security mechanisms in order to detect such attacks against VANETs. This paper aims to survey such possible attacks and the corresponding detection mechanisms that are proposed in the literature. The attacks are classified and explained along with their effects, and the solutions are presented together with their advantages and disadvantages. An evaluation and summary table which provides a holistic view of the solutions surveyed is also presented.
Article
Non-Nested Generalized Exemplars (NNGE) is a state-of-the-art data mining algorithm which uses the distance between a new example and a set of exemplars for classification. The State Extraction Method (STEM) preprocesses power system Wide Area Measurement System (WAMS) data to reduce data size while maintaining critical patterns. Together, NNGE+STEM make an effective Event and Intrusion Detection System (EIDS) which can effectively classify power system events and cyberattacks in real time. This paper documents the results of two experiments in which NNGE+STEM was used to classify cyber power contingency, control action, and cyber-attack events. Experimental results show that NNGE+STEM achieved greater than 94 and 97% accuracy for multiclass and binary class classification. Additionally, the NNGE+STEM false positive rate was below 0.5%, the average classification time was 0.2 milliseconds, and the classifier had low memory requirements.
Conference Paper
We explore the use of the tool BeepBeep, a monitor for the temporal logic LTL-FO+, in interpreting assembly traces, focusing on security-related applications. LTL-FO+ is an extension of LTL which includes first-order quantification. We show that LTL-FO+ is a sufficiently expressive formalism to state a number of interesting program behaviors, and demonstrate experimentally that BeepBeep can efficiently verify the validity of the properties on assembly traces in tractable time.
Conference Paper
We introduce Lola 2.0, a stream-based specification language for the precise description of complex security properties in network traffic. The language extends the specification language Lola with two new features: template stream expressions, which allow input data to be carried along the stream, and dynamic stream generation, where new monitors can be invoked during the monitoring process for the monitoring of new subtasks on their own time scale. Lola 2.0 is simple and expressive: it combines the ease-of-use of rule-based specification languages like Snort with the expressiveness of heavy-weight scripting languages or temporal logics previously needed for the description of complex stateful dependencies and statistical measures. Lola 2.0 specifications are monitored by incrementally constructing output streams from input streams, while maintaining a store of partially evaluated expressions. We demonstrate the flexibility and expressivity of Lola 2.0 using a prototype implementation on several practical examples.
Conference Paper
The activities of daily living of a patient in a smart home environment can be detected to a large extent by the real-time analysis of characteristics of the habitat’s electrical consumption. However, reasoning over the conduct of these activities occurs at a much higher level of abstraction than what the sensors generally produce. In this paper, we leverage the concept of Complex Event Processing (CEP), in which low-level data streams are progressively transformed into higher-level ones, to the task of activity recognition. We show how the use of an appropriate representation for each level of abstraction can greatly simplify the process. We also report on the use of an existing event stream processor to successfully implement the complete chain, from low-level sensor data up to a sequence of discrete and high-level actions.
Article
With rapid advances in sensor, computer, and communication networks, modern power systems have become complicated cyber-physical systems. Assessing and enhancing cyber-physical system security is, therefore, of utmost importance for the future electricity grid. In a successful false data injection attack (FDIA), an attacker compromises measurements from grid sensors in such a way that undetected errors are introduced into estimates of state variables such as bus voltage angles and magnitudes. In evading detection by commonly employed residue-based bad data detection tests, FDIAs are capable of severely threatening power system security. Since the first published research on FDIAs in 2009, research into FDIA-based cyber-attacks has been extensive. This paper gives a comprehensive review of the state-of-the-art in FDIAs against modern power systems. This paper first summarizes the theoretical basis of FDIAs, and then discusses both the physical and the economic impacts of a successful FDIA. This paper presents the basic defense strategies against FDIAs and discusses some potential future research directions in this field.
Article
Machine learning consists of algorithms that are first trained with reference input to “learn” its specifics and then used on unseen input for classification purposes. Mobile ad-hoc wireless networks (MANETs) have drawn much attention from the research community due to their advantages and growing demand. However, they appear to be more susceptible to various attacks harming their performance than any other kind of network. Intrusion Detection Systems represent the second line of defense against malevolent behavior in MANETs, since they monitor network activities in order to detect any malicious attempt performed by intruders. Due to the inherent distributed architecture of MANETs, traditional cryptography schemes cannot completely safeguard MANETs against novel threats and vulnerabilities; by applying machine learning methods to IDS, these challenges can be overcome. In this paper, we present the most prominent models for building intrusion detection systems by incorporating machine learning in the MANET scenario. We have structured our survey into four directions of machine learning methods: classification approaches, association rule mining techniques, neural networks and instance-based learning approaches. We analyze the most well-known approaches and present notable achievements but also the drawbacks or flaws that these methods have. Finally, in concluding our survey we provide some findings of paramount importance identifying open issues in the MANET field of interest.
Article
Intrusion Detection has been heavily studied in both industry and academia, but cybersecurity analysts still desire much more alert accuracy and overall threat analysis in order to secure their systems within cyberspace. Improvements to Intrusion Detection could be achieved by embracing a more comprehensive approach in monitoring security events from many different heterogeneous sources. Correlating security events from heterogeneous sources can grant a more holistic view and greater situational awareness of cyber threats. One problem with this approach is that currently, even a single event source (e.g., network traffic) can experience Big Data challenges when considered alone. Attempts to use more heterogeneous data sources pose an even greater Big Data challenge. Big Data technologies for Intrusion Detection can help solve these Big Heterogeneous Data challenges. In this paper, we review the scope of works considering the problem of heterogeneous data and in particular Big Heterogeneous Data. We discuss the specific issues of Data Fusion, Heterogeneous Intrusion Detection Architectures, and Security Information and Event Management (SIEM) systems, as well as presenting areas where more research opportunities exist. Overall, both cyber threat analysis and cyber intelligence could be enhanced by correlating security events across many diverse heterogeneous sources.
Article
WiFi has become the de facto wireless technology for achieving short- to medium-range device connectivity. While early attempts to secure this technology have proved inadequate in several respects, the current, more robust security amendments will inevitably be outperformed in the future, too. In any case, several security vulnerabilities have been spotted in virtually every version of the protocol, rendering the integration of external protection mechanisms a necessity. In this context, the contribution of this paper is multifold. First, it gathers, categorizes, and thoroughly evaluates the most popular attacks on 802.11 and analyzes their signatures. Second, it offers a publicly available dataset containing a rich blend of normal and attack traffic against 802.11 networks. A quite extensive first-hand evaluation of this dataset using several machine learning algorithms and data features is also provided. Given that, to the best of our knowledge, the literature lacks such a rich and well-tailored dataset, it is anticipated that the results of the work at hand will offer a solid basis for intrusion detection in current as well as next-generation wireless networks.
Conference Paper
Runtime verification is the process of checking a property on a trace of events produced by the execution of a computational system. Runtime verification techniques have recently focused on parametric specifications where events take data values as parameters. These techniques exist on a spectrum inhabited by both efficient and expressive techniques. These characteristics are usually shown to be conflicting – in state-of-the-art solutions, efficiency is obtained at the cost of loss of expressiveness and vice-versa. To seek a solution to this conflict we explore a new point on the spectrum by defining an alternative runtime verification approach. We introduce a new formalism for concisely capturing expressive specifications with parameters. Our technique is more expressive than the currently most efficient techniques while at the same time allowing for optimizations.
Conference Paper
We present a specification language and algorithms for the online and offline monitoring of synchronous systems including circuits and embedded systems. Such monitoring is useful not only for testing, but also under actual deployment. The specification language is simple and expressive; it can describe both correctness/failure assertions along with interesting statistical measures that are useful for system profiling and coverage analysis. The algorithm for online monitoring of queries in this language follows a partial evaluation strategy: it incrementally constructs output streams from input streams, while maintaining a store of partially evaluated expressions for forward references. We identify a class of specifications, characterized syntactically, for which the algorithm's memory requirement is independent of the length of the input streams. Being able to bound memory requirements is especially important in online monitoring of large input streams. We extend the concepts used in the online algorithm to construct an efficient offline monitoring algorithm for large traces. We have implemented our algorithm and applied it to two industrial systems, the PCI bus protocol and a memory controller. The results demonstrate that our algorithms are practical and that our specification language is sufficiently expressive to handle specifications of interest to industry.
Article
MMT (Montimage Monitoring Tool) is a monitoring solution that combines data capture, filtering and storage, event extraction, statistics collection, traffic analysis and reporting. In the context of the PIMI and DIAMONDS projects, Montimage is developing MMT-Security: a security analysis solution (part of MMT) that inspects network traffic against a set of security properties denoting both security rules and attacks. This tool has been applied to an industrial case study provided by Thales Group that consists of a QoS-aware ad-hoc radio communication protocol.
Article
An increasing number of popular SOAP web services exhibit a stateful behavior, where a successful interaction is determined as much by the correct format of messages as by the sequence in which they are exchanged with a client. The set of such constraints forms a "message contract" that needs to be enforced on both sides of the transaction; it often includes constraints referring to actual data elements inside messages. We present an algorithm for the runtime monitoring of such message contracts with data parameterization. Their properties are expressed in LTL-FO+, an extension of Linear Temporal Logic that allows first-order quantification over the data inside a trace of XML messages. An implementation of this algorithm can transparently enforce an LTL-FO+ specification using a small and invisible Java applet. Violations of the specification are reported on-the-fly and prevent erroneous or out-of-sequence XML messages from being exchanged. Experiments on commercial web services from Amazon.com and Google indicate that LTL-FO+ is an appropriate language for expressing their message contracts, and that its processing overhead on sample traces is acceptable for both a client-side and a server-side enforcement architecture.
Article
Nowadays, network technologies are essential for transferring and storing various information of users, companies, and industries. However, the growth of the information transfer rate expands the attack surface, offering a rich environment to intruders. Intrusion detection systems (IDSs) are widespread systems able to passively or actively control intrusive activities in a defined host and network perimeter. Recently, different IDSs have been proposed by integrating various detection techniques, generic or adapted to a specific domain and to the nature of attacks operating on. The cybersecurity landscape deals with tremendous diverse event streams that exponentially increase the attack vectors. Event stream processing (ESP) methods appear to be solutions that leverage event streams to provide actionable insights and faster detection. In this paper, we briefly describe domains (as well as their vulnerabilities) on which recent papers were based. We also survey standards for vulnerability assessment and attack classification. Afterwards, we carry out a classification of intrusion detection systems, evaluation metrics and datasets. Next, we provide the technical details and an evaluation of the most recent work on IDS techniques and ESP approaches covering different dimensions (axes): domains, architectures and local communication technologies. Finally, we discuss challenges and strategies to improve IDS in terms of accuracy, performance, and robustness.
Article
Recent developments in Information and Communication Technologies (ICT) and online healthcare services have created a huge volume of health data. With the advancements in machine learning approaches, the research on Disease Prediction Support System (DPSS) has attracted many researchers globally. In this article, we present a hybrid reasoning-based methodology on predicting diseases. The combinatorial advantage of fuzzy set theory, k-nearest neighbor and case-based reasoning helps to yield enhanced prediction results. Though DPSS facilitates promising healthcare services, data security and privacy are still crucial challenging issues to be addressed. The DPSS is extended as a Privacy-Aware Disease Prediction Support System (PDPSS) using Paillier Homomorphic Encryption to preserve patients’ sensitive information from unauthorized user access. The proposed prediction model is evaluated with the statistical evaluation metrics, and the experimental results reveal the improved performance of PDPSS in enhanced prediction accuracy and better security.
Article
Modern shipboard power systems (SPSs) with advanced cyber infrastructure need urgent attention because they have higher risk of cyber attacks. In particular, the false data injection (FDI) attacks can interfere with state estimation by tampering with measurement devices, or they may also directly target the central control system. This paper proposes a two-fold strategy to mitigate the effects of such an unconventional FDI attack, using battery to actively reduce load curtailment. To detect signs of malicious data, a multi-agent system (MAS) that checks commands from the central energy management system (EMS) is employed. A novel bilevel optimization problem is formulated to model the interaction between the battery and the compromised SPS. A heuristic defense parameter is developed to improve the detection of corrupted commands. The merits of proposed scheme are evaluated using risk analysis model. The results of the case studies prove that a combination of autonomous battery with MAS-based heuristic method is effective in mitigating the effects of the cyber attack.
Article
Wireless networks are more vulnerable to cyberattacks than cable networks. Compared with the misuse intrusion detection techniques based on pattern matching, the techniques based on model checking (MC) have a series of comparative advantages. However, the temporal logics employed in the existing latter techniques cannot express conveniently the complex attacks with synchronization phenomenon. To address this problem, we formalize a novel temporal logic language called attack signature description language (ASDL). On the basis of it, we put forward an ASDL model checking algorithm. Furthermore, we use ASDL programs, which can be considered as temporal logic formulas, to describe attack signatures, and employ other ASDL programs to create an audit log. As a result, the ASDL model checking algorithm can be presented for automatically verifying whether or not the latter programs satisfy the formulas, that is, whether or not the audit log coincides with the attack signatures. Thus, an intrusion detection algorithm based on ASDL is obtained. The case studies and simulations show that the new method can find coordinated chop-chop attacks.
Conference Paper
With the development of network technologies such as IoTs, D2D and SDN/NFV, etc., convenient network connections with various networks have stepped into our social life, and make the Cyber Space become a fundamental infrastructure of the modern society. The crucial importance of network security has raised the requirement of security measurement on a heterogeneous networking system. However, the research on this topic is still in its infancy. According to the existing security evaluation schemes of intrusion and malware detection, we believe the network data related to security should be the key for effective network security measurement. A study of the algorithms in terms of data analysis for Data Dimension Reduction, Data Classification and Data Composition becomes essential and urgent for achieving the goal of network security measurement. In this paper, we focus on the problem of big data analysis methods for security measurement, and mainly investigate the existing algorithms in different processes of big data analysis. We also evaluate the existing methods in terms of accuracy, validity and their support on security related data analysis. Through survey, we indicate open issues and propose future research trends in the field of network security measurement.
Article
Supervisory control and data acquisition (SCADA) systems are highly distributed systems used to control and monitor geographically dispersed assets—often scattered over thousands of square kilometers—in which centralized data acquisition is critical to system operation [1]. These large-scale industrial control systems (ICSs) have been playing an extremely important role in most safety-critical infrastructures [2], such as electric power grids, transportation systems, communication networks, oil and gas pipelines, water distribution and irrigation networks, and multiple facilities including heating, ventilation and air conditioning systems for buildings, and traffic control systems for airports—the list is long. These safety-critical assets, however, are becoming increasingly susceptible to cyber–physical attacks on both physical and cyber layers [3].
Article
The utility providers are estimated to lose billions of dollars annually due to energy theft. Although the implementation of smart grids offers technical and social advantages, the smart meters deployed in smart grids are susceptible to more attacks and network intrusions by energy thieves as compared to conventional mechanical meters. To mitigate non-technical losses due to electricity thefts and inaccurate smart meters readings, utility providers are leveraging on the energy consumption data collected from the advanced metering infrastructure implemented in smart grids to identify possible defective smart meters and abnormal consumers’ consumption patterns. In this paper, we design two linear regression-based algorithms to study consumers’ energy utilization behavior and evaluate their anomaly coefficients so as to combat energy theft caused by meter tampering and detect defective smart meters. Categorical variables and detection coefficients are also introduced in the model to identify the periods and locations of energy frauds as well as faulty smart meters. Simulations are conducted and the results show that the proposed algorithms can successfully detect all the fraudulent consumers and discover faulty smart meters in a neighborhood area network.
Article
Runtime verification is the process of observing a sequence of events generated by a running system and comparing it to some formal specification for potential violations. We show how the use of a runtime monitor can greatly speed up the testing phase of a video game under development by automating the detection of bugs when the game is being played. We take advantage of the fact that a video game, contrarily to generic software, follows a special structure that contains a "game loop." This game loop can be used to centralize the instrumentation and generate events based on the game's internal state. We report on experiments made on a sample of six real-world video games of various genres and sizes by successfully instrumenting and efficiently monitoring various temporal properties over their execution, including actual bugs reported in the games' bug tracking database in the course of their development.
Article
The next generation wireless networks are expected to operate in fully automated fashion to meet the burgeoning capacity demand and to serve users with superior quality of experience. Mobile wireless networks can leverage spatio-temporal information about user and network condition to embed the system with end-to-end visibility and intelligence. Big data analytics has emerged as a promising approach to unearth meaningful insights and to build artificially intelligent models with assistance of machine learning tools. Utilizing aforementioned tools and techniques, this paper contributes in two ways. First, we utilize mobile network data (big data) – call detail record (CDR) – to analyze anomalous behavior of mobile wireless network. For anomaly detection purposes, we use unsupervised clustering techniques namely k-means clustering and hierarchical clustering. We compare the detected anomalies with ground truth information to verify their correctness. From the comparative analysis, we observe that when the network experiences abruptly high (unusual) traffic demand at any location and time, it identifies that as anomaly. This helps in identifying regions of interest (RoI) in the network for special action such as resource allocation, fault avoidance solution etc. Second, we train a neural-network based prediction model with anomalous and anomaly-free data to highlight the effect of anomalies in data while training/building intelligent models. In this phase, we transform our anomalous data to anomaly-free and we observe that the error in prediction while training the model with anomaly-free data has largely decreased as compared to the case when the model was trained with anomalous data.
Article
To defend against complex attacks, collaborative intrusion detection networks (CIDNs) have been developed to enhance the detection accuracy, which enable an IDS to collect information and learn experience from others. However, this kind of networks is vulnerable to malicious nodes which are utilized by insider attacks (e.g., betrayal attacks). In our previous research, we developed a notion of intrusion sensitivity and identified that it can help improve the detection of insider attacks, whereas it is still a challenge for these nodes to automatically assign the values. In this article, we therefore aim to design an intrusion sensitivity-based trust management model that allows each IDS to evaluate the trustworthiness of others by considering their detection sensitivities, and further develop a supervised approach, which employs machine learning techniques to automatically assign the values of intrusion sensitivity based on expert knowledge. In the evaluation, we compare the performance of three different supervised classifiers in assigning sensitivity values and investigate our trust model under different attack scenarios and in a real wireless sensor network. Experimental results indicate that our trust model can enhance the detection accuracy of malicious nodes and achieve better performance as compared with similar models.
Article
Computer systems evolve to be more complex and vulnerable. Cyber attacks have also grown to be more sophisticated and harder to detect. Intrusion detection is the process of monitoring and identifying unauthorized system access or manipulation. It becomes increasingly difficult for a single intrusion detection system (IDS) to detect all attacks due to limited knowledge about attacks. Collaboration among intrusion detection devices can be used to gain higher detection accuracy and cost efficiency as compared to its traditional single host-based counterpart. Through cooperation, a local IDS can detect new attacks that may be known to other IDSs, which may be from different vendors. However, how to utilize the diagnosis from different IDSs to perform intrusion detection is the key challenge. This paper proposes a system architecture of a collaborative intrusion detection network (CIDN), in which trustworthy and efficient feedback aggregation is a key component. To achieve a reliable and trustworthy CIDN, we present a framework called FACID, which leverages data analytical models and hypothesis testing methods for efficient, distributed and sequential feedback aggregations. FACID provides an inherent trust evaluation mechanism and reduces communication overhead needed for IDSs as well as the computational resources and memory needed to achieve satisfactory feedback aggregation results when the number of collaborators of an IDS is large. Our simulation results corroborate our theoretical results and demonstrate the properties of cost efficiency and accuracy compared to other heuristic methods. The analytical result on the lower-bound of the average number of acquaintances for consultation is essential for the design and configuration of IDSs in a collaborative environment.
Article
Collaborative sensing helps in achieving a more accurate sensing decision than individual sensing in cognitive radio network (CRN). In an infrastructure-based CRN, each node sends its local sensing report to the fusion center (FC), which uses a fusion rule to aggregate the local sensing reports. However, collaborative sensing is vulnerable to the spectrum sensing data falsification attack, in which a node falsifies its local sensing report before sending it to the FC with the intention of disrupting the final sensing decision of the FC. In practice, the strategy of an attacker is not known. However, the collection of sensing reports at the FC can be useful for data mining with the objective of identifying the attackers. In this paper, we present a method that uses clustering techniques for detection and isolation of such attackers. We employ two clustering techniques, viz., K-medoids clustering and agglomerative hierarchical clustering. Unlike threshold detection that requires some predefined threshold value as input, the proposed approach detects the attackers using only the collection of sensing reports at the FC. We also present how we can use the proposed approach on streaming data (sensing reports), and thus, detect and isolate attackers on the fly. Comparative numerical simulation results support the validity of the approach.
Article
Cloning attacks seriously impede the security of radio-frequency identification (RFID) applications. This paper tackles deterministic clone detection for anonymous RFID systems without tag identifiers (IDs) as a priori. Existing clone detection protocols either cannot apply to anonymous RFID systems due to necessitating the knowledge of tag IDs or achieve only probabilistic detection with a few clones tolerated. This paper proposes three protocols-BASE, DeClone, and DeClone+-toward fast and deterministic clone detection for large anonymous RFID systems. BASE leverages the observation that clone tags make tag cardinality exceed ID cardinality. DeClone is built on a recent finding that clone tags cause collisions that are hardly reconciled through rearbitration. For DeClone to achieve detection certainty, this paper designs breadth first tree traversal toward quickly verifying unreconciled collisions and hence the cloning attack. DeClone+ further incorporates optimization techniques that promise faster clone detection when clone ratio is relatively high. The performance of the proposed protocols is validated through analysis and simulation. This paper also suggests feasible extensions to enrich their applicability to distributed design.
Article
We propose and analyze a behavior-rule specification-based technique for intrusion detection of medical devices embedded in a medical cyber physical system (MCPS) in which the patient's safety is of the utmost importance. We propose a methodology to transform behavior rules to a state machine, so that a device that is being monitored for its behavior can easily be checked against the transformed state machine for deviation from its behavior specification. Using vital sign monitor medical devices as an example, we demonstrate that our intrusion detection technique can effectively trade false positives off for a high detection probability to cope with more sophisticated and hidden attackers to support ultra safe and secure MCPS applications. Moreover, through a comparative analysis, we demonstrate that our behavior-rule specification-based IDS technique outperforms two existing anomaly-based techniques for detecting abnormal patient behaviors in pervasive healthcare applications.
Article
The lineage of a datum records its processing history. Because such information can be used to trace the source of anomalies and errors in processed data sets, it is valuable to users for a variety of applications, including the investigation of anomalies and debugging. Traditional data lineage approaches rely on metadata. However, metadata does not scale well to fine-grained lineage, especially in large data sets. For example, it is not feasible to store all of the information that is necessary to trace from a specific floating-point value in a processed data set to a particular satellite image pixel in a source data set. In this paper, we propose a novel method to support fine-grained data lineage. Rather than relying on metadata, our approach lazily computes the lineage using a limited amount of information about the processing operators and the base data. We introduce the notions of weak inversion and verification. While our system does not perfectly invert the data, it uses weak inversion and verification to provide a number of guarantees about the lineage it generates. We propose a design for the implementation of weak inversion and verification in an object-relational database management system.