  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
221

A Unified Alert Fusion Model For Intelligent Analysis Of Sensor Data In An Intrusion Detection Environment

Siraj, Ambareen 05 August 2006
The need for higher-level reasoning capabilities beyond low-level sensor abilities has prompted researchers to use different types of sensor fusion techniques for better situational awareness in the intrusion detection environment. These techniques primarily vary in terms of their mission objectives. Some prioritize alerts for alert reduction, some cluster alerts to identify common attack patterns, and some correlate alerts to identify multi-staged attacks. Each of these tasks has its own merits. Unlike previous efforts in this area, this dissertation combines the primary tasks of sensor alert fusion, i.e., alert prioritization, alert clustering and alert correlation into a single framework such that individual results are used to quantify a confidence score as an overall assessment for global diagnosis of a system's security health. Such a framework is especially useful in a multi-sensor environment where the sensors can collaborate with or complement each other to provide increased reliability, making it essential that the outputs of the sensors are fused in an effective manner in order to provide an improved understanding of the security status of the protected resources in the distributed environment. This dissertation uses a possibilistic approach in intelligent fusion of sensor alerts with Fuzzy Cognitive Modeling in order to accommodate the impreciseness and vagueness in knowledge-based reasoning. We show that our unified architecture for sensor fusion provides better insight into the security health of systems. A new multi-level alert clustering method is developed to accommodate inexact matching in alert features and is shown to provide relevance to more alerts than traditional exact clustering. Alert correlation with a new abstract incident modeling technique is shown to deal with scalability and uncertainty issues present in traditional alert correlation. New concepts of dynamic fusion are presented for overall situation assessment, which a) in case of misuse sensors, combines results of alert clustering and alert correlation, and b) in case of anomaly sensors, corroborates evidence from primary and secondary sensors for deriving the final conclusion on the systems' security health.
222

Design and Analysis of Anomaly Detection and Mitigation Schemes for Distributed Denial of Service Attacks in Software Defined Network. An Investigation into the Security Vulnerabilities of Software Defined Network and the Design of Efficient Detection and Mitigation Techniques for DDoS Attack using Machine Learning Techniques

Sangodoyin, Abimbola O. January 2019
Software Defined Networks (SDN) has created great potential and hope to overcome the need for secure, reliable and well managed next generation networks to drive effective service delivery on the go and meet the demand for high data rate and seamless connectivity expected by users. Thus, it is a network technology that is set to enhance our day-to-day activities. As network usage and reliance on computer technology are increasing and popular, users with bad intentions exploit the inherent weakness of this technology to render targeted services unavailable to legitimate users. Among the security weaknesses of SDN are Distributed Denial of Service (DDoS) attacks. Even though the DDoS attack strategy is known, the number of successful DDoS attacks launched has seen an increment at an alarming rate over the last decade. Existing detection mechanisms depend on signatures of known attacks, which have not been successful in detecting unknown or different shades of DDoS attacks. Therefore, a novel detection mechanism that relies on deviation from the confidence interval obtained from the normal distribution of throughput polled without attack from the server is proposed. Furthermore, a sensitivity analysis to determine which of the network metrics (jitter, throughput and response time) is more sensitive to attack, by introducing white Gaussian noise and evaluating the local sensitivity using a feed-forward artificial neural network, is carried out. All metrics are sensitive in detecting DDoS attacks. However, jitter appears to be the most sensitive to attack. As a result, the developed framework provides an avenue to make the SDN technology more robust and secure to DDoS attacks.
223

Design and Implementation of a Deep Learning based Intrusion Detection System in Software-Defined Networking Environment

Niyaz, Quamar January 2017
No description available.
224

Design and Implementation Security Testbed (HANSim) and Intrusion Detection System (IDS) for the Home Area Network in the Smart Grid

Tong, Jizhou January 2017
No description available.
225

PARALLEL CLUSTER FORMATION FOR SECURED COMMUNICATION IN WIRELESS AD HOC NETWORKS

SHAH, VIVEK January 2004
No description available.
226

Methods for Hospital Network and Computer Security

Hausrath, Nathaniel L. 16 August 2011
No description available.
227

Utvärdering av penetrationstestning riktat mot nätverk / An evaluation of penetration testing aimed toward computer networks

Rios, Mauricio, Strandberg, Martin January 2022
With the increasing digitalization of society, there is a growing need to be able to establish that the security of computer networks is at an adequate level. In information security, the focus easily settles on individual devices, but today most organizations as a rule consist of larger computer networks where information is accessible in several ways. This report tries to determine whether it is possible to quantifiably demonstrate the effectiveness of the security measures that network engineers implement in order to raise the security of an organization's computer network. To measure security improvements, a penetration testing standard is combined with a threat modelling method, and these are then applied to a network in a laboratory environment. In a first stage they are applied to a vulnerable network to give insight into the original security posture. Then a selection of protective measures is implemented on the vulnerable network, based on which security flaws were discovered. In a next step, both penetration tests and threat modelling are applied again in the same way as before, and the results from before and after the vulnerabilities were remediated are then compared. When the results are compared, the effect of the security-raising measures is demonstrated. Thanks to the combination of both penetration tests and threat modelling, the results are also made clear both more broadly and in more depth than the use of only one of the methods would have shown. These results show that the method of applying combined penetration tests and threat modelling, both before and after security gaps have been remediated, can be used as a quality certificate for security work directed at computer networks. / Following the increasing digitalization of society there is a growing need to ensure that the security of computer networks is at an adequate level. When it comes to network security, focus tends to fall on individual devices, but nowadays most organizations consist of large computer networks where information is accessible in several different ways. This thesis attempts to determine whether it is possible to ensure the effectiveness of the security measures implemented by network engineers to improve an organisation’s security stance. In order to measure security, a combination of a penetration testing standard and threat modelling is applied to a network in a laboratory environment. First, these are applied to a vulnerable network. Then, a selection of protection measures are implemented on the vulnerable network based on the results from the methodology. In a next step, both penetration testing and threat modelling are reapplied. The combined results, before and after the vulnerabilities have been addressed, can then be compared to each other. When comparing the results, the impact of the security improving measures becomes clear. Due to the use of both penetration testing and threat modelling the results are further clarified compared to what the use of only one of the methods would have shown. These results show that the method of combining penetration testing with threat modelling in two stages, both before and after security measures have been implemented, can be used as a quality certificate for security work directed at computer networks.
228

Achieving Data Privacy and Security in Cloud

Huang, Xueli January 2016
The growing concerns in terms of the privacy of data stored in public cloud have restrained the widespread adoption of cloud computing. The traditional method to protect the data privacy is to encrypt data before they are sent to public cloud, but heavy computation is always introduced by this approach, especially for the image and video data, which have a much larger amount of data than text data. Another way is to take advantage of hybrid cloud by separating the sensitive data from non-sensitive data and storing them in trusted private cloud and un-trusted public cloud respectively. But if we adopt the method directly, all the images and videos containing sensitive data have to be stored in private cloud, which makes this method meaningless. Moreover, the emergence of the Software-Defined Networking (SDN) paradigm, which decouples the control logic from the closed and proprietary implementations of traditional network devices, enables researchers and practitioners to design new innovative network functions and protocols in a much easier, more flexible, and more powerful way. The data plane will ask the control plane to update flow rules when the data plane gets new network packets that it does not know how to deal with, and the control plane will then dynamically deploy and configure flow rules according to the data plane's requests, so that the whole network can be managed and controlled efficiently. However, this kind of reactive control model could be used by hackers launching Distributed Denial-of-Service (DDoS) attacks by sending a large amount of new requests from the data plane to the control plane. For image data, we divide the image into pieces of equal size to speed up the encryption process, and propose two kinds of methods to cut the relationship between the edges. One is to add random noise in each piece, the other is to design a one-to-one mapping function for each piece to map different pixel values to different values, which cuts off the relationship between pixels as well as the edges. Our mapping function is given a random parameter as input so that each piece can randomly choose a different mapping. Finally, we shuffle the pieces with another random parameter, which makes the problem of recovering the shuffled image NP-complete. For video data, we propose two different methods separately for intra frame, I-frame, and inter frame, P-frame, based on their different characteristics. A hybrid selective video encryption scheme for H.264/AVC based on Advanced Encryption Standard (AES) and video data themselves is proposed for I-frame. For each P-slice of P-frame, we only abstract a small part of them in private cloud based on the characteristic of intra prediction mode, which efficiently prevents the P-frame from being decoded. For cloud running with SDN, we propose a framework to keep the controller away from DDoS attack. We first predict the amount of new requests for each switch periodically based on its previous information, and the new requests will be sent to the controller if the predicted total amount of new requests is less than the threshold. Otherwise these requests will be directed to the security gateway to check if there is an attack among them. The requests that caused the dramatic decrease of entropy will be filtered out by our algorithm, and the rules for these requests will be made and sent to the controller. The controller will send the rules to each switch to make them direct the flows matching the rules to a honeypot. / Computer and Information Science
229

Performance Evaluation Study of Intrusion Detection Systems.

Alhomoud, Adeeb M., Munir, Rashid, Pagna Disso, Jules F., Al-Dhelaan, A., Awan, Irfan U. 2011 August 1917
With the thriving technology and the great increase in the usage of computer networks, the risk of having these networks come under attack has increased. A number of techniques have been created and designed to help in detecting and/or preventing such attacks. One common technique is the use of Network Intrusion Detection / Prevention Systems (NIDS). Today, a number of open source and commercial Intrusion Detection Systems are available to match enterprises' requirements, but the performance of these Intrusion Detection Systems is still the main concern. In this paper, we have tested and analyzed the performance of the well-known IDS system Snort and the newcomer IDS system Suricata. Both Snort and Suricata were implemented on three different platforms (ESXi virtual server, Linux 2.6 and FreeBSD) to simulate a real environment. Finally, in our results and analysis a comparison of the performance of the two IDS systems is provided along with some recommendations as to what and when will be the ideal environment for Snort and Suricata.
230

Detecting k-Balanced Trusted Cliques in Signed Social Networks

Hao, F., Yau, S.S., Min, Geyong, Yang, L.T. January 2014
k-Clique detection enables computer scientists and sociologists to analyze social networks' latent structure and thus understand their structural and functional properties. However, the existing k-clique-detection approaches are not applicable to signed social networks directly because of positive and negative links. The authors' approach to detecting k-balanced trusted cliques in such networks bases the detection algorithm on formal context analysis. It constructs formal contexts using the modified adjacency matrix after converting a signed social network into an unweighted one. Experimental results demonstrate that their algorithm can efficiently identify the trusted cliques.
