  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
91

Application of a Layered Hidden Markov Model in the Detection of Network Attacks

Taub, Lawrence 01 January 2013
Network-based attacks against computer systems are a common and increasing problem. Attackers continue to increase the sophistication and complexity of their attacks with the goal of removing sensitive data or disrupting operations. Attack detection technology works very well for the detection of known attacks using a signature-based intrusion detection system. However, attackers can utilize attacks that are undetectable to those signature-based systems whether they are truly new attacks or modified versions of known attacks. Anomaly-based intrusion detection systems approach the problem of attack detection by detecting when traffic differs from a learned baseline. In the case of this research, the focus was on a relatively new area known as payload anomaly detection. In payload anomaly detection, the system focuses exclusively on the payload of packets and learns the normal contents of those payloads. When a payload's contents differ from the norm, an anomaly is detected and may be a potential attack. A risk with anomaly-based detection mechanisms is they suffer from high false positive rates which reduce their effectiveness. This research built upon previous research in payload anomaly detection by combining multiple techniques of detection in a layered approach. The layers of the system included a high-level navigation layer, a request payload analysis layer, and a request-response analysis layer. The system was tested using the test data provided by some earlier payload anomaly detection systems as well as new data sets. The results of the experiments showed that by combining these layers of detection into a single system, there were higher detection rates and lower false positive rates.
92

Interactive Anomaly Detection With Reduced Expert Effort

Cheng, Lingyun, Sundaresh, Sadhana January 2020
In several applications, when anomalies are detected, human experts have to investigate or verify them one by one. As they investigate, they unwittingly produce a label: true positive (TP) or false positive (FP). In this thesis, we propose two methods (PAD and Clustering-based OMD/OJRank) that exploit this label feedback to minimize the FP rate and detect more relevant anomalies, while minimizing the expert effort required to investigate them. These two methods iteratively suggest the top-1 anomalous instance to a human expert and receive feedback. Before suggesting the next anomaly, the methods re-rank instances so that the top anomalous instances are similar to the TP instances and dissimilar to the FP instances. This is achieved by learning to score anomalies differently in various regions of the feature space (OMD-Clustering) and by learning to score anomalies based on the distance to the real anomalies (PAD). An experimental evaluation on several real-world datasets is conducted. The results show that OMD-Clustering achieves statistically significant improvement in both detection precision and expert effort compared to state-of-the-art interactive anomaly detection methods. PAD reduces expert effort, but there was no improvement in detection precision compared to state-of-the-art methods. We submitted a paper based on the work presented in this thesis to the ECML/PKDD Workshop on "IoT Stream for Data Driven Predictive Maintenance".
93

Détection et agrégation d'anomalies dans les données issues des capteurs placés dans des smartphones / Detection and aggregation of anomalies in data from smartphone sensors

Nguyen, Van Khang 17 December 2019
Mobile and wireless networks have developed enormously in recent years. Far from being restricted to industrialized countries, these networks, which require only a limited fixed infrastructure, have also established themselves in emerging and developing countries. Indeed, with a relatively low structural investment compared to that required to deploy a wired network, these networks enable operators to offer very wide coverage of the territory with a network access cost (price of devices and communications) that is quite acceptable to users. It is therefore not surprising that today, in most countries, the number of wireless phones is much higher than the number of landlines. This large number of terminals scattered across the planet is an invaluable reservoir of information, of which only a tiny fraction is exploited today. Indeed, by combining the position of a mobile device and its speed of movement, it becomes possible to infer the quality of roads or of road traffic. On another level, by incorporating a thermometer and/or hygrometer in each terminal, which at large scale would involve a negligible unit cost, these terminals could serve as relays for more reliable local weather information. In this context, the objective of this thesis is to study and analyze the opportunities offered by the use of data from mobile devices, to propose original solutions for processing these large volumes of data, with emphasis on the optimizations (fusion, aggregation, etc.) that can be performed at intermediate stages while the data is transported to the storage and processing center(s), and possibly to identify data that is not available today on these terminals but could have a strong impact in the coming years. A prototype including a typical sample application will validate the different approaches.
94

A modelling methodology to quantify the impact of plant anomalies on ID fan capacity in coal fired power plants

Khobo, Rendani Yaw-Boateng Sean 13 September 2020
In South Africa, nearly 80 % of electricity is generated from coal fired power plants. Due to the complexity of the interconnected systems that make up a typical power plant, analysis of the root causes of load losses is not a straightforward process. This often leads to losses incorrectly being ascribed to the Induced Draught (ID) fan, where detection occurs, while the problem actually originates elsewhere in the plant. The focus of this study was to develop and demonstrate a modelling methodology to quantify the effects of major plant anomalies on the capacity of ID fans in coal fired power plants. The ensuing model calculates the operating point of the ID fan that is a result of anomalies experienced elsewhere in the plant. This model can be applied in conjunction with performance test data as part of a root cause analysis procedure. The model has three main sections that are integrated to determine the ID fan operating point. The first section is a water/steam cycle model that was pre-configured in VirtualPlant™. The steam plant model was verified via energy balance calculations and validated against original heat balance diagrams. The second is a draught group model developed using Flownex SE™. This one-dimensional network is a simplification of the flue gas side of the five main draught group components, from the furnace inlet to the chimney exit, characterising only the aggregate heat transfer and pressure loss in the system. The designated ID fan model is based on the original fan performance curves. The third section is a Boiler Mass and Energy Balance (BMEB) specifically created for this purpose to: (1) translate the VirtualPlant results for the steam cycle into applicable boundary conditions for the Flownex draught group model; and (2) to calculate the fluid properties applicable to the draught group based on the coal characteristics and combustion process.
The integrated modelling methodology was applied to a 600 MW class coal fired power plant to investigate the impact of six major anomalies that are typically encountered. These are: changes in coal quality; increased boiler flue gas exit temperatures; air ingress into the boiler; air heater inleakage to the flue gas stream; feed water heaters out-of-service; and condenser backpressure degradation. It was inter alia found that a low calorific value (CV) coal of 14 MJ/kg compared to a typical 17 MJ/kg reduced the fan's capacity by 2.1 %. Also, having both HP FWH out of service decreased the fan's capacity by 16.2 %.
95

Evaluating Online Learning Anomaly Detection on Intel Neuromorphic Chip and Memristor Characterization Tool

Jaoudi, Yassine 09 August 2021
No description available.
96

Metody klasifikace síťového provozu / Methods for Network Traffic Classification

Jacko, Michal January 2017
This paper deals with the problem of detecting network traffic anomalies and classifying network flows. Based on existing methods, the paper describes the design and implementation of a tool that can automatically classify network flows. The tool uses the CUDA platform for network data processing and computes network flow metrics on the graphics processing unit. Processed flows are subsequently classified by the proposed methods for network anomaly detection.
97

Statistická analýza anomálií v senzorových datech / Statistical Analysis of Anomalies in Sensor Data

Gregorová, Kateřina January 2019
This thesis deals with the failure mode detection of aircraft engines. The main approach to the detection is searching for anomalies in the sensor data. In order to give a comprehensive idea of the system and the particular sensors, the thesis begins with a description of the whole system, namely the HTF7000 aircraft engine, as well as a description of the sensors. A proposal of the anomaly detection algorithm based on three different detection methods is discussed in the second chapter. These methods are SVM (Support Vector Machine), K-means and ARIMA (Autoregressive Integrated Moving Average). The implementation of the algorithm, including a graphical user interface proposal, is elaborated on in the next part of the thesis. Finally, a statistical analysis of the results, a comparison of the efficiency of the particular models and a discussion of the outputs of the proposed algorithm can be found at the end of the thesis.
98

Vhodná strategie pro detekci bezpečnostních incidentů v průmyslových sítích / Appropriate strategy for security incident detection in industrial networks

Kuchař, Karel January 2020
This diploma thesis focuses on industrial networks and the security offered by industrial protocols. The goal of the thesis is to create specific methods for the detection of security incidents. The thesis is mainly focused on the Modbus/TCP and DNP3 protocols. In the theoretical part, the industrial protocols are described, attack vectors are defined, and the security of each protocol is described. The practical part is focused on the description and simulation of security incidents. Based on the data gathered from the simulations, threats are identified by the introduced detection methods. These methods detect a security incident through an abnormality in the network traffic, using created formulas or machine learning. The designed methods are implemented in the Zeek IDS (Intrusion Detection System). With the designed methods, it is possible to detect selected security incidents at the destination workstation.
99

Využití strojového učení pro detekci anomálií na základě analýzy systémových logů / System Log Analysis for Anomaly Detection Using Machine Learning

Šiklóši, Miroslav January 2020
This diploma thesis deals with the use of machine learning for anomaly detection based on the analysis of system logs. The proposed models are based on supervised, unsupervised and deep learning algorithms. The functionality and behaviour of these algorithms are explained both theoretically and practically. In addition, methods and procedures were used to preprocess the data before it was fed into the machine learning models. Finally, the proposed models are compared using several metrics and tested on syslogs that the models had not seen before. The most accurate performance was delivered by the Decision Tree Classifier, One-Class Support Vector Machine and Hierarchical Clustering models, which correctly labelled 93.95%, 85.66% and 85.3% of anomalies, respectively.
100

Detekce útoku SlowDrop / SlowDrop attack detection

Náčin, Peter January 2021
The diploma thesis is focused on the detection of a slow DoS attack named SlowDrop. The attack tries to imitate a legitimate person with a slow internet connection and does not show a new strong signature, so the attack is difficult to detect. The diploma thesis is based on the work of Ing. Mazanek, in which the SlowDrop attack script was created. At the theoretical level, the issue of DoS attacks is described in general, but also in particular. Furthermore, the work develops methods for solving the problem of SlowDrop attack detection. The methods are then defined in detail and tested in a simulation environment. The practical part describes data analysis, signature detection, anomaly detection using neural networks and a detection script. In all practical parts, the technologies used and the solution procedures are described in detail. The specific implementation of the solution and the achieved results are also presented. Finally, the individual results are evaluated and compared, both individually and against each other. The obtained results show that the attack is detectable using a neural network and by the created detection script.