Global ETD Search

81	Hypervisor-based cloud anomaly detection using supervised learning techniques Nwamuo, Onyekachi 23 January 2020 (has links) Although cloud network flows are similar to conventional network flows in many ways, there are some major differences in their statistical characteristics. However, due to the lack of adequate public datasets, the proponents of many existing cloud intrusion detection systems (IDS) have relied on the DARPA dataset which was obtained by simulating a conventional network environment. In the current thesis, we show empirically that the DARPA dataset by failing to meet important statistical characteristics of real-world cloud traffic data centers is inadequate for evaluating cloud IDS. We analyze, as an alternative, a new public dataset collected through cooperation between our lab and a non-profit cloud service provider, which contains benign data and a wide variety of attack data. Furthermore, we present a new hypervisor-based cloud IDS using an instance-oriented feature model and supervised machine learning techniques. We investigate 3 different classifiers: Logistic Regression (LR), Random Forest (RF), and Support Vector Machine (SVM) algorithms. Experimental evaluation on a diversified dataset yields a detection rate of 92.08% and a false-positive rate of 1.49% for the random forest, the best performing of the three classifiers. / Graduate Cloud Anomaly Detection ISOT-CID CLoud Network vs Conventional Network DARPA 1998 IDS Dataset Hypervisor-Based Intrusion Detection
82	The Resilience of Deep Learning Intrusion Detection Systems for Automotive Networks : The effect of adversarial samples and transferability on Deep Learning Intrusion Detection Systems for Controller Area Networks / Motståndskraften hos Deep Learning Intrusion Detection Systems för fordonsnätverk : Effekten av kontradiktoriska prover och överförbarhet på Deep Learning Intrusion Detection Systems för Controller Area Networks Zenden, Ivo January 2022 (has links) This thesis will cover the topic of cyber security in vehicles. Current vehicles contain many computers which communicate over a controller area network. This network has many vulnerabilities which can be leveraged by attackers. To combat these attackers, intrusion detection systems have been implemented. The latest research has mostly focused on the use of deep learning techniques for these intrusion detection systems. However, these deep learning techniques are not foolproof and possess their own security vulnerabilities. One such vulnerability comes in the form of adversarial samples. These are attacks that are manipulated to evade detection by these intrusion detection systems. In this thesis, the aim is to show that the known vulnerabilities of deep learning techniques are also present in the current state-of-the-art intrusion detection systems. The presence of these vulnerabilities shows that these deep learning based systems are still to immature to be deployed in actual vehicles. Since if an attacker is able to use these weaknesses to circumvent the intrusion detection system, they can still control many parts of the vehicles such as the windows, the brakes and even the engine. Current research regarding deep learning weaknesses has mainly focused on the image recognition domain. Relatively little research has investigated the influence of these weaknesses for intrusion detection, especially on vehicle networks. To show these weaknesses, firstly two baseline deep learning intrusion detection systems were created. Additionally, two state-of-the-art systems from recent research papers were recreated. Afterwards, adversarial samples were generated using the fast gradient-sign method on one of the baseline systems. These adversarial samples were then used to show the drop in performance of all systems. The thesis shows that the adversarial samples negatively impact the two baseline models and one state-of-the-art model. The state-of-the-art model’s drop in performance goes as high as 60% in the f1-score. Additionally, some of the adversarial samples need as little as 2 bits to be changed in order to evade the intrusion detection systems. / Detta examensarbete kommer att täcka ämnet cybersäkerhet i fordon. Nuvarande fordon innehåller många datorer som kommunicerar över ett så kallat controller area network. Detta nätverk har många sårbarheter som kan utnyttjas av angripare. För att bekämpa dessa angripare har intrångsdetekteringssystem implementerats. Den senaste forskningen har mestadels fokuserat på användningen av djupinlärningstekniker för dessa intrångsdetekteringssystem. Dessa djupinlärningstekniker är dock inte idiotsäkra och har sina egna säkerhetsbrister. En sådan sårbarhet kommer i form av kontradiktoriska prover. Dessa är attacker som manipuleras för att undvika upptäckt av dessa intrångsdetekteringssystem. I det här examensarbetet kommer vi att försöka visa att de kända sårbarheterna hos tekniker för djupinlärning också finns i de nuvarande toppmoderna systemen för intrångsdetektering. Förekomsten av dessa sårbarheter visar att dessa djupinlärningsbaserade system fortfarande är för omogna för att kunna användas i verkliga fordon. Eftersom om en angripare kan använda dessa svagheter för att kringgå intrångsdetekteringssystemet, kan de fortfarande kontrollera många delar av fordonet som rutorna, bromsarna och till och med motorn. Aktuell forskning om svagheter i djupinlärning har främst fokuserat på bildigenkänningsdomänen. Relativt lite forskning har undersökt inverkan av dessa svagheter för intrångsdetektering, särskilt på fordonsnätverk. För att visa dessa svagheter skapades först två baslinjesystem för djupinlärning intrångsdetektering. Dessutom återskapades två toppmoderna system från nya forskningsartiklar. Efteråt genererades motstridiga prover med hjälp av den snabba gradient-teckenmetoden på ett av baslinjesystemen. Dessa kontradiktoriska prover användes sedan för att visa nedgången i prestanda för alla system. Avhandlingen visar att de kontradiktoriska proverna negativt påverkar de två baslinjemodellerna och en toppmodern modell. Den toppmoderna modellens minskning av prestanda går så högt som 60% i f1-poängen. Dessutom behöver några av de kontradiktoriska samplen så lite som 2 bitar att ändras för att undvika intrångsdetekteringssystem. Vehicle Security Deep Learning Controller Area Network Intrusion Detection System Adversarial Samples Fordonssäkerhet Deep Learning Controller Area Network Intrusion Detection System kontradiktoriska prover Computer and Information Sciences Data- och informationsvetenskap
83	An autonomous host-based intrusion detection and prevention system for Android mobile devices. Design and implementation of an autonomous host-based Intrusion Detection and Prevention System (IDPS), incorporating Machine Learning and statistical algorithms, for Android mobile devices Ribeiro, José C.V.G. January 2019 (has links) This research work presents the design and implementation of a host-based Intrusion Detection and Prevention System (IDPS) called HIDROID (Host-based Intrusion Detection and protection system for andROID) for Android smartphones. It runs completely on the mobile device, with a minimal computation burden. It collects data in real-time, periodically sampling features that reflect the overall utilisation of scarce resources of a mobile device (e.g. CPU, memory, battery, bandwidth, etc.). The Detection Engine of HIDROID adopts an anomaly-based approach by exploiting statistical and machine learning algorithms. That is, it builds a data-driven model for benign behaviour and looks for the outliers considered as suspicious activities. Any observation failing to match this model triggers an alert and the preventive agent takes proper countermeasure(s) to minimise the risk. The key novel characteristic of the Detection Engine of HIDROID is the fact that it requires no malicious data for training or tuning. In fact, the Detection Engine implements the following two anomaly detection algorithms: a variation of K-Means algorithm with only one cluster and the univariate Gaussian algorithm. Experimental test results on a real device show that HIDROID is well able to learn and discriminate normal from anomalous behaviour, demonstrating a very promising detection accuracy of up to 0.91, while maintaining false positive rate below 0.03. Finally, it is noteworthy to mention that to the best of our knowledge, publicly available datasets representing benign and abnormal behaviour of Android smartphones do not exist. Thus, in the context of this research work, two new datasets were generated in order to evaluate HIDROID. / Fundação para a Ciência e Tecnologia (FCT-Portugal) with reference SFRH/BD/112755/2015, European Regional Development Fund (FEDER), through the Competitiveness and Internationalization Operational Programme (COMPETE 2020), Regional Operational Program of the Algarve (2020), Fundação para a Ciência e Tecnologia; i-Five .: Extensão do acesso de espectro dinâmico para rádio 5G, POCI-01-0145-FEDER-030500, Instituto de telecomunicações, (IT-Portugal) as the host institution. Security Intrusion detection Android 5G Prevention Host-based Malware detection Host-based IDS Statistical anomaly detection Machine learning
84	Intrusion Detection in Mobile Adhoc Networks Kumar, Kavitha January 2009 (has links) No description available. Computer Science Electrical Engineering Mobile Ad hoc networks MANETs with mobile nodes Intrusion Detection in MANETs
85	Scalable framework for turn-key honeynet deployment Brzeczko, Albert Walter 22 May 2014 (has links) Enterprise networks present very high value targets in the eyes of malicious actors who seek to exfiltrate sensitive proprietary data, disrupt the operations of a particular organization, or leverage considerable computational and network resources to further their own illicit goals. For this reason, enterprise networks typically attract the most determined of attackers. These attackers are prone to using the most novel and difficult-to-detect approaches so that they may have a high probability of success and continue operating undetected. Many existing network security approaches that fall under the category of intrusion detection systems (IDS) and intrusion prevention systems (IPS) are able to detect classes of attacks that are well-known. While these approaches are effective for filtering out routine attacks in automated fashion, they are ill-suited for detecting the types of novel tactics and zero-day exploits that are increasingly used against the enterprise. In this thesis, a solution is presented that augments existing security measures to provide enhanced coverage of novel attacks in conjunction with what is already provided by traditional IDS and IPS. The approach enables honeypots, a class of tech- nique that observes novel attacks by luring an attacker to perform malicious activity on a system having no production value, to be deployed in a turn-key fashion and at large scale on enterprise networks. In spite of the honeypot’s efficacy against tar- geted attacks, organizations can seldom afford to devote capital and IT manpower to integrating them into their security posture. Furthermore, misconfigured honeypots can actually weaken an organization’s security posture by giving the attacker a stag- ing ground on which to perform further attacks. A turn-key approach is needed for organizations to use honeypots to trap, observe, and mitigate novel targeted attacks. Honeynet Cloud computing Information security Computer networks Security measures
86	Shilling attack detection in recommender systems. Bhebe, Wilander. January 2015 (has links) M. Tech. Information Networks / The growth of the internet has made it easy for people to exchange information resulting in the abundance of information commonly referred to as information overload. It causes retailers to fail to make adequate sales since the customers are swamped with a lot of options and choices. To lessen this problem retailers have begun to find it useful to make use of algorithmic approaches to determine which content to show consumers. These algorithmic approaches are known as recommender systems. Collaborative Filtering recommender systems suggest items to users based on other users reported prior experience with those items. These systems are, however, vulnerable to shilling attacks since they are highly dependent on outside sources of information. Shilling is a process in which syndicating users can connive to promote or demote a certain item, where malicious users benefit from introducing biased ratings. It is, however, critical that shilling detection systems are implemented to detect, warn and shut down shilling attacks within minutes. Modern patented shilling detection systems employ: (a) classification methods, (b) statistical methods, and (c) rules and threshold values defined by shilling detection analysts, using their knowledge of valid shilling cases and the false alarm rate as guidance. The goal of this dissertation is to determine a context for, and assess the performance of Meta-Learning techniques that can be integrated in the shilling detection process.
87	Dynamic Game-Theoretic Models to Determine the Value of Intrusion Detection Systems in the Face of Uncertainty Moured, David Paul 27 January 2015 (has links) Firms lose millions of dollars every year to cyber-attacks and the risk to these companies is growing exponentially. The threat to monetary and intellectual property has made Information Technology (IT) security management a critical challenge to firms. Security devices, including Intrusion Detections Systems (IDS), are commonly used to help protect these firms from malicious users by identifying the presence of malicious network traffic. However, the actual value of these devices remains uncertain among the IT security community because of the costs associated with the implementation of different monitoring strategies that determine when to inspect potentially malicious traffic and the costs associated with false positive and negative errors. Game theoretic models have proven effective for determining the value of these devices under several conditions where firms and users are modeled as players. However, these models assume that both the firm and attacker have complete information about their opponent and lack the ability to account for more realistic situations where players have incomplete information regarding their opponent's payoffs. The proposed research develops an enhanced model that can be used for strategic decision making in IT security management where the firm is uncertain about the user's utility of intrusion. By using Harsanyi Transformation Analysis, the model provides the IT security research community with valuable insight into the value of IDS when the firm is uncertain of the incentives and payoffs available to users choosing to hack. Specifically, this dissertation considers two possible types of users with different utility for intrusion to gain further insights about the players' strategies. The firm's optimal strategy is to start the game with the expected value of the user's utility as an estimate. Under this strategy, the firm can determine the user's utility with certainty within one iteration of the game. After the first iteration, the game may be analyzed as a game of perfect information. Game Theory Intrusion Detection Systems Security Planning Computer Sciences Computer Security Theory and Algorithms
88	Enhanced Deployment Strategy for Role-based Hierarchical Application Agents in Wireless Sensor Networks with Established Clusterheads Gendreau, Audrey A. 01 January 2014 (has links) Efficient self-organizing virtual clusterheads that supervise data collection based on their wireless connectivity, risk, and overhead costs, are an important element of Wireless Sensor Networks (WSNs). This function is especially critical during deployment when system resources are allocated to a subsequent application. In the presented research, a model used to deploy intrusion detection capability on a Local Area Network (LAN), in the literature, was extended to develop a role-based hierarchical agent deployment algorithm for a WSN. The resulting model took into consideration the monitoring capability, risk, deployment distribution cost, and monitoring cost associated with each node. Changing the original LAN methodology approach to model a cluster-based sensor network depended on the ability to duplicate a specific parameter that represented the monitoring capability. Furthermore, other parameters derived from a LAN can elevate costs and risk of deployment, as well as jeopardize the success of an application on a WSN. A key component of the approach presented in this research was to reduce the costs when established clusterheads in the network were found to be capable of hosting additional detection agents. In addition, another cost savings component of the study addressed the reduction of vulnerabilities associated with deployment of agents to high volume nodes. The effectiveness of the presented method was validated by comparing it against a type of a power-based scheme that used each node's remaining energy as the deployment value. While available energy is directly related to the model used in the presented method, the study deliberately sought out nodes that were identified with having superior monitoring capability, cost less to create and sustain, and are at low-risk of an attack. This work investigated improving the efficiency of an intrusion detection system (IDS) by using the proposed model to deploy monitoring agents after a temperature sensing application had established the network traffic flow to the sink. The same scenario was repeated using a power-based IDS to compare it against the proposed model. To identify a clusterhead's ability to host monitoring agents after the temperature sensing application terminated, the deployed IDS utilized the communication history and other network factors in order to rank the nodes. Similarly, using the node's communication history, the deployed power-based IDS ranked nodes based on their remaining power. For each individual scenario, and after the IDS application was deployed, the temperature sensing application was run for a second time. This time, to monitor the temperature sensing agents as the data flowed towards the sink, the network traffic was rerouted through the new intrusion detection clusterheads. Consequently, if the clusterheads were shared, the re-routing step was not preformed. Experimental results in this research demonstrated the effectiveness of applying a robust deployment metric to improve upon the energy efficiency of a deployed application in a multi-application WSN. It was found that in the scenarios with the intrusion detection application that utilized the proposed model resulted in more remaining energy than in the scenarios that implemented the power-based IDS. The algorithm especially had a positive impact on the small, dense, and more homogeneous networks. This finding was reinforced by the smaller percentage of new clusterheads that was selected. Essentially, the energy cost of the route to the sink was reduced because the network traffic was rerouted through fewer new clusterheads. Additionally, it was found that the intrusion detection topology that used the proposed approach formed smaller and more connected sets of clusterheads than the power-based IDS. As a consequence, this proposed approach essentially achieved the research objective for enhancing energy use in a multi-application WSN. agent cluster efficiency energy intrusion detection wireless sensor networks Computer Sciences
89	An insider misuse threat detection and prediction language Magklaras, Georgios Vasilios January 2012 (has links) Numerous studies indicate that amongst the various types of security threats, the problem of insider misuse of IT systems can have serious consequences for the health of computing infrastructures. Although incidents of external origin are also dangerous, the insider IT misuse problem is difficult to address for a number of reasons. A fundamental reason that makes the problem mitigation difficult relates to the level of trust legitimate users possess inside the organization. The trust factor makes it difficult to detect threats originating from the actions and credentials of individual users. An equally important difficulty in the process of mitigating insider IT threats is based on the variability of the problem. The nature of Insider IT misuse varies amongst organizations. Hence, the problem of expressing what constitutes a threat, as well as the process of detecting and predicting it are non trivial tasks that add up to the multi- factorial nature of insider IT misuse. This thesis is concerned with the process of systematizing the specification of insider threats, focusing on their system-level detection and prediction. The design of suitable user audit mechanisms and semantics form a Domain Specific Language to detect and predict insider misuse incidents. As a result, the thesis proposes in detail ways to construct standardized descriptions (signatures) of insider threat incidents, as means of aiding researchers and IT system experts mitigate the problem of insider IT misuse. The produced audit engine (LUARM – Logging User Actions in Relational Mode) and the Insider Threat Prediction and Specification Language (ITPSL) are two utilities that can be added to the IT insider misuse mitigation arsenal. LUARM is a novel audit engine designed specifically to address the needs of monitoring insider actions. These needs cannot be met by traditional open source audit utilities. ITPSL is an XML based markup that can standardize the description of incidents and threats and thus make use of the LUARM audit data. Its novelty lies on the fact that it can be used to detect as well as predict instances of threats, a task that has not been achieved to this date by a domain specific language to address threats. The research project evaluated the produced language using a cyber-misuse experiment approach derived from real world misuse incident data. The results of the experiment showed that the ITPSL and its associated audit engine LUARM provide a good foundation for insider threat specification and prediction. Some language deficiencies relate to the fact that the insider threat specification process requires a good knowledge of the software applications used in a computer system. As the language is easily expandable, future developments to improve the language towards this direction are suggested. 005.8
90	Stream splitting in support of intrusion detection Judd, John David 06 1900 (has links) Approved for public release, distribution is unlimited / One of the most significant challenges with modern intrusion detection systems is the high rate of false alarms that they generate. In order to lower this rate, we propose to reduce the amount of traffic sent a given intrusion detection system via a filtering process termed stream splitting. Each packet arriving at the system is treated as belonging to a connection. Each connection is then assigned to a network stream. A network stream can then be sent to an analysis engine tailored specifically for that type of data. To demonstrate a stream-splitting capability, both an extendable multi-threaded architecture and prototype were developed. This system was tested to ensure the ability to capture traffic and found to be able to do so with minimal loss at network speeds up to 20 Mb/s, comparable to several open-source analysis programs. The stream splitter was also shown to be able to correctly implement a traffic separation scheme. / Ensign, United States Navy Electronic alarm systems Computer networks Security measures Intrusion detection system Stream splitting Fuzzy logic

Search results