The Human Analysis Element of Intrusion Detection: A Cognitive Task Model and Interface Design and Implications
Ellis, Brenda Lee, 01 January 2009
The use of monitoring and intrusion detection tools is common in today's network security architecture. The combination of tools generates an abundance of data, which can result in cognitive overload for those analyzing it. ID analysts initially review alerts generated by intrusion detection systems to determine the validity of the alerts. Since a large number of alerts are false positives, analyzing the data can severely reduce the number of unnecessary and unproductive investigations. The problem remains that this process is resource intensive. To date, very little research has been done to clearly determine and document the process of intrusion detection. In order to rectify this problem, research was conducted in several phases. Fifteen individuals were selected to participate in a cognitive task analysis. The results of the cognitive task analysis were used to develop a prototype interface, which was tested by the participants. A test of the participants' knowledge after use of the prototype revealed an increase in both effectiveness and efficiency in analyzing alerts.
Specifically, the findings revealed an increase in effectiveness as 72% of the participants made better determinations using the prototype interface. The results also showed an increase in efficiency when 72% of the participants analyzed and validated alerts in less time while using the prototype interface. These findings, based on empirical data, showed that the use of the task diagram and prototype interface helped to reduce the amount of time it previously took to analyze alerts generated by intrusion detection systems.

Definition and assessment of a mechanism for the generation of environment-specific correlation rules
Godefroy, Erwan, 30 September 2016
In information systems, detection tools continuously produce a large number of alerts. Correlation tools make it possible to reduce the number of alerts and to summarize, within meta-alerts, the information that matters to administrators. However, the complexity of correlation rules makes them difficult to write and maintain. This thesis therefore proposes a method for generating correlation rules semi-automatically from an attack scenario expressed in a high-level language. The method relies on building and using a knowledge base containing a model of the essential elements of the information system (for example the nodes and the deployment of detection tools). The correlation rule generation process is composed of several steps that progressively transform an attack tree into correlation rules. We evaluated this work in two ways. First, we applied the method to a use case involving a network representative of a small company's system. Second, we measured the influence of faults affecting the knowledge base on the generated correlation rules and on detection quality. / Information systems continuously produce a large amount of messages and alerts. In order to manage this amount of data, correlation systems are introduced to reduce the number of alerts and produce high-level meta-alerts with relevant information for the administrators. However, it is usually difficult to write complete and correct correlation rules and to maintain them. This thesis describes a method to create correlation rules from an attack scenario specified in a high-level language. This method relies on a specific knowledge base that includes relevant information on the system, such as its nodes or the deployment of sensors.
This process is composed of several steps that iteratively transform an attack tree into a correlation rule. The assessment of this work has two aspects. First, we apply the method in the context of a use case involving a small business system. The second aspect covers the influence of a faulty knowledge base on the generated rules and on detection.

Comparison of systems to detect rogue access points
Lennartsson, Alexander; Melander, Hilda, January 2019
A hacker might use a rogue access point to gain access to a network, which poses a threat to the individuals connected to it. The hacker might have the potential to leak corporate data or steal private information. The detection of rogue access points is therefore important to prevent damage to both businesses and individuals. Comparing different software that detects rogue access points increases the chance of someone finding a solution that suits their network. The types of software compared are intrusion detection systems, wireless scanners and a Cisco wireless LAN controller. The parameters compared are cost, compatibility, detection capability and implementation difficulty. In order to obtain results, some of the parameters require testing. As there are three types of software, three experiment environments are needed. Our research indicates that already existing network equipment or the size of the network affects the results of the experiments.

Incremental Support Vector Machine Approach for DoS and DDoS Attack Detection
Lee, Seunghee, 14 May 2019
Support Vector Machines (SVMs) have generally been effective in detecting instances of network intrusion. However, from a practical point of view, a standard SVM is not able to handle large-scale data efficiently due to the computational complexity of the algorithm and its extensive memory requirements. To cope with this limitation, this study presents an incremental SVM method combined with a k-nearest neighbors (KNN) based candidate support vector (CSV) selection strategy in order to speed up the training and test process. The proposed incremental SVM method constructs or updates the pattern classes by incrementally incorporating new signatures, without having to load and access the entire previous dataset, in order to cope with evolving DoS and DDoS attacks. The performance of the proposed method is evaluated experimentally and compared with the standard SVM method and the simple incremental SVM method in terms of precision, recall, F1-score, and training and test duration.

Optical fiber interrogation method for intrusion detection
Febbo, Maurino de, 24 June 2016
This work proposes an optical fiber interrogation method with a reduced architecture that can be used in distributed intrusion detection systems over medium and long distances, such as for the protection of perimeters, borders, pipeline rights of way, industrial plants or other installations, using a standard optical fiber as the sensing element. The method is based on the Brillouin Optical Time Domain Analysis (BOTDA) technique, but dispenses with the sequential sweep over different frequencies, which simplifies the system, reduces costs and improves response time. The work consists of a general overview of the subject, presenting the basic theory of nonlinear scattering phenomena in optical fibers, the details of the proposed interrogation method and a description of the experiments carried out in the laboratory, followed by an analysis of and comments on the performance achieved, as well as some suggestions for better exploiting the method's potential. / This research work proposes an optical fiber interrogation method with a reduced architecture that can be applied in distributed intrusion detection systems over medium and long distances, such as for the protection of pipeline rights of way, perimeters, boundaries, industrial plants or other installations, using a standard optical fiber as a sensor. The proposed method is based on Brillouin Optical Time Domain Analysis (BOTDA) but dispenses with the sequential frequency sweep, which simplifies the system, reduces its cost and improves response time. The work comprises a general discussion of the subject, presenting the basic theory of nonlinear scattering phenomena in optical fibers, the description of the proposed interrogation method and the experiments conducted in the lab, followed by an analysis of and comments on the achieved performance, as well as a few suggestions to better explore the potential of the method.

Evaluation of capture techniques for intrusion detection systems
Tavares, Dalton Matsuo, 04 July 2002
The main objective of this work is to present a proposal that allows the combination of an existing, not very flexible packet capture solution (a sniffer) with the concept of mobile agents for use in segmented networks. The main focus of this research is the application of the packet capture technique in network-based IDSs, using for this purpose the model developed at ICMC (Cansian, 1997) and later adapted to the mobile agent environment (Bernardes, 1999). Accordingly, the base layer of the environment developed in (Bernardes, 1999) was specified with a view to the interactions between its agents and the packet capture agent. / The main objective of the current work is to present a proposal that allows the combination of an existing and not so flexible packet capture solution (sniffer) with the concept of mobile agents for application in switched networks. This research focuses on the application of the packet capture technique in network-based IDSs, using for this purpose the model developed at ICMC (Cansian, 1997) and later adjusted to the mobile agents environment (Bernardes, 1999). Therefore, the base layer of the developed environment (Bernardes, 1999) was specified, focusing on the interactions between its agents and the packet capture agent.

Intrusion detection for automotive embedded networks: a language-oriented approach
Studnia, Ivan, 22 September 2015
The computers embedded in automobiles, or ECUs (Electronic Control Units), are responsible for a growing number of functions within the vehicle. In order to coordinate their actions, these computers exchange data over communication buses and thus form a true embedded network. While historically this network could be considered a closed system, the appearance of numerous means of communication in automobiles has opened this network to the outside world and raised many security issues in this area. Our work is part of an effort to introduce security mechanisms (security against malicious acts, as opposed to safety) into automotive networks. Since automotive security is a relatively recent topic, particular effort has been devoted to defining the context. Thus, in this manuscript, we describe the threats that can target these embedded systems, propose a classification of attack scenarios and then present the various security mechanisms that can be applied to the embedded systems of an automobile. Then, in order to complement the preventive security measures put in place to stop an attacker from penetrating the heart of the embedded network, we propose in this thesis an intrusion detection system for embedded automotive networks. Designed from the specifications of the system(s) to be monitored, it notably integrates mechanisms for correlating the messages observed on the network in order to identify suspicious message sequences. After formally describing the operation of our detection system, we present initial experiments aimed at validating our method and evaluating its performance. / In today's automobiles, embedded computers, or ECUs (Electronic Control Units), are responsible for an increasing number of features in a vehicle.
In order to coordinate their actions, these computers exchange data over communication buses, effectively constituting an embedded network. While this network could previously be considered a closed system, the addition of means of communication in automobiles has opened it to the outside world, thus raising many security issues. Our research work focuses on these issues and aims at proposing efficient architectural security mechanisms for protecting embedded automotive networks. The security of embedded automotive systems being a relatively recent topic, we first put a strong focus on defining the context. For that purpose, we describe the threats that can target a car's embedded systems, provide a classification of the possible attack scenarios and present a survey of protection mechanisms in embedded automotive networks. Then, in order to complement the preventive security means that aim at stopping an attacker from entering the embedded network, we introduce an Intrusion Detection System (IDS) fit for vehicular networks. Leveraging the high predictability of embedded automotive systems, we use language theory to elaborate a set of attack signatures derived from behavioral models of the automotive ECUs in order to detect a malicious sequence of messages transiting through the internal network. After a formal description of our IDS, we present a first batch of experiments aimed at validating our approach and assessing its performance.

Intrusion detection for industrial control systems
Koucham, Oualid, 12 November 2018
The objective of this thesis is the development of intrusion detection and alert correlation techniques specific to industrial control systems (ICS). This interest is justified by the emergence of cyber threats targeting ICS and the need to detect targeted attacks whose aim is to violate the specifications of the correct behavior of the physical process. In the first part of our work, we focused on the automatic inference of specifications for sequential control systems for the purpose of intrusion detection. The particularity of sequential systems lies in their control logic, which operates in discrete steps. Intrusion detection within these systems has received little study despite their ubiquity in several application domains. In our approach, we adopted the formalism of linear temporal logic (LTL) and metric temporal logic (MTL), which allow qualitative and quantitative temporal properties over the state of actuators and sensors to be expressed. A property inference algorithm was developed to automate the generation of properties from specification patterns covering the most common constraints. This approach aims to address the substantial number of redundant properties inferred by current approaches. In the second part of our work, we seek to combine the intrusion detection approach developed in the first part with classical intrusion detection approaches. To do so, we explore a correlation approach that takes the specificities of industrial systems into account on two points: (i) the enrichment and preprocessing of alerts coming from different domains (cyber and physical), and (ii) the design of an alert selection policy that accounts for the execution context of the physical process. The first point starts from the observation that, in an industrial system, the alerts reported to the correlator are characterized by heterogeneous attributes (attributes specific to the cyber and physical domains). However, classical correlation approaches presuppose a certain homogeneity among alerts. To remedy this, we develop an approach for enriching physical-domain alerts with cyber-domain attributes, based on information about the protocols supported by the controllers and the distribution of process variables among the controllers. The second point concerns the development of an alert selection policy that dynamically adapts the alert selection windows to the evolution of the subprocesses. The evaluation results of our detection and correlation approaches show improved performance on metrics such as the number of inferred properties, the alert reduction rate and the completeness of correlations. / The objective of this thesis is to develop intrusion detection and alert correlation techniques geared towards industrial control systems (ICS). Our interest is driven by the recent surge in cybersecurity incidents targeting ICS, and the necessity to detect targeted attacks which induce incorrect behavior at the level of the physical process. In the first part of this work, we develop an approach to automatically infer specifications over the sequential behavior of ICS. In particular, we rely on specification language formalisms such as linear temporal logic (LTL) and metric temporal logic (MTL) to express temporal properties over the state of the actuators and sensors. We develop an algorithm to automatically infer specifications from a set of specification patterns covering the most recurring properties. In particular, our approach aims at reducing the number of redundant and unfalsifiable properties generated by the existing approaches.
To do so, we add a pre-selection stage which allows us to restrict the search for valid properties to non-redundant portions of the execution traces. We evaluate our approach on a complex physical process steered by several controllers under process-oriented attacks. Our results show that a significant reduction in the number of inferred properties is possible while achieving high detection rates. In the second part of this work, we attempt to combine the physical-domain intrusion detection approach developed in the first part with more classical cyber-domain intrusion detection approaches. In particular, we develop an alert correlation approach which takes into account some specificities of ICS. First, we explore an alert enrichment approach that allows us to map physical-domain alerts into the cyber domain. This is motivated by the observation that alerts coming from different domains are characterized by heterogeneous attributes, which makes any direct comparison of the alerts difficult. Instead, we enrich the physical-domain alerts with cyber-domain attributes given knowledge about the protocols supported by the controllers and the memory mapping of process variables within the controllers. In this work, we also explore ICS-specific alert selection policies. An alert selection policy defines which alerts will be selected for comparison by the correlator. Classical approaches often rely on sliding, fixed-size temporal windows as a basis for their selection policy. We argue that, given the complex interdependencies between physical subprocesses, agreeing on an alert window size is challenging. Instead, we adopt selection policies that adapt to the state of the physical process by dynamically adjusting the size of the alert windows given the state of the subprocesses within the physical process. Our evaluation results show that our correlator achieves better correlation metrics in comparison with classical temporal-window-based approaches.

Machine Learning-driven Intrusion Detection Techniques in Critical Infrastructures Monitored by Sensor Networks
Otoum, Safa, 23 April 2019
In most critical infrastructures, Wireless Sensor Networks (WSNs) are deployed due to their low cost, flexibility and efficiency, as well as their wide usage in several infrastructures. Despite these advantages, WSNs introduce various security vulnerabilities, such as different types of attacks and intruders, due to the open nature of sensor nodes and unreliable wireless links.
Therefore, the implementation of an efficient Intrusion Detection System (IDS) that achieves an acceptable security level is a challenging issue that has gained vital importance.
In this thesis, we investigate the problem of security provisioning in WSN-based critical monitoring infrastructures. We propose a trust-based hierarchical model for malicious node detection, especially for black-hole attacks. We also present various Machine Learning (ML)-driven IDS schemes for wirelessly connected sensors that track critical infrastructures. In this thesis, we present an in-depth analysis of the use of machine learning, deep learning, adaptive machine learning, and reinforcement learning solutions to recognize intrusive behaviours in the monitored network.
We evaluate the proposed schemes using KDD'99 as the real-attack dataset in our simulations. To this end, we present the performance metrics for four different IDS schemes, namely the Clustered Hierarchical Hybrid IDS (CHH-IDS), Adaptively Supervised and Clustered Hybrid IDS (ASCH-IDS), Restricted Boltzmann Machine-based Clustered IDS (RBC-IDS) and Q-learning based IDS (QL-IDS), to detect malicious behaviours in a sensor network.
Through simulations, we analyzed all presented schemes in terms of Accuracy Rates (ARs), Detection Rates (DRs), False Negative Rates (FNRs), precision-recall ratios, F1 scores and the area under the ROC curves, which are the key performance parameters for all IDSs. We show that QL-IDS performs with ~100% detection and accuracy rates.

Empirical Measurement of Defense in Depth
Boggs, Nathaniel, January 2015
Measurement is a vital tool for organizations attempting to increase, evaluate, or simply maintain their overall security posture over time. Organizations rely on defense in depth, which is a layering of multiple defenses, in order to strengthen overall security. Measuring organizations' total security requires evaluating individual security controls such as firewalls, antivirus, or intrusion detection systems alone as well as their joint effectiveness when deployed together in defense in depth. Currently, organizations must rely on best practices rooted in ad hoc expert opinion, reports on individual product performance, and marketing hype to make their choices. When attempting to measure the total security provided by a defense in depth architecture, dependencies between security controls compound the already difficult task of measuring a single security control accurately.
We take two complementary approaches to address this challenge of measuring the total security provided by defense in depth deployments. In our first approach, we use direct measurement where for some set of attacks, we compute a total detection rate for a set of security controls deployed in defense in depth. In order to compare security controls operating on different types of data, we link together all data generated from each particular attack and track the specific attacks detected by each security control. We implement our approach for both the drive-by download and web application attack vectors across four separate layers each. We created an extensible automated framework for web application data generation using public sources of English text.
For our second approach, we measure the total adversary cost, that is, the total effort, resources, and time required to evade security controls deployed in defense in depth. Dependencies between security controls prevent us from simply summing the adversary cost to evade individual security controls in order to compute a total adversary cost. We create a methodology that accounts for these dependencies, focusing especially on multiplicative relationships, where the adversary cost of evading two security controls together is more than the sum of the adversary costs to evade each individually. Using the insight gained into the multiplicative dependency, we design a method for creating sets of multiplicative security controls. Additionally, we create a prototype to demonstrate our methodology for empirically measuring total adversary cost, using attack tree visualizations and a database design capable of representing dependent relationships between security controls.