  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
101

Cloud intrusion detection based on change tracking and a new benchmark dataset

Aldribi, Abdulaziz 30 August 2018
The adoption of cloud computing has increased dramatically in recent years due to attractive features such as flexibility, cost reductions, scalability, and pay per use. Shifting towards cloud computing is attracting not only industry but also government and academia. However, given their stringent privacy and security policies, this shift is still hindered by many security concerns related to the cloud computing features, namely shared resources, virtualization and multi-tenancy. These security concerns vary from privacy threats and lack of transparency to intrusions from within and outside the cloud infrastructure. Therefore, to overcome these concerns and establish a strong trust in cloud computing, there is a need to develop adequate security mechanisms for effectively handling the threats faced in the cloud. Intrusion Detection Systems (IDSs) represent an important part of such mechanisms. Developing cloud based IDS that can capture suspicious activity or threats, and prevent attacks and data leakage from both inside and outside the cloud environment is paramount. However, cloud computing is faced with a multidimensional and rapidly evolving threat landscape, which makes cloud based IDS more challenging. Moreover, one of the most significant hurdles for developing such cloud IDS is the lack of publicly available datasets collected from a real cloud computing environment. In this dissertation, we introduce the first public dataset of its kind, named ISOT Cloud Intrusion Dataset (ISOT-CID), for cloud intrusion detection. The dataset consists of several terabytes of data, involving normal activities and a wide variety of attack vectors, collected over multiple phases and periods of time in a real cloud environment. We also introduce a new hypervisor-based cloud intrusion detection system (HIDS) that uses online multivariate statistical change analysis to detect anomalous network behaviors. As a departure from the conventional monolithic network IDS feature model, we leverage the fact that a hypervisor consists of a collection of instances, to introduce an instance-oriented feature model that exploits individual as well as correlated behaviors of instances to improve the detection capability. The proposed approach is evaluated using ISOT-CID and the experiments along with results are presented. / Graduate / 2020-08-14
102

Arquitetura Multi-Agentes para Detecção de Intrusão Distribuida / Multi-agents Architecture for Distributed Intrusion Detection

Vinicius da Silva Thiago 29 June 2012
The growing concern about information security in computer networks is responsible for constantly producing new ways to defend them. Within this context, the development of new ways of intrusion detection plays an important role in protecting the information. Detection systems must be efficient and, at the same time, must not overload the network or the processing capabilities of the nodes within it. In order to be effective, a system must base its decisions on as many sources of information as possible and organize knowledge in a way that allows a functional communication between those sources. This dissertation describes the proposal for a Distributed Intrusion Detection System architecture that uses mobile agents and an ontology for information sharing. Mobile agents provide a convenient way to distribute the detection process, enabling peer-to-peer cooperation between network nodes without generating much additional traffic. The ontology provides an organized way of storing and sharing knowledge. The proposed architecture has been implemented using the Java programming language and JADE framework and a test laboratory has been assembled to verify the operation of the system. The test results confirmed that a distributed multi-agent architecture that uses an ontology can be effective in detecting attacks on networks and systems.
103

Self-adaptable Security Monitoring for IaaS Cloud Environments / Supervision de sécurité auto-adaptative dans les clouds IaaS

Giannakou, Anna 06 July 2017
Rapid elasticity and automatic provisioning of virtual resources are some of the main characteristics of IaaS clouds. The dynamic nature of IaaS clouds is translated to frequent changes that refer to different levels of the virtual infrastructure. Due to the critical and sometimes private information hosted in tenant virtual infrastructures, security monitoring is of great concern for both tenants and the provider. Unfortunately, the dynamic changes affect the ability of a security monitoring framework to successfully detect attacks that target cloud-hosted virtual infrastructures. In this thesis we have designed a self-adaptable security monitoring framework for IaaS cloud environments that is designed to adapt its components based on different changes that occur in a virtual infrastructure. Our framework has two instantiations focused on different security devices: SAIDS, a scalable network intrusion detection system, and AL-SAFE, an introspection-based application-level firewall. We have evaluated our prototype focusing on performance, cost and security for both tenants and the provider. Our results demonstrate that our prototype imposes a tolerable overhead while providing accurate detection results.
104

Identification of Chlorinated Solvent Sources in the Indoor Air of Private Residences around Hill Air Force Base, Utah

Hall, Andrew Jensen 01 December 2008
Volatile chlorinated solvents such as trichloroethylene (TCE), 1,2 dichloroethane (1,2 DCA), and perchloroethylene (PCE) have been identified in the indoor air of residences located near Hill Air Force Base (AFB), Utah. These vapors can originate from either volatilization of contaminants from shallow contaminated groundwater and transport into residences or from sources within the residence. The focus of the thesis was the development of a testing strategy for determining sources of TCE, 1,2 DCA, and PCE in the indoor air of residences near Hill AFB. Eight residences were selected for this study by Hill AFB based on prior detections of TCE, 1,2 DCA, and PCE in indoor air. Residents were asked to turn off the heating, ventilation, and air conditioning (HVAC) system and keep windows and doors closed for at least 3 hours prior to the sampling visit to reduce mixing of residence air. Indoor air samples were collected on Tenax© sorbent tubes from various locations within the residences to determine the location of the potential source(s). Sampling tubes were analyzed by thermal desorption gas chromatography/mass spectrometry (GC/MS). Results from a tracer experiment using sulfur hexafluoride gas confirmed the effectiveness of the sampling approach. In cases where elevated levels of chlorinated solvents were found, the suspected source material(s) were removed and the room air was re-sampled. If removal of the materials reduced or eliminated indoor air contamination, an emission chamber was used to determine contaminant emission from the materials. Sources were identified in three of the sampled residences. Sampling in two of the residences was discontinued due to scheduling problems. Sources were not located in the remaining residences. The emission of contaminants from items identified as sources in two of the residences was measured using an emission chamber developed for this project. An ornament from residence U8-8452 emitted 36.4 ng/min/cm2 of 1,2 DCA. The emission of 1,2 DCA from a wedding dress located at residence U8-8211 was below the method detection limit of 1.99 pg/min/cm2 but the emission of PCE was 18.9 ng/min/cm2 and decreased by a factor of 7 during repeated measurements.
105

An Artificial Immune System Approach to Preserving Security in Computer Networks

Ranang, Martin Thorsen January 2002
It is believed that many of the mechanisms present in the biological immune system are well suited for adoption to the field of computer intrusion detection, in the form of artificial immune systems. In this report mechanisms in the biological immune system are introduced, their parallels in artificial immune systems are presented, and how they may be applied to intrusion detection in a computer environment is discussed. An artificial immune system is designed, implemented and applied to detect intrusive behavior in real network data in a simulated network environment. The effect of costimulation and clonal proliferation combined with somatic hypermutation to perform affinity maturation of detectors in the artificial immune system is explored through experiments. An exact expression for the probability of a match between two randomly chosen strings using the r-contiguous matching rule is developed. The use of affinity maturation makes it possible to perform anomaly detection by using smaller sets of detectors with a high level of specificity while maintaining a high level of cover and diversity, which increases the number of true positives, while keeping a low level of false negatives.
107

Detection of covert channel communications based on intentionally corrupted frame check sequences

Najafizadeh, Ali 01 July 2011
This thesis presents the establishment of a covert-channel in wireless networks in the form of frames with intentionally corrupted Frame Check Sequences (FCSs). Previous works had alluded to the possibility of using this kind of covert-channel as an attack vector. We modify a simulation tool, called Sinalgo, which is used as a test bed for generating hypothetical scenarios for establishing a covert-channel. Single and Multi-Agent systems have been proposed as behaviour-based intrusion detection mechanisms, which utilize statistical information about network traffic. This utilized statistical information is used to detect covert-channel communications. This work highlights the potential impact of having this attack perpetrated in communications equipment with a low chance of being detected, if properly crafted. / UOIT
108

Les amas sulfurés à zinc-cuivre archéens du Lac Scott, Chibougamau, Québec / Archean zinc-copper sulfide deposits of Lac Scott, Chibougamau, Quebec

Carignan, Geneviève January 2010
The Lac Scott property is located about 20 kilometres west of the town of Chibougamau, in the Abitibi Subprovince. It lies on the northern flank of the Chibougamau anticline and includes the volcanic rocks directly north of the Chibougamau pluton. It is composed of an assemblage of volcanic and intrusive rocks. The rhyolite of the Waconichi Formation hosts the property's four volcanogenic massive sulfide lenses: the Selco-Scott lens, the 800 lens, the central lens and the west lens. They are distributed over two horizons. The Selco-Scott, 800 and west lenses are on the Selco horizon, while the central lens is located on the North horizon. The petrographic study of the mineralization made it possible to determine the mineralogical distribution across the different mineralized bodies. The main difference between the lenses is the percentage of the different minerals. Pyrite is the dominant mineral in all the lenses. Sphalerite is the most abundant economic mineral, at between 10 and 15%. Chalcopyrite is stable across the different bodies and represents about 5 to 10% of the sulfides. Two minerals show large variations in percentage, magnetite and pyrrhotite. Their distribution is variable, ranging from 2 to 10% for magnetite and from 1 to 25% for pyrrhotite. The west and central lenses are those that contain the most pyrrhotite and stockwork zones, and the 800 and central lenses are those that contain the most magnetite. Analysis of the sphalerite compositions showed that the central and west lenses have higher-temperature sphalerites. The combination of the mineralogical distribution, the type of mineralization and the sphalerite compositions made it possible to define a thermal gradient of the fluids, whose temperature increases toward the west. The sulfur isotopes are typical of Archean volcanogenic massive sulfides and made it possible to determine the formation temperature of the sulfides, which averages 275°C. The water depth of 600 metres at which the sulfide bodies formed could be defined from this boiling temperature. The Chibougamau pluton had a fairly limited influence on the mineralized bodies. It modified their textures, but it did not modify the sphalerite compositions or alter the sulfur isotopes of the sulfides. The pluton has little effect on the mineralization; it appears to be in chemical equilibrium with its environment. Regional metamorphism affected the volcanic rocks of the property, metamorphosing them to greenschist facies, but there is no indication that it disturbed the evolution of the lenses. AUTHOR'S KEYWORDS: Volcanogenic massive sulfides, Metamorphism, Intrusion, Abitibi, Chibougamau.
109

A Fuzzy-logic based Alert Prioritization Engine for IDSs: Architecture and Configuration

Alsubhi, Khalid January 2008
Intrusion Detection Systems (IDSs) are designed to monitor a networked environment and generate alerts whenever abnormal activities are detected. The number of these alerts can be very large making their evaluation by security analysts a difficult task. The management is complicated by the need to configure the different components of alert evaluation systems. In addition, IDS alert management techniques, such as clustering and correlation, suffer from involving unrelated alerts in their processes and consequently provide results that are inaccurate and difficult to manage. Thus, the tuning of an IDS alert management system in order to provide optimal results remains a major challenge, which is further complicated by the large spectrum of potential attacks the system can be subject to. This thesis considers the specification and configuration issues of FuzMet, a novel IDS alert management system which employs several metrics and a fuzzy-logic based approach for scoring and prioritizing alerts. In addition, it features an alert rescoring technique that leads to a further reduction of the number of alerts. We study the impact of different configurations of the proposed metrics on the accuracy and completeness of the alert scores generated by FuzMet. Our approach is validated using the 2000 DARPA intrusion detection scenario specific datasets and comparative results between the Snort IDS alert scoring and FuzMet alert prioritization scheme are presented. A considerable number of simulations were conducted in order to determine the optimal configuration of FuzMet with selected simulation results presented and analyzed.
110

An Analysis and Comparison of The Security Features of Firewalls and IDSs

Sulaman, Sardar Muhammad January 2011
In the last few years we have observed a significant increase in the usage of computing devices and their capabilities to communicate with each other. With the increase in usage and communicating capabilities, a higher level of network security is also required. Today the main devices used for network security are firewalls and IDS/IPS that provide perimeter defense. Both devices provide many overlapping security features but they have different aims, different protection potential and need to be used together. A firewall is an active device that implements ACLs and restricts unauthorized access to protected resources. An IDS only provides information for further necessary actions, not necessarily perimeter related, but some of these needed actions can be automated, such as automatic blocking in the firewall of attacking sites, which creates an IPS. This thesis report analyzed some common firewall and IDS products, and described their security features, functionalities, and limitations in detail. It also contains a comparison of the security features of both devices. The firewall and IDS perform different functions for network security, so they should be used in a layered defense architecture. Passwords, firewalls, IDSs/IPSs and physical security all together provide a layered defense and complement each other. The firewall and IDS alone cannot offer sufficient network protection against network attacks, and they should be used together to enhance the defense-in-depth or layered approach.
