171
Abstracting and correlating heterogeneous events to detect complex scenarios
Panichprecha, Sorot (January 2009)
The research presented in this thesis addresses inherent problems in signature-based intrusion detection systems (IDSs) operating in heterogeneous environments. The research proposes a solution to address the difficulties associated with multi-step attack scenario specification and detection for such environments. The research has focused on two distinct problems: the representation of events derived from heterogeneous sources, and multi-step attack specification and detection. The first part of the research investigates the application of an event abstraction model to event logs collected from a heterogeneous environment. The event abstraction model comprises a hierarchy of events derived from different log sources such as system audit data, application logs, captured network traffic, and intrusion detection system alerts. Unlike existing event abstraction models, where low-level information may be discarded during the abstraction process, the event abstraction model presented in this work preserves all low-level information as well as providing high-level information in the form of abstract events. The event abstraction model presented in this work was designed independently of any particular IDS and thus may be used by any IDS, intrusion forensic tool, or monitoring tool. The second part of the research investigates the use of unification for multi-step attack scenario specification and detection. Multi-step attack scenarios are hard to specify and detect as they often involve the correlation of events from multiple sources which may be affected by time uncertainty. The unification algorithm provides a simple and straightforward scenario matching mechanism by using variable instantiation, where variables represent events as defined in the event abstraction model. The third part of the research looks into a solution to address time uncertainty. Clock synchronisation is crucial for detecting multi-step attack scenarios which involve logs from multiple hosts.
Issues involving time uncertainty have been largely neglected by intrusion detection research. The system presented in this research introduces two techniques for addressing time uncertainty issues: clock skew compensation and clock drift modelling using linear regression. An off-line IDS prototype for detecting multi-step attacks has been implemented. The prototype comprises two modules: an implementation of the abstract event system architecture (AESA) and the scenario detection module. The scenario detection module implements our signature language, developed on the basis of the Python programming language syntax, and the unification-based scenario detection engine. The prototype has been evaluated using a publicly available dataset of real attack traffic and event logs and a synthetic dataset. The distinct feature of the public dataset is that it contains multi-step attacks which involve multiple hosts with clock skew and clock drift. These features allow us to demonstrate the application and the advantages of the contributions of this research. All instances of multi-step attacks in the dataset have been correctly identified even though there is significant clock skew and drift in the dataset. Future work identified by this research would be to develop a refined unification algorithm suitable for processing streams of events to enable on-line detection. In terms of time uncertainty, identified future work would be to develop mechanisms which allow automatic clock skew and clock drift identification and correction. The immediate application of the research presented in this thesis is the framework of an off-line IDS which processes events from heterogeneous sources using abstraction and which can detect multi-step attack scenarios which may involve time uncertainty.
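The two mechanisms the abstract describes, a linear-regression clock model per host and unification of variables across abstract events, as an added example that is not the thesis prototype or its Python-syntax signature language. Host timestamps are fitted against a reference clock by least squares (offset = skew, rate minus one = drift), mapped back to reference time, and a three-step scenario is then matched by binding variables across abstract events that keep the raw log line. The log formats, host names, addresses, calibration pairs and the scenario itself are constructed for the example.

```python
"""Clock-drift compensation plus unification-based scenario matching over
abstract events. Added example, not the thesis prototype: the log formats,
host names, addresses and calibration pairs below are constructed."""
import re

# Constructed raw logs. The firewall is the reference clock. web01's clock is
# offset by -300 s and runs 200 ppm fast, so its lines carry "earlier" times.
FW_LOG = ["1000.0 SCAN src=10.0.0.9 dst=10.0.0.5 ports=22,80,443"]
WEB01_LOG = [
    "730.206 sshd: Failed password for admin from 10.0.0.9",
    "740.208 sshd: Failed password for admin from 10.0.0.9",
    "750.210 sshd: Accepted password for admin from 10.0.0.9",
]
# (reference time, web01 time) pairs from periodic sync probes (constructed).
WEB01_CALIBRATION = [(0.0, -300.0), (500.0, 200.1), (1000.0, 700.2), (2000.0, 1700.4)]
HOST_IP = {"web01": "10.0.0.5"}  # constructed inventory


def fit_clock(pairs):
    """Least-squares fit host_time = offset + rate * ref_time.
    offset is the skew, rate - 1 the drift."""
    n = len(pairs)
    mx = sum(x for x, _ in pairs) / n
    my = sum(y for _, y in pairs) / n
    sxx = sum((x - mx) ** 2 for x, _ in pairs)
    sxy = sum((x - mx) * (y - my) for x, y in pairs)
    rate = sxy / sxx
    return my - rate * mx, rate


def to_reference(t_host, clock):
    offset, rate = clock
    return (t_host - offset) / rate


def abstract_fw(line):
    m = re.match(r"(\S+) SCAN src=(\S+) dst=(\S+)", line)
    return {"type": "portscan", "src": m[2], "dst": m[3],
            "t": float(m[1]), "host": "fw", "raw": line}


def abstract_sshd(line, host, clock):
    m = re.match(r"(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)", line)
    return {"type": "login_fail" if m[2] == "Failed" else "login_ok",
            "src": m[4], "dst": HOST_IP[host], "user": m[3],
            "t": to_reference(float(m[1]), clock), "host": host, "raw": line}


def unify(pattern, event, bindings):
    """Return extended bindings if the event matches the pattern, else None.
    Strings starting with '?' are variables; a bound variable must match."""
    b = dict(bindings)
    for key, pat in pattern.items():
        if key not in event:
            return None
        if isinstance(pat, str) and pat.startswith("?"):
            if b.setdefault(pat, event[key]) != event[key]:
                return None
        elif pat != event[key]:
            return None
    return b


def match_scenario(scenario, events, window):
    """Depth-first search for a chronological instance of the scenario within
    `window` seconds, threading the variable bindings through every step."""
    events = sorted(events, key=lambda e: e["t"])

    def search(step, start, bindings, matched):
        if step == len(scenario):
            return bindings, matched
        for j in range(start, len(events)):
            if matched and events[j]["t"] - matched[0]["t"] > window:
                break
            b = unify(scenario[step], events[j], bindings)
            if b is not None:
                found = search(step + 1, j + 1, b, matched + [events[j]])
                if found:
                    return found
        return None

    return search(0, 0, {}, [])


SCAN_BRUTEFORCE_SUCCESS = [
    {"type": "portscan", "src": "?attacker", "dst": "?target"},
    {"type": "login_fail", "src": "?attacker", "dst": "?target"},
    {"type": "login_ok", "src": "?attacker", "dst": "?target"},
]


def detect(correct_clock=True):
    clock = fit_clock(WEB01_CALIBRATION) if correct_clock else (0.0, 1.0)
    events = [abstract_fw(l) for l in FW_LOG]
    events += [abstract_sshd(l, "web01", clock) for l in WEB01_LOG]
    return match_scenario(SCAN_BRUTEFORCE_SUCCESS, events, window=120.0)


if __name__ == "__main__":
    print("raw clocks:", detect(correct_clock=False))
    print("compensated:", detect(correct_clock=True))
```

With raw timestamps the sshd events sort before the scan, so the ordered scenario has no instance; after compensation the same events line up as scan, failure, success, and the bindings name the attacker and target. Each abstract event still carries its raw line, which is the property the abstract stresses for forensic use.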

172
Establishing the Software-Defined Networking Based Defensive System in Clouds (January 2014)
Cloud computing is regarded as one of the most revolutionary technologies of the past decades. It provides scalable, flexible and secure resource provisioning services, which is also the reason why users prefer to migrate their locally processed workloads onto remote clouds. Besides commercial cloud systems (e.g., Amazon EC2), ProtoGENI and PlanetLab have further improved the current Internet-based resource provisioning system by allowing end users to construct a virtual networking environment. Pursuing a similar goal but with more flexible and efficient performance, I present the design and implementation of MobiCloud, a geo-distributed mobile cloud computing platform, and G-PLaNE, which focuses on how to construct the virtual networking environment upon a self-designed resource provisioning system consisting of multiple geo-distributed clusters. Furthermore, I conduct a comprehensive study to lay out existing Mobile Cloud Computing (MCC) service models and the corresponding representative related work. A new user-centric mobile cloud computing service model is proposed to advance existing mobile cloud computing research.
After building MobiCloud and G-PLaNE and studying the MCC model, I have been using Software Defined Networking (SDN) approaches to enhance system security in the cloud virtual networking environment. I present an OpenFlow-based IPS solution called SDNIPS that includes a new IPS architecture based on Open vSwitch (OVS) in the cloud software-based networking environment. It is enabled with elastic service provisioning and Network Reconfiguration (NR) features based on the POX controller. Finally, SDNIPS demonstrates its feasibility and shows more efficiency than traditional approaches through a thorough evaluation.
At last, I propose an OpenFlow-based defensive module composition framework called CloudArmour that is able to perform query, aggregation, analysis, and control functions over distributed OpenFlow-enabled devices. I propose several modules and use the DDoS attack as an example to illustrate how to compose a comprehensive defensive solution based on the CloudArmour framework. I introduce a total of 20 Python-based CloudArmour APIs. Finally, evaluation results prove the feasibility and efficiency of the CloudArmour framework. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2014
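The query, aggregation, analysis and control stages described above, composed into one DDoS-handling pipeline, as an added example. It is not CloudArmour's API or POX code: the modules are plain functions chained over a shared context, the flow-statistics snapshots stand in for replies from OpenFlow switches, and the switch ids, addresses, counters, thresholds and flow-mod field names are all constructed (the empty action list follows the OpenFlow 1.0 convention that a rule with no actions drops).

```python
"""Query -> aggregate -> analyze -> control over OpenFlow flow statistics.
Added example in the spirit of the module composition described above; it is
not CloudArmour's API. Switch ids, addresses, counters and thresholds are
constructed, and the flow-mod dicts mirror OpenFlow 1.0 fields only loosely."""
from collections import defaultdict

# Two flow-table snapshots taken 10 s apart, as a controller would collect
# from OFPST_FLOW replies: (switch, nw_src, nw_dst, packet_count). Constructed.
INTERVAL_S = 10.0
SNAPSHOT_T0 = [
    ("sw1", "10.1.0.1", "10.0.0.80", 1000), ("sw1", "10.1.0.2", "10.0.0.80", 1000),
    ("sw2", "10.1.0.3", "10.0.0.80", 1000), ("sw2", "10.1.0.4", "10.0.0.80", 1000),
    ("sw2", "10.0.0.50", "10.0.0.80", 100), ("sw2", "10.0.0.50", "10.0.0.81", 40),
]
SNAPSHOT_T1 = [
    ("sw1", "10.1.0.1", "10.0.0.80", 6000), ("sw1", "10.1.0.2", "10.0.0.80", 6000),
    ("sw2", "10.1.0.3", "10.0.0.80", 6000), ("sw2", "10.1.0.4", "10.0.0.80", 6000),
    ("sw2", "10.0.0.50", "10.0.0.80", 150), ("sw2", "10.0.0.50", "10.0.0.81", 70),
]


def query(ctx):
    """Query module: turn the two stats replies into per-flow packet rates."""
    before = {(sw, s, d): n for sw, s, d, n in ctx["t0"]}
    ctx["rates"] = [(sw, s, d, (n - before.get((sw, s, d), 0)) / ctx["interval"])
                    for sw, s, d, n in ctx["t1"]]
    return ctx


def aggregate(ctx):
    """Aggregation module: fold rates by destination across all switches."""
    agg = defaultdict(lambda: {"pps": 0.0, "sources": {}, "switches": set()})
    for sw, s, d, pps in ctx["rates"]:
        a = agg[d]
        a["pps"] += pps
        a["sources"][s] = a["sources"].get(s, 0.0) + pps
        a["switches"].add(sw)
    ctx["by_dst"] = dict(agg)
    return ctx


def analyze(ctx):
    """Analysis module: a destination is under DDoS when its aggregate rate
    and its number of distinct sources both exceed the thresholds."""
    ctx["verdicts"] = [
        {"dst": d, "pps": a["pps"],
         "attackers": sorted(s for s, r in a["sources"].items() if r > ctx["src_pps"])}
        for d, a in ctx["by_dst"].items()
        if a["pps"] > ctx["dst_pps"] and len(a["sources"]) >= ctx["min_sources"]
    ]
    return ctx


def control(ctx):
    """Control module: install drop rules (empty action list) for each
    attacking source on the switch where its flow was seen."""
    mods = []
    for v in ctx["verdicts"]:
        for sw, s, d, _ in ctx["rates"]:
            if d == v["dst"] and s in v["attackers"]:
                mods.append({"dpid": sw, "priority": 100, "idle_timeout": 60,
                             "match": {"nw_src": s, "nw_dst": d}, "actions": []})
    ctx["flow_mods"] = mods
    return ctx


def compose(*modules):
    """Chain modules so each consumes and extends the shared context."""
    def pipeline(ctx):
        for m in modules:
            ctx = m(ctx)
        return ctx
    return pipeline


def run_ddos_pipeline(t0=SNAPSHOT_T0, t1=SNAPSHOT_T1):
    ctx = {"t0": t0, "t1": t1, "interval": INTERVAL_S,
           "dst_pps": 1000.0, "min_sources": 3, "src_pps": 50.0}
    return compose(query, aggregate, analyze, control)(ctx)


if __name__ == "__main__":
    out = run_ddos_pipeline()
    for v in out["verdicts"]:
        print("DDoS on", v["dst"], "attackers:", v["attackers"])
    for m in out["flow_mods"]:
        print("flow_mod", m["dpid"], m["match"])
```

The per-source threshold in the control stage is what keeps the legitimate low-rate client (10.0.0.50 in the constructed data) reachable while the four high-rate sources are dropped at the switch that carries them; dropping everything addressed to the victim would complete the denial of service on the attacker's behalf.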

173
Etudes des propriétés hydromécaniques des sols argileux non saturés proches de la saturation / The study of the hydromechanical properties of unsaturated clayey soils close to saturation
Li, Zhong-Sen (12 March 2015)
This thesis presents an experimental study of an unsaturated clayey soil close to saturation, whose degree of saturation is generally above 70%. After characterizing the physical and mechanical properties of the material, several experimental methods were used to study the behaviour and some pathologies of the compacted soil, such as rutting and quilting. A systematic study of the behaviour of the compacted soil on drying-wetting paths starting from different initial states was carried out, completed by suction measurements using filter paper and a psychrometer. Mercury intrusion porosimetry tests gave an insight into the soil microstructure. The thesis also addressed the question of the pore pressure variations of the compacted soil on an undrained triaxial path using the axis-translation technique, where some improvements and modifications of the testing device were proposed.

174
Enhanced Prediction of Network Attacks Using Incomplete Data
Arthur, Jacob D. (01 January 2017)
For years, intrusion detection has been considered a key component of many organizations’ network defense capabilities. Although a number of approaches to intrusion detection have been tried, few have been capable of providing security personnel responsible for the protection of a network with sufficient information to make adjustments and respond to attacks in real-time. Because intrusion detection systems rarely have complete information, false negatives and false positives are extremely common, and thus valuable resources are wasted responding to irrelevant events. In order to provide better actionable information for security personnel, a mechanism for quantifying the confidence level in predictions is needed. This work presents an approach which seeks to combine a primary prediction model with a novel secondary confidence level model which provides a measurement of the confidence in a given attack prediction being made. The ability to accurately identify an attack and quantify the confidence level in the prediction could serve as the basis for a new generation of intrusion detection devices, devices that provide earlier and better alerts for administrators and allow more proactive response to events as they are occurring.

175
Synthesis of Hydrophobic Zeolites for Energetic Applications / Synthèse de Zéolithes Hydrophobes pour des Applications en Energétique
Ronchi, Laura (17 October 2017)
Zeolites are microporous crystalline solids widely used in adsorption, catalysis, ion exchange and molecular sieving. Hydrophobic pure-silica zeolites (zeosils) can be used for mechanical energy absorption and storage by high-pressure intrusion-extrusion of water. Depending on the "zeosil-water" system, when the pressure is released (extrusion), the system is able to restore, dissipate or absorb the mechanical energy supplied during the compression step (intrusion) and therefore to display spring, shock-absorber or bumper behaviour. Recently, it was found that the use of aqueous salt solutions could considerably improve the energetic performance of such systems by increasing the intrusion pressure. In this work the intrusion of water and LiCl solutions was studied for different zeosils in order to understand the relationship between the structure of the zeosils (pore size, pore system type and dimensionality) and the behaviour or energetic performance of "zeosil-liquid" systems. The experiments with cage-type zeosils confirmed a lower intrusion pressure in comparison with channel-type ones. The intrusion pressure increases strongly with the LiCl content for zeosils with small pore openings, particularly the cage-type ones, while for larger pore openings this increase is smaller. An influence of salt concentration on the behaviour of "zeosil-liquid" systems, probably due to the particular nature of highly concentrated solutions, was also shown.

176
Increasing the Trustworthiness of AI-based In-Vehicle IDS using eXplainable AI
Lundberg, Hampus (January 2022)
An in-vehicle intrusion detection system (IV-IDS) is one of the protection mechanisms used to detect cyber attacks on electric or autonomous vehicles, where anomaly-based IDS solutions have the better potential for detecting attacks, especially zero-day attacks. Generally, an IV-IDS generates false alarms (falsely detecting normal data as attacks) because of the difficulty of differentiating between normal and attack data. This can lead to undesirable situations, such as increased laxness towards the system, or uncertainty in the event handling following a generated alarm. With the help of sophisticated Artificial Intelligence (AI) models, the IDS improves its chances of detecting attacks. However, the use of such a model comes at the cost of decreased interpretability, a trait that is argued to be of importance when ascertaining various other valuable desiderata, such as a model's trust, causality, and robustness. Because of the lack of interpretability in sophisticated AI-based IV-IDSs, it is difficult for humans to trust such systems, let alone know what actions to take when an IDS flags an attack. By using tools from the area of eXplainable AI (XAI), this thesis aims to explore what kind of explanations could be produced alongside model predictions to further increase the trustworthiness of AI-based IV-IDSs. Through a comparative survey, aspects related to trustworthiness and explainability are evaluated on a custom, pseudo-global, visualization-based explanation ("VisExp") and a rule-based explanation. The results show that VisExp increases the trustworthiness and enhances the explainability of the AI-based IV-IDS.
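What a rule-based explanation of the kind the abstract compares against looks like in practice, as an added example that is not the thesis' VisExp, its models or its data: a small anomaly detector learns the period, jitter and payload byte ranges of each CAN arbitration ID from a normal trace, and every alarm it raises carries the violated rules with observed and expected values, so an operator can see why a frame was flagged. The frame traces, IDs and the 3-sigma timing tolerance are constructed.

```python
"""Frequency- and payload-baseline anomaly IDS for CAN frames with a rule-based
explanation for every alarm. Added illustration, not the thesis' VisExp or its
models; the frame traces, IDs and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Frames as (time_ms, can_id, data_bytes). Constructed "normal" trace: 0x100
# every 10 ms with byte0 in 0x10..0x17, 0x200 every 20 ms with a fixed payload.
NORMAL_FRAMES = [(10.0 * i, 0x100, [0x10 + i % 8, 0x00]) for i in range(10)] + \
                [(20.0 * i, 0x200, [0x05, 0x05]) for i in range(5)]
# Constructed test trace: one injected 0x100 frame 1 ms after a genuine one,
# with an out-of-range byte0, followed by a frame with an ID never seen.
TEST_FRAMES = [
    (100.0, 0x100, [0x14, 0x00]),
    (101.0, 0x100, [0xFF, 0x00]),
    (110.0, 0x100, [0x12, 0x00]),
    (111.0, 0x300, [0x01]),
]
SIGMA = 3.0  # timing tolerance in units of jitter


def learn_baseline(frames):
    """Per CAN ID: expected period, jitter and the observed range of each byte."""
    last, gaps, lo, hi = {}, defaultdict(list), {}, {}
    for t, cid, data in sorted(frames, key=lambda f: f[0]):
        if cid in last:
            gaps[cid].append(t - last[cid])
        last[cid] = t
        lo.setdefault(cid, list(data))
        hi.setdefault(cid, list(data))
        for i, b in enumerate(data):
            lo[cid][i], hi[cid][i] = min(lo[cid][i], b), max(hi[cid][i], b)
    base = {}
    for cid, g in gaps.items():
        period = mean(g)
        # never allow a zero tolerance: a perfectly regular training trace
        # would otherwise flag every scheduling wobble on the real bus
        base[cid] = {"period": period, "jitter": max(pstdev(g), 0.1 * period),
                     "lo": lo[cid], "hi": hi[cid]}
    return base


def explain(frame, prev_t, base):
    """Return the list of violated rules, each with observed and expected values."""
    t, cid, data = frame
    if cid not in base:
        return [{"rule": "unknown_id", "observed": hex(cid), "expected": "a learned ID"}]
    b, rules = base[cid], []
    if prev_t is not None:
        gap = t - prev_t
        if abs(gap - b["period"]) > SIGMA * b["jitter"]:
            rules.append({"rule": "timing", "observed": gap,
                          "expected": f"{b['period']:.1f} +/- {SIGMA * b['jitter']:.1f} ms"})
    for i, v in enumerate(data):
        if i >= len(b["lo"]) or not b["lo"][i] <= v <= b["hi"][i]:
            exp = "no such byte" if i >= len(b["lo"]) else f"0x{b['lo'][i]:02x}..0x{b['hi'][i]:02x}"
            rules.append({"rule": "payload", "byte": i, "observed": v, "expected": exp})
    return rules


def run_ids(frames, base):
    """Stream frames through the detector; every alarm carries its explanation."""
    last, alarms = {}, []
    for frame in sorted(frames, key=lambda f: f[0]):
        t, cid, _ = frame
        rules = explain(frame, last.get(cid), base)
        last[cid] = t
        if rules:
            alarms.append({"t": t, "id": hex(cid), "rules": rules})
    return alarms


if __name__ == "__main__":
    for a in run_ids(TEST_FRAMES, learn_baseline(NORMAL_FRAMES)):
        print(a["t"], a["id"], [r["rule"] for r in a["rules"]])
```

The injected frame is explained by two rules at once (it arrived 1 ms after the previous 0x100 instead of about 10 ms, and byte 0 is outside the learned range), while the genuine frame that follows it 9 ms later stays within the timing tolerance and raises nothing; that is the kind of per-alarm reasoning a deep-learning IV-IDS does not provide on its own.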

177
Evaluating the efficiency of Host-based Intrusion Detection Systems protecting web applications
Willerton, Adam; Gustafsson, Rasmus (January 2022)
Background. Web applications are an ever more significant part of our digital experience, and the number of users keeps growing. Social media users alone account for more than half of the world's population. Therefore these applications have become a lucrative target for attackers, and we have seen several attacks against them. In one such example attackers managed to compromise a Twitter account [15], leading to false information being published and causing the New York Stock Exchange to drop 150 points, erasing 136 billion dollars in equity market value. There are methods to protect web applications, such as web application firewalls or content security policies. Still, another candidate for defending these applications is Host-based Intrusion Detection Systems (HIDS). This study aims to assess the efficiency of such HIDS when defending web applications. Objectives. The main objective of the thesis is to create a model for evaluating the efficiency of a HIDS when protecting web applications. Additionally, we test two open-source HIDS against web applications built to emulate a vulnerable environment and measure the efficiency of these HIDS with that model. Methods. To reach the objectives of our thesis, a literature review regarding which metrics to use to evaluate the efficiency of a HIDS was conducted. This allowed us to construct a model with which we evaluated the efficiency of our selected HIDS. In this model we use 3 categories, each containing multiple metrics. Once completed, the environment hosting our vulnerable applications and their HIDS was set up, followed by the attacks on the applications. The data generated by the HIDS gave us what was required to make our efficiency evaluation, which was performed through the lens of the model. Results. The results show a low overall efficiency from the two HIDS in the attack detection category. The more efficient of the two could be determined: of the two evaluated, Wazuh and Samhain, we determined Wazuh to be the more efficient HIDS. We identified several components required to improve their attack detection. Conclusions. Through the use of our model, we concluded that the HIDS Wazuh had higher efficiency than the HIDS Samhain. However, both HIDS performed poorly in their ability to detect attacks. Some specific components need to be implemented within these systems before they can reliably be used for defending web applications.

178
A novel intrusion detection system (IDS) architecture. Attack detection based on Snort for multistage attack scenarios in a multi-cores environment.
Pagna Disso, Jules F. (January 2010)
Recent research has indicated that although security systems are developing, illegal intrusion into computers is on the rise. The research conducted here illustrates that improving intrusion detection and prevention methods is fundamental to improving the overall security of systems.
This research includes the design of a novel Intrusion Detection System (IDS) which identifies four levels of visibility of attacks. Two major areas of security concern were identified: the speed and volume of attacks, and the complexity of multistage attacks. Hence, the Multistage Intrusion Detection and Prevention System (MIDaPS) designed here is made of two fundamental elements: a multistage attack engine that depends heavily on attack trees, and a Denial of Service engine. MIDaPS was tested and found to improve current intrusion detection and processing performance.
After an intensive literature review, over 25 GB of data was collected on honeynets. This was then used to analyse the complexity of attacks in a series of experiments. Statistical and analytic methods were used to design the novel MIDaPS.
Key findings indicate that a system needs to be protected against attacks at 4 different levels. Hence, MIDaPS is built with 4 levels of protection. As recent attack vectors use legitimate actions, MIDaPS uses a novel approach of attack trees to trace the attacker's actions. MIDaPS was tested and results suggest an improvement to current system performance by 84% whilst detecting DDoS attacks within 10 minutes.

179
ARROS: Distributed Adaptive Real-Time Network Intrusion Response
Karunanidhi, Karthikeyan (14 April 2006)
No description available.

180
Intrusion Detection and Recovery of a Cyber-Power System
Zhu, Ruoxi (06 June 2024)
The advent of Information and Communications Technology (ICT) in power systems has revolutionized the monitoring, operation, and control mechanisms through advanced control and communication functions. However, this integration significantly elevates the vulnerability of modern power systems to cyber intrusions, posing severe risks to the integrity and reliability of the power grid. This dissertation presents the results of a comprehensive study into the detection of cyber intrusions and restoration of cyber-power systems post-attack with a focus on IEC 61850 based substations and recovery methodologies in the cyber-physical system framework.
The first step of this study is to develop a novel Intrusion Detection System (IDS) specifically designed for deployment in automated substations. The proposed IDS effectively identifies falsified measurements within Manufacturing Messaging Specification (MMS) messages by verifying the consistency of electric circuit laws. This distributed approach helps avoid the transfer of contaminated measurements from substations to the control center, ensuring the integrity of SCADA systems. Utilizing a cyber-physical system testbed and the IEEE 39-bus test system, the IDS demonstrates high detection accuracy and validates its efficacy in real-time operational environments.
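The consistency check the abstract describes, verifying reported measurements against electric circuit laws so that a falsified value is caught before it reaches the control center, as an added example that is not the dissertation's IDS or its MMS decoder. Real-power balance is checked at each bus (what flows in must flow out, within metering tolerance) and each two-ended line is checked end against end (the two meters must agree up to losses); a measurement is named as the suspect when it takes part in exactly the failing checks. The one-line topology, measurement names and MW values are constructed, as is the assumption that the values have already been decoded from MMS reports.

```python
"""Circuit-law consistency check on substation measurements, in the spirit of
the MMS-message verification described above. Added example, not the
dissertation's IDS; topology, measurement names and MW values are constructed."""

# Constructed one-line diagram: bus A (generator G, lines to B and C) and
# bus B (line from A, line to D, local load). Every value is a real-power
# measurement in MW as decoded from an MMS report. Sign convention: injections
# positive into the bus, branch flows positive leaving the bus they are
# measured at.
HONEST = {"P_G": 100.0, "P_AB": 60.0, "P_AC": 40.0,
          "P_BA": -59.0, "P_BD": 29.0, "P_loadB": 30.0}
BUSES = {  # bus -> (injection measurements, outgoing-flow measurements)
    "A": (["P_G"], ["P_AB", "P_AC"]),
    "B": ([], ["P_BA", "P_BD", "P_loadB"]),
}
LINES = {"AB": ("P_AB", "P_BA")}  # two-ended lines: flow measured at both ends
BALANCE_TOL_MW = 2.0    # allows metering error
LINE_LOSS_TOL_MW = 2.0  # allows series losses between the two meters


def residuals(meas):
    """Kirchhoff-style power balance per bus plus end-to-end line consistency."""
    res = {}
    for bus, (inj, out) in BUSES.items():
        res["balance_" + bus] = sum(meas[m] for m in inj) - sum(meas[m] for m in out)
    for line, (end1, end2) in LINES.items():
        res["line_" + line] = meas[end1] + meas[end2]  # ~losses when honest
    return res


def check_members():
    """Which measurements take part in which check (used for localisation)."""
    members = {}
    for bus, (inj, out) in BUSES.items():
        for m in inj + out:
            members.setdefault(m, set()).add("balance_" + bus)
    for line, ends in LINES.items():
        for m in ends:
            members.setdefault(m, set()).add("line_" + line)
    return members


def verify_measurements(meas):
    """Flag inconsistent reports and name the measurements that, on their own,
    explain every failing check and no passing one."""
    res = residuals(meas)
    failing = {c for c, r in res.items()
               if abs(r) > (LINE_LOSS_TOL_MW if c.startswith("line_") else BALANCE_TOL_MW)}
    suspects = sorted(m for m, checks in check_members().items()
                      if failing and checks == failing)
    return {"consistent": not failing, "residuals": res,
            "failing": sorted(failing), "suspects": suspects}


if __name__ == "__main__":
    print(verify_measurements(HONEST))
    print(verify_measurements(dict(HONEST, P_AB=90.0)))  # falsified flow report
```

A falsified line flow fails both the bus balance and the end-to-end line check and is therefore pinpointed; a falsified generator injection fails only the bus balance, and the check can then only narrow the suspect to the measurements on that bus, which is why meters at both line ends matter for localisation.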
Building upon the intrusion detection methodology, this dissertation advances into cyber system recovery strategies, which are designed to meet the challenges of restoring a power grid as a cyber-physical system following catastrophic cyberattacks. A novel restoration strategy is proposed, emphasizing the self-recovery of a substation automation system (SAS) within the substation through dynamic network reconfiguration and collaborative efforts among Intelligent Electronic Devices (IEDs). This strategy, validated through a cyber-power system testbed incorporating SDN technology and IEC 61850 protocol, highlights the critical role of cyber recovery in maintaining grid resilience.
Further, this research extends its methodology to include a cyber-physical system restoration strategy that integrates an optimization-based multi-system restoration approach with cyber-power system simulation for constraint checking. This strategy, developed and validated using a Software Defined Networking (SDN) network for the IEEE 39-bus system, demonstrates the capability to efficiently restore the cyber-power system and maximize restoration capability following a large-scale cyberattack.
Overall, this dissertation makes original contributions to the field of power system security by developing and validating effective mechanisms for the detection of and recovery from cyber intrusions in the cyber-power system. Here are the main contributions of this dissertation:
1) This work develops a distributed IDS, specifically designed for the substation automation environment, capable of pinpointing the targets of cyberattacks, including sophisticated attacks involving multiple substations. The effectiveness of this IDS in a real-time operational context is validated to demonstrate its efficiency and potential for widespread deployment.
2) A novel recovery strategy is proposed to restore the critical functions of substations following cyberattacks. This strategy emphasizes local recovery procedures that leverage the collaboration of devices within the substation network, circumventing the need for external control during the initial recovery phase. The implementation and validation of this method through a cyber-physical system testbed—specifically, within an IEC 61850 based Substation Automation System (SAS)—underscores its practicality and effectiveness in real-world scenarios.
3) The dissertation develops a new co-restoration strategy that integrates mixed integer linear programming to sequentially optimize the restoration of generators, power components, and communication nodes. This approach ensures optimal restoration decisions within a limited time horizon, enhancing the recovery capabilities of the cyber-power system. The application of an SDN based network simulator facilitates accurate modeling of cyber-power system interactions, including communication constraints and dynamic restoration scenarios. The strategy's adaptability is further improved by real-time assessment of the feasibility of the restoration sequence, incorporating power flow and communication network constraints to ensure an effective recovery process. / Doctor of Philosophy / Electricity is a critical service that supports society and the economy. Today, electric power systems are becoming smarter, using advanced Information and Communications Technology to manage and distribute electricity more efficiently. This new technology creates a smart grid, a network that not only delivers power but also uses computers and other tools to remotely monitor electricity flows and address any issues that may arise. However, these highly connected systems built on information and communication technology can be vulnerable to cyberattacks, which could disrupt the electricity supply.
To protect against these threats, this study focuses on creating systems that can detect when an abnormal condition is taking place in the cyber-power grid. These detection systems are designed to detect and identify signs of cyberattacks at key points in the power network, particularly at substations, which play a vital role in the delivery of electricity. Substations control the power grid operating conditions to make sure that electricity service is reliable and efficient for consumers. Just like traffic lights help manage the flow of vehicles, substations manage the flow of electricity to make sure electric energy is delivered to where it is needed.
Once a cyberattack is detected, the next step is to stop the attack and mitigate the impact it may have made to ensure that the power grid returns to normal operations as quickly as possible. This dissertation is concerned with the development and validation of analytical and computational methods to quickly identify cyberattacks and prevent disruptions to the electricity service.
This work also focuses on a coordinated recovery of both the cyber system (digital controls and monitoring) and the power system (physical infrastructure including transformers and transmission and distribution lines). This co-restoration approach is key to sustaining the critical electricity service and ensures that the grid is resilient against cyber threats. By developing strategies that address both the cyber and physical aspects, the proposed methodology aims to minimize downtime and reduce the impact of large-scale cyberattacks on the electrical infrastructure. The impact of the results of this dissertation is the enhancement of the security and resilience of the electric energy supply in an era where the risks of cyber threats are increasing significantly.
Overall, by developing new methodologies to detect and respond to cyberattacks, the cyber-power system's capability to withstand and recover from cyberattacks is enhanced in the increasingly technology-dependent power grid environment.