21. Behavior-based Worm Detection. Stafford, John. January 2012.
The Internet has become a core component of our lives and businesses.
Its reliability and availability are of paramount importance. There are many types of malware that impact the availability of the Internet,
including network worms, bot-nets, viruses, etc. Detecting such attacks is a critical component of defending against them. This dissertation focuses on detecting and understanding self-propagating network worms, a type of malware with a proven record of disrupting the Internet. According to
22. Rejection, Rumination, and Revenge: a Test of the Relational Goal Pursuit Theory of Stalking Perpetration. Fay, Benjamin A. 11 August 2012.
Applying Relational Goal Pursuit Theory (RGT), the present study examined the motivations for obsessive relational intrusion (ORI). Participants (n = 509) were randomly assigned to conditions that 1) primed relational or retaliatory goals, then 2) exposed them to a negative romantic relationship vignette (relationship disappointment vs. explicit rejection vs. “nice” rejection), and 3) then either induced them to ruminate about the vignette events or did not. Participants reported how likely they would be to think about pursuit (e.g., frequent calls) and aggressive (e.g., threats) ORI. Contrary to expectations, rejection elicited less ORI than the relationship disappointment condition. However, it was found that 1) the ORI scale broke into a three-factor, instead of two-factor, model of pursuit, aggressive, and surveillance behavior, and 2) that motivations for each type varied. Relational goals predicted pursuit. Retaliation predicted aggression. Motives for surveillance behaviors were linked to both desires for revenge and reconciliation.
23. A Lightweight Intrusion Detection System for the Cluster Environment. Liu, Zhen. 02 August 2002.
As clusters of Linux workstations have gained in popularity, security in this environment has become increasingly important. While prevention methods such as access control can enhance the security level of a cluster system, intrusions are still possible and therefore intrusion detection and recovery methods are necessary. In this thesis, a system architecture for an intrusion detection system in a cluster environment is presented. A prototype system called pShield based on this architecture for a Linux cluster environment is described and its capability to detect unique attacks on MPI programs is demonstrated. The pShield system was implemented as a loadable kernel module that uses a neural network classifier to model normal behavior of processes. A new method for generating artificial anomalous data is described that uses a limited amount of attack data in training the neural network. Experimental results demonstrate that using this method rather than randomly generated anomalies reduces the false positive rate without compromising the ability to detect novel attacks. A neural network with a simple activation function is used in order to facilitate fast classification of new instances after training and to ease implementation in kernel space. Our goal is to classify the entire trace of a program's execution based on neural network classification of short sequences in the trace. Therefore, the effect of anomalous sequences in a trace must be accumulated. Several trace classification methods were compared. The results demonstrate that methods that use information about locality of anomalies are more effective than those that only look at the number of anomalies. The impact of pShield on system performance was evaluated on an 8-node cluster. Although pShield adds some overhead for each API call for MPI communication, the experimental results show that a real world parallel computing benchmark was slowed only slightly by the intrusion detection system.
The results demonstrate the effectiveness of pShield as a light-weight intrusion detection system in a cluster environment. This work is part of the Intelligent Intrusion Detection project of the Center for Computer Security Research at Mississippi State University.
24. Fracture characterization in magmatic rock, a case study of the Sosa-dyke (Neuquén Basin, Argentina). Jim, Nilsson. January 2020.
There are many examples worldwide where fossil magmatic intrusions influence the local water and energy supply. This is because intrusions can act as a conductor and a reservoir, but also as a barrier for fluids and gases in the ground. The decisive feature that makes an intrusion a conductor or a barrier is its fracture network. Hence it is of paramount importance to characterize an intrusion's fracture network and thus its permeability. However, other than through boreholes, magmatic intrusions are rather inaccessible, and very little is known about their influence on aquifers and reservoir rocks underground. It is therefore important to increase the knowledge of magmatic intrusions by investigating the intrusions that are accessible to us at the ground surface. In this study, photos from a case study of the Sosa dyke have been used to map and characterize the fractures of the Sosa dyke, which is an accessible vertical magmatic intrusion and a part of the Chachahuén volcano complex in the southwestern parts of Argentina. The photos that were used were taken with a UAV (unmanned aerial vehicle), and to analyze the photos, map the fractures and produce the results, software such as Agisoft Metashape, MOVE™ and MATLAB with the FracPaQ toolbox was used. The intrusion has two distinct fracture sets, one that is perpendicular to the intrusion margins and one that stretches parallel to the intrusion. The connectivity of the fractures is low, and since the permeability of the fractures largely depends on the connectivity, it is also low. The fracture set that is perpendicular to the intrusion margin consists of so-called cooling fractures, which are created as the magma in the intrusion cools. This causes the magma to contract and break, forming fractures perpendicular to the inward migrating solidification front. The fracture set that is parallel to the intrusion is caused by minerals in the magma flow being affected by friction from the intrusion margins. This causes the minerals in the magma to elongate in the direction of flow along the sides of the dyke, creating foliation along which fractures can propagate. These fracture sets are poorly connected, which leads to the conclusion that the mapped area of the Sosa dyke has a low permeability.

Swedish abstract (translated): Worldwide there are many examples where solidified magmatic intrusions affect an area's water and energy supply, because intrusions can act as conductors and reservoirs but also as barriers for fluids and gases in the ground. The decisive factor between conductor and barrier in an intrusion is its fracture network. It is therefore important to map and characterize an intrusion's fracture network and thereby also gain an understanding of its permeability. Apart from through boreholes, magmatic intrusions are often hard to access, so there is very little information on how they affect aquifers and reservoirs in the ground. It is therefore important to increase knowledge of magmatic intrusions by investigating the intrusions that are accessible at the ground surface. In this study, images from a case study of the Sosa intrusion have been used to map and characterize fractures in the Sosa intrusion. It is a vertical magmatic intrusion that is visible at the ground surface, and part of the Chachahuén volcanic complex in southwestern Argentina. The images used were taken with a UAV (unmanned aerial vehicle), and to analyze the images, map the fractures and produce the results, the programs Agisoft Metashape, MOVE™ and MATLAB with the FracPaQ toolbox were used. The intrusion has two distinct fracture sets, one perpendicular to the intrusion margins and one running parallel to the margins. Connectivity between the fractures is low, and since permeability is affected by connectivity, it is also low. The fracture set perpendicular to the intrusion margin consists of so-called cooling fractures and forms when the magma in the intrusion cools. This causes the magma to contract and crack, forming fractures that run inward toward the solidification front and thus perpendicular to the intrusion margin. The fracture set running parallel to the intrusion forms because minerals in the magma flow are affected by friction from the intrusion margins. This makes the minerals align and stretch out in the same direction as the magma flow, which, when the magma solidifies, forms zones of weakness along which fractures can propagate. These fracture sets have low connectivity, which leads to the conclusion that the mapped area of the Sosa intrusion has low permeability.
25. An empirical approach to modeling uncertainty in intrusion analysis. Sakthivelmurugan, Sakthiyuvaraja. January 1900.
Master of Science / Department of Computing and Information Sciences / Xinming (Simon) Ou
A well-known problem in current intrusion detection tools is that they create too many low-level alerts and system administrators find it hard to cope with the huge volume. Also, when they have to combine multiple sources of information to confirm an attack, there is a dramatic increase in the complexity. Attackers use sophisticated techniques to evade detection, and current system monitoring tools can only observe the symptoms or effects of malicious activities. When mingled with similar effects from normal or non-malicious behavior, these lead intrusion analysis to conclusions of varying confidence and high false positive/negative rates.
In this thesis work we present an empirical approach to the problem of modeling uncertainty where inferred security implications of low-level observations are captured in a simple logical language augmented with uncertainty tags. We have designed an automated reasoning process that enables us to combine multiple sources of system monitoring data and extract highly confident attack traces from the numerous possible interpretations of low-level observations. We have developed our model empirically: the starting point was a true intrusion that happened on a campus network, which we studied to capture the essence of the human reasoning process that led to conclusions about the attack. We then used a Datalog-like language to encode the model and a Prolog system to carry out the reasoning process. Our model and reasoning system reached the same conclusions as the human administrator on the question of which machines were certainly compromised. We then automatically generated the reasoning model needed for handling Snort alerts from the natural-language descriptions in the Snort rule repository, and developed a Snort add-on to analyze Snort alerts. Keeping the reasoning model unchanged, we applied our reasoning system to two third-party data sets and one production network. Our results showed that the reasoning model is effective on these data sets as well. We believe such an empirical approach has the potential of codifying the seemingly ad hoc human reasoning about uncertain events, and can yield useful tools for automated intrusion analysis.
26. Analysis of Data Collected in Pilot Study of Residential Radon in DeKalb County in 2015. Chan, Sydney. 13 May 2016.
Dajun Dai
Radon is a colorless, odorless, naturally occurring gas. It is currently the second leading cause of lung cancer and the number one cause of lung cancer in non-smokers in the United States. DeKalb County offers free radon screening for residents. However, screening rates vary across the county. This pilot study focused on 14 selected tracts within DeKalb County with relatively low levels of radon screening. Over 200 households were recruited and homes were tested for indoor radon concentrations on the lowest livable floor over an 8-week period from March – May 2016. Tract-level characteristics were examined to understand the variations of race, income, education, and poverty status between the 14 selected tracts and all of DeKalb County. The 14 selected tracts were comparable to all of DeKalb County in most factors besides race. Radon was detected in 73% of the homes sampled and 4% had levels above the EPA guideline of 4 pCi/L. Multivariate linear regression was used to compare all housing construction characteristics with radon concentrations and suggested that having a basement was the strongest predictive factor for detectable and/or hazardous levels of radon. Radon screening can identify problems and spur homeowners to remediate, but low screening rates may limit the potential health impact of free screening programs. More research should be done to identify why screening rates vary in order to identify ways to enhance screening and reduce radon exposure in DeKalb County.
27. Exploring Vulnerabilities in Networked Telemetry. Shonubi, Felix; Lynton, Ciara; Odumosu, Joshua; Moten, Daryl. 10 1900.
ITC/USA 2015 Conference Proceedings / The Fifty-First Annual International Telemetering Conference and Technical Exhibition / October 26-29, 2015 / Bally's Hotel & Convention Center, Las Vegas, NV
The implementation of Integrated Network Enhanced Telemetry (iNET) in telemetry applications provides significant enhancements to telemetry operations. Unfortunately, such networking brings the potential for devastating cyber-attacks, and networked telemetry is also susceptible to these attacks. This paper demonstrates a worked example of a social engineering attack carried out on a test bed network, analyzing the attack process from launch to detection. For this demonstration, a penetration-testing tool is used to launch the attack. The attack is monitored with a network monitoring tool to capture its signature, and this signature is then used to create a rule that triggers an alert in an Intrusion Detection System. This work highlights the importance of network security in telemetry applications and is critical to current and future telemetry networks, as cyber threats are widespread and potentially devastating.
28. Development of a screening model for the migration of contaminated soil vapor into the indoor air environment. Jordan, Matthew Daniel, 1985-. 09 November 2010.
The migration of contaminants from the subsurface into the indoor air environment, in a process described as soil vapor intrusion, is gaining attention as a potential pathway for exposure to contaminated soil and water. Indoor, outdoor and soil air samples were collected from forty homes in North Texas to investigate the attenuation of trichloroethylene (TCE) from contaminated groundwater into residential buildings. The mean and standard deviation of the soil and indoor air attenuation factors (ratio of indoor air concentration to soil vapor concentration) were 0.14 and 0.17, respectively. Five of the 40 values were greater than 0.1, which is the upper bound suggested by the U.S. EPA (2002). Statistical tools were used to draw correlative relationships between groundwater, soil air and indoor air contaminant concentrations. The VolaSoil model described by Waitz et al. (1996) was modified for use as a screening tool for future investigations of indoor TCE concentration. Using measured soil vapor data, the model underpredicted indoor air TCE concentrations, likely due to heterogeneities in the unsaturated subsurface. Using groundwater TCE concentrations as input, the model was able to capture the contaminant migration processes and produce results consistent with measured indoor TCE concentrations. Therefore, the model described in this paper may be appropriate for use as a screening tool in future investigations in the contamination area.
29. Fast sequential implementation of a lightweight, data stream driven, parallel language with application to intrusion detection. Martin, Xavier. 18 December 2007.
The general problem we consider in this thesis is the following: we have to analyze a stream of data (records, packets, events ...) by successively applying to each piece of data a set of "rules". Rules are best viewed as lightweight parallel processes synchronizing on each arrival of a new piece of data. In many applications, such as signature-based intrusion detection, only a few rules are concerned with each new piece of data. But all other rules have to be executed anyway just to conclude that they can ignore it. Our goal is to make it possible to avoid this useless work completely.
To do so, we perform a static analysis of the code of each rule and we build a decision tree that we apply to each piece of data before executing the rule. The decision tree tells us whether executing the rule or not will change anything to the global analysis results. The decision trees are built at compile time, but their evaluation at each cycle (i.e., for each piece of data) entails an overhead. Thus we organize the set of all computed decision trees in a way that makes their evaluation as fast as possible.
The two main original contributions of this thesis are the following. Firstly, we propose a method to organize the set of decision trees and the set of active rules in such a way that deciding which rules to execute can be made optimally in O(r_u), where r_u is the number of useful rules. This time complexity is thus independent of the actual (total) number of active rules. This method is based on the use of a global decision tree that integrates all individual decision trees built from the code of the rules.
Secondly, as such a global tree may quickly become much too large if usual data structures are used, we introduce a novel kind of data structure called sequential tree that allows us to keep global decision trees much smaller in many situations where the individual trees share few common conditions. (When many conditions are shared by individual trees the global tree remains small.)
To assess our contribution, we first modify the implementation of ASAX, a generic system for data stream analysis based on the rule paradigm presented above. Then we compare the efficiency of the optimized system with respect to its original implementation, using the MIT Lincoln Laboratory Evaluation Dataset and a classical set of intrusion detection rules. Impressive speed-ups are obtained.
Finally, our optimized implementation has been used by Nicolas Vanderavero, in his PhD thesis, for the design of stateful honeytanks (i.e., low-interaction honeypots). It makes it possible to simulate tens of thousands of hosts on a single computer, with a high level of realism.
30. Incident prioritisation for intrusion response systems. Jumaat, Nor Badrul Anuar. January 2012.
The landscape of security threats continues to evolve, with attacks becoming more serious and the number of vulnerabilities rising. To manage these threats, many security studies have been undertaken in recent years, mainly focusing on improving detection, prevention and response efficiency. Although there are security tools such as antivirus software and firewalls available to counter them, Intrusion Detection Systems and similar tools such as Intrusion Prevention Systems are still one of the most popular approaches. There are hundreds of published works related to intrusion detection that aim to increase the efficiency and reliability of detection, prevention and response systems. Whilst intrusion detection system technologies have advanced, there are still areas available to explore, particularly with respect to the process of selecting appropriate responses. Supporting a variety of response options, such as proactive, reactive and passive responses, enables security analysts to select the most appropriate response in different contexts. In view of that, a methodical approach that identifies important incidents as opposed to trivial ones is first needed. However, with thousands of incidents identified every day, relying upon manual processes to identify their importance and urgency is complicated, difficult, error-prone and time-consuming, and so prioritising them automatically would help security analysts to focus only on the most critical ones. The existing approaches to incident prioritisation provide various ways to prioritise incidents, but less attention has been given to adopting them into an automated response system. Although some studies have realised the advantages of prioritisation, they released no further studies showing they had continued to investigate the effectiveness of the process. 
This study concerns enhancing the incident prioritisation scheme to identify critical incidents based upon their criticality and urgency, in order to facilitate an autonomous mode for the response selection process in Intrusion Response Systems. To achieve this aim, this study proposed a novel framework which combines models and strategies identified from the comprehensive literature review. A model to estimate the level of risk of incidents is established, named the Risk Index Model (RIM). With different levels of risk, the Response Strategy Model (RSM) dynamically maps incidents into different types of response, with serious incidents being mapped to active responses in order to minimise their impact, while incidents with less impact receive passive responses. The combination of these models provides a seamless way to map incidents automatically; however, it needs to be evaluated in terms of its effectiveness and performance. To demonstrate the results, an evaluation study with four stages was undertaken; these stages were a feasibility study of the RIM, comparison studies with industrial standards such as the Common Vulnerability Scoring System (CVSS) and Snort, an examination of the effect of different strategies in the rating and ranking process, and a test of the effectiveness and performance of the Response Strategy Model (RSM). With promising results being gathered, a proof-of-concept study was conducted to demonstrate the framework using a live traffic network simulation with online assessment mode via the Security Incident Prioritisation Module (SIPM); this study was used to investigate its effectiveness and practicality. Through the results gathered, this study has demonstrated that the prioritisation process can feasibly be used to facilitate the response selection process in Intrusion Response Systems.
The main contribution of this study is to have proposed, designed, evaluated and simulated a framework to support the incident prioritisation process for Intrusion Response Systems.