61 |
Augmenting Network Flows with User Interface Context to Inform Access Control Decisions
Chuluundorj, Zorigtbaatar 10 October 2019
Whitelisting IP addresses and hostnames allows organizations to employ a default-deny approach to network traffic. Organizations employing a default-deny approach can stop many malicious threats, even including zero-day attacks, because it only allows explicitly stated legitimate activities. However, creating a comprehensive whitelist for a default-deny approach is difficult due to user-supplied destinations that can only be known at the time of usage. Whitelists, therefore, interfere with user experience by denying network traffic to user-supplied legitimate destinations. In this thesis, we focus on creating dynamic whitelists that are capable of allowing user-supplied network activity. We designed and built a system called Harbinger, which leverages user interface activity to provide contextual information in which network activity took place. We built Harbinger for Microsoft Windows operating systems and have tested its usability and effectiveness on four popular Microsoft applications. We find that Harbinger can reduce false-positive detection rates from 44%-54% to 0%-0.4% in IP and DNS whitelists. Furthermore, while traditional whitelists failed to detect propagation attacks, Harbinger detected the same attacks 96% of the time. We find that our system only introduced six milliseconds of delay or less for 96% of network activity.
|
62 |
Design and Analysis of Intrusion Detection Protocols in Cyber Physical Systems
Mitchel, Robert Raymondl III 23 April 2013
In this dissertation research we aim to design and validate intrusion detection system (IDS) protocols for a cyber physical system (CPS) comprising sensors, actuators, control units, and physical objects for controlling and protecting physical infrastructures.
The design part includes host IDS, system IDS and IDS response designs. The validation part includes a novel model-based analysis methodology with simulation validation. Our objective is to maximize the CPS reliability or lifetime in the presence of malicious nodes performing attacks which can cause security failures. Our host IDS design results in a lightweight, accurate, autonomous and adaptive protocol that runs on every node in the CPS to detect misbehavior of neighbor nodes based on state-based behavior specifications. Our system IDS design results in a robust and resilient protocol that can cope with malicious, erroneous, partly trusted, uncertain and incomplete information in a CPS. Our IDS response design results in a highly adaptive and dynamic control protocol that can adjust detection strength in response to environment changes in attacker strength and behavior. The end result is an energy-aware and adaptive IDS that can maximize the CPS lifetime in the presence of malicious attacks, as well as malicious, erroneous, partly trusted, uncertain and incomplete information.
We develop a probability model based on stochastic Petri nets to describe the behavior of a CPS incorporating our proposed intrusion detection and response designs, subject to attacks by malicious nodes exhibiting a range of attacker behaviors, including reckless, random, insidious and opportunistic attacker models. We identify optimal intrusion detection settings under which the CPS reliability or lifetime is maximized for each attacker model. 
Adaptive control for maximizing IDS performance is achieved by dynamically adjusting detection and response strength in response to attacker strength and behavior detected at runtime. We conduct extensive analysis of our designs with four case studies, namely, a mobile group CPS, a medical CPS, a smart grid CPS and an unmanned aircraft CPS. The results show that our adaptive intrusion and response designs operating at optimizing conditions significantly outperform existing anomaly-based IDS techniques for CPSs. / Ph. D.
|
63 |
Invested or Invasive?: Applying the Investment Model to Understanding Obsessive Relational Intrusion
Collier, Katherine E 17 May 2014
The present study applied the Investment Model (IM) to predict obsessive relational intrusion (ORI). Participants (n=685) were randomly assigned to read vignettes about a hypothetical relationship termination that manipulated 1) type of rejection, 2) level of investment, and 3) quality of alternatives. Next, participants were asked to report how likely it was that they would engage in pursuit (e.g., leaving gifts and calling) and aggressive (e.g., threatening behaviors) ORI. Contrary to predictions, results indicate that although level of investment affected one’s likelihood of engaging in ORI, quality of alternatives did not. Further, it was expected that a more explicit rejection would lead to greater ORI; however, I found that no rejection led to more pursuit ORI than either internal or external rejection conditions.
|
64 |
Toward Autonomic Security for Industrial Control Systems
Trivedi, Madhulika 14 August 2015
Supervisory control and data acquisition systems are extensively used in the critical infrastructure domain for controlling and managing large-scale industrial applications. This thesis presents a security management structure developed to protect ICS networks from security intrusions. This structure is formed by a combination of several modules for monitoring system-utilization parameters, data processing, detection of known attacks, forensic analysis to support against unknown attacks, estimation of control system-specific variables, and launch of appropriate protection methods. The best protection method to launch in case of an attack is chosen by a multi-criteria analysis controller based on operational costs and efficiency. A time-series ARIMA model is utilized to estimate the future state of the system and to protect it against cyber intrusions. Signature and performance based detection techniques assist in real-time identification of attacks with little or no human intervention. Simulation results for Scanning, Denial of Service and Injection attacks are provided.
|
65 |
Deep Learning-Based Anomaly Detection System for Guarding Internet of Things Devices
Azumah, Sylvia w. 05 October 2021
No description available.
|
66 |
Impact of Vividness of Smoking Imagery and Complexity of a Task on Intensity of Nicotine Craving
Baylen, Chelsea A. 04 June 2007
No description available.
|
67 |
Detecting Anomalous Network Traffic With Self-Organizing Maps
Ramadas, Manikantan 04 April 2003
No description available.
|
68 |
Battery-Sensing Intrusion Protection System (B-SIPS)
Buennemeyer, Timothy Keith 15 December 2008
This dissertation investigates using instantaneous battery current sensing techniques as a means of detecting IEEE 802.15.1 Bluetooth and 802.11b (Wi-Fi) attacks and anomalous activity on small mobile wireless devices. This research explores alternative intrusion detection methods in an effort to better understand computer networking threats. This research applies to Personal Digital Assistants (PDAs) and smart phones, operating with sensing software in wireless network environments to relay diagnostic battery readings and threshold breaches to indicate possible battery exhaustion attack, intrusion, virus, and worm activity detections. The system relies on host-based software to collect smart battery data to sense instantaneous current characteristics of anomalous network activity directed against small mobile devices. This effort sought to develop a methodology, design and build a net-centric system, and then further explore this non-traditional intrusion detection system (IDS) approach. This research implements the Battery-Sensing Intrusion Protection System (B-SIPS) client detection capabilities for small mobile devices, a server-based Correlation Intrusion Detection Engine (CIDE) for attack correlation with Snort's network-based IDS, device power profiling, graph views, security administrator alert notification, and a database for robust data storage. Additionally, the server-based CIDE provides the interface and filtering tools for a security administrator to further mine our database and conduct forensic analysis. A separate system was developed using a digital oscilloscope to observe Bluetooth, Wi-Fi, and blended attack traces and to create unique signatures.
The research endeavor makes five significant contributions to the security field of intrusion detection. First, this B-SIPS work creates an effective intrusion detection approach that can operate on small, mobile host devices in networking environments to sense anomalous patterns in instantaneous battery current as an indicator of malicious activity using an innovative Dynamic Threshold Calculation (DTC) algorithm. Second, the Current Attack Signature Identification and Matching System (CASIMS) provides a means for high resolution current measurements and supporting analytical tools. This system investigates Bluetooth, Wi-Fi, and blended exploits using an oscilloscope to gather high fidelity data. Instantaneous current changes were examined on mobile devices during representative attacks to determine unique attack traces and recognizable signatures. Third, two B-SIPS supporting theoretical models are presented to investigate static and dynamic smart battery polling. These analytical models are employed to examine smart battery characteristics to support the theoretical intrusion detection limits and capabilities of B-SIPS. Fourth, a new genre of attack, known as a Battery Polling Cycle Timing Attack, is introduced. Today's smart battery technology polling rates are designed to support Advanced Power Management needs. Every PDA and smart phone has a polling rate that is determined by the device and smart battery original equipment manufacturers. If an attacker knows the precise timing of the polling rate of the battery's chipset, then the attacker could attempt to craft intrusion packets to arrive within those limited time windows and between the battery's polling intervals. Fifth, this research adds to the body of knowledge about non-traditional attack sensing and correlation by providing a component of an intrusion detection strategy. 
This work expands today's research knowledge towards a more robust multilayered network defense by creating a novel design and methodology for employing mobile computing devices as a first line of defense to improve overall network security and potentially through extension to other communication mediums in need of defensive capabilities. Mobile computing and communications devices such as PDAs, smart phones, and ultra small general purpose computing devices are the typical targets for the results of this work. Additionally, field-deployed battery operated sensors and sensor networks will also benefit by incorporating security mechanisms developed and described here. / Ph. D.
|
69 |
Water Hammer: An Analysis of Plumbing Systems, Intrusion, and Pump Operation
Batterton, Shawn Henry 13 December 2006
This thesis provides a comprehensive look at water hammer with an emphasis on home plumbing systems. The mathematics of water hammer are explained, including the momentum and continuity equations for conduits, system construction, and the four-point implicit finite difference scheme to numerically solve the problem. This paper also shows how the unsteady momentum and continuity equations can be used to solve water distribution problems instead of the steady-state energy and continuity equations, along with example problems which show that an unsteady approach is more suitable than the standard Hardy-Cross method. Residential plumbing systems are examined in this paper, household fixtures are modeled for their hydraulic functions, and several water hammer simulations are run using the Water Hammer and Mass Oscillation program (WHAMO). It is determined from these simulations that the amount of air volume in the system is a key factor in controlling water hammer. Abnormal pump operation is clearly explained including a description of the four quadrants and eight zones of operation as well as the mathematics and a numerical scheme for computation. Low pressures caused by transients can lead to intrusion and contamination of the drinking water supply. Several scenarios are simulated using the WHAMO program and cases are provided in which intrusion occurs. From the intrusion scenarios, key factors for intrusion to occur during transients include the starting energy in the system, the magnitude of the transient, the hydraulics of the intrusion opening, and the external energy on the pipe (the level of the groundwater table). A primer for using WHAMO is provided as an appendix as well. / Master of Science
|
70 |
Bluetooth Threat Taxonomy
Dunning, John Paul 22 December 2010
Since its release in 1999, Bluetooth has become a commonly used technology available on billions of devices throughout the world. Bluetooth is a wireless technology used for information transfer by devices such as Smartphones, headsets, keyboard/mice, laptops/desktops, video game systems, automobiles, printers, heart monitors, and surveillance cameras. Dozens of threats have been developed by researchers and hackers which target these Bluetooth enabled devices. The work in this thesis provides insight into past and current Bluetooth threats along with methods of threat mitigation.
The main focus of this thesis is the Bluetooth Threat Taxonomy (BTT); it is designed for classifying threats against Bluetooth enabled technology. The BTT incorporates nine distinct classifications to categorize Bluetooth attack tools and methods and a discussion on 42 threats. In addition, several new threats developed by the author will be discussed.
This research also provides means to secure Bluetooth enabled devices. The Bluetooth Attack Detection Engine (BLADE) is a host-based Intrusion Detection System (IDS) presented to detect threats targeted toward a host system. Finally, a threat mitigation schema is provided to act as a guideline for securing Bluetooth enabled devices. / Master of Science
|