Hidden Markov models and alert correlations for the prediction of advanced persistent threats

Ghafir, Ibrahim, Kyriakopoulos, K.G., Lambotharan, S., Aparicio-Navarro, F.J., Assadhan, B., Binsalleeh, H., Diab, D.M.

24 January 2020

Yes / Cyber security has become a matter of a global interest, and several attacks target industrial companies and governmental organizations. The advanced persistent threats (APTs) have emerged as a new and complex version of multi-stage attacks (MSAs), targeting selected companies and organizations. Current APT detection systems focus on raising the detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts that are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilizes the hidden Markov model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage to be the next step of the attacker. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. In addition, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% based on two, three, and four correlated alerts, respectively. / The Gulf Science, Innovation and Knowledge Economy Programme of the U.K. Government under UK-Gulf Institutional Link Grant IL 279339985 and in part by the Engineering and Physical Sciences Research Council (EPSRC), U.K., under Grant EP/R006385/1.

Advanced persistent threat

Intrusion detection system

Alert correlation

Hidden Markov model

Attack prediction

Effective Denial of Service Attack on Congestion Aware Adaptive Network on Chip

Kadirvel, Vijaya Deepak

24 March 2017

Network-On-Chip (NoC) architecture forms the new design framework in extending single processor to multiprocessor SoC. Similar to other SoCs and systems, NoCs are also susceptible to Denial of Service (DoS) attacks which degrade the performance by limiting the availability of resources to the processing cores. The stability of NoC is maintained by employing hardware monitors to detect illegal/abnormal activity or by congestion aware arbitration to obfuscate and balance the network load. Typical DoS attack model selects a random target resource and injects multiple flooding flits to reduce its functionality. The random DoS attack will not be practically effective on congestion aware NoC as the flooding path flow changes dynamically based on the congestion in network and the same victim node selection will not be effectual on different traffic profiles. Thus this paper proposes an effective DoS attack model to dynamically synthesize the selection of target node in NoC, arbitrating on congestion information. We describe the design and implementation of the proposed attack model and compare the performance degradation for different synthetic traffic profiles against random target selection. We also put forth a novel design of an effective offline congestion aware routing algorithm by exploiting the advantages of deterministic and adaptive routing. The proposed routing technique showed better latency saturation compared to adaptive (DyAD) and deterministic (OE) protocol.

DoS attack

Network on chip

Congestion aware routing

Media framing of terrorist attacks : An insight on how Le Monde and Al-Jazeera framed the perpetrators and the victims in the Charlie Hebdo attack.

Camerlynck, Alexandre, Al-Heibi, Mouhamad

January 2023

Media plays a significant role in people’s daily life, as it is the first lens through which people see events and phenomena happening worldwide. This research aims to investigate how Al-Jazeera (AJ) and Le Monde (LM) portray and frame the victims and perpetrators of the Charlie Hebdo attack on the 7th of January 2015. The process of framing and representation are investigated as to whether there are similarities and/or differences in the identities of victims and perpetrators between AJ and LM. Adopting a social constructivist perspective and by using Entman’s framing theory, along with both social representation theory and social identity theory. A qualitative content analysis is conducted. The findings indicate certain similarities in how these two media outlets frame the victims and the perpetrators of the terrorist attack on Charlie Hebdo such as arguing that the perpetrators’ action does not represent Islam. Both medias also try to create a certain level of proximity with the victims. When it comes to the framing of the perpetrators, more differences appear: while AJ frames them as heroes avenging the prophet, LM framed them as stupid people making unprofessional mistakes.

Charlie Hebdo attack

media framing

Le Monde

Al-Jazeera

victims

perpetrators

social identity

Political Science

Statsvetenskap

IPsec Intrusion Detection Analysis : Using data from an Ericsson Ethernet Interface Board

Amso, Julian, Faienza, Achille

January 2008

IP security (IPsec) is commonly used for protection in Virtual Private Networks (VPN). It is also used for the protection of traffic between nodes in third generation (3G) mobile networks. The main duty of telecommunication operators is to assure the quality of service and availability of the network for their users. Therefore knowledge of threats that could affect these requirements is of relevance. Denial of Service (DoS) and other attacks could constitute serious threats in 3G networks and, if successful, they could lead to financial and reputation damage for the telecommunication operator. One of the goals of each telecommunications vendor is to produce equipment and software in such a way as to reduce the risk of successful attacks upon networks built using their equipment and software. This master’s thesis aims to identify the classes of attacks that could affect the regular operation of an IPsec-protected network. Therefore, the IPsec protocol and its possible weaknesses are explained. As practical demonstration of these ideas, an Intrusion Detection Analyzer prototype for an Ericsson Ethernet Interface board was developed to detect anomalous IPsec-protected traffic. / IP Security (IPsec) protokollet används bl.a. för att skydda Virtuellt Privat Nätverk (VPN). Protokollet används även för att skydda noderna i tredje generationens (3G) mobila nätverk. Telekomoperatöreranas uppgift går bl.a. ut på att se till att de mobila näten är tillgängliga för användarna samt garanterna en viss garanterad tjänstekvalitet. Därför är kunskapen om de olika hoten som påverkar dessa faktorer relevant. Överbelastningsattacker och andra attacker kan utgöra ett stort hot mot bl.a. 3G nät. Om dessa attacker lyckas kan de leda till finansiella skador och ett skadat anseende för telekomoperatörerna. Ett av målen för telekomtillverkarna är att tillverka produkter och program som kan minimera riskerna för en attack och skadorna som åstadkoms på ett nätverk uppbyggt med deras utrustning. Detta examensarbete har som mål att identifiera de olika typer av attacker som kan påverka driften av IPsec-skyddade nätverk. IPsecprotokollet och dess svagheter är förklarade. Svagheter och problem med vissa implementationer nämns också. I detta arbete ingår också att utveckla en Intrusion Detection Analyzer prototyp för ett Ericssons Ethernet Gränssnitt kort för att upptäcka avvikande IPsecskyddad trafik

IPsec

IDS

Intrusion

Attack

Detection

VPN

3G

ET-MFX

Security

Communication Systems

Kommunikationssystem

Population Ecology and Foraging Behavior of Breeding Birds in Bottomland Hardwood Forests of the Lower Roanoke River

Lyons, James Edward

21 March 2001

Nest survival often is lower at habitat edges than in habitat cores because of greater nest predation and parasitism near edges. I studied nest survival of breeding birds in bottomland hardwood forests of the lower Roanoke River, North Carolina. Nesting success was monitored in two forest width classes: narrow bands of levee forest that were dominated by two edge types, and wide, continuous levee forest stands that have edges but most forest is relatively far from edge. Nest success of Acadian Flycatchers and Prothonotary Warblers was similar in narrow and wide levees; nest success of Northern Cardinals was greater in narrow levees. Results of my study indicate that edge effects are not universal, and that amount of contrast at edges may interact with landscape context to alter ecological processes, such as nest predation. Bird populations are remarkably constant over time relative to other taxa, implying strong regulation. Avian population ecologists, however, have not studied regulatory mechanisms as often as seasonal limiting factors. Conversely, avian behavioral ecologists seldom emphasize the population dynamic consequences of habitat selection and reproductive success. This study describes the intersection of individual behavior and population regulation in the context of a new model of population regulation, site dependence, which is based on characteristics of breeding sites and behavior of individuals. I studied habitat distribution, age structure, reproductive output, and breeding site fidelity of Prothonotary Warblers (Protonotaria citrea) in two different bottomland hardwood forest habitats of the lower Roanoke River in North Carolina. Older males (³ 2 yr old) were equally common in cypress-gum swamps and mixed oak hardwood levee forest. Pairing success and success of first nests indicated that older males occupied the most suitable territories available in each habitat. Bird density was three times greater in swamps, and birds nesting in swamps averaged greater clutch sizes and fledged more young per nest than birds in levees. Greater reproductive output was the result of greater fecundity because nest survival and predation pressure appeared equal in the two habitats. Annual return rates for plot immigrants vs. previous residents did not differ in swamps. In levees, newly arriving birds were less likely to return the following year than previous residents. Immigrants most likely occupied low quality sites and dispersed in an attempt to improve breeding site quality. Habitat-specific demography and density patterns of this study indicate ideal preemptive distribution. Variance in site quality, between and within habitats, and preemptive use of sites are consistent with theory of population regulation via site dependence. Foraging behavior often reflects food availability. For example, in habitats where food availability is high, predators should move more slowly and attack prey more often than in habitats where food availability is low. I studied the foraging behavior of breeding Prothonotary Warblers in two habitat types to assess relative food availability and implications for habitat quality. The two habitats, levee and swamp forest, differ in hydrology, forest structure, and tree species composition. I quantified foraging behavior with focal animal sampling and continuous recording during foraging bouts. I measured two aspects of foraging behavior: 1) prey attacks per minute, using four attack types (glean, sally, hover, strike), and 2) number of movements per minute (foraging speed), using three types of movement (hop, short flight [£ 1 m], long flight [>1 m]). Male warblers made significantly more prey attacks per minute in swamp forest than in levee forest; the same trend was evident in females. Foraging speed, however, was not different between habitats for males or females. Results indicate that foraging effort is similar in swamps and levees, but that warblers encounter more prey in swamps. Greater food availability may be related to greater reproductive success of warblers nesting in cypress-gum swamps than in coastal plain levee forest. / Ph. D.

edge effects

site dependence

habitat distribution

movement frequency

population regulation

foraging behavior

nest success

attack rate

A Taxonomy of Computer Attacks with Applications to Wireless Networks

Lough, Daniel Lowry

30 April 2001

The majority of attacks made upon modern computers have been successful due to the exploitation of the same errors and weaknesses that have plagued computer systems for the last thirty years. Because the industry has not learned from these mistakes, new protocols and systems are not designed with the aspect of security in mind; and security that is present is typically added as an afterthought. What makes these systems so vulnerable is that the security design process is based upon assumptions that have been made in the past; assumptions which now have become obsolete or irrelevant. In addition, fundamental errors in the design and implementation of systems repeatedly occur, which lead to failures. This research presents a comprehensive analysis of the types of attacks that are being leveled upon computer systems and the construction of a general taxonomy and methodologies that will facilitate design of secure protocols. To develop a comprehensive taxonomy, existing lists, charts, and taxonomies of host and network attacks published over the last thirty years are examined and combined, revealing common denominators among them. These common denominators, as well as new information, are assimilated to produce a broadly applicable, simpler, and more complete taxonomy. It is shown that all computer attacks can be broken into a taxonomy consisting of improper conditions: <b>V</b>alidation <b>E</b>xposure <b>R</b>andomness <b>D</b>eallocation <b>I</b>mproper <b>C</b>onditions <b>T</b>axonomy; hence described by the acronym <b>VERDICT</b>. The developed methodologies are applicable to both wired and wireless systems, and they are applied to some existing Internet attacks to show how they can be classified under VERDICT. The methodologies are applied to the IEEE 802.11 wireless local area network protocol and numerous vulnerabilities are found. Finally, an extensive annotated bibliography is included. / Ph. D.

computer attack taxonomy

computer security

integrity flaws

wireless security

VERDICT

IEEE 802.11

An Aerodynamic Model for Use in the High Angle of Attack Regime

Stagg, Gregory A.

11 August 1998

Harmonic oscillatory tests for a fighter aircraft using the Dynamic Plunge--Pitch--Roll model mount at Virginia Tech Stability Wind Tunnel are described. Corresponding data reduction methods are developed on the basis of multirate digital signal processing. Since the model is sting mounted, the frequencies associated with sting vibration are included in balance readings thus a linear filter must be used to extract out the aerodynamic responses. To achieve this, a Finite Impulse Response (FIR) is designed using the Remez exchange algorithm. Based on the reduced data, a state–space model is developed to describe the unsteady aerodynamic characteristics of the aircraft during roll oscillations. For this model, we chose to separate the aircraft into panels and model the local forces and moments. Included in this technique is the introduction of a new state variable, a separation state variable which characterizes the separation for each panel. This new variable is governed by a first order differential equation. Taylor series expansions in terms of the input variables were performed to obtain the aerodynamic coefficients of the model. These derivatives, a form of the stability derivative approach, are not constant but rather quadratic functions of the new state variable. Finally, the concept of the model was expanded to allow for the addition of longitudinal motions. Thus, pitching moments will be identified at the same time as rolling moments. The results show that the goal of modeling coupled longitudinal and lateral–directional characteristics at the same time using the same inputs is feasible. / Master of Science

Pitching Moment

Normal Force

Rolling Moment

Aerodynamic Modeling

High Angle of Attack

Algorithms and Frameworks for Accelerating Security Applications on HPC Platforms

Yu, Xiaodong

09 September 2019

Typical cybersecurity solutions emphasize on achieving defense functionalities. However, execution efficiency and scalability are equally important, especially for real-world deployment. Straightforward mappings of cybersecurity applications onto HPC platforms may significantly underutilize the HPC devices' capacities. On the other hand, the sophisticated implementations are quite difficult: they require both in-depth understandings of cybersecurity domain-specific characteristics and HPC architecture and system model. In our work, we investigate three sub-areas in cybersecurity, including mobile software security, network security, and system security. They have the following performance issues, respectively: 1) The flow- and context-sensitive static analysis for the large and complex Android APKs are incredibly time-consuming. Existing CPU-only frameworks/tools have to set a timeout threshold to cease the program analysis to trade the precision for performance. 2) Network intrusion detection systems (NIDS) use automata processing as its searching core and requires line-speed processing. However, achieving high-speed automata processing is exceptionally difficult in both algorithm and implementation aspects. 3) It is unclear how the cache configurations impact time-driven cache side-channel attacks' performance. This question remains open because it is difficult to conduct comparative measurement to study the impacts. In this dissertation, we demonstrate how application-specific characteristics can be leveraged to optimize implementations on various types of HPC for faster and more scalable cybersecurity executions. For example, we present a new GPU-assisted framework and a collection of optimization strategies for fast Android static data-flow analysis that achieve up to 128X speedups against the plain GPU implementation. For network intrusion detection systems (IDS), we design and implement an algorithm capable of eliminating the state explosion in out-of-order packet situations, which reduces up to 400X of the memory overhead. We also present tools for improving the usability of Micron's Automata Processor. To study the cache configurations' impact on time-driven cache side-channel attacks' performance, we design an approach to conducting comparative measurement. We propose a quantifiable success rate metric to measure the performance of time-driven cache attacks and utilize the GEM5 platform to emulate the configurable cache. / Doctor of Philosophy / Typical cybersecurity solutions emphasize on achieving defense functionalities. However, execution efficiency and scalability are equally important, especially for the real-world deployment. Straightforward mappings of applications onto High-Performance Computing (HPC) platforms may significantly underutilize the HPC devices’ capacities. In this dissertation, we demonstrate how application-specific characteristics can be leveraged to optimize various types of HPC executions for cybersecurity. We investigate several sub-areas, including mobile software security, network security, and system security. For example, we present a new GPU-assisted framework and a collection of optimization strategies for fast Android static data-flow analysis that achieve up to 128X speedups against the unoptimized GPU implementation. For network intrusion detection systems (IDS), we design and implement an algorithm capable of eliminating the state explosion in out-of-order packet situations, which reduces up to 400X of the memory overhead. We also present tools for improving the usability of HPC programming. To study the cache configurations’ impact on time-driven cache side-channel attacks’ performance, we design an approach to conducting comparative measurement. We propose a quantifiable success rate metric to measure the performance of time-driven cache attacks and utilize the GEM5 platform to emulate the configurable cache.

Cybersecurity

HPC

GPU

Intrusion Detection

Automata Processor

Android Program Analysis

Cache Side-Channel Attack

Unsteady Nonlinear Aerodynamic Modeling and Applications

Zakaria, Mohamed Yehia

10 May 2016

Unsteady aerodynamic modeling is indispensable in the design process of rotary air vehicles, flapping flight and agile unmanned aerial vehicles. Undesirable vibrations can cause high-frequency variations in motion variables whose effects cannot be well predicted using quasi-steady aerodynamics. Furthermore, one may exploit the lift enhancement that can be generated through an unsteady motion for optimum design of flapping vehicles. Additionally, undesirable phenomena like the flutter of fixed wings and ensuing limit cycle oscillations can be exploited for harvesting energy. In this dissertation, we focus on modeling the unsteady nonlinear aerodynamic response and present various applications where unsteady aerodynamics are very relevant. The dissertation starts with experiments for measuring unsteady loads on an NACA-0012 airfoil undergoing a plunging motion under various operating conditions. We supplement these measurements with flow visualization to obtain better insight into phenomena causing enhanced lift. For the model, we present the frequency response function for the airfoil at various angles of attack. Experiments were performed at reduced frequencies between 0.1 and 0.95 and angles of attack up to 65 degrees. Then, we formulate an optimization problem to unify the transfer function coefficients for each regime independently to obtain one model that represents the global dynamics. An optimization-based finite-dimensional (fourth-order) approximation for the frequency responses is developed. Converting these models to state-space form and writing the entries of the matrices as polynomials in the mean angle of attack, a unified unsteady model was developed. In the second set of experiments, we measured the unsteady plunging forces on the same airfoil at zero forward velocity. The aim is to investigate variations of the added forces associated with the oscillation frequency of the wing section for various angles of attack. Data of the measured forces are presented and compared with predicted forces from potential flow approximations. The results show a significant departure from those estimates, especially at high frequencies indicating that viscous effects play a major role in determining these forces. In the second part of this dissertation, we consider different applications where unsteady loads and nonlinear effects play an important role. We perform a multi-objective aerodynamic optimization problem of the wing kinematics and planform shape of a Pterosaur replica ornithopter. The objective functions included minimization of the required cycle-averaged aerodynamic power and maximization of the propulsive efficiency. The results show that there is an optimum kinematic parameter as well as planform shape to fulfill the two objectives. Furthermore, the effects of preset angle of attack, wind speed and load resistance on the levels of harvested power from a composite beam bonded with the piezoelectric patch are determined experimentally. The results point to a complex relation between the aerodynamic loading and its impact on the static deflection and amplitudes of the limit cycle oscillations as well as the level of power harvested. This is followed by testing of a centimeter scale micro wind turbine that has been proposed to power small devices and to work as a micro energy harvester. The experimental measurements are compared to predicted values from a numerical model. The methods developed in this dissertation provide a systematic approach to identifying unsteady aerodynamic models from numerical or experimental data that may work within different regimes. The resulting reduced-order models are expressed in a state-space form, and they are, therefore, both simple and efficient. These models are low-dimensional linear systems of ordinary differential equations so that they are compatible with modern flight dynamic models. The specific form of the obtained added force model, which defines the added forces as a function of plunging velocity and drag forces, guarantees that the resulting model is accurate over a range of high frequencies. Moreover, presented applications give a sense of the broad range of application of unsteady aerodynamics. / Ph. D.

Unsteady nonlinear aerodynamics

Wind tunnel testing

Flow Visualization

High angles of attack

Energy harvesting

Security Enhanced Communications in Cognitive Networks

Yan, Qiben

08 August 2014

With the advent of ubiquitous computing and Internet of Things (IoT), potentially billions of devices will create a broad range of data services and applications, which will require the communication networks to efficiently manage the increasing complexity. Cognitive network has been envisioned as a new paradigm to address this challenge, which has the capability of reasoning, planning and learning by incorporating cutting edge technologies including knowledge representation, context awareness, network optimization and machine learning. Cognitive network spans over the entire communication system including the core network and wireless links across the entire protocol stack. Cognitive Radio Network (CRN) is a part of cognitive network over wireless links, which endeavors to better utilize the spectrum resources. Core network provides a reliable backend infrastructure to the entire communication system. However, the CR communication and core network infrastructure have attracted various security threats, which become increasingly severe in pace with the growing complexity and adversity of the modern Internet. The focus of this dissertation is to exploit the security vulnerabilities of the state-of-the-art cognitive communication systems, and to provide detection, mitigation and protection mechanisms to allow security enhanced cognitive communications including wireless communications in CRNs and wired communications in core networks. In order to provide secure and reliable communications in CRNs: emph{first}, we incorporate security mechanisms into fundamental CRN functions, such as secure spectrum sensing techniques that will ensure trustworthy reporting of spectrum reading. emph{Second}, as no security mechanism can completely prevent all potential threats from entering CRNs, we design a systematic passive monitoring framework, emph{SpecMonitor}, based on unsupervised machine learning methods to strategically monitor the network traffic and operations in order to detect abnormal and malicious behaviors. emph{Third}, highly capable cognitive radios allow more sophisticated reactive jamming attack, which imposes a serious threat to CR communications. By exploiting MIMO interference cancellation techniques, we propose jamming resilient CR communication mechanisms to survive in the presence of reactive jammers. Finally, we focus on protecting the core network from botnet threats by applying cognitive technologies to detect network-wide Peer-to-Peer (P2P) botnets, which leads to the design of a data-driven botnet detection system, called emph{PeerClean}. In all the four research thrusts, we present thorough security analysis, extensive simulations and testbed evaluations based on real-world implementations. Our results demonstrate that the proposed defense mechanisms can effectively and efficiently counteract sophisticated yet powerful attacks. / Ph. D.

Cognitive radio networks security

Cognitive radio networks

reactive jamming attack

network monitoring

botnet detection