About: The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.

41

Immune Based Event-Incident Model for Intrusion Detection Systems: A Nature Inspired Approach to Secure Computing

Vasudevan, Swetha 26 June 2007
No description available.
42

Performance Evaluation Study of Intrusion Detection Systems.

Alhomoud, Adeeb M., Munir, Rashid, Pagna Disso, Jules F., Al-Dhelaan, A., Awan, Irfan U. 2011 August 1917
With the thriving technology and the great increase in the usage of computer networks, the risk of having these networks come under attack has increased. A number of techniques have been created and designed to help in detecting and/or preventing such attacks. One common technique is the use of Network Intrusion Detection / Prevention Systems (NIDS). Today, a number of open source and commercial Intrusion Detection Systems are available to match enterprises' requirements, but the performance of these Intrusion Detection Systems is still the main concern. In this paper, we have tested and analyzed the performance of the well-known IDS system Snort and the newcomer IDS system Suricata. Both Snort and Suricata were implemented on three different platforms (ESXi virtual server, Linux 2.6 and FreeBSD) to simulate a real environment. Finally, in our results and analysis a comparison of the performance of the two IDS systems is provided along with some recommendations as to what and when will be the ideal environment for Snort and Suricata.
43

Development of a high flux neutron radiation detection system for in-core temperature monitoring

Singo, Thifhelimbilu Daphney 03 1900
Thesis (PhD)--Stellenbosch University, 2012. / ENGLISH ABSTRACT: The objective of this research was to develop a neutron detection system that incorporates a mass spectrometer to measure high neutron flux in a nuclear reactor environment. This system consists of slow and fast neutron detector elements for measuring fluxes in those energy regions respectively. The detector should further be capable of withstanding the harsh conditions associated with a high temperature reactor. This novel detector, which was initially intended for use in the PBMR reactor, has possible applications as an in-core neutron and indirect temperature-monitoring device in any of the HTGR. Simulations of a generic HTGR core model were performed in order to obtain the neutron energy spectrum with emphasis on the behavior of three energy regions, slow, intermediate and fast neutrons, within the core at different temperatures. The slow neutron flux, which has the characteristic of a Maxwell-Boltzmann distribution, was found to shift to larger values of neutron flux at higher energies as the fuel temperature increased, while fast neutron flux spectra remained relatively constant. In addition, the results of the fit of the slow neutron flux with a modified Maxwell-Boltzmann equation confirmed that in the presence of the neutron source, leakage and absorption, the effective neutron temperature is above the medium temperatures. From these results, it was clear that the detection system will need to monitor both slow and fast neutron flux. Placing neutron detectors inside the reactor core that are sensitive to a particular energy range of slow and fast neutrons would thus provide information about the change of temperature in the fuel and hence act as an in-core temperature monitor. A detection mechanism was developed that employs the neutron-induced break-up reaction of ⁶Li and ¹²C into α-particles.
These materials make excellent neutron converters without interference due to γ-rays, as the contributions from ⁶Li(γ,np)⁴He and ¹²C(γ,3α) reactions are negligible. The mass spectrometer measures the ⁴He partial pressure as a function of time under high vacuum with the help of a pressure gradient provided by a high-vacuum turbomolecular pump and a positive-displacement fore-vacuum pump connected in series. A cryogenic trap, which contains a molecular sieve made of pellets 1.6 mm in diameter, was also designed and manufactured to remove impurities which cause a background in the lighter mass region of the spectrum. The development and testing of the high flux neutron detection system were performed at the iThemba Laboratory for Accelerator Based Sciences (LABS), South Africa. These tests were carried out with a high energy proton beam at the D-line neutron facility, and with a fast neutron beam at the neutron radiation therapy facility. To test the principle and capability of the detection system in measuring high fluxes, a high intensity 66 MeV proton beam was used to produce a large yield of α-particles. This was done because the proton inelastic scattering cross-section with ¹²C nuclei is similar to that of neutrons, with a threshold energy of about 8 MeV for both reactions. Secondly, the secondary fast neutrons produced from the ⁹Be(p,n)⁹B reaction were also measured with the fast neutron detector. The response of this detection system during irradiation was found to be relatively fast, with a rise time of a few seconds. This is seen as a sharp increase in the partial pressure of ⁴He gas as the proton or neutron beam bombards the ¹²C material. It was found that the production of ⁴He with the proton beam was directly proportional to the beam intensity. The number of ⁴He atoms produced per second was deduced from the partial pressure observed during the irradiation period.
With a neutron beam of 10¹⁰ s⁻¹ irradiating the detector, the deduced number of ⁴He atoms was 10⁹ s⁻¹. When irradiation stops, the partial pressure drops exponentially. This response is attributed to a small quantity of ⁴He trapped in the present design. Overall, the measurements of ⁴He partial pressure produced during the tests with proton and fast neutron beams were successful and demonstrated proof of principle of the new detection technique. It was also found that this system has no upper neutron flux detection limit; it can be even higher than 10¹⁴ n·cm⁻²·s⁻¹. The lifetime of this detection system in a nuclear reactor environment is practically unlimited, as determined by the known ability of stainless steel to keep its integrity under the high radiation levels. Hence, it is concluded that this high flux neutron detection system is excellent for neutron detection in the presence of a high γ-radiation level and provides real-time flux measurements. / AFRIKAANS ABSTRACT: The aim of this research was to develop a neutron detector system that can measure high neutron flux inside a nuclear reactor. The system contains two separate detector elements so that both the thermal and the fast neutron flux can be measured. The detector must further be able to withstand the harsh conditions characteristic of a high temperature reactor. The innovative detector system, originally earmarked for use in the PBMR reactor, has possible applications as an in-core neutron monitor as well as an indirect temperature monitor. Simulations of a generic model of an HTGR reactor core were carried out in order to obtain the neutron energy spectrum in the core at different temperatures, with emphasis on the behaviour of neutrons in three energy groups: slow (thermal), intermediate and fast.
It was found that the slow neutrons, which show a Maxwell-Boltzmann distribution, increase in intensity and that the peak shifts to higher energy with increasing temperature, while the fast neutron spectrum remains relatively unchanged. A fit of the slow spectrum to a modified Maxwell-Boltzmann distribution confirmed that the effective neutron temperature, owing to the presence of source terms, losses and absorption, is higher than the temperature of the medium. These results make it clear that the detector system must be able to observe both the slow and the fast neutron flux. By placing detector elements that are sensitive to the respective spectral regions in the reactor core, information can be obtained that is reducible to in-core temperature, so that the system can indeed serve as an indirect temperature monitor. The fact that alpha particles are produced in neutron-induced break-up reactions of ⁶Li and ¹²C was used as the basis of the new detection mechanism. These materials function excellently as neutron-selective converters in the presence of gamma rays, since the latter's contributions to helium production via the ⁶Li(γ,np)⁴He and ¹²C(γ,3α) reactions are negligible. The mass spectrometer measures the time behaviour of the ⁴He partial pressure within a high vacuum obtained with the help of a series-connected combination of a turbomolecular pump and a positive-displacement fore-pump. A cold trap with a molecular sieve, consisting of pellets 1.6 mm in diameter, was designed and manufactured to remove impurities that would otherwise appear as background in the lighter part of the mass spectrum. The development and testing of the high-flux detector system were done at iThembaLABS (iThemba Laboratories for Accelerator Based Sciences). It was carried out using the high energy proton beam of the D-line neutron facility as well as the beam of fast neutrons at the neutron therapy facility.
To test the principle and the capability of measuring at a high neutron flux, the intense 66 MeV proton beam was used to obtain a high yield of alpha particles. This was done because the reaction cross-section for inelastic scattering of protons from ¹²C nuclei is similar to that of neutrons, with a threshold energy of 8 MeV for both reactions. Secondly, the secondary fast neutrons originating from the ⁹Be(p,n)⁹B reaction were also measured with the neutron detector. It was found that the response time of the detection system during irradiation is relatively fast, as characterised by a rise time of several seconds. The latter manifests as an increase in the partial pressure of the ⁴He as soon as the proton or neutron beam is incident on the ¹²C target. It was further found that the ⁴He production is directly proportional to the beam intensity. For a neutron beam of approximately 10¹⁰ s⁻¹ incident on the neutron detector, it was deduced from the measured partial pressure that the production of ⁴He atoms amounts to about 10⁹ s⁻¹. Judged as a whole, the measurement of the ⁴He partial pressure during the tests with fast protons and neutrons was successful and confirmed the new measurement principle. It was further found that the measuring system places no limit on the upper neutron flux, but that it can handle fluxes of even higher than 10¹⁴ s⁻¹. The lifetime of the detector system in the reactor is practically unlimited and subject to the confirmed integrity of stainless steel under high irradiation. The conclusion is therefore that the new detector system is excellently suited to the real-time measurement of a very high flux of neutrons, also in the presence of intense gamma radiation.
44

Using metrics from multiple layers to detect attacks in wireless networks

Aparicio-Navarro, Francisco J. January 2014
The IEEE 802.11 networks are vulnerable to numerous wireless-specific attacks. Attackers can implement MAC address spoofing techniques to launch these attacks, while masquerading themselves behind a false MAC address. The implementation of Intrusion Detection Systems has become fundamental in the development of security infrastructures for wireless networks. This thesis proposes the design of a novel security system that makes use of metrics from multiple layers of observation to produce a collective decision on whether an attack is taking place. The Dempster-Shafer Theory of Evidence is the data fusion technique used to combine the evidences from the different layers. A novel, unsupervised and self-adaptive Basic Probability Assignment (BPA) approach able to automatically adapt its beliefs assignment to the current characteristics of the wireless network is proposed. This BPA approach is composed of three different and independent statistical techniques, which are capable of identifying the presence of attacks in real time. Despite the lightweight processing requirements, the proposed security system produces outstanding detection results, generating high intrusion detection accuracy and a very low number of false alarms. A thorough description of the generated results for all the considered datasets is presented in this thesis. The effectiveness of the proposed system is evaluated using different types of injection attacks. Regarding one of these attacks, to the best of the author's knowledge, the security system presented in this thesis is the first one able to efficiently identify the Airpwn attack.
45

Um modelo dinâmico de clusterização de dados aplicado na detecção de intrusão / A dynamic data clustering model applied to intrusion detection

Furukawa, Rogério Akiyoshi 25 April 2003
Currently, computer security is becoming increasingly necessary owing to the large growth in the statistics reporting computer crimes. One of the tools used to raise the level of security is known as Intrusion Detection Systems (IDS). The flexibility and usability of these systems have contributed considerably to increasing the protection of computing environments. Since a large share of intrusions follow well-defined patterns of behaviour in a computer network, data classification and clustering techniques tend to be very appropriate for obtaining an effective way of solving this type of problem. This work presents a dynamic clustering model based on a data movement mechanism. Although it is a data clustering technique applicable to any type of data, in this work the model is used for intrusion detection. The technique presented in this work obtained clustering results comparable to traditional techniques. In addition, the proposed technique has some advantages over the traditional techniques investigated, such as performing multi-scale clustering and not needing the initial number of clusters to be determined. / Nowadays, computational security is becoming more and more necessary due to the large growth of the statistics that describe computer crimes. One of the tools used to increase the safety level is named Intrusion Detection Systems (IDS). The flexibility and usability of these systems have contributed, considerably, to increase the protection of computational environments. As a large part of the intrusions follows very well defined behavior patterns in a computer network, techniques for data classification and clustering tend to be very appropriate to obtain an effective solution to this problem. In this work, a dynamic clustering model based on a data movement mechanism is presented.
In spite of being a clustering technique applicable to any data type, in this work, this model will be applied to intrusion detection. The technique presented in this work obtained clustering results comparable to those obtained by traditional techniques. Besides, the proposed technique presents some advantages over the traditional techniques investigated, like multi-resolution clustering and no need to previously know the number of clusters.
46

UMA ONTOLOGIA DE APLICAÇÃO PARA APOIO À TOMADA DE DECISÕES EM SITUAÇÕES DE AMEAÇA À SEGURANÇA DA INFORMAÇÃO. / AN ONTOLOGY OF INFORMATION FOR DECISION SUPPORT IN SITUATIONS OF THREAT TO INFORMATION SECURITY.

SILVA, Rayane Meneses da 24 June 2015
Many security mechanisms, such as Intrusion Detection Systems (IDSs), have been developed to approach the problem of information security attacks, but most of them are traditional information systems in which their threats repositories are not represented semantically. Ontologies are knowledge representation structures that enable semantic processing of information and the construction of knowledge-based systems, which provide greater effectiveness compared to traditional systems. This paper proposes an application ontology called “Application Ontology for the Development of Case-based Intrusion Detection Systems” that formally represents the concepts related to information security domain of intrusion detection systems and “Case Based Reasoning”. The “Case Based Reasoning” is an approach for problem solving in which you can reuse the knowledge of past experiences to solve new problems. The evaluation of the ontology was performed by the development of an Intrusion Detection System that can detect attacks on computer networks and recommend solutions to these attacks. The ontology was specified using the “Ontology Web Language” and the Protégé ontology editor. It was also mapped to a case base in Prolog using the “Thea” tool. The results have shown that the developed Intrusion Detection System presented a good effectiveness in detecting attacks and that the proposed ontology conceptualizes adequately the domain concepts and tasks. / Many security mechanisms, such as Intrusion Detection Systems, have been developed to address the problem of attacks on Information Security.
However, most of them are traditional information systems whose threat repositories are not represented semantically. Ontologies are knowledge representation structures that allow the semantic processing of information as well as the construction of knowledge-based systems, which provide greater effectiveness than traditional systems. This work proposes an application ontology named “Application Ontology for the Development of Case-based Intrusion Detection Systems” that formally represents the concepts related to the domain of Information Security, of intrusion detection systems and of “Case-Based Reasoning”. “Case-Based Reasoning” is an approach to problem solving in which knowledge from past experiences can be reused to solve new problems. The ontology was evaluated through the development of an Intrusion Detection System that can detect attacks on computer networks and recommend solutions to those attacks. The ontology was specified in the “Ontology Web Language” using the Protégé ontology editor and, soon afterwards, mapped to a case base in Prolog using the “Thea” tool. The results showed that the developed Intrusion Detection System was effective in detecting attacks, and it is therefore concluded that the proposed ontology adequately conceptualizes the domain and task concepts addressed.
47

Improving host-based computer security using secure active monitoring and memory analysis

Payne, Bryan D. 03 June 2010
Thirty years ago, research in designing operating systems to defeat malicious software was very popular. The primary technique was to design and implement a small security kernel that could provide security assurances to the rest of the system. However, as operating systems grew in size throughout the 1980's and 1990's, research into security kernels slowly waned. From a security perspective, the story was bleak. Providing security to one of these large operating systems typically required running software within that operating system. This weak security foundation made it relatively easy for attackers to subvert the entire system without detection. The research presented in this thesis aims to reimagine how we design and deploy computer systems. We show that through careful use of virtualization technology, one can effectively isolate the security critical components in a system from malicious software. Furthermore, we can control this isolation to allow the security software a complete view to monitor the running system. This view includes all of the necessary information for implementing useful security applications including the system memory, storage, hardware events, and network traffic. In addition, we show how to perform both passive and active monitoring securely, using this new system architecture. Security applications must be redesigned to work within this new monitoring architecture. The data acquired through our monitoring is typically very low-level and difficult to use directly. In this thesis, we describe work that helps bridge this semantic gap by locating data structures within the memory of a running virtual machine. We also describe work that shows a useful and novel security framework made possible through this new monitoring architecture. This framework correlates human interaction with the system to distinguish legitimate and malicious outgoing network traffic.
48

An Anomaly Behavior Analysis Methodology for Network Centric Systems

Alipour, Hamid Reza January 2013
Information systems and their services (referred to as cyberspace) are ubiquitous and touch all aspects of our life. With the exponential growth in cyberspace activities, the number and complexity of cyber-attacks have increased significantly due to an increase in the number of applications with vulnerabilities and the number of attackers. Consequently, it becomes extremely critical to develop efficient network Intrusion Detection Systems (IDS) that can mitigate and protect cyberspace resources and services against cyber-attacks. On the other hand, since each network system and application has its own specification as defined in its protocol, it is hard to develop a single IDS which works properly for all network protocols. The keener approach is to design customized detection engines for each protocol and then aggregate the reports from these engines to define the final security state of the system. In this dissertation, we developed a general methodology based on data mining, statistical analysis and protocol semantics to perform anomaly behavior analysis and detection for network-centric systems and their protocols. In our approach, we develop runtime models of protocol's state transitions during a time interval ΔΤ. We consider any n consecutive messages in a session during the time interval ΔΤ as an n-transition pattern called n-gram. By applying statistical analysis over these n-gram patterns we can accurately model the normal behavior of any protocol. Then we use the amount of the deviation from this normal model to quantify the anomaly score of the protocol activities. If this anomaly score is higher than a well-defined threshold the system marks that activity as a malicious activity. To validate our methodology, we have applied it to two different protocols: DNS (Domain Name System) at the application layer and the IEEE 802.11(WiFi) at the data link layer, where we have achieved good detection results (>95%) with low detection errors (<0.1%).
49

A Modified Genetic Algorithm and Switch-Based Neural Network Model Applied to Misuse-Based Intrusion Detection

Stewart, IAN 17 March 2009
As our reliance on the Internet continues to grow, the need for secure, reliable networks also increases. Using a modified genetic algorithm and a switch-based neural network model, this thesis outlines the creation of a powerful intrusion detection system (IDS) capable of detecting network attacks. The new genetic algorithm is tested against traditional and other modified genetic algorithms using common benchmark functions, and is found to produce better results in less time, and with less human interaction. The IDS is tested using the standard benchmark data collection for intrusion detection: the DARPA 98 KDD99 set. Results are found to be comparable to those achieved using ant colony optimization, and superior to those obtained with support vector machines and other genetic algorithms. / Thesis (Master, Computing) -- Queen's University, 2009-03-03 13:28:23.787
50

Implementação de um Módulo de Supervisão para um Sistema de Detecção de Vazamentos em Dutos de Petróleo / Implementation of a Supervisory Module for a Leak Detection System in Oil Pipelines

Silva, Rodrigo Eduardo Ferreira da 22 December 2009
The transport of fluids through pipes is used in the oil industry, the pipelines being an important link in the logistics flow of fluids. However, the pipelines suffer deterioration in their walls caused by several factors, which may cause loss of fluids to the environment, justifying the investment in techniques and methods of leak detection to minimize fluid loss and environmental damage. This work presents the development of a supervisory module in order to inform the operator of a leak in the monitored pipeline in the shortest time possible, so that the operator carries out procedures that bring about the end of the leak. This module is a component of a system designed to detect leaks in oil pipelines using sonic technology, wavelets and neural networks. The plant used in the development and testing of the module presented here was the system of tanks of LAMP, and its LAN as the monitoring network. The proposal consists of, basically, two stages. Initially, assess the performance of the communication infrastructure of the supervisory module. Later, simulate leaks so that the DSP sends information to the supervisory, which performs the calculation of the location of leaks and indicates to which sensor the leak is closer, and, using the system of tanks of LAMP, capture the pressure in the monitored pipeline by piezoresistive sensors, this information being processed by the DSP and sent to the supervisory to be presented to the user in real time. / The transport of fluids through pipelines is used in the petroleum industry, the pipelines being an important link in the logistics of fluid flow.
However, pipelines suffer deterioration of their walls caused by various factors, which can lead to loss of fluid to the outside environment, justifying investment in leak detection techniques and methods to minimize the loss of fluid and the environmental damage caused. This work presents the development of a supervisory module so that the operator is informed of the occurrence of a leak in the monitored pipeline in the shortest possible time, with the purpose that the operator carry out procedures that bring the leak to an end. This module is a component of a system aimed at detecting leaks in oil pipelines using sonic technology, wavelets and neural networks. The plant used in the development and testing of the module presented here was the tank system of the Laboratório de Avaliação de Medição em Petróleo (LAMP), with its Local Area Network (LAN) as the supervisory network. The proposal basically consists of two stages. First, to evaluate the performance of the communication infrastructure of the supervisory module. Then, to simulate leaks so that the DSP (Digital Signal Processor) sends information for the supervisory system to calculate the location of the leaks and indicate which sensor the leak is closest to, and, using the LAMP tank system, to capture the pressure in the monitored pipeline through piezoresistive sensors, this information being processed by the DSP and sent to the supervisory system so that real-time data are presented to the user.
