About: The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
81

Intrusion Identification For Mobile Ad Hoc Networks

Sahoo, Chandramani 03 1900 (has links)
A Mobile Ad Hoc Network (MANET) is a collection of wireless hosts that can be rapidly deployed as a multi-hop packet radio network without the aid of any established infrastructure or centralized administration. Such networks can be used to enable the next generation of battlefield applications envisioned by the military, including situation awareness systems for maneuvering war fighters and remotely deployed unmanned microsensor networks. Ad Hoc networks can also provide solutions for civilian applications such as disaster recovery and message exchange among safety and security personnel involved in rescue missions. Existing solutions for wired network Intrusion Detection Systems (IDSs) do not suit wireless Ad Hoc networks. To use either misuse detection or anomaly detection to monitor for possible compromises, the IDS must be able to distinguish normal from anomalous activities. To enable intrusion detection in wireless Ad Hoc networks, the research problems are:
• How to efficiently collect normal and anomalous patterns of Ad Hoc networks? The lifetime of the hosts is short, and Ad Hoc networks do not have traffic concentration points (routers, switches).
• How to detect anomalies? Packet loss could be caused by host movement instead of attacks, and an unexpectedly long delay could be caused by an unreliable channel instead of malicious discard.
In this thesis, we propose a novel architecture that uses specification-based intrusion detection techniques to detect active attacks against the routing protocols of mobile Ad Hoc networks. Our work analyzes some of the vulnerabilities and discusses the attacks against the AODV protocol. Our approach uses a Finite State Machine (FSM) to specify the AODV routing behavior and distributed network monitors to detect the sequence number attack. Our method can detect most of the bad nodes with a low false positive rate, and the packet delivery ratio can also be increased along with the high detection rate.
For the packet dropping attack, we present a distributed technique to detect it in wireless Ad Hoc networks. A bad node is able to forward packets but in fact fails to do so. In our technique, every node in the network checks its neighboring nodes to detect whether any of them fail to forward packets. Our technique can detect most of the bad nodes with a low false positive rate, and the packet delivery ratio can also be increased. The proposed solution can be applied to identify multiple malicious nodes cooperating with each other in MANETs and to discover secure routes from source to destination by avoiding malicious nodes acting in cooperation. Our technique detects the sequence number and packet dropping attacks in real time within its radio range with no extra overhead. For the resource consumption attack, the proposed scheme incurs no extra overhead, as it makes minimal modifications to the existing data structures and functions related to bad-listing a node in the existing version of pure AODV. The proposed scheme is more efficient in terms of the resultant routes established, resource reservations, and computational complexity. If multiple malicious nodes collaborate, they in turn will be restricted and isolated by their neighbors, because the neighbors monitor and exercise control over the forwarding of RREQs by nodes. Hence, the scheme successfully prevents distributed attacks. The proposed scheme shifts the responsibility of monitoring this parameter to the node's neighbor, ensuring compliance with this restriction. This technique solves all of the problems caused by unnecessary RREQs from a compromised node. Instead of self-control, the control exercised by a node's neighbor prevents this attack. Experiments show that the tool provides effective intrusion detection functionality while using only a limited amount of resources. The loop freedom property has been reduced to an invariant on pairs of nodes.
Each node decides and transmits its decision to a control center. Robustness to threats, robustness to node destruction, and robustness to observation deletion: the loss of performance (in terms of ratio) is least for the distributed option and highest for the centralized option. All the proposed schemes were analyzed and tested under different topologies and conditions with a varying number of nodes. The proposed algorithms for improving the robustness of wireless Ad Hoc networks using the AODV protocol against the packet dropping attack, sequence number attack and resource consumption attack have been simulated for an illustrative network of about 30 nodes. Our experiments have shown that the patterns extracted through simulation can be used to detect attacks effectively. The patterns could also be applied to detect similar attacks on other protocols.
82

Gerenciamento e Integração das Bases de Dados de Sistemas de Detecção de Intrusões / Management and Integration of Intrusion Detection System Databases

SILVA, Emanoel Costa Claudino 19 December 2006 (has links)
Made available in DSpace on 2016-08-17T14:53:13Z (GMT). No. of bitstreams: 1; Emanoel Claudino.pdf: 1555729 bytes, checksum: b4ba5604a13f7f5cbe0d556a5a9eedf8 (MD5). Previous issue date: 2006-12-19.
Digital security has become an important factor for institutions in diverse domains. Intrusion Detection Systems (IDSs) have appeared as a solution for detecting and correcting intrusions proactively. Thus, several IDS models have appeared to reduce the probability of compromise of networked computer systems by identifying, reporting and responding to these incidents. Given this diversity of solutions, there is a lack of proposals for standardizing the information used by these systems, as well as of mechanisms for interoperability and information exchange between the solutions in use. This dissertation proposes a model, an architecture and an implementation of an IDS Information Manager, using Multi-Agent Systems and Web Services technologies. The objective of the Information Manager is to keep the information necessary for carrying out the functions inherent to an IDS in a secure and up-to-date manner. We also propose a standard storage format for this data, in order to bring requirements into the environment such as: Unified Storage, Transparent Access, Uniform Data Generation and Friendly Interaction.
Abstract translated from the Portuguese: Digital security has become a non-negotiable factor for institutions in diverse domains. Intrusion Detection Systems (IDSs) have emerged as a solution for detecting and correcting intrusions proactively. Thus, several IDS models have emerged that, by identifying, reporting and responding to these incidents, reduce the probability of compromise of networked computer systems. Given this diversity of solutions, there is a lack of proposals for standardizing the information used by these systems, as well as of mechanisms for interoperability and information exchange between the solutions in use. This dissertation proposes a model, an architecture and an implementation of an Information Manager for IDSs, using Multi-Agent Systems and Web Services technologies. The objective of the Information Manager is to keep the information necessary for carrying out the functions inherent to an IDS in a secure and up-to-date manner. A standard storage format for this data is also proposed, in order to bring requirements into the environment such as: Unified Storage, Transparent Access, Uniform Data Generation and Ease of Interoperability.
83

Malware Analysis using Profile Hidden Markov Models and Intrusion Detection in a Stream Learning Setting

Saradha, R January 2014 (has links) (PDF)
In the last decade, many machine learning and data mining based approaches have been used in the areas of intrusion detection, malware detection and classification, and traffic analysis. In the area of malware analysis, static binary analysis techniques have become increasingly difficult because of the code obfuscation and code packing methods employed when writing malware. Behavior-based analysis techniques are being used in large malware analysis systems for this reason. In prior art, a number of clustering and classification techniques have been used to classify malware samples into families and also to identify new malware families from behavior reports. In this thesis, we have analysed in detail the use of Profile Hidden Markov Models for the problem of malware classification and clustering. The ability to build accurate models with limited examples is very helpful for the early detection and modeling of malware families. The thesis also revisits the learning setting of an Intrusion Detection System that employs machine learning to identify attacks and normal traffic. It substantiates the suitability of the incremental learning setting (or stream-based learning setting) for the problem of learning attack patterns in an IDS when large volumes of data arrive as a stream. Related to the above problem, an elaborate survey of IDSs that use data mining and machine learning was done. Experimental evaluation and comparison show that, in terms of speed and accuracy, the stream-based algorithms perform very well as large volumes of data are presented for classification as attack or non-attack patterns. The possibilities for using stream algorithms in different security problems are elucidated in the conclusion.
84

Digital Twin-based Intrusion Detection for Industrial Control Systems

Varghese, Seba January 2021 (has links)
Digital twins for industrial control systems have gained significant interest over recent years. This attention is mainly because of the advanced capabilities offered by digital twins in the areas of simulation, optimization, and predictive maintenance. Some recent studies discuss the possibility of using digital twins for intrusion detection in industrial control systems. To this end, this thesis aims to propose a security framework for industrial control systems including its digital twin for security monitoring and a machine learning-based intrusion detection system for real-time intrusion detection. The digital twin solution used in this study is a standalone simulation of an industrial filling plant available as open source. After thoroughly evaluating the implementation aspects of the existing knowledge-driven open-source digital twin solutions for industrial control systems, this solution is chosen. The cybersecurity analysis approach utilizes this digital twin to model and execute different realistic process-aware attack scenarios and to generate a training dataset reflecting the process measurements under normal operations and attack scenarios. A total of 23 attack scenarios are modelled and executed in the digital twin, and these scenarios belong to four different attack types, namely command injection, network DoS, calculated measurement injection, and naive measurement injection. Furthermore, the proposed framework also includes a machine learning-based intrusion detection system. This intrusion detection system is designed in two stages. The first stage involves an offline evaluation of the performance of eight different supervised machine learning algorithms on the labelled dataset. In the second stage, a stacked ensemble classifier model that combines the best performing supervised algorithms on different training dataset labels is modelled as the final machine learning model.
This stacked ensemble model is trained offline using the labelled dataset and is then used to classify the incoming data samples from the digital twin during the live operation of the system. The results show that the designed intrusion detection system is capable of detecting and classifying intrusions in near real time (0.1 seconds). The practicality and benefits of the proposed digital twin-based security framework are also discussed in this work.
Abstract translated from the Swedish: Digital twins for industrial control systems have attracted significant interest in recent years. This attention is mainly due to the advanced capabilities that digital twins offer in simulation, optimization and predictive maintenance. Some recent studies discuss the possibility of using digital twins for intrusion detection in industrial control systems. To this end, this thesis aims to propose a security framework for industrial control systems including its digital twin for security monitoring and a machine learning-based intrusion detection system for real-time intrusion detection. The digital twin solution used in this study is a standalone simulation of an industrial filling plant that is available as open source. After a careful evaluation of the implementation aspects of the existing knowledge-driven open-source digital twin solutions for industrial control systems, this solution is chosen. The cybersecurity analysis method uses this digital twin to model and execute various realistic process-aware attack scenarios and to generate a training dataset that reflects the process measurements under normal operations and attack scenarios. A total of 23 attack scenarios are modelled and executed in the digital twin, and these scenarios belong to four different attack types, namely command injection, network DoS, calculated measurement injection and naive measurement injection. Furthermore, the proposed framework also includes a machine learning-based intrusion detection system. This intrusion detection system is designed in two stages. The first stage involves an offline evaluation of the performance of eight different supervised machine learning algorithms on the labelled dataset. In the second stage, a stacked ensemble classifier model that combines the best performing supervised algorithms on different training dataset labels is modelled as the final machine learning model. This stacked ensemble model is trained offline using the labelled dataset and is then used to classify incoming data samples from the digital twin during the live operation of the system. The results show that the designed intrusion detection system can detect and classify intrusions in near real time (0.1 seconds). The practicality and benefits of the proposed digital twin-based security framework are also discussed in this work.
85

Trustworthiness, diversity and inference in recommendation systems

Chen, Cheng 28 September 2016 (has links)
Recommendation systems are information filtering systems that help users effectively and efficiently explore large amounts of information and identify items of interest. Accurate predictions of users' interests improve user satisfaction and benefit business or service providers. Researchers have made tremendous efforts to improve the accuracy of recommendations. Emerging trends in technologies and application scenarios, however, lead to challenges other than accuracy for recommendation systems. Three new challenges are: (1) opinion spam results in untrustworthy content and makes recommendations deceptive; (2) users prefer diversified content; (3) in some applications, user behavior data may not be available to infer users' preferences. This thesis tackles the above challenges. We identify features of untrustworthy commercial campaigns on a question and answer website, and adopt machine learning-based techniques to implement an adaptive detection system that automatically detects commercial campaigns. We incorporate diversity requirements into a classic theoretical model and develop efficient algorithms with performance guarantees. We propose a novel and robust approach to infer user preference profiles from recommendations using copula models. The proposed approach can offer in-depth business intelligence for physical stores that depend on Wi-Fi hotspots for mobile advertisement.
86

Memory Efficient Regular Expression Pattern Matching Architecture For Network Intrusion Detection Systems

Kumar, Pawan 08 1900 (has links) (PDF)
The rampant growth of the Internet has been coupled with an equivalent growth in cyber crime over the Internet. With our increased reliance on the Internet for commerce, social networking, information acquisition, and information exchange, intruders have found financial, political, and military motives for their actions. Network Intrusion Detection Systems (NIDSs) intercept the traffic at an organization's periphery and try to detect intrusion attempts. Signature-based NIDSs compare each packet against a signature database consisting of known attacks and malicious packet fingerprints. The signatures use regular expressions to model these intrusion activities. This thesis presents a memory efficient pattern matching system for the class of regular expressions appearing frequently in NIDS signatures. The proposed Cascaded Automata Architecture is based on two-stage automata. The first stage recognizes the sub-strings and character classes present in the regular expression. The second stage consumes the symbols generated by the first stage upon receiving input traffic symbols. The basic idea is to utilize the research done on the string matching problem for regular expression pattern matching. We formally model the class of regular expressions mostly found in NIDS signatures. The challenges involved in using string matching algorithms for regular expression matching are presented. We introduce length-bound transitions, counter-based states, and associated counter arrays in the second-stage automata to address these challenges. The system uses length information along with counter arrays to keep track of overlapping sub-strings and character class based transitions. We present efficient implementation techniques for counter arrays. The evaluation of the architecture on practical expressions from the Snort rule set showed a compression in the number of states of between 50% and 85%.
Because of its smaller memory footprint, our solution is suitable for both software-based implementations on network chips and FPGA-based designs.
87

Is Someone Mining Crypto on My Computer? A Study of the Threat of Cryptomining (original title: Är det någon som gräver efter krypto på min dator? : En studie kring hotet av kryptobrytning)

Skåås, Filippa, Olsson, Karin January 2023 (has links)
Abstract translated from the Swedish: Cryptomining is the process by which cryptocurrency transactions are verified. Today, illegal cryptomining is a major threat, as it constitutes a large part of organized crime. In addition, malicious cryptomining programs can shorten a computer's lifespan considerably. Programs used for cryptomining also draw large amounts of processor power, which can cause a computer to start working slowly. Various methods can be used to detect programs on a computer. The purpose of this work is to investigate whether it is possible to identify cryptomining using tools that can analyze packets sent over the network from a cryptomining program. At the same time, it is observed which variants of artifacts can be distinguished and which other types of methods are available for detecting cryptomining. The result shows that only specific types of cryptomining attacks can be detected with packet analyzers and system tools, since a hacker can, in most cases, bypass the tools. However, in most cases the result shows that there are disadvantages and advantages to each method. The most effective way to protect private assets and public organizations' resources is to use a multi-layered strategy by combining all types of methods. Some of the artifacts found that may be useful were IP addresses, MAC addresses, geolocation and metadata.
Today, illegal crypto mining poses a significant threat because it plays a big role in organized crime. In addition, it can shorten the lifespan of a computer significantly. Programs dedicated to crypto mining also consume substantial amounts of processing power, which can slow down a computer. Various methods can be employed to detect such programs on a computer. The purpose of this work is to investigate whether it is possible to identify crypto mining using tools that can analyze packets transmitted over the network from a crypto mining program.
Additionally, it is observed which variants of artifacts can be distinguished and what other types of methods are available for detecting crypto mining. The result shows that only specific types of crypto mining attacks can be detected using packet analyzers and system tools, as a hacker can bypass these tools in most cases. However, the result also indicates that there are disadvantages and advantages to each method. The most effective way to protect your assets and organizational resources is to use a multi-layered strategy by combining all types of methods. Some of the artifacts found that may be useful include IP addresses, MAC addresses, geolocation, and metadata.
88

Malicious Intent Detection Framework for Social Networks

Fausak, Andrew Raymond 05 1900 (has links)
Many, if not all, people have online social accounts (OSAs) on an online community (OC) such as Facebook (Meta), Twitter (X), Instagram (Meta), Mastodon, or Nostr. OCs enable quick and easy interaction with friends, family, and even online communities to share information. There is also a dark side to OCs, where users with malicious intent join OC platforms for the purpose of criminal activities such as spreading fake news/information, cyberbullying, propaganda, phishing, stealing, and unjust enrichment. These criminal activities are especially concerning when they harm minors. Detection and mitigation are needed to protect and help OCs and stop these criminals from harming others. Many solutions exist; however, they are typically focused on a single category of malicious intent detection rather than an all-encompassing solution. To answer this challenge, we propose the first steps of a framework for analyzing and identifying malicious intent in OCs, which we refer to as the malicious intent detection framework (MIDF). MIDF is an extensible proof-of-concept that uses machine learning techniques to enable detection and mitigation. The framework will first be used to detect malicious users using solely relationships and can then be leveraged to create a suite of malicious intent vector detection models, including phishing, propaganda, scams, cyberbullying, racism, spam, and bots, for open-source online social networks such as Mastodon and Nostr.
