Modeling and Detection of Content and Packet Flow Anomalies at Enterprise Network Gateway

Lin, Sheng-Ya

02 October 2013

This dissertation investigates modeling techniques and computing algorithms for detection of anomalous contents and traffic flows of ingress Internet traffic at an enterprise network gateway. Anomalous contents refer to a large volume of ingress packets whose contents are not wanted by enterprise users, such as unsolicited electronic messages (UNE). UNE are often sent by Botnet farms for network resource exploitation, information stealing, and they incur high costs in bandwidth waste. Many products have been designed to block UNE, but most of them rely on signature database(s) for matching, and they cannot recognize unknown attacks. To address this limitation, in this dissertation I propose a Progressive E-Message Classifier (PEC) to timely classify message patterns that are commonly associated with UNE. On the basis of a scoring and aging engine, a real-time scoreboard keeps track of detected feature instances of the detection features until they are considered either as UNE or normal messages. A mathematical model has been designed to precisely depict system behaviors and then set detection parameters. The PEC performance is widely studied using different parameters based on several experiments. The objective of anomalous traffic flow detection is to detect selfish Transmission Control Protocol, TCP, flows which do not conform to one of the handful of congestion control protocols in adjusting their packet transmission rates in the face of network congestion. Given that none of the operational parameters in congestion control are carried in the transmitted packets, a gateway can only use packet arrival times to recover states of end to end congestion control rules, if any. We develop new techniques to estimate round trip time (RTT) using EWMA Lomb-Scargle periodogram, detect change of congestion windows by the CUSUM algorithm, and then finally predict detected congestion flow states using a prioritized decision chain. A high level finite state machine (FSM) takes the predictions as inputs to determine if a TCP flow follows a particular congestion control protocol. Multiple experiments show promising outcomes of classifying flows of different protocols based on the ratio of the aberrant transition count to normal transition count generated by FSM.

Network Anomaly Detection

Enterprise network gateway

Towards An Enterprise Self-healing System against Botnets Attacks

Alhomoud, Adeeb M., Awan, Irfan U., Pagna Disso, Jules F.

05 1900

no / Protecting against cyber attacks is no longer a problem of organizations and home users only. Cyber security programs are now a priority of most governments. Cyber criminals have been using botnets to gain control over millions of computer, steel information and commit other malicious activities. In this paper we propose a self-healing architecture that was originally inspired from a nature paradigm and applied in the computer field. Our solution is designed to work within a network domain. We present the initial design of our solution based on the principles of self healing systems and the analysis of botnet behaviour. We discuss how to either neutralize or reverse (correct) their actions ensuring that network operations continue without disruption.

A Next Generation Approach to Combating Botnets

Alhomoud, Adeeb M., Awan, Irfan U., Pagna Disso, Jules F., Younas, M.

04 1900

no / As part of a defense-in-depth security solution for domain-controlled enterprise networks, a proposed self-healing system architecture is designed to increase resiliency against botnets with minimal disruption to network services.

A quantitative measure of the security risk level of enterprise networks

Munir, Rashid, Pagna Disso, Jules F., Awan, Irfan U., Mufti, Muhammad R.

January 2013

No / Along with the tremendous expansion of information technology and networking, the number of malicious attacks which cause disruption to business processes has concurrently increased. Despite such attacks, the aim for network administrators is to enable these systems to continue delivering the services they are intended for. Currently, many research efforts are directed towards securing network further whereas, little attention has been given to the quantification of network security which involves assessing the vulnerability of these systems to attacks. In this paper, a method is devised to quantify the security level of IT networks. This is achieved by electronically scanning the network using the vulnerability scanning tool (Nexpose) to identify the vulnerability level at each node classified according to the common vulnerability scoring system standards (critical, severe and moderate). Probabilistic approach is then applied to calculate an overall security risk level of sub networks and entire network. It is hoped that these metrics will be valuable for any network administrator to acquire an absolute risk assessment value of the network. The suggested methodology has been applied to a computer network of an existing UK organization with 16 nodes and a switch.

A comprehensive approach to enterprise network security management

Homer, John

January 1900

Doctor of Philosophy / Department of Computing and Information Sciences / Xinming (Simon) Ou / Enterprise network security management is a vitally important task, more so now than ever before. Networks grow ever larger and more complex, and corporations, universities, government agencies, etc. rely heavily on the availability of these networks. Security in enterprise networks is constantly threatened by thousands of known software vulnerabilities, with thousands more discovered annually in a wide variety of applications. An overwhelming amount of data is relevant to the ongoing protection of an enterprise network. Previous works have addressed the identification of vulnerabilities in a given network and the aggregated collection of these vulnerabilities in an attack graph, clearly showing how an attacker might gain access to or control over network resources. These works, however, do little to address how to evaluate or properly utilize this information. I have developed a comprehensive approach to enterprise network security management. Compared with previous methods, my approach realizes these issues as a uniform desire for provable mitigation of risk within an enterprise network. Attack graph simplification is used to improve user comprehension of the graph data and to enable more efficient use of the data in risk assessment. A sound and effective quantification of risk within the network produces values that can form a basis for valuation policies necessary for the application of a SAT solving technique. SAT solving resolves policy conflicts and produces an optimal reconfiguration, based on the provided values, which can be verified by a knowledgeable human user for accuracy and applicability within the context of the enterprise network. Empirical study shows the effectiveness and efficiency of these approaches, and also indicates promising directions for improvements to be explored in future works. Overall, this research comprises an important step toward a more automated security management initiative.

Enterprise network security analysis

Risk assessment

Attack Graph

Security metric

Computer Science (0984)

Organizacijos tinklo saugos politikos įgyvendinimo įvertinimas automatizuotomis priemonėmis / Assessment of enterprise network security policy implementation using automated means

Gurejevas, Dmitrijus

25 August 2010

Kiekviena organizacija apdoroja informacija kompiuterinėse sistemose ir negali apsieiti be organizacijos informacinių sistemų saugos. Stiprinant organizacijos saugą ir investuojant lėšas, yra poreikis žinoti saugos lygį. Norint išlaikyti saugą tame pačiame lygyje, saugos įvertinimo darbai turi būti atliekami dažnai. Bet jie yra sudėtingi, vykdomi lėtai, rezultatai yra aktualūs tik įvertinimo vykdymo metu. Šias problemas išspręs nuolatinis tinklo stebėjimas, automatizuotas pažeidimų fiksavimas, saugos lygio įvertinimo pateikimas skaitine reikšme, tam kad sekti saugos lygio kitimus laike. Todėl darbe yra sukuriamas automatizuotas įrankis kuris nuolat stebi tinklą ir atsižvelgiant į sukurtą metodiką fiksuoja pažeidimus. Metodika susieja organizacijos saugos politiką su automatizuotu įrankiu ir suteikia jam galimybę apskaičiuoti bendrą saugos įvertinimą atsižvelgiant į saugos politikos pažeidimų kiekį ir jų riziką. Pažeidimų fiksavimui yra pasirinktas „Snort“ įrankis dirbantis NIDS režimu pagal specialiai sukurtas taisykles. Pažeidimų informacija saugoma MySql duomenų bazėje. Saugos lygio įvertinimo skaičiavimui ir atvaizdavimui yra naudojama PHP kalba. / Every organization process information in information systems and cannot manage without the protection of organization information systems. Due to reinforcing protection of organization and investments, a need to know the level of protection exists. In order to retain the same level of protection, security assessment works should be performed regularly. However, they are complicated, performed slowly, and the results are relevant only during the assessment. The above mentioned problems can be solved constantly monitoring the network, registering the violations with the help of automated means, presenting the evaluation of the level of protection in numeric values, so that the changes in the level of security in time could be traced. Therefore, in the following work an automated mean, constantly monitoring the network and registering the violations according to the crated methodology, is created. Methodology relates organization security policy with the automated mean and provides it with the possibility to calculate the general evaluation of security considering the number and the level of risk of violations. The „Snort“ tool, working in NIDS mode according to specially created rules, is chosen to register the violations. Information regarding the violations is saved in MySql data base. PHP language is applied to calculate and map the assessment of the level of security.

Informatics Engineering

Organizacijos tinklas

Įvertinimas

Skaitinė reikšmė

Saugos politika

Enterprise network

Assessment

Numerical value

Security policy

Intelligent-Agent-Based Management of Heterogeneous Networks for the Army Enterprise

Richards, Clyde E., Jr.

09 1900

Approved for public release; distribution in unlimited. / The Army is undergoing a major realignment in accordance with the Joint Vision 2010/2020 transformation to establish an enterprise command that is the single authority to operate and manage the Army Enterprise Information Infrastructure (Infrastructure). However, there are a number of critical network management issues that the Army will have to overcome before attaining the full capabilities to manage the full spectrum of Army networks at the enterprise level. The Army network environment consists of an excessive number of heterogeneous applications, systems, and network architectures that are incompatible. There are a number of legacy systems and proprietary platforms. Most of the NM architectures in the Army are based on traditional centralized NM approaches such as the Simple Network Management Protocol (SNMP). Although SNMP is the most pervasive protocol, it lacks the scalability, reliability, flexibility and adaptability necessary to effectively support an enterprise network as large and complex as the Army. Attempting to scale these technologies to this magnitude can be extremely difficult and very costly. This thesis makes the argument that intelligent-agent-based technologies are a leading solution, among the other current technologies, to achieve the Army's enterprise network management goals. / Major, United States Army

Intelligent Agent

SNMP

Enterprise Network Management

CoABS

Army Enterprise Infostructure

Global Information Grid

Adapting the Single-Request/Multiple-Response Message Exchange Pattern to Web Services

Ruth, Michael

20 May 2005

Single-Request/Multiple-Response (SRMR) is an important messaging exchange pattern because it can be used to model many real world problems elegantly. However, SRMR messaging is not directly supported by Web services, and, since it requires Callback to function it is hampered by current in-practice security schemes, such as firewalls and proxy servers. In this thesis, a framework will be proposed to support SRMR and Callback in the context of Web services and the realities of network security. The central component of the proposed solution is a Clearinghouse Web service (CWS), which serves as a communication proxy and realizes the correlation of responses with requests. One and only one CWS will be needed per enterprise that wishes to handle any number of SRMR Web services and their respective clients. Using the framework and related code generation utilities, a non-trivial case study, a Purchase Order System, has been implemented.

Enterprise network security

Web services

Message exchange pattern

Callback

Clearinghouse

Framework

Formação e gerência de redes de empresas: avaliação da aplicabilidade da estrutura do produto em obras de construção civil / not available

Nascimento, Gustavo Brandão Soares do

08 June 2005

A construção civil, especialmente nos últimos anos, tem se assemelhado à configuração organizacional denominada rede de empresas, devido a mudanças estruturais em sua forma de produção e relacionamento firma-empregado. A adoção de novas técnicas e ferramentas para o aumento da competitividade é necessária, para o desenvolvimento das empresas do setor. A estrutura do produto, ferramenta intensamente utilizada na indústria de manufatura, se apresenta como um instrumento no auxílio à competitividade das empresas de construção civil, especialmente nas áreas relativas a suprimento e a fluxo de materiais. / The civil construction sector, specially in last years, has been similar to the organizational configuration called network enterprise, because the structural changes in the production form and employee relationship. The use of new techniques and tools to improve the competitiveness is necessary to develop the sector companies. The product structure, used oftenly in manufacturing industry, is a tool that helps the competitiveness of the firms in construction sector, specially in supply and materials flow management.

Civil construction

Construção civil

Enterprise network

Estrutura de produto

Fluxo de materiais

Materials flow

Product structure

Rede de empresas

Identificação de competências essenciais para formação e gerência de redes de empresas da construção civil / Identification of core competences to formation and management of enterprise networks in civil construction

Rossetti, Anibal Martins

22 July 2005

No setor da construção civil as perspectivas gerenciais das organizações são de adaptar-se aos novos cenários e uma das formas é a de formar redes de empresas. Para formar e gerenciar redes de empresas é necessária a adequação de competências essenciais, pois organizações bem sucedidas são aquelas que demonstram desenvolver suas competências essenciais para oferecer padrão de excelência em bens e serviços. Neste trabalho são analisadas as propostas e os possíveis desdobramentos sobre o escopo compreendendo o processo de formação de redes de empresas e posteriormente é sugerida uma sistematização para identificar as competências essenciais para a formação e gerenciamento de redes de empresas da construção civil, empresas estas que possuam objetivos comuns e que mantenham a independência e individualidade para, assim, formar uma rede que permita a realização de ações conjuntas, facilitando a solução de problemas comuns e viabilizar novas oportunidades. As empresas por fim identificadas unem-se em uma rede e conseguem reduzir custos, dividir riscos, conquistar novos mercados, qualificar produtos e serviços e ter acesso à novas tecnologias. A aplicação prática do trabalho é feita através de um estudo de caso exploratório em uma obra de construção civil buscando as competências contidas nas empresas participantes para, assim, poder afirmar quais são as competências essenciais para formação da rede e quais poderão trazer benefícios à mesma ou a outras que virão a se formar. Espera-se com o resultado desta pesquisa determinar quais empresas são capazes de operar em um negócio em forma de rede de empresas, envolvendo profunda avaliação de competências essenciais, verificando se as mesmas irão garantir uma adequada sustentação competitiva nos mercados almejados. / In the civil construction, the management perspectives of organizations are to adapt to new sceneries and one of the ways is to create enterprise networks. To create and management enterprise networks it is necessary the adequation the core competence, because well succeeded organizations are those which demonstrate to develop its core competences to offer excellent standards in goods and services. In this work proposals and possible results of the issues concerning to the process of networks formation area analyzed. It is also suggest a systematization to identify core competence to the formation and management of enterprise networks in civil construction sector that have common goals and maintain the independence and individuality, to create a network that allows the accomplishment of joined actions, making the solution of common problems easier and making new opportunities feasible. These enterprises, finally identified, join themselves in a network and can reduce costs, divide risks, reach new markets, qualify products and services, and have access to new technologies. The practical application of this work is done throughout a case study which explores a civil construction task arming to identify the competence inserted in the participate enterprise, that it will be possible to affirm which the core competence to the formation of the network and which are able to bring benefits to itself and to others enterprise networks. It is intended, as a result of this research, to determine which enterprises are capable to operate in a new business, in a network configuration, involving deep evaluation of core competences and verifying if they will guarantee a competitive sustentation in desired markets.

Civil construction

Competências essenciais

Construção civil

Core competences

Enterprise network

Redes de empresas