Towards Self-Healing Systems: Re-establishing Trust in Compromised Systems

Grizzard, Julian B.

10 April 2006

Computer systems are subject to a range of attacks that can compromise their intended operations. Conventional wisdom states that once a system has been compromised, the only way to recover is to format and reinstall. In this work, we present methods to automatically recover or self-heal from a compromise. We term the system an intrusion recovery system. The design consists of a layered architecture in which the production system and intrusion recovery system run in separate isolated virtual machines. The intrusion recovery system monitors the integrity of the production system and repairs state if a compromise is detected. A method is introduced to track the dynamic control flow graph of the production system guest kernel. A prototype of the system was built and tested against a suite of rootkit attacks. The system was able to recover from all attacks at a cost of about a 30% performance penalty.

Virtual machine

End-user security

Intrusion detection

Intrusion recovery

Rootkits

Endpoint Intrusion Detection and Response Agents in Embedded RAN Products : A suitability and performance evaluation / Intrångsdetektering och respons inom ändpunkter i inbyggda RAN produkter : En studie kring lämplighet och prestanda

Hashem, Yousef, Zildzic, Elmedin

January 2022

Endpoint detection and response is an integral part of the security of large-scale networks. Embedded hardware, such as those found at Ericsson Radio Access Network endpoints, have strict performance requirements that need to be met. This fact makes implementing intrusion detection non-trivial, as intrusion detection software often generate a lot of processing overhead. Wazuh, an established open-source distributed and centralized intrusion detection and response system, shows a lot of promise as a large-scale intrusion detection system. It is very modular and has various capabilities that can be utilized in different ways to minimize processing overhead. One of these capabilities is native support for the native Linux syscall monitoring tool AuditD. While AuditD is very capable, it can introduce severe performance penalties in certain scenarios. Falco is another syscall monitoring tool that shows promise with regards to performance, and also has more features than AuditD; which is why Falco is included as a direct comparison to AuditD. This study evaluates Wazuh, AuditD, and Falco based on a set of requirements set by Ericsson, including flexibility, scalability and reliability, by enacting performance benchmarks with normal background operations active. The results of this study show that, with the correct configuration, Wazuh can be used as an intrusion detection system in embedded systems with limited hardware, where AuditD and Falco can serve as a great addition to detecting indicators of compromise. The solution is to use a minimal intrusion detection ruleset, and in the event of suspicious activity, activate more modules to increase threat detection at the cost of CPU overhead and execution time for normal system operation.

intrusion detection

wazuh

security

edr

intrusion response

Computer Engineering

Datorteknik

Intrusion detection and response model to enhance security in cognitive radio networks / Ifeoma Ugochi Ohaeri

Ohaeri, Ifeoma Ugochi

January 2012

With the rapid proliferation of new technologies and services in the wireless domain, spectrum scarcity has become a major concern. Cognitive radios (CRs) arise as a promising solution to the scarcity of spectrum. A basic operation of the CRs is spectrum sensing. Whenever a primary signal is detected, CRs have to vacate the specific spectrum band. Malicious users can mimic incumbent transmitters so as to enforce CRs to vacate the specific band. Cognitive radio networks (CRNs) are expected to bring an evolution to the spectrum scarcity problem through intelligent use of the fallow spectrum bands. However, as CRNs are wireless in nature, they face all common security threats found in the traditional wireless networks. Common security combating measures for wireless environments consist of authorization, authentication, and access control. But CRNs face new security threats and challenges that have arisen due to their unique cognitive (self-configuration, self-healing, self-optimization, and self-protection) characteristics. Because of these new security threats, the use of traditional security combating measures would be inadequate to address the challenges. Consequently, this research work proposes an Intrusion Detection and Response Model (IDRM) to enhance security in cognitive radio networks. Intrusion detection monitors all the activities in order to detect the intrusion. It searches for security violation incidents, recognizes unauthorized accesses, and identifies information leakages. Unfortunately, system administrators neither can keep up with the pace that an intrusion detection system is delivering responses or alerts, nor can they react within adequate time limits. Therefore, an automatic response system has to take over this task by reacting without human intervention within the cognitive radio network. / Thesis (M.Sc.(Computer Science) North-West University, Mafikeng Campus, 2012

Intrusion detection systems

Computer security

APPLICATION OF INTRUSION DETECTION SOFTWARE TO PROTECT TELEMETRY DATA IN OPEN NETWORKED COMPUTER ENVIRONMENTS.

Kalibjian, Jeffrey R.

10 1900

International Telemetering Conference Proceedings / October 23-26, 2000 / Town & Country Hotel and Conference Center, San Diego, California / Over the past few years models for Internet based sharing and selling of telemetry data have been presented [1] [2] [3] at ITC conferences. A key element of these sharing/selling architectures was security. This element was needed to insure that information was not compromised while in transit or to insure particular parties had a legitimate right to access the telemetry data. While the software managing the telemetry data needs to be security conscious, the networked computer hosting the telemetry data to be shared or sold also needs to be resistant to compromise. Intrusion Detection Systems (IDS) may be used to help identify and protect computers from malicious attacks in which data can be compromised.

Intrusion Detection Systems

Computer Security

An Adaptive Database Intrusion Detection System

Barrios, Rita M.

01 January 2011

Intrusion detection is difficult to accomplish when attempting to employ current methodologies when considering the database and the authorized entity. It is a common understanding that current methodologies focus on the network architecture rather than the database, which is not an adequate solution when considering the insider threat. Recent findings suggest that many have attempted to address this concern with the utilization of various detection methodologies in the areas of database authorization, security policy management and behavior analysis but have not been able to find an adequate solution to achieve the level of detection that is required. While each of these methodologies has been addressed on an individual basis, there has been very limited work to address the methodologies as a single entity in an attempt to function within the detection environment in a harmonious fashion. Authorization is at the heart of most database implementations however, is not enough to prevent a rogue, authorized entity from instantiating a malicious action. Similarly, eliminating the current security policies only exacerbates the problem due to a lack of knowledge in a fashion when the policies have been modified. The behavior of the authorized entity is the most significant concern in terms of intrusion detection. However, behavior identification methodologies alone will not produce a complete solution. The detection of the insider threat during database access by merging the individual intrusion detection methodologies as noted will be investigated. To achieve the goal, this research is proposing the creation of a procedural framework to be implemented as a precursor to the effecting of the data retrieval statement. The intrusion model and probability thresholds will be built utilizing the intrusion detection standards as put forth in research and industry. Once an intrusion has been indicated, the appropriate notifications will be distributed for further action by the security administrator while the transaction will continue to completion. This research is proposing the development of a Database Intrusion Detection framework with the introduction of a process as defined in this research, to be implemented prior to data retrieval. This addition will enable an effective and robust methodology to determine the probability of an intrusion by the authorized entity, which will ultimately address the insider threat phenomena.

Database

Intrusion Detection

Computer Sciences

Dyke-induced earthquakes during the 2014-15 Bárðarbunga-Holuhraun rifting event, Iceland

Woods, Jennifer

January 2019

Understanding dykes is vital as they serve both as bodies that build the crust and as conduits that feed eruptions. The 2014-15 Bárðarbunga-Holuhraun rifting event comprised the best-monitored dyke intrusion to date and the largest eruption in Iceland in 230 years. Over a 13 day period magma propagated laterally from the subglacial Bárðarbunga volcano, Iceland, along a 48 km path before erupting in the Holuhraun lava field on 29 August 2014. A huge variety of seismicity was produced, including over 30,000 volcano-tectonic earthquakes (VTs) associated with the dyke propagation at ∼ 6 km depth below sea level, and long-period seismicity - both long-period earthquakes (LPs) and tremor - associated with the eruption processes. The Cambridge University seismic network in central Iceland recorded the dyke seismicity in unprecedented detail, allowing high resolution analyses to be carried out. This dissertation comprises two parts: study of 1) the volcano-tectonic dyke-induced seismicity and 2) the long-period seismicity associated with eruption processes. Volcano-tectonic earthquakes induced by the lateral dyke intrusion were relocated, using cross-correlated, sub-sample relative travel times. The ∼ 100 m spatial resolution achieved reveals the complexity of the dyke propagation pathway and dynamics (jerky, segmented), and allows us to address the precise relationship between the dyke and seismicity. The spatio-temporal characteristics of the induced seismicity can be directly linked in the first instance to propagation of the tip and opening of the dyke, and following this - after dyke opening - indicate a relationship with magma pressure changes (i.e. dyke inflation/deflation), followed by a general 'post-opening' decay. Seismicity occurs only at the base of the dyke, where dyke-imposed stresses - combined with the background tectonic stress (from regional extension over > 200 years since last rifting) - are sufficient to induce failure of pre-existing weaknesses in the crust, while the greatest opening is at shallower depths. Emplacement oblique to the spreading ridge resulted in left-lateral shear motion along the distal dyke section (studied here), and a prevalence of left-lateral shear failure. Fault plane strikes are predominately independent of the orientation of lineations delineated by the hypocenters, indicating that they are controlled by the underlying host rock fabric. Long-period earthquakes and tremor were systematically detected and located during the dyke propagation phase and the first week of the eruption. Clusters of highly similar, repetitive LPs were identified, with a peak frequency of ∼ 1 Hz and clear P and S phases followed by a long-duration coda. The source mechanisms were remarkably consistent between clusters and also fundamentally different to those of the VTs. The clusters were accurately located near each of three ice cauldrons (depressions formed by basal melting) that were observed on the surface of Dyngjujökull glacier above the path of the dyke. Most events were in the vicinity of the northernmost cauldron, at shallower depth than the VTs associated with lateral dyke propagation. At the two northerly cauldrons, periods of shallow seismic tremor following the clusters of LPs were also observed. Given that the LPs occurred at ∼ 4 km depth and in swarms during times of dyke-stalling, it is inferred that they result from excitation of magmatic fluid-filled cavities and indicate magma ascent. The tremor may then represent the climax of the vertical melt movement, arising from either rapid, repeated excitation of the same LP cavities, or sub-glacial eruption processes. This long-period seismicity therefore highlights magma pathways between the depth of the dyke-VT earthquakes and the surface. Notably, no tremor is detected associated with each cauldron, despite melt reaching the base of the overlying ice cap, a concern for hazard forecasting.

Design of Efficient FPGA Circuits For Matching Complex Patterns in Network Intrusion Detection Systems

Clark, Christopher R.

03 March 2004

The objective of this research is to design and develop a reconfigurable string matching co-processor using field-programmable gate array (FPGA) technology that is capable of matching thousands of complex patterns at gigabit network rates for network intrusion detection systems (NIDS). The motivation for this work is to eliminate the most significant bottleneck in current NIDS software, which is the pattern matching process. The tasks involved with this research include designing efficient, high-performance hardware circuits for pattern matching and integrating the pattern matching co-processor with other NIDS components running on a network processor. The products of this work include a system to translate standard intrusion detection patterns to FPGA pattern matching circuits that support all the functionality required by modern NIDS. The system generates circuits efficient enough to enable the entire ruleset of a popular NIDS containing over 1,500 patterns and 17,000 characters to fit into a single low-end FPGA chip and process data at an input rate of over 800 Mb/s. The capacity and throughput both scale linearly, so larger and faster FPGA devices can be used to further increase performance. The FPGA co-processor allows the task of pattern matching to be completely offloaded from a NIDS, significantly improving the overall performance of the system.

Network security

Intrusion detection

IDS

Implementation and Evaluation of A Low-Cost Intrusion Detection System For Community Wireless Mesh Networks

2015 February 1900

Rural Community Wireless Mesh Networks (WMN) can be great assets to rural communities, helping them connect to the rest of their region and beyond. However, they can be a liability in terms of security. Due to the ad-hoc nature of a WMN, and the wide variety of applications and systems that can be found in such a heterogeneous environment there are multiple points of intrusion for an attacker. An unsecured WMN can lead to privacy and legal problems for the users of the network. Due to the resource constrained environment, traditional Intrusion Detection Systems (IDS) have not been as successful in defending these wireless network environments, as they were in wired network deployments. This thesis proposes that an IDS made up of low cost, low power devices can be an acceptable base for a Wireless Mesh Network Intrusion Detection System. Because of the device's low power, cost and ease of use, such a device could be easily deployed and maintained in a rural setting such as a Community WMN. The proposed system was compared to a standard IDS solution that would not cover the entire network, but had much more computing power but also a higher capital cost as well as maintenance costs. By comparing the low cost low power IDS to a standard deployment of an open source IDS, based on network coverage and deployment costs, a determination can be made that a low power solution can be feasible in a rural deployment of a WMN.

WMN, IDS, Intrusion Detection System.

The thermal history of the Western Lower Saxony Basin, Germany

Adriasola Muñoz, Yvonne

January 2006

Zugl.: Aachen, Techn. Hochsch., Diss., 2006

Geochemische Untersuchungen an Gesteinen aus Karbonatit-Pyroxenit-Syenit-Komplexen in Tamil Nadu, Südindien Wechselbeziehungen und Stoffaustauschprozesse /

Möller, Andrea.

Unknown Date

Universiẗat, Diss., 2004--Hamburg.