Memory Efficient Regular Expression Pattern Matching Architecture For Network Intrusion Detection Systems

Kumar, Pawan

08 1900

The rampant growth of the Internet has been coupled with an equivalent growth in cyber crime over the Internet. With our increased reliance on the Internet for commerce, social networking, information acquisition, and information exchange, intruders have found financial, political, and military motives for their actions. Network Intrusion Detection Systems (NIDSs) intercept the traffic at an organization’s periphery and try to detect intrusion attempts. Signature-based NIDSs compare the packet to a signature database consisting of known attacks and malicious packet fingerprints. The signatures use regular expressions to model these intrusion activities. This thesis presents a memory efficient pattern matching system for the class of regular expressions appearing frequently in the NIDS signatures. Proposed Cascaded Automata Architecture is based on two stage automata. The first stage recognizes the sub-strings and character classes present in the regular expression. The second stage consumes symbol generated by the first stage upon receiving input traffic symbols. The basic idea is to utilize the research done on string matching problem for regular expression pattern matching. We formally model the class of regular expressions mostly found in NIDS signatures. The challenges involved in using string matching algorithms for regular expression matching has been presented. We introduce length-bound transitions, counter-based states, and associated counter arrays in the second stage automata to address these challenges. The system uses length information along with counter arrays to keep track of overlapped sub-strings and character class based transition. We present efficient implementation techniques for counter arrays. The evaluation of the architecture on practical expressions from Snort rule set showed compression in number of states between 50% to 85%. Because of its smaller memory footprint, our solution is suitable for both software based implementations on network chips as well as FPGA based designs.

Access Control (Computer Networks)

Cryptography

Network Intrusion Detection System

Computer Security

Cyber-attack

Cascaded Automata Architecture

Deterministic Finite Automata

Modified Word-based NFA (M-WNFA)

Network Security

Pattern Matching

Computer Science

Engineering Ecosystems of Systems: UML Profile, Credential Design, and Risk-balanced Cellular Access Control

Bissessar, David

14 December 2021

This thesis proposes an Ecosystem perspective for the engineering of SoS and CPS and illustrates the impact of this perspective in three areas of contribution category First, from a conceptual and Systems Engineering perspective, a conceptual framework including the Ecosystems of System Unified Language Modeling (EoS-UML) profile, a set of Ecosystem Ensemble Diagrams, the Arms :Length Trust Model and the Cyber Physical Threat Model are provided. Second, having established this conceptual view of the ecosystem, we recognize unique role of the cryptographic credentials within it, towards enabling the ecosystem long-term value proposition and acting as a value transfer agent, implementing careful balance of properties meet stakeholder needs. Third, we propose that the ecosystem computers can be used as a distributed compute engine to run Collaborative Algorithms. To demonstrate, we define access control scheme, risk-balanced Cellular Access Control (rbCAC). The rbCAC algorithm defines access control within a cyber-physical environment in a manner which balances cost, risk, and net utility in a multi-authority setting. rbCAC is demonstrated it in an Air Travel and Border Services scenario. Other domains are also discussed included air traffic control threat prevention from drone identity attacks in protected airspaces. These contributions offer significant material for future development, ongoing credential and ecosystem design, including dynamic perimeters and continuous-time sampling, intelligent and self optimizing ecosystems, runtime collaborative platform design contracts and constraints, and analysis of APT attacks to SCADA systems using ecosystem approaches.

cryptography

digital credentials

biometrics

fuzzy extractors

ecosystems

systems engineering

UML

EoS-UML

digital credential design

rbCAC

SoS

Systems of Systems

CPS

Cyber-physical Systems

Distributed Computing

Collaborative Computing

Design by Contract

Design by Smart Contract

rbCAC

Ecosystem Ensemble Diagram

Confusion Matrix

Classifier Evaluation

Emergent Behavior

Ecosystems Enginering

Portál univerzálního protokolu řízení přístupu / Portal of the universal access control protocol

Čepelák, Tomáš

January 2014

The paper focuses on the issue of access control. It presents an universal bilateral protocol of access control of ACP. The paper describes the messages and its sequences that AC portals uses for communication. It describes the functions and features of the modules from which the portal is composed. The paper suggests the concept of a modular AC portal solutions including the design of basic modules. It also outlines possible test scenarios. Under this proposal is generated functional AC portal on the .NET Framework platform using the C\# programming language. The portal provides access to local assets or to the assets on other computers in the local network. Created application is tested according to the scenarios proposed in both the network version and the local version of the AC portal. Test results are objectively evaluated and commented.

Privacy preserving software engineering for data driven development

Tongay, Karan Naresh

14 December 2020

The exponential rise in the generation of data has introduced many new areas of research including data science, data engineering, machine learning, artificial in- telligence to name a few. It has become important for any industry or organization to precisely understand and analyze the data in order to extract value out of the data. The value of the data can only be realized when it is put into practice in the real world and the most common approach to do this in the technology industry is through software engineering. This brings into picture the area of privacy oriented software engineering and thus there is a rise of data protection regulation acts such as GDPR (General Data Protection Regulation), PDPA (Personal Data Protection Act), etc. Many organizations, governments and companies who have accumulated huge amounts of data over time may conveniently use the data for increasing business value but at the same time the privacy aspects associated with the sensitivity of data especially in terms of personal information of the people can easily be circumvented while designing a software engineering model for these types of applications. Even before the software engineering phase for any data processing application, often times there can be one or many data sharing agreements or privacy policies in place. Every organization may have their own way of maintaining data privacy practices for data driven development. There is a need to generalize or categorize their approaches into tactics which could be referred by other practitioners who are trying to integrate data privacy practices into their development. This qualitative study provides an understanding of various approaches and tactics that are being practised within the industry for privacy preserving data science in software engineering, and discusses a tool for data usage monitoring to identify unethical data access. Finally, we studied strategies for secure data publishing and conducted experiments using sample data to demonstrate how these techniques can be helpful for securing private data before publishing. / Graduate

Data Privacy

Privacy

Data Engineering

Software Engineering

Data Driven Developers

Data Science

Privacy Preserving

Data Driven Development

Machine Learning

One class SVM

Data Usage Monitoring

Health data

k-anonymity

l-diversity

differential privacy

Information management

Secure data sharing

Survey

Audits and access control

Data Privacy Tactics

Securing sensor network

Zare Afifi, Saharnaz

January 2014

Indiana University-Purdue University Indianapolis (IUPUI) / A wireless sensor network consists of lightweight nodes with a limited power source. They can be used in a variety of environments, especially in environments for which it is impossible to utilize a wired network. They are easy/fast to deploy. Nodes collect data and send it to a processing center (base station) to be analyzed, in order to detect an event and/or determine information/characteristics of the environment. The challenges for securing a sensor network are numerous. Nodes in this network have a limited amount of power, therefore they could be faulty because of a lack of battery power and broadcast faulty information to the network. Moreover, nodes in this network could be prone to different attacks from an adversary who tries to eavesdrop, modify or repeat the data which is collected by other nodes. Nodes may be mobile. There is no possibility of having a fixed infrastructure. Because of the importance of extracting information from the data collected by the sensors in the network there needs to be some level of security to provide trustworthy information. The goal of this thesis is to organize part of the network in an energy efficient manner in order to produce a suitable amount of integrity/security. By making nodes monitor each other in small organized clusters we increase security with a minimal energy cost. To increase the security of the network we use cryptographic techniques such as: public/ private key, manufacturer signature, cluster signature, etc. In addition, nodes monitor each other's activity in the network, we call it a "neighborhood watch" In this case, if a node does not forward data, or modifies it, and other nodes which are in their transmission range can send a claim against that node.

Cluster-Base Network

Threshold Signature

Data Aggregation

Wireless Network

Ad-hoc Network

Neighborhood Watch

Threshold signatures -- Research

Computer networks -- Security measures

Wireless communication systems

Wireless LANs

Group signatures (Computer security)

Data protection

Computer security -- Management

Sensor networks -- Research

Pattern recognition systems

Computers -- Access control

Computer network protocols

Prostředí pro tvorbu interaktivních webových stránek / Interactive Web Page Design Environment

Moravec, Jaroslav

January 2008

This master's thesis describes an environment for creation and management of interactive web pages. It deals with both the structure design and the visual part. The basic idea is that the page consists of individual elements that can be arbitrarily composed together. There exist several kinds of such elements: interactive, content, database and informative elements. Furthermore, the environment includes tools for account management, access control, database administration, auditing, multilanguage support and some more.

Determination of Real-Time Network Configuration for Self-Adaptive Automotive Systems

Zhang, Ziming

17 April 2015

The Electric/Electronic architecture of vehicle becomes more complex and costly, self-adaption can reduce the system, enhance the adaptive meanwhile reduce energy consumption and costs. The self-adaption needs the cooperation of both hardware and software reconfigurations, such that after the software is reconfigured the automotive network continues to fulfill the time constraints for time-critical applications. The thesis focuses on the real-time network reconfiguration. It uses EAST-ADL to model a real-time automotive system with timing events and constraints, which conforms to AUTOSAR timing extensions. The network media access is analyzed based on the model and a scheduling algorithm is developed. Then the concept is implemented by a use case, which is transformed from an EAST-ADL model to an executable simulation.:1. Introduction 2. Research Fundamentals 2.1. AUTOSAR Specifications for Modeling Function Communication 2.2. Media Access Control in Real-time Network 3. Function Communication Model and Determination of Network Configuration 3.1. Function Communication Model 3.2. Scheduling Algorithm for Media Access 4. Implementation of Communication Model and Plugin for Model Transformation 4.1. EAST-ADL Modeling Language 4.2. Implementation of Function Communication Model in EAST-ADL 4.3. Model Transformation Plugin and Simulation Tool Integration 5. Evaluation of the Function Communication Model 5.1. Use-Case Model for Evaluation 5.2. Time Values of Use-Case Model 5.3. Analysis and Evaluation of Simulation Result 6. Conclusion and Outlook 6.1. Conclusion of the Work 6.2. Outlook of the Future Work A. OMNeT++ Simulation Log B. EAST-ADL Model to Artop Model Mapping Bibliography Nomenclature

info:eu-repo/classification/ddc/000

ddc:000

Echtzeit; AUTOSAR

Role Based Access Control (RBAC) in the context of Smart Grids : Implementing and Evaluating a Role Based Access Control System for Configuration Loading in a Substation from a Desktop / Rollbaserad åtkomstkontroll (RBAC) för smarta nät : Implementering och utvärdering av ett rollbaserat åtkomstkontrollsystem för konfigurationsinläsning i en transformatorstation från en datorapplikation.

Ducornaud, Gatien

January 2023

Access control is a crucial aspect of cybersecurity, and Role Based Access Control (RBAC) is a typical framework for controlling the access to specific resources. However, in the context of Smart Grids, the usual authentication solution of using a trusted identity provider might not be possible to provide authentication of a user, as systems cannot rely on external services. This, in addition to devices in a substation being usually strictly controlled, means that having an RBAC limited to a desktop application can be necessary. Moreover, the cost of adding additional layers of security needs to be considered too, as the cost of adding specific features can vary significantly. This thesis thus looks into the existing solutions for desktop applications in substations, explains their viability and implements an RBAC system using Group Nesting in Windows user management, in the context of a configuration loading application on a main computer in a substation. It is then used to evaluate the cost of this new solution, in terms of maintainability, usability and flexibility, compared to the gained security. This is done by using static analysis of both codebases, and evaluation of usability and security. It shows that security can be added for a reasonable cost using Group Nesting in Smart Grids if the focus is to delegate some tasks to the directory, improving on the security of the application and the system as a whole. / Åtkomstkontroll är en viktig aspekt av cybersäkerhet, och rollbaserad åtkomstkontroll (RBAC) är ett typiskt ramverk för att kontrollera åtkomsten till specifika resurser. I smarta nät kan det dock hända att den vanliga autentiseringslösningen med en betrodd identitetsleverantör inte är tillräcklig för att autentisera en användare, eftersom systemen inte kan förlita sig på externa tjänster. Detta, förutom att enheterna i en transformatorstation vanligtvis är strikt kontrollerade, innebär att det kan vara nödvändigt att ha en RBAC som är begränsad till en datorapplikation. Dessutom måste kostnaden för att lägga till ytterligare säkerhetslager också beaktas, eftersom kostnaden för att lägga till specifika funktioner kan variera avsevärt. Denna avhandling omfattar därför dels undersökning av de befintliga lösningarna för datorapplikation i transformatorstationer, dels redogörelse av genomförbarheten och dels implementeringen av ett RBAC-system. Implementationen använder funktionen Group Nesting i Windows-användarhantering och integrerades i en applikation för konfigurationsinläsning på en huvuddator i en transformatorstation. Därefter utvärderas kostnaden för denna nya lösning i fråga om underhållbarhet, användbarhet och flexibilitet i förhållande till den ökade säkerheten. Detta görs med hjälp av statisk analys av de båda mjukvarulösningarna och utvärdering av användbarhet och säkerhet. Det visar att säkerheten kan ökas till en rimlig kostnad med hjälp av Group Nesting i smarta nät, om fokus ligger på att delegera vissa uppgifter till en katalog, vilket förbättrar säkerheten i applikationen och systemet som helhet. / Le contrôle ’daccès est un aspect essentiel de la cybersécurité, et utiliser des rôles pour implémenter cela est souvent le modèle recommandé. Pour autant, dans le contexte des réseaux électriques intelligents, il ’nest pas toujours possible de posséder un parti tiers fiable qui puisse faire autorité car il ne faut pas dépendre de systèmes extérieurs. ’Cest particulièrement vrai dans une sous-station où les ordinateurs connectés ont un rôle strictement défini. Ainsi il peut être nécessaire ’davoir un système de contrôle ’daccès basé sur les rôles (RBAC, Role-Based Access Control) uniquement contenu sur un ordinateur. Il faut de plus pouvoir estimer le coût de cette sécurité supplémentaire. Ce rapport évalue les solutions existantes dans cette situation et leur viabilité, et implémente un RBAC grâce à ’limbrication de groupe ’dutilisateur Windows, pour une application desktop pour le chargement de configuration pour l´ordinateur central ’dune sous-station. Cette implémentation est ensuite utilisée pour estimer les coûts associés à ’lajout ’dun RBAC en termes de maintenabilité, ’dutilisabilité et de flexibilité par rapport aux gains de sécurité. Cela est fait à travers des outils ’danalyse statique sur le code avant et après implémentation et ’dautres techniques ’danalyse de la sécurité et de la maintenabilité. Cela permet de montrer que, avec ’limbrication de groupes, il est possible ’dobtenir un niveau de sécurité satisfaisant tout en limitant les coûts associés, grâce au fait de déléguer les fonctions de gestion ’dutilisateur à un système de directory (répertoire).

Role Based Access Control (RBAC)

Cybersecurity

Smart Grid

Substation

Desktop Applications

Cybersécurité

Réseau électrique intelligent

Sous-Station

Application Desktop

Rollbaserad åtkomstkontroll (RBAC)

Cybersäkerhet

Smarta nät

Transformatorstation

datorapplikation

Software Engineering

Programvaruteknik

Computer and Information Sciences

Data- och informationsvetenskap

[en] MACHINE LEARNING-BASED MAC PROTOCOLS FOR LORA IOT NETWORKS / [pt] PROTOCOLOS MAC BASEADOS EM APRENDIZADO DE MÁQUINA PARA REDES DE INTERNET DAS COISAS DO TIPO LORA

DAYRENE FROMETA FONSECA

24 June 2020

[pt] Com o rápido crescimento da Internet das Coisas (IoT), surgiram novas tecnologias de comunicação sem fio para atender aos requisitos de longo alcance, baixo custo e baixo consumo de energia exigidos pelos aplicativos de IoT. Nesse contexto, surgiram as redes de longa distância de baixa potência (LPWANs), as quais oferecem diferentes soluções que atendem aos requisitos dos aplicativos de IoT mencionados anteriormente. Entre as soluções LPWAN existentes, o LoRaWAN tem-se destacado por receber atenção significativa da indústria e da academia nos últimos anos. Embora o LoRaWAN ofereça uma combinação atraente de transmissões de dados de longo alcance e baixo consumo de energia, ele ainda enfrenta vários desafios em termos de confiabilidade e escalabilidade. No entanto, devido a sua natureza de código aberto e à flexibilidade do esquema de modulação no qual ele se baseia (Long Range (LoRa) permite o ajuste de fatores de espalhamento e a potência de transmissão), o LoRaWAN também oferece importantes possibilidades de melhorias. Esta dissertação aproveita a adequação dos algoritmos de Aprendizagem por Reforço (RL) para resolver tarefas de tomada de decisão e os utiliza para ajustar dinamicamente os parâmetros de transmissão dos dispositivos finais LoRaWAN. O sistema proposto, chamado RL-LoRa, mostra melhorias significativas em termos de confiabilidade e escalabilidade quando comparado ao LoRaWAN. Especificamente, diminui a taxa de erro de pacote (PER) média do LoRaWAN em 15 porcento, o que pode aumentar ainda mais a escalabilidade da rede. / [en] With the massive growth of the Internet of Things (IoT), novel wireless communication technologies have emerged to address the long-range, lowcost, and low-power consumption requirements of the IoT applications. In this context, the Low Power Wide Area Networks (LPWANs) have appeared, offering different solutions that meet the IoT applications requirements mentioned before. Among the existing LPWAN solutions, LoRaWAN has stood out for receiving significant attention from both industry and academia in recent years. Although LoRaWAN offers a compelling combination of long-range and low-power consumption data transmissions, it still faces several challenges in terms of reliability and scalability. However, due to its open-source nature and the flexibility of the modulation scheme it is based on (Long Range (LoRa) modulation allows the adjustment of spreading factors and transmit power), LoRaWAN also offers important possibilities for improvements. This thesis takes advantage of the appropriateness of the Reinforcement Learning (RL) algorithms for solving decision-making tasks, and use them to dynamically adjust the transmission parameters of LoRaWAN end devices. The proposed system, called RL-LoRa, shows significant improvements in terms of reliability and scalability when compared with LoRaWAN. Specifically, it decreases the average Packet Error Ratio (PER) of LoRaWAN by 15 percent, which can further increase the network scalability.

[pt] PARAMETROS DE TRANSMISSAO

[pt] LORAWAN

[pt] MODULACAO LORA

[en] LOW POWER WIDE AREA NETWORKS

[en] REINFORCEMENT LEARNING ALGORITHMS

[en] TRANSMISSION PARAMETERS

[en] LORAWAN

[en] LORA MODULATION

[en] MEDIUM ACCESS CONTROL PROTOCOLS

符号分割多元接続によるバケット通信に関する研究

小川, 明, 片山, 正昭, 山里, 敬也

03 1900

科学研究費補助金 研究種目:基盤研究(B)(2) 課題番号:07455160 研究代表者:小川 明 研究期間:1995-1996年度

符号分割多元接続

アクセス制御

スル-プット解析

Access Control

無線パケット通信

Code Division Multiple Access

Packet Radio System

無形バケット通信

Throughput Analysis

スル-プット特性

セルラ環境

スプレッドアロハ方式

送信許可制御法

Cellular Environment

ラルラ環境