Effective monitoring of slow suspicious activites on computer networks

Kalutarage, H. K.

January 2013

Slow and suspicious activities on modern computer networks are increasingly hard to detect. An attacker may take days, weeks or months to complete an attack life cycle. A particular challenge is to monitor for stealthy attempts deliberately designed to stay beneath detection thresholds. This doctoral research presents a theoretical framework for effective monitoring of such activities. The main contribution of this work is a scalable monitoring scheme proposed in a Bayesian framework, which allows for detection of multiple attackers by setting a threshold using the Grubbs’ test. Second contribution is a tracing algorithm for such attacks. Network paths from a victim to its immediate visible hops are mapped and profiled in a Bayesian framework and the highest scored path is prioritised for monitoring. Third contribution explores an approach to minimise data collection by employing traffic sampling. The traffic is sampled using the stratification sampling technique with optimum allocation method. Using a 10% sampling rate was sufficient to detect simulated attackers, and some network parameters affected on sampling error. Final contribution is a target-centric monitoring scheme to detect nodes under attack. Target-centric approach is quicker to detect stealthy attacks and has potential to detect collusion as it completely independent from source information. Experiments are carried out in a simulated environment using the network simulator NS3. Anomalous traffic is generated along with normal traffic within and between networks using a Poisson arrival model. Our work addresses a key problem of network security monitoring: a scalable monitoring scheme for slow and suspicious activities. State size, in terms of a node score, is a small number of nodes in the network and hence storage is feasible for very large networks.

005.8

Evaluation of two host-based intrusion prevention systems

Labbe, Keith G.

06 1900

Host-based intrusion-prevention systems are recently popular technologies which protect computer systems from malicious attacks. Instead of merely detecting exploits, the systems attempt to prevent the exploits from succeeding on the host they protect. This research explores the threats that have led to the development of these systems and the techniques many use to counter those problems. We then evaluate two current intrusion-prevention products (McAfee Entercept and the Cisco Security Agent) as to their success in preventing exploits. Our tests used live viruses, worms, Trojan horses, and remote exploits which were turned loose on an isolated two-computer network. We make recommendations about deployment of the two products based on the results of our own testing.

Computer security

Computer networks

Security measures

Security systems

Using human interactive security protocols to secure payments

Chen, Bangdao

January 2012

We investigate using Human Interactive Security Protocols (HISPs) to secure payments. We start our research by conducting extensive investigations into the payment industry. After interacting with different payment companies and banks, we present two case studies: online payment and mobile payment. We show how to adapt HISPs for payments by establishing the reverse authentication method. In order to properly and thoroughly evaluate different payment examples, we establish two attack models which cover the most commonly seen attacks against payments. We then present our own payment solutions which aim at solving the most urgent security threats revealed in our case studies. Demonstration implementations are also made to show our advantages. In the end we show how to extend the use of HISPs into other domains.

005.82

IP traceback marking scheme based DDoS defense.

January 2005

Ping Yan. / Thesis submitted in: December 2004. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2005. / Includes bibliographical references (leaves 93-100). / Abstracts in English and Chinese. / Abstract --- p.i / Acknowledgement --- p.iii / Chapter 1 --- INTRODUCTION --- p.1 / Chapter 1.1 --- The Problem --- p.1 / Chapter 1.2 --- Research Motivations and Objectives --- p.3 / Chapter 1.3 --- The Rationale --- p.8 / Chapter 1.4 --- Thesis Organization --- p.9 / Chapter 2 --- BACKGROUND STUDY --- p.10 / Chapter 2.1 --- Distributed Denial of Service Attacks --- p.10 / Chapter 2.1.1 --- Taxonomy of DoS and DDoS Attacks --- p.13 / Chapter 2.2 --- IP Traceback --- p.17 / Chapter 2.2.1 --- Assumptions --- p.18 / Chapter 2.2.2 --- Problem Model and Performance Metrics --- p.20 / Chapter 2.3 --- IP Traceback Proposals --- p.24 / Chapter 2.3.1 --- Probabilistic Packet Marking (PPM) --- p.24 / Chapter 2.3.2 --- ICMP Traceback Messaging --- p.26 / Chapter 2.3.3 --- Logging --- p.27 / Chapter 2.3.4 --- Tracing Hop-by-hop --- p.29 / Chapter 2.3.5 --- Controlled Flooding --- p.30 / Chapter 2.4 --- DDoS Attack Countermeasures --- p.30 / Chapter 2.4.1 --- Ingress/Egress Filtering --- p.33 / Chapter 2.4.2 --- Route-based Distributed Packet Filtering (DPF) --- p.34 / Chapter 2.4.3 --- IP Traceback Based Intelligent Packet Filtering --- p.35 / Chapter 2.4.4 --- Source-end DDoS Attack Recognition and Defense --- p.36 / Chapter 2.4.5 --- Classification of DDoS Defense Methods --- p.38 / Chapter 3 --- ADAPTIVE PACKET MARKING SCHEME --- p.41 / Chapter 3.1 --- Scheme Overview --- p.41 / Chapter 3.2 --- Adaptive Packet Marking Scheme --- p.44 / Chapter 3.2.1 --- Design Motivation --- p.44 / Chapter 3.2.2 --- Marking Algorithm Basics --- p.46 / Chapter 3.2.3 --- Domain id Marking --- p.49 / Chapter 3.2.4 --- Router id Marking --- p.51 / Chapter 3.2.5 --- Attack Graph Reconstruction --- p.53 / Chapter 3.2.6 --- IP Header Overloading --- p.56 / Chapter 3.3 --- Experiments on the Packet Marking Scheme --- p.59 / Chapter 3.3.1 --- Simulation Set-up --- p.59 / Chapter 3.3.2 --- Experimental Results and Analysis --- p.61 / Chapter 4 --- DDoS DEFENSE SCHEMES --- p.67 / Chapter 4.1 --- Scheme I: Packet Filtering at Victim-end --- p.68 / Chapter 4.1.1 --- Packet Marking Scheme Modification --- p.68 / Chapter 4.1.2 --- Packet Filtering Algorithm --- p.69 / Chapter 4.1.3 --- Determining the Filtering Probabilities --- p.70 / Chapter 4.1.4 --- Suppressing Packets Filtering with did Markings from Nearby Routers --- p.73 / Chapter 4.2 --- Scheme II: Rate Limiting at the Sources --- p.73 / Chapter 4.2.1 --- Algorithm of the Rate-limiting Scheme --- p.74 / Chapter 4.3 --- Performance Measurements for Scheme I & Scheme II . --- p.77 / Chapter 5 --- CONCLUSION --- p.87 / Chapter 5.1 --- Contributions --- p.87 / Chapter 5.2 --- Discussion and Future Work --- p.91 / Bibliography --- p.100

Computer networks--Security measures

Internet--Security measures

Computer security

A Framework for Securing e-Government Services : The Case of Tanzania

Karokola, Geoffrey Rwezaura

January 2012

e-Government services are becoming one of the most important and efficient means by which governments (G) interact with businesses (B) and citizens (C). This has brought not only tremendous opportunities but also serious security challenges. Critical information assets are exposed to current and emerging security risks and threats. In the course of this study, it was learnt that e-government services are heavily guided and benchmarked by e-Government maturity models (eGMMs). However, the models lack built-in security services, technical as well as non-technical; leading to lack of strategic objectives alignment between e-government services and security services. Information security has an important role in mitigating security risks and threats posed to e-government services. Security improves quality of the services offered. In light of the above, the goal of this research work is to propose a framework that would facilitate government organisations to effectively offer appropriate secure e-government services. To achieve this goal, an empirical investigation was conducted in Tanzania involving six government organizations. The investigations were inter-foiled by a sequence of structural compositions resulting in a proposition of a framework for securing e-government services which integrates IT security services into eGMMs. The research work was mainly guided by a design science research approach complemented in parts by systemic-holistic and socio-technical approaches. The thesis contributes to the empirical and theoretical body of knowledge within the computer and systems sciences on securing e-government structures. It encompasses a new approach to secure e-government services incorporating security services into eGMMs. Also, it enhances the awareness, need and importance of security services to be an integral part of eGMMs to different groups such as researched organizations, academia, practitioners, policy and decision makers, stakeholders, and the community. / <p>At the time of the doctoral defence the following paper was unpublished and had a status as follows: Paper nr. 6: In press</p>

e-Government

information security

maturity models

services

technical security

non-technical security

A Survey, Taxonomy, and Analysis of Network Security Visualization Techniques

Kasemsri, Rawiroj Robert

12 January 2006

Network security visualization is a relatively new field and is quickly gaining momentum. Network security visualization allows the display and projection of the network or system data, in hope to efficiently monitor and protect the system from any intrusions or possible attacks. Intrusions and attacks are constantly continuing to increase in number, size, and complexity. Textually reading through log files or other textual sources is currently insufficient to secure a network or system. Using graphical visualization, security information is presented visually, and not only by text. Without network security visualization, reading through log files or other textual sources is an endless and aggravating task for network security analysts. Visualization provides a method of displaying large volume of information in a relatively small space. It also makes patterns easier to detect, recognize, and analyze. This can help security experts to detect problems that may otherwise be missed in reading text based log files. Network security visualization has become an active research field in the past six years and a large number of visualization techniques have been proposed. A comprehensive analysis of the existing techniques is needed to help network security designers make informed decisions about the appropriate visualization techniques under various circumstances. Moreover, a taxonomy of the existing visualization techniques is needed to classify the existing network security visualization techniques and present a high level overview of the field. In this thesis, the author surveyed the field of network security visualization. Specifically, the author analyzed the network security visualization techniques from the perspective of data model, visual primitives, security analysis tasks, user interaction, and other design issues. Various statistics were generated from the literatures. Based on this analysis, the author has attempted to generate useful guidelines and principles for designing effective network security visualization techniques. The author also proposed a taxonomy for the security visualization techniques. To the author’s knowledge, this is the first attempt to generate a taxonomy for network security visualization. Finally, the author evaluated the existing network security visualization techniques and discussed their characteristics and limitations. For future research, the author also discussed some open research problems in this field. This research is a step towards a thorough analysis of the problem space and the solution space in network security visualization.

Anomalies

Taxonomy

Security visualization

Network security

Security information

Computer Sciences

The study of incident response in Taiwan

Liaw, Bon-Yen

03 October 2002

Due to the enlargement of the use of Internet, computers are no longer separated systems. On the contrary, the frequency of sharing between computers¡¦ computing abilities, devices, and resources is surprisingly high in the last few decades. This situation makes people have a more convenient network situation. However, dangers also come along. Ever since the event occurred in 1988, the first computer worm (Morris Worm) makes people be aware of this issue. The computer network world has becoming an environment contains many potential dangers. Whereas the computer security incidents are increasing dramatically, many countries have established some specific organizations to solve these problems. TWCERT/CC (Taiwan Computer Emergency Response Team/ Coordination Center) is one of these organizations. The utilities of TWCERT/CC are to help people be aware of computer network dangers, to make responses and coordinate the security incidents inside and outside Taiwan, and to supervise the security circumstances in Taiwan and to announce alerts or take proper actions when the situation is serious. Responding and coordinating those incidents in TWCERT/CC is one crucial everyday job which requires a very complicated procedure. However, without a systematic method to handle the security incidents would be a heavy load for a computer security incident response team. This research is to develop a systematic method and procedure to handle incident and a system can implement this procedure. The goal is to shorten the processing time of incidents and enhance the accuracy of handling incidents, and to analyze the data collected from the system to get useful information.

computer security

security incidents

computer security incident response team

Internet

Design and Implementation of an Environment to Support Development of Methods for Security Assessment

Bengtsson, Johan, Brinck, Peter

January 2008

<p>There is no debate over the importance of IT security. Equally important is the research on security assessment; methods for evaluating the security of IT systems. The Swedish Defense Research Agency has for the last couple of years been conducting research on the area of security assessment. To verify the correctness of these methods, tools are implemented.</p><p>This thesis presents the design and implementation of an environment to support and aid future implementations and evaluations of security assessment methods. The aim of this environment, known as the New Tool Environment, NTE, is to assist the developer by facilitating the more time consuming parts of the implementation. A large part of this thesis is devoted to the development of a database solution, which results in an object/relational data access layer.</p>

IT Security

Security Assessment

Security Assessment Tool

Information technology

Informationsteknologi

Swiss Armed Forces XXI - the answer to current or future threats /

Schmidlin, Marco.

January 2004

Thesis (M.A. in Security Studies (Defense Decision Making and Planning))--Naval Postgraduate School, June 2004. / Thesis advisor(s): Donald Abenheim. Includes bibliographical references (p. 107-115). Also available online.

Future of the U.S.-Japan security alliance : foundation for a multilateral security regime in Asia? /

Allen, Keith W.

January 2003

Thesis (M.A. in National Security Affairs)--Naval Postgraduate School, June 2003. / Thesis advisor(s): Edward A. Olsen, Gaye Christoffersen. Includes bibliographical references (p. 109-119). Also available online.