Global ETD Search

361	Metoder för motverkande av bruteforce-attacker mot Wi-Fi Protected Setup Forsman, Erik, Skoglund, Andreas January 2012 (has links) Konfigurationsprotokollet Wi-Fi protected setup (WPS) har vissa brister idess design gällande hur autentiseringen av den PIN-kod som används för attansluta en enhet till ett trådlöst nätverk är implementerad. Dessa brister kanutnyttjas av en attackerare för att utföra en bruteforce-attack som på enrelativt kort tid kan identifiera den korrekta koden. Detta arbete har tagit frammetoder för att motverka eller fördröja attacker mot WPS-protokollet sommed relativt enkla medel kan implementeras i befintliga nätverk. Genomutförda praktiska experiment där en fristående server upptäckt en attack ochgenomfört olika försvarsmetoder har de mekanismer som presenterats utvärderats. Slutsatsen är att den effektivaste metoden för att avbryta en bruteforce-attackmot protokollet är att automatiskt byta ut PIN-koden då en attack upptäcks. / Wi-Fi protected setup (WPS), a protocol used to configure wireless clients, isflawed in regard to the design of the authentication procedure for the PIN-code used to connect a new device. This flaw can be exploited by an attackerto perform a brute force attack to identify the code. This report presentsmethods to counteract brute force attacks performed against the WPS-protocol. The study has been performed by practical experiments where thecountermeasures have been evaluated and their performance has beenmeasured. With simple means, such as a third party acting on the routersbehalf in implementing countermeasures against the attacker, the attack canbe counteracted. The conclusion is that the most effective way of countering the WPS-bruteforce attack presented is to automatically replace the PIN-code with arandomly generated one when an attack is detected. Wi-Fi protected setup WPS intrusion detection IDS wireless networks Wi-Fi protected setup WPS intrångsdetektering IDS trådlösa nätverk Computer Sciences Datavetenskap (datalogi)
362	Network security monitoring and anomaly detection in industrial control system networks Mantere, M. (Matti) 19 May 2015 (has links) Abstract Industrial control system (ICS) networks used to be isolated environments, typically separated by physical air gaps from the wider area networks. This situation has been changing and the change has brought with it new cybersecurity issues. The process has also exacerbated existing problems that were previously less exposed due to the systems’ relative isolation. This process of increasing connectivity between devices, systems and persons can be seen as part of a paradigm shift called the Internet of Things (IoT). This change is progressing and the industry actors need to take it into account when working to improve the cybersecurity of ICS environments and thus their reliability. Ensuring that proper security processes and mechanisms are being implemented and enforced on the ICS network level is an important part of the general security posture of any given industrial actor. Network security and the detection of intrusions and anomalies in the context of ICS networks are the main high-level research foci of this thesis. These issues are investigated through work on machine learning (ML) based anomaly detection (AD). Potentially suitable features, approaches and algorithms for implementing a network anomaly detection system for use in ICS environments are investigated. After investigating the challenges, different approaches and methods, a proof-ofconcept (PoC) was implemented. The PoC implementation is built on top of the Bro network security monitoring framework (Bro) for testing the selected approach and tools. In the PoC, a Self-Organizing Map (SOM) algorithm is implemented using Bro scripting language to demonstrate the feasibility of using Bro as a base system. The implemented approach also represents a minimal case of event-driven machine learning anomaly detection (EMLAD) concept conceived during the research. The contributions of this thesis are as follows: a set of potential features for use in machine learning anomaly detection, proof of the feasibility of the machine learning approach in ICS network setting, a concept for event-driven machine learning anomaly detection, a design and initial implementation of user configurable and extendable machine learning anomaly detection framework for ICS networks. / Tiivistelmä Kehittyneet yhteiskunnat käyttävät teollisuuslaitoksissaan ja infrastruktuuriensa operoinnissa monimuotoisia automaatiojärjestelmiä. Näiden automaatiojärjestelmien tieto- ja kyberturvallisuuden tila on hyvin vaihtelevaa. Laitokset ja niiden hyödyntämät järjestelmät voivat edustaa usean eri aikakauden tekniikkaa ja sisältää useiden eri aikakauden heikkouksia ja haavoittuvaisuuksia. Järjestelmät olivat aiemmin suhteellisen eristyksissä muista tietoverkoista kuin omista kommunikaatioväylistään. Tämä automaatiojärjestelmien eristyneisyyden heikkeneminen on luonut uuden joukon uhkia paljastamalla niiden kommunikaatiorajapintoja ympäröivälle maailmalle. Nämä verkkoympäristöt ovat kuitenkin edelleen verrattaen eristyneitä ja tätä ominaisuutta voidaan hyödyntää niiden valvonnassa. Tässä työssä esitetään tutkimustuloksia näiden verkkojen turvallisuuden valvomisesta erityisesti poikkeamien havainnoinnilla käyttäen hyväksi koneoppimismenetelmiä. Alkuvaiheen haasteiden ja erityispiirteiden tutkimuksen jälkeen työssä käytetään itsejärjestyvien karttojen (Self-Organizing Map, SOM) algoritmia esimerkkiratkaisun toteutuksessa uuden konseptin havainnollistamiseksi. Tämä uusi konsepti on tapahtumapohjainen koneoppiva poikkeamien havainnointi (Event-Driven Machine Learning Anomaly Detection, EMLAD). Työn kontribuutiot ovat seuraavat, kaikki teollisuusautomaatioverkkojen kontekstissa: ehdotus yhdeksi anomalioiden havainnoinnissa käytettävien ominaisuuksien ryhmäksi, koneoppivan poikkeamien havainnoinnin käyttökelpoisuuden toteaminen, laajennettava ja joustava esimerkkitoteutus uudesta EMLAD-konseptista toteutettuna Bro NSM työkalun ohjelmointikielellä. anomaly detection cybersecurity industrial control system security information security intrusion detection machine learning network security automaatiojärjestelmien turvallisuus koneoppiminen kyberturvallisuus poikkeamien havainnointi tietoturva tunkeutumisen havainnointi
363	Time-Delay Switch Attack on Networked Control Systems, Effects and Countermeasures Sargolzaei, Arman 15 May 2015 (has links) In recent years, the security of networked control systems (NCSs) has been an important challenge for many researchers. Although the security schemes for networked control systems have advanced in the past several years, there have been many acknowledged cyber attacks. As a result, this dissertation proposes the use of a novel time-delay switch (TDS) attack by introducing time delays into the dynamics of NCSs. Such an attack has devastating effects on NCSs if prevention techniques and countermeasures are not considered in the design of these systems. To overcome the stability issue caused by TDS attacks, this dissertation proposes a new detector to track TDS attacks in real time. This method relies on an estimator that will estimate and track time delays introduced by a hacker. Once a detector obtains the maximum tolerable time delay of a plant’s optimal controller (for which the plant remains secure and stable), it issues an alarm signal and directs the system to its alarm state. In the alarm state, the plant operates under the control of an emergency controller that can be local or networked to the plant and remains in this stable mode until the networked control system state is restored. In another effort, this dissertation evaluates different control methods to find out which one is more stable when under a TDS attack than others. Also, a novel, simple and effective controller is proposed to thwart TDS attacks on the sensing loop (SL). The modified controller controls the system under a TDS attack. Also, the time-delay estimator will track time delays introduced by a hacker using a modified model reference-based control with an indirect supervisor and a modified least mean square (LMS) minimization technique. Furthermore, here, the demonstration proves that the cryptographic solutions are ineffective in the recovery from TDS attacks. A cryptography-free TDS recovery (CF-TDSR) communication protocol enhancement is introduced to leverage the adaptive channel redundancy techniques, along with a novel state estimator to detect and assist in the recovery of the destabilizing effects of TDS attacks. The conclusion shows how the CF-TDSR ensures the control stability of linear time invariant systems. Time-Delay Switch Attack Security of Networked Control Systems Robust Control Adaptive Communication Channel Intrusion Detection Controls and Control Theory Power and Energy Systems and Communications
364	A Low-Complexity Algorithm For Intrusion Detection In A PIR-Based Wireless Sensor Network Subramanian, Ramanathan 05 1900 (has links) (PDF) This thesis investigates the problem of detecting an intruder in the presence of clutter in a Passive Infra-Red (PIR) based Wireless Sensor Network (WSN). As one of the major objectives in a WSN is to maximize battery life, data transmission and local computations must be kept to a minimum as they are expensive in terms of energy. But, as intrusion being a rare event and cannot be missed, local computations expend more energy than data transmission. Hence, the need for a low-complexity algorithm for intrusion detection is inevitable. A low-complexity algorithm for intrusion detection in the presence of clutter arising from wind-blown vegetation, using PIR sensors is presented. The algorithm is based on a combination of Haar Transform (HT) and Support Vector Machine (SVM) based training. The amplitude and frequency of the intruder signature is used to differentiate it from the clutter signal. The HT was preferred to Discrete Fourier Transform (DFT) in computing the spectral signature because of its computational simplicity -just additions and subtractions suffice (scaling coefficients taken care appropriately). Intruder data collected in a laboratory and clutter data collected from various types of vegetation were fed into SVM for training. The optimal decision rule returned by SVM was then used to separate intruder from clutter. Simulation results along with some representative samples in which intrusions were detected and the clutter being rejected by the algorithm is presented. The implementation of the proposed intruder-detection algorithm in a network setting comprising of 20 sensing nodes is discussed. The field testing performance of the algorithm is then discussed. The limitations of the algorithm is also discussed. A closed-form analytical expression for the signature generated by a human moving along a straight line in the vicinity of the PIR sensor at constant velocity is provided. It is shown to be a good approximation by showing a close match with the real intruder waveforms. It is then shown how this expression can be exploited to track the intruder from the signatures of three well-positioned sensing nodes. Wireless Sensor Network (WSN) Algorithms Intrusion Detection Intruder Detection Algorithm Passive Infra-Red (PIR) Intruder Signature PIR Sensors Sensors Wireless Networks Communication Engineering
365	Pattern Synthesis Techniques And Compact Data Representation Schemes For Efficient Nearest Neighbor Classification Pulabaigari, Viswanath 01 1900 (has links) (PDF) No description available. Nearest Neighbor Classification Pattern Synthesis Partition Pattern Synthesis Ovelap Based Pattern Synthesis Network Intrusion Detection Data Representation NN Classification NN Classifier Synthetic Patterns Nearest Neighbor Classifier Computer Science
366	Supervision de la sécurité pour des réseaux ad hoc mobiles : un système léger, robuste, et fiable de détection d'intrusion / Security supervision of mobile ad hoc networks : a lightweight, robust and reliable Intrusion detection system Alattar, Mouhannad 12 July 2013 (has links) Les réseaux mobiles ad hoc, appelé généralement MANET ( Mobile Ad hoc NETwork ) continuent augmenter leur présence dans notre vie. Ils deviennent une pierre angulaire du commerce, de la société, de l'armée, de la science, et même des applications de future. Cependant, ces réseaux opèrent souvent dans des environnements ouverts, ce qui les rend particulièrement vulnérables aux nombreux menaces. Ainsi, les méthodes traditionnelles de sécuriser les réseaux s'appuyant sur les techniques de prévention, par exemple le pare-feu et le cryptage, ne sont plus suffisants et doivent être enrichies par des mécanismes réactifs comme le système de détection d'intrusions (ou Intrusion Detection System(IDS)). Concevoir un IDS pour les MANETs est assez difficile parce qu'il doit à la fois assurer une précision de détection élevée, prendre en compte les ressources limitées (en terme de mémoire, de batteries et la bande passante), et adapter à la nature dynamique de ces réseaux. En plus, le système de détection ne devrait pas être une cible d'attaques ou la falsification. Nous avons proposé dans cette thèse un système robuste, léger et efficace de détection qui répond aux exigences de MANETs. Nous avons d'abord étudié les attaques qui menacent les MANETs, en se concentrant sur les attaques visant le protocole de routage OLSR (Optimized Link State Routing). Ensuite, nous présentons notreIDS qui offre un taux élevé d'attaques ainsi que le maintien efficacement les ressources limitées du réseau. A cet effet, notre système analyse les traces de routage au lieu de surveiller le trafic afin d'identifier tout évidence d’activité suspecte. Après, il fait correspondre les évidences à un ensemble de signatures prédéfinies; une signature est perçue comme étant un ensemble partiellement ordonné d’événements caractérisant une intrusion. En outre, notre IDS dépend du degré de suspicion des évidences afin de manière à efficacement limiter le nombre et la durée de ses opérations coûteuses entermes de ressources. Vers une meilleure gestion des ressources disponibles, nous utilisons également l'intervalle deconfiance pour mesurer la fiabilité de détection. Cette mesure statistique permet à: (i) éviter le gaspillage de ressources résultant de collecte et de traitement des évidences redondantes, et (ii) prendre correctement la décision liées à la détection, par exemple déclarer le noeud suspect comme étant un intrus. Afin d'améliorer la robustesse de notre IDS, nous le couple avec un modèle de crédit basé sur l'entropie. Ce modèle surveille le comportement des noeuds lors de la détection afin d’assigner un crédit pour chaque noeud dans le réseau. Notre IDS se base sur les crédits attribuées aux noeuds afin de réduire les effets néfastes des évidences falsifiées fournies par les noeuds méfiants. Le modèle decrédit proposé prend en compte le niveau de risque des attaques. Plus précisément, le taux de perte de crédit d'un noeud méfiants est relié aux conséquences de l'attaque dont ce noeud a essayé d'aider. Notre IDS et les modèles couplés ont été expérimentées sur différents scénarios de la mobilité et de la densité. Les résultats montrent que notre détecteur offrent un taux de détection élevé, en combinaison avec un entretien remarquable des ressources disponibles. De plus, il présente une robustesse importante contre les faux évidences de détection. / Mobile Ad hoc NETworks (referred to as MANETs) continue increasing their presence in our every day life. They become a corner stone in the commercial, the society, the military, the science, and even the next-generation applications. However, these networks mostly operate over open environments and are therefore vulnerable to a large body of threats. Traditional ways of securing networks relying on preventive techniques, e.g., firewall and encryption, are not sufficient and should henceforth be coupled with a reactive security solution, e.g., the Intrusion Detection Systems (IDSs). Designing anIDS for MANETs is quite challenging because such IDS must not only ensure a high detection accuracy but also take into account the limited resources (e.g., battery life and bandwidth) and the dynamic nature of these networks. Moreover, the designed IDS itself should not be a target of attacks and/or falsification. In this thesis, we respond to these requirements by proposing a lightweight and robust Intrusion Detection System (IDS), dedicated to protecting MANETs. We first explore the space of attacks that threaten MANETs, focusing on the attacks targeting the Optimized Link State Routing protocol. We then introduce our IDS that offers a high rate of attacks along with maintaining efficiently the limited resources in the network. Indeed, contrary to existing systems that monitor the packets going through the host, our system distinguishes itself by parsing and analyzing logs in order to identify patterns of misuse. It further depends on the level of suspicion andgravity involved so as to efficiently restrict the number and the duration of its costly operations, in terms of resources. Towards a better management of the available resources, we also use the confidence interval as a measure of detection reliability. This statistical measure allows our IDS to: (i) identify the redundant evidences, hence the waste of resources resulting from gathering and processing them is avoided, and (ii) correctly make the critical detection-related decisions. In order to enhance the robustness of our IDS, we couple it with an entropy-based trust model that assigns, based on theirunlawful participation in the detection, a low trustworthiness to the misbehaving nodes. Thanks to the estimated trustworthiness, our IDS reduces the bad effects of the falsified feedback provided by the distrustful nodes. The proposed trust model is a risk-aware whereas the higher the risk of an attack, the higher (resp. the lower) is the trust in the nodes which help in detecting (resp. colluding) it. The proposed IDS and the coupled models have been experimented on different scenarios of mobility and density. The results show that our detector offer a high detection rate along with a remarkablemaintenance of the available resources. Moreover, it presents a significant robustness against the falsified detection-related evidences. Sécurité Détection d'intrusion Routage ad oc Conservation de ressources Fiabilité Intervalle de confiance Truste Security Intrusion detection Ad hoc routing Resources maintaining Detection reliability 005.8
367	Vylepšení Adversariální Klasifikace v Behaviorální Analýze Síťové Komunikace Určené pro Detekci Cílených Útoků / Improvement of Adversarial Classification in Behavioral Analysis of Network Traffic Intended for Targeted Attack Detection Sedlo, Ondřej January 2020 (has links) V této práci se zabýváme vylepšením systémů pro odhalení síťových průniků. Konkrétně se zaměřujeme na behaviorální analýzu, která využívá data extrahovaná z jednotlivých síťových spojení. Tyto informace využívá popsaný framework k obfuskaci cílených síťových útoků, které zneužívají zranitelností v sadě soudobých zranitelných služeb. Z Národní databáze zranitelností od NIST vybíráme zranitelné služby, přičemž se omezujeme jen na roky 2018 a 2019. Ve výsledku vytváříme nový dataset, který sestává z přímých a obfuskovaných útoků, provedených proti vybraným zranitelným službám, a také z jejich protějšků ve formě legitimního provozu. Nový dataset vyhodnocujeme za použití několika klasifikačních technik, a demonstrujeme, jak důležité je trénovat tyto klasifikátory na obfuskovaných útocích, aby se zabránilo jejich průniku bez povšimnutí. Nakonec provádíme křížové vyhodnocení datasetů pomocí nejmodernějšího datasetu ASNM-NPBO a našeho datasetu. Výsledky ukazují důležitost opětovného trénování klasifikátorů na nových zranitelnostech při zachování dobrých schopností detekovat útoky na staré zranitelnosti.
368	Knot Flow Classification and its Applications in Vehicular Ad-Hoc Networks (VANET) Schmidt, David 01 May 2020 (has links) Intrusion detection systems (IDSs) play a crucial role in the identification and mitigation for attacks on host systems. Of these systems, vehicular ad hoc networks (VANETs) are difficult to protect due to the dynamic nature of their clients and their necessity for constant interaction with their respective cyber-physical systems. Currently, there is a need for a VANET-specific IDS that meets this criterion. To this end, a spline-based intrusion detection system has been pioneered as a solution. By combining clustering with spline-based general linear model classification, this knot flow classification method (KFC) allows for robust intrusion detection to occur. Due its design and the manner it is constructed, KFC holds great potential for implementation across a distributed system. The purpose of this thesis was to explain and extrapolate the afore mentioned IDS, highlight its effectiveness, and discuss the conceptual design of the distributed system for use in future research. Machine Learning Internet of Things Internet of Vehicles Intrusion Detection Knot Flow Classification Data Science Artificial Intelligence and Robotics Information Security Other Computer Sciences
369	Near Real-time Detection of Masquerade attacks in Web applications : catching imposters using their browsing behavor Panopoulos, Vasileios January 2016 (has links) This Thesis details the research on Machine Learning techniques that are central in performing Anomaly and Masquerade attack detection. The main focus is put on Web Applications because of their immense popularity and ubiquity. This popularity has led to an increase in attacks, making them the most targeted entry point to violate a system. Speciﬁcally, a group of attacks that range from identity theft using social engineering to cross site scripting attacks, aim at exploiting and masquerading users. Masquerading attacks are even harder to detect due to their resemblance with normal sessions, thus posing an additional burden. Concerning prevention, the diversity and complexity of those systems makes it harder to deﬁne reliable protection mechanisms. Additionally, new and emerging attack patterns make manually conﬁgured and Signature based systems less eﬀective with the need to continuously update them with new rules and signatures. This leads to a situation where they eventually become obsolete if left unmanaged. Finally the huge amount of traﬃc makes manual inspection of attacks and False alarms an impossible task. To tackle those issues, Anomaly Detection systems are proposed using powerful and proven Machine Learning algorithms. Gravitating around the context of Anomaly Detection and Machine Learning, this Thesis initially deﬁnes several basic deﬁnitions such as user behavior, normality and normal and anomalous behavior. Those deﬁnitions aim at setting the context in which the proposed method is targeted and at deﬁning the theoretical premises. To ease the transition into the implementation phase, the underlying methodology is also explained in detail. Naturally, the implementation is also presented, where, starting from server logs, a method is described on how to pre-process the data into a form suitable for classiﬁcation. This preprocessing phase was constructed from several statistical analyses and normalization methods (Univariate Selection, ANOVA) to clear and transform the given logs and perform feature selection. Furthermore, given that the proposed detection method is based on the source and1request URLs, a method of aggregation is proposed to limit the user privacy and classiﬁer over-ﬁtting issues. Subsequently, two popular classiﬁcation algorithms (Multinomial Naive Bayes and Support Vector Machines) have been tested and compared to deﬁne which one performs better in our given situations. Each of the implementation steps (pre-processing and classiﬁcation) requires a number of diﬀerent parameters to be set and thus a method called Hyper-parameter optimization is deﬁned. This method searches for the parameters that improve the classiﬁcation results. Moreover, the training and testing methodology is also outlined alongside the experimental setup. The Hyper-parameter optimization and the training phases are the most computationally intensive steps, especially given a large number of samples/users. To overcome this obstacle, a scaling methodology is also deﬁned and evaluated to demonstrate its ability to handle larger data sets. To complete this framework, several other options have been also evaluated and compared to each other to challenge the method and implementation decisions. An example of this, is the "Transitions-vs-Pages" dilemma, the block restriction eﬀect, the DR usefulness and the classiﬁcation parameters optimization. Moreover, a Survivability Analysis is performed to demonstrate how the produced alarms could be correlated aﬀecting the resulting detection rates and interval times. The implementation of the proposed detection method and outlined experimental setup lead to interesting results. Even so, the data-set that has been used to produce this evaluation is also provided online to promote further investigation and research on this ﬁeld. / Det här arbetet behandlar forskningen på maskininlärningstekniker som är centrala i utförandet av detektion av anomali- och maskeradattacker. Huvud-fokus läggs på webbapplikationer på grund av deras enorma popularitet och att de är så vanligt förekommande. Denna popularitet har lett till en ökning av attacker och har gjort dem till den mest utsatta punkten för att bryta sig in i ett system. Mer specifikt så syftar en grupp attacker som sträcker sig från identitetsstölder genom social ingenjörskonst, till cross-site scripting-attacker, på att exploatera och maskera sig som olika användare. Maskeradattacker är ännu svårare att upptäcka på grund av deras likhet med vanliga sessioner, vilket utgör en ytterligare börda. Vad gäller förebyggande, gör mångfalden och komplexiteten av dessa system det svårare att definiera pålitliga skyddsmekanismer. Dessutom gör nya och framväxande attackmönster manuellt konfigurerade och signaturbaserade system mindre effektiva på grund av behovet att kontinuerligt uppdatera dem med nya regler och signaturer. Detta leder till en situation där de så småningom blir obsoleta om de inte sköts om. Slutligen gör den enorma mängden trafik manuell inspektion av attacker och falska alarm ett omöjligt uppdrag. För att ta itu med de här problemen, föreslås anomalidetektionssystem som använder kraftfulla och beprövade maskininlärningsalgoritmer. Graviterande kring kontexten av anomalidetektion och maskininlärning, definierar det här arbetet först flera enkla definitioner såsom användarbeteende, normalitet, och normalt och anomalt beteende. De här definitionerna syftar på att fastställa sammanhanget i vilket den föreslagna metoden är måltavla och på att definiera de teoretiska premisserna. För att under-lätta övergången till implementeringsfasen, förklaras även den bakomliggande metodologin i detalj. Naturligtvis presenteras även implementeringen, där, med avstamp i server-loggar, en metod för hur man kan för-bearbeta datan till en form som är lämplig för klassificering beskrivs. Den här för´-bearbetningsfasen konstruerades från flera statistiska analyser och normaliseringsmetoder (univariate se-lection, ANOVA) för att rensa och transformera de givna loggarna och utföra feature selection. Dessutom, givet att en föreslagen detektionsmetod är baserad på käll- och request-URLs, föreslås en metod för aggregation för att begränsa problem med överanpassning relaterade till användarsekretess och klassificerare. Efter det så testas och jämförs två populära klassificeringsalgoritmer (Multinomialnaive bayes och Support vector machines) för att definiera vilken som fungerar bäst i våra givna situationer. Varje implementeringssteg (för-bearbetning och klassificering) kräver att ett antal olika parametrar ställs in och således definieras en metod som kallas Hyper-parameter optimization. Den här metoden söker efter parametrar som förbättrar klassificeringsresultaten. Dessutom så beskrivs tränings- och test-ningsmetodologin kortfattat vid sidan av experimentuppställningen. Hyper-parameter optimization och träningsfaserna är de mest beräkningsintensiva stegen, särskilt givet ett stort urval/stort antal användare. För att övervinna detta hinder så definieras och utvärderas även en skalningsmetodologi baserat på dess förmåga att hantera stora datauppsättningar. För att slutföra detta ramverk, utvärderas och jämförs även flera andra alternativ med varandra för att utmana metod- och implementeringsbesluten. Ett exempel på det är ”Transitions-vs-Pages”-dilemmat, block restriction-effekten, DR-användbarheten och optimeringen av klassificeringsparametrarna. Dessu-tom så utförs en survivability analysis för att demonstrera hur de producerade alarmen kan korreleras för att påverka den resulterande detektionsträ˙säker-heten och intervalltiderna. Implementeringen av den föreslagna detektionsmetoden och beskrivna experimentuppsättningen leder till intressanta resultat. Icke desto mindre är datauppsättningen som använts för att producera den här utvärderingen också tillgänglig online för att främja vidare utredning och forskning på området. Naive Bayes SVM Support Vector Machines Machine Learning IDS Intrusion Detection System Web Application scikit-learn Elektroteknik och elektronik Communication Systems Kommunikationssystem
370	Detecting Lateral Movement in Microsoft Active Directory Log Files : A supervised machine learning approach Uppströmer, Viktor, Råberg, Henning January 2019 (has links) Cyberattacker utgör ett stort hot för dagens företag och organisationer, med engenomsnittlig kostnad för ett intrång på ca 3,86 miljoner USD. För att minimera kostnaden av ett intrång är det viktigt att detektera intrånget i ett så tidigt stadium som möjligt. Avancerande långvariga hot (APT) är en sofistikerad cyberattack som har en lång närvaro i offrets nätverk. Efter attackerarens första intrång kommer fokuset av attacken skifta till att få kontroll över så många enheter som möjligt på nätverket. Detta steg kallas för lateral rörelse och är ett av de mest kritiska stegen i en APT. Syftet med denna uppsats är att undersöka hur och hur väl lateral rörelse kan upptäckas med hjälp av en maskininlärningsmetod. I undersökningen jämförs och utvärderas fem maskininlärningsalgoritmer med upprepad korsvalidering följt av statistisk testning för att bestämma vilken av algoritmerna som är bäst. Undersökningen konkluderar även vilka attributer i det undersökta datasetet som är väsentliga för att detektera laterala rörelser. Datasetet kommer från en Active Directory domänkontrollant där datasetets attributer är skapade av korrelerade loggar med hjälp av datornamn, IP-adress och användarnamn. Datasetet består av en syntetisk, samt, en verklig del vilket skapar ett semi-syntetiskt dataset som innehåller ett multiklass klassifierings problem. Experimentet konkluderar att all fem algoritmer klassificerar rätt med en pricksäkerhet (accuracy) på 0.998. Algoritmen RF presterar med den högsta f-measure (0.88) samt recall (0.858), SVM är bäst gällande precision (0.972) och DT har denlägsta inlärningstiden (1237ms). Baserat på resultaten indikerar undersökningenatt algoritmerna RF, SVM och DT presterar bäst i olika scenarier. Till exempel kan SVM användas om en låg mängd falsk positiva larm är viktigt. Om en balanserad prestation av de olika prestanda mätningarna är viktigast ska RF användas. Undersökningen konkluderar även att en stor mängd utav de undersökta attributerna av datasetet kan bortses i framtida experiment, då det inte påverkade prestandan på någon av algoritmerna. / Cyber attacks raise a high threat for companies and organisations worldwide. With the cost of a data breach reaching $3.86million on average, the demand is high fora rapid solution to detect cyber attacks as early as possible. Advanced persistent threats (APT) are sophisticated cyber attacks which have long persistence inside the network. During an APT, the attacker will spread its foothold over the network. This stage, which is one of the most critical steps in an APT, is called lateral movement. The purpose of the thesis is to investigate lateral movement detection with a machine learning approach. Five machine learning algorithms are compared using repeated cross-validation followed statistical testing to determine the best performing algorithm and feature importance. Features used for learning the classifiers are extracted from Active Directory log entries that relate to each other, with a similar workstation, IP, or account name. These features are the basis of a semi-synthetic dataset, which consists of a multiclass classification problem. The experiment concludes that all five algorithms perform with an accuracy of 0.998. RF displays the highest f1-score (0.88) and recall (0.858), SVM performs the best with the performance metric precision (0.972), and DT has the lowest computational cost (1237ms). Based on these results, the thesis concludes that the algorithms RF, SVM, and DT perform best in different scenarios. For instance, SVM should be used if a low amount of false positives is favoured. If the general and balanced performance of multiple metrics is preferred, then RF will perform best. The results also conclude that a significant amount of the examined features can be disregarded in future experiments, as they do not impact the performance of either classifier. Advanced Persistent Threat Lateral Movement Active Directory Multiclass Classification Intrusion Detection System Avancerade långvariga hot Lateral rörelse Active Directory Multiklassklassificering Intrångsdetektering Computer Systems Datorsystem

Search results