Injeção de ataques baseado em modelo para teste de protocolos de segurança / Model-based attack injection for security protocols testing

Morais, Anderson Nunes Paiva

14 August 2018

Orientadores: Eliane Martins, Ricardo de Oliveira Anido / Dissertação (mestrado) - Universidade Estadual de Campinas, Instituto de Computação / Made available in DSpace on 2018-08-14T04:24:04Z (GMT). No. of bitstreams: 1 Morais_AndersonNunesPaiva.pdf: 1792317 bytes, checksum: e8304b24c7765a959814665bcaff15c8 (MD5) Previous issue date: 2009 / Resumo: Neste trabalho apresentamos uma proposta de geração de ataques para testes de protocolos de segurança. O objetivo é detectar vulnerabilidades de um protocolo, que um atacante pode explorar para causar falhas de segurança. Nossa proposta usa um injetor de falhas para emular um atacante que possui total controle do sistema de comunicação. Como o sucesso dos testes depende principalmente dos ataques injetados, nós propomos uma abordagem baseada em modelos para a geração de ataques. O modelo representa ataques conhecidos e reportados do protocolo sob teste. A partir deste modelo, cenários de ataque são gerados. Os cenários estão em um formato que é independente do injetor de falhas usado. Usando refinamentos e transformações, pode-se converter a descrição do cenário de ataque em scripts específicos do injetor de falhas. A proposta pode ser completamente apoiada por ferramentas de software. Nós ilustramos o uso da proposta com um estudo de caso, um protocolo de segurança para dispositivos móveis / Abstract: We present an attack injection approach for security protocols testing. The goal is to uncover protocol vulnerabilities that an attacker can exploit to cause security failures. Our approach uses a fault injector to emulate an attacker that has control over the communication system. Since the success of the tests depends greatly on the attacks injected, we propose a model-based approach for attack generation. The model represents reported known attacks to the protocol under test. From this model, attack scenarios are generated. The scenarios are in a format that is independent of the fault injector used. Using refinements and transformations, the abstract scenario specification can be converted to the specific fault injector scripts. The approach can be completely supported by tools. We illustrate the use of the approach in a case study, a security protocol for mobile devices / Universidade Estadual de Campi / Tolerancia a Falhas / Mestre em Ciência da Computação

Tolerância à falha (Computação)

Redes de computadores - Protocolos

Fault-tolerant computing

Computer networks - Security measures

Software engineering - Security measures

Computer network - Protocols

Uma abordagem para a correlação de eventos de segurança baseada em tecnicas de aprendizado de maquina / An approach to the correlation of security events based upon machine learning techniques

Stroeh, Kleber

08 March 2009

Orientador: Edmundo Roberto Mauro Madeira / Dissertação (mestrado) - Universidade Estadual de Campinas, Instituto de Computação / Made available in DSpace on 2018-08-15T00:38:33Z (GMT). No. of bitstreams: 1 Stroeh_Kleber_M.pdf: 2516792 bytes, checksum: c036c25bc2fd2e2815780d3a5fedfde0 (MD5) Previous issue date: 2009 / Resumo: Organizações enfrentam o desafio crescente de garantir a segurança da informação junto às suas infraestruturas tecnológicas. Abordagens estáticas à segurança, como a defesa de perímetros, têm se mostrado pouco eficazes num novo cenário marcado pelo aumento da complexidade dos sistemas _ e conseqüentemente de suas vulnerabilidades - e pela evolução e automatização de ataques. Por outro lado, a detecção dinâmica de ataques por meio de IDSs (Intrusion Detection Systems) apresenta um número demasiadamente elevado de falsos positivos. Este trabalho propõe uma abordagem para coleta e normalização, e fusão e classificação de alertas de segurança. Tal abordagem envolve a coleta de alertas de diferentes fontes, e sua normalização segundo modelo de representação padronizado - IDMEF (Intrusion Detection Message Exchange Format). Os alertas normalizados são agrupados em meta-alertas (fusão ou agrupamento), os quais são classificados _ através de técnicas de aprendizado de máquina _ entre ataques e alarmes falsos. Uma implementação desta abordagem foi testada junto aos dados do desafio DARPA e Scan of the Month, contando com três implementações distintas de classificadores (SVM - Support Vector Machine -, Rede Bayesiana e Árvore de Decisão), bem como uma coletânea (ensemble) de SVM com Rede Bayesiana, atingindo resultados bastante relevantes. / Abstract: Organizations face the ever growing challenge of providing security within their IT infrastructures. Static approaches to security, such as perimetral defense, have proven less than effective in a new scenario characterized by increasingly complex systems _ and, therefore, more vulnerable - and by the evolution and automation of cyber attacks. Moreover, dynamic detection of attacks through IDSs (Instrusion Detection Systems ) presents too many false positives to be effective. This work presents an approach to collect and normalize, as well as to fuse and classify security alerts. This approach involves collecting alerts from different sources and normalizing them according to standardized structures - IDMEF (Intrusion Detection Message Exchange Format ). The normalized alerts are grouped into meta-alerts (fusion or clustering), which are later classified - through machine learning techniques _ into attacks or false alarms. An implementation of this approach is tested against DARPA Challenge and Scan of the Month, using three different classification techniques, as well as an ensemble of SVM and Bayesian Network, having achieved very relevant results. / Mestrado / Redes de Computadores / Mestre em Ciência da Computação

Inteligência artificial

Aprendizado de máquina

Computer networks - Security measures

Artificial intelligence

Machine learning

An investigation into the state-of-practice of information security within Zambian copper mines: a case study

Lukweza, Chishala

January 2011

Zambian copper mines have embraced the use of information technologies for strategic operations and competitive advantage. This dependence on these technologies has not only been seen in the physical aspects of business operations but also in the use of information systems such as Enterprise Resource Planning Systems (ERPs) for strategic decision making and increased usage of Industrial Control Systems (ICS’) that are meant to enhance operational efficiency in production areas. A survey was conducted to explore leadership perceptions on information security practices in Zambian copper mines and an ISO/IEC 27002 Audit Tool was administered to middle management in a particular mine for an in-depth analysis of their information security practices. Results revealed that although information security controls may have been put in place in these organisations, there are still areas that require attention. Senior management and middle management have different perceptions as to the extent to which information security practices are conducted in these copper mines. This implies that management may not be fully involved in certain aspects of these organisations’ information security practices. The results concluded that management needs to be fully involved and provide support for information security programs. Furthermore, these information security programs should be standardised so as to effectively protect these organisations’ information assets. This should also include the involvement of personnel as key players in the information security process.

Information technology -- Zambia

A framework for high speed lexical classification of malicious URLs

Egan, Shaun Peter

January 2014

Phishing attacks employ social engineering to target end-users, with the goal of stealing identifying or sensitive information. This information is used in activities such as identity theft or financial fraud. During a phishing campaign, attackers distribute URLs which; along with false information, point to fraudulent resources in an attempt to deceive users into requesting the resource. These URLs are made obscure through the use of several techniques which make automated detection difficult. Current methods used to detect malicious URLs face multiple problems which attackers use to their advantage. These problems include: the time required to react to new attacks; shifts in trends in URL obfuscation and usability problems caused by the latency incurred by the lookups required by these approaches. A new method of identifying malicious URLs using Artificial Neural Networks (ANNs) has been shown to be effective by several authors. The simple method of classification performed by ANNs result in very high classification speeds with little impact on usability. Samples used for the training, validation and testing of these ANNs are gathered from Phishtank and Open Directory. Words selected from the different sections of the samples are used to create a `Bag-of-Words (BOW)' which is used as a binary input vector indicating the presence of a word for a given sample. Twenty additional features which measure lexical attributes of the sample are used to increase classification accuracy. A framework that is capable of generating these classifiers in an automated fashion is implemented. These classifiers are automatically stored on a remote update distribution service which has been built to supply updates to classifier implementations. An example browser plugin is created and uses ANNs provided by this service. It is both capable of classifying URLs requested by a user in real time and is able to block these requests. The framework is tested in terms of training time and classification accuracy. Classification speed and the effectiveness of compression algorithms on the data required to distribute updates is tested. It is concluded that it is possible to generate these ANNs in a frequent fashion, and in a method that is small enough to distribute easily. It is also shown that classifications are made at high-speed with high-accuracy, resulting in little impact on usability.

Computer security -- Research

Computer crimes -- Prevention

Phishing

A mobile toolkit and customised location server for the creation of cross-referencing location-based services

Ndakunda, Shange-Ishiwa Tangeni

January 2013

Although there are several Software Development kits and Application Programming Interfaces for client-side location-based services development, they mostly involve the creation of self-referencing location-based services. Self-referencing location-based services include services such as geocoding, reverse geocoding, route management and navigation which focus on satisfying the location-based requirements of a single mobile device. There is a lack of open-source Software Development Kits for the development of client-side location-based services that are cross-referencing. Cross-referencing location-based services are designed for the sharing of location information amongst different entities on a given network. This project was undertaken to assemble, through incremental prototyping, a client-side Java Micro Edition location-based services Software Development Kit and a Mobicents location server to aid mobile network operators and developers alike in the quick creation of the transport and privacy protection of cross-referencing location-based applications on Session Initiation Protocol bearer networks. The privacy of the location information is protected using geolocation policies. Developers do not need to have an understanding of Session Initiation Protocol event signaling specifications or of the XML Configuration Access Protocol to use the tools that we put together. The developed tools are later consolidated using two sample applications, the friend-finder and child-tracker services. Developer guidelines are also provided, to aid in using the provided tools.

Digital communications

Java (Computer program language)

User interfaces (Computer systems)

An enterprise information security model for a micro finance company: a case study

Owen, Morné

January 2009

The world has entered the information age. How the information is used within an organization will determine success or failure of the organisation. This study aims to provide a model, that once implemented, will provide the required protection for the information assets. The model is based on ISO 27002, an international security standard. The primary objective is to build a model that will provide a holistic security system specifically for a South African Micro Finance Company (MFC). The secondary objectives focuses on successful implementation of such a model, the uniqueness of the MFC that should be taken into account, and the maintenance of the model once implemented to ensure ongoing relevance. A questionnaire conducted at the MFC provided insight into the perceived understanding of information security. The questionnaire results were used to ensure the model solution addressed current information security shortcomings within the MFC. This study found that the information security controls in ISO 27002 should be applicable to any industry. The uniqueness for the MFC is not in the security controls, but rather in the regulations and laws applicable to it.

A standards-based security model for health information systems

Thomson, Steven Michael

January 2008

In the healthcare environment, various types of patient information are stored in electronic format. This prevents the re-entering of information that was captured previously. In the past this information was stored on paper and kept in large filing cabinets. However, with the technology advancements that have occurred over the years, the idea of storing patient information in electronic systems arose. This led to a number of electronic health information systems being created, which in turn led to an increase in possible security risks. Any organization that stores information of a sensitive nature must apply information security principles in order to ensure that the stored information is kept secure. At a basic level, this entails ensuring the confidentiality, integrity and availability of the information, which is not an easy feat in today’s distributed and networked environments. This paved the way for organized standardization activities in the areas of information security and information security management. Throughout history, there have been practices that were created to help “standardize” industries of all areas, to the extent that there are professional organizations whose main objective it is to create such standards to help connect industries all over the world. This applies equally to the healthcare environment, where standardization took off in the late eighties. Healthcare organizations must follow standardized security measures to ensure that patient information stored in health information systems is kept secure. However, the proliferation in standards makes it difficult to understand, adopt and deploy these standards in a coherent manner. This research, therefore, proposes a standards-based security model for health information systems to ensure that such standards are applied in a manner that contributes to securing the healthcare environment as a whole, rather than in a piecemeal fashion.

Risk Assessment of Aviation Security and Evaluation of Aviation Security Policies

Yalcinkaya, Ramazan

08 1900

Comprising many airplanes, airports, aircrew, and employees, aviation industry is a large sector that is very vulnerable to attacks, whether it is from terrorists or criminals. Aviation history is fraught with examples of airport bombings, hijackings, and sabotage terrorist attacks. The most destructive of which is the tragedy of September 11, 2001, the cornerstone of today's aviation security policies. This study uses risk assessment tools to determine the dimensions of danger and threats against the aviation industry and addresses how vulnerable the aviation sector is. After vulnerabilities and threats are examined, possible impacts of attacks against the aviation security are discussed. This study also explores the pre and post September 11 policies that governments and policy makers develop to reduce risks in aviation sector. In addition, it discusses weaknesses and strengths of these policies which surfaced during the implementations. Finally, this study proposes some recommendations based on vulnerabilities and threats of aviation security.

aviation security

risk assessment

aviation security policies

air terrorism

9/11 attacks

Mathematical security models for multi-agent distributed systems

Ma, Chunyan

01 January 2004

This thesis presents the developed taxonomy of the security threats in agent-based distributed systems. Based on this taxonomy, a set of theories is developed to facilitate analyzng the security threats of the mobile-agent systems. We propose the idea of using the developed security risk graph to model the system's vulnerabilties.

Computer security -- Mathematical models

Computer networks -- Security measures

Information Security

E‐Shape Analysis

Sroufe, Paul

12 1900

The motivation of this work is to understand E-shape analysis and how it can be applied to various classification tasks. It has a powerful feature to not only look at what information is contained, but rather how that information looks. This new technique gives E-shape analysis the ability to be language independent and to some extent size independent. In this thesis, I present a new mechanism to characterize an email without using content or context called E-shape analysis for email. I explore the applications of the email shape by carrying out a case study; botnet detection and two possible applications: spam filtering and social-context based finger printing. The second part of this thesis takes what I apply E-shape analysis to activity recognition of humans. Using the Android platform and a T-Mobile G1 phone I collect data from the triaxial accelerometer and use it to classify the motion behavior of a subject.

Email shape

daily activities

accelerometer

botnet

spam

Spam filtering (Electronic mail)

Human activity recognition.