# Biblio

Found 169 results

Filters: Keyword is Intrusion detection  [Clear All Filters]
2019-12-05
.  2018.  IEEE INFOCOM 2018 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). :778-783.

The concept of Virtualized Network Functions (VNFs) aims to move Network Functions (NFs) out of dedicated hardware devices into software that runs on commodity hardware. A single NF consists of multiple VNF instances, usually running on virtual machines in a cloud infrastructure. The elastic management of an NF refers to load management across the VNF instances and the autonomic scaling of the number of VNF instances as the load on the NF changes. In this paper, we present EL-SEC, an autonomic framework to elastically manage security NFs on a virtualized infrastructure. As a use case, we deploy the Snort Intrusion Detection System as the NF on the GENI testbed. Concepts from control theory are used to create an Elastic Manager, which implements various controllers - in this paper, Proportional Integral (PI) and Proportional Integral Derivative (PID) - to direct traffic across the VNF Snort instances by monitoring the current load. RINA (a clean-slate Recursive InterNetwork Architecture) is used to build a distributed application that monitors load and collects Snort alerts, which are processed by the Elastic Manager and an Attack Analyzer, respectively. Software Defined Networking (SDN) is used to steer traffic through the VNF instances, and to block attack traffic. Our results show that virtualized security NFs can be easily deployed using our EL-SEC framework. With the help of real-time graphs, we show that PI and PID controllers can be used to easily scale the system, which leads to quicker detection of attacks.

2019-12-02
.  2018.  2018 IEEE 3rd Advanced Information Technology, Electronic and Automation Control Conference (IAEAC). :1208–1214.
Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.
2019-11-26
.  2018.  2018 6th International Symposium on Digital Forensic and Security (ISDFS). :1-5.

Phishing is a form of cybercrime where an attacker imitates a real person / institution by promoting them as an official person or entity through e-mail or other communication mediums. In this type of cyber attack, the attacker sends malicious links or attachments through phishing e-mails that can perform various functions, including capturing the login credentials or account information of the victim. These e-mails harm victims because of money loss and identity theft. In this study, a software called Anti Phishing Simulator'' was developed, giving information about the detection problem of phishing and how to detect phishing emails. With this software, phishing and spam mails are detected by examining mail contents. Classification of spam words added to the database by Bayesian algorithm is provided.

2019-11-04
.  2018.  2018 Second International Conference on Intelligent Computing and Control Systems (ICICCS). :129-133.

.  2018.  2018 International Conference on Advances in Computing, Communications and Informatics (ICACCI). :1017–1021.
A significant amount of attempt has been lately committed for the progress of Database Management Systems (DBMS) that ensures high assertion and high security. Common security measures for database like access control measures, validation, encryption technologies, etc are not sufficient enough to secure the data from all the threats. By using an anomaly detection system, we are able to enhance the security feature of the Database management system. We are taking an assumption that the database access control is role based. In this paper, a mechanism is proposed for finding the anomaly in database by using machine learning technique such as classification. The importance of providing anomaly detection technique to a Role-Based Access Control database is that it will help for the protection against the insider attacks. The experimentation results shows that the system is able to detect intrusion effectively with high accuracy and high F1-score.
2019-08-26
.  2018.  2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). :18-21.

We propose a novel cross-stack sensor framework for realizing lightweight, context-aware, high-interaction network and endpoint deceptions for attacker disinformation, misdirection, monitoring, and analysis. In contrast to perimeter-based honeypots, the proposed method arms production workloads with deceptive attack-response capabilities via injection of booby-traps at the network, endpoint, operating system, and application layers. This provides defenders with new, potent tools for more effectively harvesting rich cyber-threat data from the myriad of attacks launched by adversaries whose identities and methodologies can be better discerned through direct engagement rather than purely passive observations of probe attempts. Our research provides new tactical deception capabilities for cyber operations, including new visibility into both enterprise and national interest networks, while equipping applications and endpoints with attack awareness and active mitigation capabilities.

2019-08-05
.  2018.  2018 Fifth International Conference on Parallel, Distributed and Grid Computing (PDGC). :512-516.

From the last few years, security in wireless sensor network (WSN) is essential because WSN application uses important information sharing between the nodes. There are large number of issues raised related to security due to open deployment of network. The attackers disturb the security system by attacking the different protocol layers in WSN. The standard AODV routing protocol faces security issues when the route discovery process takes place. The data should be transmitted in a secure path to the destination. Therefore, to support the process we have proposed a trust based intrusion detection system (NL-IDS) for network layer in WSN to detect the Black hole attackers in the network. The sensor node trust is calculated as per the deviation of key factor at the network layer based on the Black hole attack. We use the watchdog technique where a sensor node continuously monitors the neighbor node by calculating a periodic trust value. Finally, the overall trust value of the sensor node is evaluated by the gathered values of trust metrics of the network layer (past and previous trust values). This NL-IDS scheme is efficient to identify the malicious node with respect to Black hole attack at the network layer. To analyze the performance of NL-IDS, we have simulated the model in MATLAB R2015a, and the result shows that NL-IDS is better than Wang et al. [11] as compare of detection accuracy and false alarm rate.

.  2018.  2018 1st IEEE International Conference on Hot Information-Centric Networking (HotICN). :242–243.

Information centric network (ICN) based Mobile Edge Computing (MEC) network has drawn growing attentions in recent years. The distributed network architecture brings new security problems, especially the identity security problem. Because of the cloud platform deployed on the edge of the MEC network, multiple channel attributes can be easily obtained and processed. Thus this paper proposes a multiple channel attributes based spoofing detection mechanism. To further reduce the complexity, we also propose an improved clustering algorithm. The simulation results indicate that the proposed spoofing detection method can provide near-optimal performance with extremely low complexity.

2019-06-28
.  2018.  Proceedings of the 2018 Workshop on IoT Security and Privacy. :1-7.

The IETF's push towards standardizing the Manufacturer Usage Description (MUD) grammar and mechanism for specifying IoT device behavior is gaining increasing interest from industry. The ability to control inappropriate communication between devices in the form of access control lists (ACLs) is expected to limit the attack surface on IoT devices; however, little is known about how MUD policies will get enforced in operational networks, and how they will interact with current and future intrusion detection systems (IDS). We believe this paper is the first attempt to translate MUD policies into flow rules that can be enforced using SDN, and in relating exception behavior to attacks that can be detected via off-the-shelf IDS. Our first contribution develops and implements a system that translates MUD policies to flow rules that are proactively configured into network switches, as well as reactively inserted based on run-time bindings of DNS. We use traces of 28 consumer IoT devices taken over several months to evaluate the performance of our system in terms of switch flow-table size and fraction of exception traffic that needs software inspection. Our second contribution identifies the limitations of flow-rules derived from MUD in protecting IoT devices from internal and external network attacks, and we show how our system is able to detect such volumetric attacks (including port scanning, TCP/UDP/ICMP flooding, ARP spoofing, and TCP/SSDP/SNMP reflection) by sending only a very small fraction of exception packets to off-the-shelf IDS.

2019-06-10
.  2018.  2018 International Conference on Computing, Power and Communication Technologies (GUCON). :111-114.

This computer era leads human to interact with computers and networks but there is no such solution to get rid of security problems. Securities threats misleads internet, we are sometimes losing our hope and reliability with many server based access. Even though many more crypto algorithms are coming for integrity and authentic data in computer access still there is a non reliable threat penetrates inconsistent vulnerabilities in networks. These vulnerable sites are taking control over the user's computer and doing harmful actions without user's privileges. Though Firewalls and protocols may support our browsers via setting certain rules, still our system couldn't support for data reliability and confidentiality. Since these problems are based on network access, lets we consider TCP/IP parameters as a dataset for analysis. By doing preprocess of TCP/IP packets we can build sovereign model on data set and clump cluster. Further the data set gets classified into regular traffic pattern and anonymous pattern using KNN classification algorithm. Based on obtained pattern for normal and threats data sets, security devices and system will set rules and guidelines to learn by it to take needed stroke. This paper analysis the computer to learn security actions from the given data sets which already exist in the previous happens.

.  2018.  2018 IEEE International Symposium on Smart Electronic Systems (iSES) (Formerly iNiS). :108–113.

Mobile ad hoc networks (MANETs) are self-configuring, dynamic networks in which nodes are free to move. These nodes are susceptible to various malicious attacks. In this paper, we propose a distributed trust-based security scheme to prevent multiple attacks such as Probe, Denial-of-Service (DoS), Vampire, User-to-Root (U2R) occurring simultaneously. We report above 95% accuracy in data transmission and reception by applying the proposed scheme. The simulation has been carried out using network simulator ns-2 in a AODV routing protocol environment. To the best of the authors' knowledge, this is the first work reporting a distributed trust-based prevention scheme for preventing multiple attacks. We also check the scalability of the technique using variable node densities in the network.

.  2018.  2018 3rd Technology Innovation Management and Engineering Science International Conference (TIMES-iCON). :1–4.

Mobile Ad-Hoc Networks (MANETs) are prone to many security attacks. One such attack is the blackhole attack. This work proposes a simple and effective application layer based intrusion detection scheme in a MANET to detect blackholes. The proposed algorithm utilizes mobile agents (MA) and wtracert (modified version of Traceroute for MANET) to detect multiple black holes in a DSR protocol based MANET. Use of MAs ensure that no modifications need to be carried out in the underlying routing algorithms or other lower layers. Simulation results show successful detection of single and multiple blackhole nodes, using the proposed detection mechanism, across varying mobility speeds of the nodes.

.  2018.  2018 3rd International Conference for Convergence in Technology (I2CT). :1–4.

In Mobile Ad-hoc Network (MANET), we cannot predict the clear picture of the topology of a node because of its varying nature. Without notice participation and departure of nodes results in lack of trust relationship between nodes. In such circumstances, there is no guarantee that path between two nodes would be secure or free of malicious nodes. The presence of single malicious node could lead repeatedly compromised node. After providing security to route and data packets still, there is a need for the implementation of defense mechanism that is intrusion detection system(IDS) against compromised nodes. In this paper, we have implemented IDS, which defend against some routing attacks like the black hole and gray hole successfully. After measuring performance we get marginally increased Packet delivery ratio and Throughput.

2019-05-01
.  2018.  2018 IEEE International Conference on Communications (ICC). :1-7.

In big data era, machine learning is one of fundamental techniques in intrusion detection systems (IDSs). Poisoning attack, which is one of the most recognized security threats towards machine learning- based IDSs, injects some adversarial samples into the training phase, inducing data drifting of training data and a significant performance decrease of target IDSs over testing data. In this paper, we adopt the Edge Pattern Detection (EPD) algorithm to design a novel poisoning method that attack against several machine learning algorithms used in IDSs. Specifically, we propose a boundary pattern detection algorithm to efficiently generate the points that are near to abnormal data but considered to be normal ones by current classifiers. Then, we introduce a Batch-EPD Boundary Pattern (BEBP) detection algorithm to overcome the limitation of the number of edge pattern points generated by EPD and to obtain more useful adversarial samples. Based on BEBP, we further present a moderate but effective poisoning method called chronic poisoning attack. Extensive experiments on synthetic and three real network data sets demonstrate the performance of the proposed poisoning method against several well-known machine learning algorithms and a practical intrusion detection method named FMIFS-LSSVM-IDS.

.  2018.  2018 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET). :1-6.

Nowadays, most of the world's population has become much dependent on computers for banking, healthcare, shopping, and telecommunication. Security has now become a basic norm for computers and its resources since it has become inherently insecure. Security issues like Denial of Service attacks, TCP SYN Flooding attacks, Packet Dropping attacks and Distributed Denial of Service attacks are some of the methods by which unauthorized users make the resource unavailable to authorized users. There are several security mechanisms like Intrusion Detection System, Anomaly detection and Trust model by which we can be able to identify and counter the abuse of computer resources by unauthorized users. This paper presents a survey of several security mechanisms which have been implemented using Fuzzy logic. Fuzzy logic is one of the rapidly developing technologies, which is used in a sophisticated control system. Fuzzy logic deals with the degree of truth rather than the Boolean logic, which carries the values of either true or false. So instead of providing only two values, we will be able to define intermediate values.

.  2018.  2018 2nd Cyber Security in Networking Conference (CSNet). :1-3.

Rapid development of internet and network technologies has led to considerable increase in number of attacks. Intrusion detection system is one of the important ways to achieve high security in computer networks. However, it have curse of dimensionality which tends to increase time complexity and decrease resource utilization. To improve the ability of detecting anomaly intrusions, a combined algorithm is proposed based on Weighted Fuzzy C-Mean Clustering Algorithm (WFCM) and Fuzzy logic. Decision making is performed in two stages. In the first stage, WFCM algorithm is applied to reduce the input data space. The reduced dataset is then fed to Fuzzy Logic scheme to build the fuzzy sets, membership function and the rules that decide whether an instance represents an anomaly or not.

2019-03-28
.  2018.  2018 21st Saudi Computer Society National Computer Conference (NCC). :1-6.

The rapid growth of population and industrialization has given rise to the way for the use of technologies like the Internet of Things (IoT). Innovations in Information and Communication Technologies (ICT) carries with it many challenges to our privacy's expectations and security. In Smart environments there are uses of security devices and smart appliances, sensors and energy meters. New requirements in security and privacy are driven by the massive growth of devices numbers that are connected to IoT which increases concerns in security and privacy. The most ubiquitous threats to the security of the smart grids (SG) ascended from infrastructural physical damages, destroying data, malwares, DoS, and intrusions. Intrusion detection comprehends illegitimate access to information and attacks which creates physical disruption in the availability of servers. This work proposes an intrusion detection system using data mining techniques for intrusion detection in smart grid environment. The results showed that the proposed random forest method with a total classification accuracy of 98.94 %, F-measure of 0.989, area under the ROC curve (AUC) of 0.999, and kappa value of 0.9865 outperforms over other classification methods. In addition, the feasibility of our method has been successfully demonstrated by comparing other classification techniques such as ANN, k-NN, SVM and Rotation Forest.

2019-03-18
.  2018.  Proceedings of the Fifth Cybersecurity Symposium. :13:1–13:4.
The advent of machine learning has made it a popular tool in various areas. It has also been applied in network intrusion detection. However, machine learning hasn't been sufficiently explored in the cyberphysical domains such as smart grids. This is because a lot of factors weigh in while using these tools. This paper is about intrusion detection in smart grids and how some machine learning techniques can help achieve this goal. It considers the problems of feature and classifier selection along with other data ambiguities. The goal is to apply the machine learning ensemble classifiers on the smart grid traffic and evaluate if these methods can detect anomalies in the system.
2019-03-15
.  2018.  2018 IEEE International Conference on Applied System Invention (ICASI). :1107-1110.
In practice, Defenders need a more efficient network detection approach which has the advantages of quick-responding learning capability of new network behavioural features for network intrusion detection purpose. In many applications the capability of Deep Learning techniques has been confirmed to outperform classic approaches. Accordingly, this study focused on network intrusion detection using convolutional neural networks (CNNs) based on LeNet-5 to classify the network threats. The experiment results show that the prediction accuracy of intrusion detection goes up to 99.65% with samples more than 10,000. The overall accuracy rate is 97.53%.
2019-03-06
.  2018.  Proceedings of the 4th International Conference on Frontiers of Educational Technologies. :117-121.

In recent years, new and devastating cyber attacks amplify the need for robust cybersecurity practices. Preventing novel cyber attacks requires the invention of Intrusion Detection Systems (IDSs), which can identify previously unseen attacks. Many researchers have attempted to produce anomaly - based IDSs, however they are not yet able to detect malicious network traffic consistently enough to warrant implementation in real networks. Obviously, it remains a challenge for the security community to produce IDSs that are suitable for implementation in the real world. In this paper, we propose a new approach using a Deep Belief Network with a combination of supervised and unsupervised machine learning methods for port scanning attacks detection - the task of probing enterprise networks or Internet wide services, searching for vulnerabilities or ways to infiltrate IT assets. Our proposed approach will be tested with network security datasets and compared with previously existing methods.

.  2018.  2018 IEEE/ACS 15th International Conference on Computer Systems and Applications (AICCSA). :1-7.

Cybersecurity plays a critical role in protecting sensitive information and the structural integrity of networked systems. As networked systems continue to expand in numbers as well as in complexity, so does the threat of malicious activity and the necessity for advanced cybersecurity solutions. Furthermore, both the quantity and quality of available data on malicious content as well as the fact that malicious activity continuously evolves makes automated protection systems for this type of environment particularly challenging. Not only is the data quality a concern, but the volume of the data can be quite small for some of the classes. This creates a class imbalance in the data used to train a classifier; however, many classifiers are not well equipped to deal with class imbalance. One such example is detecting malicious HMTL files from static features. Unfortunately, collecting malicious HMTL files is extremely difficult and can be quite noisy from HTML files being mislabeled. This paper evaluates a specific application that is afflicted by these modern cybersecurity challenges: detection of malicious HTML files. Previous work presented a general framework for malicious HTML file classification that we modify in this work to use a $\chi$2 feature selection technique and synthetic minority oversampling technique (SMOTE). We experiment with different classifiers (i.e., AdaBoost, Gentle-Boost, RobustBoost, RusBoost, and Random Forest) and a pure detection model (i.e., Isolation Forest). We benchmark the different classifiers using SMOTE on a real dataset that contains a limited number of malicious files (40) with respect to the normal files (7,263). It was found that the modified framework performed better than the previous framework's results. However, additional evidence was found to imply that algorithms which train on both the normal and malicious samples are likely overtraining to the malicious distribution. We demonstrate the likely overtraining by determining that a subset of the malicious files, while suspicious, did not come from a malicious source.

2019-02-13
.  2018.  Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. :1883–1898.
Cyber threat hunting is the process of proactively and iteratively formulating and validating threat hypotheses based on security-relevant observations and domain knowledge. To facilitate threat hunting tasks, this paper introduces threat intelligence computing as a new methodology that models threat discovery as a graph computation problem. It enables efficient programming for solving threat discovery problems, equipping threat hunters with a suite of potent new tools for agile codifications of threat hypotheses, automated evidence mining, and interactive data inspection capabilities. A concrete realization of a threat intelligence computing platform is presented through the design and implementation of a domain-specific graph language with interactive visualization support and a distributed graph database. The platform was evaluated in a two-week DARPA competition for threat detection on a test bed comprising a wide variety of systems monitored in real time. During this period, sub-billion records were produced, streamed, and analyzed, dozens of threat hunting tasks were dynamically planned and programmed, and attack campaigns with diverse malicious intent were discovered. The platform exhibited strong detection and analytics capabilities coupled with high efficiency, resulting in a leadership position in the competition. Additional evaluations on comprehensive policy reasoning are outlined to demonstrate the versatility of the platform and the expressiveness of the language.
.  2018.  Proceedings of the 13th International Conference on Availability, Reliability and Security. :59:1–59:8.
Shared Threat Intelligence is often imperfect. Especially so called Indicator of Compromise might not be well constructed. This might either be the case if the threat only appeared recently and recordings do not allow for construction of high quality Indicators or the threat is only observed by sharing partners lesser capable to model the threat. However, intrusion detection based on imperfect intelligence yields low quality results. Within this paper we illustrate how one is able to overcome these shortcomings in data quality and is able to achieve solid intrusion detection. This is done by assigning individual weights to observables listed in a STIX™ report to express their significance for detection. For evaluation, an automatized toolchain was developed to mimic the Threat Intelligence sharing ecosystem from initial detection over reporting, sharing, and determining compromise by STIX™-formated data. Multiple strategies to detect and attribute a specific threat are compared using this data, leading up to an approach yielding a F1-Score of 0.79.
2019-02-08
.  2018.  2018 IEEE World Congress on Services (SERVICES). :35-36.

This research proposes a system for detecting known and unknown Distributed Denial of Service (DDoS) Attacks. The proposed system applies two different intrusion detection approaches anomaly-based distributed artificial neural networks(ANNs) and signature-based approach. The Amazon public cloud was used for running Spark as the fast cluster engine with varying cores of machines. The experiment results achieved the highest detection accuracy and detection rate comparing to signature based or neural networks-based approach.

2019-01-21
.  2018.  2018 13th Asia Joint Conference on Information Security (AsiaJCIS). :102–108.
Advanced persistent threat (APT) has been considered globally as a serious social problem since the 2010s. Adversaries of this threat, at first, try to penetrate into targeting organizations by using a backdoor which is opened with drive-by-download attacks, malicious e-mail attachments, etc. After adversaries' intruding, they usually execute benign applications (e.g, OS built-in commands, management tools published by OS vendors, etc.) for investigating networks of targeting organizations. Therefore, if they penetrate into networks once, it is difficult to rapidly detect these malicious activities only by using anti-virus software or network-based intrusion systems. Meanwhile, enterprise networks are managed well in general. That means network administrators have a good grasp of installed applications and routinely used applications for employees' daily works. Thereby, in order to find anomaly behaviors on well-managed networks, it is effective to observe changes executing their applications. In this paper, we propose a lightweight host-based intrusion detection system by using process generation patterns. Our system periodically collects lists of active processes from each host, then the system constructs process trees from the lists. In addition, the system detects anomaly processes from the process trees considering parent-child relationships, execution sequences and lifetime of processes. Moreover, we evaluated the system in our organization. The system collected 2, 403, 230 process paths in total from 498 hosts for two months, then the system could extract 38 anomaly processes. Among them, one PowerShell process was also detected by using an anti-virus software running on our organization. Furthermore, our system could filter out the other 18 PowerShell processes, which were used for maintenance of our network.