With the growing deployment of host-based and network-based intrusion detection systems in increasingly
large and complex communication networks, managing low-level alerts from these systems becomes
critically important. Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or
intrusion prevention systems (IPSs) are collected throughout a monitored network such that large series of
alerts (alert streams) need to be fused. An alert indicates an abnormal behavior, which could potentially be
a sign for an ongoing cyber attack. Unfortunately, in a real data communication network, administrators
cannot manage the large number of alerts occurring per second, in particular since most alerts are false
positives. Hence, an emerging track of security research has focused on alert correlation to better identify
true positive and false positive. To achieve this goal we introduce Mission Oriented Network Analysis
(MONA). This method builds on data correlation to derive network dependencies and manage security
events by linking incoming alerts to network dependencies.
AUTHENTICATION USING TRUST TO DETECT MISBEHAVING NODES IN MOBILE AD HOC NETWO...IJNSA Journal
Providing security in Mobile Ad Hoc Network is crucial problem due to its open shared wireless medium,
multi-hop and dynamic nature, constrained resources, lack of administration and cooperation.
Traditionally routing protocols are designed to cope with routing operation but in practice they may be
affected by misbehaving nodes so that they try to disturb the normal routing operations by launching
different attacks with the intention to minimize or collapse the overall network performance. Therefore
detecting a trusted node means ensuring authentication and securing routing can be expected. In this
article we have proposed a Trust and Q-learning based Security (TQS) model to detect the misbehaving
nodes over Ad Hoc On Demand Distance-Vector (AODV) routing protocol. Here we avoid the misbehaving
nodes by calculating an aggregated reward, based on the Q-learning mechanism by using their historical
forwarding and responding behaviour by the way misbehaving nodes can be isolated.
Anew approach to broadcast in wormhole routed three-dimensional networks is proposed. One of the most
important process in communication and parallel computer is broadcast approach.. The approach of this
case of Broadcasting is to send the message from one source to all destinations in the network which
corresponds to one-to-all communication. Wormhole routing is a fundamental routing mechanism in
modern parallel computers which is characterized with low communication latency. We show how to apply
this approach to 3-D meshes. Wormhole routing is divided the packets into set of FLITS (flow control
digits). The first Flit of the packet (Header Flit) is containing the destination address and all subsets flits
will follow the routing way of the header Flit. In this paper, we consider an efficient algorithm for
broadcasting on an all-port wormhole-routed 3D mesh with arbitrary size. We introduce an efficient
algorithm, Y-Hamiltonian Layers Broadcast(Y-HLB). In this paper the behaviors of this algorithm were
compared to the previous results, our paradigm reduces broadcast latency and is simpler. In this paper our
simulation results show the average of our proposed algorithm over the other algorithms that presented.
DESIGN AND IMPLEMENTATION OF THE ADVANCED CLOUD PRIVACY THREAT MODELING IJNSA Journal
Privacy-preservation for sensitive data has become a challenging issue in cloud computing. Threat
modeling as a part of requirements engineering in secure software development provides a structured
approach for identifying attacks and proposing countermeasures against the exploitation of vulnerabilities
in a system. This paper describes an extension of Cloud Privacy Threat Modeling (CPTM) methodology for
privacy threat modeling in relation to processing sensitive data in cloud computing environments. It
describes the modeling methodology that involved applying Method Engineering to specify characteristics
of a cloud privacy threat modeling methodology, different steps in the proposed methodology and
corresponding products. In addition, a case study has been implemented as a proof of concept to
demonstrate the usability of the proposed methodology. We believe that the extended methodology
facilitates the application of a privacy-preserving cloud software development approach from requirements
engineering to design.
DATA AGGREGATION AND PRIVACY FOR POLICE PATROLSijasuc
With a widespread growth in the potential applications of Wireless Sensor Networks, the need for reliable
security mechanisms for them has increased manifold. This paper proposes a scheme, Privacy for Police
Patrols (PPP), to provide secure data aggregation that relies on multilevel routing. Privacy factors have
been identified and implemented. Aggregates are prepared and the summary of information is gathered
and stored in a repository. The above defined approaches are integrated in police patrol applications and
preliminary results are obtained.
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ijcseit
Millions of people all over the world are now connected to the Internet for doing business. Therefore, the
demand for Internet and web-based services continues to grow. So, need to install required infrastructure
to balance the computing. In spite the success of new infrastructure, it is susceptible to several critical
malfunctions. Therefore, to guarantee the secure operations on Network and Data, several solutions need
to be developed. The researchers are working in this direction to have the better solution for security.
In distributed environment, at the time of management of resources both computing and networking,
resource allocation and resource utilization, etc, the security is most crucial problem. In this paper, an
extensive review has been made on the different security aspect, different types of attack and techniques to
sustain and block the attack in the distributed environment.
Delay Tolerant Networks (DTNs) have high end-to-end latency, which is often faces disconnection, and unreliable wireless connections. It does not mean a delay service instead DTNs provides a service where network imposes disruption or delay. It operates in challenged networks with extremely limited resources such as memory size, CPU processing power etc. This paper presents an efficient trust managing mechanism for providing secure environment. The proposed dynamic trust management protocol uses a dynamic threshold updating which overcomes the problems with time changing dynamic characteristics by dynamically updating the criteria in response to changing network conditions. This reduces overheads and increases the efficient use of routing network even in conditions change. Also the dynamic threshold update reduces the false detection probability of the malicious nodes. To show the effectiveness of the proposed system, a detailed simulation in the presence of selfish and malicious nodes is performed with ONE simulator. Finally a comparative analysis of our proposed routing with previous routing protocols is also performed. The results demonstrate that presented algorithm deals effectively with selfish behavior with providing significant gain on effective delivery ratio in trade off with message overhead and delay
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...IJNSA Journal
Through continuous observation and modelling of normal behavior in networks, Anomaly-based Network Intrusion Detection System (A-NIDS) offers a way to find possible threats via deviation from the normal model. The analysis of network traffic based on time series model has the advantage of exploiting the relationship between packages within network traffic and observing trends of behaviors over a period of time. It will generate new sequences with good features that support anomaly detection in network traffic and provide the ability to detect new attacks. Besides, an anomaly detection technique, which focuses on the normal data and aims to build a description of it, will be an effective technique for anomaly detection in imbalanced data. In this paper, we propose a combination model of Long Short Term Memory (LSTM) architecture for processing time series and a data description Support Vector Data Description (SVDD) for anomaly detection in A-NIDS to obtain the advantages of them. This model helps parameters in LSTM and SVDD are jointly trained with joint optimization method. Our experimental results with KDD99 dataset show that the proposed combined model obtains high performance in intrusion detection, especially DoS and Probe attacks with 98.0% and 99.8%, respectively.
TRUST ORIENTED SECURITY FRAMEWORK FOR AD HOC NETWORKcscpconf
An ad hoc network is a group of wireless mobile hosts that are connected momentarily through
wireless connections in the dearth of any centralized control or some supporting services. The
mobile ad hoc network is at risk by its environment because of the vulnerabilities at channel and
node level. The conventional security mechanisms deals with only protecting resources from unauthorized access, but are not capable to safeguard the network from who offer resources. Adding trust to the on hand security infrastructures would improvise the security of these environments. A trust oriented security framework for adhoc network using ontological engineering approach is proposed by modeling ad hoc network, the OLSR (Optimized Link State Routing) protocol and trust model as OWL (Ontology Web language) ontologies, which are integrated using Jena. In this model, a trustor can calculate its trust about trustee and use the calculated trust values to make decisions depending on the context of the application or interaction about granting or rejecting it. A number of experiments with a potential implementation of suggested framework are performed to validate the characteristics of a trust oriented model suggested by the literature by this framework
AUTHENTICATION USING TRUST TO DETECT MISBEHAVING NODES IN MOBILE AD HOC NETWO...IJNSA Journal
Providing security in Mobile Ad Hoc Network is crucial problem due to its open shared wireless medium,
multi-hop and dynamic nature, constrained resources, lack of administration and cooperation.
Traditionally routing protocols are designed to cope with routing operation but in practice they may be
affected by misbehaving nodes so that they try to disturb the normal routing operations by launching
different attacks with the intention to minimize or collapse the overall network performance. Therefore
detecting a trusted node means ensuring authentication and securing routing can be expected. In this
article we have proposed a Trust and Q-learning based Security (TQS) model to detect the misbehaving
nodes over Ad Hoc On Demand Distance-Vector (AODV) routing protocol. Here we avoid the misbehaving
nodes by calculating an aggregated reward, based on the Q-learning mechanism by using their historical
forwarding and responding behaviour by the way misbehaving nodes can be isolated.
Anew approach to broadcast in wormhole routed three-dimensional networks is proposed. One of the most
important process in communication and parallel computer is broadcast approach.. The approach of this
case of Broadcasting is to send the message from one source to all destinations in the network which
corresponds to one-to-all communication. Wormhole routing is a fundamental routing mechanism in
modern parallel computers which is characterized with low communication latency. We show how to apply
this approach to 3-D meshes. Wormhole routing is divided the packets into set of FLITS (flow control
digits). The first Flit of the packet (Header Flit) is containing the destination address and all subsets flits
will follow the routing way of the header Flit. In this paper, we consider an efficient algorithm for
broadcasting on an all-port wormhole-routed 3D mesh with arbitrary size. We introduce an efficient
algorithm, Y-Hamiltonian Layers Broadcast(Y-HLB). In this paper the behaviors of this algorithm were
compared to the previous results, our paradigm reduces broadcast latency and is simpler. In this paper our
simulation results show the average of our proposed algorithm over the other algorithms that presented.
DESIGN AND IMPLEMENTATION OF THE ADVANCED CLOUD PRIVACY THREAT MODELING IJNSA Journal
Privacy-preservation for sensitive data has become a challenging issue in cloud computing. Threat
modeling as a part of requirements engineering in secure software development provides a structured
approach for identifying attacks and proposing countermeasures against the exploitation of vulnerabilities
in a system. This paper describes an extension of Cloud Privacy Threat Modeling (CPTM) methodology for
privacy threat modeling in relation to processing sensitive data in cloud computing environments. It
describes the modeling methodology that involved applying Method Engineering to specify characteristics
of a cloud privacy threat modeling methodology, different steps in the proposed methodology and
corresponding products. In addition, a case study has been implemented as a proof of concept to
demonstrate the usability of the proposed methodology. We believe that the extended methodology
facilitates the application of a privacy-preserving cloud software development approach from requirements
engineering to design.
DATA AGGREGATION AND PRIVACY FOR POLICE PATROLSijasuc
With a widespread growth in the potential applications of Wireless Sensor Networks, the need for reliable
security mechanisms for them has increased manifold. This paper proposes a scheme, Privacy for Police
Patrols (PPP), to provide secure data aggregation that relies on multilevel routing. Privacy factors have
been identified and implemented. Aggregates are prepared and the summary of information is gathered
and stored in a repository. The above defined approaches are integrated in police patrol applications and
preliminary results are obtained.
ANALYSIS OF SECURITY ASPECTS FOR DYNAMIC RESOURCE MANAGEMENT IN DISTRIBUTED S...ijcseit
Millions of people all over the world are now connected to the Internet for doing business. Therefore, the
demand for Internet and web-based services continues to grow. So, need to install required infrastructure
to balance the computing. In spite the success of new infrastructure, it is susceptible to several critical
malfunctions. Therefore, to guarantee the secure operations on Network and Data, several solutions need
to be developed. The researchers are working in this direction to have the better solution for security.
In distributed environment, at the time of management of resources both computing and networking,
resource allocation and resource utilization, etc, the security is most crucial problem. In this paper, an
extensive review has been made on the different security aspect, different types of attack and techniques to
sustain and block the attack in the distributed environment.
Delay Tolerant Networks (DTNs) have high end-to-end latency, which is often faces disconnection, and unreliable wireless connections. It does not mean a delay service instead DTNs provides a service where network imposes disruption or delay. It operates in challenged networks with extremely limited resources such as memory size, CPU processing power etc. This paper presents an efficient trust managing mechanism for providing secure environment. The proposed dynamic trust management protocol uses a dynamic threshold updating which overcomes the problems with time changing dynamic characteristics by dynamically updating the criteria in response to changing network conditions. This reduces overheads and increases the efficient use of routing network even in conditions change. Also the dynamic threshold update reduces the false detection probability of the malicious nodes. To show the effectiveness of the proposed system, a detailed simulation in the presence of selfish and malicious nodes is performed with ONE simulator. Finally a comparative analysis of our proposed routing with previous routing protocols is also performed. The results demonstrate that presented algorithm deals effectively with selfish behavior with providing significant gain on effective delivery ratio in trade off with message overhead and delay
A COMBINATION OF TEMPORAL SEQUENCE LEARNING AND DATA DESCRIPTION FOR ANOMALYB...IJNSA Journal
Through continuous observation and modelling of normal behavior in networks, Anomaly-based Network Intrusion Detection System (A-NIDS) offers a way to find possible threats via deviation from the normal model. The analysis of network traffic based on time series model has the advantage of exploiting the relationship between packages within network traffic and observing trends of behaviors over a period of time. It will generate new sequences with good features that support anomaly detection in network traffic and provide the ability to detect new attacks. Besides, an anomaly detection technique, which focuses on the normal data and aims to build a description of it, will be an effective technique for anomaly detection in imbalanced data. In this paper, we propose a combination model of Long Short Term Memory (LSTM) architecture for processing time series and a data description Support Vector Data Description (SVDD) for anomaly detection in A-NIDS to obtain the advantages of them. This model helps parameters in LSTM and SVDD are jointly trained with joint optimization method. Our experimental results with KDD99 dataset show that the proposed combined model obtains high performance in intrusion detection, especially DoS and Probe attacks with 98.0% and 99.8%, respectively.
TRUST ORIENTED SECURITY FRAMEWORK FOR AD HOC NETWORKcscpconf
An ad hoc network is a group of wireless mobile hosts that are connected momentarily through
wireless connections in the dearth of any centralized control or some supporting services. The
mobile ad hoc network is at risk by its environment because of the vulnerabilities at channel and
node level. The conventional security mechanisms deals with only protecting resources from unauthorized access, but are not capable to safeguard the network from who offer resources. Adding trust to the on hand security infrastructures would improvise the security of these environments. A trust oriented security framework for adhoc network using ontological engineering approach is proposed by modeling ad hoc network, the OLSR (Optimized Link State Routing) protocol and trust model as OWL (Ontology Web language) ontologies, which are integrated using Jena. In this model, a trustor can calculate its trust about trustee and use the calculated trust values to make decisions depending on the context of the application or interaction about granting or rejecting it. A number of experiments with a potential implementation of suggested framework are performed to validate the characteristics of a trust oriented model suggested by the literature by this framework
A mobile Ad-hoc network (MANET) is an impulsive network that can be recognized with no predetermined infrastructure. To achieve safe path selection cryptographic key exchange was implemented mostly in turn of huge computational cost. Confidence based coordination in MANET focuses on routing challenges created by selfish nodes, as energy utilization & time factor are key issues in this aspect. The present protocol is focused on fuzzy optimization-based node confidence estimation and path selection with minimum energy utilization. The node with maximum confidence value will give high priority to include in the path for transmission. In the implemented protocol to build a novel confidence-based model multidimensional factors like confidence value, link cost, degree of node and node energy are included as decision-making factors. The proposed protocol CLBNSRM estimates confidence level in four steps to decide a trustworthiness of neighboring node. To estimate the efficiency of the present confidence model various protocols are compared by using attributes like the number of nodes, node speed, malicious node variation, etc. Moreover, different parameters like Packet delivery ratio, Throughput, Residual energy, and Packet dropped are considered with these attribute variations. Experimental results indicate that PDR and Throughput increase although in presence of malicious nodes, along with the utilization of minimal energy. Statistical analysis is carried out for mathematical modeling. This analysis shows that a linear model of an implemented protocol is better than compared protocol with all the aspects.
Efficient radio resource allocation scheme for 5G networks with device-to-devi...IJECEIAES
A vital technology in the next-generation cellular network is device-to-device (D2D) communication. Cellular user enabled with D2D communication provides high spectral efficiency and further increases the coverage area of the cell, especially for the end-cell users and blind spot areas. However, the implementation of D2D communication increases interference among the cellular and D2D users. In this paper, we proposed a radio resource allocation (RRA) algorithm to manage the interference using fractional frequency reuse (FFR) scheme and Hungarian algorithm. The proposed algorithm is divided into three parts. First, the FFR scheme allocates different frequency bands among the cell (inner and outer region) for both the cellular and the D2D users to reduce the interference. Second, the Hungarian weighted bipartite matching algorithm is used to allocate the resources to D2D users with the minimum total system interference, while maintaining the total system sum rate. The cellular users share the resources with more than one D2D pair. Lastly, the local search technique of swapping is used for further allocation to minimize the interference. We implemented two types of assignments, fair multiple assignment, and restricted multiple assignment. We compared our results with existing algorithms which verified that our proposed algorithm provides outstanding results in aspects like interference reduction and system sum rate. For restricted multiple assignment, 60-70% of the D2D users are allocated in average cases.
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNSIJNSA Journal
The domain of Wireless Sensor Networks (WSNs) applications is increasing widely over the last few years. As this new type of networking is characterized by severely constrained node resources, limited network resources and the requirement to operate in an ad hoc manner, implementing security functionality to protect against adversary nodes becomes a challenging task. In this paper, we present a trust-aware, location-based routing protocol which protects the WSN against routing attacks, and also supports large-scale WSNs deployments. The proposed solution has been shown to efficiently detect and avoid malicious nodes and has been implemented in state-of-the-art sensor nodes for a real-life test-bed. This work focuses on the assessment of the implementation cost and on the lessons learned through the design, implementation and validation process.
Even in difficult places to reach, the new networking technique allows the easy deployment of sensor networks although these wireless sensor networks confront a lot of constraints. The major constraint is related to the quality of information sent by the network. The wireless sensor networks use different methods to achieve data to the base station. Data aggregation is an important one, used by these wireless sensor networks. But this aggregated data can be subject to several types of attacks and provides security is necessary to resist against malicious attacks, secure communication between severely resource constrained sensor nodes while maintaining the flexibility of the topology changes. Recently, several secure data aggregation schemes have been proposed for wireless sensor networks, it provides better security compared with traditional aggregation. In this paper, we try to focus on giving a brief statement of the various approaches used for the purpose of secure data aggregation in wireless sensor networks.
Proposed Agent Based Black hole Node Detection Algorithm for Ad-Hoc Wireless...ijcsa
A Mobile ad-hoc network (MANET) is a latest and eme
rging Research topic among researchers. The
reason behind the popularity of MANET is flexibilit
y and independence of network infrastructure. MANET
has some unique characteristic like dynamic network
topology, limited power and limited bandwidth for
communication. MANET has more challenge compare to
any other conventional network. However the
dynamical network topology of MANETs, infrastructur
e-less property and lack of certificate authority m
ake
the security problems of MANETs need to pay more at
tention. This paper represents review of layer wise
security attacks. It also discussed the issues and
challenges of mobile ad hoc network. On the importa
nce of
security issues, this paper proposed intrusion dete
ction framework for detecting network layer threats
such
as black hole attack.
Trust correlation of mobile agent nodes with a regular node in a Adhoc networ...IJECEIAES
A mobile agent offers discrete advantage both in facilitating better transmission as well as controlling the traffic load in Mobile Adhoc Network (MANET). Hence, such forms of network offers maximized dependencies on mobile agents in terms of its trust worthiness. At present, there are various work being carried out towards resisting security breach in MANET; however approaches using mobile agent based mechanism is few to found. Therefore, the proposed system introduces a novel mathematical model where an extensive decision making system has been constructed for identifying the malicious intention of mobile agents in case they go rogues. By adopting multi-tier communication policy and fairness concept, the proposed system offers the capability to resist any form of malicious activity of mobile agent without even presence of any apriori information of adversary. The outcome shows proposed system outshines existing security scheme in MANET.
THE NASH’S BALANCE IN THE THEORY OF GAMES FOR A SECURE MODEL MECHANISM IN ROU...ijcisjournal
The present work is dedicated to study attacks and countermeasure in MANET. After a short introduction to what the Mobile Ad hoc Networks (MANETs) are and network security we present a survey of various attacks in MANETs pertaining to fail routing protocols. We present the different tools used by these attacks and the mechanisms used by the secured routing protocols to counter them. We also study a mechanism of security, named the reputation, proposed for the MANETs and the protocol which implements it. We also propose a secure mechanism which is based on the reputation. Our work ends with a proposal analytical model to the modules of our mechanism and the equilibrium states of our model.
Now a day the technology is improving day by day. The wired network has been changed to wireless network. There are many advantages of wireless network over wired network. One of the main advantage is we can walk around freely in a network area and accesses internet. Security is one of the challenging issues. Intrusion Detection System is one of the systematic ways to detect malicious node in a mobile ad hoc network MANET and it is driven by battery power. This paper gives a survey on various intrusion detection systems in MANET. Praveen Mourya | Prof. Avinash Sharma ""Review on Intrusion Detection in MANETs"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-2 , February 2020, URL: https://www.ijtsrd.com/papers/ijtsrd29970.pdf
Paper Url : https://www.ijtsrd.com/engineering/computer-engineering/29970/review-on-intrusion-detection-in-manets/praveen-mourya
PROACTIVE DETECTION OF DDOS ATTACKS IN PUBLISH-SUBSCRIBE NETWORKSIJNSA Journal
Abstract. Information centric networking (ICN) using architectures such as Publish-Subscribe Internet
Routing Paradigm (PSIRP) or Publish-Subscribe Internet Technology (PURSUIT) has been proposed as an
important candidate for the Internet of the future. ICN is an emerging research area that proposes a
transformation of the current host centric Internet architecture into an architecture where information
items are of primary importance. This change allows network functions such as routing and locating to be
optimized based on the information items themselves. The Bloom filter based content delivery is a sourcerouting
scheme that is used in the PSIRP/PURSUIT architectures. Although this mechanism solves many
issues of today’s Internet such as the growth of the routing table and the scalability problems, it is
vulnerable to distributed denial-of-service (DDoS) attacks. In this paper, we present a new content delivery
scheme that has the advantages of Bloom filter based approach while at the same time being able to
prevent DDoS attacks on the forwarding mechanism. Our security analysis suggests that with the proposed
approach, the forwarding plane is able to resist attacks such as DDoS with very high probability.
A trust-based authentication framework for security of WPAN using network sli...IJECEIAES
New technologies and their seamless wireless interconnectivity bring along many chal- lenges including security and privacy issues that require immediate attention. Wireless personal area networks (WPANs) are characterized by limited energy resources and computing power which call for lightweight security mechanisms in these networks as a mandatory requirement. In this paper, a lightweight trust-based framework for node authentication in WPAN is proposed. Our main objective is to minimise the effort in distinguishing valid requests of trustworthy nodes from invalid requests of malicious nodes that can result in network compromises. We achieve this through network slicing which divides the network into primary and secondary virtual networks. The proposed framework has three-fold benefits. Firstly, it authenticates nodes’ requests based on a novel method of trust value calculation. Secondly, the framework maintains energy efficiency while authenticating nodes’ requests to access WPAN resources. Finally, the framework provides a solution for the biasing problem that can arise due to unexpected behaviour of malicious users in WPANs. The framework efficacy is illustrated by using a case study to show how it can accurately capture trust relations among nodes while preventing malicious behavior.
MICRO ROTOR ENHANCED BLOCK CIPHER DESIGNED FOR EIGHT BITS MICRO-CONTROLLERS (...IJNSA Journal
The sensor network is a wireless network environment that consists of the many sensors of lightweight and
low-power. Authentication between nodes is very vital for network reliability and the integrity of
information collected by these nodes. Therefore, encryption algorithm for the implementation of reliable
sensor network environments is required to the applicable sensor network. This paper gives a new
proposed cryptosystem (MREBC) that is designed for 8 bits microcontroller systems. MREBC uses the
concept of rotor enhanced block cipher which was initially proposed by the author in [NRSC 2002] on the
first version of REBC. MREBC uses rotors to achieve two basic cryptographic operations; permutation,
and substitution. Round key is generated using rotor too, which is used to achieve ciphertext key
dependency. Rotors implemented using 8 bits successive affine transformation, which achieves memoryless,
normalized ciphertext statistics, and small processing speed trend. The strength of this system is
compared with the RIJNDAEL (AES) cipher. MREBC cipher gives excellent results from security
characteristics and statistical point of view of. communication efficiency of MREBC is compared with AES
through measuring performance by plaintext size, and cost of operation per hop according to the network
scale. Arduino microcontroller board is used to implement both MREBC, and AES in order to compare the
performance of algorithms. Authors suggests to use MREBC to implement a reliable sensor network
environments.
WEARABLE TECHNOLOGY DEVICES SECURITY AND PRIVACY VULNERABILITY ANALYSISIJNSA Journal
Wearable Technology also called wearable gadget, is acategory of technology devices with low processing
capabilities that can be worn by a user with the aim to provide information and ease of access to the master
devices its pairing with. Such examples are Google Glass and Smart watch. The impact of wearable
technology becomes significant when people start their invention in wearable computing, where their
mobile devices become one of the computation sources. However, wearable technology is not mature yet in
term of device security and privacy acceptance of the public. There exists some security weakness that
prompts such wearable devices vulnerable to attack. One of the critical attack on wearable technology is
authentication issue. The low processing due to less computing power of wearable device causethe
developer's inability to equip some complicated security mechanisms and algorithm on the device.In this
study, an overview of security and privacy vulnerabilities on wearable devices is presented.
Малоресурсная криптография - Сергей МартыненкоHackIT Ukraine
Презентация с форума http://hackit-ukraine.com/
Сергей Мартыненко
Ст.преп. кафедры комп. систем и сетей, ХАИ
Малоресурсная криптография
О спикере: Ст. преподаватель кафедры компьютерных сетей и систем. Опыт в области криптографической защиты информации и критических систем более 5 лет. Занимается защитой информации в малоресурсных системах.
THE INTERNET OF THINGS: NEW INTEROPERABILITY, MANAGEMENT AND SECURITY CHALLENGESIJNSA Journal
The Internet of Things (IoT) brings connectivity to about every objects found in the physical space. It
extends connectivity to everyday objects. From connected fridges, cars and cities, the IoT creates
opportunities in numerous domains. However, this increase in connectivity creates many prominent
challenges. This paper provides a survey of some of the major issues challenging the widespread adoption
of the IoT. Particularly, it focuses on the interoperability, management, security and privacy issues in the
IoT. It is concluded that there is a need to develop a multifaceted technology approach to IoT security,
management, and privacy.
A mobile Ad-hoc network (MANET) is an impulsive network that can be recognized with no predetermined infrastructure. To achieve safe path selection cryptographic key exchange was implemented mostly in turn of huge computational cost. Confidence based coordination in MANET focuses on routing challenges created by selfish nodes, as energy utilization & time factor are key issues in this aspect. The present protocol is focused on fuzzy optimization-based node confidence estimation and path selection with minimum energy utilization. The node with maximum confidence value will give high priority to include in the path for transmission. In the implemented protocol to build a novel confidence-based model multidimensional factors like confidence value, link cost, degree of node and node energy are included as decision-making factors. The proposed protocol CLBNSRM estimates confidence level in four steps to decide a trustworthiness of neighboring node. To estimate the efficiency of the present confidence model various protocols are compared by using attributes like the number of nodes, node speed, malicious node variation, etc. Moreover, different parameters like Packet delivery ratio, Throughput, Residual energy, and Packet dropped are considered with these attribute variations. Experimental results indicate that PDR and Throughput increase although in presence of malicious nodes, along with the utilization of minimal energy. Statistical analysis is carried out for mathematical modeling. This analysis shows that a linear model of an implemented protocol is better than compared protocol with all the aspects.
Efficient radio resource allocation scheme for 5G networks with device-to-devi...IJECEIAES
A vital technology in the next-generation cellular network is device-to-device (D2D) communication. Cellular user enabled with D2D communication provides high spectral efficiency and further increases the coverage area of the cell, especially for the end-cell users and blind spot areas. However, the implementation of D2D communication increases interference among the cellular and D2D users. In this paper, we proposed a radio resource allocation (RRA) algorithm to manage the interference using fractional frequency reuse (FFR) scheme and Hungarian algorithm. The proposed algorithm is divided into three parts. First, the FFR scheme allocates different frequency bands among the cell (inner and outer region) for both the cellular and the D2D users to reduce the interference. Second, the Hungarian weighted bipartite matching algorithm is used to allocate the resources to D2D users with the minimum total system interference, while maintaining the total system sum rate. The cellular users share the resources with more than one D2D pair. Lastly, the local search technique of swapping is used for further allocation to minimize the interference. We implemented two types of assignments, fair multiple assignment, and restricted multiple assignment. We compared our results with existing algorithms which verified that our proposed algorithm provides outstanding results in aspects like interference reduction and system sum rate. For restricted multiple assignment, 60-70% of the D2D users are allocated in average cases.
DESIGN AND IMPLEMENTATION OF A TRUST-AWARE ROUTING PROTOCOL FOR LARGE WSNSIJNSA Journal
The domain of Wireless Sensor Networks (WSNs) applications is increasing widely over the last few years. As this new type of networking is characterized by severely constrained node resources, limited network resources and the requirement to operate in an ad hoc manner, implementing security functionality to protect against adversary nodes becomes a challenging task. In this paper, we present a trust-aware, location-based routing protocol which protects the WSN against routing attacks, and also supports large-scale WSNs deployments. The proposed solution has been shown to efficiently detect and avoid malicious nodes and has been implemented in state-of-the-art sensor nodes for a real-life test-bed. This work focuses on the assessment of the implementation cost and on the lessons learned through the design, implementation and validation process.
Even in difficult places to reach, the new networking technique allows the easy deployment of sensor networks although these wireless sensor networks confront a lot of constraints. The major constraint is related to the quality of information sent by the network. The wireless sensor networks use different methods to achieve data to the base station. Data aggregation is an important one, used by these wireless sensor networks. But this aggregated data can be subject to several types of attacks and provides security is necessary to resist against malicious attacks, secure communication between severely resource constrained sensor nodes while maintaining the flexibility of the topology changes. Recently, several secure data aggregation schemes have been proposed for wireless sensor networks, it provides better security compared with traditional aggregation. In this paper, we try to focus on giving a brief statement of the various approaches used for the purpose of secure data aggregation in wireless sensor networks.
Proposed Agent Based Black hole Node Detection Algorithm for Ad-Hoc Wireless...ijcsa
A Mobile ad-hoc network (MANET) is a latest and eme
rging Research topic among researchers. The
reason behind the popularity of MANET is flexibilit
y and independence of network infrastructure. MANET
has some unique characteristic like dynamic network
topology, limited power and limited bandwidth for
communication. MANET has more challenge compare to
any other conventional network. However the
dynamical network topology of MANETs, infrastructur
e-less property and lack of certificate authority m
ake
the security problems of MANETs need to pay more at
tention. This paper represents review of layer wise
security attacks. It also discussed the issues and
challenges of mobile ad hoc network. On the importa
nce of
security issues, this paper proposed intrusion dete
ction framework for detecting network layer threats
such
as black hole attack.
Trust correlation of mobile agent nodes with a regular node in a Adhoc networ...IJECEIAES
A mobile agent offers discrete advantage both in facilitating better transmission as well as controlling the traffic load in Mobile Adhoc Network (MANET). Hence, such forms of network offers maximized dependencies on mobile agents in terms of its trust worthiness. At present, there are various work being carried out towards resisting security breach in MANET; however approaches using mobile agent based mechanism is few to found. Therefore, the proposed system introduces a novel mathematical model where an extensive decision making system has been constructed for identifying the malicious intention of mobile agents in case they go rogues. By adopting multi-tier communication policy and fairness concept, the proposed system offers the capability to resist any form of malicious activity of mobile agent without even presence of any apriori information of adversary. The outcome shows proposed system outshines existing security scheme in MANET.
THE NASH’S BALANCE IN THE THEORY OF GAMES FOR A SECURE MODEL MECHANISM IN ROU...ijcisjournal
The present work is dedicated to study attacks and countermeasure in MANET. After a short introduction to what the Mobile Ad hoc Networks (MANETs) are and network security we present a survey of various attacks in MANETs pertaining to fail routing protocols. We present the different tools used by these attacks and the mechanisms used by the secured routing protocols to counter them. We also study a mechanism of security, named the reputation, proposed for the MANETs and the protocol which implements it. We also propose a secure mechanism which is based on the reputation. Our work ends with a proposal analytical model to the modules of our mechanism and the equilibrium states of our model.
Now a day the technology is improving day by day. The wired network has been changed to wireless network. There are many advantages of wireless network over wired network. One of the main advantage is we can walk around freely in a network area and accesses internet. Security is one of the challenging issues. Intrusion Detection System is one of the systematic ways to detect malicious node in a mobile ad hoc network MANET and it is driven by battery power. This paper gives a survey on various intrusion detection systems in MANET. Praveen Mourya | Prof. Avinash Sharma ""Review on Intrusion Detection in MANETs"" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4 | Issue-2 , February 2020, URL: https://www.ijtsrd.com/papers/ijtsrd29970.pdf
Paper Url : https://www.ijtsrd.com/engineering/computer-engineering/29970/review-on-intrusion-detection-in-manets/praveen-mourya
PROACTIVE DETECTION OF DDOS ATTACKS IN PUBLISH-SUBSCRIBE NETWORKSIJNSA Journal
Abstract. Information centric networking (ICN) using architectures such as Publish-Subscribe Internet
Routing Paradigm (PSIRP) or Publish-Subscribe Internet Technology (PURSUIT) has been proposed as an
important candidate for the Internet of the future. ICN is an emerging research area that proposes a
transformation of the current host centric Internet architecture into an architecture where information
items are of primary importance. This change allows network functions such as routing and locating to be
optimized based on the information items themselves. The Bloom filter based content delivery is a sourcerouting
scheme that is used in the PSIRP/PURSUIT architectures. Although this mechanism solves many
issues of today’s Internet such as the growth of the routing table and the scalability problems, it is
vulnerable to distributed denial-of-service (DDoS) attacks. In this paper, we present a new content delivery
scheme that has the advantages of Bloom filter based approach while at the same time being able to
prevent DDoS attacks on the forwarding mechanism. Our security analysis suggests that with the proposed
approach, the forwarding plane is able to resist attacks such as DDoS with very high probability.
A trust-based authentication framework for security of WPAN using network sli...IJECEIAES
New technologies and their seamless wireless interconnectivity bring along many chal- lenges including security and privacy issues that require immediate attention. Wireless personal area networks (WPANs) are characterized by limited energy resources and computing power which call for lightweight security mechanisms in these networks as a mandatory requirement. In this paper, a lightweight trust-based framework for node authentication in WPAN is proposed. Our main objective is to minimise the effort in distinguishing valid requests of trustworthy nodes from invalid requests of malicious nodes that can result in network compromises. We achieve this through network slicing which divides the network into primary and secondary virtual networks. The proposed framework has three-fold benefits. Firstly, it authenticates nodes’ requests based on a novel method of trust value calculation. Secondly, the framework maintains energy efficiency while authenticating nodes’ requests to access WPAN resources. Finally, the framework provides a solution for the biasing problem that can arise due to unexpected behaviour of malicious users in WPANs. The framework efficacy is illustrated by using a case study to show how it can accurately capture trust relations among nodes while preventing malicious behavior.
MICRO ROTOR ENHANCED BLOCK CIPHER DESIGNED FOR EIGHT BITS MICRO-CONTROLLERS (...IJNSA Journal
The sensor network is a wireless network environment that consists of the many sensors of lightweight and
low-power. Authentication between nodes is very vital for network reliability and the integrity of
information collected by these nodes. Therefore, encryption algorithm for the implementation of reliable
sensor network environments is required to the applicable sensor network. This paper gives a new
proposed cryptosystem (MREBC) that is designed for 8 bits microcontroller systems. MREBC uses the
concept of rotor enhanced block cipher which was initially proposed by the author in [NRSC 2002] on the
first version of REBC. MREBC uses rotors to achieve two basic cryptographic operations; permutation,
and substitution. Round key is generated using rotor too, which is used to achieve ciphertext key
dependency. Rotors implemented using 8 bits successive affine transformation, which achieves memoryless,
normalized ciphertext statistics, and small processing speed trend. The strength of this system is
compared with the RIJNDAEL (AES) cipher. MREBC cipher gives excellent results from security
characteristics and statistical point of view of. communication efficiency of MREBC is compared with AES
through measuring performance by plaintext size, and cost of operation per hop according to the network
scale. Arduino microcontroller board is used to implement both MREBC, and AES in order to compare the
performance of algorithms. Authors suggests to use MREBC to implement a reliable sensor network
environments.
WEARABLE TECHNOLOGY DEVICES SECURITY AND PRIVACY VULNERABILITY ANALYSISIJNSA Journal
Wearable Technology also called wearable gadget, is acategory of technology devices with low processing
capabilities that can be worn by a user with the aim to provide information and ease of access to the master
devices its pairing with. Such examples are Google Glass and Smart watch. The impact of wearable
technology becomes significant when people start their invention in wearable computing, where their
mobile devices become one of the computation sources. However, wearable technology is not mature yet in
term of device security and privacy acceptance of the public. There exists some security weakness that
prompts such wearable devices vulnerable to attack. One of the critical attack on wearable technology is
authentication issue. The low processing due to less computing power of wearable device causethe
developer's inability to equip some complicated security mechanisms and algorithm on the device.In this
study, an overview of security and privacy vulnerabilities on wearable devices is presented.
Малоресурсная криптография - Сергей МартыненкоHackIT Ukraine
Презентация с форума http://hackit-ukraine.com/
Сергей Мартыненко
Ст.преп. кафедры комп. систем и сетей, ХАИ
Малоресурсная криптография
О спикере: Ст. преподаватель кафедры компьютерных сетей и систем. Опыт в области криптографической защиты информации и критических систем более 5 лет. Занимается защитой информации в малоресурсных системах.
THE INTERNET OF THINGS: NEW INTEROPERABILITY, MANAGEMENT AND SECURITY CHALLENGESIJNSA Journal
The Internet of Things (IoT) brings connectivity to about every objects found in the physical space. It
extends connectivity to everyday objects. From connected fridges, cars and cities, the IoT creates
opportunities in numerous domains. However, this increase in connectivity creates many prominent
challenges. This paper provides a survey of some of the major issues challenging the widespread adoption
of the IoT. Particularly, it focuses on the interoperability, management, security and privacy issues in the
IoT. It is concluded that there is a need to develop a multifaceted technology approach to IoT security,
management, and privacy.
OPTIMIZING CONGESTION CONTROL BY USING DEVICES AUTHENTICATION IN SOFTWARE-DEF...IJNSA Journal
The Internet and local networks (LAN) are essential in all organizations and aspects of our lives. These networks' performance should be at high speeds to perform efficiently. This thesis suggests several motions to improve performance. The first is a software-defined network (SDN) distinguished from traditional networks by its ability to program traffic, agility, and support for applications that need big data and virtualization. The second is to control congestion by rerouting traffic to the shortest path. Finally, to modify the above, device authentication reduces congestion and improves network performance.
HOW TO DETECT MIDDLEBOXES: GUIDELINES ON A METHODOLOGYcscpconf
Internet middleboxes such as VPNs, firewalls, and proxies can significantly change handling of traffic streams. They play an increasingly important role in various types of IP networks. If end hosts can detect them, these hosts can make beneficial, and in some cases, crucial improvements in security and performance But because middle boxes have widely varying behavior and effects on the traffic they handle, no single technique has been discovered that can detect all of them.
Devising a detection mechanism to detect any particular type of middle box interference involves many design decisions and has numerous dimensions. One approach to assist with the
complexity of this process is to provide a set of systematic guidelines. This paper is the first attempt to introduce a set of general guidelines (as well as the rationale behind them) to assist researchers with devising methodologies for end-hosts to detect middle boxes by the end-hosts. The guidelines presented here take some inspiration from the previous work of other
researchers using various and often ad hoc approaches. These guidelines, however, are mainly based on our own experience with research on the detection of middle boxes. To assist
researchers in using these guidelines, we also provide an example of how to bring them into play for detection of network compression.
How to detect middleboxes guidelines on a methodologycsandit
Internet middleboxes such as VPNs, firewalls, and proxies can significantly change handling of
traffic streams. They play an increasingly important role in various types of IP networks. If end
hosts can detect them, these hosts can make beneficial, and in some cases, crucial improvements
in security and performance But because middleboxes have widely varying behavior and effects
on the traffic they handle, no single technique has been discovered that can detect all of them.
Devising a detection mechanism to detect any particular type of middlebox interference involves
many design decisions and has numerous dimensions. One approach to assist with the
complexity of this process is to provide a set of systematic guidelines. This paper is the first
attempt to introduce a set of general guidelines (as well as the rationale behind them) to assist
researchers with devising methodologies for end-hosts to detect middleboxes by the end-hosts.
The guidelines presented here take some inspiration from the previous work of other
researchers using various and often ad hoc approaches. These guidelines, however, are mainly
based on our own experience with research on the detection of middleboxes. To assist
researchers in using these guidelines, we also provide an example of how to bring them into
play for detection of network compression
FLOODING ATTACK DETECTION AND MITIGATION IN SDN WITH MODIFIED ADAPTIVE THRESH...IJCNCJournal
Flooding attack is a network attack that sends a large amount of traffic to the victim networks or services to cause denial-of-service. In Software-Defined Networking (SDN) environment, this attack might not only breach the hosts and services but also the SDN controller. Besides, it will also cause a disconnection of links between the controller and the switches. Thus, an effective detection and mitigation technique of flooding attacks is required. Statistical analysis techniques are widely used for the detection and mitigation of flooding attacks. However, the effectiveness of these techniques strongly depends on the defined threshold. Defining the static threshold is a tedious job and most of the time produces a high false positive alarm .In this paper, we proposed the dynamic threshold which is calculated using modified adaptive threshold algorithm (MATA). The original ATA is based on the Exponential Weighted Moving Average (EWMA) formula which produces the high number of false alarms. To reduce the false alarms, the alarm signal will only be generated after a minimum number of consecutive violations of the threshold. This, however, has increased the false negative rate when the network is under attack. In order to reduce this false negative rate, MATA adapted the baseline traffic info of the network infrastructure. The comparative analysis of MATA and ATA are performed through the measurement of false negative rate, and accuracy of detection rate. Our experimental results show that MATA is able to reduce false negative rates up to 17.74% and increase the detection accuracy of 16.11%over the various types of flooding attacks at the transport layer.
IP Traceback for Flooding attacks on Internet Threat Monitors (ITM ) Using Ho...IJNSA Journal
The Internet Threat Monitoring (ITM) is an efficient monitoring system used globally to measure, detect, characterize and track threats such as denial of service (DoS) and distributed Denial of Service (DDoS) attacks and worms. . To block the monitoring system in the internet the attackers are targeted the ITM system. In this paper we address the flooding attack of DDoS against ITM monitors to exhaust the network resources, such as bandwidth, computing power, or operating system data structures by sending the malicious traffic. We propose an information-theoretic frame work that models the flooding attacks using Botnet on ITM. One possible way to counter DDoS attacks is to trace the attack sources and punish the perpetrators. we propose a novel traceback method for DDoS using Honeypots. IP tracing through honeypot is a single packet tracing method and is more efficient than commonly used packet marking techniques.
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysisijceronline
International Journal of Computational Engineering Research (IJCER) is dedicated to protecting personal information and will make every reasonable effort to handle collected information appropriately. All information collected, as well as related requests, will be handled as carefully and efficiently as possible in accordance with IJCER standards for integrity and objectivity.
As the enormous use of internet increases day by day so as security concern is also raise day by day over
the internet. In this paper we discuss the network security and its related threats and also study the types of
protocols and few issues related to protocols in computer networks. We also simulate the design of 5 node
wired network scenario, its packet drop rate analysis through TCP protocol using NS2 as a simulator.
Analyzed the performance of 5-node network when the packet is drop down by graphical method also
called as Xgraph when rate parameter is in mb and also analyzed the performance of same network by
changing the value of rate parameter at same time so no packets would drop down at same time and also
analyzed the performance by Xgraph method.
STATISTICAL QUALITY CONTROL APPROACHES TO NETWORK INTRUSION DETECTIONIJNSA Journal
In the study of network intrusion, much attention has been drawn to on-time detection of intrusion to safeguard public and private interest and to capture the law-breakers. Even though various methods have been found in literature, some situations warrant us to determine intrusions of network in real-time to prevent further undue harm to the computer network as and when they occur. This approach helps detect the intrusion and has a greater potential to apprehend the law-breaker. The purpose of this article is to formulate a method to this effect that is based on the statistical quality control techniques widely used in the manufacturing and production processes.
Threats have become a big problem since the past few years since computer viruses are widely recognized as a significant computer threat. However, the role of Information Technology security must be revisit again since it is too often, IT security managers find themselves in the hopeless situation of trying to uphold a maximum of security as requested from management. While at the same time they are considered an obstacle in the way of developing and introducing new applications into business and government network environments. This paper will focus on Transmission Control Protocol Synchronize Flooding attack detections using the Internet Protocol header as a platform to detect threats, especially in the IP protocol and TCP protocol, and check packets using anomaly detection system which has many advantages, and applied it under the open source Linux. The problem is to detect TCP SYN Flood attack through internet security. This paper also focusing on detecting threats in the local network by monitoring all the packets that goes through the networks. The results show that the proposed detection method can detect TCP SYN Flooding in both normal and attacked network and alert the user about the attack after sending the report to the administrator. As conclusion, TCP SYN Flood and other attacks can be detected through this traffic monitoring tools if the abnormal behaviors of the packets are recognized such as incomplete TCP three-way handshake application and IP header length.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Security Measure to Detect and Avoid Flooding Attacks using Multi-Agent Syste...IJECEIAES
Security is considered as one of the major challenge when it comes to infrastructure less and self dependent network without any centralized control. The vulnerability of Adhoc Network makes it susceptible to external attacks like flooding of hello messages or propagating fake routing messages etc. Such attacks generates a variety of problems like disturbing the network by flooding messages that results in waste of battery which is a vital resource to maintain the life span of the network. Most importantly cause agents to die when unable to reach destination due to fake routing messages causing a heavy loss on part of the nodes generating them to maintain the route knowledge. The paper proposes a novel technique to identify the flooding attack and measure to overcome them using Multi-Agent system
COMPARISON BETWEEN DIVERGENCE MEASURES FOR ANOMALY DETECTION OF MOBILE AGENTS...ijwmn
This paper deals with detection of SYN flooding attacks which are the most common type of attacks in a Mobile Agent World. We propose a new framework for the detection of flooding attacks by integrating Divergence measures over Sketch data structure. We compare three divergence measures (Hellinger Distance, Chi-square and Power divergence) to analyze their detection accuracy. The performance of the proposed framework is investigated in terms of detection probability and false alarm ratio. We focus on
tuning the parameter of Divergence Measures to optimize the performance. We conduct performance analysis over publicly available real IP traces, in Mobile Agent Network, integrated with flooding attacks. Our experimental results show that Power Divergence outperforms Chi-square divergence and Hellinger
distance in network anomalies detection in terms of detection and false alarm.
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEIJNSA Journal
When service system is under DDoS attacks, it is important to detect anomaly signature at starting time of attack for timely applying prevention solutions. However, early DDoS detection is difficult task because the velocity of DDoS attacks is very high. This paper proposes a DDoS attack detection method by modeling service system as M/G/R PS queue and calculating monitoring parameters based on the model in odder to early detect symptom of DDoS attacks. The proposed method is validated by experimental system and it gives good results.
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEIJNSA Journal
When service system is under DDoS attacks, it is important to detect anomaly signature at starting time of
attack for timely applying prevention solutions. However, early DDoS detection is difficult task because the
velocity of DDoS attacks is very high. This paper proposes a DDoS attack detection method by modeling
service system as M/G/R PS queue and calculating monitoring parameters based on the model in odder to
early detect symptom of DDoS attacks. The proposed method is validated by experimental system and it
gives good results.
A MECHANISM FOR EARLY DETECTING DDOS ATTACKS BASED ON M/G/R PS QUEUEIJNSA Journal
When service system is under DDoS attacks, it is important to detect anomaly signature at starting time of attack for timely applying prevention solutions. However, early DDoS detection is difficult task because the velocity of DDoS attacks is very high. This paper proposes a DDoS attack detection method by modeling service system as M/G/R PS queue and calculating monitoring parameters based on the model in odder to
early detect symptom of DDoS attacks. The proposed method is validated by experimental system and it gives good results.
Similar to USING A DEEP UNDERSTANDING OF NETWORK ACTIVITIES FOR SECURITY EVENT MANAGEMENT (20)
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Acetabularia Information For Class 9 .docxvaibhavrinwa19
Acetabularia acetabulum is a single-celled green alga that in its vegetative state is morphologically differentiated into a basal rhizoid and an axially elongated stalk, which bears whorls of branching hairs. The single diploid nucleus resides in the rhizoid.
USING A DEEP UNDERSTANDING OF NETWORK ACTIVITIES FOR SECURITY EVENT MANAGEMENT
1. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
DOI: 10.5121/ijnsa.2016.8301 1
USING A DEEP UNDERSTANDING OF NETWORK
ACTIVITIES FOR SECURITY EVENT MANAGEMENT
Mona Lange1
, Felix Kuhr2
and Ralf Möller1
1
Institute of Information Systems, Universitat zu Lubeck,
2
Technical Universitat Hamburg-Harburg, Germany
ABSTRACT
With the growing deployment of host-based and network-based intrusion detection systems in increasingly
large and complex communication networks, managing low-level alerts from these systems becomes
critically important. Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or
intrusion prevention systems (IPSs) are collected throughout a monitored network such that large series of
alerts (alert streams) need to be fused. An alert indicates an abnormal behavior, which could potentially be
a sign for an ongoing cyber attack. Unfortunately, in a real data communication network, administrators
cannot manage the large number of alerts occurring per second, in particular since most alerts are false
positives. Hence, an emerging track of security research has focused on alert correlation to better identify
true positive and false positive. To achieve this goal we introduce Mission Oriented Network Analysis
(MONA). This method builds on data correlation to derive network dependencies and manage security
events by linking incoming alerts to network dependencies.
KEYWORDS
Network Dependency Analysis, Security Event Management, Data Correlation
1. INTRODUCTION
The United States intelligence community has identified malicious actors exploiting cyberspace
as a top national security threat [15].Similarly, Dell's annual threat report states a 100% increase
in SCADA attacks [16].This report is based on analysis of data gathered by Dell's global response
intelligence defense network that consists of millions of security sensors in more than 200
countries. In our daily lives, we depend on network services in many aspects (e.g., Internet
banking, email, file sharing, medical services and smart homes).Also, enterprise networks consist
of hundreds or even thousands of network services. Network services operate on distributed sets
of clients and servers and rely on supporting network services, such as Kerberos, Domain Name
System (DNS), and Active Directory. Hence, network services need to interact with each other in
order to function correctly. Engineers use the divide-and-conquer approach and often to fulfill a
task, multiple network services are required. This allows engineers to reuse network services and
not have to re-implement complex customized ones.
Some network services are used in many other network services. We define them as supporting
network services. A failure in a supporting network service leads to a failure in many other
network services. Hence, IT administrators and IT managers are interested in knowledge about
dependencies between network services. Recent efforts have lead to different approaches for
analyzing network traffic to identify dependencies between network services.
2. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
2
For network security it is necessary to understand a distributed system's perimeters. The criticality
of a network event or alert can only be assessed, if it's implications on the monitored systems are
understood.
Traditionally, the success of security information and event management (SIEM) is determined
by the level of protection of critical network devices and applications from attackers. Critical
network devices can be routers, servers, etc. and critical applications can compromise database
management software or tools for monitoring and controlling an infrastructure. At the same time,
it is understood that the ultimate goal of SIEMs is to protect ongoing and planned missions. Using
current methods, it is virtually impossible to determine the impact of events on the attainment of
mission objectives. Do we know which mission elements are affected? A monitored network is
built with a higher-level purpose, a mission, in mind. So why not change our focus from trying to
assess how an event reflects a potential attacker’s behavior to trying to assess its impact on a
monitored network’s ongoing network activities?
1.1. Related Work
Several researches have concentrated on how to reduce the number of alerts reported by host-
based and network intrusion detection systems, intrusion prevention systems or firewalls as well
as decrease their false positive rate [17], [18], [19]. Similarity-based alert correlation approaches
rely on features to compare the similarity of two alerts or the similarity of a single alert to a
cluster of alerts. A similarity-based alert correlation approach is proposed by Cuppens et al. [20],
and Peng et al. [21], who all cluster similar alerts to discover high-level attack scenarios. Others
focus on reducing the problem of aggregating alerts into multi-step attacks to data mining
problem [22], [23] or represent and reason with operators’ preferences regarding the events and
alerts they want analyze in priority [24].Another machine learning based approach focuses on
correlating alerts according to the information in the raw alerts without using any predefined
knowledge [23]. We use a deep understanding of network activities for security event
management. To derive a deep understanding of network activities, we rely on network
dependency analysis.
Often, different network services are required to perform a single task. If at least one service fails,
the whole task could potentially fail. Sherlock [10] introduces an inference graph to represent
dependencies between network services. The dependencies are calculated using co-occurrences
between services. Co-occurrence exists, when two services are used in a defined window. Orion
[11] is another approach to identify dependencies between network services using spike detection
analysis in delay distributions of flow pairs. Two other network-based dependency analysis
approaches are NSDMiner [12] and Rippler [13]. All mentioned approaches are based on network
traffic. Rippler actively embeds communication delays in order to identify network dependencies.
Passive approaches to identifying network dependency do not need additional software on hosts
in the network and do not need any changes of applications or systems. They are analyzing
communication between network services. Sherlock and Orion are presented as host-based
approaches, but it is possible to implement them in a network-based manner without additional
software.
2. NETWORK DEPENDENCY ANALYSIS
Network dependency analysis has the purpose of identifying complex dependencies between
network service and components that may potentially be affected. The goal is to prevent
unexpected consequences. Network dependency analysis requires analyzing network flows ina
monitored infrastructure.
3. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
2.1.Network Flow
Figure 1. Before transmitting data from Initiator to Receiver a TCP connection has to be
initialized by a 3-way handshake (left figure). After data i
performed (right figure).
We conduct a network dependency analysis based on packet headers (e.g. IP, UDP and TCP) and
timing data in network traffic. Hence, our approach oper
with a 3-way handshake (SYN, SYN
with a 4-way handshake (FIN, ACK, FIN, ACK) or RST packet exchange. If network services
communicate frequently, they may forgo
KEEPALIVE messages to maintain a connection in idle
initialization of a TCP session and termination of initialized TCP session
messages to identify network flow boundaries. In comparison the notion of UDP flows is vague,
since UDP is a state- less protocol. This is due to the protocol not having well
for the start and end of a conversation between server and client. In the context of this wo
consider a stream of consecutive UDP packets between server and client as a UDP flow, if the
time difference between to consecutive packets is below a predefined threshold. In our analysis
we exclude all network packet that are necessary for establi
server and client. So given that addit
these end-to-end interactions between network service
The direct dependency between network services
SDEP = {(s
j
i, sl
k) | s
j
isends a packet to s
2.2. Network Packet
The basic building blocks of our approach are
dependent network services. A network packet is exchanged by a source and destination IP
address srcIP and dstIP via source and destination port srcPort and dstPort. In addition, a network
packet relies on a specific transport laye
transport layer protocols TCP and UDP.
We define a network packet as a 6
P = (sIP, sPort, dIP, dP ort, ψ, t),
for source IP addresses sIP , a source ports sP
dPort, a transport protocol Ψ = {UDP, TCP} and timestamps t.
2.4. Network Services
Network services hosted by network devices
all network services hosed by the network device d
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
Figure 1. Before transmitting data from Initiator to Receiver a TCP connection has to be
handshake (left figure). After data is transmitted, a TCP teardown is
We conduct a network dependency analysis based on packet headers (e.g. IP, UDP and TCP) and
ffic. Hence, our approach operates on network flows. A TCP flow starts
way handshake (SYN, SYN-ACK, ACK) between a client and a server and terminates
way handshake (FIN, ACK, FIN, ACK) or RST packet exchange. If network services
communicate frequently, they may forgo the cost of repetitive TCP handshakes by using
KEEPALIVE messages to maintain a connection in idle periods. Figure 1 represents the
initialization of a TCP session and termination of initialized TCP session. We also use these
low boundaries. In comparison the notion of UDP flows is vague,
less protocol. This is due to the protocol not having well-defined boundaries
for the start and end of a conversation between server and client. In the context of this wo
consider a stream of consecutive UDP packets between server and client as a UDP flow, if the
time difference between to consecutive packets is below a predefined threshold. In our analysis
we exclude all network packet that are necessary for establishing a communication between
server and client. So given that additional data is exchanged between network services
end interactions between network services as direct dependencies.
The direct dependency between network services s
j
iand sl
k is denoted as
sends a packet to sl
k in the period under consideration} (1)
blocks of our approach are network packets exchanged between directly
dependent network services. A network packet is exchanged by a source and destination IP
address srcIP and dstIP via source and destination port srcPort and dstPort. In addition, a network
packet relies on a specific transport layer protocol. In the context of this paper we distinguish the
transport layer protocols TCP and UDP.
We define a network packet as a 6-tuple
ψ, t),
dresses sIP , a source ports sPort, destination IP addresses dIP, destination ports
= {UDP, TCP} and timestamps t.
by network devices are related to each other. HOSTS(dj) returns a set of
all network services hosed by the network device dj. HOSTS-1(s) returns the network device
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
3
Figure 1. Before transmitting data from Initiator to Receiver a TCP connection has to be
s transmitted, a TCP teardown is
We conduct a network dependency analysis based on packet headers (e.g. IP, UDP and TCP) and
ates on network flows. A TCP flow starts
ACK, ACK) between a client and a server and terminates
way handshake (FIN, ACK, FIN, ACK) or RST packet exchange. If network services
the cost of repetitive TCP handshakes by using
1 represents the
We also use these
low boundaries. In comparison the notion of UDP flows is vague,
defined boundaries
for the start and end of a conversation between server and client. In the context of this work, we
consider a stream of consecutive UDP packets between server and client as a UDP flow, if the
time difference between to consecutive packets is below a predefined threshold. In our analysis
shing a communication between
network services, we term
in the period under consideration} (1)
changed between directly
dependent network services. A network packet is exchanged by a source and destination IP
address srcIP and dstIP via source and destination port srcPort and dstPort. In addition, a network
r protocol. In the context of this paper we distinguish the
(2)
, destination ports
) returns a set of
(s) returns the network device
4. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
4
hosting network service s. It is possible to associate network service siwith network device dj
using the notation s
j
isuch that dj =HOSTS-1(s
j
i)
2.5. Communication Histogram
Let us suppose that we are mirroring network traffic from an initial time point tmin to a time
point tmax within an IT network. We are observing network packets p ∈ P, which is defined as a
6-tuple according to Equation 2. For communicating network services, we build communication
histogram with a bin size ∆t. In the context of work we set ∆t to 1 second. The number of
histogram bins is
bins =
(tmax − tmin)
/ ∆t, (3)
given that we want to build a communication histogram for network traffic mirrored from time
point tmin to tmax with a bin size ∆t.
Given that we are monitoring a set of S network services then the data structure for all
communication histograms is defined
H : S × S × Ψ → ({0, ··· , bins − 1} → N0), (4)
where the communication histogram bins {0, ··· , bins − 1} are mapped to N0 . Now for every
network packets exchanged between directly dependent network services, assuming it was
received during the considered time period, the corresponding bin H(s, s′, ψ) in the
communication histogram is incremented. The corresponding bin in the communication
histogram is determined by (tmin − t) mod bins, (5) assuming that the network packet p contains
the time stamp t.
2.6. Indirect Dependency
Indirect dependencies are the second category of dependencies. Indirect dependencies are not
easy to identify in network traffic, as they are not as obvious as direct dependencies. A direct
dependency can be derived based on a network packet, which is exchanged by network services
hosted by network devices. It is possible to estimate indirect dependencies by using SDEP+ in a
brute force manner. This technique would overestimate indirect dependencies and does not lead
to a deeper semantic understanding of complex dependencies in networks. We are interested in a
model estimating indirect dependencies with a low rate of false positive. Therefore, we try to
identify indirect dependencies between network services by identifying similar patterns in
communication vectors of direct dependencies. There are two different types of indirect
dependencies in networks: remote-remote (RR) dependencies and local-remote (LR)
dependencies.
Example. An operator in a control center (CC) of an electrical power grid would like to send a
request to a substation’s RTU 37. First, the operator has to use human machine interface for
medium voltage substation (HMI) to specify the request and then forward it to a front end server
(FES), so that the FES sends the request to the remote terminal unit (RTU). Assuming HMI and
FES are different network devices, and the network device hosing the HMI has the name of its
FES and not the IP address. Then it is necessary that first a request is sent to the network device
hosting domain name system to get the IP address of FES. After the network device has
information about the IP address of FES it can send the operator’s request to front end server. So
there is an LR indirect dependency between network services hosted by HMI, the DNS server and
network service hosted by FES. A graphical representation is given in Figure 2.
5. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
Figure 2.Graphical representation of Example 1: Communication between HMI, DNS, FES and RTU 37.
Assuming there exist an indirect
there exist two direct dependencies:
dependency between HMI, front
consist of a communication vector N
dependency, both communication vectors have a similar pattern.
network device dl, the communication vectors are shifted by a processing delay
Processing delay τdelay is the delay between receiving a data packet and sending a new data
packet to another network service. Two d
network services fulfill the following definition.
ISDEPRR = SDEP HOST S
If network service s
j
isends data packets to network service s
network device dl and after processing delay a network service s
service so
n, we have two direct dependencies. These direct dependencies encompass four
network services and represent one RR indirect dependency.
LR indirect dependencies between network services are given, if a network service requires a
supporting network service to perform a task. Therefore, we are interested in identifying local
remote indirect dependencies, too. In Example 1, an LR indirect depend
network service of the network device hosting HMI requires DNS of another network device in
order to send its request to the FES.
ISDEPLR = SDEP HOST S
Using our definitions, there might be many potential indirect dependencies. If a network has N
network devices, theoretically the total number of potential direct dependencies between network
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
Graphical representation of Example 1: Communication between HMI, DNS, FES and RTU 37.
Assuming there exist an indirect dependency between network service s
j
i, sl
k and s
exist two direct dependencies: δ(s
j
i, sl
k) and δ(sl
m, so
n). In Example 1, this is the indirect
front-end server and remote terminal unit. Both direct dependencies
consist of a communication vector Nm for δ(s
j
i,sl
k) and δ(sl
m,so
n). Because of their
dependency, both communication vectors have a similar pattern. Due to a processing delay on
he communication vectors are shifted by a processing delay
is the delay between receiving a data packet and sending a new data
packet to another network service. Two direct dependencies define an indirect dependency
the following definition.
HOST S-1(2)=HOST S-1(1) SDEP
sends data packets to network service sl
k so that the data is processed
and after processing delay a network service sl
m sends data packets to network
, we have two direct dependencies. These direct dependencies encompass four
network services and represent one RR indirect dependency.
indirect dependencies between network services are given, if a network service requires a
supporting network service to perform a task. Therefore, we are interested in identifying local
endencies, too. In Example 1, an LR indirect dependency exists because a
network service of the network device hosting HMI requires DNS of another network device in
order to send its request to the FES.
HOST S-1(1)=HOST S-1(3) SDEP (7)
Using our definitions, there might be many potential indirect dependencies. If a network has N
network devices, theoretically the total number of potential direct dependencies between network
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
5
Graphical representation of Example 1: Communication between HMI, DNS, FES and RTU 37.
and so
n. Then,
). In Example 1, this is the indirect
t. Both direct dependencies
). Because of their indirect
a processing delay on
he communication vectors are shifted by a processing delay τdelay.
is the delay between receiving a data packet and sending a new data
indirect dependency, if the
SDEP (6)
so that the data is processed on
sends data packets to network
, we have two direct dependencies. These direct dependencies encompass four
indirect dependencies between network services are given, if a network service requires a
supporting network service to perform a task. Therefore, we are interested in identifying local-
ists because a
network service of the network device hosting HMI requires DNS of another network device in
SDEP (7)
Using our definitions, there might be many potential indirect dependencies. If a network has N
network devices, theoretically the total number of potential direct dependencies between network
6. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
services is N2 · p2, where p is the number of maximum concurrently operating services per
network device. On most operating systems this value is 65536. Therefore, the number of
potential indirect dependencies between network services could increase polynomial in networks.
Networks containing at least 125 network devices have potentially more than one billion direct
dependencies between network services. So, we need
dependencies. The idea is to consider only potential indirect dep
of being a correct indirect dependency. In our approach, we use normalized cross correlation to
calculate a similarity-value between two communication
and δ(sl
m,so
n). Both communicat
normalized cross correlation.
In Equation (8) we present the normalized cross correla
andδ(sl
m,so
n). Normalized cross correlation
(8)where the mean values of the compared communication vectors are represented by
and , respectively.
communication vectors.
In image processing, normalized cross correlation is used to correlate an image with a
Consider for example, you have a small picture of an orange and multiple larger images of fruit
bowls. Cross correlation helps you identify, if a fruit bowl contains an orange, by matching the
template to the fruit bowl image. Sometimes the
diverging between the larger image and
influence of differing brightness
Indirect dependencies between two network services have a
Furthermore, the number of exchanged
communication histograms, although they are
effect of brightness in image processi
consider the situation that two
although the communication vectors represent an indirect dependency. Communication vectors
between indirect dependencies are not
Communication delays are caused by network latency and processing delays are due to
information being processed, before being passed on.
To obtain high rates in true positive (TP
estimation, communication vectors have to be shifted against each other.
Therefore, is the period a delay or failure in network service s
service sn on device do. To reduce the potential indirect dependencies generated by 3.1.2, we
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
, where p is the number of maximum concurrently operating services per
network device. On most operating systems this value is 65536. Therefore, the number of
potential indirect dependencies between network services could increase polynomial in networks.
Networks containing at least 125 network devices have potentially more than one billion direct
dependencies between network services. So, we need a technique to reduce the number of indirect
dependencies. The idea is to consider only potential indirect dependencies with a high probability
of being a correct indirect dependency. In our approach, we use normalized cross correlation to
between two communication vector of direct dependencies
). Both communication vectors have to have the same length k to calculate the
In Equation (8) we present the normalized cross correlation for communication vectors
). Normalized cross correlationρ is derived by
where the mean values of the compared communication vectors are represented by
and are the standard deviations
In image processing, normalized cross correlation is used to correlate an image with a
Consider for example, you have a small picture of an orange and multiple larger images of fruit
bowls. Cross correlation helps you identify, if a fruit bowl contains an orange, by matching the
template to the fruit bowl image. Sometimes the brightness might differ due to
image and the template. Normalized cross correlation reduces
brightness within image and template.
Indirect dependencies between two network services have a similar pattern shift in time.
exchanged packets does not necessarily have to be
communication histograms, although they are indirectly dependent. This effect is similar to the
image processing. In our approach, we use normalized cross correlation to
consider the situation that two communication vectors diverge in the number of data packets
although the communication vectors represent an indirect dependency. Communication vectors
ect dependencies are not aligned due to communication and processing delays
Communication delays are caused by network latency and processing delays are due to
information being processed, before being passed on.
To obtain high rates in true positive (TP) and low rates in FP and FN indirect dependency
estimation, communication vectors have to be shifted against each other.
is the period a delay or failure in network service sior sk influences
. To reduce the potential indirect dependencies generated by 3.1.2, we
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
6
, where p is the number of maximum concurrently operating services per
network device. On most operating systems this value is 65536. Therefore, the number of
potential indirect dependencies between network services could increase polynomial in networks.
Networks containing at least 125 network devices have potentially more than one billion direct
ber of indirect
endencies with a high probability
of being a correct indirect dependency. In our approach, we use normalized cross correlation to
vector of direct dependenciesδ(s
j
i,sl
k)
ion vectors have to have the same length k to calculate the
tion for communication vectors δ(s
j
i,sl
k)
where the mean values of the compared communication vectors are represented by
are the standard deviations of both
In image processing, normalized cross correlation is used to correlate an image with a template.
Consider for example, you have a small picture of an orange and multiple larger images of fruit
bowls. Cross correlation helps you identify, if a fruit bowl contains an orange, by matching the
due to illumination
template. Normalized cross correlation reduces the
similar pattern shift in time.
identical two
. This effect is similar to the
. In our approach, we use normalized cross correlation to
of data packets
although the communication vectors represent an indirect dependency. Communication vectors
aligned due to communication and processing delays.
Communication delays are caused by network latency and processing delays are due to
) and low rates in FP and FN indirect dependency
(9)
influences network
. To reduce the potential indirect dependencies generated by 3.1.2, we
7. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
introduce a threshold and consider potential indirect dependency
correct identified indirect dependency if
Knowing network dependencies in a monitored
could potentially affect the overall network. For
need to be processed and linked to network dependencies.
3. ALERT PROCESSING
Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or intrusion
prevention systems (IPSs) are collected throughout a monitored network such that large series of
alerts (alert streams) need to be fused.
alerts need to be normalized before being further
processing in this fashion, the goal of low
enrichment, verification, and merging.
3.1. Alert Normalization
In the overall LLC architecture, data from the above
engine [1] for real-time data processing. Due to the heterogeneous nature of data formats
provided by probes in a distributed environment, it is necessary implement a normalization
process to allow for coherent handling o
normalization for the a electrical power grid’s communication network
SYSLOG configuration as well as the set of descriptive attributes of normalized alerts is
by the Intrusion Detection Message Exchange Format (IDME
Alerts are enriched when values for required attributes are not provided by original alert sources
such that sensible default values are inserted. After normalization and enrichment, L
with alert verification. In the following we describe details on verification, using introductory
examples with normalized alerts.
3.2. Alert Verification
Alert verification is subdivided into three parts, namely alert vulnerability verification, alert
severity verification, and alert operational impact verification. We first discuss
verification, with the central idea to relate alerts with in
the network under consideration. Vulnerabilities are available from the so
inventory, listing all monitored network devices and detected
vulnerabilities nmap and openvas pe
correlation process relies on this knowledge base to link normalized alerts to the monitored
network. Normalized alerts can have many fields and in the following we focus on special cases
in order to demonstrate central ideas using several examples.
3.2.1. Alert Vulnerability Verification
Consider, as shown in Table 1, an alert with a reference to a local exploit reported by an IDS with
the analyzer ID CEDET01IDS. Local exploits take advantage of vulnerabilities or bugs. For the
example in Table 1 we assume that an IDS (CEDET01IDS) has generated an alert referring to
CVE vulnerability (for more details regarding CVE see [3]).
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
introduce a threshold and consider potential indirect dependency (δ(s
j
i,sl
k), δ(s
correct identified indirect dependency if
es in a monitored network provides a basis for verifying how alerts
could potentially affect the overall network. For this purposes a monitored infrastructure’s
need to be processed and linked to network dependencies.
Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or intrusion
prevention systems (IPSs) are collected throughout a monitored network such that large series of
alerts (alert streams) need to be fused. As different alert streams could use different data formats,
alerts need to be normalized before being further processed. In order to implement fused alert
processing in this fashion, the goal of low-level correlation is to provide for alert normalization,
enrichment, verification, and merging.
In the overall LLC architecture, data from the above-mentioned probes are fed into a SYSLOG
time data processing. Due to the heterogeneous nature of data formats
provided by probes in a distributed environment, it is necessary implement a normalization
process to allow for coherent handling of alerts in subsequent processing steps. A
normalization for the a electrical power grid’s communication network test is realized by a
as well as the set of descriptive attributes of normalized alerts is
etection Message Exchange Format (IDMEF). For details on IDMEF see [
Alerts are enriched when values for required attributes are not provided by original alert sources
such that sensible default values are inserted. After normalization and enrichment, L
with alert verification. In the following we describe details on verification, using introductory
examples with normalized alerts.
Alert verification is subdivided into three parts, namely alert vulnerability verification, alert
severity verification, and alert operational impact verification. We first discuss
, with the central idea to relate alerts with information about known vulnerabilities for
the network under consideration. Vulnerabilities are available from the so-called network
inventory, listing all monitored network devices and detected vulnerabilities.
vulnerabilities nmap and openvas periodically scan the monitored network. The low
correlation process relies on this knowledge base to link normalized alerts to the monitored
network. Normalized alerts can have many fields and in the following we focus on special cases
onstrate central ideas using several examples.
2.1. Alert Vulnerability Verification
Consider, as shown in Table 1, an alert with a reference to a local exploit reported by an IDS with
ID CEDET01IDS. Local exploits take advantage of vulnerabilities or bugs. For the
example in Table 1 we assume that an IDS (CEDET01IDS) has generated an alert referring to
CVE vulnerability (for more details regarding CVE see [3]).
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
7
(sl
m,so
n)) as a
provides a basis for verifying how alerts
monitored infrastructure’s alerts
Probes of multiple distributed firewalls (FWs), intrusion detection systems (IDSs) or intrusion
prevention systems (IPSs) are collected throughout a monitored network such that large series of
nt alert streams could use different data formats,
order to implement fused alert
level correlation is to provide for alert normalization,
e fed into a SYSLOG
time data processing. Due to the heterogeneous nature of data formats
provided by probes in a distributed environment, it is necessary implement a normalization
f alerts in subsequent processing steps. Alert
is realized by a
as well as the set of descriptive attributes of normalized alerts is inspired
F). For details on IDMEF see [2].
Alerts are enriched when values for required attributes are not provided by original alert sources
such that sensible default values are inserted. After normalization and enrichment, LLC proceeds
with alert verification. In the following we describe details on verification, using introductory
Alert verification is subdivided into three parts, namely alert vulnerability verification, alert
severity verification, and alert operational impact verification. We first discuss vulnerability
formation about known vulnerabilities for
called network
vulnerabilities. To detect
The low-level
correlation process relies on this knowledge base to link normalized alerts to the monitored
network. Normalized alerts can have many fields and in the following we focus on special cases
Consider, as shown in Table 1, an alert with a reference to a local exploit reported by an IDS with
ID CEDET01IDS. Local exploits take advantage of vulnerabilities or bugs. For the
example in Table 1 we assume that an IDS (CEDET01IDS) has generated an alert referring to
8. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
8
Table 1. An alert issued by an IDS probe with the analyzer ID CEDET01IDS reports a local exploit.
Analyzer
ID
Alert
ID
Time Source Destination CVE ID
CEDET01I
DS
1
2016-01-24
11:02:31.20
85.1.1.8 132.8.1.5
CVE-2016-
0034
An exploit can only be successful if the respective vulnerability or bug is indeed present on the
targeted network device. Thus, alert vulnerability verification needs to check whether the
vulnerability has been detected on the targeted device by extracting respective information from
the network inventory. To continue the example, we assume that data shown in Table 2 are
available, indicating that CVE-2016-00034 is indeed associated with network device 132.8.1.5.
Table 2. Vulnerability information extracted from the network inventory.
Network Device CVE ID
132.8.1.5 CVE-2016-0034
The network inventory allows the alert vulnerability verification process to link a reported local
exploit, as shown in Table 1, to vulnerabilities detected on source or destination hosts, as shown
in Table 2.
Table 3 – A verified vulnerability alert with an added tag VULNVERIFIED.
Analyzer
ID
Alert
ID
Time Source Destination CVE ID Classification ID
CEDET0
1IDS
1
2016-01-24
11:02:31.20
85.1.1.8 132.8.1.5
CVE-2016-
0034
VULNVERIFIED
If an alert can be linked to a previously recorded vulnerability, we refer to it as a true positive
attack; otherwise it is denoted as a false negative attack. The alert vulnerability verification
process filters out false negative attacks. True positive attacks are passed on with the added
classification ID VULNVERIFIED. Table 3 shows a true positive attack alert with the added
classification ID VULNVERIFIED. In order to reduce the workload of subsequent models, in the
LLC configuration, there is an option to suppress alerts for which no vulnerability can be
identified.FW/IDS/IPS probes report on abnormal behavior occurring in a monitored network,
and not only local exploits potentially with a high impact are being detected. The level of severity
that probes assign to a reported alert is investigated by alert severity verification.
3.2.2. Alert Severity Verification
Given a sensor is certain of abnormal activity with an impact occurring, an alert with a severity
data field is issued. Should we be unable to verify an alert’s vulnerability, but there is an impact
associated with the event then we pass on the alert with an added classification ID
UNVERIFIED. An alert’s vulnerability can be unverified due to two reasons: An alert reporting
an exploit using a particular CVE ID, which the network inventory cannot be corroborated or the
network inventory detected a vulnerability on source or destination, which is not mentioned in the
alert. Consider, as shown in Table 4, for example an alert with a CVE ID “CVE-2016-0033”
severity "medium" is reported by an IDS with the analyzer ID CEDET01IDS.
9. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
9
Table 4 – An alert issued by an IDS probe with the analyzer ID CEDET01IDS reports an abnormal activity
with a severity and CVE ID.
Analyzer ID
Alert
ID
Time Source Destination CVE ID Severity
CEDET01IDS 2
2016-01-24
11:02:31.20
85.1.1.8 132.8.1.5 CVE-2016-0033 medium
CVE-2016-033 is not a vulnerability that was detected on source or destination. Hence, the alert
does not have verified vulnerability. However, given that an alert contains a severity, this alert is
passed on for further consideration with a tag "NOTVERIFIED" as shown in Table 5.
Table 5 – A verified severity alert with an added tag NOTVERIFIED.
Analyzer ID
Alert
ID
Time Source Destination Severity Classification ID
CEDET01ID
S
2
2016-01-24
11:02:31.20
85.1.1.
8
132.8.1.5 medium NOTVERIFIED
In comparison consider an alert reports a medium severity incident with no associated
vulnerability as described in Table 6.
Table 6 –An alert issued by an IDS probe with the analyzer ID CEDET01IDS reports an abnormal activity
with a severity.
Analyzer
ID
Alert ID Time Destination Source Severity
CEDET01I
DS
2
2016-01-
24
11:02:31.2
0
132.8.1.5 85.1.1.8 medium
The network inventory lists vulnerability “CVE-2016-0034” on the destination network device.
Table 7 - Vulnerability information extracted from the network inventory.
CVE ID Network Device
CVE-2016-0034 132.8.1.5
Although the vulnerability could not be verified, the medium severity incident is passed on by the
severity verification process with an added classification ID “NOTVERIFIED”.
10. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
10
Table 8 - A verified severity alert with an added tag NOTVERIFIED.
Analyzer
ID
Alert
ID
Time Source Destination Severity Classification ID
CEDET01I
DS
2
2016-01-24
11:02:31.20
85.1.1.8 132.8.1.5 medium NOTVERIFIED
3.2.4. Alert Fusion
FW/IDS/IPS alerts are reports of abnormal activities in a monitored network. As indicated above,
some alerts are clearly linked to an exploited vulnerability. However, the vast majority of alerts
are simply reports of abnormal activities in a network. Also, in 2015 the security company Check
Point reported that zero day attacks are rising [15]. Check Point discovered that organizations are
targeted by about 100 unknown malware attacks per hour. Thus, reporting a rate 50 times more
than the rate in 2013. As the vulnerabilities involved in, e.g., zero day attacks are unknown, the
attack paths up as false negatives in vulnerability based high-level online correlation.
Misconfiguration or insider attacks are another cause for false negatives. We attempt to address
these attacks by performing alert fusion. Generally, these more sophisticated attacks require prior
reconnaissance attacks, which cause FW/IDS/IPS alerts. Obviously, FW/IDS/IPS sensors
involved in the detection of abnormal activities do not report these alerts with a high confidence
of belonging to an ongoing attack. Combining multiple instances of abnormal activity reports
augment the confidence that a reconnaissance attack is currently occurring. As these alerts would
otherwise go unnoticed, alert fusion aims to reduce false negative alerts.
The purpose of alert fusion is to combine alerts that represent the same attack occurrence. The
LLC process maintains a tumbling alert based window of n alerts. The size of the alert processing
window n is computed as the averaged daily number of alerts occurring every second. On one
hand, this allows for fixed computation time within the low level correlation process (regardless
of how long the component is running), on the other hand, it must be taken into consideration that
alerts can only be fused if they are in the same window. However, the parameter n can be selected
in MONA’s configuration such that scalability and expressivity requirements can be fulfilled in a
particular context.
Duplicate Alert Fusion
The goal of alert fusion is to combine alerts representing an identical detection of the
same attack by FW/IDS/IPS sensor. A single FW/IDS/IPS sensor is able to produce
duplicate alerts, when an attack fits multiple rules. This phenomenon is also referred to as
alert splitting. Table 9 describes how an IDS sensor with an analyser ID CEDET01IDS
splits a port scan into two alerts. The LLC process performs duplicate alert fusion by
merging them into a meta-alert. The meta-alert averages the timestamp of both alerts and
combines all diverging data fields.
Table 9 – Example for merging duplicate alerts.
Analyzer
ID
Alert
ID
Time Source Destination Description
Classification
ID
CEDET0
1IDS
1
2016-01-24
11:02:31.10
85.1.1.8 132.8.1.5 Port scan
CEDET0
1IDS
2
2016-01-24
11:02:31.20
85.1.1.8 132.8.1.5 Port scan
CEDET0
1IDS
{1,2}
2016-01-24
11:02:31.15
85.1.1.8 132.8.1.5 DUBLIMERGE
11. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
11
Taking the same example of port scanning, it is possible that distinct FW/IDS/IPS sensors
detect the port scan. Given source and destination with an alert are identical, the low-
level correlation processes performs alert fusion. Assume that two distinct IDS sensors
with an analyzer id CEDET01IDS and CEDET02IDS both report a port scan. The event
correlation process performs duplicate alert fusion by merging them into a meta-alert.
The meta-alert averages the timestamp of both alerts and combines all diverging data
fields.
In Table 10 there are two port scans shown from one source (1 to n). With an appropriate
classification ID a new alert that fuses both port scan alert is generated (see the last row
in Table 10).
Table 10 –Example for merging duplicate alerts with the same source address.
Analyzer
ID
Alert
ID
Time Source Destination
Descriptio
n
Classification
ID
CEDET01
IDS
4
2016-01-24
11:02:31.10
85.1.1.8 132.8.1.4 Port scan
CEDET01
IDS
5
2016-01-24
11:02:31.20
85.1.1.8 132.8.1.5 Port scan
CEDET01
IDS
{4,5}
2016-01-24
11:02:31.15
85.1.1.8
{132.8.1.4,132.8.
1.5}
SRCMERGE
In Table 11 we show a port scans from different source to a single device. The fused alert
shown in the last row, again fusion is indicated using a specific classification ID.
Table 11 –Example for merging duplicate alerts with the same destination address.
Analyzer ID
Alert
ID
Time Source Destination Description
Classification
ID
CEDET01ID
S
6
2016-01-24
11:02:31.10
85.1.1.8 132.8.1.4 Port scan
CEDET01ID
S
7
2016-01-24
11:02:31.20
85.1.1.9 132.8.1.4 Port scan
CEDET01ID
S
{6,7}
2016-01-24
11:02:31.15
85.1.1.10 132.8.1.4 DSTMERGE
It is possible to configure LLC in such a way that original alerts are filtered and only the
meta-alerts or fused alerts are forwarded.
3.2.4. Alert Operational Impact Verification
Traditionally, the success of security information and event management (SIEM) is determined
by the level of protection of critical network devices and applications from attackers. Critical
network devices can be routers, servers, etc. and critical applications can compromise database
management software or tools for monitoring and controlling an infrastructure. In order to
understand how critical an application is for a network’s mission, a mission criticality level is
added to the network inventory. Per default, application ports that where found responding are
listed in the network inventory with a default mission criticality value low. Network operators are
12. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
able to reclassify an applications mission criticality to medium or high.
entry from the network inventory.
Table 12 –An application’s mission criticality is added to the network inventory.
CVE ID Network Device
CVE-2016-0034 132.8.1.5
CRITIC: si→ {low, medium, high}
Hence, the set of affected indirect dependencies
OPIMPACT=SCC((∀si∈S:CRITIC
where SCC denotes the strongly connected components (SCC) of the hypergraph given as
parameter (asSet maps a tuple into a set of components).
affected indirect dependencies.
Figure 3. An example for
Operational impact lists all network services and thereby devices, which are potentially affected
by a security incident reported in form of an alert.
of threat to a mission criticality is sufficient
4. EVALUATION
A test bed based on a disaster recovery site of an energy distribution network, provided
Italian water and energy distribution company, was available for testing.
metasploit [8] was used to emulate an attack on the test bed. To allow a more extended
evaluation, a synthetic data set generator was built based on the dataset
test bed. This synthetic data set generator simply replays these attack
collected in the test bed, and is
scalability analysis. Additionally, we ar
dependent network services.
4.1. Test environment
The environment used for the evaluation is following:
• Operating System: Ubuntu Release 12.04 (precise) 64
generic
• RAM: 12 GB, 1600 MHz DDR3
• 2 CPUs: Intel(R) Xeon(R) CPU E5
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
able to reclassify an applications mission criticality to medium or high. Table 12
entry from the network inventory.
application’s mission criticality is added to the network inventory.
Network Device Application Port Mission Criticality
132.8.1.5 80 High
{low, medium, high} (10)
Hence, the set of affected indirect dependencies OPIMACT is defined as
CRITIC(si),map(asSet,ISDEP))), (11)
where SCC denotes the strongly connected components (SCC) of the hypergraph given as
parameter (asSet maps a tuple into a set of components). Figure 3 gives an example for a set of
An example for indirect dependencies affected by an alert.
Operational impact lists all network services and thereby devices, which are potentially affected
by a security incident reported in form of an alert. Network operators can predetermine what level
of threat to a mission criticality is sufficient for a security incident to be reported.
based on a disaster recovery site of an energy distribution network, provided
Italian water and energy distribution company, was available for testing. To evaluate
metasploit [8] was used to emulate an attack on the test bed. To allow a more extended
evaluation, a synthetic data set generator was built based on the dataset from the attack
This synthetic data set generator simply replays these attack patterns, which
and is additionally able to provide more alerts per second for a
Additionally, we are able to replay typical network traffic patterns of
The environment used for the evaluation is following:
Operating System: Ubuntu Release 12.04 (precise) 64-bit, Kernel Linux 3.13.0
2 GB, 1600 MHz DDR3
2 CPUs: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
12
illustrates an
application’s mission criticality is added to the network inventory.
Mission Criticality
(10)
))), (11)
where SCC denotes the strongly connected components (SCC) of the hypergraph given as
Figure 3 gives an example for a set of
Operational impact lists all network services and thereby devices, which are potentially affected
Network operators can predetermine what level
based on a disaster recovery site of an energy distribution network, provided by an
To evaluate MONA,
metasploit [8] was used to emulate an attack on the test bed. To allow a more extended
from the attacks on the
patterns, which have been
able to provide more alerts per second for a
e able to replay typical network traffic patterns of
bit, Kernel Linux 3.13.0- 32-
13. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
4.2. Precision and Recall
True Positive (TP) represents the correctly identified indirect dependencies while
(FN) is the rate of correct indirect dependencies not identified.
identified indirect dependencies, which are no indirect dependencies. This leads to calculation of
precision and recall
Precision = TP / (TP + FP)
Recall = FP / (TP + FN)
4.3. Sensitivity Analysis
NSDMiner, Sherlock, and Orion
attractive TP and FN rates. Administrators and employees on their own networks provide the
respective ground truth for NSDMiner, Sherlock and Orion. As enterprise networks rely on third
parties to provide the respective ground truth
of all network dependencies. In fact, in our experiments, often network dependency analysis was
very often able to point out unknown network dependencies to administrators.
evaluation, a known ground truth
synthetic data set generator. Our
or other humans. For each indirect dependency between network services, our network generator
saves important details into a file. Hence, indirect and direct dependencies, size of network and
simulation duration of each generated network is known.
Figure 4 shows an evaluation of two networks. Delay distribution between network services of
indirect dependencies is randomly distributed between one and three seconds.
shows the average rate for networks with 100 network devices, 20 indirect dependencies and 60
additional communicating network devices. The right figure
bigger network containing 250 network devices, 140 indirect dependencies and 120 ad
communicating network devices. The x
a threshold in Orion’s approach. Orion makes use of mean+x·stdev to calculate the threshold to
classify potential indirect dependencies.
Figure 4.Comparison between MONA
(blue dotted line), Precision Orion (red line), Recall Orion (red dotted line)]. Left Figure
represents average rates for networks containing
average rates for networks containing 450 network
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
represents the correctly identified indirect dependencies while False Negative
is the rate of correct indirect dependencies not identified. False Positive (FP)
identified indirect dependencies, which are no indirect dependencies. This leads to calculation of
Recall = FP / (TP + FN)
NSDMiner, Sherlock, and Orion conduct their experiments based on network traces and
Administrators and employees on their own networks provide the
respective ground truth for NSDMiner, Sherlock and Orion. As enterprise networks rely on third
the respective ground truth, administrators cannot be certain that they are aware
of all network dependencies. In fact, in our experiments, often network dependency analysis was
very often able to point out unknown network dependencies to administrators. For a trustworthy
evaluation, a known ground truth is essential. Hence, we conducted our experiments based on the
ground-truth is not dependent on knowledge from administrators
or other humans. For each indirect dependency between network services, our network generator
saves important details into a file. Hence, indirect and direct dependencies, size of network and
simulation duration of each generated network is known.
shows an evaluation of two networks. Delay distribution between network services of
indirect dependencies is randomly distributed between one and three seconds. The left figure
rage rate for networks with 100 network devices, 20 indirect dependencies and 60
additional communicating network devices. The right figure shows the same experiment with a
bigger network containing 250 network devices, 140 indirect dependencies and 120 ad
communicating network devices. The x-axis represents the multiplication factor used to calculate
a threshold in Orion’s approach. Orion makes use of mean+x·stdev to calculate the threshold to
classify potential indirect dependencies.
Comparison between MONA and Orion [Precision NDA (blue line), Recall MONA
(blue dotted line), Precision Orion (red line), Recall Orion (red dotted line)]. Left Figure
represents average rates for networks containing 100 network-devices. Right Figure repre
average rates for networks containing 450 network-devices.
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
13
False Negative
rate contains
identified indirect dependencies, which are no indirect dependencies. This leads to calculation of
Recall = FP / (TP + FN) (10)
conduct their experiments based on network traces and present
Administrators and employees on their own networks provide the
respective ground truth for NSDMiner, Sherlock and Orion. As enterprise networks rely on third
t be certain that they are aware
of all network dependencies. In fact, in our experiments, often network dependency analysis was
For a trustworthy
is essential. Hence, we conducted our experiments based on the
truth is not dependent on knowledge from administrators
or other humans. For each indirect dependency between network services, our network generator
saves important details into a file. Hence, indirect and direct dependencies, size of network and
shows an evaluation of two networks. Delay distribution between network services of
The left figure
rage rate for networks with 100 network devices, 20 indirect dependencies and 60
shows the same experiment with a
bigger network containing 250 network devices, 140 indirect dependencies and 120 additional
axis represents the multiplication factor used to calculate
a threshold in Orion’s approach. Orion makes use of mean+x·stdev to calculate the threshold to
sion NDA (blue line), Recall MONA
(blue dotted line), Precision Orion (red line), Recall Orion (red dotted line)]. Left Figure
. Right Figure represents
14. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
For an additional experiment, we expanded the experiment to include NSDMiner and Sherlock in
addition to Orion. We compare their precision and recall rate to MONA’s.
precision and recall rate of Sherlock, Orion and MONA on varying sized networks.
4.4. Comparison with Orion
Orion focuses on local-remote indirect dependencies and is not able to identify remote
indirect dependencies. A reason
approach MONA is able to identify more complex remote
compare both approaches, our evaluation is based on local
step we generate networks containing traffic between network services using our network
generator. This leads to ground
implementation of Orion and MONA to calculate indirect dependencies identified
generated networks. Orion has a high rate of TP and a low FN rate of indirect dependencies in
networks with small delays and huge amount of network communication between indirect
dependent network services. Few
one example not fulfilling the mentioned criteria. In enterprise networks, often devices are
geographically distributed in different quarters. Therefore, delays are more spread than in
networks without geographically distributed
characteristics. Furthermore, Orion’s threshold is dependent on number of network devices and
amount of network traffic involved in indirect dependencies.
Figure 5. Comparison between NDA, Orion, N
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
For an additional experiment, we expanded the experiment to include NSDMiner and Sherlock in
addition to Orion. We compare their precision and recall rate to MONA’s. Figure 6 shows the
precision and recall rate of Sherlock, Orion and MONA on varying sized networks.
remote indirect dependencies and is not able to identify remote
for this behavior is their host-based design. Our network
approach MONA is able to identify more complex remote-remote indirect dependencies. To
compare both approaches, our evaluation is based on local-remote indirect dependencies. In a first
we generate networks containing traffic between network services using our network
generator. This leads to ground-truth and networks with different characteristics.
implementation of Orion and MONA to calculate indirect dependencies identified
generated networks. Orion has a high rate of TP and a low FN rate of indirect dependencies in
networks with small delays and huge amount of network communication between indirect
dependent network services. Few networks fulfill these criteria. Data networks of power grids are
one example not fulfilling the mentioned criteria. In enterprise networks, often devices are
geographically distributed in different quarters. Therefore, delays are more spread than in
networks without geographically distributed areas. Each connection to branch offices has its own
characteristics. Furthermore, Orion’s threshold is dependent on number of network devices and
amount of network traffic involved in indirect dependencies.
. Comparison between NDA, Orion, NSDMiner and Sherlock.
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
14
For an additional experiment, we expanded the experiment to include NSDMiner and Sherlock in
Figure 6 shows the
remote indirect dependencies and is not able to identify remote-remote
based design. Our network-based
remote indirect dependencies. To
remote indirect dependencies. In a first
we generate networks containing traffic between network services using our network
truth and networks with different characteristics. We use our
implementation of Orion and MONA to calculate indirect dependencies identified in the
generated networks. Orion has a high rate of TP and a low FN rate of indirect dependencies in
networks with small delays and huge amount of network communication between indirect
networks of power grids are
one example not fulfilling the mentioned criteria. In enterprise networks, often devices are
geographically distributed in different quarters. Therefore, delays are more spread than in
areas. Each connection to branch offices has its own
characteristics. Furthermore, Orion’s threshold is dependent on number of network devices and
15. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
Figure 6. Precision and recall between MONA, Orion and Sherlock for networks with different amount of
4.5. Performance alert processing time
As a number of low-level alerts are being fired from IDS sensors at a high
sophisticated knowledge of both networking technology and infiltration techniques is required to
understand them. IDS alert correlation system tries to solve this problem by post
alert stream from one or many IDS sensors.
the alerts with vulnerability information
seconds depends on the number of simultaneously processed alerts.
exceeds one second, we would not be able to hold that pace, should it continuously occur over
multiple time windows. The results are illustrated in Figure 2. The computation time of
simultaneously processed alerts is compared with 2 virtual CPUs and 4 virtual CPUs. Th
experiment shows that MONA’s
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
. Precision and recall between MONA, Orion and Sherlock for networks with different amount of
devices.
. Performance alert processing time
level alerts are being fired from IDS sensors at a high pace, a fairly
sophisticated knowledge of both networking technology and infiltration techniques is required to
understand them. IDS alert correlation system tries to solve this problem by post-processing the
m from one or many IDS sensors. They goal is to aggregate low-level alert and enrich
the alerts with vulnerability information. Assuming a time-based system, the processing time in
seconds depends on the number of simultaneously processed alerts. If the alert processing time
nd, we would not be able to hold that pace, should it continuously occur over
The results are illustrated in Figure 2. The computation time of
simultaneously processed alerts is compared with 2 virtual CPUs and 4 virtual CPUs. Th
experiment shows that MONA’s algorithm is parallelizable.
Figure 7.Alert processing time.
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
15
. Precision and recall between MONA, Orion and Sherlock for networks with different amount of
pace, a fairly
sophisticated knowledge of both networking technology and infiltration techniques is required to
processing the
level alert and enrich
based system, the processing time in
If the alert processing time
nd, we would not be able to hold that pace, should it continuously occur over
The results are illustrated in Figure 2. The computation time of
simultaneously processed alerts is compared with 2 virtual CPUs and 4 virtual CPUs. This
16. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
4.6. Performance network dependency analysis
The network dependency analysi
network dependency in a network containing 100 devices and 50 communicating network
services. Computing network dependencies requires generating potential indirect dependencies
and analyzing whether these indirect dependencies
network devices affect the performance, we conducted the same experiment with a network
containing 900 network devices. The results of this evaluation are shown in
the number of network devices d
Figure 8. Network dependency analysis in
Figure 9. Network dependency analysis in a network containing 900 network devices.
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
Performance network dependency analysis
The network dependency analysis is conducted offline. Figure 8 evaluates the performance of
network dependency in a network containing 100 devices and 50 communicating network
services. Computing network dependencies requires generating potential indirect dependencies
whether these indirect dependencies actually exist. To assess, whether more
network devices affect the performance, we conducted the same experiment with a network
containing 900 network devices. The results of this evaluation are shown in Figure 9, revealing
the number of network devices does not affect the performance of network dependency analysis.
Network dependency analysis in a network containing 100 network devices.
. Network dependency analysis in a network containing 900 network devices.
International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
16
evaluates the performance of
network dependency in a network containing 100 devices and 50 communicating network
services. Computing network dependencies requires generating potential indirect dependencies
To assess, whether more
network devices affect the performance, we conducted the same experiment with a network
Figure 9, revealing
oes not affect the performance of network dependency analysis.
a network containing 100 network devices.
. Network dependency analysis in a network containing 900 network devices.
17. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
17
5. CONCLUSIONS
We have demonstrated a novel approach to security event management based on a deeper
understanding of network activities. This deeper understanding was derived based on network
dependency analysis. Network dependency analysis enables deriving a deeper understanding of
network activities and leverages well data-communication networks with different numbers of
network devices and indirect dependencies. A heuristic evaluation based on a synthetic data
generator compares the precision of our proposed approach to other network dependency discover
methodologies. In addition to aggregating alerts with similar characteristics occurring in the same
time window, we extend network dependencies in order to derive the operational impact of
alerts.The proposed frame is able to link network dependencies with security events and thereby
assesses a security event’s impact on ongoing network activities.
REFERENCES
[1] Budai, László, https://www.balabit.com/network-security/syslog-ng, last accessed on 21/03/2016.
[2] Debar, Hervé, David A. Curry, and Benjamin S. Feinstein, "The intrusion detection message
exchange format (IDMEF)." (2007).
[3] Common Vulnerabilities and Exposures, https://www.cve.mitre.org, last accessed on 26/02/2016.
[4] Check Point Security Report, https://www.checkpoint.com/resources/2015securityreport/CheckPoint-
2015-SecurityReport.pdf, 2015.
[5] Mona Lange, Ralf Moeller, Gregor Lang and Felix Kuhr, Event Prioritization and Correlation based
on Pattern Mining Techniques, ICMLA, 2015.
[6] Technical Report, Mona Lange, Felix Kuhr, Ralf Moeller, Using a Deep Understanding of Network
Activities for Network Vulnerability Assessment, 2016.
[7] Metasploit, https://www.metasploit.com, last accessed on 26/02/2016.
[8] Michael Larsen and Fernando Gont. Recommendations for transport-protocol port randomization.
2011.
[9] ParamvirBahl, Paul Barham, Richard Black, Ranveer Chandra, MoisesGoldszmidt, Rebecca Isaacs,
SrikanthKandula, Lun Li, John MacCormick, David A Maltz, et al. Discovering dependencies for
network management. In ACM SIGCOMM 5th Workshop on Hot Topics in Networks (Hotnets-V),
pages 97–102. ACM, 2006.
[10] Xu Chen, Ming Zhang, Zhuoqing Morley Mao, and ParamvirBahl. Automating net- work application
dependency discovery: Experiences, limitations, and new solutions. In OSDI, volume 8, pages 117–
130, 2008.
[11] ArunNatarajan, Peng Ning, Yao Liu, SushilJajodia, and Steve E Hutchinson. NS- DMiner: Automated
discovery of network service dependencies. IEEE, 2012.
[12] Ali Zand, Giovanni Vigna, Richard Kemmerer, and Christopher Kruegel. Rippler: Delay injection for
service dependency detection. In INFOCOM, 2014 Proceedings IEEE, pages 2157–2165. IEEE, 2014.
2.2, 4.2.4
[13] Check Point Security Report, https://www.checkpoint.com/resources/
2015securityreport/CheckPoint-2015-SecurityReport.pdf, 2015, last accessed on 26/02/2016.
[14] J. R. Clapper. Statement for the record, worldwide threat assessment of the US intelligence
community.https://www.dni.gov/index.php/newsroom/testimonies/209- congressional-testimonies-
2015/1174-statement-for-the- record-worldwide-threat-assessment-of-the-u-s-ic- before-the-sasc,
2014.
[15] D. Inc. Dell security annual threat report.https://software.dell.com/docs/2015-dell-security- annual-
threat-report-white-paper-15657.pdf, 2015.
[16] B. Morin, L. M ́e, H. Debar, and M. Ducass ́e. M2D2: A formal data model for IDS alert correlation.
In Recent Advances in Intrusion Detection, pages 115– 137. Springer, 2002.
[17] T. Pietraszek. Using adaptive alert classification to reduce false positives in intrusion detection. In
Recent Advances in Intrusion Detection, pages 102– 124. Springer, 2004.
[18] R. Smith, N. Japkowicz, M. Dondo, and P. Mason. Using unsupervised learning for network alert
correlation. In Advances in Artificial Intelligence, pages 308–319. Springer, 2008.
18. International Journal of Network Security & Its Applications (IJNSA) Vol.8, No.3, May 2016
18
[19] F. Cuppens and A. Miege. Alert correlation in a cooperative intrusion detection framework. In
Security and Privacy, 2002. Proceedings. 2002 IEEE Symposium on, pages 202–215. IEEE, 2002.
[20] X. Peng, Y. Zhang, S. Xiao, Z. Wu, J. Cui, L. Chen, and D. Xiao. An alert correlation method based
on improved cluster algorithm. In Computational Intel- ligence and Industrial Application,
2008.PACIIA’08. Pacific-Asia Workshop on, volume 1, pages 342–347. IEEE, 2008.
[21] H. Farhadi, M. AmirHaeri, and M. Khansari. Alert correlation and prediction using data mining and
HMM.The ISC International Journal of Information Security, 3(2), 2015.
[22] M. GhasemiGol and A. Ghaemi-Bafghi. E-correlator: an entropy-based alert correlation system.
Security and Communication Networks, 8(5):822–836, 2015.
[23] K. Tabia, S. Benferhat, P. Leray, and L. M ́e. Alert correlation in intrusion detection: Combining AI-
based approaches for exploiting security operators’ knowledge and preferences. In Security and
Artificial Intelligence (SecArt), page NC, 2011.