Integrated Innate and Adaptive Artificial Immune Systems Applied to Process Anomaly Detection
2007
Abstract
Cited by 24 (5 self)
This thesis explores the design and application of artificial immune systems (AISs), problem-solving systems inspired by the human and other immune systems. AISs to date have largely been modelled on the biological adaptive immune system and have taken little inspiration from the innate immune system. The first part of this thesis examines the biological innate immune system, which controls the adaptive immune system. The importance of the innate immune system suggests that AISs should also incorporate models of the innate immune system as well as the adaptive immune system. This thesis presents and discusses a number of design principles for AISs which are modelled on both innate and adaptive immunity. These novel design principles provided a structured framework for developing AISs which incorporate innate and adaptive immune systems in general. These design principles are used to build a software system which allows such AISs to be implemented and explored.
Sequence Alignment for Masquerade Detection
Abstract
Cited by 10 (0 self)
The masquerade attack, where an attacker takes on the identity of a legitimate user to maliciously utilize that user’s privileges, poses a serious threat to the security of information systems. Such attacks completely undermine traditional security mechanisms due to the trust imparted to user accounts once they have been authenticated. Many attempts have been made at detecting these attacks, yet achieving high levels of accuracy remains an open challenge. In this paper, we discuss the use of a specially tuned sequence alignment algorithm, typically used in bioinformatics, to detect instances of masquerading in sequences of computer audit data. By using the alignment algorithm to align sequences of monitored audit data with sequences known to have been produced by the user, the alignment algorithm can discover areas of similarity and derive a metric that indicates the presence or absence of masquerade attacks. Additionally, we present several scoring systems, methods for accommodating variations in user behavior, and heuristics for decreasing the computational requirements of the algorithm. Our technique is evaluated against the standard masquerade detection dataset provided by Schonlau et al. [14, 13], and the results show that the use of the sequence alignment technique provides, to our knowledge, the best results of all masquerade detection techniques to date.
Effective Anomaly Detection with Scarce Training Data
Abstract
Cited by 6 (0 self)
Learning-based anomaly detection has proven to be an effective black-box technique for detecting unknown attacks. However, the effectiveness of this technique crucially depends upon both the quality and the completeness of the training data. Unfortunately, in most cases, the traffic to the system (e.g., a web application or daemon process) protected by an anomaly detector is not uniformly distributed. Therefore, some components (e.g., authentication, payments, or content publishing) might not be exercised enough to train an anomaly detection system in a reasonable time frame. This is of particular importance in real-world settings, where anomaly detection systems are deployed with little or no manual configuration, and they are expected to automatically learn the normal behavior of a system to detect or block attacks. In this work, we first demonstrate that the features utilized to train a learning-based detector can be semantically grouped, and that features of the same group tend to induce similar models. Therefore, we propose addressing local training data deficiencies by exploiting clustering techniques to construct a knowledge base of well-trained models that can be utilized in case of undertraining. Our approach, which is independent of the particular type of anomaly detector employed, is validated using the realistic case of a learning-based system protecting a pool of web servers running several web applications such as blogs, forums, or Web services. We run our experiments on a real-world data set containing over 58 million HTTP requests to more than 36,000 distinct web application components. The results show that by using the proposed solution, it is possible to achieve effective attack detection even with scarce training data.
Detecting Motifs in System Call Sequences
In Proceedings of the 8th International Workshop on Information Security Applications (WISA 2007), 2007
Abstract
Cited by 3 (2 self)
The search for patterns or motifs in data represents an area of key interest to many researchers. In this paper we present the Motif Tracking Algorithm (MTA), a novel immune-inspired pattern identification tool that is able to identify unknown motifs which repeat within time series data. The power of the algorithm is derived from its use of a small number of parameters with minimal assumptions. The algorithm searches from a completely neutral perspective that is independent of the data being analysed and the underlying motifs. In this paper the motif tracking algorithm is applied to the search for patterns within sequences of low-level system calls between the Linux kernel and the operating system's user space. The MTA is able to compress data found in large system call data sets to a limited number of motifs which summarise that data. The motifs provide a resource from which a profile of executed processes can be built. The potential for these profiles and new implications for security research are highlighted. A higher-level system call language for measuring similarity between patterns of such calls is also suggested.
Ensemble Extraction for Classification and Detection of Bird Species
Abstract
Cited by 1 (0 self)
Advances in technology have enabled new approaches for sensing the environment and collecting data about the world. Once collected, sensor readings can be assembled into data streams and transmitted over computer networks for storage and processing at observatories or to evoke an immediate response from an autonomic computer system. However, such automated collection of sensor data produces an immense quantity of data that is time consuming to organize, search and distill into meaningful information. In this paper, we explore the design and use of distributed pipelines for automated processing of sensor data streams. In particular, we focus on the detection and extraction of meaningful sequences, called ensembles, from acoustic data streamed from natural areas. Our goal is automated detection and classification of various species of birds.
AN EVALUATION OF MACHINE LEARNING TECHNIQUES IN INTRUSION DETECTION
2007
Abstract
I would like to thank Gabor Karsai, my advisor, for all of his help on this project. Our discussions on intrusion detection and machine learning techniques allowed me to recognize areas I had overlooked and pointed out interesting areas to explore. I would also like to thank Dr. Fisher, my second reader, for his input on the experiments and thesis background. I would like to thank Eric Hall for the information he provided me on network topology. In addition, Bradley Malin gave me many useful suggestions on evaluation methods such as ROC curves and cost curves. I would also like to thank those that attended my pizza lecture who asked questions and gave comments. In addition, I would like to thank Sean Duncavage for his comments about neural networks. This research was supported by a Graduate Assistantship sponsored by NASA and an NSF grant.
Machine Learning for Host-based Anomaly Detection
2008
Abstract
Anomaly detection techniques complement signature-based methods for intrusion detection. Machine learning approaches are applied to anomaly detection for automated learning and detection. Traditional host-based anomaly detectors model system call sequences to detect novel attacks. This dissertation makes four key contributions to detecting host anomalies. First, we present an unsupervised approach to clean training data using novel representations for system call sequences. Second, supervised learning with system call arguments and other attributes is proposed for enriched modeling. Third, techniques to increase model coverage for improved accuracy are presented. Fourth, we propose spatio-temporal modeling to detect suspicious behavior for mobile hosts. Experimental results on various data sets indicate that our techniques are more effective than traditional methods in capturing attack-based host anomalies. Additionally, our supervised methods create succinct models, and the computational overhead incurred is reasonable for an online anomaly detection system.
An Improved Semi-Global Alignment Algorithm for Masquerade Detection
2009
Abstract
Masquerading is a security attack in which an intruder assumes the identity of a legitimate user. The semi-global alignment algorithm has been the best-known dynamic sequence alignment algorithm for detecting masqueraders. Although the algorithm performs better than other pair-wise sequence alignment algorithms such as local and global alignment, its false positive and false negative rates have not been reduced to the barest minimum. Many previous works on masquerade detection using sequence alignment have had difficulty choosing the scoring system on which the algorithms base their optimal scores. Hence, they resorted to assuming (or picking) a set of scores which they referred to as a unique scoring function for their experiment. In this work, an improved semi-global alignment called the Cross-semiglobal algorithm is designed to improve the efficiency of masquerade detection. In the previous pair-wise algorithms, a fixed value is always assumed as the gap score. In the Cross-semiglobal algorithm, the scoring function on which the algorithm bases its scores is constructed from legitimate users' sequences of commands. This principle was implemented using a platform-independent C/C++ framework. The design was tested using systematically generated ASCII-coded sequence audit data from Windows and UNIX operating systems as simulations of standard non-intrusive and intrusion data. The result shows a reduction in false positive rate from 7.7% using semi-global alignment to 5.4% using cross-semiglobal. The detection efficiency was also improved by 7.7%.