ICloud: An intrusion detection and dynamic defense mechanism for cloud environments

Similar Papers
  • Conference Article
  • Cited by: 27
  • DOI: 10.1145/1410308.1410318
Mechanisms for database intrusion detection and response
  • Jun 13, 2008
  • Ashish Kamra + 2 more

Data represent today a valuable asset for companies and organizations and must be protected. Most of an organization's sensitive and proprietary data resides in a Database Management System (DBMS). The focus of this thesis is to develop advanced security solutions for protecting the data residing in a DBMS. Our strategy is to develop an Intrusion Detection (ID) mechanism, implemented within the database server, that is capable of detecting anomalous user requests to a DBMS. The key idea is to learn profiles of users and applications interacting with a database. A database request that deviates from these profiles is then termed as anomalous. A major component of this work involves prototype implementation of this ID mechanism in the PostgreSQL database server. We also propose to augment the ID mechanism with an Intrusion Response engine that is capable of issuing an appropriate response to an anomalous database request.

  • Book Chapter
  • Cited by: 3
  • DOI: 10.1007/978-3-030-49342-4_10
Distributed Architecture of Snort IDS in Cloud Environment
  • Aug 15, 2020
  • Mondher Essid + 2 more

Intrusion Detection System (IDS) is the most used mechanism for intrusion detection. Traditional IDS have been used to detect suspicious behaviors in network communication and hosts. However, with the evolution of Intrusion detection datasets size, we faced a new challenge which is storing those large datasets in Cloud Infrastructure and analyzing datasets traffic using Big data technology. Furthermore, some Cloud providers allow deploying and configuring IDS for the user.

  • Research Article
  • Cited by: 10
  • DOI: 10.14569/ijarai.2014.031006
A real time OCSVM Intrusion Detection module with low overhead for SCADA systems
  • Jan 1, 2014
  • International Journal of Advanced Research in Artificial Intelligence
  • Leandros A + 1 more

In this paper we present an intrusion detection module capable of detecting malicious network traffic in a SCADA (Supervisory Control and Data Acquisition) system. Malicious data in a SCADA system disrupt its correct functioning and tamper with its normal operation. OCSVM (One-Class Support Vector Machine) is an intrusion detection mechanism that does not need any labeled data for training or any information about the kind of anomaly it is expecting for the detection process. This feature makes it ideal for processing SCADA environment data and automating SCADA performance monitoring. The OCSVM module developed is trained offline on network traces and detects anomalies in the system in real time. In order to decrease the overhead induced by communicated alarms we propose a new detection mechanism that is based on the combination of OCSVM with a recursive k-means clustering procedure. The proposed intrusion detection module K-OCSVM is capable of distinguishing severe alarms from possible attacks regardless of the values of parameters and , making it ideal for real-time intrusion detection mechanisms for SCADA systems. The most severe alarms are then communicated with the use of IDMEF files to an IDS (Intrusion Detection System) that is developed under the CockpitCI project. Alarm messages carry information about the source of the incident, the time of the intrusion and a classification of the alarm.

  • Research Article
  • Cited by: 153
  • DOI: 10.1109/jsyst.2013.2257594
Intrusion Detection in Cyber-Physical Systems: Techniques and Challenges
  • Dec 1, 2014
  • IEEE Systems Journal
  • Song Han + 3 more

Cyber-physical systems (CPSs) integrate the computation with physical processes. Embedded computers and networks monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa. CPS was identified as one of the eight research priority areas in the August 2007 report of the President's Council of Advisors on Science and Technology, as CPS will be the core component of many critical infrastructures and industrial control systems in the near future. However, a variety of random failures and cyber attacks exist in CPS, which greatly restrict their growth. Fortunately, an intrusion detection mechanism could take effect for protecting CPS. When a misbehavior is found by the intrusion detector, the appropriate action can be taken immediately so that any harm to the system will be minimized. As CPSs are yet to be defined universally, the application of the intrusion detection mechanism remains open presently. As a result, the effort will be made to discuss how to appropriately apply the intrusion detection mechanism to CPS in this paper. By examining the unique properties of CPS, it intends to define the specific requirements first. Then, the design outline of the intrusion detection mechanism in CPS is introduced in terms of the layers of system and specific detection techniques. Finally, some significant research problems are identified for enlightening the subsequent studies.

  • Book Chapter
  • DOI: 10.1007/978-3-030-39875-0_25
Intrusion Detection and Prevention Mechanism Implemented Using NS-2 Based on State Context and Hierarchical Trust in WSNs
  • Jan 1, 2020
  • Abhishek Vyas + 1 more

Wireless Sensor Networks are ubiquitous. The use of WSN saves a lot of man-power and instrumentation for a lot of healthcare and especially industrial applications. This paper describes the work done on securing cluster based WSNs using an IDP mechanism. An Intrusion Detection and Prevention Mechanism is proposed here based on State Context and Hierarchical Trust in cluster based WSNs. An IDP system will prevent and detect attacks on WSN nodes before they happen and jeopardize the whole network. The paper proposes a system which is flexible and is suitable for the WSNs that are constantly changing, characterized by changes in their perceptual environment, transitions of state of nodes and variation in trust value. A multilevel 2-tier hierarchical trust mechanism at the level of SNs and CHs evaluated on the basis of interactive trust, honesty trust and content trust is put forward, which is a combination of direct evaluation and feed-back based evaluation in the fixed-hop range. The calculation of interactive trust and honesty trust is done based on the interaction and behavior of the sensor nodes during routing, while the calculation of content trust is done based on the deviation of data transferred with respect to the rest of the members in the cluster during data aggregation. CHs evaluate the trust of the cluster member SNs, while the trust of the CH is evaluated by its neighboring SNs. When the trust evaluation process is done, then the data from low trust cluster members are avoided. Forwarding of data through low trust cluster members is avoided. Initially the attacker node tries to communicate to the rest of the nodes via fake control messages for getting itself elected to the level of CH. The mechanism proposed here in this paper will not only prevent the attacker node but also reduce the overall resource overhead while improving network performance. This paper tries to give its small contribution in the security of cluster based WSNs using IDP mechanisms.

  • Conference Article
  • DOI: 10.1109/icimp.2010.21
Constructing Communication Profiles by Clustering Selected Network Traffic Attributes
  • Jan 1, 2010
  • Olli Knuuti + 6 more

Large-scale IP networks cause special challenges to the security. The network consists of a large number of devices with a vast variety of traffic behavior. Implementation of the intrusion detection and monitoring mechanisms is often ineffective or requires a lot of hardware and human resources. In this paper we present a methodology to construct communication profiles by making a time series and clusters from selected network attributes. Using the method we can divide the network devices into different groups by their traffic behavior even if we don't know the role of each device or the network topology. The most appropriate intrusion detection or monitoring mechanisms can be assigned to each device according to its profile. It is also possible to monitor the changes in the devices' behavior by inspecting their changes from one constructed profile cluster to another. The changes between different profiles can be considered abnormal or common variation in the usage.

  • Research Article
  • Cited by: 47
  • DOI: 10.1016/j.adhoc.2007.11.004
Friend-assisted intrusion detection and response mechanisms for mobile ad hoc networks
  • Nov 23, 2007
  • Ad Hoc Networks
  • S.A Razak + 3 more

  • Research Article
  • Cited by: 7
  • DOI: 10.1155/2022/4996427
Privacy-Enhanced Intrusion Detection and Defense for Cyber-Physical Systems: A Deep Reinforcement Learning Approach
  • Oct 10, 2022
  • Security and Communication Networks
  • Qingyuan Lin + 3 more

Cyber-physical systems (CPSs) will play an important role in future real-world applications through the deep integration of computing, communication, and control technologies. CPSs are increasingly deployed in critical infrastructure, industry, and homes to achieve a smart grid, smart transportation, and smart healthcare and to bring many benefits to citizens, businesses, and governments. However, the openness and complexity brought by network and wireless communication technology, as well as the intelligence and dynamic of network intrusions make CPS more vulnerable to network intrusions and bring more serious threats to human life, enterprise productivity, and national security. Therefore, intrusion detection and defense in CPS have attracted considerable attention and have become a fundamental aspect of CPS security. However, a new challenging problem arises: how to improve the efficiency and accuracy of intrusion detection while protecting user privacy during the intrusion detection process. To address this challenge, we propose a deep reinforcement learning-based privacy-enhanced intrusion detection and defense mechanism (PIDD) for CPS. The PIDD is composed of three modules: privacy-enhanced topology graphs generation module, graph convolutional networks-based user evaluation module, and the deep reinforcement learning-based intruder identification and handling module. The experimental results show that the proposed PIDD achieves excellent performance in intrusion detection accuracy, intrusion defense percentage, and privacy protection.

  • Conference Article
  • DOI: 10.1109/ats56056.2022.00028
Intrusion Detection and Obfuscation Mechanism for PUF-Based Authentication
  • Nov 1, 2022
  • Sying-Jyan Wang + 3 more

Physical Unclonable Functions (PUF) provide a lightweight secure primitive. However, it is well known that PUFs are vulnerable to machine learning based modeling attacks (MA). A lot of effort has been devoted to developing MA-resistant PUFs, while MA techniques are also evolving. In this paper, we propose to protect PUF-based authentication systems by providing an intrusion detection mechanism. By replacing some responses with check information known only to the server and the PUF, any attacks will trigger alerts to the server. The proposed method provides an active protection mechanism so that the verifier can initiate an intrusion detection process to determine whether the prover is an attacker in disguise. In this way, the proposed method can provide an early alert so as to achieve another layer of protection. Experimental results show that the proposed mechanism can effectively provide alerts after PUFs are attacked.

  • Conference Article
  • Cited by: 27
  • DOI: 10.1109/ias.2009.124
Intrusion Detection Based on One-class SVM and SNMP MIB Data
  • Aug 1, 2009
  • Cui-Mei Bao

To rapidly detect attacks and properly respond, a lightweight and fast detection mechanism for traffic flooding attacks is proposed, which uses SNMP MIB statistical data gathered from SNMP agents, instead of raw packet data from network links, and a machine learning approach based on a Support Vector Machine (SVM) for attack classification. The involved SNMP MIB variables are selected by an effective feature selection mechanism and gathered effectively by the MIB update time prediction mechanism. Using MIB and SVM, it achieved fast detection with high accuracy, the minimization of the system burden, and extendibility for system deployment. The intrusion detection mechanism with hierarchical structure setup has two phases, which first distinguishes attack traffic from normal traffic and then determines the type of attacks in detail. Results of the experiment using MIB datasets collected from real experiments involving a DDoS attack demonstrate that it can be an effective way for intrusion detection. The network attacks are detected with high efficiency, and classified with low false alarms.

  • Research Article
  • Cited by: 23
  • DOI: 10.1016/j.engappai.2022.105760
An intelligent intrusion detection and performance reliability evaluation mechanism in mobile ad-hoc networks
  • Dec 26, 2022
  • Engineering Applications of Artificial Intelligence
  • Mahendra Prasad + 2 more

  • Conference Article
  • DOI: 10.1109/csew.2008.70
Applying Computational Grids for Enhancing Intrusion Detection Systems
  • Jul 1, 2008
  • Hermes Senger + 1 more

This paper proposes the use of grid computing platforms as an enabling technology for the implementation of a pervasive infrastructure which aims at improving the efficiency and effectiveness in the containment of network attacks. First, we identify a set of requirements and design principles for the construction of new intrusion detection systems. Then, we present a set of grid capabilities and features which are fundamental for the implementation of new intrusion detection and response systems. As a contribution, we show how a grid-based collaborative environment can be employed in the production, delivery, and use of knowledge and mechanisms for intrusion detection and containment. Such an environment provides a laboratory for the development of security resources (signatures, software patches, informative texts, logs, and others), augmented by a digital library capable of supporting the efficient storage, manipulation, and deployment of such resources. As the main result of this work, the efficiency and effectiveness of mechanisms and strategies can be enhanced.

  • Conference Article
  • Cited by: 366
  • DOI: 10.1145/1089761.1089765
Decentralized intrusion detection in wireless sensor networks
  • Oct 13, 2005
  • Ana Paula R Da Silva + 5 more

Wireless sensor networks (WSNs) have many potential applications. Furthermore, in many scenarios WSNs are of interest to adversaries and they become susceptible to some types of attacks since they are deployed in open and unprotected environments and are constituted of cheap small devices. Preventive mechanisms can be applied to protect WSNs against some types of attacks. However, there are some attacks for which there are no known prevention methods. For these cases, it is necessary to use some mechanism of intrusion detection. Besides preventing the intruder from causing damage to the network, the intrusion detection system (IDS) can acquire information related to the attack techniques, helping in the development of prevention systems. In this work we propose an IDS that fits the demands and restrictions of WSNs. Simulation results reveal that the proposed IDS is efficient and accurate in detecting different kinds of simulated attacks.

  • Book Chapter
  • Cited by: 4
  • DOI: 10.1007/978-3-031-05491-4_15
Fuzzy C-Means Based Feature Selection Mechanism for Wireless Intrusion Detection
  • Nov 30, 2022
  • Chinyang Henry Tseng + 2 more

Wireless network devices are growing rapidly and the security of these devices is quite crucial. Attackers employ new techniques and methods to deceive the system and to take the most important information. An intrusion detection model is required to monitor wireless security breaches when the prevention methods in the preparation phase are passed. It is critical to have an automatic detection policy in place to respond to network threats as quickly as feasible. In this study, we propose a Fuzzy C-Means (FCM) based feature selection mechanism for wireless intrusion detection. The proposed mechanism utilizes the distance between the FCM center point and the data point, calculates the difference of normal and attack center distances, and adopts the distances to select the features. We evaluate the algorithm with the benchmark Aegean Wi-Fi Intrusion Dataset (AWID), and the results show an impressive accuracy for the binary detection of flooding, impersonation and injection attacks.

  • Conference Article
  • Cited by: 2
  • DOI: 10.1109/cns.2016.7860540
A quantitative risk assessment framework for adaptive Intrusion Detection in the cloud
  • Oct 1, 2016
  • Luan Huy Pham + 2 more

Cloud computing has significantly transformed the way businesses and governments approach information technology. Although the shift to cloud computing has brought many benefits in terms of cost and efficiency, new security challenges have emerged. A recent study has identified a number of critical security issues for cloud, including advanced persistent threats, malicious insiders, and data breaches. In general, cyber threats have become more sophisticated and malicious actors have devised a variety of different tools to circumvent traditional defenses. Intrusion Detection Systems have been traditionally employed to mitigate these threats by attempting to identify the onset of malicious activities. However, Intrusion Detection Systems are often monolithic solutions that offer very little flexibility in dynamic environments where resources can be elastically provisioned and deprovisioned and defensive priorities and threats can change over time and across different subsystems. To address these limitations and develop a principled approach to elastically deploy intrusion detection capabilities, we propose a quantitative risk assessment framework to enable defenders to deploy fine-grained intrusion detection mechanisms across network domains so as to minimize overall risk to the network infrastructure while prioritizing defensive objectives. Simulation results confirm that our approach can efficiently and effectively reduce risk by selectively deploying intrusion detection mechanisms that address current priorities. With its lightweight architectural design, this framework serves as the foundation for an adaptive approach to intrusion detection in the cloud.