
2006 IEEE Information Assurance Workshop: Latest Publications

The Usage-Centric Security Requirements Engineering (USeR) Method
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652074
N. Hallberg, J. Hallberg
This paper presents an approach for extracting security requirements from early design specifications. An increasing part of the communication and sharing of information in our society utilizes electronic media. Many organizations, especially distributed and Net-centric ones, are entirely dependent on well-functioning information systems. Thus, IT security is becoming central to the ability to fulfill business goals, build trustworthy systems, and protect assets. In order to develop systems with adequate security features, it is essential to capture the corresponding security needs and requirements. The main objective of this paper is to present and illustrate the use of a method for extracting security needs from textual descriptions of general requirements of information systems, and to transform these needs into security requirements and security techniques. The consequences of selected security techniques are described as design implications. The method utilizes quality tools, such as the voice of the customer table and affinity and hierarchy diagrams. To illustrate the method, known as the usage-centric security requirements engineering (USeR) method, it is demonstrated in a case study. The USeR method enables the identification of security needs from statements about information systems, and the transformation of those needs into security techniques. Although the method needs to be used with complementary approaches, e.g. misuse cases to detect security requirements originating from the functional requirements, it provides a coherent approach and holistic view that even in the early stages can guide the system evolution to achieve information systems more resistant to security threats.
Citations: 12
A Methodology for Evaluation of Host-Based Intrusion Prevention Systems and Its Application
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652120
K. G. Labbe, N. Rowe, J. D. Fulp
Host-based intrusion-prevention systems are currently popular technologies which try to prevent exploits from succeeding on a host. They are like host-based intrusion-detection systems (P. E. Proctor, 2001) but include means to automatically take actions once malicious activities or code are discovered. This can include terminating connections, services, or ports; refusing commands; blocking packets from specific Internet addresses; initiating tracing of packets; and sending modified packets back to a user. Automated responses to exploits can be quick without human intervention. Around ten commercial vendors are currently offering intrusion-prevention products (N. Desai, May 2006), and Snort-Inline is a popular open-source tool. Total intrusion prevention is a difficult goal to achieve, since it takes time to recognize an exploit and by then the damage may be done. So it is important to have a way to test the often-broad claims of intrusion-prevention products. The testing we propose is not as comprehensive as that offered by attack-traffic simulators like Skaion's TGS (www.skaion.com) or by the DETER testbed (www.deterlab.net). But attack-traffic simulators, even when up-to-date, only model broad characteristics of attacks and not their context-dependent behavior, so they can produce significant numbers of false negatives. DETER emulates rather than executes malicious software to provide added safety, which is not quite the same. DETER also imposes several bureaucratic obstacles for getting approval for experiments and obtaining time on their hardware to run them; this bureaucracy requires motivation and time to navigate. For quick in-depth testing of a new product that has not been evaluated in DETER, or for finding reasons to rule out a product, a simpler approach that is easier to set up is required.
Citations: 6
A Multi-step Method for Speaker Identification
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652127
M. Savastano, A. Luciano, A. Pagano, B. Peticone, L. Riccardi
In the context of countermeasures against criminal or terrorist acts, the attribution of identity to an unknown speaker (for example, an individual talking on a phone line) may play a primary role. Speaker identification (SI) may be performed with or without human support and, according to this distinction, SI systems are divided into "semi-automatic" and "automatic" (J. P. Campbell, Sept. 1997). In semi-automatic protocols, the process of identification is carried out by means of electronic instruments with the support of a technician who generally has a linguistic background. Automatic systems do not need human support and may operate in quasi-real-time, and this may represent a feature particularly appealing in some operative scenarios. Obviously, the complexity of automatic systems is considerable and, generally, complex architectures are required. In the present paper the authors propose a four-classifier methodology which exhibits some innovative solutions in the context of similar approaches. In particular, a new robust approach to pitch extraction allows one to overcome a set of problems generally associated with this task.
Citations: 0
Secure State Processing
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652121
S. Price, S. Price
The information assurance (IA) model, an extension of the McCumber information security model, specifies security services for information when it is at rest, in transit, or being processed. According to the IA model, the processing information state is protected by technology, operations, and people security countermeasures. However, what has not been considered is the power wielded by an ordinary user over the processes in their environment. The authors consider people to be the principal countermeasure in the model. Unfortunately, this becomes problematic when users introduce unknown or unauthorized processes into a system, which may affect information and the security services of the system. Indeed, such processes run with the rights and privileges of the user. The intentional or accidental execution of unauthorized applications epitomizes the insider threat. Therefore, system and data security is at the mercy of executing processes and the hands of the authorized user. Another way to represent this situation is to say that unknown and unauthorized processes, whether or not under the control of the user, change the secure state processing (SSP) of a system.
Citations: 3
Visualization in Interrogator using Graphviz
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652126
C. Fox, D. Wilson
The Interrogator infrastructure comprises a number of networks, each consisting of multiple thousands of nodes. The data produced by the sensors in this infrastructure is collected and stored in three distinct formats: relational databases, data files containing packet traffic or network flow information, and other report files, usually in extensible markup language (XML) format. In a network infrastructure of this size, it becomes very difficult to keep abreast of the complex relationships that exist within. Additionally, due to the sheer volume of data produced in the previously mentioned formats, a method to aid in extracting the security-relevant content from the data becomes highly essential. We propose the use of network graphs to address these limitations in the current Interrogator architecture. Generation of the graphs required the development of methods to extract, from the data sources available, the needed connectivity and data transfer information. This information was then passed to a graphing utility, Graphviz, which was used to generate the network graphs. Using the capabilities provided in Graphviz, we were able to quickly obtain information about any node in the network, including the connectivity of the node, the data transferred, and any alerts generated that included these nodes. These graphs are used as another analysis source for an analyst to aid in the identification of suspicious network behavior.
Citations: 3
Fake Honeypots: A Defensive Tactic for Cyberspace
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652099
Neil C. Rowe, B. Duong, E. J. Custy
Cyber-attackers are becoming more aware of honeypots. They generally want to avoid honeypots since it is hard to spread attacks from them, attacks are thoroughly monitored on them, and some honeypots contain planted false information. This suggests that it could be useful for a computer system to pretend it is a honeypot, to scare away smarter attackers. We examine here from a number of perspectives how this could be accomplished as a kind of "vaccination" of systems to reduce the number of attacks and their severity. We develop a mathematical model of what would make an attacker go away. We report experiments with deliberate distortions of text to see at what point people could detect deception, and discover they can respond to subtle clues. We also report experiments with real attackers against a honeypot of increasing obviousness. Results show that attacks on it decreased over time, which may indicate that attackers are being scared away. We conclude with some speculation about the escalation of honeypot-antihoneypot techniques.
Citations: 41
Investigating the Effect of an Attack on a Distributed Database
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652111
R. Samara, B. Panda
After an attack on a database system, evaluation of damage must be performed as soon as the attack is identified. Otherwise, the initial damage would spread to other parts of the database via valid transactions, consequently resulting in denial of service. Damage assessment in a distributed database system is a complicated task due to intricate transaction relationships among distributed sites. In these systems, when any sub-transaction reads damaged data at any site, the entire transaction of which the sub-transaction is a part is considered affected by the damage. Hence, the data items updated by that transaction, irrespective of site, are also considered damaged. This research focuses on the damage assessment procedure for distributed database systems and uses a two-pass algorithm to obtain the final list of affected data items. The advantages of this method are: (1) the process is fully distributed in the sense that every site executes the same algorithm, (2) the amount of data to be exchanged between the sites is minimized to the list of affected items at each site instead of the entire log, and (3) the local damage assessors can be executed in parallel at their respective sites.
Citations: 4
Network Based Detection of Virtual Environments and Low Interaction Honeypots
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652107
P. Defibaugh-Chavez, R. Veeraghattam, M. Kannappa, S. Mukkamala, A. Sung
To detect and deflect attempts at unauthorized use of information systems, network resources called honeypots are deployed. Honeypots are an efficient way to gather information and are being increasingly used for information security purposes. This paper focuses on the network-level detection of honeypots by taking the feature set of the systems and also the network-level activity into consideration. Earlier work in the area has been based on system-level detection. The results aim at bringing out the limitations in current honeypot technology.
Citations: 21
Applying Data Mining of Fuzzy Association Rules to Network Intrusion Detection
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652083
A. El-Semary, J. Edmonds, J. González-Pino, M. Papa
This paper describes the use of fuzzy logic in the implementation of an intelligent intrusion detection system. The system uses a data miner that integrates Apriori and Kuok's algorithms to produce fuzzy logic rules that capture features of interest in network traffic. Using an inference engine implemented with FuzzyJess, the intrusion detection system evaluates these rules and gives network administrators indications of the firing strength of the ruleset. The resulting system is capable of adapting to changes in attack signatures. In addition, by identifying relevant network traffic attributes, the system has the inherent ability to provide abstract views that support network security analysis. Examples and experimental results using intrusion detection datasets from MIT Lincoln Laboratory demonstrate the potential of the approach.
Citations: 67
Smart Handling of Colluding Black Hole Attacks in MANETs and Wireless Sensor Networks using Multipath Routing
Pub Date : 2006-06-21 DOI: 10.1109/IAW.2006.1652103
S. Ramaswami, S. Upadhyaya
The open medium, dynamic topology and infrastructureless characteristics of MANETs and sensor networks have found widespread military applications. However, the nature of these networks and the limited processing capabilities of the nodes make them vulnerable to malicious attacks. In this paper we address the problem of colluding and coordinated black hole attacks, one of the major security issues in MANET-based defense applications. These attacks are caused by malicious nodes that advertise the availability of the shortest route to the intended destination, thereby exploiting the functioning of the AODV protocol and retaining the data packets. This leads to loss of critical and sensitive information being relayed across the network. We propose a technique that overcomes the shortcomings of this protocol and makes it less vulnerable to such attacks by identifying the malicious nodes and isolating them from the network. We have developed a lightweight acknowledgement scheme with multipath routing for securing the protocol. The proposed technique can be extended to similar routing protocols and scenarios in MANETs.
Citations: 29
Journal: 2006 IEEE Information Assurance Workshop