Pub Date : 2011-04-11DOI: 10.1109/CICYBS.2011.5949411
David L. Hancock, G. Lamont
Trends in computing and networking, in terms of physical capability, attack surface, and attacker sophistication, call for automated, fault-tolerant response systems. Military networks present such environments with unique authorities, critical systems, and threats. Within such environments, multi agent systems may make special contributions regarding recognisance and attack scenarios. We survey three multi agent systems designed for cyber operations, with particular emphasis on our classifier for flow-based attacks, which demonstrates the effectiveness of reputation for distributing classifying agents effectively.
{"title":"Multi agent systems on military networks","authors":"David L. Hancock, G. Lamont","doi":"10.1109/CICYBS.2011.5949411","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949411","url":null,"abstract":"Trends in computing and networking, in terms of physical capability, attack surface, and attacker sophistication, call for automated, fault-tolerant response systems. Military networks present such environments with unique authorities, critical systems, and threats. Within such environments, multi agent systems may make special contributions regarding recognisance and attack scenarios. We survey three multi agent systems designed for cyber operations, with particular emphasis on our classifier for flow-based attacks, which demonstrates the effectiveness of reputation for distributing classifying agents effectively.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"88 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126429746","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2011-04-11DOI: 10.1109/CICYBS.2011.5949390
Dean Lee, S. Hamilton, W. L. Hamilton
Sensor data can be used to provide a snapshot of the state of a mission critical network. However, sensor data and the conclusions derived from it (Cyber Knowledge) will often contain conflicting values for a given conclusion. In this paper we present a new method for representing and combining cyber knowledge that maintains accuracy even in the face of multiple conflicting inputs.
{"title":"Modeling Cyber Knowledge uncertainty","authors":"Dean Lee, S. Hamilton, W. L. Hamilton","doi":"10.1109/CICYBS.2011.5949390","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949390","url":null,"abstract":"Sensor data can be used to provide a snapshot of the state of a mission critical network. However, sensor data and the conclusions derived from it (Cyber Knowledge) will often contain conflicting values for a given conclusion. In this paper we present a new method for representing and combining cyber knowledge that maintains accuracy even in the face of multiple conflicting inputs.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122265132","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2011-04-11DOI: 10.1109/CICYBS.2011.5949398
Justin M. Beaver, R. Patton, T. Potok
Enterprise networks are comprised of thousands of interconnected computer hosts, each of which is capable of creating, removing, and exchanging data according to the needs of their users. Thus, the distribution of high-value, sensitive, and proprietary information across enterprise networks is poorly managed and understood. A significant technology gap in information security is the inability to automatically quantify the value of the information contained on each host in a network. Such insight would allow an enterprise to scale its defenses, react intelligently to an intrusion, manage its configuration audits, and understand the leak potential in the event that a host is compromised. This paper outlines a novel approach to the automated determination of the value of the information contained on a host computer. It involves the classification of each text document on the host machine using the frequency of the document's terms and phrases. A host information value is computed using an enterprise-defined weighting schema and applying it to a host's document distribution. The method is adaptable to specific organizational information needs, requires manual intervention only during schema creation, and is repeatable and consistent regardless of changes in information on the host machines.
{"title":"An approach to the automated determination of host information value","authors":"Justin M. Beaver, R. Patton, T. Potok","doi":"10.1109/CICYBS.2011.5949398","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949398","url":null,"abstract":"Enterprise networks are comprised of thousands of interconnected computer hosts, each of which is capable of creating, removing, and exchanging data according to the needs of their users. Thus, the distribution of high-value, sensitive, and proprietary information across enterprise networks is poorly managed and understood. A significant technology gap in information security is the inability to automatically quantify the value of the information contained on each host in a network. Such insight would allow an enterprise to scale its defenses, react intelligently to an intrusion, manage its configuration audits, and understand the leak potential in the event that a host is compromised. This paper outlines a novel approach to the automated determination of the value of the information contained on a host computer. It involves the classification of each text document on the host machine using the frequency of the document's terms and phrases. A host information value is computed using an enterprise-defined weighting schema and applying it to a host's document distribution. The method is adaptable to specific organizational information needs, requires manual intervention only during schema creation, and is repeatable and consistent regardless of changes in information on the host machines.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"41 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123945597","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2011-04-11DOI: 10.1109/CICYBS.2011.5949404
Y. Hu, Charles E. Frank, J. Walden, E. Crawford, D. Kasturiratna
Studies show that a significant number of employees steal data when changing jobs. Insider attackers who have the authorization to access the best-kept secrets of organizations pose a great challenge for organizational security. Although increasing efforts have been spent on identifying insider attacks, little research concentrates on detecting data exfiltration activities. This paper proposes a model for identifying data exfiltration activities by insiders. It uses statistical methods to profile legitimate uses of file repositories by authorized users. By analyzing legitimate file repository access logs, user access profiles are created and can be employed to detect a large set of data exfiltration activities. The effectiveness of the proposed model was tested with file access histories from the subversion logs of the popular open source project KDE.
{"title":"Profiling file repository access patterns for identifying data exfiltration activities","authors":"Y. Hu, Charles E. Frank, J. Walden, E. Crawford, D. Kasturiratna","doi":"10.1109/CICYBS.2011.5949404","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949404","url":null,"abstract":"Studies show that a significant number of employees steal data when changing jobs. Insider attackers who have the authorization to access the best-kept secrets of organizations pose a great challenge for organizational security. Although increasing efforts have been spent on identifying insider attacks, little research concentrates on detecting data exfiltration activities. This paper proposes a model for identifying data exfiltration activities by insiders. It uses statistical methods to profile legitimate uses of file repositories by authorized users. By analyzing legitimate file repository access logs, user access profiles are created and can be employed to detect a large set of data exfiltration activities. The effectiveness of the proposed model was tested with file access histories from the subversion logs of the popular open source project KDE.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122987046","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2011-04-11DOI: 10.1109/CICYBS.2011.5949402
Omar Al-Ibrahim, S. Nair
Security fusion is a new paradigm in security for resource-constrained environments [20]. Following this paradigm, strong system-level security is achieved by combining weak primitives from multiple nodes. In this paper, we describe a fusion methodology based on state machine compositions. From the properties of compositions, we devise a challenge-response system that composes low-entropy state machines at individual nodes into one with higher entropy. We use built-in digital logic such as Physical Unclonable Functions (PUFs) to efficiently mass generate and distribute keys. In addition, we draw on the properties of compositions to reduce the key storage complexity at the infrastructure-level, with high coverage and early detectability at the system-level.
{"title":"Security fusion based on state machine compositions","authors":"Omar Al-Ibrahim, S. Nair","doi":"10.1109/CICYBS.2011.5949402","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949402","url":null,"abstract":"Security fusion is a new paradigm in security for resource-constrained environments [20]. Following this paradigm, strong system-level security is achieved by combining weak primitives from multiple nodes. In this paper, we describe a fusion methodology based on state machine compositions. From the properties of compositions, we devise a challenge-response system that composes low-entropy state machines at individual nodes into one with higher entropy. We use built-in digital logic such as Physical Unclonable Functions (PUFs) to efficiently mass generate and distribute keys. In addition, we draw on the properties of compositions to reduce the key storage complexity at the infrastructure-level, with high coverage and early detectability at the system-level.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"21 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132671177","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2011-04-11DOI: 10.1109/CICYBS.2011.5949401
F. Barbhuiya, S. Biswas, N. Hubballi, Sukumar Nandi
Address Resolution Protocol (ARP) based attacks are caused by compromised hosts in the LAN and mainly involve spoofing with falsified IP-MAC pairs. Since ARP is a stateless protocol such attacks are possible. Neither there are signatures available for these attacks nor any significant statistical behavior change can be observed. So existing signature or anomaly intrusion detection systems are unable to detect these type of attacks. Several schemes have been proposed in the literature to circumvent these attacks, however, these techniques either make IP-MAC pairing static, modify the existing ARP, violate network layering architecture etc. In this paper a host based Discrete Event System (DES) approach is proposed for detecting ARP spoofing attacks. This approach does not require any extra constraint like static IP-MAC, changing the ARP or violation of network layering architecture.
{"title":"A host based DES approach for detecting ARP spoofing","authors":"F. Barbhuiya, S. Biswas, N. Hubballi, Sukumar Nandi","doi":"10.1109/CICYBS.2011.5949401","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949401","url":null,"abstract":"Address Resolution Protocol (ARP) based attacks are caused by compromised hosts in the LAN and mainly involve spoofing with falsified IP-MAC pairs. Since ARP is a stateless protocol such attacks are possible. Neither there are signatures available for these attacks nor any significant statistical behavior change can be observed. So existing signature or anomaly intrusion detection systems are unable to detect these type of attacks. Several schemes have been proposed in the literature to circumvent these attacks, however, these techniques either make IP-MAC pairing static, modify the existing ARP, violate network layering architecture etc. In this paper a host based Discrete Event System (DES) approach is proposed for detecting ARP spoofing attacks. This approach does not require any extra constraint like static IP-MAC, changing the ARP or violation of network layering architecture.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"2 10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124196305","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2011-04-11DOI: 10.1109/CICYBS.2011.5949399
Paul K. Harmer, Ryan W. Thomas, B. Christel, Richard K. Martin, Clifton Watson
Wireless networks are a common point of entry for computer network attacks. Due to high traffic volumes, network mission assurance requires tools that can usefully display network traffic data, automatically detect, and identify attacks to provide increased situational awareness to a network administrator. Many metrics used to analyze wireless network traffic and security depend on full access to all nodes. This is impractical in fielded networks. To address these issues, we propose a new set of metrics based on wireless network packet interarrival times. These metrics are displayed in a novel way to provide administrators with a mechanism for identifying possible attacks and their impact on the network. The performance of this visualizer is validated by the use of a linear classifier system, which shows that the chosen metrics can be used to accurately identify attacks. We further argue that the classifier could be used in conjunction with the visualizer as an effective decision support system to aid in maintaining mission assurance.
{"title":"Wireless security situation awareness with attack identification decision support","authors":"Paul K. Harmer, Ryan W. Thomas, B. Christel, Richard K. Martin, Clifton Watson","doi":"10.1109/CICYBS.2011.5949399","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949399","url":null,"abstract":"Wireless networks are a common point of entry for computer network attacks. Due to high traffic volumes, network mission assurance requires tools that can usefully display network traffic data, automatically detect, and identify attacks to provide increased situational awareness to a network administrator. Many metrics used to analyze wireless network traffic and security depend on full access to all nodes. This is impractical in fielded networks. To address these issues, we propose a new set of metrics based on wireless network packet interarrival times. These metrics are displayed in a novel way to provide administrators with a mechanism for identifying possible attacks and their impact on the network. The performance of this visualizer is validated by the use of a linear classifier system, which shows that the chosen metrics can be used to accurately identify attacks. We further argue that the classifier could be used in conjunction with the visualizer as an effective decision support system to aid in maintaining mission assurance.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"34 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131793271","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2011-04-11DOI: 10.1109/CICYBS.2011.5949387
P. LaRoche, A. N. Zincir-Heywood, M. Heywood
In this work, we explore the state space of a network application protocol by employing genetic programming techniques. To this end, we target Simple Mail Transfer Protocol (SMTP), which is a well-known and open protocol on the Internet. In order to achieve our goal, we aim to evolve the payload such that solution individuals result in an email being sent successfully through the targeted server. The proposed system implements an archive paradigm where, upon completion of the evolutionary process, a collection (archive) of solutions are presented. Specifically, they can all achieve the goal, but each does so in a unique manner. This collection allows us to examine the state space of the application protocol, giving us the ability to verify that these variations are either intended by the protocol, or should be addressed for security reasons.
{"title":"Exploring the state space of an application protocol: A case study of SMTP","authors":"P. LaRoche, A. N. Zincir-Heywood, M. Heywood","doi":"10.1109/CICYBS.2011.5949387","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949387","url":null,"abstract":"In this work, we explore the state space of a network application protocol by employing genetic programming techniques. To this end, we target Simple Mail Transfer Protocol (SMTP), which is a well-known and open protocol on the Internet. In order to achieve our goal, we aim to evolve the payload such that solution individuals result in an email being sent successfully through the targeted server. The proposed system implements an archive paradigm where, upon completion of the evolutionary process, a collection (archive) of solutions are presented. Specifically, they can all achieve the goal, but each does so in a unique manner. This collection allows us to examine the state space of the application protocol, giving us the ability to verify that these variations are either intended by the protocol, or should be addressed for security reasons.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"11 5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-04-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130225081","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2011-03-29DOI: 10.1109/CICYBS.2011.5949410
J. Zhan, Xing Fang, Naveen Bandaru
Location information is considered as private in many scenarios. Location information protection on social networks has not been paid much attention. In this paper, we extend our previous proposed location privacy protection approach on the basis of user messages in social networks. Our approach grants flexibility to users by offering them multiple protecting options. The extension includes performance evaluation towards our approach.
{"title":"Location privacy protection on social networks","authors":"J. Zhan, Xing Fang, Naveen Bandaru","doi":"10.1109/CICYBS.2011.5949410","DOIUrl":"https://doi.org/10.1109/CICYBS.2011.5949410","url":null,"abstract":"Location information is considered as private in many scenarios. Location information protection on social networks has not been paid much attention. In this paper, we extend our previous proposed location privacy protection approach on the basis of user messages in social networks. Our approach grants flexibility to users by offering them multiple protecting options. The extension includes performance evaluation towards our approach.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-03-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125937011","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 1900-01-01DOI: 10.1109/cicybs.2011.5949418
Justin Zhan, Marco Carvalho, Gerry V. Dozier, Murat Kantarcioglu, G. B. Lamont, Usa C Veni Madhavan, Andrzej Rucinski, Frederick Sheldon, Mario Strasser, Eth Zürich, Shamik Switzerland, Sural, Alexander Tarakanov, St Petersburg, Qishi Wu, Nan Zhang
Computational Intelligence constitutes an umbrella of techniques, has proven to be flexible in decision making in dynamic environment. These techniques typically include Fuzzy Logic, Evolutionary Computation, Intelligent Agent Systems, Neural Networks, Cellular Automata, Artificial Immune Systems and other similar computational models. The use of these techniques allowed building efficient online monitoring tools and robust decision support modules, providing cross-linking solutions to different cyber security applications.
{"title":"Symposium on Computational Intelligence in Cyber Security (IEEE CICS 2011)","authors":"Justin Zhan, Marco Carvalho, Gerry V. Dozier, Murat Kantarcioglu, G. B. Lamont, Usa C Veni Madhavan, Andrzej Rucinski, Frederick Sheldon, Mario Strasser, Eth Zürich, Shamik Switzerland, Sural, Alexander Tarakanov, St Petersburg, Qishi Wu, Nan Zhang","doi":"10.1109/cicybs.2011.5949418","DOIUrl":"https://doi.org/10.1109/cicybs.2011.5949418","url":null,"abstract":"Computational Intelligence constitutes an umbrella of techniques, has proven to be flexible in decision making in dynamic environment. These techniques typically include Fuzzy Logic, Evolutionary Computation, Intelligent Agent Systems, Neural Networks, Cellular Automata, Artificial Immune Systems and other similar computational models. The use of these techniques allowed building efficient online monitoring tools and robust decision support modules, providing cross-linking solutions to different cyber security applications.","PeriodicalId":436263,"journal":{"name":"2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134333958","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: