Aaron Striegel

Combating imbalance in network intrusion datasets

An approach to combating network intrusion is the development of systems applying machine learning and data min- ing techniques. Many IDS (Intrusion Detection Systems) suffer from a high rate of false alarms and missed intrusions. We want to be able to improve the intrusion detection rate at a reduced false positive rate. The focus of this paper is rule-learning, using RIPPER, on highly imbalanced intrusion datasets with an objective to improve the true positive rate (intrusions) without significantly increasing the false positives. We use RIPPER as the underlying rule classifier. To counter imbalance in data, we implement a combination of oversampling (both by replication and synthetic generation) and undersampling techniques. We also propose a clustering based methodology for oversampling by generating synthetic instances. We evaluate our approaches on two intrusion datasets — destination and actual packets based — constructed from actual Notre Dame traffic, giving a flavor of real-world data with its idiosyncrasies. Using ROC analysis, we show that oversampling by synthetic generation of minority (intrusion) class outperforms oversampling by replication and RIPPERs loss ratio method. Additionally, we establish that our clustering based approach is more suitable for the detecting intrusions and is able to provide additional improvement over just synthetic generation of instances.

Botnet Economics: Uncertainty Matters

Botnets have become an increasing security concern in today’s Internet. Thus far the mitigation to botnet attacks is a never ending arms race focusing on technical approaches. In this chapter, we model botnet-related cybercrimes as a result of profit-maximizing decision-making from the perspectives of both botnet masters and renters/attackers. From this economic model, we can understand the effective rental size and the optimal botnet size that can maximize the profits of botnet masters and attackers. We propose the idea of using virtual bots (honeypots running on virtual machines) to create uncertainty in the level of botnet attacks. The uncertainty introduced by virtual bots has a deep impact on the profit gains on the botnet market. With decreasing profitability, botnet-related attacks such as DDoS are reduced if not eliminated from the root cause, i.e. economic incentives.

Face-to-Face Proximity Estimation Using Bluetooth On Smartphones

The availability of “always-on” communications has tremendous implications for how people interact socially. In particular, sociologists are interested in the question if such pervasive access increases or decreases face-to-face interactions. Unlike triangulation which seeks to precisely define position, the question of face-to-face interaction reduces to one of proximity, i.e., are the individuals within a certain distance? Moreover, the problem of proximity estimation is complicated by the fact that the measurement must be quite precise (1-1.5 m) and can cover a wide variety of environments. Existing approaches such as GPS and Wi-Fi triangulation are insufficient to meet the requirements of accuracy and flexibility. In contrast, Bluetooth, which is commonly available on most smartphones, provides a compelling alternative for proximity estimation. In this paper, we demonstrate through experimental studies the efficacy of Bluetooth for this exact purpose. We propose a proximity estimation model to determine the distance based on the RSSI values of Bluetooth and light sensor data in different environments. We present several real world scenarios and explore Bluetooth proximity estimation on Android with respect to accuracy and power consumption.

RIPPS: Rogue Identifying Packet Payload Slicer Detecting Unauthorized Wireless Hosts Through Network Traffic Conditioning

Wireless network access has become an integral part of computing both at home and at the workplace. The convenience of wireless network access at work may be extremely beneficial to employees, but can be a burden to network security personnel. This burden is magnified by the threat of inexpensive wireless access points being installed in a network without the knowledge of network administrators. These devices, termed <it>Rogue Wireless Access Points</it>, may allow a malicious outsider to access valuable network resources, including confidential communication and other stored data. For this reason, wireless connectivity detection is an essential capability, but remains a difficult problem. We present a method of detecting wireless hosts using a local RTT metric and a novel packet payload slicing technique. The local RTT metric provides the means to identify physical transmission media while packet payload slicing conditions network traffic to enhance the accuracy of the detections. Most importantly, the packet payload slicing method is transparent to both clients and servers and does not require direct communication between the monitoring system and monitored hosts.

Modifying smartphone user locking behavior

With an increasing number of organizations allowing personal smart phones onto their networks, considerable security risk is introduced. The security risk is exacerbated by the tremendous heterogeneity of the personal mobile devices and their respective installed pool of applications. Furthermore, by virtue of the devices not being owned by the organization, the ability to authoritatively enforce organizational security polices is challenging. As a result, a critical part of organizational security is the ability to drive user security behavior through either on-device mechanisms or security awareness programs. In this paper, we establish a baseline for user security behavior from a population of over one hundred fifty smart phone users. We then systematically evaluate the ability to drive behavioral change via messaging centered on morality, deterrence, and incentives. Our findings suggest that appeals to morality are most effective over time, whereas deterrence produces the most immediate reaction. Additionally, our findings show that while a significant portion of users are securing their devices without prior intervention, it is difficult to influence change in those who do not.

Lessons learned from the netsense smartphone study

Over the past few years, smartphones have emerged as one of the most popular mechanisms for accessing content across the Internet driving considerable research to improve wireless performance. A key foundation for such research efforts is the proper understanding of user behavior. However, the gathering of live smartphone data at scale is often difficult and expensive. The focus of this paper is to explore the lessons learned from a two year study of two hundred smart phone users at the University of Notre Dame. In this paper, we offer commentary with regards to the entire process of the study covering aspects including funding considerations, technical architecture design, lessons learned, and recommendations for future efforts gathering live user data.

Enhanced feedback in balance rehabilitation using the Nintendo Wii Balance Board

Balance retraining is a critical part of rehabilitation for many individuals following neuro-trauma such as stroke. The WeHab system described in this paper is a low-cost rehabilitation instrument suite centered around the Nintendo Wii Balance Board that has the potential to enhance rehabilitation for patients with balance disorders. Using the WeHab system, therapists can lead patients through normal rehabilitation exercises with the added benefit of visual biofeedback based on center of pressure location. Patient improvement can be tracked by the WeHab system through objective analysis of trends both within a single session and from one session to the next. Pilot data from several patients receiving inpatient therapy using the WeHab system at the Wound Care center at Memorial Hospital in South Bend, IN, indicate the potential benefit that the system could bring to balance rehabilitation. Specifically, the details of and results from sit-to-stand, weight-shifting, and stepping activities are presented for pilot subjects. Further expansion of the WeHab system is planned, including incorporation of auditory feedback. Future work also includes more structured studies of the effects of the WeHab system on balance recovery.

Exploring the potential in practice for opportunistic networks amongst smart mobile devices

Wireless network providers are under tremendous pressure to deliver unprecedented amounts of data to a variety of mobile devices. A powerful concept that has only gained limited traction in practice has been the concept of opportunistic networks whereby nodes opportunistically communicate with each other when in range to augment or overcome existing wireless systems. One of the key impediments towards the adoption of opportunistic communications has been the inability to demonstrate viability at scale, namely showing that sufficient opportunities exist and more importantly exist when needed to offer significant network performance gains. We demonstrate through a large-scale, longitudinal study of smartphone users that significant opportunities are indeed prevalent, are indeed stable, and end up being reasonably reciprocal both on short and long-term timescales. In this paper, we propose a framework dubbed PSR (Prevalence, Stability, Reciprocity) to capture key aspects that characterize the net potential for opportunistic networks which we feel merit significantly increased attention.

A protocol independent Internet gateway for ad hoc wireless networks

An autonomous wireless local area network (AWLAN) is a collection of wireless computers that can be rapidly deployed as an ad hoc network without the aid of any established infrastructure or centralized administration. However, existing routing protocols for such networks neither scale nor function on the Internet. Therefore, a solution is required that provides a gateway between the ad hoc network and the Internet. In this paper, we propose a protocol-independent Internet gateway for ad hoc networks, the Cluster Gateway (CG). The proposed Cluster Gateway (CG) provides Internet access by acting as both a service access point and a Mobile IP foreign agent for ad hoc networks. In this paper, we describe the requirements for supporting the CG in any ad hoc routing protocol, the messages sent in order to provide CG support, and several optional enhancements for the CG. Finally, we briefly describe an implementation of the CG over an existing ad hoc routing protocol.

A scalable approach for DiffServ multicasting

The phenomenal growths of group communications and QoS-aware applications over the Internet have respectively accelerated the development of two key technologies, namely, multicasting and differentiated services (DiffServ). Although both are complementary technologies, the integration of the two technologies is a non-trivial task due to architectural conflicts between multicasting and DiffServ. We propose an approach for providing multicast support across a DiffServ domain that is scalable in terms of group size, network size, and number of groups. We analyze our approach in a detailed manner for feasibility, adaptiveness, and deployment considerations.