Abdun Naser Mahmood
University of New South Wales
Publication
Featured research published by Abdun Naser Mahmood.
Journal of Network and Computer Applications | 2016
Mohiuddin Ahmed; Abdun Naser Mahmood; Jiankun Hu
Information and Communication Technology (ICT) has a great impact on social wellbeing, economic growth and national security in today's world. Generally, ICT includes computers, mobile communication devices and networks. ICT is also embraced by a group of people with malicious intent, also known as network intruders, cyber criminals, etc. Confronting these detrimental cyber activities is one of the international priorities and an important research area. Anomaly detection is an important data analysis task which is useful for identifying network intrusions. This paper presents an in-depth analysis of four major categories of anomaly detection techniques which include classification, statistical, information theory and clustering. The paper also discusses research challenges with the datasets used for network intrusion detection. Highlights: Maps different types of anomalies with network attacks. Provides an up-to-date taxonomy of network anomaly detection. Evaluates effectiveness of different categories of techniques. Explores recent research related to publicly available network intrusion evaluation datasets.
IEEE Transactions on Smart Grid | 2011
Carlos Queiroz; Abdun Naser Mahmood; Zahir Tari
Supervisory Control and Data Acquisition (SCADA) systems control and monitor industrial and critical infrastructure functions, such as electricity, gas, water, waste, railway, and traffic. Recent attacks on SCADA systems highlight the need of stronger SCADA security. It is important to analyze the security risks and develop appropriate security solutions to protect such systems. However, a key problem is the lack of proper modeling tools to evaluate the security of SCADA systems. As widely accepted in academic and industrial communities, it is impractical to conduct security experiments on live systems. A modeling simulation tool would enable the simulation of SCADA systems with the benefit of testing different attack and security solutions. This paper proposes a simulation tool for building SCADA simulations that supports the integration of external devices and applications. A key benefit of this tool is the ability to test the effect of attacks on real devices and applications, even though using a simulated environment. The paper further describes two case studies that demonstrate how the tool can be efficiently used to create SCADA simulations and perform malicious attacks.
Network and System Security | 2009
Carlos Queiroz; Abdun Naser Mahmood; Jiankun Hu; Zahir Tari; Xinghuo Yu
SCADA (Supervisory Control and Data Acquisition) systems control and monitor industrial and critical infrastructure functions, such as the electricity, gas, water, waste, railway and traffic. Recent attacks on SCADA systems highlight the need of a SCADA security testbed, which can be used to model real SCADA systems and study the effects of attacks on them. We propose the architecture of a modular SCADA testbed and describe our tool which mimics a SCADA network, monitors and controls real sensors and actuators using Modbus/TCP protocol. Using Distributed Denial of Service (DDoS) scenarios we show how attackers can disrupt the operation of a SCADA system.
IEEE Transactions on Knowledge and Data Engineering | 2008
Abdun Naser Mahmood; Christopher Leckie; Parampalli Udaya
There is significant interest in the data mining and network management communities about the need to improve existing techniques for clustering multivariate network traffic flow records so that we can quickly infer underlying traffic patterns. In this paper, we investigate the use of clustering techniques to identify interesting traffic patterns from network traffic data in an efficient manner. We develop a framework to deal with mixed type attributes including numerical, categorical, and hierarchical attributes for a one-pass hierarchical clustering algorithm. We demonstrate the improved accuracy and efficiency of our approach in comparison to previous work on clustering network traffic.
Future Generation Computer Systems | 2016
Mohiuddin Ahmed; Abdun Naser Mahmood; Md. Rafiqul Islam
Anomaly detection is an important data analysis task. It is used to identify interesting and emerging patterns, trends and anomalies from data. Anomaly detection is an important tool to detect abnormalities in many different domains including financial fraud detection, computer network intrusion, human behavioural analysis, gene expression analysis and many more. Recently, in the financial sector, there has been renewed interest in research on detection of fraudulent activities. There has been a lot of work in the area of clustering based unsupervised anomaly detection in the financial domain. This paper presents an in-depth survey of various clustering based anomaly detection techniques and compares them from different perspectives. In addition, we discuss the lack of real world data and how synthetic data has been used to validate current detection techniques.
Journal of Network and Computer Applications | 2010
Abdun Naser Mahmood; Jiankun Hu; Zahir Tari; Christopher Leckie
Networked critical infrastructures are of national importance. However, such infrastructures are running 24/7. The supervisory control and data acquisition system (SCADA) of the critical infrastructure will generate enormous network traffic continuously. It is vital in such environments that only useful data are stored while redundant data are discarded to reduce the huge data storage demand. However, it is technically challenging to reduce the demand on data storage while losing little information. In this paper, a resource conserving sampling technique is proposed to improve detection of less frequent patterns from huge network traffic under the fixed data storage capacity of the system. Such less frequent patterns are often related to subtle network intrusion activities. Experiments using the 1998 DARPA Intrusion Detection Dataset have validated the effectiveness of the proposed scheme.
IEEE International Conference on Information Technology and Applications in Biomedicine | 2009
Fahim Sufi; Abdun Naser Mahmood; Ibrahim Khalil
Usage of compressed Electrocardiography (ECG) for fast and efficient telecardiology application is crucial, as ECG signals are enormously large in size. However, conventional ECG diagnosis algorithms require the compressed ECG to be decompressed before diagnosis can be applied. This added step of decompression before performing diagnosis for every ECG packet introduces unnecessary delays, which is undesirable for cardiovascular patients. In this paper, we first used an attribute selection method that selects only a few features from the compressed ECG. Then we used clustering techniques to create normal and abnormal ECG clusters. 18 different segments (12 normal and 6 abnormal) of compressed ECG were tested with 100% success on our model. This innovative data mining technique on compressed ECGs now enables faster identification of cardiac abnormality directly from the compressed ECG, resulting in an efficient telecardiology diagnosis system.
Journal of Network and Computer Applications | 2011
Jiankun Hu; Ibrahim Khalil; Song Han; Abdun Naser Mahmood
Recent research effort has been made to integrate both dependability and security concepts for SOA using fault taxonomy. However, most of such work is confined to the SOA functionality layer excluding the interactions with its underlying distributed systems. Also, many elements of the taxonomies proposed are loosely integrated without generic interactive relationships. This is especially true when security attributes are included. There is a lack of a framework that can systematically and genuinely integrate dependability and security concepts for SOA and also include underlying distributed systems of SOA. This paper attempts to address this issue by providing a taxonomy and framework from a new angle. The major contribution of this paper is that we have introduced a feedback control system as an integration vehicle to integrate concepts and attributes of both dependability and security in SOA, so that they can be more generically integrated and more systematically constructed. Furthermore, the framework proposed in this paper covers the SOA functionality layer and its underlying distributed systems. A novel idea of basic fault building blocks has been proposed to address the scalability issue due to layer interactions. Various fault taxonomies are constructed from these basic building blocks.
Journal of Medical Systems | 2011
Fahim Sufi; Ibrahim Khalil; Abdun Naser Mahmood
Adoption of compression technology is often required for wireless cardiovascular monitoring, due to the enormous size of Electrocardiography (ECG) signal and limited bandwidth of Internet. However, compressed ECG must be decompressed before performing human identification using present research on ECG based biometric techniques. This additional step of decompression creates a significant processing delay for identification task. This becomes an obvious burden on a system, if this needs to be done for a trillion of compressed ECG per hour by the hospital. Even though the hospital might be able to come up with an expensive infrastructure to tame the exuberant processing, for small intermediate nodes in a multihop network identification preceded by decompression is confronting. In this paper, we report a technique by which a person can be identified directly from his / her compressed ECG. This technique completely obviates the step of decompression and therefore upholds biometric identification less intimidating for the smaller nodes in a multihop network. The biometric template created by this new technique is lower in size compared to the existing ECG based biometrics as well as other forms of biometrics like face, finger, retina etc. (up to 8302 times lower than face template and 9 times lower than existing ECG based biometric template). Lower size of the template substantially reduces the one-to-many matching time for biometric recognition, resulting in a faster biometric authentication mechanism.
arXiv: Cryptography and Security | 2014
Adnan Anwar; Abdun Naser Mahmood
In recent years, Information Security has become a notable issue in the energy sector. After the invention of 'The Stuxnet worm' [1] in 2010, data integrity, privacy and confidentiality have received significant importance in the real-time operation of the control centres. New methods and frameworks are being developed to protect National Critical Infrastructures like the energy sector. In the recent literature, it has been shown that the key real-time operational tools (e.g., State Estimator) of any Energy Management System (EMS) are vulnerable to Cyber Attacks. In this chapter, one such cyber attack named 'False Data Injection Attack' is discussed. A literature review with a case study is considered to explain the characteristics and significance of such data integrity attacks.