André Årnes
Norwegian University of Science and Technology
Publications
Featured research published by André Årnes.
Computational Intelligence and Security | 2005
André Årnes; Karin Sallhammar; Kjetil Haslum; Tønnes Brekne; Marie Elisabeth Gaup Moe; Svein Johan Knapskog
This paper considers a real-time risk assessment method for information systems and networks based on observations from network sensors such as intrusion detection systems. The system risk is dynamically evaluated using hidden Markov models, providing a mechanism for handling data from sensors with different trustworthiness in terms of false positives and negatives. The method provides a higher level of abstraction for monitoring network security, suitable for risk management and intrusion response applications.
Recent Advances in Intrusion Detection | 2006
André Årnes; Fredrik Valeur; Giovanni Vigna; Richard A. Kemmerer
Security-oriented risk assessment tools are used to determine the impact of certain events on the security status of a network. Most existing approaches are generally limited to manual risk evaluations that are not suitable for real-time use. In this paper, we introduce an approach to network risk assessment that is novel in a number of ways. First of all, the risk level of a network is determined as the composition of the risks of individual hosts, providing a more precise, fine-grained model. Second, we use Hidden Markov models to represent the likelihood of transitions between security states. Third, we tightly integrate our risk assessment tool with an existing framework for distributed, large-scale intrusion detection, and we apply the results of the risk assessment to prioritize the alerts produced by the intrusion detection sensors. We also evaluate our approach on both simulated and real-world data.
Privacy Enhancing Technologies | 2005
Tønnes Brekne; André Årnes; Arne Øslebø
In our search for anonymization solutions for passive measurement data in the context of the LOBSTER passive network monitoring project, we discovered attacks against two initially promising candidates for IP address anonymization. We present a suite of three algorithms employing packet injection and frequency analysis, which can compromise individual addresses protected with prefix-preserving anonymization in multilinear time. We present two algorithms to counter our attacks. These methods support gradual release of topological information, as required by some applications. We also introduce an algorithm that strengthens some hash-based anonymization methods.
Computational Intelligence and Security | 2006
Kjetil Haslum; André Årnes
The use of tools for monitoring the security state of assets in a network is an essential part of network management. Traditional risk assessment methodologies provide a framework for manually determining the risks of assets, and intrusion detection systems can provide alerts regarding security incidents, but these approaches do not provide a real-time, high-level overview of the risk level of assets. In this paper we further extend a previously proposed real-time risk assessment method to facilitate more flexible modeling with support for a wide range of sensors. Specifically, the paper develops a method for handling continuous-time sensor data and for determining a weighted aggregate of multi-sensor input.
International Conference on Detection of Intrusions and Malware and Vulnerability Assessment | 2006
André Årnes; Paul Haas; Giovanni Vigna; Richard A. Kemmerer
This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis of the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate forensic testing of a digital crime using minimal resources. Although a reconstruction can neither prove a hypothesis with absolute certainty nor exclude the correctness of other hypotheses, a standardized environment, such as ViSe, combined with event reconstruction and testing, can lend credibility to an investigation and can be a great asset in court.
Journal in Computer Virology | 2007
André Årnes; Paul Haas; Giovanni Vigna; Richard A. Kemmerer
This paper presents ViSe, a virtual security testbed, and demonstrates how it can be used to efficiently study computer attacks and suspect tools as part of a computer crime reconstruction. Based on a hypothesis of the security incident in question, ViSe is configured with the appropriate operating systems, services, and exploits. Attacks are formulated as event chains and replayed on the testbed. The effects of each event are analyzed in order to support or refute the hypothesis. The purpose of the approach is to facilitate reconstruction experiments in digital forensics. Two examples are given to demonstrate the approach; one overview example based on the Trojan defense and one detailed example of a multi-step attack. Although a reconstruction can neither prove a hypothesis with absolute certainty nor exclude the correctness of other hypotheses, a standardized environment, such as ViSe, combined with event reconstruction and testing, can lend credibility to an investigation and can be a great asset in court.
Cryptology and Network Security | 2005
Lasse Øverlier; Tønnes Brekne; André Årnes
This paper presents a scheme for transaction pseudonymization of IP address data in a distributed passive monitoring infrastructure. The approach provides high resistance against traffic analysis and injection attacks, and it provides a technique for gradual release of data through a key management scheme. The scheme is non-expanding, and it should be suitable for hardware implementations for high-bandwidth monitoring systems.
Cluster Computing | 2017
Kristoffer Jensen; Hai Thanh Nguyen; Thanh van Do; André Årnes
Both the telecommunication networks and the mobile communication networks are using the Signaling System No. 7 (SS7) as the nervous system. It allows mobile users to communicate using SMS and phone calls, manage billing for operators and much more. Primarily, it is a set of protocols that allows telecommunication network elements to communicate, collaborate and deliver services to its users. Deregulation and migration to IP have made SS7 vulnerable to serious attacks such as location tracking of subscribers, interception of calls and SMS, fraud, and denial of services. Unfortunately, current protection measures such as firewalls, filters, and blacklists are not able to provide adequate protection of SS7. In this paper, a method for detection of SS7 attacks using big data analytics and machine learning is proposed. The paper clarifies the vulnerabilities of SS7 networks and explains how the proposed techniques can help improve SS7 security. A proof-of-concept SS7 protection system based on big data techniques and machine learning is also described thoroughly.
International Conference on IT Convergence and Security (ICITCS) | 2016
Kristoffer Jensen; Thanh van Do; Hai Thanh Nguyen; André Årnes
Deregulation and migration to IP have made SS7 vulnerable to serious attacks such as location tracking of subscribers, interception of calls and SMS, fraud, and denial of services. Unfortunately, current protection measures such as firewalls, filters, and blacklists are not able to provide adequate protection of SS7. In this paper, a method for detection of SS7 attacks using machine learning is proposed. The paper clarifies the vulnerabilities of SS7 networks and explains how machine learning techniques can help improve SS7 security. A proof-of-concept SS7 protection system using machine learning is also described thoroughly.
Communications and Computer Networks | 2005
Tønnes Brekne; André Årnes