Anjali Sardana

Parallel Misuse and Anomaly Detection Model

In this paper a novel hybrid model is being proposed for misuse and anomaly detection. C4.5 based binary decision trees are used for misuse and CBA (Classification Based Association) based classifier is used for anomaly detection. Firstly, the C4.5 based decision tree separates the network traffic into normal and attack categories. The normal traffic is sent to anomaly detector and parallel attacks are sent to a decision trees based classifier for labelling with specific attack type. The CBA based anomaly detection is a single level classifier where as the decision trees based misuse detector is a sequential multi-level classifier which labels one attack at a time in a step by step manner. The model is trained and tested on two disjoint datasets provided in the KDD Cup 99. Results show that 99.995% misuse detection rate with an anomaly detection rate of 99.298% is achievable. The overall at-tack detection rate is 99.911% and false alarm ratio of the integrated model is 3.229%. To overcome the deficiencies in KDD 99 dataset, a new improved dataset is also proposed. The overall accuracy of integrated model trained on new dataset is 97.495% compared to 97.24% of the old dataset.

A Keyless Approach to Image Encryption

Maintaining the secrecy and confidentiality of images is a vibrant area of research, with two different approaches being followed, the first being encrypting the images through encryption algorithms using keys, the other approach involves dividing the image into random shares to maintain the images secrecy. Unfortunately heavy computation cost and key management limit the employment of the first approach and the poor quality of the recovered image from the random shares limit the applications of the second approach. In this paper we propose a novel approach without the use of encryption keys. The approach employs Sieving, Division and Shuffling to generate random shares such that with minimal computation, the original secret image can be recovered from the random shares without any loss of image quality.

Detection and Honeypot Based Redirection to Counter DDoS Attacks in ISP Domain

The inherent vulnerabilities in TCT/IP architecture give dearth of opportunities to DDoS attackers. The array of schemes proposed for detection of these attacks in real time is either targeted towards low rate attacks or high bandwidth attacks. Tresence of low rate attacks leads to graceful degradation of QoS in the network thus making them further undetectable. In this paper, we propose a scheme that uses three lines of defense. The first line of defense is towards detecting the presence of low rate as well as high bandwidth attacks based on entropy variations in small time windows. The second line of defense identifies and tags attack flows in real time. The last line of defense is redirecting the attack flows to honeypot server that responds in contained manner to the attack flows, thus providing deterrence and maintaining QoS at ISP level. We validate the effectiveness of the approach with simulation in ns-2 on a Linux platform.

A PageRank based detection technique for phishing web sites

Phishing is an attempt to acquire ones information without users knowledge by tricking him by making similar kind of website or sending emails to user which looks like legitimate site or email. Phishing is a social cyber threat attack, which is causing severe loss of economy to the user, due to phishing attacks online transaction users are declining. This paper aims to design and implement a new technique to detect phishing web sites using Googles PageRank. Google gives a PageRank value to each site in the web. This work uses the PageRank value and other features to classify phishing sites from normal sites. We have collected a dataset of 100 phishing sites and 100 legitimate sites for our use. By using this Google PageRank technique 98% of the sites are correctly classified, showing only 0.02 false positive rate and 0.02 false negative rate.

An auto-responsive honeypot architecture for dynamic resource allocation and QoS adaptation in DDoS attacked networks

Distributed Denial of Service (DDoS) attacks generate flooding traffic from multiple sources towards selected nodes. Diluted low rate attacks lead to graceful degradation while concentrated high rate attacks leave the network functionally unstable. Previous approaches to such attacks have reached to a level where survivable systems effort to mitigate the effects of these attacks. However, even with such reactive mitigation approaches in place, network under DDoS attack becomes unstable and legitimate users in the network suffer in terms of increased response times and frequent network failures. Moreover, the Internet is dynamic in nature and the topic of automated responses to attacks has not received much attention. In this paper, we propose a proactive approach to DDoS in form of integrated auto-responsive framework that aims to restrict attack flow reach target and maintain stable network functionality even under attacked network. It combines detection and characterization with attack isolation and mitigation to recover networks from DDoS attacks. As first line of defense, our method uses high level specifications of entropy variations for legitimate interactions between clients and servers. The network generates optimized entropic detectors that monitor the behavior of flows to identify significant deviations. As the second line of defense, malicious flows are identified and directed to isolated zone of honeypots where they cannot cause any further damage to the network and legitimate flows are directed to a randomly selected server from pool of replicated servers. This approach leads the attacker to believe that they are succeeding in their attack, whereas in reality they are simply wasting time and resources. Service replication and attack isolation alone are not sufficient to mitigate the attacks. Limited network resources must be judiciously used when an attack is underway. Further, as third line of defense, we propose a Dynamic Honeypot Engine (DHE) modeled as a part of Honeypot Controller (HC) module that triggers the automatic generation of adequate nodes to service client requests and required number of honeypots that interact with attackers in contained manner. This load balancing in the network makes it attack tolerant. Legitimate clients, depending upon their trust levels built according to their monitored statistics, can track the actual servers for certain time period. Attack flows reaching honeypots are logged by Honeypot Data Repository (HDR). Most severe flows are punished by starting honeypot back propagation sessions and filtering them at the source as the last line of defense. The data collected on honeypots are used to isolate and filter present attack, if any and as an insight into future attack trends. The judicious mixture and self organization of servers and honeypots at different time intervals also guaranties promised QoS. We present the exhaustive parametric dependencies at various phases of attack and their regulation in real time to make the service network DDoS attack tolerant and insensitive to attack load. Results show that this auto-responsive network has the potential to maintain stable network functionality and guaranteed QoS even under attacks. It can be fine tuned according to the dynamically changing network conditions. We validate the effectiveness of the approach with analytical modeling on Internet type topology and simulation in ns-2 on a Linux platform.

Identity management framework for cloud based internet of things

Internet of Things is emerging as next generation technology with a vision of a connected world where everything is connected whether it is a person, a thing or a device. The connected things are able to exchange data including their identities, physical properties and information gathered from the environment. Hence they actively participate in decision making. The identification technologies like RFID have empowered the concept of Internet of Things by enabling the unique identification of things. The cloud computing technology has made the tasks of processing huge amount of data produced by the devices easier. But in order to make the system scalable, it must be able to handle the devices that are growing day by day. Hence there is a need of proper identity management. This paper discusses requirement of identity management and then presents a framework for identity management for Cloud based Internet of Things.

Defending against internet worms using honeyfarm

With new worms appearing at fast pace off late, conventional classification and defense techniques are not adequate to cover wide spectrum of recent worm attacks like stuxnet (2010), morto (June 2011), and DuQu (Oct 2011). Honeypots have been found to be effective for zero day threats, and recent trend for defending against worms leverages the advantages of honeypot alone, or honeypots combined with either signature or anomaly based detection. Although such honeypot based techniques are effective, they become resource intensive when multiple honeypot sensors are used. Moreover, the techniques suffer from one or more limitations of high false positives, false negatives, reduced sensitivity and specificity. In this paper we discuss a classification of worms which is more exhaustive compared to the earlier classifications. It includes recent worm attacks as well as gives a better and quicker understanding of the recent worm behavior aiding in the design of accurate defense mechanisms. Further a novel hybrid scheme is proposed that integrates anomaly and signature detection with honeypots. At first level we used Signature based detection, for known worm attacks, that makes the system operate in real time. Any deviation from the normal behavior can be easily detected by anomaly detector in second level. Last level is honeypots which helps in detecting zero day attacks. We leverage the advantage of honeyfarm by deploying honeypots and both the detectors in a resource efficient advantage. Controller redirects the traffic to the respective honeypots. To ensure the security of controller, the role of controller is alternated among the honeypots periodically. We validate the proposed scheme by deploying a realistic setup in local environment. Metasploit has been used to generate attack traffic. We compare our proposed scheme against various existing honeypot based defense mechanisms and observe an increase of 32.78% in the detection rate as well as a reduction of 33.3% in the false alarm rate. Our proposed model combines detection scheme (i.e. signature based and anomaly based) with containment scheme, taking the advantages of both and hence developing an effective defense against Internet worms.

Novel authentication system using visual cryptography

An array of encryption techniques has been proposed for providing data security. However, most of the traditional cryptography methods require complex algorithms for encryption and decryption. Visual cryptography is a technique which provides confidentiality without any cryptographic knowledge or complex computations. Visual information (e.g. printed text, hand-written notes, pictures, etc.) is encrypted by decomposing it into several images, called shares, in such a way that decryption can be done by human visual system with stacking of the shares. Some important goals while developing a Visual Cryptography scheme is to have (i)optimum number of shares, (ii)good quality of reconstructed image and (iii)keeping the size of share small. This paper aims to provide a comparative study of various Visual Cryptographic schemes based on pixel expansion, no of shares, size and quality of reconstructed image, etc and some real-life applications of visual cryptography. A new authentication system has been proposed which uses the technique of visual cryptography to improve the security level of existing schemes. The application of the system in financial domain is discussed.

Secure Private Cloud Architecture for Mobile Infrastructure as a Service

Cloud based systems have gained popularity over traditional systems owing to their advantages like cost effectiveness, pay per use, scalability and ease to upgrade. Market is dominated by various cloud vendors providing Infrastructure as a Service (IaaS). However threat to security in mobile IaaS based cloud environment prohibits the usage of services specially, in case of public cloud environment. In this paper we propose secure private cloud architecture for mobile infrastructure as a service. As a prototype service, we deploy a virtual research lab which provides infrastructure and computing resources dynamically in a secure way. The proposed secure private cloud architecture for the lab environment provides the cloud services along with mobility. Mobility gives the researcher the flexibility to access cloud services on their mobile devices anywhere and anytime. We analyse the proposed architecture using a prototype on OpenNebula platform and compare it with traditional computational infrastructure. Results show that our architecture is capable to support 84% more users.

A fingerprinting system calls approach for intrusion detection in a cloud environment

Cloud Computing envisioned as the next generation architecture for IT enterprises, has proliferated itself due to the advantages it provides. Cloud Computing provides solutions for carrying out efficient, scalable and low cost computing. Due to the distributed nature of cloud based system, it is vulnerable to a large category of attacks out of which VM based attacks are most common. To counter these attacks we need Intrusion Detection System (IDS), which is used to monitor network traffic and policy violations from unauthorized users. Anomaly Detection is a technique of Intrusion Detection, which is used to detect intrusions by monitoring system activity and finding out patterns that do not comply with the normal behavior. In this paper an approach for anomaly detection in cloud environment is presented, which is based upon analysis of system call sequences generated by the virtual machines to the hypervisor. Our proposed implementation prevents malicious VM users to modify well known frequently executed programs.