Bahari Belaton

False positives reduction via intrusion alert quality framework

Existing security monitoring sensors such as IDS/IPS, firewalls, filtering routers, and others often record logs and subsequently generate alerts to warn security analysts of what is perceived as posing security threat to the environment or organization they are monitoring. Unfortunately, these logs and alerts are not only huge in number but also poor in data quality i.e. containing false logs/alerts. This in turn poses two main challenges to higher-level operations; first computationally efficient algorithms are needed to process and shift through large unverified logs and alerts. Second is the need to develop algorithms that avoid making wrong conclusions due to poor quality logs and alerts. In this paper, we implement intrusion alert quality framework to reduce false positive alerts in IDS. Using this framework, we enrich each alert with quality parameters such as correctness, accuracy, reliability, and sensitivity. To compliment this effort, we normalize the enriched alerts in the IDMEF format. In this form (enriched and normalized), higher level operations are given the option to utilize the quality parameters values tagged in the alerts in their core operations in order to produce good conclusions. Finally, we demonstrate the efficacy of the framework in reducing false positive alerts using DARPA 2000 network traffic.

ICMPv6-Based DoS and DDoS Attacks and Defense Mechanisms: Review

ABSTRACT The number of internet users and devices that are in need for more IP addresses to be assigned to them is rapidly increasing. A new protocol named IPv6 was developed in 1998 to overcome the addressing issue and to improve network communications in general. IPv6 is an improved protocol compared to IPv4 in terms of security since it provides built-in security mechanisms, such as IPSec. In addition, it brought new functionalities, such as Neighbour Discovery Protocol (NDP) procedure, which depends on Internet Control Message Protocol version 6 (ICMPv6) protocol messages. However, IPv6 inherited a number of attacks from IPv4 in addition to new attacks it brought within its new features. One of the most common attacks is the Denial of Service (DoS) attack due to its ease of being launched in different ways. A more serious DoS attack can be launched from many hosts called Distributed Denial of Service (DDoS). DoS and DDoS attacks are thorny and a grave problem of todays internet, resulting in economic damages for organizations and individuals. Therefore, this paper is created to study the properties of DoS and DDoS attacks against IPv6 networks using ICMPv6 messages. Additionally, it analyzes the various existing detection and prevention approaches that are proposed to tackle ICMPv6-based DoS and DDoS attacks. Moreover, it explains the existing tools that might be used for performing these attacks.

Towards implementing intrusion alert quality framework

Security alerts high-level reasoning efforts such as alert filtering and intrusion alert correlation are initiatives to solve security data flooding and high false positive alert rates. These efforts decrease the volume of the security data, marginally reduce the false positive rate, and improve the attack-detection rate. Although the results of these efforts have been encouraging, there are still weaknesses partly due to data quality problems. This paper works on the premise that a quality input data should in theory help in producing good results. Thus, the aim of this paper is to propose an intrusion alert quality framework that addresses alert preparation stage for high-level reasoning by enriching and enhancing the alerts with quality parameters, and then encoding these enriched alerts in the IDMEF format. In this format, the enriched alerts are readily usable by high-level reasoning operations.

A K-means Based Generic Segmentation System

This paper presents a creative general purpose segmentation system, potentially capable of object extraction from RGB images. The segmentation takes place by initially performing K-means clustering and then recombination. K-means algorithm uses RGB color values, diagonal busyness factor (sum of color differences among central and diagonal pixels) and epsilon spatiality factor (sum of Euclidian distances of pixels belonging to a particular cluster from their cluster center) as its clustering parameters in order to produce optionally compact or loose clusters representative of inherent color and texture. In addition, three different distribution methods are introduced to initialize central points and therefore improve the clustering accuracy. The methods are evenly spaced values, random values and evenly spaced samples respectively. In evenly spaced values, clusters (central points) are evenly distributed along the range of RGB colors available with in the image so that each cluster may partially represent a sub range of the total range of colors available with in the image. In random values, the distribution of clusters (central points) is not even. To define a central point an RGB color is randomly selected from the range of RGB colors available with in the image. In evenly spaced samples the distribution of clusters (central points) is based on X and Y (width and height) coordinates rather than color. To obtain an even distribution, total number of image pixels are calculated and then divided by the number of clusters (central points). Recombination is performed by scanning the neighborhood of each pixel in eight connected directions and determining the class (cluster) to which majority of neighbors belong. The class of central pixel (the pixel whose neighborhood is scanned) is then changed to the class (cluster) that majority of neighbors belong.

A Visual Analytics Framework for the Examination Timetabling Problem

The research aspiration is to develop a visual framework for the examination timetabling problem. To perform the task we identified visual analytics as a multi-disciplinary field, directly supports the timetable designers, assist with visual metaphors, patterns to make decisions. Here we deemed three stages on the problem domain. It deals with pre-processing, during the processing and post-processing; in each of the processes are with transaction on data which transform into timetables. These processes are interrelated with one another for any heuristic based, evolutionary algorithm guided timetabling systems. However, the importance aspect is the significance of visualization among the three processes and how it contributes in each process. This paper discuss two aspects, it wraps the framework with literature and an implication on the pre-processing through visualizing data and knowledge with graph visualization.

Intrusion Detection Systems of ICMPv6-based DDoS attacks

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are thorny and a grave problem of today’s Internet, resulting in economic damages for organizations and individuals. DoS and DDoS attacks that are using Internet Control Message Protocol version six (ICMPv6) messages are the most common attacks against the Internet Protocol version six (IPv6). They are common because of the necessary inclusion of the ICMPv6 protocol in any IPv6 network to work properly. Intrusion Detection Systems (IDSs) of the Internet Protocol version four (IPv4) can run in an IPv6 environment, but they are unable to solve its security problems such as ICMPv6-based DDoS attacks due to the new characteristics of IPv6, such as Neighbour Discovery Protocol and auto-configuration addresses. Therefore, a number of IDSs have been either exclusively proposed to detect IPv6 attacks or extended from existing IPv4 IDSs to support IPv6. This paper reviews and classifies the detection mechanisms of the existing IDSs which are either proposed or extended to tackle ICMPv6-based DDoS attacks. To the best of the authors’ knowledge, it is the first review paper that explains and clarifies the problems of ICMPv6-based DDoS attacks and that classifies and criticizes the existing detection.

Effect of facial feature points selection on 3d face shape reconstruction using regularization

This paper aims to test the regularized 3D face shape reconstruction algorithm to find out how the feature points selection affect the accuracy of the 3D face reconstruction based on the PCA-model. A case study on USF Human ID 3D database has been used to study these effect. We found that, if the test face is from the training set, then any set of any number greater than or equal to the number of training faces can reconstruct exact 3D face. If the test face does not belong to the training set, it will hardly reconstruct the exact 3D face using 3D PCA-based models. However, it could reconstruct an approximate face shape depending on the number of feature points and the weighting factor. Furthermore, the accuracy of reconstruction by a large number of feature points (> 150) is relatively the same in all cases even with different locations of points on the face. The regularized algorithm has also been tested to reconstruct 3D face shapes from a number of feature points selected manually from real 2D face images. Some 2D images from CMU-PIE database have been used to visualize the resulted 3D face shapes.

A neural network-based point registration method for 3D rigid face image

Intelligent detection of human face image combined with the real-time video monitoring has been applied to improve the secure and protective possibility. The registration is an indispensible step before distinguishing the variation among the images. Neural network (NN) has a strong learning ability from a mass unstructured point cloud even containing noisy data. Neural network has been applied to register 3D reconstructed ear data and 3D surface of bunny and to achieve the better results. Motivated by this idea, NN-based registration method for 3D rigid face image is proposed. This paper presented the proof process of obtaining rotation matrix and translation vector according to the training process of neural network. Then the measure index of registration performance was provided. The elaborate experiments were conducted on the 3D USF face database (provided by the University of South Florida) to verify the effectiveness of neural network as a registration method. Next, two comparisons were performed, one group was NN-based and ICP-based registration methods and the other group was our proposed NN-based and other NN-based registration methods. The experimental results showed that neural network is a robust and potential registration method for rigid face image registration. Furthermore, our proposed NN-based registration method is extended easily to do 2D-to-3D registration and non-rigid face registration.

Adaptive face modelling for reconstructing 3D face shapes from single 2D images

Example-based statistical face models using principle component analysis (PCA) have been widely deployed for three-dimensional (3D) face reconstruction and face recognition. The two common factors that are generally concerned with such models are the size of the training dataset and the selection of different examples in the training set. The representational power (RP) of an example-based model is its capability to depict a new 3D face for a given 2D face image. The RP of the model can be increased by correspondingly increasing the number of training samples. In this contribution, a novel approach is proposed to increase the RP of the 3D face reconstruction model by deforming a set of examples in the training dataset. A PCA-based 3D face model is adapted for each new near frontal input face image to reconstruct the 3D face shape. Further an extended Tikhonov regularisation method has been employed to reconstruct 3D face shapes from a set of facial points. The results justify that the proposed adaptive PCA-based model considerably improves the RP of the standard PCA-based model and outperforms it with a 95% confidence level.

A Robust Subset-ICP Method for Point Set Registration

Iterative Closest Point (ICP) is a popular point set registration method often used for rigid registration problems. Because of all points in ICP-based method are processed at each iteration to find their correspondences, the methods performance is bounded by this constraint. This paper introduces an alternative ICP-based method by considering only subset of points whose boundaries are determined by the context of the inputs. These subsets can be used to sufficiently derive spatial mapping of points correspondences between the source and target set even if points have been missing or modified slightly in the target set. A brief description of this method is followed by a comparative analysis of its performance against two ICP-based methods, followed by some experiments on its subsets sensitivity and robustness against noise.