Publication


Featured research published by Claudio Mazzariello.


Information Fusion | 2009

Information fusion for computer security: State of the art and open issues

Igino Corona; Giorgio Giacinto; Claudio Mazzariello; Fabio Roli; Carlo Sansone

In this paper, we critically review the issue of information fusion for computer security, both in terms of problem formulation and in terms of state-of-the-art solutions. We also analyze main strengths and weaknesses of currently used approaches and propose some research issues that should be investigated in the future.


International Conference on Enterprise Information Systems | 2007

REAL TIME DETECTION OF NOVEL ATTACKS BY MEANS OF DATA MINING TECHNIQUES

Marcello Esposito; Claudio Mazzariello; Francesco Oliviero; Simon Pietro Romano; Carlo Sansone

Rule-based Intrusion Detection Systems (IDS) rely on a set of rules to discover attacks in network traffic. Such rules are usually hand-coded by a security administrator and statically detect one or few attack types: minor modifications of an attack may result in detection failures. For that reason, signature based classification is not the best technique to detect novel or slightly modified attacks. In this paper we approach this problem by extracting a set of features from network traffic and computing rules which are able to classify such traffic. Such techniques are usually employed in off line analysis, as they are very slow and resource-consuming. We want to assess the feasibility of a detection technique which combines the use of a common signature-based intrusion detection system and the deployment of a data mining technique. We will introduce the problem, describe the developed architecture and show some experimental results to demonstrate the usability of such a system.


International Conference on Neural Information Processing | 2013

Multiple Classifier Systems: Theory, Applications and Tools

Francesco Gargiulo; Claudio Mazzariello; Carlo Sansone

In many Pattern Recognition applications, the achievement of acceptable recognition rates is conditioned by the large pattern variability, whose distribution cannot be simply modeled.


International Conference on Image Analysis and Processing | 2009

Anomaly-Based Detection of IRC Botnets by Means of One-Class Support Vector Classifiers

Claudio Mazzariello; Carlo Sansone

The complexity of modern cyber attacks urges for the definition of detection and classification techniques more sophisticated than those based on the well known signature detection approach. As a matter of fact, attackers try to deploy armies of controlled bots by infecting vulnerable hosts. Such bots are characterized by complex executable command sets, and take part in cooperative and coordinated attacks. Therefore, an effective detection technique should rely on a suitable model of both the envisaged networking scenario and the attacks targeting it. We will address the problem of detecting botnets, by describing a behavioral model, for a specific class of network users, and a set of features that can be used in order to identify botnet-related activities. Tests performed by using an anomaly-based detection scheme on a set of real network traffic traces confirmed the effectiveness of the proposed approach.


Reliability Engineering & System Safety | 2018

SIL2 assessment of an Active/Standby COTS-based Safety-Related system

Giovanni Mazzeo; Luigi Coppolino; Salvatore D’Antonio; Claudio Mazzariello; Luigi Romano

The need of reducing costs and shortening development time is resulting in a more and more pervasive use of Commercial-Off-The-Shelf components also for the development of Safety-Related systems, which traditionally relied on ad-hoc design. This technology trend exacerbates the inherent difficulty of satisfying – and certifying – the challenging safety requirements imposed by safety certification standards, since the complexity of individual components (and consequently of the overall system) has increased by orders of magnitude. To bridge this gap, this paper proposes an approach to safety certification that is rigorous while also practical. The approach is hybrid, meaning that it effectively combines analytical modeling and field measurements. The techniques are presented and the results validated with respect to an Active/Standby COTS-Based industrial system, namely the Train Management System of Hitachi-Ansaldo STS, which has to satisfy Safety Integrity Level 2 requirements. A modeling phase is first used to identify COTS safety bottlenecks. For these components, a mitigation strategy is proposed, and then validated in an experimental phase that is conducted on the real system. The study demonstrates that with a relatively little effort we are able to configure the target system in such a way that it achieves SIL2.


International Conference on Communications | 2013

Online IRC botnet detection using a SOINN classifier

Francesco Carpine; Claudio Mazzariello; Carlo Sansone

IRC botnets have been rapidly growing in number, in infected network hosts, and, most of all, in size of caused damages. Hence, there is the need of a real-time detection solution, as accurate as possible; the earlier a botnet is discovered, the smaller will be its potential impact. In order to tackle these issues, our approach to IRC Botnet detection considers both the online context and the time consumption problem. In particular, we use both statistical and digrams-based features to build a two-class behavioral model. Then, we set up a fast detection engine based on an unsupervised incremental learning method. Several tests performed on real data (botnet and non-botnet IRC channels) revealed the effectiveness of the entire proposed solution.


Computer Recognition Systems | 2007

A Self-training Approach for Automatically Labeling IP Traffic Traces

Francesco Gargiulo; Claudio Mazzariello; Carlo Sansone

Many approaches have been proposed so far to tackle computer network security. Among them, several systems exploit Pattern Recognition techniques, by regarding malicious behavior detection as a classification problem.


International Conference on Pattern Recognition | 2005

Using behavior knowledge space and temporal information for detecting intrusions in computer networks

Luigi P. Cordella; I. Finizio; Claudio Mazzariello; Carlo Sansone

Pattern Recognition (PR) techniques have proven their ability for detecting malicious activities within network traffic. Systems based on multiple classifiers can further enforce detection capabilities by combining and correlating the results obtained by different sources. An aspect often disregarded in PR approaches dealing with the intrusion detection problem is the use of temporal information. Indeed, an attack is typically carried out along a set of consecutive network packets; therefore, a PR system could improve its reliability by examining sequences of network connections before expressing a decision. In this paper we present a system that uses a multiple classifier approach together with temporal information about the network packets to be classified. In order to improve classification reliability, we introduce the concept of rejection: instead of emitting an unreliable verdict, an ambiguously classified packet can be logged for further analysis. The proposed system has been tested on a wide database made up of real network traffic traces.


International Conference on Image Analysis and Processing | 2005

Combining genetic-based misuse and anomaly detection for reliably detecting intrusions in computer networks

I. Finizio; Claudio Mazzariello; Carlo Sansone

When addressing the problem of detecting malicious activities within network traffic, one of the main concerns is the reliability of the packet classification. Furthermore, a system able to detect the so-called zero-day attacks is desirable. Pattern recognition techniques have proven their generalization ability in detecting intrusions, and systems based on multiple classifiers can enforce the detection reliability by combining and correlating the results obtained by different classifiers. In this paper we present a system exploiting genetic algorithms for deploying both a misuse-based and an anomaly-based classifier. Hence, by suitably combining the results obtained by means of such techniques, we aim at attaining a highly reliable classification system, still with a significant degree of new attack prediction ability. In order to improve classification reliability, we introduce the concept of rejection: instead of emitting an unreliable verdict, an ambiguous packet can be logged for further analysis. Tests of the proposed system on a standard database for benchmarking intrusion detection systems are also reported.


Conference on Risks and Security of Internet and Systems | 2010

Performance assessment of a distributed intrusion detection system in a real network scenario

Salvatore D'Antonio; Valerio Formicola; Claudio Mazzariello; Francesco Oliviero; Simon Pietro Romano

The heterogeneity and complexity of modern networks and services urge the requirement for flexible and scalable security systems, which can be dynamically configured to suit the ever-changing nature of security threats and user behavior patterns. In this paper we present a distributed architecture for an Intrusion Detection System, allowing for traffic analysis at different granularity levels, performed by using the best available techniques. Such architecture leverages the principle of separation of concerns, and hence proposes to build up a system comprising entities specialized in performing different tasks, appropriately orchestrated by a broker entity playing the crucial role of the mediator. This paper stresses the point that a distributed system, besides being inherently more scalable than a centralized one, allows for better detection capabilities thanks to the effective exploitation of the inner heterogeneity of the involved detection engines. In order to support our findings, we will describe the design, implementation and deployment of the proposed solution in the framework of the INTERSECTION FP7 European Project.

Collaboration

Top Co-Authors

Carlo Sansone (University of Naples Federico II)

Francesco Oliviero (University of Naples Federico II)

Francesco Gargiulo (University of Naples Federico II)

Simon Pietro Romano (Information Technology University)

Salvatore D'Antonio (University of Naples Federico II)

Fabio Roli (University of Cagliari)

Giovanni Mazzeo (University of Naples Federico II)

Luigi Coppolino (University of Naples Federico II)