Denise Ferebee

Monitoring security events using integrated correlation-based techniques

We propose an adaptive cyber security monitoring system that integrates a number of component techniques to collect time-series situation information, perform intrusion detection, and characterize and identify security events so corresponding defense actions can be taken in a timely and effective manner. We employ a decision fusion algorithm with analytically proven performance guarantee for intrusion detection based on local votes from distributed sensors. The security events in the proposed system are represented as forms of correlation networks using random matrix theory and identified through the computation of network similarity measurement. Extensive simulation results on event identification illustrate the efficacy of the proposed system.

Visualization of security events using an efficient correlation technique

The timely and reliable data transfer required by many networked applications necessitates the development of comprehensive security solutions to monitor and protect against an increasing number of malicious attacks. However, providing complete cyber space situation awareness is extremely challenging because of the lack of effective translation mechanisms from low-level situation information to high-level human cognition for decision making and action support. We propose an adaptive cyber security monitoring system that integrates a number of component techniques to collect time-series situation information, perform intrusion detection, keep track of event evolution, characterize and identify security events, and present a visual representation in order to provide comprehensive situational view so that corresponding defense actions can be taken in a timely and effective manner. We explore the principles of designing and applying appropriate visualization techniques for situation monitoring by defining graphical representations of security events. This differs from the traditional rule-based pattern matching techniques in that security events in the proposed system are represented as forms of correlation networks using random matrix theory and identified through the computation of network similarity measurement. The events and corresponding event types are visualized using a stemplot to show location and quantity. Extensive simulation results on event identification illustrate the efficacy of the proposed system.

G-NAS: A grid-based approach for negative authentication

Surveys show that more than 80% authentication systems are password based and these systems are increasingly under direct and indirect attacks. In an effort to protect the Positive Authentication System (PAS), the negative authentication concept was introduced [9]. Here, the representation space of password profile is called self-region; any element outside this self-region is defined as the non-self-region. Then anti-password detectors (clusters) are generated covering most of the non-self-region while leaving some space uncovered to reduce detector generation time and obfuscation. In this work, we investigate a Grid-based NAS approach, called G-NAS, where anti-password detectors are generated deterministically. This approach allows faster detector generation compared to previous NAS approaches. We reported some experimental results of G-NAS using different real-world password datasets. Results demonstrate the efficiency of the proposed approach and exhibited significant improvements compared to NAS approaches. It appears to be more robust and scalable with respect to the size of password profiles and able to update of detector sets on-the-fly.

Applying Puzzle-Based Learning to Cyber-Security Education

Cyber-enabled devices are becoming more and more complex with integration of new capabilities and functionalities, both in software and hardware, making it very difficult for users to realize that they are under cyber attack or the cause of data breach, etc. It is also well-known fact that vulnerabilities at one component can affect other components in any computing device. But it is hard to realize the interdependencies of various components in order to secure the entire path to in and out of a cyber system. Puzzle-based Learning approach proved to have improved learning environment including mathematics, physics and computer science, however, there is very little work has been done in computer and cyber security. We introduced the Puzzle-based Learning to basic cyber security education. We believe that such an interactive learning environment will help students to understand complex attack paths and countermeasures for fraud detection, cybercrime, and advanced persistent threats (APTs). Students can learn not only to protect a specific system but also for a class of Internet-enabled systems with different hardware/software components and architecture, providing similar services.

Security visualization: Cyber security storm map and event correlation

Efficient visualization of cyber incidents is the key in securing increasingly complex information infrastructure. Extrapolating security-related information from data from multiple sources can be a daunting task for organizations to maintain safe and secure operating environment. However, meaningful visualizations can significantly improve decision-making quality and help security administrators in taking rapid response. The purpose of this work is to explore this possibility by building on previously gained knowledge and understanding of weather maps used in meteorology, assessing the gaps, and applying various techniques and matrices to quantify the impacts of cyber incidences in an efficient way.

Consequences of Diminishing Trust in Cyberspace

The cyberspace has become an integral part of modern day life—social, economic, political, religious, medical and other aspects. Without the availability of the Internet today’s businesses, government and society cannot function properly. Moreover, different online social media and blogosphere are bringing people together, providing platforms to share their ideas and allowing their voices to be heard. Ideally, the cyberspace has no political, geographical or social boundaries; as a result it is promoting globalization and uniting people from all over the world. While the potential benefits of this interconnectivity are unlimited, this virtual world is also becoming hackers’ playground, underworld’s marketplace, nation-states’ battle ground, and a vehicle for propaganda and misinformation. In this paper, we argue that with the growing threat of coordinated attacks, release of complex malware and gradually diminished trust in freely-available information, the openness of the web and its global connectivity will no longer exist. Specifically, if this trend continues, the Internet will be partitioned, users will rely on information and news only through membership-based services, the information flow will be limited to geographical and political jurisdictions and will be highly regulated by governments, online businesses and critical knowledge will only be shared among alliance of friendly nations.

Design and implementation of Negative Authentication System

Modern society is mostly dependent on online activities like official or social communications, fund transfers and so on. Unauthorized system access is one of the utmost concerns than ever before in cyber systems. For any cyber system, robust authentication is an absolute necessity for ensuring security and reliable access to all type of transactions. However, more than 80% of the current authentication systems are password based, and surprisingly, they are prone to direct and indirect cracking via guessing or side channel attacks. The inspiration of Negative Authentication System (NAS) is based on the negative selection algorithm. In NAS, the password-based authentication data for valid users are termed as password profile or self-region (positive profile); any element other than the self-region is defined as non-self-region in the same representative space. The anti-password detectors are generated which covers most of the non-self-region. There are also some uncovered regions left in the non-self-region for inducing uncertainty to the attackers. In this work, we describe the design and implementation of three approaches of NAS and its efficacy over the other authentication methods. These three approaches represent three different ways to achieve obfuscation of password points with non-password space. The experiments are conducted with both real and simulated password profiles to justify the efficiency of different implementations of NAS.

Information assurance: a cyber security storm map

Cyber-security issues affect organisations at all levels. In this article, we will discuss how to apply a visualisation and event correlation tool to facilitate the analysis of data, understanding of data, and dissemination of information to all affected parties. The visualisation shows an overall view of security events or storms that are occurring on a network while providing information in reference to severity and a propagation pattern. The tool can potentially provide an early warning so that events or storms can be proactively mitigated. Thus, organisations can make business decisions by determining or understanding the relationship between the computing devices and the business/information technology services they make-up.

A Cyber-Security Storm MAP

When a cyber-security event occurs, a person has to answer the following questions: what events are happening, where are the events occurring, and how much damage has occurred or will occur. This paper recommends a cyber-security monitoring system that provides correlation of time-series event data, a visual representation of the security events, and gives a predictive forecast of potential events based on known environmental states. The rationale for this comes from the need to have an overall view of security events or storms that are occurring on a network while providing information in reference to severity and a propagation pattern. Thus, it can potentially provide an early warning so that events or storms can be proactively mitigated. In addition, it can help in making business decisions by determining or understanding the relationship between the computing devices and the business/information technology services they make up.

Enhancing Computer Security with Smart Technology [Book Review]

This book presents various methods for enhancing the enforcement of computer security. It consists of two parts and nine chapters. Among the topics covered are: basic issues with cyber trust; the need for firewalls; web application security; risk assessment; the relevance of machine learning in computer security; applying machine learning to intrusion detection; scanning and probing techniques; signature-based and anomaly IDs; artificial immune systems; and exploratory multivariate analysis for network security.