
Publication


Featured research published by Dong Seong Kim.


International Conference on Information Networking | 2003

Network-Based Intrusion Detection with Support Vector Machines

Dong Seong Kim; Jong Sou Park

This paper proposes a method of applying Support Vector Machines to a network-based Intrusion Detection System (SVM IDS). Support vector machines (SVM) is a learning technique which has been successfully applied in many application areas. Intrusion detection can be considered as a two-class classification problem or a multi-class classification problem. We used the dataset from the 1999 KDD intrusion detection contest. SVM IDS was trained with the training set and tested with test sets to evaluate the performance of SVM IDS against novel attacks. We also evaluate the importance of each feature to improve the overall performance of the IDS. The results of experiments demonstrate that applying SVM in an Intrusion Detection System can be an effective and efficient way of detecting intrusions.


Pacific Rim International Symposium on Dependable Computing | 2010

End-to-End Performability Analysis for Infrastructure-as-a-Service Cloud: An Interacting Stochastic Models Approach

Rahul Ghosh; Kishor S. Trivedi; Vijay K. Naik; Dong Seong Kim

Handling diverse client demands and managing unexpected failures without degrading performance are two key promises of a cloud delivered service. However, evaluation of cloud service quality becomes difficult as the scale and complexity of a cloud system increases. In a cloud environment, a service request from a user goes through a variety of provider-specific processing steps from the instant it is submitted until the service is fully delivered. Measurement-based evaluation of cloud service quality is expensive, especially if many configurations, workload scenarios, and management methods are to be analyzed. To overcome these difficulties, in this paper we propose a general analytic model based approach for an end-to-end performability analysis of a cloud service. We illustrate our approach using Infrastructure-as-a-Service (IaaS) cloud, where service availability and provisioning response delays are two key QoS metrics. A novelty of our approach is in reducing the complexity of analysis by dividing the overall model into sub-models and then obtaining the overall solution by iteration over individual sub-model solutions. In contrast to a single one-level monolithic model, our approach yields a high fidelity model that is tractable and scalable. Our approach and underlying models can be readily extended to other types of cloud services and are applicable to public, private and hybrid clouds.


Security and Communication Networks | 2012

Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees

Arpan Roy; Dong Seong Kim; Kishor S. Trivedi

Attack tree (AT) is one of the widely used non-state-space models for security analysis. The basic formalism of AT does not take into account defense mechanisms. Defense trees (DTs) have been developed to investigate the effect of defense mechanisms using measures such as attack cost, security investment cost, return on attack (ROA), and return on investment (ROI). DT, however, places defense mechanisms only at the leaf nodes and the corresponding ROI/ROA analysis does not incorporate the probabilities of attack. In attack response tree (ART), attack and response are both captured but ART suffers from the problem of state-space explosion, since solution of ART is obtained by means of a state-space model. In this paper, we present a novel attack tree paradigm called attack countermeasure tree (ACT) which avoids the generation and solution of a state-space model and takes into account attacks as well as countermeasures (in the form of detection and mitigation events). In ACT, detection and mitigation are allowed not just at the leaf node but also at the intermediate nodes while at the same time the state-space explosion problem is avoided in its analysis. We study the consequences of incorporating countermeasures in the ACT using three case studies (ACT for BGP attack, ACT for a SCADA attack and ACT for malicious insider attacks).


Design of Reliable Communication Networks | 2009

Dependability and security models

Kishor S. Trivedi; Dong Seong Kim; Arpan Roy; Deep Medhi

There is a need to quantify system properties methodically. Dependability and security models have evolved nearly independently. Therefore, it is crucial to develop a classification of dependability and security models which can meet the requirements of professionals in both the fault-tolerant computing and security communities. In this paper, we present a new classification of dependability and security models. First we present the classification of threats and mitigations in systems and networks. Then we present several individual model types such as availability, confidentiality, integrity, performance, reliability, survivability, safety and maintainability. Finally we show that each model type can be combined and represented by one of the model representation techniques: combinatorial (such as reliability block diagrams (RBD), reliability graphs, fault trees, attack trees), state-space (continuous time Markov chains, stochastic Petri nets, fluid stochastic Petri nets, etc.) and hierarchical (e.g., fault trees in the upper level and Markov chains in the lower level). We show case studies for each individual model type as well as composite model types.


Dependable Systems and Networks | 2012

Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees

Arpan Roy; Dong Seong Kim; Kishor S. Trivedi

Constraints such as limited security investment cost preclude a security decision maker from implementing all possible countermeasures in a system. Existing analytical model-based security optimization strategies do not prevail for the following reasons: (i) none of these model-based methods offer a way to find an optimal security solution in the absence of probability assignments to the model, (ii) methods scale badly as the size of the system to model increases and (iii) some methods suffer as they use attack trees (AT) whose structure does not allow for the inclusion of countermeasures while others translate the non-state-space model (e.g., attack response tree) into a state-space model, hence causing state-space explosion. In this paper, we use a novel AT paradigm called attack countermeasure tree (ACT) whose structure takes into account attacks as well as countermeasures (in the form of detection and mitigation events). We use greedy and branch and bound techniques to study several objective functions with goals such as minimizing the number of countermeasures, security investment cost in the ACT and maximizing the benefit from implementing a certain countermeasure set in the ACT under different constraints. We cast each optimization problem into an integer programming problem which also allows us to find an optimal solution even in the absence of probability assignments to the model. Our method scales well for large ACTs and we compare its efficiency with other approaches.


2010 IEEE Second International Workshop on Software Aging and Rejuvenation | 2010

Modeling and analysis of software rejuvenation in a server virtualized system

Fumio Machida; Dong Seong Kim; Kishor S. Trivedi

As server virtualization is used as an essential software infrastructure of various software services such as cloud computing, availability management of server virtualized system is becoming more significant. Although time-based software rejuvenation is useful to postpone/prevent failures due to software aging in a server virtualized system, the rejuvenation schedules for virtual machine (VM) and virtual machine monitor (VMM) need to be determined in a proper way for the VM availability, since VMM rejuvenation affects VMs running on the VMM. This paper presents analytic models using stochastic reward nets for three time-based rejuvenation techniques of VMM; (i) Cold-VM rejuvenation in which all VMs are shut down before the VMM rejuvenation, (ii) Warm-VM rejuvenation in which all VMs are suspended before the VMM rejuvenation and (iii) Migrate-VM rejuvenation in which all VMs are moved to the other host server during the VMM rejuvenation. We compare the three techniques in terms of steady-state availability and the number of transactions lost in a year. We find the optimal combination of rejuvenation trigger intervals for each rejuvenation technique by a gradient search method. The numerical analysis shows the interesting result that Warm-VM rejuvenation does not always outperform Cold-VM rejuvenation in terms of steady-state availability depending on rejuvenation trigger intervals. Migrate-VM rejuvenation is better than the other two as long as live VM migration rate is large enough and the other host server has a capacity to accept the migrated VM.


Availability, Reliability and Security | 2006

A framework of survivability model for wireless sensor network

Dong Seong Kim; Khaja Mohammad Shazzad; Jong Sou Park

A wireless sensor network (WSN) should be capable of fulfilling its mission, in a timely manner, in the middle of intrusion, attacks, accidents and failures in a hostile environment. However, current security mechanisms for WSN are able to satisfy confidentiality, integrity, and authentication properties using cipher algorithms, key management schemes, and so on, but they are not enough to meet the above requirements. Therefore, we propose a framework of survivability model for WSN. Our model adopts software rejuvenation methodology, which is applicable in the security field and also less expensive. We model and analyze each cluster of a hierarchical cluster based WSN as a stochastic process based on semi-Markov process (SMP) and discrete-time Markov chain (DTMC). The model analysis indicates the feasibility of our approach.


International Symposium on Neural Networks | 2005

Fusions of GA and SVM for anomaly detection in intrusion detection system

Dong Seong Kim; Ha-Nam Nguyen; Syng-Yup Ohn; Jong Sou Park

Increasing the detection rates and reducing false positive rates are important problems in Intrusion Detection Systems (IDS). These problems can be viewed as optimization problems for features and parameters for a detection model in IDS. This paper proposes fusions of Genetic Algorithm (GA) and Support Vector Machines (SVM) for efficient optimization of both features and parameters for detection models. Our method provides an optimal anomaly detection model which is capable of minimizing the number of features and maximizing the detection rates. In experiments, we show that the proposed method is an efficient way of selecting important features as well as optimizing the parameters for the detection model, and provides more stable detection rates.


Symposium on Reliable Distributed Systems | 2011

Candy: Component-based Availability Modeling Framework for Cloud Service Management Using SysML

Fumio Machida; Ermeson C. Andrade; Dong Seong Kim; Kishor S. Trivedi

High-availability assurance of cloud service is a critical and challenging issue for cloud service providers. To quantify the availability of cloud services from both architectural and operational points of views, availability modeling and evaluation are essential. This paper presents a component-based availability modeling framework, named Candy, which constructs a comprehensive availability model semi-automatically from system specifications described by Systems Modeling Language (SysML). SysML diagrams are translated into components of availability model and the components are assembled together to form the entire availability model in Stochastic Reward Nets (SRNs). In order to incorporate the maintenance operations of cloud services in availability models, Candy defines the translation rules from Activity diagram to SRN and synchronizes the related SRNs according to SysML allocation notations. The feasibility of the proposed modeling and availability evaluation process is studied by an illustrative example of a web application service hosted on a cloud infrastructure having multiple failure isolation zones and automatic scale-up function.


International Conference on Computer Aided Design | 2009

Resilience in computer systems and networks

Kishor S. Trivedi; Dong Seong Kim; Rahul Ghosh

The term resilience is used differently by different communities. In general engineering systems, fast recovery from a degraded system state is often termed as resilience. Computer networking community defines it as the combination of trustworthiness (dependability, security, performability) and tolerance (survivability, disruption tolerance, and traffic tolerance). Dependable computing community defined resilience as the persistence of service delivery that can justifiably be trusted, when facing changes. In this paper, resilience definitions of systems and networks will be presented. Metrics for resilience will be compared with dependability metrics such as availability, performance, performability. Simple examples will be used to show quantification of resilience via probabilistic analytic models.

Collaboration

Top co-authors of Dong Seong Kim:

Jong Sou Park, Korea Aerospace University

Jin B. Hong, University of Canterbury

Sang Min Lee, Korea Aerospace University

Mengmeng Ge, University of Canterbury