Harsha Kumara Kalutarage
Coventry University
Publication
Featured research published by Harsha Kumara Kalutarage.
Computers & Electrical Engineering | 2015
Harsha Kumara Kalutarage; Siraj A. Shaikh; Indika P. Wickramasinghe; Qin Zhou; Anne E. James
A scalable monitoring scheme for stealthy attacks on computer networks is presented. Bayesian fusion along with traffic sampling is used as a data reduction method. Stealthy activities can be detected using 10-20% size sampling rates. A tracing algorithm for anonymous stealthy activities to their sources is presented. The effect of network parameters on detection is investigated.
Stealthy attackers move patiently through computer networks - taking days, weeks or months to accomplish their objectives in order to avoid detection. As networks scale up in size and speed, monitoring for such attack attempts is increasingly a challenge. This paper presents an efficient monitoring technique for stealthy attacks. It investigates the feasibility of the proposed method under a number of different test cases and examines how the design of the network affects detection. A methodological way of tracing anonymous stealthy activities to their approximate sources is also presented. Bayesian fusion along with traffic sampling is employed as a data reduction method. The proposed method has the ability to monitor stealthy activities using 10-20% size sampling rates without degrading the quality of detection.
2016 IEEE International Conference on Smart Cloud (SmartCloud) | 2016
Bharat S. Rawal; Harsha Kumara Kalutarage; S. Sree Vivek; Kamlendu Pandey
There has been an accelerating trend in outsourcing data to Cloud Service Providers (CSPs), who offer huge storage space at little cost. Once data goes into the cloud, owners lose control of their data, which inevitably brings new security risks to integrity and confidentiality. These security worries restrict the use of cloud services, leaving it not very malleable. In this paper, we also propose a similar disintegration technique for cyber defense. In general, the server is designed to perform N different tasks (functions). We disintegrate the suite of web services into N separate services, move them off one server and distribute them among M homogeneous servers. We demonstrate the design and implementation of the unidirectional, closed and Disintegrated Protocol (DIP) to achieve this.
International Journal of Rough Sets and Data Analysis (IJRSDA) | 2018
Bharat S. Rawal; Songjie Liang; Shiva Gautam; Harsha Kumara Kalutarage; Pandi Vijayakumar
To cope up with the Big Data explosion, the Nth Order Binary Encoding (NOBE) algorithm with the Split-protocol has been proposed. In the earlier papers, the application Split-protocol for security, reliability, availability, HPC have been demonstrated and implemented encoding. This technology will significantly reduce the network traffic, improve the transmission rate and augment the capacity for data storage. In addition to data compression, improving the privacy and security is an inherent benefit of the proposed method. It is possible to encode the data recursively up to N times and use a unique combination of NOBE's parameters to generate encryption keys for additional security and privacy for data on the flight or at a station. This paper describes the design and a preliminary demonstration of (NOBE) algorithm, serving as a foundation for application implementers. It also reports the outcomes of computable studies concerning the performance of the underlying implementation.
Keywords: Adaptive Huffman Coding, Data Compression, Performance, Split-Encoding
Journal of Knowledge Management | 2015
Alexeis Garcia-Perez; Siraj A. Shaikh; Harsha Kumara Kalutarage; Mahsa Jahantab
Purpose – This paper aims to contribute towards understanding how safety knowledge can be elicited from railway experts for the purposes of supporting effective decision-making. Design/methodology/approach – A consortium of safety experts from across the British railway industry is formed. Collaborative modelling of the knowledge domain is used as an approach to the elicitation of safety knowledge from experts. From this, a series of knowledge models is derived to inform decision-making. This is achieved by using Bayesian networks as a knowledge modelling scheme, underpinning a Safety Prognosis tool to serve meaningful prognostics information and visualise such information to predict safety violations. Findings – Collaborative modelling of safety-critical knowledge is a valid approach to knowledge elicitation and its sharing across the railway industry. This approach overcomes some of the key limitations of existing approaches to knowledge elicitation. Such models become an effective tool for prediction o...
International Conference on Cyber Security and Cloud Computing | 2015
Harsha Kumara Kalutarage; Chonho Lee; Siraj A. Shaikh; Francis Lee Bu Sung
The Internet has become the most vulnerable part of critical civil infrastructures. Proactive measures such as early warnings are required to reduce the risk of disasters that can be created using it. With the continuous growth in scale, complexity and variety of networked systems, the quality of data is continuously decreasing. This paper investigates the ability to employ Bayesian inference for network scenario analysis with low quality data to produce early warnings. A theoretical account of the approach and experimental results using a real world attack scenario and a real network traffic capture are presented.
IFIP WG 11.4 International Workshop on Open Problems in Network Security, iNetSec 2015 | 2015
Harsha Kumara Kalutarage; Siraj A. Shaikh; Bu Sung Lee; Chonho Lee; Yeo Chai Kiat
Cybercriminals ramp up their efforts with sophisticated techniques while defenders gradually update their typical security measures. Attackers often have a long-term interest in their targets. However, due to a number of factors such as scale, architecture and nonproductive traffic, it is difficult to detect them using typical intrusion detection techniques. Cyber early warning systems (CEWS) aim at alerting on such attempts in their nascent stages using preliminary indicators. The design and implementation of such systems involve numerous research challenges such as a generic set of indicators, intelligence gathering, uncertainty reasoning and information fusion. This paper discusses such challenges and presents the reader with compelling motivation. A carefully deployed empirical analysis using a real world attack scenario and a real network traffic capture is also presented.
Network and System Security | 2013
Harsha Kumara Kalutarage; Siraj A. Shaikh; Qin Zhou; Anne E. James
Tracing down anonymous slow attackers creates a number of challenges in network security. Simply analysing all traffic is not feasible. By aggregating information from a large volume of events, it is possible to build a clear set of benchmarks of what should be considered normal over an extended period of time and hence to identify anomalies. This paper provides an anomaly-based method for tracing down sources of slow suspicious activities in cyberspace. We present the theoretical account of our approach and experimental results.
International Conference on Information Systems Security | 2013
Harsha Kumara Kalutarage; Siraj A. Shaikh; Qin Zhou; Anne E. James
Slow, suspicious and increasingly sophisticated malicious activities on modern networks are incredibly hard to detect. Attacker tactics such as source collusion and source address spoofing are common. Effective attribution of attacks therefore is a real challenge. To address this we propose an approach to utilise destination information of activities together with a data fusion technique to combine the output of several information sources to a single profile score. The main contribution of the paper is proposing a radical shift to the focus of analysis. Experimental results offer a promise for target centric monitoring that does not have to rely on possible source aggregation.
Telecommunication Systems | 2017
Harsha Kumara Kalutarage; Hoang Nga Nguyen; Siraj A. Shaikh
App collusion refers to two or more apps working together to achieve a malicious goal that they otherwise would not be able to achieve individually. The permission-based security model of Android does not address this threat, as it is rather limited to mitigating risks of individual apps. This paper presents a technique for quantifying the collusion threat, essentially the first step towards assessing the collusion risk. The proposed method is useful in finding the collusion candidate of interest, which is critical given the high volume of Android apps available. We present our empirical analysis using a classified corpus of over 29,000 Android apps provided by Intel Security™.
Archive | 2017
As Irina Mariuca; Jorge Blasco; Thomas M. Chen; Harsha Kumara Kalutarage; Igor Muttik; Hoang Nga Nguyen; Markus Roggenbach; Siraj A. Shaikh
Malware has been a major problem in desktop computing for decades. With the recent trend towards mobile computing, malware is moving rapidly to smartphone platforms. “Total mobile malware has grown 151% over the past year”, according to McAfee®’s quarterly threat report in September 2016. By design, Android™ is “open” to download apps from different sources. Its security depends on restricting apps by combining digital signatures, sandboxing, and permissions. Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps for which combined permissions allow them to carry out attacks. In this chapter we report on recent and ongoing research results from our ACID project which suggest a number of reliable means to detect collusion, tackling the aforementioned problems. We present our conceptual work on the topic of collusion and discuss a number of automated tools arising from it.