Publication


Featured research published by Igor V. Kotenko.


IEEE International Conference on Green Computing and Communications | 2012

Common Framework for Attack Modeling and Security Evaluation in SIEM Systems

Igor V. Kotenko; Andrey Chechulin

The paper suggests a framework for attack modeling and security evaluation in Security Information and Event Management (SIEM) systems. It is supposed that the common approach to attack modeling and security evaluation is based on modeling of a malefactor's behavior, generating a common attack graph, calculating different security metrics and providing risk analysis procedures. Key elements of suggested architectural solutions for attack modeling and security evaluation are using a comprehensive security repository, effective attack graph (tree) generation techniques, taking into account known and new attacks based on zero-day vulnerabilities, stochastic analytical modeling, and interactive decision support to choose preferred security solutions. The architecture of the Attack Modeling and Security Evaluation Component (AMSEC) is proposed, and its interaction with other SIEM components is described. We present the prototype of the component and the results of experiments carried out.


Concurrency and Computation: Practice and Experience | 2012

Agent-based simulation of cooperative defence against botnets

Igor V. Kotenko; Alexey Konovalov; Andrey Shorov

The paper outlines a framework and software tool intended for simulation of cooperative defence mechanisms against botnets. The framework and software tool are based on an agent-oriented approach and packet-level network simulation. They are intended to evaluate and compare different cooperative distributed attacks and defence mechanisms. Botnet and defence components are represented in the paper as a set of collaborating and counteracting agent teams. Agents are supposed to collect information from various network sources, operate different situational knowledge, and react to actions of other agents. The paper describes the results of experiments aimed to investigate botnets and distributed denial of service defence mechanisms. We explore various botnet attacks and counteraction against them on the example of defence against distributed denial of service attacks.


Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications | 2007

Multi-agent Modelling and Simulation of Cyber-Attacks and Cyber-Defense for Homeland Security

Igor V. Kotenko

The paper considers the approach to investigation of distributed cooperative cyber-defense mechanisms against network attacks. The approach is based on the agent-based simulation of cyber-attacks and cyber-protection mechanisms which combines discrete-event simulation, multi-agent approach and packet-level simulation of network protocols. The various methods of counteraction against cyber-attacks are explored by representing attack and defense components as agent teams using the developed software simulation environment. The teams of defense agents are able to cooperate as the defense system components of different organizations and Internet service providers (ISPs). The paper presents the common framework and implementation peculiarities of the simulation environment as well as the experiments aimed at the investigation of distributed network attacks and defense mechanisms.


Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications | 2011

Verification of security policy filtering rules by Model Checking

Igor V. Kotenko; Olga Polubelova

One of the very important tasks a computer network (or security) administrator has to fulfill when constructing a (distributed) firewall security policy is to guarantee the absence of inconsistencies (or anomalies) and the possibility of implementing the policy in the given network configuration. The paper outlines an approach to verification of filtering rules of firewalls. The approach is intended for detection and resolution of filtering anomalies in the specification of security policy of computer networks. It is based on the Model Checking technique. The paper proposes the models of computer networks, the models of firewalls and filtering anomalies, as well as an algorithm of detection of such anomalies. We also suggest a method for verification of filtering rules based on the mentioned models. The main peculiarities of the approach consist in using Model Checking exactly to detect the anomalies of filtering rules and in the ability to specify temporal parameters in filtering rules.


Information and Communication Technology - EurAsia Conference | 2014

Security Assessment of Computer Networks Based on Attack Graphs and Security Events

Igor V. Kotenko; Elena Doynikova

Security assessment is an important task for operation of modern computer networks. The paper suggests the security assessment technique based on attack graphs which can be implemented in contemporary SIEM systems. It is based on the security metrics taxonomy and different techniques for calculation of security metrics according to the data about current events. Proposed metrics form the basis for security awareness and reflect the current security situation, including development of attacks, attack sources and targets, and attackers' characteristics. The technique suggested is demonstrated on a case study.


International Journal of Bio-inspired Computation | 2015

Improved genetic algorithms for solving the optimisation tasks for design of access control schemes in computer networks

Igor V. Kotenko; Igor Saenko

Access control scheme design is the most important task in the field of computer network security, which has to be solved by security administrators and developers. The access control quality strongly affects such important security properties, as information privacy and accessibility. One of the solutions to this problem is to reduce it to a form of the optimisation task and its subsequent solving by mathematical methods. However, due to the large complexity of this task, applying traditional mathematical methods is very difficult. At the same time, genetic algorithms represent a new and very interesting way to solve this class of problems. This paper suggests an approach for designing access control schemes based on genetic algorithms. To enhance the implementation of genetic operations it proposes a number of significant improvements, which include the multi-chromosomal representation of individuals in populations, the usage of complex data types to represent genes in chromosomes and the use of special control chromosomes. The experimental evaluation of the approach is discussed. It is demonstrated that the proposed improved genetic algorithms are quite efficient means for access control schemes optimisation in computer networks.


Journal of Computational Science | 2017

Hybridization of computational intelligence methods for attack detection in computer networks

Alexander Branitskiy; Igor V. Kotenko

The paper is devoted to identification and classification of network traffic connections by various hybridization schemes with the goal of efficient network attack detection. For this purpose the combination of different methods of computational intelligence is used, namely neural networks, immune systems, neuro-fuzzy classifiers and support vector machines. To increase the speed of processing of input vectors it is proposed to apply the method of principal components. A distinctive feature and advantage of the approach suggested is a multi-level analysis of network traffic, providing the possibility to detect attacks by a signature based technique and combining a set of adaptive detectors based on computational intelligence methods. The paper describes a software tool that is built on the basis of the proposed hybridization mechanisms. Computational experiments were carried out that serve as evidence of their effectiveness in detection of both known and unknown attacks.


Computational Science and Engineering | 2015

Network Attack Detection Based on Combination of Neural, Immune and Neuro-Fuzzy Classifiers

Alexander Branitskiy; Igor V. Kotenko

The paper considers an approach for detection of anomalous patterns of network connections using artificial neural networks, immune systems, neuro-fuzzy classifiers and their combination. The principal component analysis is proposed to optimize the assigned problem. The architecture of the intrusion detection system, based on the application of the proposed methods, is described. The main advantage of the developed approach to intrusion detection is a multi-level analysis technique: first, signature based analysis is carried out, then a combination of adaptive detectors is involved. A number of computational experiments is performed. These experiments demonstrate the effectiveness of the chosen methods in terms of false positive, true positive and correct classification rates.


IDC | 2015

A Genetic Approach for Virtual Computer Network Design

Igor Saenko; Igor V. Kotenko

One possible level of computer protection may consist in splitting computer networks into logical chunks that are known as virtual computer networks or virtual subnets. The paper considers a novel approach to determine virtual subnets that is based on the given matrix of logic connectivity of computers. The paper shows that the problem considered is related to one of the forms of Boolean Matrix Factorization. It formulates the virtual subnet design task and proposes genetic algorithms as a means to solve it. Basic improvements proposed in the paper are using trivial solutions to generate an initial population, taking into account in the fitness function the criterion of minimum number of virtual subnets, and using columns of the connectivity matrix as genes of chromosomes. Experimental results show the proposed genetic algorithm has high effectiveness.


Soft Computing | 2015

Neural network approach to forecast the state of the Internet of Things elements

Igor V. Kotenko; Igor Saenko; Fadey Skorik; Sergey Bushuev

The paper presents the method to forecast the states of elements of the Internet of Things based on using an artificial neural network. The offered architecture of the neural network is a combination of a multilayered perceptron and a probabilistic neural network. For this reason, it provides high efficiency of decision-making. Results of an experimental assessment of the offered neural network on the accuracy of forecasting the states of elements of the Internet of Things are discussed.

Collaboration


Top co-authors of Igor V. Kotenko:

Andrey Chechulin, Russian Academy of Sciences
Igor Saenko, Russian Academy of Sciences
Elena Doynikova, Russian Academy of Sciences
Vasily Desnitsky, Russian Academy of Sciences
Andrey Fedorchenko, Russian Academy of Sciences
Andrey Shorov, Saint Petersburg State Electrotechnical University
Dmitry Levshun, Russian Academy of Sciences
Maxim Kolomeec, Russian Academy of Sciences
Sergey Ageev, Russian Academy of Sciences