
Publication


Featured research published by Jarmo Siltanen.


IEEE International Conference on Dependable, Autonomic and Secure Computing | 2014

Analysis of HTTP Requests for Anomaly Detection of Web Attacks

Mikhail Zolotukhin; Timo Hämäläinen; Tero Kokkonen; Jarmo Siltanen

Attacks against web servers and web-based applications remain a serious global network security threat. Attackers are able to compromise web services, collect confidential information from web databases, and interrupt or completely paralyze web servers. In this study, we consider the analysis of HTTP logs for the detection of network intrusions. First, a training set of HTTP requests which does not contain any attacks is analyzed. When all relevant information has been extracted from the logs, several clustering and anomaly detection algorithms are employed to describe the model of normal user behavior. This model is then used to detect network attacks as deviations from the norms in an online mode. The simulation results presented show that, compared to other data mining algorithms, the method results in a higher accuracy rate.


International Conference on Telecommunications | 2016

Increasing web service availability by detecting application-layer DDoS attacks in encrypted traffic

Mikhail Zolotukhin; Timo Hämäläinen; Tero Kokkonen; Jarmo Siltanen

Nowadays, zero-day Denial-of-Service (DoS) attacks have become frighteningly common in high-speed networks due to the constantly increasing number of vulnerabilities. Moreover, these attacks have become more sophisticated, and, therefore, they are hard to detect before they damage several networks and hosts. For these reasons, real-time monitoring, processing and network anomaly detection must be among the key features of a modern DoS prevention system. In this paper, we present a method which allows us to timely detect various denial-of-service attacks against a computer or a network system. We focus on detection of application-layer DoS attacks that utilize encrypted protocols by applying an anomaly-detection-based approach to statistics extracted from network packets. Since network traffic decryption can violate ethical norms and regulations on privacy, the proposed detection scheme analyzes network traffic without decrypting it. The scheme includes the analysis of conversations between a web server and its clients, the construction of a model of normal user behavior by dividing these conversations into clusters, and the examination of the distribution of these conversations among the resulting clusters with the help of a stacked auto-encoder, which belongs to a class of deep learning algorithms. Conversations of clients that deviate from those normal patterns are classified as anomalous. The proposed technique is tested on the data obtained with the help of a realistic cyber environment.


Conference on Smart Spaces | 2015

Data Mining Approach for Detection of DDoS Attacks Utilizing SSL/TLS Protocol

Mikhail Zolotukhin; Timo Hämäläinen; Tero Kokkonen; Antti Niemelä; Jarmo Siltanen

Denial of Service attacks remain one of the most serious threats to the Internet nowadays. In this study, we propose an algorithm for detection of Denial of Service attacks that utilize the SSL/TLS protocol. These protocols encrypt the data of network connections on the application layer, which makes it impossible to detect attackers' activity based on the analysis of packet payload. For this reason, we concentrate on statistics that can be extracted from packet headers. Based on these statistics, we build a model of normal user behavior by using several data mining algorithms. Once the model has been built, it is used to detect DoS attacks. The proposed framework is tested on the data obtained with the help of a realistic cyber environment that enables one to construct real attack vectors. The simulations show that the proposed method results in a higher accuracy rate when compared to other intrusion detection techniques.


International Conference on Telecommunications | 2016

Model for sharing the information of cyber security situation awareness between organizations

Tero Kokkonen; Jari Hautamäki; Jarmo Siltanen; Timo Hämäläinen

Exchanging Situation Awareness information is extremely important for organizations in order to survive as part of the cyber domain. Situation Awareness is required for decision making and for an early warning of upcoming threats. Situation Awareness and the security information in the cyber domain differ from the kinetic domain. Because of that, Situation Awareness has different requirements and use cases, for example when considering time or geographical distances. There is always a risk when sharing security information due to the classified nature of the information. It might contain information on weaknesses or vulnerabilities of the organization, and if used wrongly it jeopardizes the continuity of the business or mission. The model introduced in this paper for creating information sharing topologies enables sharing of classified security-related information between multiple organizations with the lowest possible risk levels.


Conference on Smart Spaces | 2015

Analysis of Approaches to Internet Traffic Generation for Cyber Security Research and Exercise

Tero Kokkonen; Timo Hämäläinen; Marko Silokunnas; Jarmo Siltanen; Mikhail Zolotukhin; Mikko Neijonen

Because of the severe global security threat of malware, vulnerabilities and attacks against networked systems, cyber-security research, training and exercises are required for achieving cyber resilience of organizations. In particular, the requirement for organizing cyber security exercises has become more and more relevant for companies and government agencies. Cyber security research, training and exercises require a closed Internet-like environment and generated Internet traffic. JAMK University of Applied Sciences has built a closed Internet-like network called Realistic Global Cyber Environment (RGCE). The traffic generation software for the RGCE is introduced in this paper. This paper describes different approaches and use cases to Internet traffic generation. Specific software for traffic generation was created because no existing traffic generation solutions were suitable.


New Technologies, Mobility and Security | 2015

Online detection of anomalous network flows with soft clustering

Mikhail Zolotukhin; Timo Hämäläinen; Tero Kokkonen; Jarmo Siltanen

In this study, we apply an anomaly-based approach to analyze traffic flows transferred over a network to detect the flows related to different types of attacks. Based on the information extracted from network flows, a model of normal user behavior is discovered with the help of several clustering techniques. This model is then used to detect anomalies within recent time intervals. Since this approach is based on normal user behavior, it can potentially detect zero-day intrusions. Moreover, such a flow-based intrusion detection approach can be used at high speeds since it is based on information in packet headers, and, therefore, has to handle a considerably smaller amount of data. The proposed framework is tested on the data obtained with the help of a realistic cyber environment (RGCE) that enables one to construct real attack vectors. The simulations show that the proposed method results in a higher accuracy rate when compared to other intrusion detection techniques.


NEW2AN | 2016

Weighted Fuzzy Clustering for Online Detection of Application DDoS Attacks in Encrypted Network Traffic

Mikhail Zolotukhin; Tero Kokkonen; Timo Hämäläinen; Jarmo Siltanen

Distributed denial-of-service (DDoS) attacks are one of the most serious threats to today’s high-speed networks. These attacks can quickly incapacitate a targeted business, costing victims millions of dollars in lost revenue and productivity. In this paper, we present a novel method which allows us to timely detect application-layer DDoS attacks that utilize encrypted protocols by applying an anomaly-based approach to statistics extracted from network packets. The method involves construction of a model of normal user behavior with the help of weighted fuzzy clustering. The construction algorithm is self-adaptive and allows one to update the model every time a new portion of network traffic data is available for the analysis. The proposed technique is tested with realistic end user network traffic generated in the RGCE Cyber Range.


Mobility Management and Wireless Access | 2012

VoIP performance analysis in IEEE802.16 networks

Kari Luostarinen; Jarmo Siltanen; Timo Hämäläinen; Markus Perkkiö

WiMAX, also known as IEEE standard 802.16, is a wide range broadband wireless access network which has significantly good support for quality of service. According to IEEE standard 802.16e, WiMAX also has support for mobility. One of the key advantages of the WiMAX network is the possibility to assign QoS parameters on a per-connection basis. A good example of a traffic type having strict QoS demands is VoIP. VoIP will probably be a killer application in future broadband wireless networks because of its cost efficiency compared to circuit switched networks. In this paper, we analyze by extensive simulations how QoS is applied per connection, especially for the VoIP connection.


Teletraffic Science and Engineering | 2003

The simulation and analysis of the revenue criterion based adaptive WFQ

Alexander Sayenko; Timo Hämäläinen; Jarmo Siltanen; Jyrki Joutsensalo

This paper presents the simulation and analysis of the adaptive resource allocation model, which was proposed and theoretically considered in our previous works. It relies upon the Weighted Fair Queueing (WFQ) service policy and uses the revenue criterion to adjust weights. The purpose of the proposed model is to maximize a provider's revenue and, at the same time, ensure the required Quality-of-Service (QoS) for end-users. Our previous works provided the theoretical evaluation of the proposed model and considered the single-node case only. This paper presents a more realistic network scenario, which includes a set of clients and several intermediate switching nodes with the proposed model. The adaptive and non-adaptive approaches to the WFQ are considered in terms of obtained revenue and state of queues at intermediate nodes. It is shown that the adaptive approach can improve the total revenue obtained by a provider when compared to the non-adaptive approach.


AEU - International Journal of Electronics and Communications | 2006

Adaptive scheduling method for maximizing revenue in flat pricing scenario

Jyrki Joutsensalo; Timo Hämäläinen; Kari Luostarinen; Jarmo Siltanen

Collaboration


Top Co-Authors

Timo Hämäläinen, Information Technology University

Tero Kokkonen, JAMK University of Applied Sciences

Timo D. Hämäläinen, Tampere University of Technology

Antti Niemelä, JAMK University of Applied Sciences