Johnny Wong

Intelligent agents for intrusion detection

The paper focuses on intrusion detection and countermeasures with respect to widely-used operating systems and networks. The design and architecture of an intrusion detection system built from distributed agents is proposed to implement an intelligent system on which data mining can be performed to provide global, temporal views of an entire networked system. A starting point for agent intelligence in the system is the research into the use of machine learning over system call traces from the privileged sendmail program on UNIX. The authors use a rule learning algorithm to classify the system call traces for intrusion detection purposes and show the results.

Lightweight agents for intrusion detection

We have designed and implemented an intrusion detection system (IDS) prototype based on mobile agents. Our agents travel between monitored systems in a network of distributed systems, obtain information from data cleaning agents, classify and correlate information, and report the information to a user interface and database via mediators.Agent systems with lightweight agent support allow runtime addition of new capabilities to agents. We describe the design of our Multi-agent IDS and show how lightweight agent capabilities allowed us to add communication and collaboration capabilities to the mobile agents in our IDS.

A taxonomy of intrusion response systems

Recent advances in the field of intrusion detection brought new requirements to intrusion prevention and response. Traditionally, the response to an attack is manually triggered by an administrator. However, increased complexity and speed of the attack-spread during recent years show acute necessity for complex dynamic response mechanisms. Although intrusion detection systems are being actively developed, research efforts in intrusion response are still isolated. In this work we present a taxonomy of intrusion response systems, together with a review of current trends in intrusion response research. We also provide a set of essential features as a requirement for an ideal intrusion response system.

A Software Fault Tree Approach to Requirements Analysis of an Intrusion Detection System

Requirements analysis for an intrusion detection system (IDS) involves deriving requirements for the IDS from analysis of the intrusion domain. When the IDS is, as here, a collection of mobile agents that detect, classify, and correlate system and network activities, the derived requirements include what activities the agent software should monitor, what intrusion characteristics the agents should correlate, where the IDS agents should be placed to feasibly detect the intrusions, and what countermeasures the software should initiate. This paper describes the use of software fault trees for requirements identification and analysis in an IDS. Intrusions are divided into seven stages (following Ruiu), and a fault subtree is developed to model each of the seven stages (reconnaissance, penetration, etc.). Two examples are provided. This approach was found to support requirements evolution (as new intrusions were identified), incremental development of the IDS, and prioritisation of countermeasures.

An End-to-end Detection of Wormhole Attack in Wireless Ad-hoc Networks

Wormhole attack is a severe attack in wireless ad hoc networks. Most of the previous work eliminate the effect of wormhole attack by examining the distance or communication time over each link during the route establishment, which requires special hardware or causes overhead on all links even though only one link on each route could be affected by a wormhole attack. In this article, we propose an end-to-end detection of wormhole attack (EDWA) in wireless ad-hoc networks. We first present the wormhole detection which is based on the smallest hop count estimation between source and destination. If the hop count of a received shortest route is much smaller than the estimated value an alert of wormhole attack is raised at the source node. Then the source node will start a wormhole TRACING procedure to identify the two end points of the wormhole. Finally, a legitimate route is selected for data communication. Both our analysis and simulation results show that the end-to-end wormhole detection method is effective when the source and destination are not too far away.

Automated discovery of concise predictive rules for intrusion detection

This paper details an essential component of a multi-agent distributed knowledge network system for intrusion detection. We describe a distributed intrusion detection architecture, complete with a data warehouse and mobile and stationary agents for distributed problem-solving to facilitate building, monitoring, and analyzing global, spatio-temporal views of intrusions on large distributed systems. An agent for the intrusion detection system, which uses a machine learning approach to automated discovery of concise rules from system call traces, is described.We use a feature vector representation to describe the system calls executed by privileged processes. The feature vectors are labeled as good or bad depending on whether or not they were executed during an observed attack. A rule learning algorithm is then used to induce rules that can be used to monitor the system and detect potential intrusions. We study the performance of the rule learning algorithm on this task with and without feature subset selection using a genetic algorithm. Feature subset selection is shown to significantly reduce the number of features used while improving the accuracy of predictions.

Perceptions of Technology Among Older Adults

Changes and advancements in technology have the potential to benefit older adults by promoting independence and increasing the ability to age in place. However, older adults are less likely to adopt new technology unless they see benefits to themselves. This study assessed the perceptions of 30 older adults in the Midwest concerning technology via three separate focus groups (i.e., independent apartment complex, a rural community, exercise program participants), which addressed a need in the literature (i.e., inclusion of oldest-old and rural individuals). The focus group questions included items such as what technology older adults currently used, desired improvements in technology, and the greatest challenges participants were facing or would face in the future. Overall, older adults were enthusiastic about learning new forms of technology that could help them maintain their independence and quality of life. Five themes emerged from all three focus groups: (a) Frustrations, Limitations, and Usability Concerns; (b) Transportation; (c) Help and Assistance; (d) Self-Monitoring; and (e) Gaming. The themes have important implications for future technology developed for older adults; in particular, older adults were willing and eager to adopt new technology when usefulness and usability outweighed feelings of inadequacy.

Polyp Detection in Colonoscopy Video using Elliptical Shape Feature

Early detection of polyps and cancers is one of the most important goals of colonoscopy. Computer-based analysis of video files using texture features, as has been proposed for polyps of the stomach and colon, has two major limitations: this method uses a fixed size analysis window and relies heavily on a training set of images for accuracy. To overcome these limitations, we propose a new technique focusing on shape instead of texture in this paper. The proposed polyp region detection method is based on the elliptical shape that is common for nearly all small colon polyps.

Informative frame classification for endoscopy video

Advances in video technology allow inspection, diagnosis and treatment of the inside of the human body without or with very small scars. Flexible endoscopes are used to inspect the esophagus, stomach, small bowel, colon, and airways, whereas rigid endoscopes are used for a variety of minimal invasive surgeries (i.e., laparoscopy, arthroscopy, endoscopic neurosurgery). These endoscopes come in various sizes, but all have a tiny video camera at the tip. During an endoscopic procedure, the tiny video camera generates a video signal of the interior of the human organ, which is displayed on a monitor for real-time analysis by the physician. However, many out-of-focus frames are present in endoscopy videos because current endoscopes are equipped with a single, wide-angle lens that cannot be focused. We need to distinguish the out-of-focus frames from the in-focus frames to utilize the information of the out-of-focus and/or the in-focus frames for further automatic or semi-automatic computer-aided diagnosis (CAD). This classification can reduce the number of images to be viewed by a physician and to be analyzed by a CAD system. We call an out-of-focus frame a non-informative frame and an in-focus frame an informative frame. The out-of-focus frames have characteristics that are different from those of in-focus frames. In this paper, we propose two new techniques (edge-based and clustering-based) to classify video frames into two classes, informative and non-informative frames. However, because intensive specular reflections reduce the accuracy of the classification we also propose a specular reflection detection technique, and use the detected specular reflection information to increase the accuracy of informative frame classification. Our experimental studies indicate that precision, sensitivity, specificity, and accuracy for the specular reflection detection technique and the two informative frame classification techniques are greater than 90% and 95%, respectively.

Software fault tree and coloured Petri net based specification, design and implementation of agent-based intrusion detection systems

The integration of Software Fault Tree (SFT), which describes intrusions and Coloured Petri Nets (CPNs) that specifies design, is examined for an Intrusion Detection System (IDS). The IDS under development is a collection of mobile agents that detect, classify, and correlate the system and network activities. SFTs, augmented with nodes that describe trust, temporal and contextual relationships, are used to describe intrusions. CPNs for intrusion detection are built using CPN templates created from the augmented SFTs. Hierarchical CPNs are created to detect critical stages of intrusions. The agentbased implementation of the IDS is then constructed from the CPNs. Examples of intrusions and descriptions of the prototype implementation are used to demonstrate how the CPN approach has been used in the development of the IDS. The main contribution of this paper is an approach to systematic specification, design and implementation of an IDS; Innovations include (1) using stages of intrusions to structure the specification and design of the IDS; (2) augmentation of SFT with trust, temporal and contextual nodes to model intrusions; (3) algorithmic construction of CPNs from augmented SFT; and (4) generation of mobile agents from CPNs.