Publications

Featured research published by Jorge Maestre Vidal.


Swarm and Evolutionary Computation | 2018

Adaptive artificial immune networks for mitigating DoS flooding attacks

Jorge Maestre Vidal; Ana Lucila Sandoval Orozco; Luis Javier García Villalba

Denial of service attacks pose a threat in constant growth. This is mainly due to their tendency to gain in sophistication, ease of implementation, obfuscation and the recent improvements in occultation of fingerprints. On the other hand, progress towards self-organizing networks, and the different techniques involved in their development, such as software-defined networking, network-function virtualization, artificial intelligence or cloud computing, facilitates the design of new defensive strategies, more complete, consistent and able to adapt the defensive deployment to the current status of the network. In order to contribute to their development, in this paper, the use of artificial immune systems to mitigate denial of service attacks is proposed. The approach is based on building networks of distributed sensors suited to the requirements of the monitored environment. These components are capable of identifying threats and reacting according to the behavior of the biological defense mechanisms in human beings. It is accomplished by emulating the different immune reactions, the establishment of quarantine areas and the construction of immune memory. For their assessment, experiments with public domain datasets (KDD'99, CAIDA'07 and CAIDA'08) and simulations on various network configurations based on traffic samples gathered by the University Complutense of Madrid and flooding attacks generated by the tool DDoSIM were performed.


Future Internet | 2017

Towards Incidence Management in 5G Based on Situational Awareness

Lorena Isabel Barona López; Ángel Leonardo Valdivieso Caraguay; Jorge Maestre Vidal; Marco Antonio Sotelo Monge; Luis Javier García Villalba

The fifth generation mobile network, or 5G, moves towards bringing solutions to deploying faster networks, with hundreds of thousands of simultaneous connections and massive data transfer. For this purpose, several emerging technologies are implemented, resulting in virtualization and self-organization of most of their components, which raises important challenges related to safety. In order to contribute to their resolution, this paper proposes a novel architecture for incident management on 5G. The approach combines the conventional risk management schemes with the Endsley Situational Awareness model, thus improving effectiveness in different aspects, among them the ability to adapt to complex and dynamical monitoring environments, and countermeasure tracking or the role of context when decision-making. The proposal takes into account all layers for information processing in 5G mobile networks, ranging from infrastructure to the actuators responsible for deploying corrective measures.


Sensors | 2017

Reasoning and Knowledge Acquisition Framework for 5G Network Analytics

Marco Antonio Sotelo Monge; Jorge Maestre Vidal; Luis Javier García Villalba

Autonomic self-management is a key challenge for next-generation networks. This paper proposes an automated analysis framework to infer knowledge in 5G networks with the aim to understand the network status and to predict potential situations that might disrupt the network operability. The framework is based on the Endsley situational awareness model, and integrates automated capabilities for metrics discovery, pattern recognition, prediction techniques and rule-based reasoning to infer anomalous situations in the current operational context. Those situations should then be mitigated, either proactively or reactively, by a more complex decision-making process. The framework is driven by a use case methodology, where the network administrator is able to customize the knowledge inference rules and operational parameters. The proposal has also been instantiated to prove its adaptability to a real use case. To this end, a reference network traffic dataset was used to identify suspicious patterns and to predict the behavior of the monitored data volume. The preliminary results suggest a good level of accuracy on the inference of anomalous traffic volumes based on a simple configuration.


Journal of Network and Computer Applications | 2017

Alert correlation framework for malware detection by anomaly-based packet payload analysis

Jorge Maestre Vidal; Ana Lucila Sandoval Orozco; Luis Javier García Villalba

Intrusion detection based on identifying anomalies typically emits a large amount of reports about the malicious activities monitored; hence the information gathered is difficult to manage. In this paper, an alert correlation system capable of dealing with this problem is introduced. The work carried out has focused on the study of a particular family of sensors, namely those which analyze the payload of network traffic looking for malware. Unlike conventional approaches, the information provided by the network packet headers is not taken into account. Instead, the proposed strategy considers the payload of the monitored traffic and the characteristics of the models built during the training of such detectors, in this way supporting the general-purpose incident management tools. It aims to analyze, classify and prioritize the alerts issued, based on two criteria: the risk of threats being genuine and their nature. Incidences are studied both in a one-to-one and in a group context. This implies the consideration of two different processing layers: the first one allows fast reactions and resilience against certain adversarial attacks, and on the other hand, the deeper layer facilitates the reconstruction of attack scenarios and provides an overview of potential threats. Experiments conducted by analyzing real traffic demonstrated the effectiveness of the proposal.


IEEE Latin America Transactions | 2015

Malware Detection System by Payload Analysis of Network Traffic

Luis Javier García Villalba; Ana Lucila Sandoval Orozco; Jorge Maestre Vidal

This paper presents a system for detecting intrusions when analyzing the network traffic payload looking for malware evidence. The system implements the detection algorithm as a Snort preprocessor component. Since they work together, a highly effective system against known attacks has been achieved (based on Snort rules) and a highly effective system against unknown threats (which was the main aim of the designed system). Like the majority of such systems, the proposal consists of two phases: a training phase and a detection phase. During the training phase a statistical model of the legitimate network usage is created through Bloom filter and N-gram techniques. Subsequently, the results obtained by analyzing a dataset of attacks are compared with such a model. This will allow a set of rules to be developed which will be able to determine whether the packet payloads contain malware. In the detection phase, the traffic to analyze is compared with the model created in the training phase and the results obtained when applying the rules. The performed experiments showed really satisfactory results, with 100% malware detection and just 0.15% false positives.


Future Generation Computer Systems | 2017

Advanced Payload Analyzer Preprocessor

Luis Javier García Villalba; Ana Lucila Sandoval Orozco; Jorge Maestre Vidal

Advanced Payload Analyzer Pre-processor (APAP) is an intrusion detection system based on analysis of the payload of network traffic looking for malware. APAP implements its detection algorithm as a "dynamic pre-processor" of Snort. By working together, a highly effective system against known attacks (by passing Snort rules) and equally effective against new and unknown attacks is obtained. APAP consists of two phases: training and detection. During training, a statistical model of legitimate network traffic is created through the Bloom filter and n-gram techniques. Then the results obtained by analyzing a dataset of attacks with this model are compared. Consequently, a set of rules able to determine whether a payload corresponds to malware or otherwise legitimate traffic is obtained. During detection, monitored traffic is passed through the Bloom filter created in the training phase, and the obtained results are compared with the rules. Training requires two datasets: a collection of habitual and legitimate traffic and samples of malicious traffic. This approach offers various improvements compared with similar proposals. The most outstanding is a new method for filling Bloom filters and thereby building usage models. The implementation of a rule system based on Ks speeds up decision-making. Results obtained by analyzing real HTTP traffic prove a high hit rate (95%) and a low false positive rate (0.1%).


Entropy | 2017

An Approach to Data Analysis in 5G Networks

Lorena Isabel Barona López; Jorge Maestre Vidal; Luis Javier García Villalba

5G networks are expected to provide significant advances in network management compared to traditional mobile infrastructures by leveraging intelligence capabilities such as data analysis, prediction, pattern recognition and artificial intelligence. The key idea behind these actions is to facilitate the decision-making process in order to solve or mitigate common network problems in a dynamic and proactive way. In this context, this paper presents the design of the Self-Organized Network Management in Virtualized and Software Defined Networks (SELFNET) Analyzer Module, whose main objective is to identify suspicious or unexpected situations based on metrics provided by different network components and sensors. The SELFNET Analyzer Module provides a modular architecture driven by use cases where analytic functions can be easily extended. This paper also proposes the data specification to define the data inputs to be taken into account in the diagnosis process. This data specification has been implemented with different use cases within the SELFNET Project, proving its effectiveness.


Expert Systems With Applications | 2016

Online masquerade detection resistant to mimicry

Jorge Maestre Vidal; Ana Lucila Sandoval Orozco; Luis Javier García Villalba

Highlights:

A framework for online detection of masquerade attacks is proposed.
At the analysis stage, local alignment algorithms are introduced.
At the verification stage, a validation scheme based on the U-test is implemented.
For mimicry recognition, the parallel analysis of monitored actions is performed.
For evaluating the approach, the SEA dataset is applied.

Masquerade attackers are internal intruders acting through impersonating legitimate users of the victim system. Most of the proposals for their detection suggested recognition methods based on the comparison of use models of the protected environment. However, recent studies have shown their vulnerability against adversarial attacks based on imitating the behavior of legitimate users. In order to contribute to their identification, this article introduces a novel detection method robust against evasion strategies based on mimicry. The proposal describes two levels of information processing: analysis and verification. At the analysis stage, local alignment algorithms are implemented. In this way it is possible to score the similarity between action sequences performed by users, bearing in mind their regions of greatest resemblance. On the other hand, a novel validation scheme based on the statistical non-parametric U-test is implemented. Through this it is possible to refine the labeling of sequences to avoid making hasty decisions when their nature is not sufficiently clear. In order to strengthen their effectiveness against mimicry attacks, the analysis of the monitored sequences is performed in concurrency. This involves partitioning long sequences with two purposes: making subsequences of small intrusions more visible and analyzing new sequences when suspicious situations occur, such as the execution of never before seen commands or the discovery of potentially harmful activities. The proposal has been evaluated on the functional standard SEA and mimicry attacks. Promising experimental results have been shown, demonstrating great precision against conventional masqueraders (TPR=98.3%, FPR=0.77%) and a success rate of 80.2% when identifying mimicry attacks, hence outperforming the best contributions of the bibliography.


Ambient Intelligence | 2018

Orchestration of use-case driven analytics in 5G scenarios

Lorena Isabel Barona López; Jorge Maestre Vidal; Luis Javier García Villalba

The SELFNET project provides an autonomic network management framework for 5G networks with a high degree of automation, self-healing and self-optimization. These capabilities are achieved through a layered architecture and a use-case driven approach. A differentiating feature of SELFNET is its competence when creating and customizing new use cases and their related virtual functions. In this way, the use case operators are able to introduce new rules and parameters that will be taken into account in the analysis and decision-making tasks. Due to these characteristics, the orchestration of its analytical functions poses an important challenge in terms of configurability, synchronization and management of resources. In order to contribute to their resolution, this paper aims to lay the groundwork for implementing the design and specification of the SELFNET Analyzer orchestration. To this end, several key issues related to the internal coordination of the analytics are introduced, among them initial assumptions, design principles, limitations, partitioning of the analysis process, data persistency and optimization. The proposed orchestration strategy has been implemented with different use cases within the SELFNET Project.


Knowledge Based Systems | 2018

A novel pattern recognition system for detecting Android malware by analyzing suspicious boot sequences

Jorge Maestre Vidal; Marco Antonio Sotelo Monge; Luis Javier García Villalba

This paper introduces a malware detection system for smartphones based on studying the dynamic behavior of suspicious applications. The main goal is to prevent the installation of the malicious software on the victim systems. The approach focuses on identifying malware addressed against the Android platform. For that purpose, only the system calls performed during the boot process of the recently installed applications are studied. Thereby the amount of information to be considered is reduced, since only activities related to their initialization are taken into account. The proposal defines a pattern recognition system with three processing layers: monitoring, analysis and decision-making. First, in order to extract the sequences of system calls, the potentially compromised applications are executed in a safe and isolated environment. Then the analysis step generates the metrics required for decision-making. This level combines sequence alignment algorithms with bagging, which allows scoring the similarity between the extracted sequences considering their regions of greatest resemblance. At the decision-making stage, the Wilcoxon signed-rank test is implemented, which determines whether the new software is labeled as legitimate or malicious. The proposal has been tested in different experiments that include an in-depth study of a particular use case, and the evaluation of its effectiveness when analyzing samples of well-known public datasets. Promising experimental results have been shown, hence demonstrating that the approach is a good complement to the strategies of the bibliography.

Collaboration

Top co-authors of Jorge Maestre Vidal:

Ana Lucila Sandoval Orozco (Complutense University of Madrid)
Marco Antonio Sotelo Monge (Complutense University of Madrid)
Jaime Daniel Mejía Castro (Complutense University of Madrid)
Hugo Villanúa Vega (Complutense University of Madrid)