Ken Ferens

Multifractal Singularity Spectrum for Cognitive Cyber Defence in Internet Time Series

Growing global dependence over cyberspace has given rise to intelligent malicious threats due to increasing network complexities, inherent vulnerabilities embedded within the software and the limitations of existing cyber security systems to name a few. Malicious cyber actors exploit these vulnerabilities to carry out financial fraud, steal intellectual property and disrupt the delivery of essential online services. Unlike physical security, cyberspace is very difficult to secure due to the replacement of traditional computing platforms with sophisticated cloud computing and virtualization. These complex systems exhibit an increasing degree of complexity in tracking an attack or monitoring possible threats which is becoming intractable with the existing security firewalls and intrusion detection systems. In this paper, authors present a novel complexity detection technique using generalized multifractal singularity spectrum which is able to not only capture the growing complexity of the internet time series but also distinguishes the presence of an attack accurately.

Detecting Advanced Persistent Threats using Fractal Dimension based Machine Learning Classification

Advanced Persistent Threats (APTs) are a new breed of internet based smart threats, which can go undetected with the existing state of-the-art internet traffic monitoring and protection systems. With the evolution of internet and cloud computing, a new generation of smart APT attacks has also evolved and signature based threat detection systems are proving to be futile and insufficient. One of the essential strategies in detecting APTs is to continuously monitor and analyze various features of a TCP/IP connection, such as the number of transferred packets, the total count of the bytes exchanged, the duration of the TCP/IP connections, and details of the number of packet flows. The current threat detection approaches make extensive use of machine learning algorithms that utilize statistical and behavioral knowledge of the traffic. However, the performance of these algorithms is far from satisfactory in terms of reducing false negatives and false positives simultaneously. Mostly, current algorithms focus on reducing false positives, only. This paper presents a fractal based anomaly classification mechanism, with the goal of reducing both false positives and false negatives, simultaneously. A comparison of the proposed fractal based method with a traditional Euclidean based machine learning algorithm (k-NN) shows that the proposed method significantly outperforms the traditional approach by reducing false positive and false negative rates, simultaneously, while improving the overall classification rates.

Performance Results and Analysis of ZigBee Networks in the Presence of Multifractal Noise

The need to replace wire harnesses within industrial sensing and control systems calls for a wireless approach using ZigBee (IEEE 802.15.4) mesh networking, where nodes can self-heal and self-form. We proposed to use multifractal noise as a model for industrial electromagnetic noise in evaluating the performance of ZigBee mesh networks. This paper addresses an improved experimental setup, performance results, and analysis of the experimental findings. Packet error rate measurements were collected through a controlled hardware simulation of the transmission of packets from one ZigBee node to another. Performance of ZigBee network is measured in terms of Packet Error Rate (PER) versus Signal-to-Noise Ratio (SNR).

Anomaly detection in a smart grid using wavelet transform, variance fractal dimension and an artificial neural network

This paper presents a method for detecting anomalous power consumption patterns attacks, using a discrete wavelet transform, as well as the variance fractal dimension (VFD) and an artificial neural network (ANN) for a smart grid. The main procedure of the proposed algorithm consists of the following steps: (i) Finding normal and anomalous patterns of power consumption to train the proposed method, (ii) Applying wavelet transform to power consumption patterns to extract features, (iii) Applying the VFD to the extracted features from Step 3 as an input, (iv) Training an ANN with the extracted features from Step 3, and (v) Launching the trained ANN from Step 4 to detect the anomalous power consumption attack based on a threshold. The proposed method can detect an anomalous power consumption attack with 51% accuracy in the worst case scenario.

Fractal based adaptive boosting algorithm for cognitive detection of computer malware

Host Based Intrusion Detection Systems (HIDS) are gaining traction in discovering malicious software inside a host operating system. In this paper, the authors have developed a new cognitive host based anomaly detection system based on supervised AdaBoost machine learning algorithm. Particularly, information fractal dimension based approach is incorporated in the original AdaBoost machine learning algorithm to assign higher weight to the classifier that estimates wrong hypothesis. An agent based host sensor is developed that continuously gathers and extracts network profile of all the host processes and the modules spawned by each process of a Microsoft Windows 7 operating system. The main contributions of this paper are that a malware testing sandbox is developed using Microsoft native APIs and an information fractal (cognitive) based AdaBoost algorithm is designed and developed. Our results on empirical data set shows that the malware detection performance of the proposed algorithm outperforms original AdaBoost algorithm in detecting positives including the reduction of false negatives.

A cognitive multifractal approach to characterize complexity of non-stationary and malicious DNS data traffic using adaptive sliding window

This paper presents a cognitive feature extraction model based on scaling and multifractal dimension trajectory to analyze internet traffic time series. DNS (Domain Naming System) traffic time series is considered that contains tagged DNS Denial of Service attacks. The first step of the analysis involves transforming the DNS time series into a multifractal variance dimension trajectory keeping statistical stationarity of data intact. Then features of the trajectory are extracted to remove high variability noise. The extracted set of features indicates the presence of an attack when the denoised trajectory shows increasing variance fractal dimension. This technique is superior in finding changing patterns of a data series due to the presence of noise and denial of service attack because it is not dependent on integer dimensions and mono-scale measurement of variations in data series. Moreover, this technique provides adaptive and locally stationary windows in a highly non stationary data series.

Technologies to generate contact graphs for personal social networks

This paper presents three novel means of collecting and analyzing data to generate contact graphs of personal social networks. The means of collection include a web based service, an RFID system, and a network application running on a wireless sensor network. Data generated from networks of personal contact are demonstrated to be of utility in estimating the potential of the spread of a infection such as would be associated with the recent outbreak of H1N1 influenza.

Rapid prototyping Vehicle-to-Infrastructure applications using the Android TM development platform

This paper discusses a rapid prototyping environment for an application developed relative to the USDOT Vehicle Infrastructure Integration program. The primary application represents opportunities beyond traditional vehicular telematic applications by virtue of the technologies leveraged to prototype a vehicle crash detection system, as well as an emission sensor network for vehicle fleets and a vehicle speed retarder. A central theme in the research is that emerging vehicular telematic applications need to capitalize on advanced software engineering orientations, including open-source frameworks, web services, and Service Oriented Architectures.

An analysis of captured industrial vehicular noise signals for ZigBee communications

This paper addresses a scheme to measure the robustness of the ZigBee protocol as deployed in industrial machinery under the influence of electromagnetic noise. The scheme is based on a multiscale signal processing to analyze the time domain characteristics of the pulsative and other noise signals. The variance fractal dimension of the captured noise signals sequence shows that these signals exhibit fractal characteristics. In particular, the starter noise burst portion of the captured signal is more correlated compared to the background noise portion in all the acquired data, and the noise burst is multifractal in time. These findings support and verify the fractal model of noise in industrial machinery.

Analysis of Modulated Monofractal Noise

Motivated by experiments for measuring the robustness of wireless protocols, this paper presents an analysis of the effects of amplitude modulation (AM) on the spectral properties of monofractal noise. In general, the modulated monofractal noise signal becomes multifractal over the spectral tail. However, in circumstances where a spectral band of interest is small compared to the effective spectral tail, then a power-law decay can account for the modulated noise spectrum. This effective power-law behaviour, however, can be much more correlated than the original monofractal behaviour in the baseband.