Publication


Featured research published by Masoume Jabbarifar.


Journal of Networks | 2012

Real Time Intrusion Prediction based on Optimized Alerts with Hidden Markov Model

Alireza Shameli Sendi; Michel Dagenais; Masoume Jabbarifar; Mario Couture

Cyber attacks and malicious activities are rapidly becoming a major threat to proper secure organization. Many security tools may be installed in distributed systems and monitor all events in a network. Security managers often have to process huge numbers of alerts per day, produced by such tools. Intrusion prediction is an important technique to help response systems reacting properly before the network is compromised. In this paper, we propose a framework to predict multi-step attacks before they pose a serious security risk. Hidden Markov Model (HMM) is used to extract the interactions between attackers and networks. Since alerts correlation plays a critical role in prediction, a modulated alert severity through correlation concept is used instead of just individual alerts and their severity. Modulated severity generates prediction alarms for the most interesting steps of multi-step attacks and improves the accuracy. Our experiments on the Lincoln Laboratory 2000 data set show that our algorithm perfectly predicts multi-step attacks before they can compromise the network.


International Conference on Internet Monitoring and Protection | 2010

FEMRA: Fuzzy Expert Model for Risk Assessment

Alireza Shameli Sendi; Masoume Jabbarifar; Mehdi Shajari; Michel Dagenais

Risk assessment is a major part of the ISMS process. The Information Security Management System standards specify guidelines and a general framework for risk assessment. In many existing standards, such as NIST and ISO27001, risk assessment is described; however, while these standards present some guidelines, there are no details on how to implement it in an organization. In a complex organization, risk assessment is a complicated process and involves a lot of assets. In this paper, we present the FEMRA model, which uses fuzzy expert systems to assess risk in organizations. The risk assessment varies considerably with the context, the metrics used as dependent variables, and the opinions of the persons involved. Fuzzy logic thus represents an excellent model for this application. Organizations can use FEMRA as a tool to improve the ISMS implementation. One of the interesting characteristics of FEMRA is that it can represent each risk with a numerical value. The managers can detect higher risks by comparing these values and develop a good strategy to reduce them.


The Open Cybernetics & Systemics Journal | 2012

Fuzzy Multi-Criteria Decision-Making for Information Security Risk Assessment

Alireza Shameli-Sendi; Mehdi Shajari; M. Hassanabadi; Masoume Jabbarifar; Michel Dagenais

Risk assessment is a major part of the ISMS process. In a complex organization which involves a lot of assets, risk assessment is a complicated process. In this paper, we present a practical model for information security risk assessment. This model is based on multi-criteria decision-making and uses fuzzy logic. The fuzzy logic is an appropriate model to assess risks and represents the practical results. The proposed risk assessment is a qualitative approach according to ISO/IEC 27005 standard. Main objectives and processes of business have been considered in this model and assessment of risk has been done in managerial and operational levels. This model was performed completely in the information technology section of a supply chain management company and the results show its efficiency and reliability.


International Conference on Software Engineering | 2010

L-SYNC: Larger Degree Clustering Based Time-Synchronisation for Wireless Sensor Network

Masoume Jabbarifar; Alireza Shameli Sendi; Hosein Pedram; Mahdi Dehghan; Michel Dagenais

In many existing synchronization protocols within wireless sensor networks, the effect of routing algorithm in synchronization precision of two remote nodes is not being considered. In several protocols such as SLTP, this issue is considered for local time estimation of a remote node. Cluster creation is according to ID technique. This technique incurs an increase in cluster overlapping and eventually the routing algorithm will be affected and requires more hops to move from one cluster to another remote cluster. In this article, we present L-SYNC method, which creates large degree clusters for wireless sensor networks synchronization. Using large degree clustering, L-SYNC can reduce path hops. Also, L-SYNC uses linear regression method to calculate clock offset and skew in each cluster. Therefore, it is capable to compute skew and offset intervals between each node and its head cluster and, in other words, it can estimate the local time of remote nodes in future and past. To estimate the local time for remote nodes, routing algorithm is used and conversion technique is performed in each time changing hop. The fewer L-SYNC hops could increase the precision. Simulation results illustrate that monotonous clustering formation can increase the precision in synchronization. However, more overhead and time period are needed for clustering formation


Wireless Sensor Network | 2010

A Reliable and Efficient Time Synchronization Protocol for Heterogeneous Wireless Sensor Network

Masoume Jabbarifar; Alireza Shameli Sendi; Alireza Sadighian; Naser Ezzati Jivan; Michel Dagenais

L-SYNC is a synchronization protocol for Wireless Sensor Networks which is based on larger degree clustering providing efficiency in homogeneous topologies. In L-SYNC, the effectiveness of the routing algorithm for the synchronization precision of two remote nodes was considered. Clustering in L-SYNC is according to larger degree techniques. These techniques reduce cluster overlapping, resulting in the routing algorithm requiring fewer hops to move from one cluster to another remote cluster. Even though L-SYNC offers higher precision compared to other algorithms, it does not support heterogeneous topologies and its synchronization algorithm can be influenced by unreliable data. In this paper, we present the L-SYNCng (L-SYNC next generation) protocol, working in heterogeneous topologies. Our proposed protocol is scalable in unreliable and noisy environments. Simulation results illustrate that L-SYNCng has better precision in synchronization and scalability.


Journal of Network and Systems Management | 2015

Online Incremental Clock Synchronization

Masoume Jabbarifar; Michel Dagenais; Alireza Shameli-Sendi

Time synchronization is a fundamental requirement for many services provided by distributed systems. For this purpose, several time synchronization protocols have been proposed. However, they either achieve high accuracy by adding further network traffic, even more than common protocols such as network time protocol and precision time protocol, or consume a lot of time in additional computations. An online distributed tracing and monitoring system, used to identify functional and performance problems in distributed systems, must offer high precision with minimum time overhead and system resource consumption. The aim of this paper is to propose an efficient algorithm for time synchronization in online mode, applicable for all distributed services. The proposed method in this paper addresses five key requirements for a practical solution in distributed systems. First, it provides microseconds scale accuracy, which is applicable for trace events with nanosecond timestamp granularity. Secondly, it does not require adding new network traffic, using the send and receive time of existing traffic. Thirdly, it synchronizes the distributed traces in average time complexity of O(1) per synchronization update. Fourthly, it updates online synchronization parameters immediately without latency. Finally, it iteratively refines the early estimates without requiring significant buffering of earlier data. Although we used this work for distributed trace synchronization, it is a general, fully incremental, continuous synchronization approach applicable to most synchronization purposes.


Journal of Computer Networks and Communications | 2013

A Retroactive-Burst Framework for Automated Intrusion Response System

Alireza Shameli-Sendi; Julien Desfossez; Michel Dagenais; Masoume Jabbarifar

The aim of this paper is to present an adaptive and cost-sensitive model to prevent security intrusions. In most automated intrusion response systems, response selection is performed locally based on current threat without using the knowledge of attacks history. Another challenge is that a group of responses are applied without any feedback mechanism to measure the response effect. We address these problems through retroactive-burst execution of responses and a Response Coordinator (RC) mechanism, the main contributions of this work. The retroactive-burst execution consists of several burst executions of responses with, at the end of each burst, a mechanism for measuring the effectiveness of the applied responses by the risk assessment component. The appropriate combination of responses must be considered for each burst execution to mitigate the progress of the attack without necessarily running the next round of responses, because of the impact on legitimate users. In the proposed model, there is a multilevel response mechanism. To indicate which level is appropriate to apply based on the retroactive-burst execution, we get help from a Response Coordinator mechanism. The applied responses can improve the health of Applications, Kernel, Local Services, Network Services, and Physical Status. Based on these indexes, the RC gives a general overview of an attacker’s goal in a distributed environment.


Journal of Physics: Conference Series | 2012

Optimum off-line trace synchronization of computer clusters

Masoume Jabbarifar; Michel Dagenais; Robert Roy; Alireza Shameli Sendi

A tracing and monitoring framework produces detailed execution trace files for a system. Each trace file contains events with associated timestamps based on the local clock of their respective system, which are not perfectly synchronized. To monitor all behavior in multi-core distributed systems, a global time reference is required, thus the need for traces synchronization techniques. The synchronization is time consuming when there is a cluster of many computers. In this paper we propose an optimized technique to reduce the total synchronization time. Compared with related techniques that have been used on kernel level traces, this method improves the performance while maintaining a high accuracy. It uses the packet rate and the hop count as two major criteria to focus the computation on more accurate network links during synchronization. These criteria, tested in real-world experiments, were identified as most important features of a network. Furthermore, we present numerical and analytical evaluation results, and compare these with previous methods demonstrating the accuracy and the performance of the method.


Networks | 2014

Reference node selection in dynamic tree

Masoume Jabbarifar; Michel Dagenais

The reference node (RN) is a central node that has minimum distance/hop count to all other nodes in the network. This central node can play several critical roles such as being the time reference in order to synchronise computer nodes. For synchronisation, the main goal is to minimise the sum of synchronisation errors. The time synchronisation error, known for each link between two nodes, accumulates for each hop along the path used for synchronisation between two nodes. In such a context, the best RN is defined as having the minimal sum of time synchronisation errors between itself and every other node. Thus, the first step for error minimisation is to select a minimum spanning tree (MST), formed by the links with minimum synchronisation error, as synchronisation path. The second step is to select an RN, which minimises the sum of synchronisation errors to all nodes in the MST, as time reference for synchronisation. In a dynamic network, where communication links appear and disappear, and synchronisation accuracy improves as more packets are exchanged, a static RN would entail suboptimal synchronisation accuracy. All existing models in this area are limited to static RNs because of the computing cost of updating the RN, yielding a suboptimal total synchronisation error over time and causing problems if the selected node is removed from the dynamic network. This paper presents a novel and efficient method for dynamic RN selection in dynamic networks. The approach proposed in this paper improves the performance of RN computation and update in live mode for dynamic networks. This new method concentrates on the altered path with respect to the RN, each time the MST is updated. This provides an efficient way to find and maintain a RN incrementally in an average time complexity of O(log n) per update, where n is the total number of nodes in the network.
The proposed approach was tested with a huge dynamic network containing 60000 simulated nodes, in a number of different situations. The proposed approach achieves excellent running time while minimising synchronisation error. Although this work is currently used for time synchronisation purposes, several dynamic network tools can benefit from an efficient incremental algorithm to calculate hop counts and select a central point for the network.


Journal of Computer Networks and Communications | 2012

System Health Monitoring Using a Novel Method: Security Unified Process

Alireza Shameli-Sendi; Masoume Jabbarifar; Michel Dagenais; Mehdi Shajari

Iterative and incremental mechanisms are not usually considered in existing approaches for information security management system (ISMS). In this paper, we propose SUP (security unified process) as a unified process to implement a successful and high-quality ISMS. A disciplined approach can be provided by SUP to assign tasks and responsibilities within an organization. The SUP architecture comprises static and dynamic dimensions; the static dimension, or disciplines, includes business modeling, assets, security policy, implementation, configuration and change management, and project management. The dynamic dimension, or phases, contains inception, analysis and design, construction, and monitoring. Risk assessment is a major part of the ISMS process. In SUP, we present a risk assessment model, which uses a fuzzy expert system to assess risks in organization. Since the classification of assets is an important aspect of risk management and ensures that effective protection occurs, a Security Cube is proposed to identify organization assets as an asset classification model. The proposed model leads us to have an offline system health monitoring tool that is really a critical need in any organization.

Collaboration

Top Co-Authors

Michel Dagenais

École Polytechnique de Montréal

Alireza Shameli-Sendi

École Polytechnique de Montréal

Julien Desfossez

École Polytechnique de Montréal

Robert Roy

École Polytechnique de Montréal