Miao Xie

Scalable Hypergrid k-NN-Based Online Anomaly Detection in Wireless Sensor Networks

Online anomaly detection (AD) is an important technique for monitoring wireless sensor networks (WSNs), which protects WSNs from cyberattacks and random faults. As a scalable and parameter-free unsupervised AD technique, k-nearest neighbor (kNN) algorithm has attracted a lot of attention for its applications in computer networks and WSNs. However, the nature of lazy-learning makes the kNN-based AD schemes difficult to be used in an online manner, especially when communication cost is constrained. In this paper, a new kNN-based AD scheme based on hypergrid intuition is proposed for WSN applications to overcome the lazy-learning problem. Through redefining anomaly from a hypersphere detection region (DR) to a hypercube DR, the computational complexity is reduced significantly. At the same time, an attached coefficient is used to convert a hypergrid structure into a positive coordinate space in order to retain the redundancy for online update and tailor for bit operation. In addition, distributed computing is taken into account, and position of the hypercube is encoded by a few bits only using the bit operation. As a result, the new scheme is able to work successfully in any environment without human interventions. Finally, the experiments with a real WSN data set demonstrate that the proposed scheme is effective and robust.

Intrusion Detection in Cyber-Physical Systems: Techniques and Challenges

Cyber-physical systems (CPSs) integrate the computation with physical processes. Embedded computers and networks monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa. CPS was identified as one of the eight research priority areas in the August 2007 report of the Presidents Council of Advisors on Science and Technology, as CPS will be the core component of many critical infrastructures and industrial control systems in the near future. However, a variety of random failures and cyber attacks exist in CPS, which greatly restrict their growth. Fortunately, an intrusion detection mechanism could take effect for protecting CPS. When a misbehavior is found by the intrusion detector, the appropriate action can be taken immediately so that any harm to the system will be minimized. As CPSs are yet to be defined universally, the application of the instruction detection mechanism remain open presently. As a result, the effort will be made to discuss how to appropriately apply the intrusion detection mechanism to CPS in this paper. By examining the unique properties of CPS, it intends to define the specific requirements first. Then, the design outline of the intrusion detection mechanism in CPS is introduced in terms of the layers of system and specific detection techniques. Finally, some significant research problems are identified for enlightening the subsequent studies.

Secure communication in wireless multimedia sensor networks using watermarking

Wireless multimedia sensor networks (WMSNs) are an emerging type of sensor networks which contain sensor nodes equipped with microphones, cameras, and other sensors that producing multimedia content. These networks have the potential to enable a large class of applications ranging from military to modern healthcare. Since in WMSNs information is multimedia by nature and it uses wireless link as mode of communication so this posses serious security threat to this network. Thereby, the security mechanisms to protect WMSNs communication have found importance lately. However given the fact that WMSN nodes are resources constrained, so the traditionally intensive security algorithm is not well suited for WMSNs. Hence in this research, we aim to a develop lightweight digital watermarking enabled techniques as a security approach to ensure secure wireless communication. Finally aim is to provide a secure communication framework for WMSNs by developing new.

Segment-Based Anomaly Detection with Approximated Sample Covariance Matrix in Wireless Sensor Networks

In wireless sensor networks (WSNs), it has been observed that most abnormal events persist over a considerable period of time instead of being transient. As existing anomaly detection techniques usually operate in a point-based manner that handles each observation individually, they are unable to reliably and efficiently report such long-term anomalies appeared in an individual sensor node. Therefore, in this paper, we focus on a new technique for handling data in a segment-based manner. Considering a collection of neighbouring data segments as random variables, we determine those behaving abnormally by exploiting their spatial predictabilities and, motivated by spatial analysis, specifically investigate how to implement a prediction variance detector in a WSN. As the communication cost incurred in aggregating a covariance matrix is finally optimised using the Spearmans rank correlation coefficient and differential compression, the proposed scheme is able to efficiently detect a wide range of long-term anomalies. In theory, comparing to the regular centralised approach, it can reduce the communication cost by approximately 80 percent. Moreover, its effectiveness is demonstrated by the numerical experiments, with a real world data set collected by the Intel Berkeley Research Lab (IBRL).

Histogram-Based Online Anomaly Detection in Hierarchical Wireless Sensor Networks

Online anomaly detection is critical for protecting wireless sensor networks (WSNs) from cyber-attacks and random faults, which handles the streaming data in real-time. Comparing to other techniques, histogram-based anomaly detection is cheaper in computation, which should be suitable for WSNs. However, performing histogram-based anomaly detection with an online manner in WSNs is not a straightforward issue. Most of the existing histogram-based schemes have to depend on a verification procedure, which costs a great amount of computational overhead as well as communication overhead. Thus, it almost wipes out the advantage of low complexity of histogram-based anomaly detection. This paper introduces a simple estimating approach to detect anomalies with the histogram, which takes account into the distributed manner and online manner at the same time. It also proves the error caused by the new estimate is very small, through a theoretical analysis. Moreover, the optimal parameter will be suggested by minimizing the error. Finally, a set of experiments are implemented with a real WSN dataset, which prove the new scheme is effective and efficient.

Evaluating host-based anomaly detection systems: A preliminary analysis of ADFA-LD

Host-based intrusion detection systems (HIDSs), especially anomaly-based, have received much attention over the past few decades. Over time, however, the existing data sets used for evaluation of a HIDS have lost most of their relevance due to the substantial development of computer systems. To fill this gap, ADFA Linux data set (ADFA-LD) is recently released, which is composed of thousands of system call traces collected from a contemporary Linux local server and expects to be a new benchmark for evaluating a HIDS. In this paper, we perform a preliminary analysis of ADFA-LD, in an attempt to extract useful information for developing new host-based anomaly detection systems (HADSs). In accordance with the general concerns arising from the community, some typical features are analysed particularly against ADFA-LD, such as length, common pattern and frequency. Furthermore, we implement a simple k nearest neighbour (kNN)-based HADS to be evaluated using ADFA-LD. The experimental results show that, although an acceptable performance can be acquired for a few types of attack, there is still a long way to fully understand the complex behaviour resulting from a modern computer system and, finally, realise more intelligent HADSs.

Evaluating Host-Based Anomaly Detection Systems: Application of the Frequency-Based Algorithms to ADFA-LD

ADFA Linux data set (ADFA-LD) is released recently for substituting the existing benchmark data sets in the area of host-based anomaly detection which have lost most of their relevance to modern computer systems. ADFA-LD is composed of thousands of system call traces collected from a contemporary Linux local server, with six types of up-to-date cyber attack involved. Previously, we have conducted a preliminary analysis of ADFA-LD, and shown that the frequency-based algorithms can be realised at a cheaper computational cost in contrast with the short sequence-based algorithms, while achieving an acceptable performance. In this paper, we further exploit the potential of the frequency-based algorithms, in attempts to reduce the dimension of the frequency vectors and identify the optimal distance functions. Two typical frequency-based algorithms, i.e., k-nearest neighbour (kNN) and k-means clustering (kMC), are applied to validate the effectiveness and efficiency.

Evaluating host-based anomaly detection systems: Application of the one-class SVM algorithm to ADFA-LD

ADFA-LD is a recently released data set for evaluating host-based anomaly detection systems, aiming to substitute the existing benchmark data sets which have failed to reflect the characteristics of modern computer systems. In a previous work, we had attempted to evaluate ADFA-LD with a highly efficient frequency model but the performance is inferior. In this paper, we focus on the other typical technical category that detects anomalies with a short sequence model. In collaboration with the one-class SVM algorithm, a novel anomaly detection system is proposed for ADFA-LD. The numerical experiments demonstrate that it can not only achieve a satisfactory performance, but also reduce the computational cost largely.

Towards reliable data feature retrieval and decision engine in host-based anomaly detection systems

Host-based anomaly detection systems (HADS) serves as the second line of defense after cyber attacks have penetrated the network level defense. The major components of reliable HADS includes enriched data source (DS), computational efficient data feature retrieval (DFR), accurate and fast decision engine (DE). ADFA-LD is a recently published data set which reflects the invisible threat environment of modern computer system. The existing HADS utilizing ADFA-LD as DS, exhibits high computational DFR and inferior performance of the DE at real-time. The major drawback is inability to acquire representative features from host activities. Confronting this drawback in this paper, at DFR a character data zero watermark inspired statistical based strategy is developed for integer data to extract hidden reliable or representative features from system calls of the trace. At DE, three supervised machine learning classifiers such as support vector machine (SVM) with linear and radial bases function (RBF) kernels and k-nearest neighbor (KNN) are evaluated across detection rate (DR), false alarm rate (FAR) and computational time. The numerical trials validates that the suggested statistical feature extraction strategy at DFR and KNN at DE can attain acceptable performance at real-time.

Privacy-Preserving Access to Big Data in the Cloud

Cloud storage can simplify data management and reduce data maintenance costs. However, many users and companies hesitate to move their data to cloud storage because of security and privacy concerns about third-party cloud service providers. Oblivious RAM (ORAM) aims to enable privacy-preserving access to data stored in the cloud. This article offers a tutorial on ORAM and surveys recent literature. The authors also study the access load-balancing problem when applying ORAM to big data in the cloud. They propose heuristic algorithms to achieve access load balancing in both static and dynamic deployments.