Randal T. Abler

Intrusion detection testing and benchmarking methodologies

The ad-hoc methodology that is prevalent in todays testing and evaluation of network intrusion detection algorithms and systems makes it difficult to compare different algorithms and approaches. After conducting a survey of the literature on the methods and techniques being used, it can be seen that a new approach that incorporates an open source testing methodology and environment would benefit the information assurance community. After summarizing the literature and presenting several example test and evaluation environments that have been used in the past, we propose a new open source evaluation environment and methodology for use by researchers and developers of new intrusion detection and denial of service detection and prevention algorithms and methodologies.

The optimal connection preemption algorithm in a multi-class network

In an integrated network in which multiple classes with different priorities exist, when the network does not have enough unused bandwidth, connection preemption algorithms (CPA) play an important role in accepting a new session with a high priority by preempting lower priority flows already admitted. Although there are lots of studies about which connections to preempt to optimize the preemption factors (the priority of connections, the bandwidth to be preempted, and the number of connections to be preempted), existing CPAs are only suboptimal from the point of view of the preemption factors because of the computational complexity. The connection preemption problem in a centralized fashion is proved to be NP-complete. To avoid the complexity of the centralized scheme, decentralized/distributed algorithms are proposed. However their solutions are optimal only at the hop level. In order to avoid the priority order problem and to minimize the number of preempted and rerouted sessions, we propose to order the priority of the preemption factors in a new way. We also propose an optimal connection preemption algorithm which optimizes the newly ordered preemption factors in the connection preemption events. The proposed algorithm is the first optimal algorithm that provides a guideline about the upper bound of the computational complexity of the optimal CPAs.

Hybrid intelligent systems for network security

Society has grown to rely on Internet services, and the number of Internet users increases every day. As more and more users become connected to the network, the window of opportunity for malicious users to do their damage becomes very great and lucrative. The computer industry is combating the rising threat of malicious activity with new hardware and software products such as Intrusion Detection Systems, Intrusion Prevention Systems, and Firewalls. However, malicious users are constantly looking for ways to by-pass the security features of these products, and many times they will succeed. This paper describes a novel concept implemented for the purpose of computer and network security with hopes of using it to combat malicious user activity. A hybrid-intelligent system based on Bayesian Learning Networks and Self-Organizing Maps was created and used for classifying network and host based data collected within a Local Area Network. The KDD-CUP-99 data set was used to test this classification system, and the experimental results show that there is an advantage to using a hybrid system such as this because there was a significant improvement in classification accuracy compared to a non-hybrid Bayesian Learning approach when network-only data is used for classification.

A distributed firewall and active response architecture providing preemptive protection

Firewalls provide very good network security features. However, classical perimeter firewall deployments suffer from limitations due to complex network topologies and the inability to completely trust insiders of the network. Distributed firewalls are designed for alleviating these limitations. Intrusion detection is a mature technology and is very powerful when coupled with active response, which is the act of responding to intrusions without the need of human advisory. This paper describes an architecture that implements a distributed firewall with distributed active response. A fundamental result of the architecture is that it can provide proactive and preemptive security for hosts that deploy the system. Using the open-source software framework, the software implementing this proposed system will be provided to the research community so that the architecture can be extended by other researchers and so that newcomers to network security can start investigating security concepts quickly.

Intelligent actor mobility in wireless sensor and actor networks

In wireless sensor and actor network research, the commonly used mobility models for a mobile actor are random walk model, random waypoint mobility model, or variants thereof. For a fully connected network, the choice of mobility model for the actor is not critical because, there is at least one assured path from the sensor nodes to the actor node. But, for a sparsely connected network where information cannot propagate beyond a cluster, random movement of the actor may not be the best choice to maximize event detection and subsequent action. This paper presents static and dynamic intelligent mobility models that are based on the inherent clusters’ information of a sparsely connected network. Simulation results validate the idea behind the intelligent mobility models and provide insights into the applicability of these mobility models in different application scenarios.

IP flow identification for IP traffic carried over switched networks

Abstract Today much of the Internet backbone traffic is carried over switched networks. Switching within these backbone networks is done primarily by using permanent virtual circuits to interconnect internal routers. To improve efficiency, schemes have been suggested that involve identifying IP data flows at the edge of the switched network, and then carrying these flows over a virtual connection through the switched network. To interface with the Internet as it is today, there must be a way to identify flows that are long enough to economically warrant setting up a switched connection. Shorter flows would still be routed on a segment by segment basis. In this paper we look at the effectiveness of several flow identification algorithms, and compare them to the effectiveness of an optimum scheme. We recommend a flow definition based on client–server connections (C–S flow) that results in the lowest SVC setup rate and allows QoS to be applied based on the application.

High Definition video support for natural interaction through distance learning

Using high definition video distance learning allows large areas of the classroom to be captured at a resolution approaching human visual acuity. This allows instructors and students to interact with significantly less constraints then the classic television based distance learning design. Hi Definition Television (HDTV) is becoming commonplace. This drives cost down, but more significantly it creates an increase in student expectation as HDTV replaces standard television in the home. Implementing a useful distance learning classroom based on HDTV requires significant attention to layout in order to achieve a pedagogically functional classroom, especially when applications beyond a simple lecture are considered. The classrooms considered here use two channel video in each direction, as well as stereo audio. This paper will discuss the issues in capturing an entire instructional area (whiteboard and podium) using multiple HD cameras. Careful attention to audio design is also critical to natural interaction.

Intelligent Actor Mobility in Wireless Sensor and Actor Networks

In wireless sensor and actor network research, the commonly used mobility models for a mobile actor are random walk model, random waypoint mobility model, or variants thereof. For a fully connected network, the choice of mobility model for the actor is not critical because, there is at least one assured path from the sensor nodes to the actor node. But, for a sparsely connected network where information cannot propagate beyond a cluster, random movement of the actor may not be the best choice to maximize event detection and subsequent action. This paper presents encouraging preliminary results with static intelligent mobility models that are found using the inherent clusters’ information of a sparsely connected network. Finally, a proposal to develop dynamic intelligent mobility models for the actor based on a mathematical model is presented.

Bit vector algorithms enabling high-speed and memory-efficient firewall blacklisting

In a world of increasing Internet connectivity coupled with increasing computer security risks, security conscious network applications implementing blacklisting technology are becoming very prevalent because it provides the ability to prevent information exchange from known malicious sources. Current technology implementing blacklisting does so at the application level. However, there are numerous benefits for implementing blacklisting filters in the firewall. These benefits include reduced application workload and reduced bandwidth consumption. But, because the de facto algorithm in firewalls is based on a linear search first match principle, large blacklists are not feasible to implement in firewalls due to the O(N) timing complexity of linear search methods. This paper addresses this issue by describing techniques that solve the O(N) time complexity issue without changing the internal input-output behavior of the firewall.

Theory and development of cross-layer techniques for localization in environments with Extreme Emitter Densities

As the RF spectrum becomes increasingly congested, localization algorithms which are tolerant of high levels of interference become necessary. A unique opportunity exists to study these issues during any event in a large venue, such as a football game in a large stadium. We report on the development of a RF sensor localization field deployment, LOC-EED, in the football stadium at Georgia Tech as well as a simplified laboratory testbed for controlled experimentation. During football games, cellphones, stadium personnel radios, media organization radios and wireless controlled devices, game official wireless headsets, etc. create an Extreme Emitter Density (EED) background that is a challenge to any algorithm attempting to identify and localize a single emitter. The laboratory testbed and field deployment to study this problem consists of RF sensor nodes (RFSN) using wideband RF digitizers and general purpose processors to sense the RF environment. We are using software radios as an enabling technology for the development of unique cross-layer localization techniques which are typically not realizable on specialized hardware, such as WiFi APs. This paper reports the details of LOC-EED and offers a preliminary analysis of spectrum captures in the 2.4 GHz band during a live football game. The analysis and a simulation of a simple cross-layer localization technique confirm both the need for, and ability to exploit, cross-layer information for localization.