
Publication


Featured research published by Rayford B. Vaughn.


joint ifsa world congress and nafips international conference | 2001

Fuzzy cognitive maps for decision support in an intelligent intrusion detection system

Ambareen Siraj; Susan M. Bridges; Rayford B. Vaughn

The health of a computer network needs to be assessed and protected in much the same manner as the health of a person. The task of an intrusion detection system is to protect a computer system by detecting and diagnosing attempted breaches of the integrity of the system. A robust intrusion detection system for a computer network will necessarily use multiple sensors, each providing different types of information about some aspect of the monitored system. In addition, the sensor data will often be analyzed in several different ways. We describe a decision engine for an intelligent intrusion detection system that fuses information from different intrusion detection modules using a causal knowledge based inference technique. Fuzzy cognitive maps (FCMs) and fuzzy rule-bases are used for the causal knowledge acquisition and to support the causal knowledge reasoning process.


hawaii international conference on system sciences | 2004

Intrusion sensor data fusion in an intelligent intrusion detection system architecture

Ambareen Siraj; Rayford B. Vaughn; Susan M. Bridges

Most modern intrusion detection systems employ multiple intrusion sensors to maximize their trustworthiness. The overall security view of the multi-sensor intrusion detection system can serve as an aid to appraise the trustworthiness in the system. This paper presents our research effort in that direction by describing a decision engine for an intelligent intrusion detection system (IIDS) that fuses information from different intrusion detection sensors using an artificial intelligence technique. The decision engine uses fuzzy cognitive maps (FCMs) and fuzzy rule-bases for causal knowledge acquisition and to support the causal knowledge reasoning process. In this paper, we report on the workings of the decision engine that has been successfully embedded into the IIDS architecture being built at the Center for Computer Security Research (CCSR), Mississippi State University.


cluster computing and the grid | 2006

Cluster Security Research Involving the Modeling of Network Exploitations Using Exploitation Graphs

Wei Li; Rayford B. Vaughn

In this paper, we overview cluster security research underway at Mississippi State University (MSU) and focus on one particular effort involving a process to model system vulnerabilities and possible exploitations in specific cluster environments using exploitation graphs (e-graphs). Cluster security research at MSU has included attacks against clusters, anomaly detection, sensor fusion, VGLI security functionality in clusters, and the use of known system vulnerability data, system configuration data, and vulnerability scanner results to create e-graphs to model possible attack scenarios. The use of e-graphs is helpful in determining attacker work factor analysis, cost/benefit analysis of security, detection of attacks, and identification of critical vulnerabilities.


north american power symposium | 2009

Engineering future cyber-physical energy systems: Challenges, research needs, and roadmap

Thomas H. Morris; Anurag K. Srivastava; Bradley Reaves; Kalyan Pavurapu; Sherif Abdelwahed; Rayford B. Vaughn; Wesley McGrew; Yoginder S. Dandass

Cyber-physical energy systems require the integration of heterogeneous physical layers and decision control networks, mediated by decentralized and distributed local sensing/actuation structures backed by an information layer. With the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) [1] requirements and the president's vision of more secure, reliable and controllable cyber-physical systems, a new paradigm for modeling and research investigation is needed. In this paper, we present common challenges and our vision of solutions to design advanced cyber-physical energy systems with embedded security and distributed control. Finally, we present a survey of our research results in this domain.


cyber security and information intelligence research workshop | 2011

A testbed for SCADA control system cybersecurity research and pedagogy

Thomas H. Morris; Rayford B. Vaughn; Yoginder S. Dandass

This paper describes the Mississippi State University Supervisory Control and Data Acquisition (SCADA) security laboratory and Power and Energy Research laboratory. This laboratory combines process control systems from multiple critical infrastructure industries to create a testbed with functional physical processes controlled by commercial hardware and software over common industrial control system routable and non-routable networks. The testbed enables a research process in which cybersecurity vulnerabilities are discovered, exploits are used to understand the implications of the vulnerability on controlled physical processes, identified problems are classified by criticality and similarities in type and effect, and finally cybersecurity mitigations are developed and validated against the testbed. The testbed also enables control system security workforce development through integration into the classroom of laboratory exercises, functional demonstrations, and research outcomes.


hawaii international conference on system sciences | 2007

Phighting the Phisher: Using Web Bugs and Honeytokens to Investigate the Source of Phishing Attacks

Craig M. McRae; Rayford B. Vaughn

This paper presents a summary of research findings for a new reactive phishing investigative technique using Web bugs and honeytokens. Phishing has become a rampant problem in today's society and has cost financial institutions millions of dollars per year. Today's reactive techniques against phishing usually involve methods that simply minimize the damage rather than attempting to actually track down a phisher. Our research objective is to track down a phisher to the IP address of the phisher's workstation rather than innocent machines used as intermediaries. By using Web bugs and honeytokens on the fake Web site forms the phisher presents, one can log accesses to the honeytokens by the phisher when the attacker views the results of the forms. Research results to date are presented in this paper.


hawaii international conference on system sciences | 2012

A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems

Thomas H. Morris; Rayford B. Vaughn; Yoginder S. Dandass

MODBUS RTU/ASCII Snort is software to retrofit serial-based industrial control systems to add Snort intrusion detection and intrusion prevention capabilities. This article discusses the need for such a system by describing 4 classes of intrusion vulnerabilities (denial of service, command injection, response injection, and system reconnaissance) which can be exploited on MODBUS RTU/ASCII industrial control systems. The article provides details on how Snort rules can detect and prevent such intrusions. Finally, the article describes the MODBUS RTU/ASCII Snort implementation, provides details on placement of a MODBUS RTU/ASCII Snort host within a control system to maximize intrusion detection and prevention capabilities, and discusses the system's validation.


component based software engineering | 2005

Software requirement understanding using Pathfinder networks: discovering and evaluating mental models

Udai Kumar Kudikyala; Rayford B. Vaughn

Understanding and communicating user requirements in a software requirement analysis effort is very important. Misunderstandings of user requirements between software developers and users will cause problems in terms of satisfying user needs, defects, cost and schedule during the software development process. This paper proposes a new technique that has the ability to represent the mental models of the user and developer communities as network representations using Pathfinder networks. Graphs (mental models) are generated for each of the user and developer groups and compared for similarities/dissimilarities using a graph similarity metric. This paper overviews how this technique is used to categorize requirements and to identify ambiguous and duplicate requirements. We also propose to extend this technique to enhance communication and reduce misunderstanding surrounding the user requirements during the requirement analysis phase.


north american fuzzy information processing society | 2005

Multi-level alert clustering for intrusion detection sensor data

Ambareen Siraj; Rayford B. Vaughn

Alert fusion is a promising research area in information assurance today. To increase trustworthiness in systems, most modern information systems deployed in distributed environments employ multiple, diverse sensors that monitor security violations throughout the network. The outputs of the sensors must be fused in an effective and intelligent manner in order to provide an overall view of the status of such systems. A unified architecture for intelligent alert fusion essentially combines alert prioritization, alert clustering and alert correlation. In this paper, we address the alert clustering aspect of sensor data fusion in an intrusion detection environment. A causal knowledge based inference technique with fuzzy cognitive modeling is used to cluster alerts by discovering structural relationships in sensor data.


Third IEEE International Workshop on Information Assurance (IWIA'05) | 2005

Combining static analysis and dynamic learning to build accurate intrusion detection models

Zhen Liu; Susan M. Bridges; Rayford B. Vaughn

Anomaly detection based on monitoring of sequences of system calls has been shown to be an effective method for detection of previously unseen, potentially damaging attacks on hosts. This paper presents a new model for profiling normal program behavior for use in detection of intrusions that change application execution flow. This model is compact and efficient to operate and can be acquired using a combination of static analysis and dynamic learning. Our model (hybrid push down automata, HPDA) incorporates call stack information in the automata model and effectively captures the control flow of a program. Several important properties of the model are based on a unique correspondence relation between addresses and instructions within the model. These properties allow the HPDA to be acquired by dynamic analysis of an audit of the call stack log. Our strategy is to use static analysis to acquire a base model and then to use dynamic learning as a supplement to capture those aspects of behavior that are difficult to capture with static analysis due to techniques commonly used in modern programming environments. The model created by this combination method is shown to have a higher detection capability than models acquired by static analysis alone and a lower false positive rate than models acquired by dynamic learning alone.

Collaboration


Dive into Rayford B. Vaughn's collaboration.

Top Co-Authors

Susan M. Bridges, Mississippi State University

Ambareen Siraj, Tennessee Technological University

Wei Li, Nova Southeastern University

David A. Dampier, Mississippi State University

Zhen Liu, Mississippi State University

Thomas H. Morris, Mississippi State University

Yoginder S. Dandass, Mississippi State University

German Florez, Mississippi State University