Publication


Featured research published by Rodrigo Sanches Miani.


Journal of Network and Computer Applications | 2017

A survey of intrusion detection in Internet of Things

Bruno Bogaz Zarpelão; Rodrigo Sanches Miani; Cláudio Toshio Kawakani; Sean Carlisto de Alvarenga

Internet of Things (IoT) is a new paradigm that integrates the Internet and physical objects belonging to different domains such as home automation, industrial process, human health and environmental monitoring. It deepens the presence of Internet-connected devices in our daily activities, bringing, in addition to many benefits, challenges related to security issues. For more than two decades, Intrusion Detection Systems (IDS) have been an important tool for the protection of networks and information systems. However, applying traditional IDS techniques to IoT is difficult due to its particular characteristics such as constrained-resource devices, specific protocol stacks, and standards. In this paper, we present a survey of IDS research efforts for IoT. Our objective is to identify leading trends, open issues, and future research possibilities. We classified the IDSs proposed in the literature according to the following attributes: detection method, IDS placement strategy, security threat and validation strategy. We also discussed the different possibilities for each attribute, detailing aspects of works that either propose specific IDS schemes for IoT or develop attack detection strategies for IoT threats that might be embedded in IDSs.


cyber security and information intelligence research workshop | 2013

Relationships between information security metrics: an empirical study

Rodrigo Sanches Miani; Michel Cukier; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes

Finding relevant metrics in information security is an important but difficult problem. In this paper, we propose to empirically investigate the relevance of different security metrics that could be derived from intrusion prevention system (IPS) alert events and computer security incident data. Based on the data provided by the University of Maryland, we show that IPS metrics are linked to security incidents, and also that different types of security incidents have different significant metrics. These results can be used for identifying possible candidates for security incident indicators, developing methods to improve incident prevention and helping organizations interpret their IPSs better in the future.


International Journal of Network Management | 2013

Construction of baselines for VoIP traffic management on open MANs

Luis Henrique Gibeli; Gean Davis Breda; Rodrigo Sanches Miani; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes

In the last century, owing to the constant evolution of technologies, telecommunication networks have become increasingly robust, being able to support multiple services. These services are part of the heterogeneous network traffic that can be carried through the Internet. Many of these services, including VoIP, are latency sensitive. In other words, this means that their quality depends directly on the network quality of service. Since users tend to become more sensitive with the instability and unavailability of the network, it is important to improve traffic management. A particular type of data that could be used to improve VoIP traffic management is the Internet Protocol Detail Record (IPDR). IPDRs are tickets created by all VoIP call attempts which contain a group of information related to the call history. Because of its full range of information, IPDRs can be used to create VoIP traffic baselines. This paper presents the development of baselines based on IPDRs to support VoIP traffic management in open-access Metropolitan Area Networks (MAN).


international conference on communications | 2017

Detecting mobile botnets through machine learning and system calls analysis

Victor Guilherme Turrisi da Costa; Sylvio Barbon; Rodrigo Sanches Miani; Joel J. P. C. Rodrigues; Bruno Bogaz Zarpelão

Botnets have been a serious threat to the Internet security. With the constant sophistication and the resilience of them, a new trend has emerged, shifting botnets from the traditional desktop to the mobile environment. As in the desktop domain, detecting mobile botnets is essential to minimize the threat that they impose. Along the diverse set of strategies applied to detect these botnets, the ones that show the best and most generalized results involve discovering patterns in their anomalous behavior. In the mobile botnet field, one way to detect these patterns is by analyzing the operation parameters of this kind of applications. In this paper, we present an anomaly-based and host-based approach to detect mobile botnets. The proposed approach uses machine learning algorithms to identify anomalous behaviors in statistical features extracted from system calls. Using a self-generated dataset containing 13 families of mobile botnets and legitimate applications, we were able to test the performance of our approach in a close-to-reality scenario. The proposed approach achieved great results, including low false positive rates and high true detection rates.


Computers & Security | 2018

Process mining and hierarchical clustering to help intrusion alert visualization

Sean Carlisto de Alvarenga; Sylvio Barbon; Rodrigo Sanches Miani; Michel Cukier; Bruno Bogaz Zarpelão

Intrusion Detection Systems (IDS) are extensively used as one of the lines of defense of a network to prevent and mitigate the risks caused by security breaches. IDS provide information about the intrusive activities on a network through alerts, which security analysts manually evaluate to execute an intrusion response plan. However, one of the downsides of IDS is the large amount of alerts they raise, which makes the manual investigation of alerts a burdensome and error-prone task. In this work, we propose an approach to facilitate the investigation of huge amounts of intrusion alerts. The approach applies process mining techniques on alerts to extract information regarding the attackers' behavior and the multi-stage attack strategies they adopted. The strategies are presented to the network administrator in friendly high-level visual models. Large and visually complex models that are difficult to understand are clustered into smaller, simpler and intuitive models using hierarchical clustering techniques. To evaluate the proposed approach, a real dataset of alerts from a large public University in the United States was used. We find that security visualization models created with process mining and hierarchical clustering are able to condense a huge number of alerts and provide insightful information for network/IDS administrators. For instance, by analyzing the models generated during the case study, network administrators could find out important details about the attack strategies such as attack frequencies and targeted network services.


symposium on reliable distributed systems | 2015

A Practical Experience on Evaluating Intrusion Prevention System Event Data as Indicators of Security Issues

Rodrigo Sanches Miani; Bruno Bogaz Zarpelão; Bertrand Sobesto; Michel Cukier

There are currently no generally accepted metrics for information security issues. One reason is the lack of validation using empirical data. In this practical experience report, we investigate whether metrics obtained from security devices used to monitor network traffic can be employed as indicators of security incidents. If so, security experts can use this information to better define priorities on security inspection and also to develop new rules for incident prevention. The metrics we investigate are derived from intrusion detection and prevention system (IDPS) alert events. We performed an empirical case study using IDPS data provided by a large organization of about 40,000 computers. The results indicate that characteristics of alerts can be used to depict trends in some security issues and consequently serve as indicators of security performance.


data warehousing and knowledge discovery | 2010

Development of a business intelligence environment for e-gov using open source technologies

Eduardo Zanoni Marques; Rodrigo Sanches Miani; Everton Luiz De Almeida Gago Jr.; Leonardo de Souza Mendes

It has become common for modern organizations to use advanced information systems for helping their daily operational task. However, there is still a large demand for software solutions that enable straightforward data analysis from these systems. Aiming to solve this problem, Business Intelligence (BI) environments were created. Electronic Government (e-Gov) systems, which typically work with governmental operational data, can take great benefits from a BI environment. Therefore, in e-Gov systems BI tools can be used, among others, to pursue the following goals: enhance the relationship between city and state government and the citizen; help administrating public resources; monitor the impacts of public policies upon the society. This paper presents a proposal for creating a BI environment for Electronic Government systems, using open source technologies with a special application to Social Welfare, developed for the city of Campinas, SP, Brazil.


computational aspects of social networks | 2012

Evaluation of quality in encrypted VoIP calls

Dherik Barison; Rodrigo Sanches Miani; Bruno Bogaz Zarpelão; Gean Davis Breda; Leonardo de Souza Mendes

The purpose of this work is to evaluate the quality of encrypted VoIP calls with different encryption algorithms through OpenVPN software, in order to identify differences in results between encryption algorithms and also differences between non-encrypted and encrypted calls. This evaluation will take into account the MOS (Mean Opinion Score), a method to indicate user satisfaction of voice communication quality. The encrypted VoIP calls will occur in different network scenarios that present different network bandwidths and different problems, like packet loss, out-of-order packets, and delay.


international conference on web information systems and technologies | 2016

NEW APPROACHES FOR XML DATA COMPRESSION

Márlon Amaro Coelho Teixeira; Rodrigo Sanches Miani; Gean Davis Breda; Bruno Bogaz Zarpelão; Leonardo de Souza Mendes


iSys - Revista Brasileira de Sistemas de Informação | 2017

Discovering Attackers Past Behavior to Generate Online Hyper-Alerts

Cláudio Toshio Kawakani; Sylvio Barbon; Rodrigo Sanches Miani; Michel Cukier; Bruno Bogaz Zarpelão

Collaboration


Dive into Rodrigo Sanches Miani's collaboration.

Top Co-Authors

Gean Davis Breda

State University of Campinas

Sean Carlisto de Alvarenga

Universidade Estadual de Londrina

Sylvio Barbon

Universidade Estadual de Londrina

Dherik Barison

State University of Campinas

Felipe Marques Pires

State University of Campinas

Luis Henrique Gibeli

State University of Campinas
