Sang C. Suh
Texas A&M University–Commerce
Publication
Featured research published by Sang C. Suh.
Archive | 2013
Sang C. Suh; U. John Tanik; John N. Carbone; Abdullah Eroglu
Applied Cyber-Physical Systems presents the latest methods and technologies in the area of cyber-physical systems including medical and biological applications. Cyber-physical systems (CPS) integrate computing and communication capabilities by monitoring and controlling the physical systems via embedded hardware and computers. This book brings together unique contributions from renowned experts on cyber-physical systems research and education with applications. It also addresses the major challenges in CPS, and then provides a resolution with various diverse applications as examples. Advanced-level students and researchers focused on computer science, engineering and biomedicine will find this to be a useful secondary textbook or reference, as will professionals working in this field.
Journal of Medical Systems | 2012
Varadraj P. Gurupur; Sang C. Suh; Richard R. Selvaggi; Pramukh R. Karla; Jayalekshmi S. Nair; Shilpa Ajit
In this paper we present the development of a Personal Health Information System (PHIS) by capturing the domain knowledge in the form of concept maps. The software architecture based on capturing the conceptual domain knowledge is demonstrated using a working prototype for patients suffering from diabetes mellitus. Cited current literature predicts that this user based information system has the potential to improve patient care, reduce medical errors, and lower health care costs.
Cluster Computing | 2017
Donghwoon Kwon; Hyunjoo Kim; Jinoh Kim; Sang C. Suh; Ikkyun Kim; Kuinam J. Kim
A great deal of attention has been given to deep learning over the past several years, and new deep learning techniques are emerging with improved functionality. Many computer and network applications actively utilize such deep learning algorithms and report enhanced performance through them. In this study, we present an overview of deep learning methodologies, including restricted Boltzmann machine-based deep belief network, deep neural network, and recurrent neural network, as well as the machine learning techniques relevant to network anomaly detection. In addition, this article introduces the latest work that employed deep learning techniques with the focus on network anomaly detection through the extensive literature survey. We also discuss our local experiments showing the feasibility of the deep learning approach to network traffic analysis.
Hawaii International Conference on System Sciences | 2013
Nida Chammas; Radmila Juric; Nigel Koay; Varadraj P. Gurupur; Sang C. Suh
We propose a computational model based on OWL/SWRL enabled ontologies, which can shape the development of an automated software tool for the purpose of providing patient-specific reminders, advice and action-items in preventing the development of diabetic foot in diabetic patients. The tool is aimed at both: (i) patients who would like to manage their illness efficiently by being informed and alerted to the significance of any change(s) they detect in their feet and (ii) healthcare professionals who can disseminate their knowledge to patients more effectively, and thus prevent the development of diabetic foot, which may cause the premature death of diabetic patients. The advantages of using OWL/SWRL enabled ontologies in our computational model are numerous. They range from the power to store, manage and reason effectively upon knowledge and information related to diabetic foot problems and their prevention through OWL/SWRL computations, to the feasibility of including such computations into software applications, which may run as a set of Apps on Android devices or on personalized healthcare iClouds. Consequently, in the core of our proposal are (a) the OWL ontological model and its constraints which define and store the semantics of symptoms and observations of the changes in diabetic patients' feet and (b) a reasoning process which uses the semantics and the power of ontological matching through SWRL for the purpose of delivering functionalities of the tool.
Proceedings of SPIE | 2011
Nikolay Metodiev Sirakov; Sang C. Suh; Salvatore Attardo
This paper presents a further step of a research toward the development of a quick and accurate weapons identification methodology and system. A basic stage of this methodology is the automatic acquisition and updating of weapons ontology as a source of deriving high level weapons information. The present paper outlines the main ideas used to approach the goal. In the next stage, a clustering approach is suggested on the base of hierarchy of concepts. An inherent slot of every node of the proposed ontology is a low level features vector (LLFV), which facilitates the search through the ontology. Part of the LLFV is the information about the object's parts. To partition an object a new approach is presented capable of defining the object's concavities used to mark the end points of weapon parts, considered as convexities. Further an existing matching approach is optimized to determine whether an ontological object matches the objects from an input image. Objects from derived ontological clusters will be considered for the matching process. Image resizing is studied and applied to decrease the runtime of the matching approach and investigate its rotational and scaling invariance. A set of experiments is performed to validate the theoretical concepts.
International Conference on Cyber Security and Cloud Computing | 2017
Sunhee Baek; Donghwoon Kwon; Jinoh Kim; Sang C. Suh; Hyunjoo Kim; Ikkyun Kim
Identifying anomalous events in the network is one of the vital functions in enterprises, ISPs, and datacenters to protect the internal resources. With its importance, there has been a substantial body of work for network anomaly detection using supervised and unsupervised machine learning techniques with their own strengths and weaknesses. In this work, we take advantage of both worlds of unsupervised and supervised learning methods. The basic process model we present in this paper includes (i) clustering the training data set to create referential labels, (ii) building a supervised learning model with the automatically produced labels, and (iii) testing individual data points in question using the established learning model. By doing so, it is possible to construct a supervised learning model without the provision of the associated labels, which are often not available in practice. To attain this process, we set up a new property defining anomalies in the context of clustering, based on our observations from anomalous events in network, by which the referential labels can be obtained. Through our extensive experiments with a public data set (NSL-KDD), we will show that the presented method performs very well, yielding fairly comparable performance to the traditional method running with the original labels provided in the data set, with respect to the accuracy for anomaly detection.
2017 International Conference on Computing, Networking and Communications (ICNC) | 2017
Jinoh Kim; Wucherl Yoo; Alex Sim; Sang C. Suh; Ikkyun Kim
While the network anomaly detection is essential in network operations and management, it becomes further challenging to perform the first line of detection against the exponentially increasing volume of network traffic. In this work, we develop a technique for the first line of online anomaly detection with two important considerations: (i) availability of traffic attributes during the monitoring time, and (ii) computational scalability for streaming data. The presented learning technique is lightweight and highly scalable with the beauty of approximation based on the grid partitioning of the given dimensional space. With the public traffic traces of KDD Cup 1999 and NSL-KDD, we show that our technique yields 98.5% and 83% of detection accuracy, respectively, only with a couple of readily available traffic attributes that can be obtained without the help of post-processing. The results are at least comparable with the classical learning methods including decision tree and random forest, with approximately two orders of magnitude faster learning performance.
2017 International Conference on Computing, Networking and Communications (ICNC) | 2017
Jinoh Kim; Alex Sim; Sang C. Suh; Ikkyun Kim
Network traffic monitoring is a core element in network operations and management for various purposes such as anomaly detection, change detection, and fault/failure detection. In this paper, we introduce a new approach to online monitoring using a pattern-based representation of the network traffic. Unlike the past online techniques limited to a single variable to summarize (e.g., sketch), the focus of this study is on capturing the network state from the multivariate attributes under consideration. To this end, we employ clustering with its benefit of the aggregation of multidimensional variables. The clustered result represents the state of the network with regard to the monitored variables, which can also be compared with the previously observed patterns visually and quantitatively. We demonstrate the proposed method with two popular use cases, one for estimating state changes and the other for identifying anomalous states, to confirm its feasibility.
Local Computer Networks | 2015
Anil Kumar; Jinoh Kim; Sang C. Suh; Ganho Choi
Network traffic classification is one of the essential functions for local and ISP networks. With its importance, a substantial number of previous studies have explored various machine learning techniques with network flow statistics for accurate traffic classification, including the clustering-based approach. However, we obtained unacceptable results from previously proposed clustering-based techniques from our preliminary experiments. In particular, simply employing the entire flow attributes for clustering leads to unexpectedly poor accuracy (less than 70%). In this paper, we propose a new technique based on multiple trained cluster models to overcome this problem. The proposed technique utilizes multiple sets of attribute combinations in parallel for traffic classification, rather than simply merging the entire (or a subset of) attributes in a single model. Our technique also includes a selection step to reduce the results from the individual models into a single output as the final classification decision, and we explore a set of selection strategies. We present our experimental results and show that our technique significantly improves overall accuracy up to 95%.
International Conference on Big Data | 2015
Jinoh Kim; Ilhwan Moon; Kyungil Lee; Sang C. Suh; Ikkyun Kim
Cyber-attacks have evolved to be more sophisticated by employing combinations of attack methodologies with greater impacts. For instance, Advanced Persistent Threats (APTs) employ a set of stealthy hacking processes running over a long period of time, making them much harder to detect. With this trend, the importance of big-data security analytics has taken greater attention since identifying such latest attacks requires large-scale data processing and analysis. In this paper, we present SEAS-MR (Security Event Aggregation System over MapReduce) that facilitates scalable security event aggregation for comprehensive situation analysis. The introduced system provides the following three core functions: (i) periodic aggregation, (ii) on-demand aggregation, and (iii) query support for effective analysis. We describe our design and implementation of the system over MapReduce and high-level query languages, and report our experimental results collected through extensive settings on a Hadoop cluster for performance evaluation and design impacts.