Santosh Biswas

Network specific false alarm reduction in intrusion detection system

Intrusion Detection Systems (IDSs) are used to find the security violations in computer networks. Usually IDSs produce a vast number of alarms that include a large percentage of false alarms. One of the main reason for such false alarm generation is that, in most cases IDSs are run with default set of signatures. In this paper, a scheme for network specific false alarm reduction in IDS is proposed. A threat profile of the network is created and IDS generated alarms are correlated using neural network. Experiments conducted in a test bed have successfully filtered out most of the false alarms for a range of attacks yet maintaining the Detection Rate. Copyright

Detection of neighbor solicitation and advertisement spoofing in IPv6 neighbor discovery protocol

With the increase in number of hosts in the Internet, there is also a rise in the demand for IP address space. To cater to this issue, IP version 6 (IPv6) succeeded IPv4. Compared to 32 bit IP address space in IPv4, IP address in IPv6 is composed of 128 bits. In IPv4, when a host wants to communicate with another host in an LAN, it needs to know the MAC address of the target host, which was possible through Address Resolution Protocol (ARP). As ARP is stateless and due to lack of authorization in ARP messages, many attacks like request spoofing, response spoofing, Man-in-the-Middle (MiTM), Denial-of- Service (DoS) etc. are possible. IPv6 uses Network Discovery Protocol (NDP) to find the MAC address. NDP is also stateless and lacks authentication of its messages by default. So NDP also suffers from many attacks similar to ARP. Although there are various attack detection and prevention mechanisms available for ARP attacks, they are not yet implemented for NDP (IPv6). In this paper we propose an attack detection mechanism for neighbor solicitation spoofing and neighbor advertisement spoofing.

LAN attack detection using Discrete Event Systems

Address Resolution Protocol (ARP) is used for determining the link layer or Medium Access Control (MAC) address of a network host, given its Internet Layer (IP) or Network Layer address. ARP is a stateless protocol and any IP-MAC pairing sent by a host is accepted without verification. This weakness in the ARP may be exploited by malicious hosts in a Local Area Network (LAN) by spoofing IP-MAC pairs. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make IP-MAC pairing static, modify the existing ARP, patch operating systems of all the hosts etc. In this paper we propose a Discrete Event System (DES) approach for Intrusion Detection System (IDS) for LAN specific attacks which do not require any extra constraint like static IP-MAC, changing the ARP etc. A DES model is built for the LAN under both a normal and compromised (i.e., spoofed request/response) situation based on the sequences of ARP related packets. Sequences of ARP events in normal and spoofed scenarios are similar thereby rendering the same DES models for both the cases. To create different ARP events under normal and spoofed conditions the proposed technique uses active ARP probing. However, this probing adds extra ARP traffic in the LAN. Following that a DES detector is built to determine from observed ARP related events, whether the LAN is operating under a normal or compromised situation. The scheme also minimizes extra ARP traffic by probing the source IP-MAC pair of only those ARP packets which are yet to be determined as genuine/spoofed by the detector. Also, spoofed IP-MAC pairs determined by the detector are stored in tables to detect other LAN attacks triggered by spoofing namely, man-in-the-middle (MiTM), denial of service etc. The scheme is successfully validated in a test bed.

An Optimal Diagnosis of NoC Interconnects on Activation of Diagonal Routers

Previous works on detecting and locating manufacturing faults-shorts, stuck-at, and open on an interswitch link of a channel in a network-on-chip (NoC) have been based on the assumption that these faults do not coexist. The works failed to diagnose all these faults when this assumption is relaxed. A deficiency for non-diagnosability of these faults is then represented. A packet address driven test strategy that detects and locates a faulty inters witch link in a NoC channel is proposed. The strategy addresses the intra-channel shorts, stuck at, and open faults coexist on inters witch links and is governed by parallel activation of diagonal routers. The strategy is scalable with mesh NoCs. Simulation results achieve 100% and more than 97% fault coverages when faults are diagnosed explicitly and implicitly respectively.

Detection of faulty interswitch links in 2-D mesh network-on-chips

The network-on-chip has become an emerging research area in the fields of system on chips, embedded systems, integrated circuits design, etc. with the rapid advancement of technologies. The introduction of multi-core chips has in addition made researches in the area ever significant and is growing to facilitate high demand of bandwidth via core utilization and need of scalable interconnection fabrics. Numerous technical papers have addressed the performance evaluation but a limited attention has been paid on detection of faulty interswitch links in post manufactured network-on-chip setups. Existing works are traditional circuit based but not with respect to current aspects. Main drawbacks of these approaches are high detection time, large test data, and low scalability. In this paper we propose a novel high level detection model for interswitch links in network-on-chips. The detection process is exercised with a set of test patterns to identify faulty links. The model proposes both local and global test generation schemes. A 2-D mesh network-on-chip architecture is considered for experiment. The experimental results show that the proposed detection model outperforms with a finite test patterns set which suffices to test all interswitch links of the underlying network-on-chip.

An odd-even model for diagnosis of shorts on NoC interconnects

Interconnect shorts in a network-on-chip (NoC) have caused data overloading and misrouting that make an extra burden on performance metrics. Therefore, diagnosis of shorts on NoC interconnects has taken special interest. Existing works on diagnosis of shorts on NoC interconnects have two major issues-high test time and less scalability. This paper presents a distributed packet address driven test strategy that addresses shorts on NoC interconnects and tackles these issues. High test time is reduced significantly by lowering the test rounds. The scalability is established by applying proposed test strategy on different NoCs. Simulations achieve 100% test and fault coverages, and demonstrate impact of interconnect shorts for a subset of performance metrics in actual traffic in the network.

A host based DES approach for detecting ARP spoofing

Address Resolution Protocol (ARP) based attacks are caused by compromised hosts in the LAN and mainly involve spoofing with falsified IP-MAC pairs. Since ARP is a stateless protocol such attacks are possible. Neither there are signatures available for these attacks nor any significant statistical behavior change can be observed. So existing signature or anomaly intrusion detection systems are unable to detect these type of attacks. Several schemes have been proposed in the literature to circumvent these attacks, however, these techniques either make IP-MAC pairing static, modify the existing ARP, violate network layering architecture etc. In this paper a host based Discrete Event System (DES) approach is proposed for detecting ARP spoofing attacks. This approach does not require any extra constraint like static IP-MAC, changing the ARP or violation of network layering architecture.

A Neural Network based system for Intrusion Detection and attack classification

Anomaly based Intrusion Detection Systems (IDSs) are known to achieve high accuracy and detection rate. However, a significant computational overhead is incurred in training and deploying them. In this paper, we aim to address this issue by proposing a simple Artificial Neural Network (ANN) based IDS model. The proposed IDS model uses the feed forward and the back propagation algorithms along with various other optimization techniques to minimize the overall computational overhead, while at the same time maintain a high performance level. Experimental results on the benchmark NSL-KDD dataset shows that the performance (accuracy and detection rate) of the proposed ANN based IDS model is at par and in some cases even better than other IDS models. Owing to its high performance and low computational overhead, the proposed ANN based IDS model is a suitable candidate for real time deployment and intrusion detection analysis.

Impact of NoC interconnect shorts on performance metrics

Duplication, misrouting, and dropping of packets due to short faults on network-on-chip (NoC) interconnects have become a burden and significant impact on performance metrics. This paper proposes an adaptive approach that detects and locates intra-channel short faults on NoC interconnects, and accounts impact of the faults on performance metrics. The model is scalable with all NoCs. Simulations show the effectiveness of proposed approach and measure different performance metrics with faulty channels on various NoCs.

A matrix model for redefining and testing NoC interconnect shorts

Network-on-chip (NoC) has currently considered as a holistic solution over traditional and global bus-based system-on-chip (SoC) interconnections. However, NoC interconnects experience a subset of manufacturing faults- shorts, opens, and stuck-ats. A limitation of prior works on testing shorts on interconnects of a NoC is that interconnects are tested without coexistent open faults. The works then fail to detect all shorts if a relaxation is made on this assumption. A fast matrix based test strategy that tests and diagnoses shorts with and without coexistent opens on NoC interconnects is proposed. Proposed strategy is scalable irrespective of NoCs and evaluated in terms of test time, test criteria, and performance metrics. Both 100% and near 100% fault coverages are achieved on explicit and implicit testing of shorts respectively. However, 100% test coverage is achieved in either of the cases.