Shanika Karunasekera

A distortion measure for blocking artifacts in images based on human visual sensitivity

A visual model that gives a distortion measure for blocking artifacts in images is presented. Given the original and reproduced image as inputs, the model output is a numerical value that quantifies the visibility of blocking error in the reproduced image. The model is derived based on the human visual sensitivity to horizontal and vertical edge artifacts that result from blocking. Psychovisual experiments have been carried out to measure the visual sensitivity to these artifacts. In the experiments, typical edge artifacts are shown to subjects and the sensitivity to them is measured with the variation of background luminance, background activity, edge length, and edge amplitude. Synthetic test patterns are used as background images in the experiments. The sensitivity measures thus obtained are used to estimate the model parameters. The final model is tested on real images, and the results show that the error visibility predicted by the model correlates well with the subjective ranking.

A survey of coordinated attacks and collaborative intrusion detection

Coordinated attacks, such as large-scale stealthy scans, worm outbreaks and distributed denial-of-service (DDoS) attacks, occur in multiple networks simultaneously. Such attacks are extremely difficult to detect using isolated intrusion detection systems (IDSs) that monitor only a limited portion of the Internet. In this paper, we summarize the current research directions in detecting such attacks using collaborative intrusion detection systems (CIDSs). In particular, we highlight two main challenges in CIDS research: CIDS architectures and alert correlation algorithms. We review the current CIDS approaches in terms of these two challenges. We conclude by highlighting opportunities for an integrated solution to large-scale collaborative intrusion detection.

Automatic measurement of a QoS metric for Web service recommendation

Web services have enabled businesses and organizations to collaborate without platform interoperability and programming language barriers. Quality of service (QoS) of a Web service is an important factor that differentiates similar services offered by different service providers. Such a measure would allow Web service clients to choose and bind to a suitable Web service at run time (based on QoS attributes). Some researchers have proposed the integration of the QoS measure on the Web service directory server. However, a mechanism to maintain the QoS metric has not been defined yet. In this paper, we propose such a mechanism. This mechanism involves automated measurement of QoS attributes on both the client and provider sides, when the service is being used, and updating the QoS-aware Web services directory with this information. We describe a prototype we developed for this purpose and present the results of using this prototype for gathering QoS measurements at run time.

Decentralized multi-dimensional alert correlation for collaborative intrusion detection

The growth in coordinated network attacks such as scans, worms and distributed denial-of-service (DDoS) attacks is a profound threat to the security of the Internet. Collaborative intrusion detection systems (CIDSs) have the potential to detect these attacks, by enabling all the participating intrusion detection systems (IDSs) to share suspicious intelligence with each other to form a global view of the current security threats. Current correlation algorithms in CIDSs are either too simple to capture the important characteristics of attacks, or too computationally expensive to detect attacks in a timely manner. We propose a decentralized, multi-dimensional alert correlation algorithm for CIDSs to address these challenges. A multi-dimensional alert clustering algorithm is used to extract the significant intrusion patterns from raw intrusion alerts. A two-stage correlation algorithm is used, which first clusters alerts locally at each IDS, before reporting significant alert patterns to a global correlation stage. We introduce a probabilistic approach to decide when a pattern at the local stage is sufficiently significant to warrant correlation at the global stage. We then implement the proposed two-stage correlation algorithm in a fully distributed CIDS. Our experiments on a large real-world intrusion data set show that our approach can achieve a significant reduction in the number of alert messages generated by the local correlation stage with negligible false negatives compared to a centralized scheme. The proposed probabilistic threshold approach gains a significant improvement in detection accuracy in a stealthy attack scenario, compared to a naive scheme that uses the same threshold at the local and global stages. A large scale experiment on PlanetLab shows that our decentralized architecture is significantly more efficient than a centralized approach in terms of the time required to correlate alerts.

Evaluation of a Decentralized Architecture for Large Scale Collaborative Intrusion Detection

An important problem in network intrusion detection is how to detect large scale coordinated attacks such as scans, worms and denial-of-service attacks. These coordinated attacks can be difficult to detect at an early stage, since the evidence of the attack may be widely distributed across different subnetworks in the Internet. A critical issue for research is how to detect these large scale attacks by correlating information from multiple intrusion detection systems in an efficient manner. Several collaborative detection systems have been proposed in the literature. However, these proposals have lacked large scale testing in real networks, and the practicalities of how to optimize the trade-off between detection accuracy and reaction time of these systems has not been demonstrated. To address these challenges, we propose LarSID, a scalable decentralized large scale intrusion detection framework. LarSID provides a service for defending against attacks by sharing potential evidence of intrusions between participant intrusion detection systems via a distributed hash table (DHT) architecture. In particular, we investigate how to optimize the trade-off between detection accuracy and reaction time of LarSID based on an analysis of a large, real-world intrusion detection dataset (DShield Dataset), which has been collected from over 1600 firewall administrators across the world. LarSID has been deployed and tested on the PlanetLab testbed, and is built on top of OpenDHT - a public DHT service. Our experimental results show significant reductions in detection latency compared to a centralized detection architecture. Currently, LarSID has been deployed on 128 PlanetLab nodes as a large scale intrusion detection service.

Anomaly detection by clustering ellipsoids in wireless sensor networks

A major challenge for the management of low-cost sensor networks is how to ensure the integrity of the data collected, and how to detect unusual events. In this paper, we present a distributed algorithm for anomaly detection in wireless sensor networks, which reduces the amount of data that needs to be communicated through the network. Our approach learns an ellipsoidal boundary for normal data at each sensor, and introduces a method to cluster these ellipsoids at a global level in order to model normal behaviour in the network. We demonstrate that our approach can achieve greater accuracy in non-homogeneous sensing environments than existing methods, while achieving low communication and computational overhead in the network.

Decentralised Resource Discovery Service for Large Scale Federated Grids

Efficient resource discovery mechanism is one of the fundamental requirement for grid computing systems, as it aids in resource management and scheduling of applications. Resource discovery involves searching for resources that match the users application requirements. Various kinds of solutions to grid resource discovery have been developed, including the centralised and hierarchical information server approach. However, these approaches have serious limitations in regards to scalability, fault-tolerance and network congestion. To overcome such limitations, we propose a decentralised grid resource discovery system based on a spatial publish/subscribe index. It utilises a distributed hash table (DHT) routing substrate for delegation of d-dimensional service messages. Our approach has been validated using a simulated publish/subscribe index that assigns regions of a d-dimensional resource attribute space to the grid peers in the system. We generated the resource attribute distribution using the configurations obtained from the top 500 supercomputer list. The simulation study takes into account various parameters such as resource query rate, index load distribution, number of index messages generated, overlay routing hops and system size. Our results show that grid resource query rate directly affects the performance of the decentralised resource discovery system, and that at higher rates the queries can experience considerable latencies. Further, contrary to what one can expect, system size does not have a significant impact on the performance of the system, in particular the query latency.

Incremental Elliptical Boundary Estimation for Anomaly Detection in Wireless Sensor Networks

Wireless Sensor Networks (WSNs) provide a low cost option for gathering spatially dense data from different environments. However, WSNs have limited energy resources that hinder the dissemination of the raw data over the network to a central location. This has stimulated research into efficient data mining approaches, which can exploit the restricted computational capabilities of the sensors to model their normal behavior. Having a normal model of the network, sensors can then forward anomalous measurements to the base station. Most of the current data modeling approaches proposed for WSNs require a fixed offline training period and use batch training in contrast to the real streaming nature of data in these networks. In addition they usually work in stationary environments. In this paper we present an efficient online model construction algorithm that captures the normal behavior of the system. Our model is capable of tracking changes in the data distribution in the monitored environment. We illustrate the proposed algorithm with numerical results on both real-life and simulated data sets, which demonstrate the efficiency and accuracy of our approach compared to existing methods.

Collaborative Detection of Fast Flux Phishing Domains

Phishing is a significant security threat to users of Internet services. Nowadays, phishing has become more resilient to detection and trace-back with the invention of Fast Flux (FF) service networks. We propose two approaches to correlate evidence from multiple DNS servers and multiple suspect FF domains. Real-world experiments show that our correlation approaches speed-up FF domain detection, based on an analytical model that we propose to quantify the number of DNS queries needed to confirm a FF domain. We also show how our correlation scheme can be implemented on a large scale by using a decentralized publish-subscribe correlation model called LarSID, which is more scalable than a fully centralized architecture.

Preparing Software Engineering Graduates for an Industry Career

The lack of preparedness of software engineering (SE) graduates for a professional career is a common complaint raised by industry practitioners. The career progression of many new graduates is severely impacted due to the lack of well rounded skills. For example, some of the technically stronger graduates lack communication and managerial skills and vise versa. Industry based capstone projects, incorporated as a part of an undergraduate degree, are a well accepted means of preparing students for their professional careers. Software Engineering undergraduates at the University of Melbourne engage in such industry based projects both in the penultimate and final years of their degree. Though aimed at providing students a real-life SE experience and preparing them for industry, we observed these projects to fail in some cases in giving the necessary breadth of skills. We believe this failure to be due to the lack of an objective framework to guide student learning outcomes during projects. To address this problem we developed an objective skill-based framework, focusing on managerial, engineering and personal skills. In this paper we present this framework and share our experiences of using it.