
Publication


Featured research published by Taeshik Shon.


Information Sciences | 2007

A hybrid machine learning approach to network anomaly detection

Taeshik Shon; Jongsub Moon

Zero-day cyber attacks such as worms and spy-ware are becoming increasingly widespread and dangerous. The existing signature-based intrusion detection mechanisms are often not sufficient in detecting these types of attacks. As a result, anomaly intrusion detection methods have been developed to cope with such attacks. Among the variety of anomaly detection approaches, the Support Vector Machine (SVM) is known to be one of the best machine learning algorithms to classify abnormal behaviors. The soft-margin SVM is one of the well-known basic SVM methods using supervised learning. However, it is not appropriate to use the soft-margin SVM method for detecting novel attacks in Internet traffic since it requires pre-acquired learning information for supervised learning procedure. Such pre-acquired learning information is divided into normal and attack traffic with labels separately. Furthermore, we apply the one-class SVM approach using unsupervised learning for detecting anomalies. This means one-class SVM does not require the labeled information. However, there is a downside to using one-class SVM: it is difficult to use the one-class SVM in the real world, due to its high false positive rate. In this paper, we propose a new SVM approach, named Enhanced SVM, which combines these two methods in order to provide unsupervised learning and low false alarm capability, similar to that of a supervised SVM approach. We use the following additional techniques to improve the performance of the proposed approach (referred to as Anomaly Detector using Enhanced SVM): First, we create a profile of normal packets using Self-Organized Feature Map (SOFM), for SVM learning without pre-existing knowledge. Second, we use a packet filtering scheme based on Passive TCP/IP Fingerprinting (PTF), in order to reject incomplete network traffic that either violates the TCP/IP standard or generation policy inside of well-known platforms. Third, a feature selection technique using a Genetic Algorithm (GA) is used for extracting optimized information from raw internet packets. Fourth, we use the flow of packets based on temporal relationships during data preprocessing, for considering the temporal relationships among the inputs used in SVM learning. Lastly, we demonstrate the effectiveness of the Enhanced SVM approach using the above-mentioned techniques, such as SOFM, PTF, and GA on MIT Lincoln Lab datasets, and a live dataset captured from a real network. The experimental results are verified by m-fold cross validation, and the proposed approach is compared with real world Network Intrusion Detection Systems (NIDS).


Systems, Man and Cybernetics | 2005

A machine learning framework for network anomaly detection using SVM and GA

Taeshik Shon; Yongdae Kim; Cheolwon Lee; Jongsub Moon

In today's world of computer security, Internet attacks such as DoS/DDoS, worms, and spyware continue to evolve as detection techniques improve. It is not easy, however, to distinguish such new attacks using only knowledge of pre-existing attacks. In this paper the authors focused on machine learning techniques for detecting attacks from Internet anomalies. The machine learning framework consists of two major components: genetic algorithm (GA) for feature selection and support vector machine (SVM) for packet classification. By experiment it is also demonstrated that the proposed framework outperforms currently employed real-world NIDS.


Network-Based Information Systems | 2007

An analysis of mobile WiMAX security: vulnerabilities and solutions

Taeshik Shon; Wook Choi

The IEEE 802.16 Working Group on Broadband Wireless Access Standards released IEEE 802.16-2004, which is a standardized technology for supporting broadband and wireless communication with fixed and nomadic access. The standard has a security sublayer in the MAC layer called Privacy Key Management, which aims to provide authentication and confidentiality. However, several researches have been published to address the security vulnerabilities of 802.16-2004. After the IEEE 802.16-2004 standard, a new advanced and revised standard was released as the IEEE 802.16e-2005 amendment, which is the foundation of Mobile WiMAX network supporting handoffs and roaming capabilities. In the area of security aspects, Mobile WiMAX adopts improved security architecture, PKMv2, including Extensible Authentication Protocol (EAP) authentication, AES-CCM-based authenticated encryption, and CMAC or HMAC based message protection. However, there is no guarantee that PKMv2-based Mobile WiMAX network will not have security flaws. In this paper, we first describe an overview of security architecture of IEEE 802.16e-based Mobile WiMAX and its vulnerabilities. Based on the related background research, we focus on finding new security vulnerabilities such as a disclosure of security context in initial entry and a lack of secure communication in network domain. We propose possible solutions to prevent these security vulnerabilities.


Journal of Medical Systems | 2015

Cryptanalysis and Improvement of an Improved Two Factor Authentication Protocol for Telecare Medical Information Systems

Shehzad Ashraf Chaudhry; Husnain Naqvi; Taeshik Shon; Muhammad Sher; Mohammad Sabzinejad Farash

Telecare medical information systems (TMIS) provide rapid and convenient health care services remotely. Efficient authentication is a prerequisite to guarantee the security and privacy of patients in TMIS. Authentication is used to verify the legality of the patients and TMIS server during remote access. Very recently Islam et al. (J. Med. Syst. 38(10):135, 2014) proposed a two factor authentication protocol for TMIS using elliptic curve cryptography (ECC) to improve Xu et al.’s (J. Med. Syst. 38(1):9994, 2014) protocol. They claimed their improved protocol to be efficient and to provide all security requirements. However, our analysis reveals that Islam et al.’s protocol suffers from user impersonation and server impersonation attacks. Furthermore, we proposed an enhanced protocol. The proposed protocol, while delivering all the virtues of Islam et al.’s protocol, resists all known attacks.


Computers & Electrical Engineering | 2016

A lightweight message authentication scheme for Smart Grid communications in power sector

Khalid Mahmood; Shehzad Ashraf Chaudhry; Husnain Naqvi; Taeshik Shon; Hafiz Farooq Ahmad

Designed an authentication scheme for IoT based smart grid communication. Analyzed the scheme using automated tool ProVerif. The proposed scheme is more lightweight and secure than existing schemes.

The Internet of Things (IoT) has plenty of applications including Smart Grid (SG). IoT enables smooth and efficient utilization of SG. It is assumed as the prevalent illustration of IoT at the moment. IP-based communication technologies are used for setting SG communication network, but they are challenged by huge volume of delay sensitive data and control information between consumers and utility providers. It is also challenged by numerous security attacks due to resource constraints in smart meters. Sundry schemes proposed for addressing these problems are inappropriate due to high communication, computation overhead and latency. In this paper, we propose a hybrid Diffie-Hellman based lightweight authentication scheme using AES and RSA for session key generation. To ensure message integrity, the advantages of hash based message authentication code are exploited. The scheme provides mutual authentication, thwarting replay and man-in-the-middle attacks and achieves message integrity, while reducing overall communication and computation overheads.


Mobile Networks and Applications | 2014

Toward Advanced Mobile Cloud Computing for the Internet of Things: Current Issues and Future Direction

Taeshik Shon; Jae-Ik Cho; Kyusunk Han; Hyo-Hyun Choi

Cloud computing is the coming new era of information processing and has proved its benefits in high scalability and functional diversity. However, almost all cloud-computing architectures including SaaS, PaaS, and IaaS are vulnerable to serious security issues. Similarly, Mobile Cloud Computing (MCC) is vital to overcoming mobile limited storage and computing capabilities. MCC authentication and authorization issues must be provided on two levels: login password control and the environment from where the cloud is accessed. MCC has overcome the barrier of limited storage by providing remote storage but requires a strict security system that is responsible for retrievability, integrity, and seamless storage access. Elasticity and connectivity are also of major concern in MCC because delays and jitters cause degradation in the user experience. Cloud-computing architecture creates more challenges in maintaining security because of the liberty of users to choose any MCC architecture. Thus in this paper we discuss current cloud computing issues and future directions.


The Journal of Supercomputing | 2013

Asynchronous inter-network interference avoidance for wireless body area networks

Eui-Jik Kim; Sungkwan Youm; Taeshik Shon; Chul-Hee Kang

This paper considers the internetwork interference problem in environments with multiple wireless body area networks (WBANs). We propose an asynchronous internetwork interference avoidance scheme (abbreviated as AIIA), which is based on the hybrid multiple access of carrier sense multiple access with collision avoidance (CSMA/CA) and time division multiple access (TDMA). In AIIA, the gateway device of each WBAN maintains a table, called an AIIA table, which includes the timing offset and TDMA transmission schedule information corresponding to the interfering WBANs. By referring to the table, the conflicting TDMA schedule can be checked and updated by itself, in asynchronous and distributed manners. Extensive simulations are conducted to demonstrate the feasibility and effectiveness of AIIA.


Future Generation Computer Systems | 2016

Challenges and research directions for heterogeneous cyber-physical system based on IEC 61850

Hyunguk Yoo; Taeshik Shon

IEC 61850, an international standard for communication networks, is becoming prevalent in the cyber-physical system (CPS) environment, especially with regard to the electrical grid. Recently, since cyber threats in the CPS environment have increased, security matters for individual protocols used in this environment are being discussed at length. However, there have not been many studies on the types of new security vulnerabilities and the security requirements that are required in a heterogeneous protocol environment based on IEC 61850. In this paper, we examine the electrical grid in Korea, and discuss security vulnerabilities, security requirements, and security architectures in such an environment.

There are security concerns in the heterogeneous CPS environment based on IEC 61850. Two connections (IEC 61850-DNP3, IEC 61850-IEC 61970) are drawn from a case study. We classify the security vulnerabilities of the heterogeneous protocol environment. We present security requirements and architectures in the heterogeneous CPS environment.


Sensors | 2010

Untraceable Mobile Node Authentication in WSN

Kyusuk Han; Kwangjo Kim; Taeshik Shon

Mobility of sensor node in Wireless Sensor Networks (WSN) brings security issues such as re-authentication and tracing the node movement. However, current security researches on WSN are insufficient to support such environments since their designs only considered the static environments. In this paper, we propose the efficient node authentication and key exchange protocol that reduces the overhead in node re-authentication and also provides untraceability of mobile nodes. Compared with previous protocols, our protocol has only a third of communication and computational overhead. We expect our protocol to be the efficient solution that increases the lifetime of sensor network.


The Journal of Supercomputing | 2013

Information delivery scheme of micro UAVs having limited communication range during tracking the moving target

Hyo Hyun Choi; Su Hyun Nam; Taeshik Shon; Myungwhan Choi

In the proposed scheme, micro Unmanned Aerial Vehicle (micro UAV) is used to find the target and the UAV group is controlled to constantly provide location information to the base while the target is moving. UAVs have a limited communication range and information transmission is only possible through communication among the UAVs. After locating the target within the search area, the UAVs move toward the base station in order to transmit the information to the base station using multihop connectivity. In the proposed scheme, when communication is not possible among the UAVs because the target moves too far away from the base station, UAVs retain the information of the target and move toward the base station, deliver the information to another UAV, return to the target, and repeat the process. The base station calculates the range of target’s location upon receiving the information, and determines whether target tracking is possible with the current number of UAVs. The performance of the proposed scheme was evaluated by a simulation using NS-2.

Collaboration


Top Co-Authors

Jungtaek Seo

Electronics and Telecommunications Research Institute
