
Publication


Featured research published by Tayeb Kenaza.


International Conference on Tools with Artificial Intelligence | 2010

Conflicts Handling in Cooperative Intrusion Detection: A Description Logic Approach

Safa Yahi; Salem Benferhat; Tayeb Kenaza

In cooperative intrusion detection, several intrusion detection systems (IDS), network analyzers, vulnerability analyzers and other analyzers are deployed in order to get an overview of the system under consideration. In this case, the definition of a shared vocabulary describing the different information is prominent. Since these pieces of information are structured, we first propose to use description logics which ensure the reasoning decidability. Besides, the analyzers used in cooperative intrusion detection are not totally reliable. The second contribution of this paper is to handle these inconsistencies induced by the use of several analyzers using the so-called partial lexicographic inference.


Fundamenta Informaticae | 2010

On the Use of Naive Bayesian Classifiers for Detecting Elementary and Coordinated Attacks

Tayeb Kenaza; Karim Tabia; Salem Benferhat

Bayesian networks are very powerful tools for knowledge representation and reasoning under uncertainty. This paper shows the applicability of naive Bayesian classifiers to two major problems in intrusion detection: the detection of elementary attacks and the detection of coordinated ones. We propose two models starting with stating the problems and defining the variables necessary for model building using naive Bayesian networks. In addition to the fact that the construction of such models is simple and efficient, the performance of naive Bayesian networks on a representative data is competing with the most efficient state of the art classification tools. We show how the decision rules used in naive Bayesian classifiers can be improved to detect new attacks and new anomalous activities. We experimentally show the effectiveness of these improvements on a recent Web-based traffic. Finally, we propose a naive Bayesian network-based approach especially designed to detect coordinated attacks and provide experimental results showing the effectiveness of this approach.


Procedia Computer Science | 2016

Toward an Efficient Ontology-Based Event Correlation in SIEM

Tayeb Kenaza; Mahdi Aiash

Cooperative intrusion detection uses several intrusion detection systems (IDS) and analyzers in order to build a reliable overview of the monitored system through a central security information and event management system (SIEM). In such an environment, the definition of a shared vocabulary describing the exchanged information between tools is prominent. Since these pieces of information are structured, we propose in this paper to use an ontological representation based on Description Logics (DLs) which is a powerful tool for knowledge representation. Moreover, DLs are able to ensure a decidable reasoning. An alert correlation prototype is presented using this ontology, and an illustrative attack scenario is carried out to show the usefulness of the proposed ontology.


International Conference on Security and Cryptography | 2015

Adaptive SVDD-based learning for false alarm reduction in intrusion detection

Tayeb Kenaza; Abdenour Labed; Yacine Boulahia

During the last decade the support vector data description (SVDD) has been used by researchers to develop anomaly-based intrusion detection systems (IDS), with the ultimate objective to design new efficient IDS that achieve higher detection rates together with lower rates of false alerts. However, most of these systems are generally evaluated during a short period without considering the dynamic aspect of the monitored environment. They are never experimented to test their behavior in long-term, namely after some long period of deployment. In this paper, we propose an adaptive SVDD-based learning approach that aims at continuously enhancing the performances of the SVDD classifier by refining the training dataset. This approach consists of periodically evaluating the classifier by an expert, and feedback in terms of false positives and confirmed attacks is used to update the training dataset. Experimental results using both refined training dataset and compromised dataset (dataset with mislabeling) have shown promising results.


Security and Communication Networks | 2015

Efficient centralized approach to prevent from replication attack in wireless sensor networks

Tayeb Kenaza; Othmane Nait Hamoud; Nadia Nouali-Taboudjemat

The majority of key management schemes suffer from the physical compromising of nodes. This vulnerability allows an adversary to reproduce clones and inject them throughout the network to perform other types of attacks. Furthermore, adding new nodes to the network for maintenance, which is an inevitable step to prolong its life or to repair voids, is the best opportunity to carry out the cloning attack. Our contribution in this paper is to perfectly secure network maintenance against the cloning attack, using a solution based on the digital signature of the base station. Our solution is based on the agreement that the base station should give to a new node to share a pairwise key with its neighbors. The conducted simulations under TinyOS SIMulator TOSSIM show that, in addition to perfect resilience, our approach is efficient in terms of time consumption and communication overhead.


2010 International Conference on Machine and Web Intelligence | 2010

Clustering approach for false alerts reducing in behavioral based intrusion detection systems

Tayeb Kenaza; Abdelhalim Zaidi

Behavioral intrusion detection systems are known by their high false alerts rates. In this paper, we propose to combine a behavioral intrusion detection approach with a clustering approach in order to obtain a set of clusters with different false alerts rates. The order of these clusters with respect to their false alerts rates will be considered as an alerts prioritization. Hence, new alerts will be classified to the closest cluster and processed according to their cluster priority. Experimental results, using a simulated IDS, show that our approach is able to reduce the false alerts rate produced by behavioral intrusion detection systems.


IET Networks | 2018

Security in device-to-device communications: a survey

Othmane Nait Hamoud; Tayeb Kenaza; Yacine Challal

Device-to-device (D2D) communication is a promising technology for the next generation mobile communication networks (5G). Indeed, it is expected to allow high throughput, reduce communication delays and reduce energy consumption and traffic load. D2D technology will enhance the capacity and the performance of traditional cellular networks. Security issues must be considered in all types of communications, especially when it comes to wireless communication between devices involved in controlling critical infrastructures and/or dealing with personal data. The authors propose taxonomy based on the review of recent works which have addressed the security issues in D2D communications. This taxonomy is more practical since it gives, on the one hand, a better readability and a good understanding of all the works that have addressed the security issues in the literature, and on the other hand, a roadmap towards a global security solution that combines the best techniques and security solutions inherent to each layer: physical, MAC, network and application.


Computer Science and Its Applications | 2018

Dynamic Clustering for IoT Key Management in Hostile Application Area

Soumaya Souaidi; Tayeb Kenaza; Badis Djamaa; Monther Aldwairi

The IoT development area has drawn the attention of nowadays researchers, some of them made assumptions regarding the use of clustering in their key management schemes. For example, in CL-EKM (Certificateless Effective Key Management) protocol, cluster-heads are assumed to be with high-processing capabilities and deployed within a grid topology. In fact, this is only possible in a controlled environment. In a hostile environment, such as battlefields, this assumption cannot be satisfied. In this work, an enhancement of the CL-EKM scheme has been proposed by introducing a distributed clustering algorithm. The performance of the implemented and enhanced system proved our assumptions.


Computational Intelligence | 2018

Implementing a Semantic Approach for Events Correlation in SIEM Systems

Tayeb Kenaza; Abdelkarim Machou; Abdelghani Dekkiche

Efficient reasoning in intrusion detection needs to manipulate different information provided by several analyzers in order to build a reliable overview of the underlying monitored system through a central security information and event management system (SIEM). SIEM provides many functions to take benefit of collected data, such as Normalization, Aggregation, Alerting, Archiving, Forensic analysis, Dashboards, etc. The most relevant function is Correlation, when we can get a precise and quick picture about threats and attacks in real time. Since information provided by SIEM is in general structured and can be given in XML, we propose in this paper to use an ontological representation based on Description Logics (DLs) which is a powerful tool for knowledge representation and reasoning. Indeed, Ontology provides a comprehensive environment to represent any kind of information in intrusion detection. Moreover, basing on DLs and rules, Ontology is able to ensure a decidable reasoning. Basing on the proposed ontology, an alert correlation prototype is implemented and two attack scenarios are carried out to show the usefulness of the semantic approach.


ACM Symposium on Applied Computing | 2018

An efficient hybrid SVDD/clustering approach for anomaly-based intrusion detection

Tayeb Kenaza; Khadidja Bennaceur; Abdenour Labed

A hybrid solution is proposed in this paper to enhance the quality of anomaly detection systems using Support Vector Data Description (SVDD). The SVDD aims to characterize the dataset of a single target class. In the case of Intrusion Detection Systems (IDS) the SVDD model is trained using only the class of normal user behavior. Indeed, the learning step consists of finding the hypersphere that encloses the entire scatter of the training set. Notice that the resulting model has to be optimal, i.e. a hypersphere with a minimal radius. This assumes implicitly that the scatter is spherical which is not always true. This paper deals with the general case where the scatter may have a random shape. In this case, some voids may occur in the hypersphere which mainly causes a distortion of the data description, and consequently reduces the accuracy of the detection. We propose a set of improvements that helps remove internal and external voids to enhance the detection accuracy. Experimental results show the effectiveness of our proposals to enhance the accuracy of the SVDD-based anomaly detection, especially the hybridization between SVDD and the clustering.

Collaboration


Dive into Tayeb Kenaza's collaboration.

Top Co-Authors

Salem Benferhat

Centre national de la recherche scientifique

Karim Tabia

Centre national de la recherche scientifique

Abdenour Labed

École Normale Supérieure

Abdelhalim Zaidi

University of Évry Val d'Essonne

Nazim Agoulmine

Centre national de la recherche scientifique