Wim Mees

On a multicriteria clustering approach for attack attribution

We present a multicriteria clustering approach that has been developed to address a problem known as attack attribution in the realm of investigative data mining. Our method can be applied to a broad range of security data sets in order to get a better understanding of the root causes of the underlying phenomena that may have produced the observed data. A key feature of this approach is the combination of cluster analysis with a component for multi-criteria decision analysis. As a result, multiple criteria of interest (or attack features) can be aggregated using different techniques, allowing one to unveil complex relationships resulting from phenomena with eventually dynamic behaviors. To illustrate the method, we provide some empirical results obtained from a data set made of attack traces collected in the Internet by a set of honeypots during two years. Thanks to the application of our attribution method, we are able to identify several large-scale phenomena composed of IP sources that are linked to the same root cause, which constitute a type of phenomenon that we have called Misbehaving cloud (MC). An in-depth analysis of two instances of such clouds demonstrates the utility and meaningfulness of the approach, as well as the kind of insights we can get into the behaviors of malicious sources involved in these clouds.

Risk management in coalition networks

In modern military operations, nations participate as members of a coalition. In order to realize a rapid command and control cycle, the armed forces of one nation need to establish communication links between their information system and that of other members of the coalition. These interconnections inevitably introduce risks, and these risks need to be managed. However, because each nation uses its own risk management methodology and tools, integrating the results of the risk assessment performed by a partner in the coalition with whom information is exchanged, into ones own risk management process, remains a periodically performed, manual operation. In this paper we will first discuss risk management approaches in a single organization, and show why it is important to adopt a continuous risk management approach. Next we will present a concept for realizing this continuous risk management in a coalition environment.

Building k-nn graphs from large text data

In this paper we present our new design of NNCTPH, a scalable algorithm to build an approximate k-NN graph from large text datasets. The algorithm uses a modified version of Context Triggered Piecewise Hashing to bin the input data into buckets, and uses NN-Descent, a versatile graph-building algorithm, inside each bucket. We use datasets consisting of the subject of spam emails to experimentally test the influence of the different parameters of the algorithm on the number of computed similarities, on processing time, and on the quality of the final graph. We also compare the algorithm with a sequential and a MapReduce implementation of NN-Descent. For our datasets, the algorithm proved to be up to ten times faster than NN-Descent, for the same quality of produced graph. Moreover, the speedup increased with the size of the dataset, making NNCTPH a sensible choice for very large text datasets.

Detection of defects in a fuzzy knowledge base

We discuss the problem of detecting defects in a fuzzy knowledge base. We introduce a degree of redundancy and a degree of conflict which allow a knowledge engineer to identify potentially redundant or conflicting sets of rules.

Multisensor data fusion for IED threat detection

In this paper we present the multi-sensor registration and fusion algorithms that were developed for a force protection research project in order to detect threats against military patrol vehicles. The fusion is performed at object level, using a hierarchical evidence aggregation approach. It first uses expert domain knowledge about the features used to characterize the detected threats, that is implemented in the form of a fuzzy expert system. The next level consists in fusing intra-sensor and inter-sensor information. Here an ordered weighted averaging operator is used. The object level fusion between candidate threats that are detected asynchronously on a moving vehicle by sensors with different imaging geometries, requires an accurate sensor to world coordinate transformation. This image registration will also be discussed in this paper.

An attempt at defining cyberdefense situation awareness in the context of command & control

In this paper we present an overview of the most important views on situation awareness in literature. We then go on to apply these concepts to cyberdefense. The main contribution of the paper lies in bringing together different decision making models and proposing a unified cyberdefense situation awareness model, that covers the different levels of abstraction from raw data to understanding, as well as the different topics that are relevant for building situation awareness.

Fast distributed k-nn graph update

In this paper, we present an approximate algorithm that is able to quickly modify a large distributed fc-nn graph by adding or removing nodes. The algorithm produces an approximate graph that is highly similar to the graph computed using a naïve approach, although it requires the computation of far fewer similarities. To achieve this goal, it relies on a novel, distributed graph based search procedure. All these algorithms are also experimentally evaluated, using both euclidean and non-euclidean datasets.

Spatial smoothing for coherent MIMO radar setups with minimum redundancy

This paper covers coherent MIMO radar systems with collocated antennas combined with minimum redundancy principles. The fundament of the first are virtual arrays which can be considered as discrete convolution of transmitter and receiver distributions. This technique can be connected to sparse arrays regarding minimum redundancy (MR) aspects. However, MR setups are usually suited for so-called uncorrelated signal scenarios, whereas coherent MIMO radar setups provide correlated or coherent signal outputs. The standard angular signal processing of MR arrays would become corrupted in coherent signal case. The spatial smoothing algorithm can provide a possible solution for this conflict by lateral shifts. However, the pure amount of required shifts would make the idea of sparse arrays obsolete. Therefore, the spatial smoothing algorithm was adapted in order to find also sparse lateral shift positions. The solution could again be found by means of minimum redundancy. This paper presents simulation results which were generated during design and implementation of radar sensors.

Coherent resampling for coherent MIMO radar setups

During the recent decade, coherent MIMO radar systems have been examined intensively. Although well proven conventional modulation schemes can be applied to coherent MIMO radars, such as linear frequency modulation (LFM), the system implementation, and therefore also the modulation, usually underlies errors such as non-linearities, phase noise etc. Nevertheless, the academic world in turn has developed methods for calibration, correction and error prediction against corrupted radar signal modulation. One of these methods is the so-called resampling method which had been developed for correction of linear frequency modulation. However, the convolution operation in coherent MIMO radars with collocated antennas incorporates another grade of complexity. This paper sketches the efforts needed, as well as results, for the resampling method applied to coherent MIMO radars with respect to maintenance of coherency between single MIMO channels.

Multi-agent System for APT Detection

Advanced Persistent Threats (APTs) are targeted cyber attacks committed over a long period of time by highly skilled attackers. The ever increasing number of successful attacks indicates that classical network protection solutions (firewalls, Intrusion Detections Systems, proxies etc.) are no longer sufficient. Therefore, in this paper we propose a new system that combines multiples approaches using advanced aggregation techniques to achieve a better detection performance. We also test the system on real data from a small corporate network, and show that our system is able to attain a high probability of detection to probability of false alarm ratio.