Youcef Begriche
Télécom ParisTech
Publication
Featured research published by Youcef Begriche.
information assurance and security | 2014
Abdelhamid Makiou; Youcef Begriche; Ahmed Serhrouchni
Injection flaws, which include SQL injection, are the most prevalent security threats affecting Web applications [1]. To mitigate these attacks, Web Application Firewalls (WAFs) apply security rules in order to both inspect HTTP data streams and detect malicious HTTP transactions. Nevertheless, attackers can bypass WAF rules by using sophisticated SQL injection techniques. In this paper, we introduce a novel approach to dissect the HTTP traffic and inspect complex SQL injection attacks. Our model is a hybrid Injection Prevention System (HIPS) which uses both a machine learning classifier and a pattern matching inspection engine based on reduced sets of security rules. Our Web Application Firewall architecture aims to optimize detection performance by using a prediction module that excludes legitimate requests from the inspection process.
Digital Signal Processing | 2014
Youcef Begriche; Messaoud Thameri; Karim Abed-Meraim
This paper considers the Cramer–Rao Lower Bound (CRB) for the source localization problem in the near field. More specifically, we use the exact expression of the delay parameter for the CRB derivation and show how this ‘exact CRB’ can be significantly different from the one given in the literature based on an approximate time delay expression (usually considered in the Fresnel region). In addition, we consider the exact expression of the received power profile (i.e., variable gain case) which, to the best of our knowledge, has been ignored in the literature. Finally, we exploit the CRB expression to introduce the new concept of Near Field Localization Region (NFLR) for a target localization performance associated to the application at hand. We illustrate the usefulness of the proposed CRB derivation as well as the NFLR concept through numerical simulations in different scenarios.
high performance computing and communications | 2016
Pengwenlong Gu; Rida Khatoun; Youcef Begriche; Ahmed Serhrouchni
In recent years, vehicular networks have been drawing special attention because of their significant potential role in future smart cities regarding traffic efficiency improvement and road safety. Safety's crucial status in vehicular networks is determined by its direct impact on people's lives. Several security services based on cryptography, PKI and pseudonymous have been standardized in the past few years by IEEE and ETSI. However, vehicular networks are still vulnerable to critical attacks and the Sybil attack is one of them. This paper proposes a Sybil attack detection method based on vehicle driving patterns in an urban scenario. In this method, Driving Pattern Matrices (DPMs) are constructed for each vehicle based on the beaconing messages they communicate. Then, a minimum distance classifier is used to evaluate their driving pattern and detect the unusual pattern. The simulation results show that our detection method can reach a high detection rate with a low error rate.
local computer networks | 2010
Youcef Begriche; Ahmed Serhrouchni
This paper presents a Bayesian statistical analysis applied to the spam problem. In most anti-spam related research, it is generally assumed that the probability of a spam occurrence is equal to 0.5, which is in our opinion unrealistic. It is also assumed that in the spam message, words are considered as an independent family of words. This makes us look at how the posterior probability behaves when the a priori probability is different from 0.5 and derive the consequences of the assumption of independent words on the posterior probability. The first assumption pushes us to define a prior and find posterior probability laws to enhance the spam detection and increase the reliability of the decision. This analysis differs from previous results that used the Bayesian approach to the anti-spam issue, especially through refinement and enhancement of various probability laws.
symposium on communications and vehicular technology in the benelux | 2014
Mohammad Rmayti; Youcef Begriche; Rida Khatoun; Lyes Khoukhi; Dominique Gaïti
Mobile Ad hoc Networks (MANETs) are dynamic and self-organized networks composed of mobile wireless entities. The communications between nodes are multihop, and provided in a decentralized way without preexisting infrastructure. These characteristics make MANETs vulnerable to many types of Denial of Service (DoS) attacks, including Wormhole, Blackhole and Grayhole attacks. The latter targets some reactive routing protocols with the aim of disrupting the forwarding process in the network. A Grayhole attack occurs during the route discovery phase when a malicious node drops some of the received packets. The watchdog is a well-known intrusion detection mechanism and is usually used to detect this kind of attack. However, watchdogs are characterized by a relatively high rate of false alerts. In this paper, we propose a novel watchdog approach based on two Bayesian filters: Bernoulli and Multinomial. We use these two models in a complementary manner to successfully detect the packet dropping attacks in mobile ad hoc networks. Based on simulation results, our filters prove that these attacks can be detected with a high rate of accuracy.
global information infrastructure and networking symposium | 2014
Mohammad Rmayti; Youcef Begriche; Rida Khatoun; Lyes Khoukhi; Dominique Gaïti
Mobile ad-hoc networks (MANETs) are well known to be vulnerable to various attacks, due to features such as lack of centralized control, dynamic topology, and limited physical security. Denial of Service attacks still represent a serious threat for wireless networks. These attacks not only consume the system resources but also isolate legitimate users from the network. The Grayhole attack is one of these attacks, which occurs when a malicious node drops some of the received data packets during the route discovery process. To detect this attack, we propose in this paper a novel approach based on two Bayesian classification models: Bernoulli and Multinomial. Several tests have been performed using the NS2 simulator. Our filters prove that intentionally dropping packets can be fully detected with a low level of false alerts.
wireless communications and networking conference | 2017
Pengwenlong Gu; Rida Khatoun; Youcef Begriche; Ahmed Serhrouchni
Vehicular networks have been drawing special attention in recent years, due to their importance in enhancing driving experience and improving road safety in future smart cities. In the past few years, several security services, based on cryptography, PKI and pseudonymous, have been standardized by IEEE and ETSI. However, vehicular networks are still vulnerable to various attacks, especially the Sybil attack. In this paper, a Support Vector Machine (SVM) based Sybil attack detection method is proposed. We present three SVM kernel function based classifiers to distinguish the malicious nodes from benign ones via evaluating the variance in their Driving Pattern Matrices (DPMs). The effectiveness of our proposed solution is evaluated through extensive simulations based on the SUMO simulator and MATLAB. The results show that the proposed detection method can achieve a high detection rate with a low error rate even under a dynamic traffic environment.
2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications (SSIC) | 2015
Mohammad Rmayti; Youcef Begriche; Rida Khatoun; Lyes Khoukhi; Dominique Gaïti
Flooding attacks are well-known security threats that can lead to a denial of service (DoS) in computer networks. These attacks consist of excessive traffic generation, by which an attacker aims to disrupt or interrupt some services in the network. The impact of flooding attacks is not limited to some nodes; it can also affect the whole network. Many routing protocols are vulnerable to these attacks, especially those using a reactive mechanism of route discovery, like AODV. In this paper, we propose a statistical approach to defend against RREQ flooding attacks in MANETs. Our detection mechanism can be applied to AODV-based ad hoc networks. Simulation results prove that these attacks can be detected with a low rate of false alerts.
Computer Networks | 2017
Mohammad Rmayti; Rida Khatoun; Youcef Begriche; Lyes Khoukhi; Dominique Gaïti
A Mobile Ad hoc Network (MANET) is a dynamic network composed of mobile nodes that can communicate without relying on an existing infrastructure. In such a decentralized environment, packet forwarding and other routing services are provided by network nodes cooperatively without any central administration. Most existing ad hoc routing protocols are based on the assumption that all network nodes are trustworthy. However, this assumption may be inconsistent when a malicious node decides to drop packets that are supposed to be forwarded, with the aim of disrupting the routing services. Furthermore, the malicious node can change its behavior over time in order to appear as a legitimate node and still disrupt the network without being detected. To address this problem, we propose in this paper a fully decentralized mechanism that allows a node to monitor and detect neighbors that are malicious even if they have a changing behavior. Our mechanism is based on a Bernoulli Bayesian model for node behavior classification and a Markov chain model for behavior evolution tracking. Performance analysis of numerical results obtained using NS2 simulations shows an accurate detection of malicious nodes, which can be used to guarantee reliable and secure packet forwarding among network nodes.
Annales Des Télécommunications | 2016
Rida Khatoun; Youcef Begriche; Juliette Dromard; Lyes Khoukhi; Ahmed Serhrouchni
Most trust and reputation solutions in wireless mesh networks (WMNs) rely on the intrusion detection system (IDS) Watchdog. Nevertheless, Watchdog does not consider packet loss on wireless links and may generate false positives. Consequently, a node that suffers from packet loss on one of its links may be wrongly accused, by Watchdog, of misbehaving. To deal with this issue, we propose in this paper a novel trust system which considers packet loss of links. Our trust system is based on a statistical detection method (SDM) implemented on each node of the network. Firstly, the SDM, via the CUSUM test, analyzes the behavior of the packet loss in order to detect a dropping attack. Secondly, the SDM, through the Kolmogorov-Smirnov test, compares the behavior of the total packet loss with that of the control packets in order to identify the attack type. Our system allows every WMN node to assign to each of its neighbors a trust value which reflects its real behavior. We have validated the proposed SDM method via extensive simulations on ns2 and have compared our trust system with an existing solution. The results show that our SDM solution offers better performance.