Metadata Discovery Problem


Metadata is often described as "data about data." Its use ranges from virtualization to data warehousing to statistics. Because of its volume and complexity, metadata can strain security procedures and processes. A recent workshop described a Metadata-based Malicious Cyber Discovery Problem and solicited research and papers. The bibliography presented here lists a number of related papers published in early 2014.

  • Khanuja, H.; Suratkar, S.S., "Role of Metadata in Forensic Analysis of Database Attacks," Advance Computing Conference (IACC), 2014 IEEE International, vol., no., pp.457,462, 21-22 Feb. 2014. With the spectacular increase in online activities like e-transactions, security and privacy issues are at the peak with respect to their significance. Large numbers of database security breaches are occurring at a very high rate on a daily basis. So, there is a crucial need in the field of database forensics to make several redundant copies of sensitive data found in database server artifacts, audit logs, cache, table storage etc. for analysis purposes. A large volume of metadata is available in database infrastructure for investigation purposes, but most of the effort lies in the retrieval and analysis of that information from computing systems. Thus, in this paper we mainly focus on the significance of metadata in database forensics. We propose a system here to perform forensic analysis of a database by generating its metadata file independent of the DBMS used. We also aim to generate the digital evidence against criminals for presenting it in the court of law in the form of who, when, why, what, how and where the fraudulent transaction occurred. Thus, we present a system to detect major database attacks as well as anti-forensics attacks by developing an open source database forensics tool. Eventually, we point out the challenges in the field of forensics and how these challenges can be used as opportunities to stimulate the areas of database forensics.
    Keywords: data privacy; digital forensics; law; meta data; antiforensics attacks; audit logs; cache; court of law; database attacks; database security breaches; database server artifacts; digital evidence; e-transactions; forensic analysis; fraudulent transaction; information analysis; information retrieval; metadata; online activities; open source database forensics tool; privacy issue; security issue; table storage; conferences; Handheld computers; Database forensics; SQL injection; anti-forensics attacks; digital notarization; linked hash technique; metadata; reconnaissance attack; trail obfuscation (ID#:14-2171)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6779367&isnumber=6779283
  • Vollmer, T.; Manic, M.; Linda, O., "Autonomic Intelligent Cyber-Sensor to Support Industrial Control Network Awareness," Industrial Informatics, IEEE Transactions on, vol.10, no.2, pp.1647,1658, May 2014. The proliferation of digital devices in a networked industrial ecosystem, along with an exponential growth in complexity and scope, has resulted in elevated security concerns and management complexity issues. This paper describes a novel architecture utilizing concepts of autonomic computing and a simple object access protocol (SOAP)-based interface to metadata access points (IF-MAP) external communication layer to create a network security sensor. This approach simplifies integration of legacy software and supports a secure, scalable, and self-managed framework. The contribution of this paper is twofold: 1) A flexible two-level communication layer based on autonomic computing and service oriented architecture is detailed and 2) three complementary modules that dynamically reconfigure in response to a changing environment are presented. One module utilizes clustering and fuzzy logic to monitor traffic for abnormal behavior. Another module passively monitors network traffic and deploys deceptive virtual network hosts. These components of the sensor system were implemented in C++ and PERL and utilize a common internal D-Bus communication mechanism. A proof of concept prototype was deployed on a mixed-use test network showing the possible real-world applicability. In testing, 45 of the 46 network attached devices were recognized and 10 of the 12 emulated devices were created with specific operating system and port configurations. In addition, the anomaly detection algorithm achieved a 99.9% recognition rate. All output from the modules was correctly distributed using the common communication structure.
    Keywords: access protocols; computer network security; fault tolerant computing; field buses; fuzzy logic; industrial control; intelligent sensors; meta data; network interfaces; pattern clustering; C++; IF-MAP; PERL; SOAP-based interface; anomaly detection algorithm; autonomic computing; autonomic intelligent cyber-sensor; digital device proliferation; flexible two-level communication layer; fuzzy logic; industrial control network awareness; internal D-Bus communication mechanism; legacy software; metadata access point external communication layer; mixed-use test network; network security sensor; networked industrial ecosystem; proof of concept prototype; self-managed framework; service oriented architecture; simple object access protocol-based interface; traffic monitor; virtual network hosts; Autonomic computing; control systems; industrial ecosystems; network security; service-oriented architecture (ID#:14-2172)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6547755&isnumber=6809862
  • Afzal Butt, Muhammad Irfan, "BIOS Integrity And Advanced Persistent Threat," Information Assurance and Cyber Security (CIACS), 2014 Conference on, vol., no., pp.47,50, 12-13 June 2014. Basic Input Output System (BIOS) is the most important component of a computer system by virtue of its role, i.e., it holds the code which is executed at the time of startup. It is considered as the trusted computing base, and its integrity is extremely important for smooth functioning of the system. On the contrary, BIOS of new computer systems (servers, laptops, desktops, network devices, and other embedded systems) can be easily upgraded using a flash or capsule mechanism which can add new vulnerabilities either through malicious code, or by accidental incidents, and deliberate attack. The recent attack on Iranian Nuclear Power Plant (Stuxnet) is an example of advanced persistent attack. This attack vector adds a new dimension into the information security (IS) spectrum, which needs to be guarded by implementing a holistic approach employed at enterprise level. Malicious BIOS upgrades can also cause denial of service, stealing of information or addition of new backdoors which can be exploited by attackers for causing business loss, passive eavesdropping or total destruction of the system without knowledge of the user. To address this challenge a capability for verification of BIOS integrity needs to be developed and due diligence must be observed for proactive resolution of the issue. This paper explains the BIOS Integrity threats and presents a prevention strategy for effective and proactive resolution.
    Keywords: Advanced Persistent Threat (APT); BIOS Integrity Measurement; Original Equipment Manufacturer (OEM); Roots of Trust (RoTs); Trusted Computing (ID#:14-2173)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6861331&isnumber=6861314
  • Ling, Zhen; Luo, Junzhou; Wu, Kui; Yu, Wei; Fu, Xinwen, "TorWard: Discovery of Malicious Traffic Over Tor," INFOCOM, 2014 Proceedings IEEE, vol., no., pp.1402,1410, April 27 2014-May 2 2014. Tor is a popular low-latency anonymous communication system. However, it is currently abused in various ways. Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we design and implement a novel system, TorWard, for the discovery and systematic study of malicious traffic over Tor. The system can avoid legal and administrative complaints and allows the investigation to be performed in a sensitive environment such as a university campus. An IDS (Intrusion Detection System) is used to discover and classify malicious traffic. We performed comprehensive analysis and extensive real-world experiments to validate the feasibility and effectiveness of TorWard. Our data shows that around 10% of Tor traffic can trigger IDS alerts. Malicious traffic includes P2P traffic, malware traffic (e.g., botnet traffic), DoS (Denial-of-Service) attack traffic, spam, and others. Around 200 known malware have been identified. To the best of our knowledge, we are the first to perform malicious traffic categorization over Tor.
    Keywords: Bandwidth; Computers; Logic gates; Malware; Mobile handsets; Ports (Computers); Servers; Intrusion Detection System; Malicious Traffic; Tor (ID#:14-2174)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6848074&isnumber=6847911
  • Goseva-Popstojanova, Katerina; Dimitrijevikj, Ana, "Distinguishing between Web Attacks and Vulnerability Scans Based on Behavioral Characteristics," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on, vol., no., pp.42,48, 13-16 May 2014. The number of vulnerabilities and reported attacks on Web systems is showing increasing trends, which clearly illustrates the need for better understanding of malicious cyber activities. In this paper we use clustering to classify attacker activities aimed at Web systems. The empirical analysis is based on four datasets, each in duration of several months, collected by high-interaction honeypots. The results show that behavioral clustering analysis can be used to distinguish between attack sessions and vulnerability scan sessions. However, the performance heavily depends on the dataset. Furthermore, the results show that attacks differ from vulnerability scans in a small number of features (i.e., session characteristics). Specifically, for each dataset, the best feature selection method (in terms of the high probability of detection and low probability of false alarm) selects only three features and results in three to four clusters, significantly improving the performance of clustering compared to the case when all features are used. The best subset of features and the extent of the improvement, however, also depend on the dataset.
    Keywords: Web applications; attacks; classification of malicious cyber activities; honeypots; vulnerability scans (ID#:14-2175)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6844611&isnumber=6844560
  • Pajic, Miroslav; Weimer, James; Bezzo, Nicola; Tabuada, Paulo; Sokolsky, Oleg; Lee, Insup; Pappas, George J., "Robustness of Attack-Resilient State Estimators," Cyber-Physical Systems (ICCPS), 2014 ACM/IEEE International Conference on, vol., no., pp.163,174, 14-17 April 2014. The interaction between information technology and the physical world makes Cyber-Physical Systems (CPS) vulnerable to malicious attacks beyond the standard cyber attacks. This has motivated the need for attack-resilient state estimation. Yet, the existing state-estimators are based on the non-realistic assumption that the exact system model is known. Consequently, in this work we present a method for state estimation in presence of attacks, for systems with noise and modeling errors. When the estimated states are used by a state-based feedback controller, we show that the attacker cannot destabilize the system by exploiting the difference between the model used for the state estimation and the real physical dynamics of the system. Furthermore, we describe how implementation issues such as jitter, latency and synchronization errors can be mapped into parameters of the state estimation procedure that describe modeling errors, and provide a bound on the state-estimation error caused by modeling errors. This enables mapping control performance requirements into real-time (i.e., timing related) specifications imposed on the underlying platform. Finally, we illustrate and experimentally evaluate this approach on an unmanned ground vehicle case-study.
    Keywords: (not provided) (ID#:14-2176)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6843720&isnumber=6843703
  • Sanandaji, Borhan M.; Bitar, Eilyan; Poolla, Kameshwar; Vincent, Tyrone L., "An Abrupt Change Detection Heuristic With Applications To Cyber Data Attacks On Power Systems," American Control Conference (ACC), 2014 , vol., no., pp.5056,5061, 4-6 June 2014. We present an analysis of a heuristic for abrupt change detection of systems with bounded state variations. The proposed analysis is based on the Singular Value Decomposition (SVD) of a history matrix built from system observations. We show that monitoring the largest singular value of the history matrix can be used as a heuristic for detecting abrupt changes in the system outputs. We provide sufficient detectability conditions for the proposed heuristic. As an application, we consider detecting malicious cyber data attacks on power systems and test our proposed heuristic on the IEEE 39-bus testbed.
    Keywords: History; Monitoring; Noise level; Power system dynamics; Time measurement; Vectors; Fault detection/accommodation; Power systems (ID#:14-2177)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6859403&isnumber=6858556
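The Sanandaji et al. heuristic above monitors the largest singular value of a history matrix built from system observations. The following is an added illustration written for this bibliography, not code from the paper: it builds a Hankel-structured history matrix from successive output increments (the use of increments rather than raw outputs, the matrix dimensions, the fixed threshold and the constructed measurement series with an injected bias step are all assumptions of this example, chosen so that "bounded state variations" translates into a provable bound on the singular value), and computes the largest singular value by power iteration so that the code runs without NumPy.

```python
import math


def largest_singular_value(matrix, iterations=200):
    """Largest singular value of a small dense matrix via power iteration on M^T M.

    Pure Python stand-in for numpy.linalg.svd(matrix, compute_uv=False)[0].
    """
    rows, cols = len(matrix), len(matrix[0])
    v = [1.0] * cols
    for _ in range(iterations):
        w = [sum(matrix[i][j] * v[j] for j in range(cols)) for i in range(rows)]   # M v
        u = [sum(matrix[i][j] * w[i] for i in range(rows)) for j in range(cols)]   # M^T (M v)
        norm = math.sqrt(sum(x * x for x in u))
        if norm == 0.0:
            return 0.0
        v = [x / norm for x in u]
    w = [sum(matrix[i][j] * v[j] for j in range(cols)) for i in range(rows)]
    return math.sqrt(sum(x * x for x in w))   # ||M v|| for the converged unit vector v


def history_matrix(increments, end, lags, width):
    """Hankel-structured history matrix (lags x width) whose last entry is increments[end]."""
    start = end - (lags - 1) - (width - 1)
    return [[increments[start + i + j] for j in range(width)] for i in range(lags)]


def detect_abrupt_change(outputs, lags=3, width=5, threshold=0.05):
    """First time index at which sigma_max of the history matrix exceeds the threshold.

    Assumption of this example: the matrix is built from output increments, so while the
    increments stay within a bound b, sigma_max <= sqrt(lags * width) * b (Frobenius bound),
    and the threshold can be chosen above that. Returns None if no alarm is raised.
    """
    increments = [0.0] + [outputs[t] - outputs[t - 1] for t in range(1, len(outputs))]
    first = (lags - 1) + (width - 1)
    for end in range(first, len(increments)):
        sigma = largest_singular_value(history_matrix(increments, end, lags, width))
        if sigma > threshold:
            return end
    return None


def make_outputs(length=60, attack_at=None, bias=0.5):
    """Constructed measurement series: slow bounded variation plus an optional injected bias step.

    The per-step variation is at most 0.01 * 0.3 = 0.003, so with lags=3, width=5 the
    clean sigma_max stays below sqrt(15) * 0.003 ~ 0.012; the injected step adds ~0.5.
    """
    outputs = []
    for t in range(length):
        y = 1.0 + 0.01 * math.sin(0.3 * t)
        if attack_at is not None and t >= attack_at:
            y += bias          # constructed false-data injection, not a real measurement
        outputs.append(y)
    return outputs


if __name__ == "__main__":
    print("clean series alarm at:", detect_abrupt_change(make_outputs()))
    print("attacked series alarm at:", detect_abrupt_change(make_outputs(attack_at=30)))
```

The alarm fires at the first window that contains the large increment, i.e. at the attack instant itself; the same window then stays above threshold for lags + width - 2 further steps, which is the delay a downstream handler should expect before the statistic settles again. The paper's sufficient detectability conditions relate the threshold to the bound on state variation; the Frobenius bound in the docstring is the elementary version of that argument for this toy matrix.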
  • Farzan, F.; Jafari, M.A; Wei, D.; Lu, Y., "Cyber-related risk assessment and critical asset identification in power grids," Innovative Smart Grid Technologies Conference (ISGT), 2014 IEEE PES, vol., no., pp.1,5, 19-22 Feb. 2014. This paper proposes a methodology to assess cyber-related risks and to identify critical assets both at power grid and substation levels. The methodology is based on a two-pass engine model. The first pass engine is developed to identify the most critical substation(s) in a power grid. A mixture of Analytic Hierarchy Process (AHP) and (N-1) contingency analysis is used to calculate risks. The second pass engine is developed to identify risky assets within a substation and improve the vulnerability of a substation against the intrusion and malicious acts of cyber hackers. The risk methodology uniquely combines asset reliability, vulnerability and costs of attack into a risk index. A methodology is also presented to improve the overall security of a substation by optimally placing security agent(s) on the automation system.
    Keywords: Automation; Indexes; Modeling; Power grids; Reliability; Security; Substations; cyber security; cyber vulnerability; electrical power grids; risk assessment; substation (ID#:14-2178)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6816371&isnumber=6816367
  • Tang, Lu-An; Han, Jiawei; Jiang, Guofei, "Mining sensor data in cyber-physical systems," Tsinghua Science and Technology, vol.19, no.3, pp.225,234, June 2014. A Cyber-Physical System (CPS) integrates physical devices (i.e., sensors) with cyber (i.e., informational) components to form a context sensitive system that responds intelligently to dynamic changes in real-world situations. Such a system has wide applications in the scenarios of traffic control, battlefield surveillance, environmental monitoring, and so on. A core element of CPS is the collection and assessment of information from noisy, dynamic, and uncertain physical environments integrated with many types of cyber-space resources. The potential of this integration is unbounded. To achieve this potential the raw data acquired from the physical world must be transformed into usable knowledge in real-time. Therefore, CPS brings a new dimension to knowledge discovery because of the emerging synergism of the physical and the cyber. The various properties of the physical world must be addressed in information management and knowledge discovery. This paper discusses the problems of mining sensor data in CPS: With a large number of wireless sensors deployed in a designated area, the task is real time detection of intruders that enter the area based on noisy sensor data. The framework of IntruMine is introduced to discover intruders from untrustworthy sensor data. IntruMine first analyzes the trustworthiness of sensor data, then detects the intruders' locations, and verifies the detections based on a graph model of the relationships between sensors and intruders.
    Keywords: cyber-physical system; data trustworthiness; sensor network (ID#:14-2179)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6838193&isnumber=6838190
  • Hong, Junho; Liu, Chen-Ching; Govindarasu, Manimaran, "Detection of cyber intrusions using network-based multicast messages for substation automation," Innovative Smart Grid Technologies Conference (ISGT), 2014 IEEE PES, vol., no., pp.1,5, 19-22 Feb. 2014. This paper proposes a new network-based cyber intrusion detection system (NIDS) using multicast messages in substation automation systems (SASs). The proposed network-based intrusion detection system monitors anomalies and malicious activities of multicast messages based on IEC 61850, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Value (SV). NIDS detects anomalies and intrusions that violate predefined security rules using a specification-based algorithm. The performance test has been conducted for different cyber intrusion scenarios (e.g., packet modification, replay and denial-of-service attacks) using a cyber security testbed. The IEEE 39-bus system model has been used for testing of the proposed intrusion detection method for simultaneous cyber attacks. The false negative ratio (FNR) is the number of misclassified abnormal packets divided by the total number of abnormal packets. The results demonstrate that the proposed NIDS achieves a low false negative rate.
    Keywords: Computer security; Educational institutions; IEC standards; Intrusion detection; Substation automation; Cyber Security of Substations; GOOSE and SV; Intrusion Detection System; Network Security (ID#:14-2180)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6816375&isnumber=6816367
  • Sumit, S.; Mitra, D.; Gupta, D., "Proposed Intrusion Detection on ZRP based MANET by effective k-means clustering method of data mining," Optimization, Reliability, and Information Technology (ICROIT), 2014 International Conference on, vol., no., pp.156,160, 6-8 Feb. 2014. Mobile Ad-Hoc Networks (MANET) consist of peer-to-peer, infrastructure-less communicating nodes that are highly dynamic. As a result, routing data becomes more challenging. Ultimately routing protocols for such networks face the challenges of random topology change, nature of the link (symmetric or asymmetric) and power requirement during data transmission. Under such circumstances both proactive and reactive routing are usually inefficient. We consider the zone routing protocol (ZRP), which adds the qualities of the proactive (IARP) and reactive (IERP) protocols. In ZRP, an updated topological map of the zone centered on each node is maintained. Immediate routes are available inside each zone. In order to communicate outside a zone, a route discovery mechanism is employed. The local routing information of the zones helps in this route discovery procedure. In MANET security is always an issue. It is possible that a node can turn malicious and hamper the normal flow of packets in the MANET. In order to overcome such an issue we have used a clustering technique to separate the nodes having intrusive behavior from normal behavior. We call this technique effective k-means clustering, which has been motivated by k-means. We propose to implement an Intrusion Detection System on each node of the MANET which is using ZRP for packet flow. Then we will use effective k-means to separate the malicious nodes from the network. Thus, our Ad-Hoc network will be free from any malicious activity and normal flow of packets will be possible.
    Keywords: data mining; mobile ad hoc networks; mobile computing; peer-to-peer computing; routing protocols; telecommunication security; K-means clustering method; MANET security; ZRP based MANET; ad-hoc network; clustering technique; data mining; data transmission; intrusion detection system; intrusive behavior; k-means; local routing information; malicious activity; malicious nodes; mobile ad-hoc networks; packet flow; peer-to-peer infrastructure; proactive protocols; random topology; reactive protocols; route discovery mechanism; route discovery procedure; routing data; zone routing protocol; Flowcharts; Mobile ad hoc networks; Mobile computing; Protocols; Routing; IARP; IDS effective k-means clustering; IERP; MANET; ZRP (ID#:14-2181)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6798303&isnumber=6798279
  • Boukhtouta, Amine; Lakhdari, Nour-Eddine; Debbabi, Mourad, "Inferring Malware Family through Application Protocol Sequences Signature," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on, vol., no., pp.1,5, March 30 2014-April 2 2014. The dazzling emergence of cyber-threats exerts pressure on today's cyberspace, which needs practical and efficient capabilities for malware traffic detection. In this paper, we propose an extension to an initial research effort, namely, towards fingerprinting malicious traffic by putting an emphasis on the attribution of maliciousness to malware families. The proposed technique in the previous work establishes a synergy between automatic dynamic analysis of malware and machine learning to fingerprint badness in network traffic. Machine learning algorithms are used with features that exploit only high-level properties of traffic packets (e.g. packet headers). Besides the detection of malicious packets, we want to enhance fingerprinting capability with the identification of malware families responsible for the generation of malicious packets. The identification of the underlying malware family is derived from a sequence of application protocols, which is used as a signature of the family in question. Furthermore, our results show that our technique achieves a promising malware family identification rate with low false positives.
    Keywords: (not provided) (ID#:14-2182)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6814026&isnumber=6813963
  • Sayed, Bassam; Traore, Issa, "Protection against Web 2.0 Client-Side Web Attacks Using Information Flow Control," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on , vol., no., pp.261,268, 13-16 May 2014. The dynamic nature of the Web 2.0 and the heavy obfuscation of web-based attacks complicate the job of the traditional protection systems such as Firewalls, Anti-virus solutions, and IDS systems. It has been witnessed that using ready-made toolkits, cyber-criminals can launch sophisticated attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF) and botnets to name a few. In recent years, cyber-criminals have targeted legitimate websites and social networks to inject malicious scripts that compromise the security of the visitors of such websites. This involves performing actions using the victim browser without his/her permission. This poses the need to develop effective mechanisms for protecting against Web 2.0 attacks that mainly target the end-user. In this paper, we address the above challenges from information flow control perspective by developing a framework that restricts the flow of information on the client-side to legitimate channels. The proposed model tracks sensitive information flow and prevents information leakage from happening. The proposed model when applied to the context of client-side web-based attacks is expected to provide a more secure browsing environment for the end-user.
    Keywords: AJAX; Client-side web attacks; Information Flow Control; Web 2.0 (ID#:14-2183)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6844648&isnumber=6844560
  • Hong, J.; Liu, C.-C.; Govindarasu, M., "Integrated Anomaly Detection for Cyber Security of the Substations," Smart Grid, IEEE Transactions on, vol.5, no.4, pp.1643,1653, July 2014. Cyber intrusions to substations of a power grid are a source of vulnerability since most substations are unmanned and with limited protection of the physical security. In the worst case, simultaneous intrusions into multiple substations can lead to severe cascading events, causing catastrophic power outages. In this paper, an integrated Anomaly Detection System (ADS) is proposed which contains host- and network-based anomaly detection systems for the substations, and simultaneous anomaly detection for multiple substations. Potential scenarios of simultaneous intrusions into the substations have been simulated using a substation automation testbed. The host-based anomaly detection considers temporal anomalies in the substation facilities, e.g., user-interfaces, Intelligent Electronic Devices (IEDs) and circuit breakers. The malicious behaviors of substation automation based on multicast messages, e.g., Generic Object Oriented Substation Event (GOOSE) and Sampled Measured Value (SMV), are incorporated in the proposed network-based anomaly detection. The proposed simultaneous intrusion detection method is able to identify the same type of attacks at multiple substations and their locations. The result is a new integrated tool for detection and mitigation of cyber intrusions at a single substation or multiple substations of a power grid.
    Keywords: Circuit breakers; Computer security; Intrusion detection; Power grids; Substation automation; Anomaly detection; GOOSE anomaly detection; SMV anomaly detection and intrusion detection; cyber security of substations (ID#:14-2185)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6786500&isnumber=6839066
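Both Hong, Liu and Govindarasu entries above (the ISGT 2014 paper on network-based detection of GOOSE and SV anomalies, and the Transactions on Smart Grid paper that folds GOOSE and SMV checks into an integrated ADS) describe specification-based rules over multicast message fields and evaluate them against packet modification, replay and denial-of-service scenarios. The following added example, written for this bibliography and not taken from either paper, sketches what such rules look like over a constructed stream of GOOSE-like frames. The frame layout is a hypothetical simplification: only the state number (stNum), sequence number (sqNum), the state-change timestamp carried in the frame (t) and the capture time (ts) are modelled, the rule that sqNum restarts at 0 on a state change and the per-second rate limit are assumptions of this example, and the sample frames are constructed, not a real capture.

```python
from collections import deque


def frame(st_num, sq_num, t, ts, src="00:0c:cd:01:00:01", appid=0x0001):
    """Constructed GOOSE-like frame (hypothetical layout, not a real IEC 61850 decoder output)."""
    return {"src": src, "appid": appid, "stNum": st_num, "sqNum": sq_num, "t": t, "ts": ts}


# Constructed sample stream: normal retransmissions, a legitimate state change, then
# one replayed frame, one modified frame and a flood of retransmissions.
SAMPLE_FRAMES = (
    [frame(5, sq, 100.0, 100.0 + 0.01 * sq) for sq in range(3)]          # stNum 5, sqNum 0..2
    + [frame(6, 0, 100.5, 100.50), frame(6, 1, 100.5, 100.51)]             # state change to stNum 6
    + [frame(5, 1, 100.0, 100.60)]                                         # replay of an old-state frame
    + [frame(6, 2, 100.7, 100.70)]                                         # modified: t altered within stNum 6
    + [frame(6, 2 + k, 100.5, 100.80 + 0.005 * k) for k in range(12)]     # flood: 12 frames in 55 ms
)


def check_goose_stream(frames, max_frames_per_second=10):
    """Specification-based checks per (source MAC, APPID) stream.

    Returns a list of (frame_index, rule_name). Frames that violate a rule are not used
    to update the accepted state, so a replayed or modified frame cannot poison the
    baseline for the frames that follow it.
    """
    state = {}    # stream -> (stNum, sqNum, t) of the last accepted frame
    recent = {}   # stream -> deque of capture times inside the 1 s rate window
    alerts = []
    for idx, f in enumerate(frames):
        key = (f["src"], f["appid"])

        # Denial-of-service check: count every observed frame, valid or not.
        times = recent.setdefault(key, deque())
        times.append(f["ts"])
        while times and times[0] <= f["ts"] - 1.0:
            times.popleft()
        if len(times) > max_frames_per_second:
            alerts.append((idx, "rate_exceeded"))

        rule = None
        last = state.get(key)
        if last is not None:
            st, sq, t = last
            if f["stNum"] < st:
                rule = "stnum_regressed"            # replay of a frame from an earlier state
            elif f["stNum"] == st:
                if f["sqNum"] <= sq:
                    rule = "sqnum_not_increasing"   # replayed retransmission
                elif f["t"] != t:
                    rule = "t_changed_within_state" # modification: t must be constant within a state
            else:
                if f["sqNum"] != 0:
                    rule = "sqnum_not_reset"        # assumed convention: sqNum restarts at 0
                elif f["t"] <= t:
                    rule = "t_not_advanced"         # a new state must carry a later timestamp
        if rule is None:
            state[key] = (f["stNum"], f["sqNum"], f["t"])
        else:
            alerts.append((idx, rule))
    return alerts


if __name__ == "__main__":
    for index, rule in check_goose_stream(SAMPLE_FRAMES):
        print(index, rule)
```

On the constructed stream the replayed frame (index 5) trips stnum_regressed, the modified frame (index 6) trips t_changed_within_state, and the flood trips rate_exceeded from the eleventh frame inside the one-second window onward. A production rule set would additionally compare the dataset reference, the allowed-to-live timer and the payload against the configured SCD, which this example does not model.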
  • Tsoutsos, N.G.; Maniatakos, M., "Fabrication Attacks: Zero-Overhead Malicious Modifications Enabling Modern Microprocessor Privilege Escalation," Emerging Topics in Computing, IEEE Transactions on , vol.2, no.1, pp.81,93, March 2014. The wide deployment of general purpose and embedded microprocessors has emphasized the need for defenses against cyber-attacks. Due to the globalized supply chain, however, there are several stages where a processor can be maliciously modified. The most promising stage, and the hardest during which to inject the hardware trojan, is the fabrication stage. As modern microprocessor chips are characterized by very dense, billion-transistor designs, such attacks must be very carefully crafted. In this paper, we demonstrate zero overhead malicious modifications on both high-performance and embedded microprocessors. These hardware trojans enable privilege escalation through execution of an instruction stream that excites the necessary conditions to make the modification appear. The minimal footprint, however, comes at the cost of a small window of attack opportunities. Experimental results show that malicious users can gain escalated privileges within a few million clock cycles. In addition, no system crashes were reported during normal operation, rendering the modifications transparent to the end user.
    Keywords: Computer architecture; Embedded systems; Fabrication; Hardware; logic gates; Microprocessors; Trojan horses; Hardware trojans; fabrication attacks; malicious modification; microprocessors; privilege escalation; zero overhead (ID#:14-2186)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6646239&isnumber=6824880
  • Pathan, A.C.; Potey, M.A., "Detection of Malicious Transaction in Database Using Log Mining Approach," Electronic Systems, Signal Processing and Computing Technologies (ICESC), 2014 International Conference on, vol., no., pp.262,265, 9-11 Jan. 2014. Data mining is the process of finding correlations in relational databases. There are different techniques for identifying malicious database transactions. Many existing approaches profile SQL query structures and database user activities to detect intrusion; the log mining approach is the automatic discovery approach for identifying anomalous database transactions. Mining of the data is very helpful to end users for extracting useful business information from a large database. Multi-level and multi-dimensional data mining are employed to discover data item dependency rules, data sequence rules, domain dependency rules, and domain sequence rules from the database log containing legitimate transactions. Database transactions that do not comply with the rules are identified as malicious transactions. The log mining approach can achieve desired true and false positive rates when the confidence and support are set up appropriately. The implemented system incrementally maintains the data dependency rule sets and optimizes the performance of the intrusion detection process.
    Keywords: SQL; data mining; relational databases; security of data; SQL; anomalous database transactions; automatic discovery; data mining; data sequence rules; domain dependency rules; intrusion detection; log mining approach; malicious transaction detection; query database; query structures; relational databases; Computers; Data mining; Database systems; Intrusion detection; Training; Data Mining; Database security; Intrusion Detection (ID#:14-2187)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6745384&isnumber=6745317
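The entry above mines data dependency rules from a log of legitimate transactions, with support and confidence thresholds, and flags transactions that break them. The following added example, written for this bibliography and not code from the paper, implements one of the rule families the abstract names, the data item dependency rule "a write of item X is preceded in the same transaction by a read of item Y", over a constructed log of banking-style transactions. The transaction log, the item names and the specific thresholds are assumptions of this example; the paper's other rule families (sequence rules, domain rules) and its incremental rule maintenance are not modelled.

```python
# Constructed log of legitimate transactions: each is a list of ("r"|"w", item) operations.
LEGITIMATE_LOG = [
    [("r", "balance_src"), ("r", "balance_dst"), ("w", "balance_src"), ("w", "balance_dst"), ("w", "audit")],
    [("r", "balance_src"), ("r", "balance_dst"), ("w", "balance_src"), ("w", "balance_dst"), ("w", "audit")],
    [("r", "balance_src"), ("w", "balance_src"), ("w", "audit")],                           # withdrawal
    [("r", "balance_src"), ("r", "balance_dst"), ("w", "balance_src"), ("w", "balance_dst"), ("w", "audit")],
    [("r", "balance_src"), ("w", "balance_src"), ("w", "audit")],                           # withdrawal
    [("r", "balance_dst"), ("w", "balance_dst"), ("w", "audit")],                           # deposit
]


def mine_rules(transactions, min_support=0.3, min_confidence=0.9):
    """Mine read-before-write dependency rules: written item -> set of items read earlier.

    support(X <- Y)    = #transactions writing X with an earlier read of Y / #transactions
    confidence(X <- Y) = #transactions writing X with an earlier read of Y / #transactions writing X
    Only rules meeting both thresholds are kept, mirroring the abstract's remark that the
    detection rates depend on how support and confidence are set.
    """
    total = len(transactions)
    write_count = {}   # item -> number of transactions that write it
    pair_count = {}    # (written item, item read before it) -> number of transactions
    for txn in transactions:
        reads_so_far, writes, pairs = set(), set(), set()
        for op, item in txn:
            if op == "r":
                reads_so_far.add(item)
            elif op == "w":
                writes.add(item)
                for read_item in reads_so_far:
                    pairs.add((item, read_item))
        for w in writes:
            write_count[w] = write_count.get(w, 0) + 1
        for p in pairs:
            pair_count[p] = pair_count.get(p, 0) + 1

    rules = {}
    for (written, read_item), count in pair_count.items():
        support = count / total
        confidence = count / write_count[written]
        if support >= min_support and confidence >= min_confidence:
            rules.setdefault(written, set()).add(read_item)
    return rules


def find_violations(txn, rules):
    """Return (position, written item, missing read) for every dependency the transaction breaks."""
    violations = []
    reads_so_far = set()
    for pos, (op, item) in enumerate(txn):
        if op == "r":
            reads_so_far.add(item)
        elif op == "w":
            for missing in sorted(rules.get(item, set()) - reads_so_far):
                violations.append((pos, item, missing))
    return violations


if __name__ == "__main__":
    rules = mine_rules(LEGITIMATE_LOG)
    print("mined rules:", rules)
    # A blind overwrite of a balance, as an injected UPDATE would produce, never reads it first.
    print("suspicious:", find_violations([("w", "balance_src")], rules))
    print("legitimate:", find_violations([("r", "balance_src"), ("w", "balance_src"), ("w", "audit")], rules))
```

With the thresholds above, the only rules that survive are "write balance_src requires a prior read of balance_src" and likewise for balance_dst; the cross-item pairs (e.g. read balance_dst before write balance_src) fail the confidence threshold because withdrawals never read the destination. Lowering min_confidence to 0.6 would admit those pairs and start flagging ordinary withdrawals, which is the true/false positive trade-off the abstract refers to.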
  • Desai, N.N.; Diwanji, H.; Shah, J.S., "A temporal packet marking detection scheme against MIRA attack in MANET," Engineering and Computational Sciences (RAECS), 2014 Recent Advances in , vol., no., pp.1,5, 6-8 March 2014. Mobile Ad-hoc Network is highly susceptible towards the security attacks due to its dynamic topology, resource constraint, energy constraint operations, limited physical security and lack of infrastructure. Misleading routing attack (MIRA) in MANET intend to delay packet to its fullest in order to generate time outs at the source as packets will not reach in time. Its main objective is to generate delay and increase network overhead. It is a variation to the sinkhole attack. In this paper, we have proposed a detection scheme to detect the malicious nodes at route discovery as well as at packet transmissions. The simulation results of MIRA attack indicate that though delay is increased by 91.30% but throughput is not affected which indicates that misleading routing attack is difficult to detect. The proposed detection scheme when applied to misleading routing attack suggests a significant decrease in delay.
    Keywords: mobile ad hoc networks; packet radio networks; telecommunication network routing; telecommunication network topology; telecommunication security; MANET; MIRA attack; delay packet; dynamic topology; energy constraint operations; malicious nodes detection; misleading routing attack; mobile ad-hoc network; packet marking detection scheme; packet transmission; physical security; resource constraint; Delays; IP networks; Mobile ad hoc networks; Routing; Security; Throughput; Topology; MANET; Misleading routing attack (MIRA); clustering; packet marking; time behavior (ID#: 14-2188)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6799560&isnumber=6799496
  • Bou-Harb, Elias; Debbabi, Mourad; Assi, Chadi, "Behavioral analytics for inferring large-scale orchestrated probing events," Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on , vol., no., pp.506,511, April 27 2014-May 2 2014. The significant dependence on cyberspace has indeed brought new risks that often compromise, exploit and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, inferring probing events, which are commonly the first stage of any cyber attack, renders a promising tactic to achieve that task. We have been receiving for the past three years 12 GB of daily malicious real darknet data (i.e., Internet traffic destined to half a million routable yet unallocated IP addresses) from more than 12 countries. This paper exploits such data to propose a novel approach that aims at capturing the behavior of the probing sources in an attempt to infer their orchestration (i.e., coordination) pattern. The latter defines a recently discovered characteristic of a new phenomenon of probing events that could be ominously leveraged to cause drastic Internet-wide and enterprise impacts as precursors of various cyber attacks. To accomplish its goals, the proposed approach leverages various signal and statistical techniques, information theoretical metrics, fuzzy approaches with real malware traffic and data mining methods. The approach is validated through one use case that arguably proves that a previously analyzed orchestrated probing event from last year is indeed still active, yet operating in a stealthy, very low rate mode. We envision that the proposed approach that is tailored towards darknet data, which is frequently, abundantly and effectively used to generate cyber threat intelligence, could be used by network security analysts, emergency response teams and/or observers of cyber events to infer large-scale orchestrated probing events for early cyber attack warning and notification.
    Keywords: Conferences; IP networks; Internet; Malware; Probes (ID#:14-2189)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6849283&isnumber=6849127
  • Nitti, M.; Girau, R.; Atzori, L., "Trustworthiness Management in the Social Internet of Things," Knowledge and Data Engineering, IEEE Transactions on , vol.26, no.5, pp.1253,1266, May 2014. The integration of social networking concepts into the Internet of Things has led to the Social Internet of Things (SIoT) paradigm, according to which objects are capable of establishing social relationships in an autonomous way with respect to their owners, with the benefit of improving network scalability in information/service discovery. Within this scenario, we focus on the problem of understanding how the information provided by members of the social IoT has to be processed so as to build a reliable system on the basis of the behavior of the objects. We define two models for trustworthiness management starting from the solutions proposed for P2P and social networks. In the subjective model each node computes the trustworthiness of its friends on the basis of its own experience and on the opinion of the friends in common with the potential service providers. In the objective model, the information about each node is distributed and stored making use of a distributed hash table structure so that any node can make use of the same information. Simulations show how the proposed models can effectively isolate almost any malicious node in the network at the expense of an increase in the network traffic for feedback exchange.
    Keywords: Communication/Networking and Information Technology; Computer Systems Organization; Distributed Systems; General; Internet of things; social networks; trustworthiness management (ID#:14-2190)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6547148&isnumber=6814899
  • Vegh, Laura; Miclea, Liviu, "Enhancing security in cyber-physical systems through cryptographic and steganographic techniques," Automation, Quality and Testing, Robotics, 2014 IEEE International Conference on , vol., no., pp.1,6, 22-24 May 2014. Information technology is continually changing; discoveries are made every other day. Cyber-physical systems consist of both physical and computational elements and are becoming more and more popular in today's society. They are complex systems, used in complex applications. Therefore, security is a critical and challenging aspect when developing cyber-physical systems. In this paper, we present a solution for ensuring data confidentiality and security by combining some of the most common methods in the area of security — cryptography and steganography. Furthermore, we use hierarchical access to information to ensure confidentiality and also increase the overall security of the cyber-physical system.
    Keywords: cryptography; cyber-physical systems; hierarchical access; multi-agent systems; steganography (ID#:14-2191)
    URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6857845&isnumber=6857810

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.