Bakke, Sverre Undseth

Approximate search in misuse detection based IDS

Presentation

Abstract

Intrusion detection systems are useful to detect and alert an operator about attacks and security policy breaches on a network. Misuse detection-based intrusion detection systems are a class of intrusion detection systems that queries signature databases for known attack patterns. Intrusion detection systems needs to inspect data in real-time and therefore needs to finish the database queries as fast as possible in order to be able to inspect all traffic. This can cause a problem since signature databases are large and increases even further in size for each new attack that is discovered. Approximate search is a method where the content in the database is organized by similarity and the search query is only checked against a reduced set of similar items based on approximation. In this thesis we will look at how approximate search techniques can be applied to reduce the time needed to inspect traffic. We will implement and perform an efficiency evaluation of the various methods. We will also try to further improve existing methods to increase the performance in intrusion detection querying. As a result we hope to find the better and more efficient method for querying signature databases in misuse detection-based intrusion detection systems.

Topics covered by this thesis

The purpose of this thesis is to look at how various approximate search methods can be applied for improving the performance in misuse detection-based intrusion detection signature database querying. We will implement the various search methods and measure their performance against the Snort signature database in order to see how intrusion detection systems can benefit from these methods. We will also try to define an improved approximate search method to further reduce the delay of the querying and include this in our performance measurement. The results will be used to compare the efficiency of the different methods and see which method is the better for intrusion detection.

Keywords

Intrusion detection, intrusion detection system, intrusion prevention system, misuse detection, IDS, IPS, performance analysis, algorithms, algorithm design and analysis, performance evaluation of algorithms, data structures, approximation, similarity measures, graph and tree search strategies, indexing methods, index generation, query processing, search process, performance evaluation.

Problem description

By using an intrusion detection system, operators can detect attacks against their networks. The most commonly used type of intrusion detection systems are misuse detection-based. Misuse detection-based intrusion detection systems searches a signature database for known attack patterns to identify and alert the operator about attacks in the content of network traffic. In such systems every data packet needs to be compared in real-time against each known attack pattern in order to guard against each and every possible known attack that the operator wishes to detect. The problem with this approach is that the size of the signature database, and therefore also the time needed to search it, increases with time as new attacks are identified. As the size of the database increases, the time needed to search it will also increase. In addition to new attacks, different variations of existing attacks need individual entries in the database when patterns are checked only against an exact match and therefore also increases the size of the database further. New network equipment with higher transfer rates also adds to this problem since the interval between packets may become significantly lower and therefore give the system less time to finish the search before a new packet needs to be inspected. If the time needed to search the database for a pattern exceeds the interval between incoming packets, then packets may be ignored by the intrusion detection and as a result lead to false negatives where the intrusion detection system do not alert about an attack.

Various improvements to search algorithms in order to reduce the needed run-time of database searches have been proposed by researchers for use in document and Internet searches. Among these are approximate search methods where the content in the database is organized by similarity and the search query is only checked against a reduced set of similar items based on approximation. These methods may also be applied to intrusion detection in order to reduce the problem with search complexity. We will look at how these methods can be applied in intrusion detection and try to find which method is better for use with misuse detection signature databases.

Justification, motivation and benefits

Intrusion detection and prevention systems are an important part of the security for many different computer networks and domains. However, across all these networks the intrusion detection performance issues remains the same. At a certain point the intrusion detection systems will reach its capacity limitations and it will start dropping packets, and therefore lead to false negatives where attacks may go unnoticed by the operators.

The solution for this problem today may be to choke the network transfer rates so that the amount of traffic will not cause the intrusion detection system to misbehave, to let certain types of traffic pass without inspection, or to leave out certain attacks from the search.

Finding ways to reduce this problem will affect the entire network. If the intrusion detection systems can handle higher transfer rates then the users, operators and owners of the network may get the advantages that follows such an increase in bandwidth. Furthermore, if the intrusion detection systems can cover a larger set of attack signatures the users, operators and owners may feel confident that their networks are protected against known attacks. The perhaps largest advantage is the possibility of reducing the number of, or completly mitigate, false negatives as the attacks the intrusion detection system is configured to detect actually will be detected. From a business point of view, both increase in speed and the better coverage of attacks can be highly beneficial. We hope to provide research that will help intrusion detection and prevention system developers to create systems that can handle these performance issues better and by this also benefit all the users of such systems.

Research questions

To find out which approximate search method is better for intrusion detection and prevention, the following research questions needs to be answered:

• What methods exists for approximate search and how can these be applied to intrusion detection?
• How does q-gram distance and constrained edit distance perform with and without using an index compared with each other?
• Is it possible to define a constrained q-gram distance method?
• If we can define a constrained q-gram distance, how does this perform compared with the other methods?

Planned contributions

The planned contributions from this project will be our research on how approximate search algorithms can be applied to improve the performance of intrusion detection systems. Our main contribution will be an efficiency comparison of the various approximate search algorithms for use with misuse detection. The performance results will be presented as a evaluation report that can be used as reference for later research, design, development or evaluation of intrusion detection and prevention systems.

We will also try to define a new algorithm called constrained q-gram distance which may work as an alternative fast approximate search algorithm for intrusion detection. If it is possible to define such an algorithm we will also include this in our efficiency evaluation.

Fladby, Kennet Bergsvik

Brain Wave Based Authentication

Presentation

Abstract

Brain wave based authentication is the idea of authenticating an individual based on thoughts. In place of typing a password, the person involved is simply required to think about it instead. This can be an image, a color, a feeling, text or something else that a human mind may think about.

A functional human brain will generate continuous electric signals at all times. The difficult part is how to extract these signals and how to analyze them to provide individual differences that are consistent enough to use in authentication. This thesis will explain methods to capture consistent brain waves, how to analyze them, and discuss whether this kind of authentication has a potential future or not.

Topics covered

Brain wave based authentication is the idea of authenticating an individual based on thoughts. In place of typing a password, the person involved is simply required to think about it instead. This can be an image, a color, a feeling, text, or another scenario that cause the human brain to activate and process information.

A functional human brain will generate continuous electric signals at all times. The difficult part is how to extract these signals and how to analyze them to
provide individual differences that are consistent enough to use in authentication. If they are not consistent, meaning that the same person will not be able to provide roughly the same brain waves more than once, it will be useless for authentication. Everyone have experienced how people react different, even in the same situation, because we interpret information differently. Several factors will determine how a person reacts. Previous experience, personal mood, social relationships, gender, and age are just some of them. This thesis will explain methods to capture consistent brain waves, how to analyze them, and discuss whether this kind of authentication has a potential future or not.

Problem description

There are three basic principles used in authentication; em something-you-have, something-you-know, and something-you-are. If users are authenticated by something-they-have like a key or passport, they have to be very careful not to loose the object or get it stolen. When something-they-know like a password or PIN code is required, the secret must never be written down forgotten, or told to others. Quite a formidable task. Especially considering the amount of different secrets like passwords and codes we have to remember today. It is also possible to ''shoulder-surfe'' a secret by looking at the very keyboard or panel where someone types their secret. Something-you-are involves authentication by using a biometric feature of a person as verification of the identity, called biometric authentication. Fingerprints, voice, face recognition, gait and other features or behavior which is unique between individuals can be used. But even this has problems. Some persons are able to mimic others, falsify fingerprints or use hardware that reconstructs a feature, i.e. the recording of another persons voice. An enrollment process is done for each individual user to create one or more templates which contains all the relevant data to describe the biometric feature of the user. Templates are used in the authentication process when the measured biometric data is matched against a template. The authentication data should match the enrollment template within a certain threshold.

Biometric authentication introduces two kinds of error rates, false match rate (FMR) and false nonmatch rate (FNMR). FMR is the case where a false identity is verified as true, and FNMR is the case where a true identity is verified as false. FMR and FNMR are introduced because the instruments that measure the features or behavior of a person rarely provide exactly the same data twice, even if the same person is measured. Which is why a threshold is used. A high threshold will accept a lot of true users (low FNRM), but also a lot of false users (high FMR) and vice versa. A good biometric authentication system should try too keep both these rates as low as possible.

Justification, motivation and benefits

The requirements of a biometric feature and the system utilizing it, is divided into seven parameters:

• Universality: Every individual required to use the system should have the feature
• Distinctiveness: The feature should be unique between all individuals
• Permanence: The feature should not change significantly over time
• Collectability: It should be easy to acquire measurements of the feature
• Performance: Speed, accuracy and strength of the system used
• Acceptability: The system and feature to be used has to be accepted by the public
• Circumvention: How easy is it to fool the system

In addition, it should be user friendly, easy to implement, and inexpensive. Brain wave based authentication is a very interesting idea with this in mind. Every human has a brain (universality). It is always present and we can not forget it or loose it like an arm or eye. People with physical handicaps to the extreme of total or partial paralysis will also be included as potential users of the system. The complexity of the brain (distinctiveness) implies that it is impossible for a person to mimic another persons brain (circumvention), ensuring that FMR rates will be very low. And unlike a password, brain wave based authentication should never require you type your secret. A feature which makes it impossible for others to ''shoulder-surfe'' your secret. Recent research provided a novel idea of using Brain-Computer Interface(BCI) technology to authenticate users by measuring electric activity in the brain. The idea is that users just think about their password to be authenticated. Either letter by letter or the whole password. It is of course possible to forget the very image or password you are supposed to think about. A minor problem indeed. Even if you write the password down or tell it to others, they can not reproduce your brain wave patterns.

Because it is a new kind of technology with little research and no implementations yet, brain wave authentication may prove to be expensive first and even somewhat

non user-friendly i.e. if it requires users to wear equipment (low acceptability). But over time, should it prove feasible to implement, every party involved in the
authentication process will benefit from this technology. The company that wishes to protect something will have high security, those who manufacture the technology will have a huge customer base, and users do not have to loose, forget or be something they are unable to achieve.

Research questions

• How is it different from existing authentication methods (FMR and FNMR, user friendliness, implementation)
• How to capture brain wave signals (Equipment, user interaction, time)
• How to analyze and recognize patterns (Algorithms, hardware and software requirement)
• How to generate consistent data (Text, images, colors, conscious and unconscious thinking, environment)

Planned contributions

As mentioned, brain wave based authentication is a rather new idea in terms of previous research and results available. This thesis will hopefully identify problems that may be encountered when implementing such a system. Algorithms to analyze data have to be reviewed and probably improved in a feasible manner. It is very important that measured data is consistent. Viable results on how to achieve this will be significantly easier to produce if existing technology to measure brain waves can be used.

Fontanini, Piero Patric

VoIP Security

IP telephony is a technology in which IP networks are being used as a medium to transmit voice. IP telephony is also referred to as Voice over IP or VoIP. There are some main challenges with VoIP security today. Mainly because call setup information and actual "voice data" is transported on an open network like Internet. There are work done in securing VoIP, but the solutions are still far from ideal.
SIP is used in VoIP as an application-layer signaling protocol for creating, modifying, and terminating sessions with one or more participants. The master research project will focus on securing the SIP protocol and especially on user and proxy authentication.

Research questions

How can the Signaling protocol used in VoIP be secured?

• What alternatives are there?
• Is confidentiality needed and if so, how can this be provided?
• How can integrity be provided?
• What are the availability requirements in VoIP?
• How can these availability requirements be assured?

How can user and network components be identified in a VoIP system?

• How can a user identify it self to a service provider in a reliable way? Users and service providers need to be sure that only legitimate users can be authenticated to prevent misuse like spoofing.
• How can a user be assured of a service providers identity? or how can a user be assured that he/she is talking to the right service provider.
• How can a service provider identify it self to other service providers? The service provider of the recipient needs to be sure that it talking to a legitimate service provider for an initiator.
• How can the recipient be sure of the initiators identity? Is the initiator authenticated by a trusted party?

Gigstad, Lars Olav

How can common properties of attacks be extracted from a large and ever growing set of attacks against computers networks?

Presentation

Abstract

When benchmarking Intrusion Detection Systems a data set is required for testing a systems ability to detect attacks. There is a need to generate test data sets for intrusion detection systems benchmarking, which are based on real data from an academic network. We will use a method called 'sequence of events' will be used to determine which features of the traffic are relevant for intrusion detection and because of that, should be included in the data set. Sequence of events can be defined as data describing the behavior of users or systems. These sequences can be collected as 'episodes' which will be used to produce the data set. Using a method like event sequencing new properties of an attack can be found.

Topic covered by the project

With the growing reliability corporations and people have on the internet. A way to protect them selfs from the threats this medium poses have arisen. One of the newer technologies that have come along is Intrusion Detection System, either for personal computers or networks. They try to detect attacks against hosts that pose a threat for the system. The need for testing and benchmarking these systems are done through the use of data sets which contains attack signatures. Only a few of these data sets are openly shared between the researchers\cite{kddcup} and this makes it hard to develop new systems along with testing them against other systems working on different ideas.

When testing IDS system there are two main possibilities, use a live network and run the attack signatures to test the system. Another is to setup a test lab network to run the tests on. Both have their positive and negative sides. Running on a test lab makes sure one have 100\% control over what attacks the system is exposed to, on the other hand this will only test the system in an artifical senario where it will be hard to test for false positives of the system.

Event sequencing is based on occuranse of events and their order. Then finding some kind of pattern or relation between the events. When a sequence of event are found that occur relative close to each other and dependent on other event in the sequence, these are referred to as episodes. By mapping attacks to sequence of events and trying to determine what features are important to the attack, these sequences can be put together as 'episodes' and be used in a data set for benchmarking IDS.

Definitions

A more formal definition on terms used:

Intrusion detection,
is the process of monitoring the events occurring in a computer system or network,
analyzing them for signs of security problems.

A threat,
in a communication network is a potential event or series of events that could result
in the violation of one or more security goals.

An attack,
is the actual implementation of a threat.

Sequence of events,
describing the behavior and actions of users or systems.

Frequent episodes,
is a collection of events that occur relatively close to each other in a given partial order.

Problem description

Benchmarking and testing IDS is a difficult and complex task. It's normally done with data set which contains data from a real network and has some attacks embedded to check if the IDS can detect these. The problem is most of these data set are not publicly available for researchers, and makes it difficult to test new IDS against others. We'll take a look at what is important features from an attack for Intrusion Detections System. We will focus on analyzing traffic by using sequence of events. This will be done on a live academic network, to keep from creating artificial/simulated data sets. The challenge will be to identify what features belongs to an attack and should be put into the data set. Once a set of events has been identified, putting these together to 'episodes' will become the next challenge, before integrating these into the test data set.

Justification, motivation and benefits

Testing and benchmarking IDS using simulated network traffic has received criticism from several papers\cite{marc, nist}. With the limited availability of data sets for researchers to work on \cite{kddcup}, testing new IDS implementation/ideas up against current one's are hard without any good data sets to work with. The current data sets available are also getting quite old, and might give an inaccurate picture of the network activity in todays network. By creating a new data set for researchers and manufactures, both may benefit as they can get a common reference data set to work with. Basing the data set on a scientific method like event sequences opens up for more theoretical research later.

Research questions

The research questions we are will take a closer look at, are the following:

• How can common properties of attacks be extracted from a large and ever growing set of attacks against computers networks?
• What are the properties of an IDS benchmarking data set based on real traffic for whose generation the methods of extraction of common properties of attacks have been used?
• How attacks can be generalized into sequence of events and frequent episodes?

Hammersland, Rune

Finding weaknesses in web applications through the means of fuzzing

Presentation

Topic covered by the project

Fuzzing is a technique developed by Barton P. Miller at the University of Wisconsin in USA. He and his colleagues have successfully used fuzzing to discover flaws in command line tools for UNIX-like systems, command line tools and GUI programs running under the X11 Window System, as well as command line tools and GUI programs running on Microsoft Windows and Apple Mac OS X. For the command line tools they generated a file containing random strings of characters which they piped to a program to find out if the program crashed (dumped core), or started to hang (typically entering an infinite loop). For the GUI applications they generated random key and mouse presses, as well as other mouse events, like drag and scroll, which they proceeded to send to the program they were testing.
Using this technique, they discovered that several programs didn't handle random key presses too well, many of them crashing. Where source code were available, they studied the core dump and source code to find out where the problem occurred. Many of the problems were due to simple mistakes as neglecting to check the return value of functions before using the result.
Little or no research has been done on fuzzing of web applications. There are some tools available: Paros, SPIKE and RFuzz to mention some. The first two work by acting as an HTTP proxy which allows you to modify POST or GET values passed to a web site. The last one is more like a framework for fuzzing which enables a programmer to programatically fuzz web sites and, optionally, generate statistics through the R project or the Ruby Reports library.
Keywords

Problem description

As evidenced by Miller et al., many applications are not robust enough against random input. While they have researched how fuzzing affects command line and GUI applications, little, or no research has been done on how it affects web applications. Tools do exist, but as to the writer's knowledge, no reports have been published on how web applications stand against fuzzing. With the ubiquitous blogs and user contributed websites that exists in this Web 2.0 world, it would be interesting to find out how robust the most used applications are. When handling great amounts of user input, it is important that there is no way that input can put the web application in an undefined state, in other words: crashing it. Many programmers choose to use a web framework
to avoid having to handle these problems themselves, and others make their own frameworks to simplify things. In both cases erroneous user input might affect their application, as nothing will prevent you from doing ``stupid'' things as evaluating the user input as code (i.e. if you're using a dynamic language like Perl). Articles has been writtin on how a programmer can evaluate untrusted code ``safely'', however, that is
outside the scope of this project.

Justification, motivation and benefits

Because so many web sites gives users the possibility to collaborate and contribute to the site, they are also vulnerable to erroneous input and / or users with bad intents. By typing in random data in the fields provided, either by accident, or by intent, the users may put the web application in an undefined state, where it will no longer respond to new requests.
Through fuzz testing, we can find out how well the web applications handle random input, and not the input the programmer expected (whether he expected legitimate or illegitimate input). By discovering where the applications fails to handle the fuzz data in a controlled manner, we can find out which programming practices resulted in the sloppy code, and possibly correct the mistakes made.

Research questions

Questions we are looking to answer are:

• Is fuzzing useful for testing web applications?
• Which web applications handles user input in a manner that is safe from fuzz data?
• If a web application fails to handle the fuzz data:
  • Why is this?
  • Is it due to bad programming practices?
  • How can the application be fixed?
• Are there any web frameworks that are more vulnerable to fuzz testing than others?

As stated earlier, research has been done on how well command line and GUI applications handle fuzz data. Some research has also been done on fuzzing for network protocols, but to my knowledge, similar tests have not been done on web applications.

Planned contributions

This project will look at several high profile web applications available for installation on a machine (we will not be looking at how fuzz testing affects hosted solutions, such as YouTube, as testing other people's production systems would be unethical), and how they handle fuzz data as input. We will create a detailed listing of flaws found in the web applications tested, and where possible we will include information on why the application failed, and how to fix the mistake, similarly as what Miller et al. did. We might also check how these applications stand against SQL injection attacks and cross site scripting attacks, but this is not directly related to the random testing technique we know as ``fuzzing''.

Holien, Kjetil

Gait Authentication under non-standard environments

Presentation

Humans have for ages used characteristics on a human to identify and authenticate
people, either by face, voice, fingerprints, etc. In recent time human recognition
has become an important task in a variety of applications, such as access control and
surveillance. Authentication can happen in many ways, but all authentication factors
can be categorized into one of three classes:

• Something you know: such as a password or a PIN code.
• Something you have: such as a key or a smart card.
• Something you are: this includes all biometric properties, e.g. as a fingerprint.

In this paper we will look at something you are, which consequently utilizes biometric
features of a person. Biometric features can be divided further into two main categories:

• Physiological: properties that will normally not change, such as fingerprints and your iris.
• Behavioral: properties that are learned, such as signature and gait.

When using physiological biometrics the user must usually interact with a system, for
instance scanning his fingerprint on a fingerprint reader. With behavioral biometrics the
data that are collected can normally be recorded when the user performs his natural
duties, for instance talking in a phone. Even though behavioral biometrics required less
user interaction, it is physiological biometrics that is used most. The reason for this is
that physiological biometrics perform in general better when a system is authenticating/
identifying a user. This fact leads to the growing interest to improve behavioral biometrics.

Topic covered by the project

This project will look at gait as a biometric feature. Gait recognition has become an area which has gained a lot of interest the last decade. An important reason why gait has become attractive is that is non-intrusive, can be measured without subject contact or knowledge and it can not easily be obscured [5]. The most research on gait recognition the last decade has been video-based, where the purpose has been for surveillance, for instance recognizing a criminal from a security camera video. There has also been some research on sensors installed in the floor which can be used in an access control system. When using video-based recognition however, there are a lot of variables interfering which lower the performance, such as light and other objects. In 2005 another identification method which utilize how people walk by looking at acceleration

Gait recognition under non-standard environments from sensors attached to the belt was presented. This method uses a device called an accelerometer which measures acceleration in three directions (horizontal, vertical and lateral), and such a device will be used in this project. Gait recognizing using accelerometer can be used to authenticate and protect mobile phones and other portable electronic devices, where the sensors could be integrated into the hardware. As with video-based recognition, there are some circumstances which lower the performance of accelerator based authentication. A common problem with this technology is the fact that one get noise that affects your signal, another problems are that your gait would be altered if you are injured, drunk and so on.

In this project we will investigate how gait recognition works under non-standard environments. We will try to, by isolating variables, find out how different variables impact the recognition rate. Furthermore will there be an analysis to see if the data collected under different circumstances can be adapted in order to be better comparable with each other.

Problem description

Gait recognition is normally achieved after walking back and forth on a solid surface and in a straight line. In a real life scenario this is unfortunately not the case, people walk on different surfaces, walk up and down stairs, walk with different speed, use different clothing and shoes, wear or carry backpacks/briefcases etc. These real-life circumstances introduces some challenges when trying to authenticate people by their gait. In that connection would it be interesting to see how gait recognition works under non-standard environments. It would be desirable that by e.g. knowing what kind of surface a person walks on or if a person is walking faster/slower than normal, the data collected by the accelerometer could be adjusted accordingly and compared with the baseline. The baseline which are being compared to is recorded during an enrollment phase under normal circumstances. In the recognition process the system must try to recognize the current situation and transform the data in a standard manor before comparing with the baseline.

Justification, motivation and benefits

In todays world portable electronic devices such as mobile phones and PDAs have become a natural and important tool. This technology has exploded during the last years, you do not have to go many years back before for instance the mobile phone was just a communication device. Today however, mobile phones are used in applications like m-banking and m-government. With this in mind it is not hard to realize the consequences if your mobile phone is stolen or lost, the financial and personal data would now be accessible by the thief. Currently the only protection mechanism which resides on such devices is usually a PIN code and perhaps a password, the need for a better security is obvious. Features like fingerprints and voice has been proposed with various results, but these features are either obtrusive, require user’s attention or merely did not perform satisfactory. The use of voice based recognition did actually perform very well Gait recognition under non-standard environments under low-noise circumstances, but had more problems with higher background noise. As a result of this gait has come up as an additional way to secure your phone. With gait the system has the possibility to perform continuously authentication. If gait recognition shall become an integrated part of securing electronic devices however, must it be able to perform adequate under different conditions.

Research questions

In order to solve the problem outlined there are first some general issues that must be considered:

General issues:

• What is the most practical way to gather gait data which yields the best result? There are several places to attach the sensor, one can use the hip, ankle, around the knee etc. It can also be possible to use more than one sensor.
• Do people walk in the same way given the same circumstances? An issue which needs to be looked into is whether people walk in the same way under the same condition (surface, clothing, speed etc) after for instance one week.

Technical issues:

• Which methods and techniques can be used to analyze gait data? In order to analyze the data collected has to be pre-processed before it can be handed to the actual matching algorithms. Such pre-processing can e.g be noise reduction and time normalization.
• Has there been any research related work which can be used more or less directly? In order to both ease the workload and achieve as good results as possible it is desirable to reuse some algorithms and tools that has already been used in similar topics.

Those questions I will look deeper into during this project are:

• To what extent is it possible to recognize a person under different circumstances? Is it possible to recognize a person under all different circumstances or do some circumstances provide better recognition than others?
• Do the different circumstances have any common features? We have to see if there are common features in the walking patterns in the various walking circumstances. This might involve a fixed transformation of the walking signal under a particular circumstance, e.g stretching the walking signal in time and decreasing it in amplitude in the case where the participant walks fast, so that the resulting signal better resembles normal walking.

Planned contributions

This project will come up with results how some different circumstances affect the ability to recognize people. If the circumstances do not significantly impact the recognizing process or if it would be possible to do some special processing according to what the circumstance are, there should be no problems using a training set from indoor walking for continuous authentication. This means that after the enrollment phase, the authentication could more easily be moved to another place without having to train the system Gait recognition under non-standard environments again to accommodate for different circumstances. This would be a huge step in order to secure mobile devices with gait analysis.

Ingebrigtsen, Tron

Informasjonssikkerhet, rapportering og håndtering av sikkerhetstruende hendelser og sikkerhetsbrudd

Presentation

Johansen, Gry Elisabeth

Presentation

Kokorina, Liubov

Experimental IDS which will combine misuse and anomaly approaches based on hierarchical frequency

System and network audit allows capturing large amounts of data. These audit data may contain evidences of intrusions, and thus, can be used in intrusion detection. But the audit trails contain lots of events, and only a few of them may indicate intrusions. To extract necessary information, we can use data mining techniques. Intrusion detection systems (IDSs) work with audit data which are, actually, a sequence of events ordered in time.

Frequent episodes give us an efficient way of representing partial order relationships between events. We will use frequent episodes to data mining in intrusion detection.

IDSs now are efficiency trade-offs, particularly, between speed and accuracy. Misuse-based IDS do not recognize unknown attacks while anomaly based IDSs produce many false alarms. There exist several frequent episode discovery algorithms which are claimed to be fast and precise. Besides, we can vary the speed and precision by changing correspondent thresholds. We will build an experimental IDS, which will combine misuse and anomaly approaches based on hierarchical frequency that we introduces. The IDS will be constructed only on frequent episode discovery, matching, and pruning algorithms. We believe that the IDS will be at least as efficient as today’s IDSs.

Kolstad, Erland

Analysis of the intrusion tolerance of the PubSub based MANET

Public/Subscribe (PubSub) paradigm is a powerful abstraction for building distributed applications and message distribution, and seems to be good suited model for the type of communication which takes place at a tactical/mobile level in military operations. Because of the hostile environment such network has to operate in, the networks has to have good information security qualities, including intrusion tolerance. A successful intrusion in tactical command and control networks can have a substantial damage on the ongoing military operation, making it a high valuable enemy target.

Most previous work on information distribution in MANETs focuses on how to distribute the information and minimizing the amount of data to be sent on the network, and not on security issues introduced by an intruder.

This master project will perform an analysis of the intrusion tolerance of the PubSub based MANET, i.e. the capability of a system to fulfil its mission in a timely manner, even in the presence of intelligent attacks or failures.

Pennamasta, Murali Krishna

Risa, Terje

Zero effort security for the home PC users?

Presentation

Introduction

With the increasing use of Internet to access sensitive information, online banking and electronic commerce, is the need for proper protection of home computers a pressing issue. Home computers are becoming a more valuable and easier target for malicious users than corporate computers, and thus increasing the threat against home PCs. The service providers ensure adequate protection for their services, but not for the computer accessing these services. Some service providers like for instance online banking gives out computer security software, like anti-virus programs to their customers, but very often is the user left alone to properly protect the computer. For the service providers to be able too recommend different solutions suited for the home computer users, is there a need for showing how good these solutions are with emphasis on usability.

Problem description

Security in online banking systems and information portals containing sensitive user information has been a very important subject. This has resulted in more secure solutions for the users, for instance the use of one-time password in conjunction with online banking. This focus on improving the security of corporations and businesses, has lead to security threat shifting toward including attacks against home computer also. Since corporate computers have become more difficult to attack, together with the propagation of home computer connecting to the Internet with broadband connection, has home computers become a more valuable target for malicious attacks.

Unfortunately is often the home PC security neglected when for instance securing an information portal or online bank, even though many users use these computers when accessing the sensitive information. Some online banking companies provide the users with anti-virus software, but this does not ensure that the user is protected enough. To improve on the problem of home computers being contaminated with malware and becoming part of bot-nets, user's needs user-friendly security solutions approved by the service providers. It is particularly important that the security solutions are usable for the common home computer user, for it to be used.

Justification, motivation and benefits

With the increasing use of sensitive information accessed via home computers, the service providers need to continually improve the security and defense of their product. One important step in the direction of getting satisfactory protection is not only to secure the service provided, but also help to secure the end-users. This would greatly increase the total security, and would help the users from getting their sensitive information leaked to potential attackers.

Research questions

• Which vulnerabilities and threats are of current interest?
• What security products/solutions are available for common home computer users?
• How can you measure security products effectiveness?
• How good protection can the identified products give?
• What effort is needed to install, maintain and use the different products?

Planned contributions

Hopefully this project will give service providers the ability to see the relations between effect and user-friendliness for some different security solutions. Based on this it can be easier to recommend which security solutions that are most fitted for the common home computer user. In the course of this MSc project, will the trade-offs between required effort and security effectiveness (how good protection it can provide) for some security solutions specifically made for home computers be visualized.

Skogsrud, Harald

Watne, Knut Steinar

Blood vessel patterns and thermal imaging of ear biometrics

Presentation

To determine whether a person is who he says he is, has been important since the dawn of man. In ancient Egypt, the Pharaohs measured the height of the persons to identify them. Through the different eras, new ways of authentication have been introduced. All of these are based on either something you have, know or are. In computer science, the examples of something you have can be a smart card or a token of some sort. Something you know can be a password, pass phrase or some secret way of logging into a system. The last category, something you are, is very much biometric oriented and includes e.g. fingerprints, iris and facial features. During the late 1960's, new biometric devices were made to measure different body parts for identification. From that time on, much research has been done in this area and today many such methods are commonly used.

Topic covered by the project

To authenticate a person by something he is will be the focus of this project. Facial recognition has been discussed for quite some time now, but a relatively new and undocumented area in relation to this, ear recognition, will be the topic of this master thesis. Different techniques have been defined for comparing ears. We will look into some of them, and try to find new and better ways of using the ear as a "something you are" measure in respect to authentication.

Problem description

Face recognition is by now well documented and tested. This require an image of the entire face, and the image must be taken from the front of the person. By just taking the image of an ear, one reduce the size of data that needs to be verified. Ear recognition is though a new field of research, and not much work has been done on this topic. Some of the techniques that have been described are weak and do not really give us any reason to believe that ear recognition might be a new, accurate way of authenticating people (PCA only had a 71,6% recognition rate). These methods are very dependent on the quality of the image, if the ear is covered by hair or if the head is tilted either way. There are however some methods that produce better results, e.g. the "Force Field Transformation method". We will look into new methods
that will broaden the area of ear biometrics, and with this master thesis we hope to consolidate ear recognition as a reliable authentication method. By looking at thermal images or blood vessel patterns in the ear, we hope to receive results that are feasible for authentication as well as overcoming the current issues concerning tilting of the head and occlusion by e.g hair.

Justification, motivation and benefits

Ear recognition is a new field of interest for authentication researchers. The theories that have already been described by different sources have results that varies from 71% to 99% depending on which theory that is applied. By trying to find new methods for this process, we hope to present ear authentication as a possible supplement to other authentication measures out there. Taking photos of ears is much more comfortable for the person which is to be authenticated than e.g. iris/retina scans or fingerprints. Retina scanning requires the person to look into the camera for a couple of seconds, a process which many people find uncomfortable. Some individuals are reluctant to put their finger on a scanner where plenty of people have had their "dirty" fingers before them. To be authenticated just by a photo of one's ear would be much more people-friendly. It is also easier for the person to "remember" his ear than it is to remember a password, or to bring some sort of token with him. If we can come up with some good results for this new method of ear authentication, a quick picture of a persons ear can be all that is needed for entering a building, getting access to files, or whatever you are protecting.

Research questions

In order to solve these problems, several research questions need to be addressed.

1. General research questions:
   • What techniques do already exist for ear authentication?
   • How good are our results compared to results using existing methods?
2. Thermal images:
   • Is it possible to determine differences in peoples ears by looking at a thermal image?
   • Do environmental factors, e.g. temperature, affect our results in any way?
3. Blood vessel extraction:
   • Does everyone have blood vessels that are distinct enough for extraction?
   • In what way should we normalize the extraction of the blood vessel pattern?

Planned contributions

Hopefully, this master thesis will make ear authentication a hot topic in the near future. By proposing a new method, we hope to come up with results that can be of use for later research. We will use an infrared camera to get photos of different ears. From this we will try to extract the blood vessels that are present in the ear. We choose to take 2D images as this does not require expensive equipment or long time to analyze the images created by such a camera. Thermal images of the ear is also something we will look into. A thermal image might reduce the problem with hair covering the ear. This will be very valuable in terms of passive identification. During active identification this will not pose a problem, as the subject can pull his hair back and proceed with the authentication process. If these two methods can be combined, and give us good results in terms of recognition rates, we will have shown that ear recognition can be a serious challenger for any authentication process.