systems overload their human operators by triggering thousands of alarms per day. This paper presents a new approach for handling intrusion detection alarms more efficiently. Neural network analyses based on the self-organizing map (SOM) and the growing hierarchical self-organizing map (GHSOM) are used to discover interesting patterns that are signs of potential attack scenarios targeting each machine in the network. The GHSOM addresses two main limits of SOM, which are caused, on the one hand, by the static architecture of this model and, on the other hand, by its limited capability to represent hierarchical relations in the data. The experiments conducted on several logs extracted from the SNORT NIDS confirm that the GHSOM can form an adaptive architecture, which grows in size and depth during its training process and thus unfolds the hierarchical structure of the analyzed alert logs.
The SVM is one of the most successful classification algorithms in the field of data mining, but its training task is time-consuming (computationally expensive) for intrusion detection systems, which limits its use. Furthermore, the SVM in general treats every feature of the data equally, while in real network traffic datasets many features are redundant or less important. Kernel-based approaches to feature selection [7, 8] also require a complex training process, and the so-called weighted kernel that results from the optimization process needs to be regularized prior to its use in an SVM. Moreover, processing raw features for classification decreases the accuracy of intrusion detection. Because of the above-mentioned shortcomings, the standard SVM cannot be used for intrusion detection. However, to address these limitations, variants of the SVM have recently been suggested [9, 10, 11].
The TILE-Gx36 processor is a typical many-core processor with 36 homogeneous, general-purpose computational elements, named tiles, organised in a 6 × 6 grid interconnected through an iMesh on-chip network [12, 16] (see Fig. 1). Each tile consists of a full-featured processor core with both L1 and L2 cache and a non-blocking switch that connects the core to five 2-dimensional mesh networks connecting all tiles. Among these five Network-on-Chip (NoC) interconnects, only one, the User Dynamic Network (UDN), is dedicated to applications for communication among tiles, while the processor itself uses the other networks to improve efficiency and speed up data transfers among the tiles, the I/O devices and the memory. The UDN is connected directly to the Arithmetic Logical Unit (ALU) in the tile, which allows very low communication latency between tiles. Table 1 shows a comparison of communication among tiles via the UDN and via shared memory: the UDN exhibits a very low transmission latency and at the same time a very high bandwidth, up to 60 Tbps, which provides much better performance than traditional shared memory. Each tile of the TILE-Gx36 chip has a 256 KB L2 cache. Each of these L2 caches, in addition to being used locally, can be used as a remote L3 cache for other tiles. This results in a large distributed L3 cache accessible by all the tiles. This strategy allows a page of virtual memory to be homed on a specific tile and then cached remotely by others. The processor also integrates a packet capture engine (mPIPE) on the die.
2.2 Packet processing in NIDS
Network intrusions pose a significant threat to network security. An intrusion detection system (IDS) automates the intrusion detection process by monitoring the packets coming from outside a computer system or network and analyzing them for signs of a variety of possible attacks or probes. If these problematic packets can be detected in time, it is then possible to stop them from getting inside the network, thus preventing numerous attacks. This detection can be done by inspecting the payload of a network packet and comparing it to a collection of suspicious patterns such as Snort's. Snort is an open source network intrusion detection system (NIDS) which can perform real-time traffic analysis.
The large majority of smart object users are not security experts and are not aware of the vulnerabilities and the security threats induced by their network-accessible objects. Therefore, smart homes become relevant targets for attackers, for different objectives. First, as some objects are often used to collect personal information about the environment, the privacy of users can be threatened if one of them is compromised. Furthermore, many objects are currently used to protect the physical access to the house, e.g., cameras, locks, blinds, and an attacker may try to corrupt them to enter the house without causing any damage. The recent massive Mirai attack shows that connected devices with weak security protections may also be compromised in order to be enrolled in a botnet. Traditional IT security protections, such as firewalls or network intrusion detection systems (IDS), usually rely on a central device, such as a gateway or a proxy, to analyze the network communications in order to block unauthorized communications or to raise alarms. However, such solutions generally have a limited scope. In particular, direct communications between objects using ad hoc or proprietary protocols are generally not covered. Also, some existing solutions consist in the development of specific monitors covering the communications associated with only a few already known wireless protocols (in particular WiFi). Such solutions are not efficient to cover the large set of protocols used by the variety of connected objects deployed in a smart home. Also, they are not easy to adapt to take into account new objects or communication protocols integrated in the smart home.
Index Terms—Attack Detection, machine learning, Security
I. INTRODUCTION
Each network carries data for numerous different kinds of applications, which should be inspected by security settings in order to detect malicious content. Most of the current methods for intrusion detection are security-rule-based systems (misuse detection), which use pattern matching algorithms to inspect network traffic. In spite of the robustness of these systems, attackers can bypass them by substituting or hiding malicious pattern characters. A basic solution is to write a specific rule for each type of evasion technique, but this requires a high mastery of both protocol semantics and regular expression programming. Furthermore, the pattern matching algorithms used by security rules to deeply inspect complex patterns decrease the overall performance of detection systems. To overcome the drawbacks of these methods, machine learning algorithms are an alternative that provides fast statistical and probabilistic detection of attacks. However, actual operational settings rarely deploy machine learning based modules for anomaly detection. The reasons are 1) the long training process, 2) the lack of sufficient good-quality training data, and 3) the random selection of features (training attributes). As regards the quantity of the training data sets, often in practical applications, the number
2.4. Conclusion
Risk monitoring is not a new concept. A decent amount of research has been invested in the design and development of real-time risk analyses, especially in the realm of industrial control systems (see Section 2.2). However, the developed solutions are often very specific to a use-case, and cannot be easily generalised. Moreover, they often lack support for properly encoding dependencies between arbitrary risk scenarios of assets. In that sense, these platforms are typically meant to investigate a specific risk scenario. In contrast, this thesis aims at creating a risk monitoring framework that serves as a support for the risk management of an entire system. However, when monitoring the risk of an entire system, the related risk analysis will be large and complex. This applies especially to industrial control systems, which may have a large and widespread network of interconnected devices. Section 2.1 above discusses existing research efforts spent on describing these interdependencies. However, they often fail at finding a good balance between a mathematically sound model, and one which can be described in simple terms. While attack graphs represent a decent candidate that is both simple and sound, they lack the support for mutual dependencies. This thesis thus focuses on generalising attack graphs (which must be acyclic) to arbitrarily shaped graphs, so that even cyclic dependencies can be properly encoded.
Fig. 20. Estimation with real traffic replay - PFC attack
V. CONCLUSION AND FUTURE WORK
In this paper, we have explained how a new hybrid method can improve intrusion detection systems in the specific context of a drone fleet. We have combined the use of a linear controller / observer and spectral analysis of the traffic. Based on a wavelet analysis, this traffic characterization process provides a preliminary level of knowledge about which type of intrusion is performed in the network. Based on this information, our linear controller / observer can be tuned and can perform traffic reconstruction in order to estimate accurately the level of attack observed in the network. Consequently, our design methodology provides a simple way to construct and instantiate our gain matrices for both the AQM controller and the observer. This approach has given us promising results with a simple topology within a time-delay framework. Indeed, two different types of anomaly have been considered in this paper (constant and progressive flash-crowds) and they are both accurately detected by the intrusion detection process proposed in Section 3 and validated in Section 4.
network. Besides, it is difficult to identify the appropriate types of microdata that need to be anonymized.
Microdata anonymization works in such a way that it is quantifiable and difficult to infer potentially sensitive details about data entities such as protocol_type, service, flag, num_failed_logins, etc. If we share data between the different cloud users, we would like it to be difficult for the members of each cloud-based entity to recognize the data of the members in another cloud. Key attributes of the microdata are generally used to make inferences about a row's identity from external sources of data. They do not explicitly identify a row, but the unique attribute values may be used to connect rows in the anonymized microdata with other databases that have the identifying information. For example, if a row in the microdata had a unique combination of key attributes, then an adversary could use these attributes to look up the row's identity in an auxiliary database that has data he can correlate. Finally, sensitive attributes are classified as such because they are not found in any other databases that the adversary could link to specific identities (Coull et al., 2009). To accomplish the objective of anonymization, the data publisher eliminates attributes and uses one or more anonymization methods to modify the relationship between key attributes and sensitive attributes to ensure that such inferences are unlikely to occur. The resulting sanitized microdata is evaluated to quantify its level of privacy and utility.
CHAPTER 4 PASARGADAE: A CONTEXT-AWARE AND ONTOLOGY-BASED EVENT CORRELATION FRAMEWORK
Intrusion detection and alert correlation systems play a key role in the surveillance and monitoring of computer network infrastructures. Considering the current advances in hackers' capabilities, these systems are increasingly important in any computer network in order to protect the information systems of any organization. However, as described in Chapter 1, one of the main shortcomings of these systems is that they produce a large number of false positives, and duplicate and non-relevant alerts. Our goal in this research work is to present to the network analyst only interesting alerts. Once an alert is produced, we want the alert to be actionable. For this purpose, we leverage the vast quantities of data available in the various sensors already present in the network to improve the value of the alerts we present to the administrator. In addition, any IDS and alert correlation system that can automate some of the correlation and contextualization that (good) security analysts are forced to do manually today will greatly enhance their productivity and the security posture of their organizations. In order to provide a method to gather event logs from various heterogeneous sensors distributed in a computer network, and automate the analysis of the various information resources available to the security analyst, while preserving maximum flexibility and power of abstraction in the definition and use of such concepts, we propose the Pasargadae ontology-based context-aware event correlation framework in this chapter. Pasargadae uses ontologies to represent and store information on events, context and vulnerability information, and attack scenarios, and uses simple ontology logic rules written in the Semantic Query-Enhanced Web Rule Language (SQWRL) to correlate and filter out false positives, duplicate and non-relevant alerts.
We can think of a sixth class of method covering recent advances in deep learning and self-encoding based methods. These approaches were historically initiated by Kramer and adapted recently to a deep learning framework in the form of the auto-encoder (AE) and the Variational Auto-Encoder (VAE). In the context of anomaly detection, the reconstruction error is the criterion used to decide whether a data item is normal or deviates too much from normality. The main advantage of the VAE over the AE is that its latent space is, by design, continuous, thanks to the prediction of mean and variance vectors that locally smooth the latent space. Other authors have proposed KitNET, an online unsupervised anomaly detector based on an ensemble of auto-encoders, which are trained to reconstruct the input data and whose performance is expected to incrementally improve over time. One particularity of KitNET is that it estimates in an unsupervised manner the number of auto-encoders in the ensemble and the dimensions of the encoding layers. The last layer of the KitNET architecture is also an auto-encoder, which takes as input the Root Mean Square Errors of the auto-encoders in the ensemble and outputs the final reconstruction vector and RMSE. KitNET is considered the state of the art in unsupervised on-line anomaly detection for intrusion detection on network systems. In 2008, Isolation Forest (IF), a conceptually quite different approach from the previously referenced methods, was proposed. The IF paradigm is based on the difficulty of isolating a particular instance inside the whole set of instances when using (random) partitioning tree structures. It relies on the assumption that an anomaly is in general much easier to isolate than a 'normal' data instance. Hence, IF is an unsupervised approach that relates somehow to the information-theoretic methods, since the isolation difficulty is addressed through
Abstract. Nowadays, the increase in technology has brought more sophisticated intrusions. Consequently, Intrusion Detection Systems (IDS) are quickly becoming a popular requirement in building a network security infrastructure. Most existing IDS are generally centralized and suffer from a number of drawbacks, e.g., high rates of false positives, low efficiency, etc., especially when they face distributed attacks. This paper introduces a novel hybrid multi-agent IDS based on the intelligent combination of a clustering technique and an ontology model, called OCMAS-IDS. The latter integrates the desirable features provided by the multi-agent methodology with the benefits of semantic relations as well as the high accuracy of the data mining technique. The experiments carried out show the efficiency of our distributed IDS, which sharply outperforms other systems over real traffic and a set of simulated attacks.
Keywords: Intrusion Detection System; Multi-agents; Clustering; Ontology.
To evaluate our model, we chose to create our own custom test environment. We preferred to use our own materials (i.e., resources) instead of renting resources from existing CPs (e.g., Amazon EC2) for the following three reasons: 1) Most of the CPs, including Amazon EC2, have restriction rules regarding any security testing and evaluation on their resources and systems. 2) All large CPs list DoS attack testing and evaluation as a non-permissible action. 3) No CP allows its users direct access to the host. Therefore, gathering information (i.e., performance information) is quite a difficult task. Our testbed consists of three machines. One machine is used as a virtual machine host and the other machines are used as client and attack emulator. All machines are attached directly to a Linksys 1000 Mb/s SOHO switch. Our test network is completely disconnected from the network of our institution as well as from the Internet to avoid any leakage of the DoS attacks. The detection algorithm (Algorithm 2) is implemented in Python and the BoNeSi program is used to generate attack-level and normal traffic. We used BoNeSi as a traffic generation tool because it allows us to simulate floods from large-scale bot networks. Moreover, BoNeSi tries to avoid the generation of packets with easily identifiable patterns, which could be quickly filtered out. The virtual machine host used in the experiment is an Intel Core i7-4790 CPU 3.60 GHz processor with 16 GB RAM. We installed the Apache 2.2 Web Server on the targeted VMs. The network interface runs at 1000 Mb/s. We chose KVM as our hypervisor-based virtualization. Indeed, KVM runs on the unmodified Linux kernel and is thus compatible with the standard performance tracing tools (e.g., LTTng), unlike Xen.
General conclusion
As wireless sensor networks continue to grow, so does the need for effective security mechanisms. Because sensor networks may interact with sensitive data and/or operate in hostile unattended environments, it is imperative to address these security concerns from the beginning of the system design. However, due to inherent resource and computing constraints, security in sensor networks poses different challenges than traditional network security. In this work we were interested in intrusion detection systems (IDSs) as a means of protecting the WSN. According to their functionality, there are misuse-based IDSs, anomaly-based ones, and specification-based ones. Misuse-based IDSs use specific rules to predict with certainty whether a sensor node in the network is an attacker or not. Anomaly-based IDSs usually elaborate mathematical methods to determine, with an accepted margin of error, whether a node behaves normally within the network or not. The third kind of IDS is the specification-based IDS. These systems are a kind of hybridization of the two previously described ones: they use specification rules to predict whether a node has a normal behavior or not.
2 CONTEXT AND RELATED WORKS
In a broad sense we address anomaly detection in sequential data while focusing on intrusion detection in cyber-physical systems. Intrusion refers to possible security breaches in (cyber-)systems, namely malicious activity or policy violations. It covers both intrusions per se, i.e. attacks from the outside, and misuse, i.e. attacks from within the system. An intrusion detection system (IDS) is thus a device that monitors a system in order to detect potential intrusions. The IDS will be referred to as a NIDS if the detection takes place on a network and a HIDS if it takes place on a host of a network. Furthermore, we distinguish i) signature-based IDS approaches, which detect attacks by looking for predefined specific patterns, such as byte sequences in network packets, or known malicious sequences of instructions used by malware, from ii) anomaly-based intrusion detection systems, which were primarily introduced to detect unknown attacks (zero-day attacks).
Wireless networking technology has become a widespread alternative to wired networking technology in recent years, owing to the associated valuable features such as mobility, scalability, flexibility, and installation simplicity. However, wireless communications suffer from numerous security threats and attacks. Consequently, several security efforts have been exerted to keep wireless communication systems invulnerable to attacks. This chapter provides an overview of wireless networking technology and the associated benefits and limitations, with a great concern about wireless network security, which is considered the most critical challenge in this context. To understand wireless security well, we introduce in this chapter a security conceptual model that elucidates the relationships between the network security concepts: vulnerabilities, threats, threat sources, risks, system infection, and countermeasures. These dimensions are discussed in a sequence of cause and consequence until reaching the last dimension, the security countermeasures, to become aware of their great and crucial roles in network security. The security countermeasures manipulate or neutralize the system vulnerabilities, combat the attack attempts, and mitigate the attack effects. We study the role of each security countermeasure, and how the countermeasures at the first line of defense, such as authentication, encryption, and firewalls, are susceptible to being breached or bypassed by some attacks. This necessitates installing wireless intrusion detection systems (WIDSs) at the second line of defense to detect the attacks that eluded the first line of defense.
• Integrity is defined by the ISO 27000 standard as the “property of accuracy and completeness”. Integrity ensures that information is protected from being modified by unauthorized parties, or accidentally by authorized parties. An integrity problem can, for example, allow the amount of online transactions to be modified. A malicious attacker can also insert himself into a conversation between two parties to impersonate one of them. Then, the attacker can gain access to information that the two parties were trying to send to each other (man-in-the-middle attack). Integrity is commonly implemented using encryption, version control, checksums, and hashing. The received data is hashed and compared to the hash of the original data. Moreover, information can be changed by non-human-caused events such as a server crash or an electromagnetic pulse. Redundant systems and backup procedures are important security mechanisms to ensure data integrity.
• Availability is defined by the ISO 27000 standard as the “property of being accessible and usable on demand by an authorized entity”. Unavailability of information can have serious consequences. Denial of Service (DoS) attacks are common attacks against availability. For example, attackers may bring down servers and make services unavailable to legitimate users by flooding the targeted machines with superfluous requests. This illegitimate traffic is often detected and blocked by security mechanisms such as firewalls and Intrusion Detection Systems (IDSs). Power outages and natural disasters like flood or fire can also lead to lack of availability. A disaster recovery plan is required to minimize the impact of these disasters, including redundancy, failover, RAID and off-site backups.
There has been much research on developing architectures and DoS solutions that propose to mitigate DoS attacks by enabling a receiver to stop unwanted traffic [4, 12, 21, 28, 29] (among others). Capability-based systems allow a receiver to explicitly authorize the traffic it is willing to receive, and filter-based schemes enable a receiver to install network filters to block unwanted traffic. However, these designs are only effective when receivers can reliably distinguish attack traffic from legitimate traffic. The HID systems we explore herein are part of the infrastructure that helps to distinguish attack traffic from legitimate traffic. More effective HIDS could complement the above systems with improved attack traffic detection. Approaches to detect and mitigate DDoS attacks due to botnets [14–16] provide defenses that observe traffic inside the enterprise infrastructure, such as at gateways, routers and so on. For example, BotSniffer proposes to detect botnet traffic within a network by exploiting the spatio-temporal correlation and similarities of responses to control commands issued by botmasters on C&C channels. HID systems differ as they lie at the edge of the
CHAPTER 1 INTRODUCTION
IBM recently conducted research on the cost of data breaches at 383 companies (Ponemon and IBM, 2016), finding that the average cost of one breach increased from 3.79 to 4 million dollars between 2015 and 2016. This cost increase is due to the change in the average cost of each stolen record in these companies. In fact, the cost of each stolen record increased from $154 to $158 between these years. Data breaches occur when there is an attack on or an intrusion into the systems, and they produce extra work for the network. Researchers introduced the idea of intrusion detection systems with the ability to distinguish attacks from non-attack observations to secure systems from intruders. Hence, detection systems tend to minimize the increase of extra work as well as detecting deviations and anomalous patterns. One main type of intrusion detection system is anomaly based, which aims to distinguish novel anomalies from non-attack patterns. However, current anomaly-based intrusion detection systems suffer from a high false alarm rate. According to a report by Damballa & Ponemon, who surveyed 630 IT departments, the average annual cost of addressing alarms is 1.27 million dollars (Ponemon and Damballa, 2015). In IT departments, experts spend time evaluating all the alarms raised by intrusion detection systems, although most of these alarms are not true intrusions. Clearly, by decreasing the false alarm rate, we will consequently decrease the undesired costs of addressing false alarms. Therefore, we propose a method to be used as an effective way to decrease this rate in the provided data.
T4: Measure air intrusion of roofing systems with multilayer insulation arrangements.
To measure the air intrusion in Mechanically Attached Roofing Systems (MARS), a new test laboratory Dynamic Roofing Facility – Air Intrusion (DRF-AI) Lab was developed at the National Research Council of Canada, and a new test protocol was conceptualized. This test protocol has been submitted as a work item to the American Society of Testing and Materials [D08.20.40] towards standard development [Work item WK23684 –