2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS): Latest Papers

Trust optimization in task-oriented social networks
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949408
J. Zhan, Xing Fang, P. Killion
Abstract: Trust is a human-related phenomenon in social networks. Trust research on social networks has gained much attention on its usefulness, and on modeling propagations. There is little focus on finding maximum trust in social networks which is particularly important when a social network is oriented by certain tasks. In this paper, we first propose a trust maximization algorithm based on the task-oriented social networks. We then take communication cost into account and introduce four different trust optimization algorithms. We also conduct extensive experiments to evaluate the proposed algorithms and test their performance. To our best knowledge, this is pioneering work on trust optimization in task-oriented social networks.
Citations: 7
Automatic construction of anomaly detectors from graphical models
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949386
Erik M. Ferragut, David M. Darmon, Craig A. Shue, Stephen Kelley
Abstract: Detection of rare or previously unseen attacks in cyber security presents a central challenge: how does one search for a sufficiently wide variety of types of anomalies and yet allow the process to scale to increasingly complex data? In particular, creating each anomaly detector manually and training each one separately presents untenable strains on both human and computer resources. In this paper we propose a systematic method for constructing a potentially very large number of complementary anomaly detectors from a single probabilistic model of the data. Only one model needs to be trained, but numerous detectors can then be implemented. This approach promises to scale better than manual methods to the complex heterogeneity of real-life data. As an example, we develop a Latent Dirichlet Allocation probability model of TCP connections entering Oak Ridge National Laboratory. We show that several detectors can be automatically constructed from the model and will provide anomaly detection at flow, sub-flow, and host (both server and client) levels. This demonstrates how the fundamental connection between anomaly detection and probabilistic modeling can be exploited to develop more robust operational solutions.
Citations: 16
Security visualization: Cyber security storm map and event correlation
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949412
Denise Ferebee, D. Dasgupta, Michael Schmidt, C. Wu
Abstract: Efficient visualization of cyber incidents is the key in securing increasingly complex information infrastructure. Extrapolating security-related information from data from multiple sources can be a daunting task for organizations to maintain safe and secure operating environment. However, meaningful visualizations can significantly improve decision-making quality and help security administrators in taking rapid response. The purpose of this work is to explore this possibility by building on previously gained knowledge and understanding of weather maps used in meteorology, assessing the gaps, and applying various techniques and matrices to quantify the impacts of cyber incidences in an efficient way.
Citations: 5
Fuzzy logic based anomaly detection for embedded network security cyber sensor
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949392
O. Linda, M. Manic, T. Vollmer, Jason L. Wright
Abstract: Resiliency and security in critical infrastructure control systems in the modern world of cyber terrorism constitute a relevant concern. Developing a network security system specifically tailored to the requirements of such critical assets is of a primary importance. This paper proposes a novel learning algorithm for anomaly based network security cyber sensor together with its hardware implementation. The presented learning algorithm constructs a fuzzy logic rule base modeling the normal network behavior. Individual fuzzy rules are extracted directly from the stream of incoming packets using an online clustering algorithm. This learning algorithm was specifically developed to comply with the constrained computational requirements of low-cost embedded network security cyber sensors. The performance of the system was evaluated on a set of network data recorded from an experimental test-bed mimicking the environment of a critical infrastructure control system.
Citations: 59
A scalable architecture for improving the timeliness and relevance of cyber incident notifications
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949396
James L. Miller, R. Mills, M. Grimaila, M. Haas
Abstract: The current mechanics of cyber incident notification within the United States Air Force rely on a broadcast “push” of incident information to the affected community of interest. This process is largely ineffective because when the notification arrives at each unit, someone has to make a decision as to who should be notified within their unit. Broadcasting the notification to all users creates noise for those who do not need the notification, increasing the likelihood of ignoring future notifications. Selectively sending notifications to specific people without a priori knowledge of who might be affected results in missing users who need to know. Neither of these approaches addresses the passing of notifications to downstream entities whose missions may be affected by the incident. In this paper, we propose a modular, scalable, cyber incident notification system concept that makes use of a “publish and subscribe” architecture to assure the timeliness and relevance of incident notification. Mission stakeholders subscribe to the status of mission critical information resources (external and internal) and publish their own mission capability allowing other units to maintain real-time awareness of their own dependencies. We contend that this architecture is a significant improvement over current methods by making direct connections between mission stakeholders and their dependencies and eliminating multiple levels of human processing, thereby reducing noise and ensuring relevant information gets to the right people.
Citations: 2
An effective network-based Intrusion Detection using Conserved Self Pattern Recognition Algorithm augmented with near-deterministic detector generation
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949393
Senhua Yu, D. Dasgupta
Abstract: The Human Immune System (HIS) employs multilevel defense against harmful and unseen pathogens through innate and adaptive immunity. Innate immunity protects the body from the known invaders whereas adaptive immunity develops a memory of past encounter and has the ability to learn about previously unknown pathogens. These salient features of the HIS are inspiring the researchers in the area of intrusion detection to develop automated and adaptive defensive tools. This paper presents a new variant of Conserved Self Pattern Recognition Algorithm (CSPRA) called CSPRA-ID (CSPRA for Intrusion Detection). The CSPRA-ID is given the capability of effectively identifying known intrusions by utilizing the knowledge of well-known attacks to build a conserved self pattern (APC detector) while it retains the ability to detect novel intrusions because of the nature of one-class classification of the T detectors. Furthermore, the T detectors in the CSPRA-ID are generated with a novel near-deterministic scheme that is proposed in this paper. The near-deterministic generation scheme places the detector with Brute Force method to guarantee the next detector to be very foreign to the existing detector. Moreover, the placement of the variable-sized detector is online determined during the Monte Carlo estimate of detector coverage and thus the detectors with an optimal distribution are generated without any additional optimization step. A comparative study between CSPRA-ID and one-class SVM shows that the CSPRA-ID is promising on DARPA network intrusion data in terms of detection accuracy and computation efficiency.
Citations: 12
Discrimination prevention in data mining for intrusion and crime detection
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949405
S. Hajian, J. Domingo-Ferrer, A. Martínez-Ballesté
Abstract: Automated data collection has fostered the use of data mining for intrusion and crime detection. Indeed, banks, large corporations, insurance companies, casinos, etc. are increasingly mining data about their customers or employees in view of detecting potential intrusion, fraud or even crime. Mining algorithms are trained from datasets which may be biased in what regards gender, race, religion or other attributes. Furthermore, mining is often outsourced or carried out in cooperation by several entities. For those reasons, discrimination concerns arise. Potential intrusion, fraud or crime should be inferred from objective misbehavior, rather than from sensitive attributes like gender, race or religion. This paper discusses how to clean training datasets and outsourced datasets in such a way that legitimate classification rules can still be extracted but discriminating rules based on sensitive attributes cannot.
Citations: 109
A systems engineering approach for crown jewels estimation and mission assurance decision making
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949403
S. Musman, Mike Tanner, A. Temin, E. Elsaesser, Lewis Loren
Abstract: Understanding the context of how IT contributes to making missions more or less successful is a cornerstone of mission assurance. This paper describes a continuation of our previous work that used process modeling to allow us to estimate the impact of cyber incidents on missions. In our previous work we focused on developing a capability that could work as an online process to estimate the impacts of incidents that are discovered and reported. In this paper we focus instead on how our techniques and approach to mission modeling and computing assessments with the model can be used offline to help support mission assurance engineering. The heart of our approach involves using a process model of the system that can be run as an executable simulation to estimate mission outcomes. These models not only contain information about the mission activities, but also contain attributes of the process itself and the context in which the system operates. They serve as a probabilistic model and stochastic simulation of the system itself. Our contributions to this process modeling approach have been the addition of IT activity models that document in the model how various mission activities depend on IT supported processes and the ability to relate how the capabilities of the IT can affect the mission outcomes. Here we demonstrate how it is possible to evaluate the mission model offline and compute characteristics of the system that reflect its mission assurance properties. Using the models it is possible to identify the crown jewels, to expose the system's susceptibility to different attack effects, and evaluate how different mitigation techniques would likely work. Being based on an executable model of the system itself, our approach is much more powerful than a static assessment. Being based on business process modeling, and since business process analysis is becoming popular as a systems engineering tool, we also hope our approach will push mission assurance analysis tasks into a framework that allows them to become a standard systems engineering practice rather than the “off to the side” activity it currently is.
Citations: 27
Hierarchical traceability of multimedia documents
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949389
A. B. Hamida, M. Koubàa, C. Amar, H. Nicolas
Abstract: Illegal copying of multimedia files has become a very common practice. Indeed, with the rapid development of means of communication, sharing, copying and illegal downloading have become a very easy handling action, at everybody's reach. The magnitude of this continuously increasing phenomenon may have a significant economic impact since it induces a marked loss on turnover. To cope with this huge problem, it becomes necessary to control video traffic and ensure traceability. Thus, each user receives a personalized media release, containing a personal identifier inserted through a robust watermarking technique. If this copy is redistributed illegally, we are able to trace the dishonest user who can be prosecuted. This expresses an urgent need for implementing a reliable fingerprinting scheme with high performances. In this context, we present in this paper a hierarchical fingerprinting system based on Tardos code in order to reduce computational costs required for the pirates' detection. Both theoretical analyses and experimental results are provided to show the performance of the proposed system.
Citations: 6
Autonomous rule creation for intrusion detection
2011 IEEE Symposium on Computational Intelligence in Cyber Security (CICS) Pub Date : 2011-04-11 DOI: 10.1109/CICYBS.2011.5949394
T. Vollmer, J. Alves-Foss, M. Manic
Abstract: Many computational intelligence techniques for anomaly based network intrusion detection can be found in literature. Translating a newly discovered intrusion recognition criteria into a distributable rule can be a human intensive effort. This paper explores a multi-modal genetic algorithm solution for autonomous rule creation. This algorithm focuses on the process of creating rules once an intrusion has been identified, rather than the evolution of rules to provide a solution for intrusion detection. The algorithm was demonstrated on anomalous ICMP network packets (input) and Snort rules (output of the algorithm). Output rules were sorted according to a fitness value and any duplicates were removed. The experimental results on ten test cases demonstrated a 100 percent rule alert rate. Out of 33,804 test packets 3 produced false positives. Each test case produced a minimum of three rule variations that could be used as candidates for a production system.
Citations: 37