Theses on the topic "Attacks detection"


See the top 50 theses (master's or doctoral) for research on the topic "Attacks detection".


1

Akdemir, Kahraman D. "Error Detection Techniques Against Strong Adversaries". Digital WPI, 2010. https://digitalcommons.wpi.edu/etd-dissertations/406.

Abstract:
"Side channel attacks (SCA) pose a serious threat on many cryptographic devices and are shown to be effective on many existing security algorithms which are in the black box model considered to be secure. These attacks are based on the key idea of recovering secret information using implementation specific side-channels. Especially active fault injection attacks are very effective in terms of breaking otherwise impervious cryptographic schemes. Various countermeasures have been proposed to provide security against these attacks. Double-Data-Rate (DDR) computation, dual-rail encoding, and simple concurrent error detection (CED) are the most popular of these solutions. Even though these security schemes provide sufficient security against weak adversaries, they can be broken relatively easily by a more advanced attacker. In this dissertation, we propose various error detection techniques that target strong adversaries with advanced fault injection capabilities. We first describe the advanced attacker in detail and provide its characteristics. As part of this definition, we provide a generic metric to measure the strength of an adversary. Next, we discuss various techniques for protecting finite state machines (FSMs) of cryptographic devices against active fault attacks. These techniques mainly depend on nonlinear robust codes and physically unclonable functions (PUFs). We show that due to the nonuniform behavior of FSM variables, securing FSMs using nonlinear codes is an important and difficult problem. As a solution to this problem, we propose error detection techniques based on nonlinear codes with different randomization methods. We also show how PUFs can be utilized to protect a class of FSMs. This solution provides security on the physical level as well as the logical level. In addition, for each technique, we provide possible hardware realizations and discuss area/security performance. 
Furthermore, we provide an error detection technique for protecting elliptic curve point addition and doubling operations against active fault attacks. This technique is based on nonlinear robust codes and provides nearly perfect error detection capability (except with exponentially small probability). We also conduct a comprehensive analysis in which we apply our technique to different elliptic curves (i.e. Weierstrass and Edwards) over different coordinate systems (i.e. affine and projective). "
2

Rodofile, Nicholas R. "Generating attacks and labelling attack datasets for industrial control intrusion detection systems". Thesis, Queensland University of Technology, 2018. https://eprints.qut.edu.au/121760/1/Nicholas_Rodofile_Thesis.pdf.

Abstract:
To address the arising Cyber Security threats against SCADA-based Critical infrastructure, the security research community have identified the application of Intrusion Detection and IA as an ideal security measure for such systems. The research presents a cyber-attack classification for critical infrastructure, to identify the cyber-attack landscape for critical infrastructure attacks. To further aid in the development and evaluation of AI using intrusion detection, the thesis presents a SCADA cyber-attack generation framework. The cyber-attack generation framework provides a collection of algorithms to stimulate control system equipment with cyber-attacks. Using the attack generation methodology, a SCADA attack labelling framework is also presented to generate labelled attack datasets. The datasets can be used in future work to aid in the development of AI detecting new and unknown cyber attacks on Critical Infrastructure systems.
3

Omar, Luma Qassam Abedalqader. "Face liveness detection under processed image attacks". Thesis, Durham University, 2018. http://etheses.dur.ac.uk/12812/.

Abstract:
Face recognition is a mature and reliable technology for identifying people. Due to high-definition cameras and supporting devices, it is considered the fastest and the least intrusive biometric recognition modality. Nevertheless, effective spoofing attempts on face recognition systems were found to be possible. As a result, various anti-spoofing algorithms were developed to counteract these attacks. They are commonly referred to in the literature as liveness detection tests. In this research we highlight the effectiveness of some simple, direct spoofing attacks, and test one of the current robust liveness detection algorithms, i.e. the logistic regression based face liveness detection from a single image, proposed by Tan et al. in 2010, against malicious attacks using processed imposter images. In particular, we study experimentally the effect of common image processing operations such as sharpening and smoothing, as well as corruption with salt and pepper noise, on the face liveness detection algorithm, and we find that it is especially vulnerable against spoofing attempts using processed imposter images. We design and present a new facial database, the Durham Face Database, which is the first, to the best of our knowledge, to have client, imposter as well as processed imposter images. Finally, we evaluate our claim on the effectiveness of proposed imposter image attacks using transfer learning on Convolutional Neural Networks. We verify that such attacks are more difficult to detect even when using high-end, expensive machine learning techniques.
4

Cheng, Long. "Program Anomaly Detection Against Data-Oriented Attacks". Diss., Virginia Tech, 2018. http://hdl.handle.net/10919/84937.

Abstract:
Memory-corruption vulnerability is one of the most common attack vectors used to compromise computer systems. Such vulnerabilities could lead to serious security problems and would remain an unsolved problem for a long time. Existing memory corruption attacks can be broadly classified into two categories: i) control-flow attacks and ii) data-oriented attacks. Though data-oriented attacks have been known for a long time, the threats have not been adequately addressed due to the fact that most previous defense mechanisms focus on preventing control-flow exploits. As launching a control-flow attack becomes increasingly difficult due to many deployed defenses against control-flow hijacking, data-oriented attacks are considered an appealing attack technique for system compromise, including the emerging embedded control systems. To counter data-oriented attacks, mitigation techniques such as memory safety enforcement and data randomization can be applied in different stages over the course of an attack. However, attacks are still possible because currently deployed defenses can be bypassed. This dissertation explores the possibility of defeating data-oriented attacks through external monitoring using program anomaly detection techniques. I start with a systematization of current knowledge about exploitation techniques of data-oriented attacks and the applicable defense mechanisms. Then, I address three research problems in program anomaly detection against data-oriented attacks. First, I address the problem of securing control programs in Cyber-Physical Systems (CPS) against data-oriented attacks. I describe a new security methodology that leverages the event-driven nature in characterizing CPS control program behaviors. By enforcing runtime cyber-physical execution semantics, our method detects data-oriented exploits when physical events are inconsistent with the runtime program behaviors.
Second, I present a statistical program behavior modeling framework for frequency anomaly detection, where frequency anomaly is the direct consequence of many non-control-data attacks. Specifically, I describe two statistical program behavior models, sFSA and sCFT, at different granularities. Our method combines the local and long-range models to improve the robustness against data-oriented attacks and significantly increase the difficulty for an attack to bypass the anomaly detection system. Third, I focus on defending against data-oriented programming (DOP) attacks using Intel Processor Trace (PT). DOP is a recently proposed advanced technique to construct expressive non-control data exploits. I first demystify the DOP exploitation technique and show its complexity and rich expressiveness. Then, I design and implement the DeDOP anomaly detection system, and demonstrate its detection capability against the real-world ProFTPd DOP attack.
Ph.D.
5

Rosa, José Luís da Silva. "Customer-side detection of BGP routing attacks". Master's thesis, Universidade de Aveiro, 2016. http://hdl.handle.net/10773/17808.

Abstract:
Master's in Computer and Telematics Engineering
The daily use of the Internet has become a routine that many people absorbed into their lives without even thinking about the insides of this gigantic network. To an extent, the Border Gateway Protocol is what is keeping all this connectivity together despite being a very flawed protocol due to its design. In 2008 a Man-In-The-Middle attack was first presented to the general audience and ever since more techniques were reported to use the protocol to obtain traffic illicitly. Even if the routing deviation does not occur via a malicious intention but due to some poorly configured router, this is a problem that must be tackled. Some network providers and research institutes already presented some drafts for new protocols or monitoring systems but they are late into deployment or only affect the top layer of the network, leaving users and most part of the companies connected to the provider impotent and without any proper information about the routing of their traffic. In this dissertation a system is presented, implemented and deployed, achieving active monitoring of BGP through measurements of the average travel time of several packets sent to various locations by a worldwide set of probes; the collected results are processed, allowing all concerned actors to be alerted.
6

Liu, Jessamyn. "Anomaly detection methods for detecting cyber attacks in industrial control systems". Thesis, Massachusetts Institute of Technology, 2020. https://hdl.handle.net/1721.1/129055.

Abstract:
Thesis: S.M., Massachusetts Institute of Technology, Sloan School of Management, Operations Research Center, September, 2020
Includes bibliographical references (pages 119-123).
Industrial control systems (ICS) are pervasive in modern society and increasingly under threat of cyber attack. Due to the critical nature of these systems, which govern everything from power and wastewater plants to refineries and manufacturing, a successful ICS cyber attack can result in serious physical consequences. This thesis evaluates multiple anomaly detection methods to quickly and accurately detect ICS cyber attacks. Two fundamental challenges in developing ICS cyber attack detection methods are the lack of historical attack data and the ability of attackers to make their malicious activity appear normal. The goal of this thesis is to develop methods which generalize well to anomalies that are not included in the training data and to increase the sensitivity of detection methods without increasing the false alarm rate. The thesis presents and analyzes a baseline detection method, the multivariate Shewhart control chart, and four extensions to the Shewhart chart which use machine learning or optimization methods to improve detection performance. Two of these methods, stationary subspace analysis and maximized ratio divergence analysis, are based on dimensionality reduction techniques, and an additional model-based method is implemented using residuals from LASSO regression models. The thesis also develops an ensemble method which uses an optimization formulation to combine the output of multiple models in a way that minimizes detection delay. When evaluated on 380 samples from the Kaspersky Tennessee Eastman process dataset, a simulated chemical process that includes disruptions from cyber attacks, the ensemble method reduced detection delay on attack data by 12% (55 minutes) on average when compared to the baseline method and was 9% (42 minutes) faster on average than the method which performed best on training data.
7

Lu, Yuanchao. "On Traffic Analysis Attacks To Encrypted VoIP Calls". Cleveland State University / OhioLINK, 2009. http://rave.ohiolink.edu/etdc/view?acc_num=csu1260222271.

8

Kazi, Shehab. "Anomaly based Detection of Attacks on Security Protocols". Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-4806.

Abstract:
Security and privacy in digital communications is the need of the hour. SSL/TLS has become widely adopted to provide the same. Multiple application layer protocols can be layered on top of it. However, protection in this form results in all the data being encrypted, causing problems for an intrusion detection system which relies on a sniffer that analyses packets on a network. We thus hypothesise that a host based intrusion detection system that analyses packets after decryption would be able to detect attacks against security protocols. To this effect we conduct two experiments where we attack a web server and a mail server, collect data, analyse it and conclude with methods to detect such attacks. These methods are in the form of pseudocode.
9

Whitelaw, Clayton. "Precise Detection of Injection Attacks on Concrete Systems". Scholar Commons, 2015. http://scholarcommons.usf.edu/etd/6051.

Abstract:
Injection attacks, including SQL injection, cross-site scripting, and operating system command injection, rank as the top two entries in the MITRE Common Vulnerability Enumeration (CVE) [1]. Under this attack model, an application (e.g., a web application) uses some untrusted input to produce an output program (e.g., a SQL query). Applications may be vulnerable to injection attacks because the untrusted input may alter the output program in malicious ways. Recent work has established a rigorous definition of injection attacks. Injections are benign iff they obey the NIE property, which states that injected symbols strictly insert or expand noncode tokens in the output program. Noncode symbols are strictly those that are either removed by the tokenizer (e.g., insignificant whitespace) or span closed values in the output program language, and code symbols are all other symbols. This thesis demonstrates that such attacks are possible on applications for Android (a mobile device operating system) and Bash (a common Linux shell) and shows by construction that these attacks can be detected precisely. Specifically, this thesis examines the recent Shellshock attacks on Bash and shows how they widely differ from ordinary attacks, but can still be precisely detected by instrumenting the output program's runtime. The paper closes with a discussion of the lessons learned from this study and how best to overcome the practical challenges to precisely preventing these attacks in practice.
10

Dandurand, Luc. "Detection of network infrastructure attacks using artificial traffic". Thesis, National Library of Canada = Bibliothèque nationale du Canada, 1998. http://www.collectionscanada.ca/obj/s4/f2/dsk3/ftp04/mq44906.pdf.

11

Sethi, Abhishek Rajkumar. "Evaluating Intrusion Detection Systems for Energy Diversion Attacks". Thesis, Massachusetts Institute of Technology, 2016. http://hdl.handle.net/1721.1/107021.

Abstract:
Thesis: S.M., Massachusetts Institute of Technology, Computation for Design and Optimization Program, 2016.
Includes bibliographical references (pages 111-114).
The widespread deployment of smart meters and ICT technologies is enabling continuous collection of high resolution data about consumption behavior and health of grid infrastructure. This has also spurred innovations in technological solutions using analytics/machine learning methods that aim to improve efficiency of grid operations, implement targeted demand management programs, and reduce distribution losses. On one hand, the technological innovations can potentially lead to large-scale adoption of analytics driven tools for predictive maintenance and anomaly detection systems in the electricity industry. On the other hand, private profit-maximizing firms (distribution utilities) need accurate assessment of the value of these tools to justify investment in collection and processing of significant amounts of data and buy/implement analytics tools that exploit this data to provide actionable information (e.g. prediction of component failures, alerts regarding fraudulent customer behavior, etc.). In this thesis, we focus on the value assessment of intrusion/fraud detection systems, and study the tradeoff faced by distribution utilities in terms of gain from fraud investigations (and deterrence of fraudulent customers) versus cost of investigation and false alarms triggered due to the probabilistic nature of IDS. Our main contribution is a Bayesian inspection game framework, which models the interactions between a profit-maximizing distribution utility and a population of strategic customers. In our framework, a fraction of customers are fraudulent - they consume the same average quantity of electricity but report less by strategically manipulating their consumption data. We consider two sources of information incompleteness: first, the distribution utility does not know the identity of fraudulent customers but only knows the fraction of these consumers, and second, the distribution utility does not know the actual theft level but only knows its distribution.
We first consider the situation in which only the first source of information incompleteness is present, i.e., the distribution utility has complete information about the actual theft level. We present two simultaneous game models, which have the same assumptions about customer preferences and fraud, but differ in the way in which the distribution utility operates the IDS. In the first model, the distribution utility probabilistically chooses to use IDS with a default (fixed) configuration. In the second model, the distribution utility can configure/tune the IDS to achieve an optimal operating point (i.e. combination of detection probability and false alarm rate). Throughout, we assume that the theft level is greater than the cost of attack. Our results show that, for the game with default IDS configuration, the distribution utility does not use the IDS in equilibrium if the fraction of fraudulent customers is less than a critical fraction. Also the distribution utility realizes a positive "value of IDS" only if one or both of the following conditions hold: (a) the ratio of detection probability and false alarm probability is greater than a critical ratio, (b) the fraction of fraudulent customers is greater than the critical fraction. For the tunable IDS game, we show that the distribution utility always uses an optimal configuration with non-zero false alarm probability. Furthermore, the distribution utility does not tune the false alarm probability when the fraction of fraudulent customers is greater than a critical fraction. In contrast to the game with fixed IDS, in the game of tunable IDS, the distribution utility realizes a positive value from IDS, and the value increases in the fraction of fraudulent customers. Next, we consider the situation in which both sources of information incompleteness are present.
Specifically, we present a sequential game in which the distribution utility first chooses the optimal configuration of the IDS based on its knowledge of the theft level distribution (Stage 1), and then optimally uses the configured IDS in a simultaneous interaction with the customers (Stage 2). This sequential game naturally enables estimation of the "value of information" about theft level, which represents the additional monetary benefit the distribution utility can obtain if the exact value of the average theft level is available in choosing the optimal IDS configuration in Stage 1. Our results suggest that the optimal configuration under lack of full information on theft level lies between the optimal configurations corresponding to the high and low theft levels. Interestingly enough, our analysis also suggests that for certain technical (yet realistic) conditions on the ROC curve that characterizes achievable detection probability and false alarm probability configurations, the value of information about certain combinations of theft levels can attain negligibly small values.
12

Lantz, David. "Detection of side-channel attacks targeting Intel SGX". Thesis, Linköpings universitet, Programvara och system, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-177987.

Abstract:
In recent years, trusted execution environments like Intel SGX have allowed developers to protect sensitive code inside so-called enclaves. These enclaves protect their code and data even in the case of a compromised OS. However, SGX enclaves have been shown to be vulnerable to numerous side-channel attacks. Therefore, there is a need to investigate ways that such attacks against enclaves can be detected. This thesis investigates the viability of using performance counters to detect an SGX-targeting side-channel attack, specifically the recent Load Value Injection (LVI) class of attacks. A case study is thus presented where performance counters and a threshold-based detection method are used to detect variants of the LVI attack. The results show that certain attack variants could be reliably detected using this approach without false positives for a range of benign applications. The results also demonstrate reasonable levels of speed and overhead for the detection tool. Some of the practical limitations of using performance counters, particularly in an SGX context, are also brought up and discussed.
13

Rubio, Hernan Jose Manuel. "Detection of attacks against cyber-physical industrial systems". Thesis, Evry, Institut national des télécommunications, 2017. http://www.theses.fr/2017TELE0015/document.

Abstract:
We address security issues in cyber-physical industrial systems. Attacks against these systems shall be handled both in terms of safety and security. Control technologies imposed by industrial standards already cover the safety dimension. From a security standpoint, the literature has shown that using only cyber information to handle the security of cyber-physical systems is not enough, since physical malicious actions are ignored. For this reason, cyber-physical systems have to be protected from threats to their cyber and physical layers. Some authors handle the attacks by using physical attestations of the underlying processes, f.i., physical watermarking to ensure the truthfulness of the process. However, these detectors work properly only if the adversaries do not have enough knowledge to mislead cross-layer data. This thesis focuses on the aforementioned limitations. It starts by testing the effectiveness of a stationary watermark-based fault detector, to detect, as well, malicious actions produced by adversaries. We show that the stationary watermark-based detector is unable to identify cyber-physical adversaries. We show that the approach only detects adversaries that do not attempt to get any knowledge about the system dynamics. We analyze the detection performance of the original design under the presence of adversaries that infer the system dynamics to evade detection. We revisit the original design, using a non-stationary watermark-based design, to handle those adversaries. We also propose a novel approach that combines control and communication strategies. We validate our solutions using numeric simulations and training cyber-physical testbeds.
14

Rubio, Hernan Jose Manuel. "Detection of attacks against cyber-physical industrial systems". Electronic Thesis or Diss., Evry, Institut national des télécommunications, 2017. http://www.theses.fr/2017TELE0015.

15

Hooper, Emmanuel. "Intelligent detection and response strategies for network infrastructure attacks". Thesis, Royal Holloway, University of London, 2007. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.441276.

Full text
APA, Harvard, Vancouver, ISO and other styles
16

Harshe, Omkar Anand. "Preemptive Detection of Cyber Attacks on Industrial Control Systems". Thesis, Virginia Tech, 2015. http://hdl.handle.net/10919/54005.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
Industrial Control Systems (ICSes), networked through conventional IT infrastructures, are vulnerable to attacks originating from network channels. Perimeter security techniques such as access control and firewalls have had limited success in mitigating such attacks due to the frequent updates required by standard computing platforms, third-party hardware and embedded process controllers. The high level of human-machine interaction also aids in circumventing perimeter defenses, making an ICS susceptible to attacks such as reprogramming of embedded controllers. The Stuxnet and Aurora attacks have demonstrated the vulnerabilities of ICS security and proved that these systems can be stealthily compromised. We present several run-time methods for preemptive intrusion detection in industrial control systems to enhance ICS security against reconfiguration and network attacks. A run-time prediction using a linear model of the physical plant and a neural-network based classifier trigger mechanism are proposed for preemptive detection of an attack. A standalone, safety preserving, optimal backup controller is implemented to ensure plant safety in case of an attack. The intrusion detection mechanism and the backup controller are instantiated in configurable hardware, making them invisible to operating software and ensuring their integrity in the presence of malicious software. Hardware implementation of our approach on an inverted pendulum system illustrates the performance of both techniques in the presence of reconfiguration and network attacks.
Master of Science
17

Stanley, Fred Philip. "Intrusion detection and response for system and network attacks". [Ames, Iowa : Iowa State University], 2009.

Search for full text
APA, Harvard, Vancouver, ISO and other styles
18

Arthur, Jacob D. "Enhanced Prediction of Network Attacks Using Incomplete Data". NSUWorks, 2017. http://nsuworks.nova.edu/gscis_etd/1020.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
For years, intrusion detection has been considered a key component of many organizations’ network defense capabilities. Although a number of approaches to intrusion detection have been tried, few have been capable of providing security personnel responsible for the protection of a network with sufficient information to make adjustments and respond to attacks in real-time. Because intrusion detection systems rarely have complete information, false negatives and false positives are extremely common, and thus valuable resources are wasted responding to irrelevant events. In order to provide better actionable information for security personnel, a mechanism for quantifying the confidence level in predictions is needed. This work presents an approach which seeks to combine a primary prediction model with a novel secondary confidence level model which provides a measurement of the confidence in a given attack prediction being made. The ability to accurately identify an attack and quantify the confidence level in the prediction could serve as the basis for a new generation of intrusion detection devices, devices that provide earlier and better alerts for administrators and allow more proactive response to events as they are occurring.
19

Korba, Jonathan (Jonathan James) 1977. "Windows NT attacks for the evaluation of intrusion detection systems". Thesis, Massachusetts Institute of Technology, 2000. http://hdl.handle.net/1721.1/86454.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
Thesis (S.B. and M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2000.
Includes bibliographical references (leaves 99-101).
by Jonathan Korba.
S.B. and M.Eng.
20

Shafie, Emad. "Runtime detection and prevention for Structure Query Language injection attacks". Thesis, De Montfort University, 2013. http://hdl.handle.net/2086/10076.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
The use of Internet services and web applications has grown rapidly because of user demand. At the same time, the number of web application vulnerabilities has increased as a result of mistakes in the development where some developers gave the security aspect a lower priority than aspects like application usability. An SQL (structure query language) injection is a common vulnerability in web applications as it allows the hacker or illegal user to have access to the web application's database and therefore damage the data, or change the information held in the database. This thesis proposes a new framework for the detection and prevention of new and common types of SQL injection attacks. The programme of research is divided into several work packages that start from addressing the problem of the web application in general and SQL injection in particular and discuss existing approaches. The other work packages follow a constructive research approach. The framework considers existing and new SQL injection attacks. The framework consists of three checking components; the first component will check the user input for existing attacks, the second component will check for new types of attacks, and the last component will block unexpected responses from the database engine. Additionally, our framework will keep track of an ongoing attack by recording and investigating user behaviour. The framework is based on the Anatempura tool, a runtime verification tool for Interval Temporal Logic properties. Existing attacks and good/bad user behaviours are specified using Interval Temporal Logic, and the detection of new SQL injection attacks is done using the database observer component. Moreover, this thesis discusses a case study where various types of user behaviour are specified in Interval Temporal Logic and shows how these can be detected.
The implementation of each component has been provided and explained in detail, showing the input, the output and the process of each component. Finally, the functionality of each checking component is evaluated using a case study. The user behaviour component is evaluated using sample attacks and normal user inputs. This thesis is summarized in the conclusion chapter, where the future work and the limitations are discussed. This research has made the following contributions:
• New framework for detection and prevention of SQL injection attacks.
• Runtime detection: use a runtime verification technique based on Interval Temporal Logic to detect various types of SQL injection attacks.
• Database observer: detect possible new injection attacks by monitoring database transactions.
• User's behaviour: investigates related SQL injection attacks using user input, and provides early warning against SQL injection attacks.
21

Elmasri, Basil. "Detection of denial of service attacks on application layer protocols". Thesis, University of Surrey, 2015. http://epubs.surrey.ac.uk/807702/.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
This research investigates Denial of Service (DoS) attacks targeting the Internet's Application Layer protocols, namely Session Initiation Protocol (SIP), and SPDY, the proposed second version of the Hyper Text Transfer Protocol (HTTP 2.0). The attack detection methodology was set up using a Statistical Process Control (SPC) technique and monitoring charts, as well as Cumulative Summation (CUSUM) and Exponentially Weighted Moving Average (EWMA). The techniques tackle different possible flooding attacks, typically through monitoring the incoming messages. The system works by sensing sudden changes and detecting abnormal traffic increases, alerting for an attack and then triggering an alarm on the DoS attack. The scenarios are designed for SIP to simulate normal traffic behaviour and attack traffic behaviour; some scenarios were set to have a large ratio of non-acknowledged requests, and another scenario was set to simulate a slight increase in the ratio. In one scenario the traffic was imported from another SIP-related research study. In addition, the thesis discusses the results of DoS attacks targeting the SPDY protocol; one scenario involves a large increase in the total number of requests sent by a user towards a SPDY proxy, and another scenario is set with a slight increase. SPC was tested on all the previously mentioned scenarios and showed significant results in detecting the attacks, whether a large sudden flood or a slight low-rate DoS flood; low-rate DoS attacks are very difficult and sometimes impossible to detect. SPC was also tested with the aim of reducing false attack alarms, as these are also difficult to deal with. These techniques were applied in two approaches: in the first approach, the Offline implementation, the statistical values of the whole set of observations, the mean and the standard deviation, are found and then applied to the equations.
In the second approach, the Online implementation, the statistical values were updated on receiving a new observation, immediately applying the SPC equations; no other research has discussed such an approach. The first approach represents a system with previous knowledge and experience of the ongoing traffic. This reduces the overhead spent in finding the mean and the standard deviation every time a new observation is added to the sequence. The second approach represents a system that is newly starting with no knowledge, or a system which was reset after detecting an attack. Finally, a framework was suggested to effectively employ the previous contributions in detecting the traffic flood.
22

Akbar, Yousef M. A. H. "Intrusion Detection of Flooding DoS Attacks on Emulated Smart Meters". Thesis, Virginia Tech, 2020. http://hdl.handle.net/10919/98554.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
The power grid has changed a great deal from what has been generally viewed as a traditional power grid. The modernization of the power grid has seen an increase in the integration and incorporation of computing and communication elements, creating an interdependence of both physical and cyber assets of the power grid. The fast-increasing connectivity has transformed the grid from what used to be primarily a physical system into a Cyber-Physical System (CPS). The physical elements within a power grid are well understood by power engineers; however, the newly deployed cyber aspects are new to most researchers and operators in this field. The new computing and communications structure brings new vulnerabilities along with all the benefits it provides. Cyber security of the power grid is critical due to the potential impact it can make on the community or society that relies on the critical infrastructure. These vulnerabilities have already been exploited in the attack on the Ukrainian power grid, a highly sophisticated, multi-layered attack which caused large power outages for numerous customers. There is an urgent need to understand the cyber aspects of the modernized power grid and take the necessary precautions such that the security of the CPS can be better achieved. The power grid is dependent on two main cyber infrastructures, i.e., Supervisory Control And Data Acquisition (SCADA) and Advanced Metering Infrastructure (AMI). This thesis investigates the AMI in power grids by developing a testbed environment that can be created and used to better understand and develop security strategies to remove the vulnerabilities that exist within it. The testbed is to be used to conduct and implement security strategies, i.e., an Intrusion Detection System (IDS), creating an emulated environment to best resemble the environment of the AMI system.
A DoS flooding attack and an IDS are implemented on the emulated testbed to show the effectiveness and validate the performance of the emulated testbed.
M.S.
The power grid is becoming more digitized and is utilizing information and communication technologies more, hence the smart grid. New systems are developed and utilized in the modernized power grid that directly rely on new communication networks. The power grid is becoming more efficient and more effective due to these developments; however, there are some considerations to be made regarding the security of the power grid. An important expectation of the power grid is the reliability of power delivery to its customers. New information and communication technology integration gives rise to new cyber vulnerabilities that can inhibit the functionality of the power grid. A coordinated cyber-attack was conducted against the Ukrainian power grid in 2015 that targeted the cyber vulnerabilities of the system. The attackers made sure that the grid operators were unable to observe their system being attacked via Denial of Service attacks. Smart meters are the digitized equivalent of traditional energy meters; they communicate wirelessly with the grid operators. An increase in the deployment of these smart meters makes us more dependent on them, thus creating a new vulnerability for an attack. The smart meter integration into the power grid needs to be studied and carefully considered for the prevention of attacks. A testbed is created using devices that emulate the smart meters and a network is established between the devices. The network was attacked with a Denial of Service attack to validate the testbed performance, and an intrusion detection method was developed and applied onto the testbed to prove that the testbed created can be used to study and develop methods to cover the vulnerabilities present.
23

Yadav, Tarun Kumar. "Automatic Detection and Prevention of Fake Key Attacks in Signal". BYU ScholarsArchive, 2019. https://scholarsarchive.byu.edu/etd/9072.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
The Signal protocol provides end-to-end encryption for billions of users in popular instant messaging applications like WhatsApp, Facebook Messenger, and Google Allo. The protocol relies on an app-specific central server to distribute public keys and relay encrypted messages between the users. Signal prevents passive attacks. However, it is vulnerable to some active attacks due to its reliance on a trusted key server. A malicious key server can distribute fake keys to users to perform man-in-the-middle or impersonation attacks. Signal applications support an authentication ceremony to detect these active attacks. However, this places an undue burden on the users to manually verify each other's public key. Recent studies reveal that the authentication ceremony is time-consuming and confusing, and almost nobody adopts it. Our goal is to explore various approaches for automatically detecting or preventing fake key attacks. We modified a local copy of the Signal server to demonstrate that active attacks are feasible. We then designed three defenses that automatically detect or prevent the attacks. We completed a threat analysis of the defenses and implemented some proof-of-concept prototypes for two of them. We analyze their strengths and weaknesses and outline avenues for future work.
24

Landfors, Kristoffer. "DETECTION AND RESOLUTION OF VSI-DDOS ATTACKS FOR CONTAINERIZED CLOUDS". Thesis, Umeå universitet, Institutionen för datavetenskap, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:umu:diva-165181.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
Very Short Intermittent Distributed Denial of Service (VSI-DDoS) attack is a new form of DDoS attacks with potential to bypass many of the security measures used today and still severely damage the quality of service of web applications in cloud systems. The attacks consist of short bursts of legitimate packets which exploit vulnerabilities in the targeted system. With the growing popularity of using containers instead of Virtual Machines in clouds, this project presents an approach for detecting these attacks in a container based cloud system. The approach uses signal processing in the form of Discrete Wavelet Transform (DWT) and recurrent neural networks (RNN) called Long Short Term Memory (LSTM) to detect attacks. Several experiments have been carried out to evaluate the performance of the proposed approach in a controlled testbed environment and it is shown to perform well with competing approaches.
25

Yaseen, Amer Atta. "Toward self-detection of cyber-physical attacks in control systems". Thesis, Lille 1, 2019. http://www.theses.fr/2019LIL1I040/document.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
A Networked Control System (NCS) is a distributed control system in which information is exchanged in real time over a network linking sensors, actuators, controllers, etc. NCSs are found in many industrial applications such as production systems, remotely controlled systems, autonomous vehicles, teleoperation, etc. The main advantages of these systems are the flexibility of their architecture and the reduction of installation and maintenance costs; the main drawback is the network-induced effects, such as transmission delays, which affect the performance and stability of the control loop. These systems are also vulnerable to cyber attacks. This thesis makes several contributions to the detection of cyber attacks as well as to the development of a controller capable of handling the effects of time delays. To reach this goal, the proposed method is to adapt a model-free control and improve its use in Networked Control Systems. The main idea is based on the mutual benefit of a Smith predictor and the basic model of model-free control. Then, the intelligent structure of model-free control is applied together with Generalized Predictive Control (GPC) so as to obtain an intelligent generalized predictive control, which is an improvement over the standard generalized controller. This controller is designed with two different methods for detecting cyber attacks. In parallel, a new security mechanism based on a deceptive response to cyber attacks in Networked Control Systems is proposed.
The proposed mechanism can stop a cyber attack by providing a last line of defence when the attacker has access to the remote plant. Finally, two detectors for controller hijacking attacks are introduced. The objective is to be able to detect an attack such as the Stuxnet case, where the controller was hijacked by reprogramming. The advantage of the proposed detectors is that they do not require an a priori mathematical model of the controller.
A networked control system (NCS) is a control system in which the control loop is closed over a real-time network. NCSs are used in many industrial applications, and also in applications such as remote control, unmanned aerial vehicles or surgical teleoperation, ... The major advantages of NCS are a flexible architecture and a reduction of installation and maintenance costs; the main disadvantage of NCS is the network effects, such as time delays, that influence the performance and stability of the control loop. These systems are also vulnerable to cyber attacks. This thesis makes some contributions regarding the detection of cyber-physical attacks as well as the development of a controller capable of dealing with the other bad effects of the network, like time delays. To achieve this goal, the proposed approach is to adapt a model-free controller and to improve its use in NCS. The main idea is based on the mutual benefit between a Smith predictor and the basic model-free controller. Then, the intelligent structure of model-free control is applied along with a Generalized Predictive Controller (GPC) to achieve the Intelligent Generalized Predictive Controller (IGPC) as an enhancement of the standard GPC. The IGPC is designed along with two different methods for cyber-attack detection. Moreover, a new security mechanism based on deception for cyber-physical attacks in NCS is proposed; this mechanism can stop cyber-attacks by providing a last line of defense when the attacker has access to the remote plant. Finally, two detectors for controller hijacking attacks are introduced. The objective is to be able to detect an attack such as the Stuxnet case, where the controller has been reprogrammed and hijacked. The advantage of these proposed detectors is that it is not necessary to have an a priori mathematical model of the controller.
26

Zhang, Yueqian. "Resource Clogging Attacks in Mobile Crowd-Sensing: AI-based Modeling, Detection and Mitigation". Thesis, Université d'Ottawa / University of Ottawa, 2020. http://hdl.handle.net/10393/40082.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
Mobile Crowdsensing (MCS) has emerged as a ubiquitous solution for data collection from embedded sensors of the smart devices to improve the sensing capacity and reduce the sensing costs in large regions. Due to the ubiquitous nature of MCS, smart devices require cyber protection against adversaries that are becoming smarter with the objective of clogging the resources and spreading misinformation in such a non-dedicated sensing environment. In an MCS setting, one of the various adversary types has the primary goal of keeping participant devices occupied by submitting fake/illegitimate sensing tasks so as to clog the participant resources such as the battery, sensing, storage, and computing. With this in mind, this thesis proposes a systematical study of fake task injection in MCS, including modeling, detection, and mitigation of such resource clogging attacks. We introduce modeling of fake task attacks in MCS intending to clog the server and drain battery energy from mobile devices. We creatively grant mobility to the tasks for more extensive coverage of potential participants and propose two task movement patterns, namely the Zone-free Movement (ZFM) model and the Zone-limited Movement (ZLM) model. Based on the attack model and task movement patterns, we design task features and create structured simulation settings that can be modified to adapt to different research scenarios and research purposes. Since the development of a secure sensing campaign highly depends on the existence of a realistic adversarial model, we apply the self-organizing feature map (SOFM) to maximize the number of impacted participants and recruits according to the user movement pattern of these cities. Our simulation results verify the magnified effect of SOFM-based fake task injection compared with randomly selected attack regions, in terms of more affected recruits and participants and increased energy consumption in the recruited devices due to the illegitimate task submission.
For the sake of a secure MCS platform, we introduce Machine Learning (ML) methods into the MCS server to detect and eliminate the fake tasks, making sure the tasks arriving at the user side are legitimate tasks. In our work, two machine learning algorithms, Random Forest and Gradient Boosting, are adopted to train the system to predict the legitimacy of a task, and Gradient Boosting is proven to be a more promising algorithm. We have validated the feasibility of ML in differentiating the legitimacy of tasks in terms of precision, recall, and F1 score. By comparing the energy consumption, affected recruits, and impacted candidates with and without ML, we confirm the efficiency of applying ML to mitigate the effect of fake task injection.
27

Taub, Lawrence. "Application of a Layered Hidden Markov Model in the Detection of Network Attacks". NSUWorks, 2013. http://nsuworks.nova.edu/gscis_etd/320.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
Network-based attacks against computer systems are a common and increasing problem. Attackers continue to increase the sophistication and complexity of their attacks with the goal of removing sensitive data or disrupting operations. Attack detection technology works very well for the detection of known attacks using a signature-based intrusion detection system. However, attackers can utilize attacks that are undetectable to those signature-based systems whether they are truly new attacks or modified versions of known attacks. Anomaly-based intrusion detection systems approach the problem of attack detection by detecting when traffic differs from a learned baseline. In the case of this research, the focus was on a relatively new area known as payload anomaly detection. In payload anomaly detection, the system focuses exclusively on the payload of packets and learns the normal contents of those payloads. When a payload's contents differ from the norm, an anomaly is detected and may be a potential attack. A risk with anomaly-based detection mechanisms is they suffer from high false positive rates which reduce their effectiveness. This research built upon previous research in payload anomaly detection by combining multiple techniques of detection in a layered approach. The layers of the system included a high-level navigation layer, a request payload analysis layer, and a request-response analysis layer. The system was tested using the test data provided by some earlier payload anomaly detection systems as well as new data sets. The results of the experiments showed that by combining these layers of detection into a single system, there were higher detection rates and lower false positive rates.
28

Siddiqui, Abdul Jabbar. "Securing Connected and Automated Surveillance Systems Against Network Intrusions and Adversarial Attacks". Thesis, Université d'Ottawa / University of Ottawa, 2021. http://hdl.handle.net/10393/42345.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
In the recent years, connected surveillance systems have been witnessing an unprecedented evolution owing to the advancements in internet of things and deep learning technologies. However, vulnerabilities to various kinds of attacks both at the cyber network-level and at the physical world-level are also rising. This poses danger not only to the devices but also to human life and property. The goal of this thesis is to enhance the security of an internet of things, focusing on connected video-based surveillance systems, by proposing multiple novel solutions to address security issues at the cyber network-level and to defend such systems at the physical world-level. In order to enhance security at the cyber network-level, this thesis designs and develops solutions to detect network intrusions in an internet of things such as surveillance cameras. The first solution is a novel method for network flow features transformation, named TempoCode. It introduces a temporal codebook-based encoding of flow features based on capturing the key patterns of benign traffic in a learnt temporal codebook. The second solution takes an unsupervised learning-based approach and proposes four methods to build efficient and adaptive ensembles of neural networks-based autoencoders for intrusion detection in internet of things such as surveillance cameras. To address the physical world-level attacks, this thesis studies, for the first time to the best of our knowledge, adversarial patches-based attacks against a convolutional neural network (CNN)-based surveillance system designed for vehicle make and model recognition (VMMR). The connected video-based surveillance systems that are based on deep learning models such as CNNs are highly vulnerable to adversarial machine learning-based attacks that could trick and fool the surveillance systems.
In addition, this thesis proposes and evaluates a lightweight defense solution called SIHFR to mitigate the impact of such adversarial-patches on CNN-based VMMR systems, leveraging the symmetry in vehicles’ face images. The experimental evaluations on recent realistic intrusion detection datasets prove the effectiveness of the developed solutions, in comparison to state-of-the-art, in detecting intrusions of various types and for different devices. Moreover, using a real-world surveillance dataset, we demonstrate the effectiveness of the SIHFR defense method which does not require re-training of the target VMMR model and adds only a minimal overhead. The solutions designed and developed in this thesis shall pave the way forward for future studies to develop efficient intrusion detection systems and adversarial attacks mitigation methods for connected surveillance systems such as VMMR.
29

Odesanmi, Abiola, and Daryl Moten. "Secure Telemetry: Attacks and Counter Measures on iNET". International Foundation for Telemetering, 2011. http://hdl.handle.net/10150/595801.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
ITC/USA 2011 Conference Proceedings / The Forty-Seventh Annual International Telemetering Conference and Technical Exhibition / October 24-27, 2011 / Bally's Las Vegas, Las Vegas, Nevada
iNet is a project aimed at improving and modernizing telemetry systems by moving from a link to a networking solution. Changes introduce new risks and vulnerabilities. The nature of the security of the telemetry system changes when the elements are in an Ethernet and TCP/IP network configuration. The network will require protection from intrusion and malware that can be initiated internal or external to the network boundary. In this paper we will discuss how to detect and counter FTP password attacks using the Hidden Markov Model for intrusion detection. We intend to discover and expose the more subtle iNet network vulnerabilities and make recommendations for a more secure telemetry environment.
30

Do, Van Long. "Sequential detection and isolation of cyber-physical attacks on SCADA systems". Thesis, Troyes, 2015. http://www.theses.fr/2015TROY0032/document.

Full text
APA, Harvard, Vancouver, ISO and other styles
Abstract (summary):
This thesis is part of the "SCALA" project funded by the ANR through the programme ANR-11-SECU-0005. Its objective is to monitor Supervisory Control and Data Acquisition (SCADA) systems against cyber-physical attacks. This amounts to solving a problem of sequential detection and isolation of transient signals in stochastic dynamical systems in the presence of unknown states and random noise. The proposed solution relies on an analytical redundancy approach composed of two steps: residual generation, then residual evaluation. The residuals are generated in two distinct ways, with the Kalman filter or by projection onto the parity space. They are then evaluated by sequential change-point analysis methods according to new optimality criteria suited to the monitoring of safety-critical systems. The aim is thus to minimise the worst-case probability of missed detection under the constraint of acceptable levels for the worst-case probability of false alarm and the worst-case probability of false isolation. For the detection task, the optimisation problem is solved in two cases: the parameters of the transient signal are fully known or only partially known. The statistical properties of the resulting sub-optimal tests are analysed. Preliminary results for the isolation task are also proposed. The developed algorithms are applied to the detection and isolation of malicious acts in a drinking-water network.
This PhD thesis is registered in the framework of the project “SCALA” which received financial support through the program ANR-11-SECU-0005. Its ultimate objective involves the on-line monitoring of Supervisory Control And Data Acquisition (SCADA) systems against cyber-physical attacks. The problem is formulated as the sequential detection and isolation of transient signals in stochastic-dynamical systems in the presence of unknown system states and random noises. It is solved by using the analytical redundancy approach consisting of two steps: residual generation and residual evaluation. The residuals are firstly generated by both Kalman filter and parity space approaches. They are then evaluated by using sequential analysis techniques taking into account certain criteria of optimality. However, these classical criteria are not adequate for the surveillance of safety-critical infrastructures. For such applications, it is suggested to minimize the worst-case probability of missed detection subject to acceptable levels on the worst-case probability of false alarm and false isolation. For the detection task, the optimization problem is formulated and solved in both scenarios: exactly and partially known parameters. The sub-optimal tests are obtained and their statistical properties are investigated. Preliminary results for the isolation task are also obtained. The proposed algorithms are applied to the detection and isolation of malicious attacks on a simple SCADA water network
31

SHARMA, RISHIE. "Detection of Low-Rate DoS Attacks against HTTP Servers using Spectral Analysis". Thesis, KTH, Skolan för datavetenskap och kommunikation (CSC), 2014. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-155895.

Abstract:
Denial-of-Service (DoS) attacks pose a serious threat to any service provider on the Internet. While traditional DoS flooding attacks require the attacker to control at least as much resources as the service provider in order to be effective, so called low-rate DoS attacks can exploit weaknesses in careless design to effectively deny a service using minimal amounts of network traffic. This thesis investigates one such weakness in version 2.2 of the popular Apache HTTP Server software. The weakness regards how the server handles the persistent connection feature in HTTP 1.1. An attack simulator exploiting this weakness has been developed and shown to be effective. The attack was then studied with spectral analysis with the purpose of examining how well the attack could be detected. In line with other papers on spectral analysis of low-rate DoS attacks, the results show that there are disproportionate amounts of energy in the lower frequencies when the attack is present. However, by randomising the attack pattern, an attacker can reduce the disproportion to a degree where it might be impossible to correctly identify an attack in a real world scenario.
32

Haggerty, John. "DiDDeM : a system for early detection of denial-of-services attacks". Thesis, University of York, 2004. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.403810.

33

Saengudomlert, Poompat 1973. "Analysis and detection of jamming attacks in an all-optical network". Thesis, Massachusetts Institute of Technology, 1998. http://hdl.handle.net/1721.1/47508.

Abstract:
Thesis (M.S.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1998.
Includes bibliographical references (p. 123-124).
by Poompat Saengudomlert.
M.S.
34

Nash, Daniel Charles. "An Intrusion Detection System for Battery Exhaustion Attacks on Mobile Computers". Thesis, Virginia Tech, 2005. http://hdl.handle.net/10919/33221.

Abstract:

Mobile personal computing devices continue to proliferate and individuals' reliance on them for day-to-day needs necessitates that these platforms be secure. Mobile computers are subject to a unique form of denial of service attack known as a battery exhaustion attack, in which an attacker attempts to rapidly drain the battery of the device. Battery exhaustion attacks greatly reduce the utility of the mobile devices by decreasing battery life. If steps are not taken to thwart these attacks, they have the potential to become as widespread as the attacks that are currently mounted against desktop systems.

This thesis presents steps in the design of an intrusion detection system for detecting these attacks, a system that takes into account the performance, energy, and memory constraints of mobile computing devices. This intrusion detection system uses several parameters, such as CPU load and disk accesses, to estimate the power consumption of two test systems using multiple linear regression models, allowing us to find the energy used on a per process basis, and thus identifying processes that are potentially battery exhaustion attacks.


Master of Science
35

Al-Mafrachi, Basheer Husham Ali. "Detection of DDoS Attacks against the SDN Controller using Statistical Approaches". Wright State University / OhioLINK, 2017. http://rave.ohiolink.edu/etdc/view?acc_num=wright1513738941473344.

36

Stafford, William B. "Sequential pattern detection and time series models for predicting IED attacks". Thesis, Monterey, Calif. : Naval Postgraduate School, 2009. http://edocs.nps.edu/npspubs/scholarly/theses/2009/Mar/09Mar%5FStafford.pdf.

Abstract:
Thesis (M.S. in Information Technology Management)--Naval Postgraduate School, March 2009.
Thesis Advisor(s): Kamel, Magdi. "March 2009." Description based on title screen as viewed on April 24, 2009. Author(s) subject terms: Sequential Pattern Detection, Time Series, Predicting IED Attacks, Data Mining. Includes bibliographical references (p. 77). Also available in print.
37

Li, Yuan Man. "SIFT-based image copy-move forgery detection and its adversarial attacks". Thesis, University of Macau, 2018. http://umaclib3.umac.mo/record=b3952093.

38

Goh, Vik Tor. "Intrusion detection framework for encrypted networks". Thesis, Queensland University of Technology, 2010. https://eprints.qut.edu.au/41733/1/Vik_Tor_Goh_Thesis.pdf.

Abstract:
Network-based Intrusion Detection Systems (NIDSs) monitor network traffic for signs of malicious activities that have the potential to disrupt entire network infrastructures and services. NIDS can only operate when the network traffic is available and can be extracted for analysis. However, with the growing use of encrypted networks such as Virtual Private Networks (VPNs) that encrypt and conceal network traffic, a traditional NIDS can no longer access network traffic for analysis. The goal of this research is to address this problem by proposing a detection framework that allows a commercial off-the-shelf NIDS to function normally in a VPN without any modification. One of the features of the proposed framework is that it does not compromise on the confidentiality afforded by the VPN. Our work uses a combination of Shamir’s secret-sharing scheme and randomised network proxies to securely route network traffic to the NIDS for analysis. The detection framework is effective against two general classes of attacks – attacks targeted at the network hosts or attacks targeted at the framework itself. We implement the detection framework as a prototype program and evaluate it. Our evaluation shows that the framework does indeed detect these classes of attacks and does not introduce any additional false positives. Despite the increase in network overhead in doing so, the proposed detection framework is able to consistently detect intrusions through encrypted networks.
39

Wood, Adrian Michael. "A defensive strategy for detecting targeted adversarial poisoning attacks in machine learning trained malware detection models". Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2021. https://ro.ecu.edu.au/theses/2483.

Abstract:
Machine learning is a subset of Artificial Intelligence which is utilised in a variety of different fields to increase productivity, reduce overheads, and simplify the work process through training machines to automatically perform a task. Machine learning has been implemented in many different fields such as medical science, information technology, finance, and cyber security. Machine learning algorithms build models which identify patterns within data, which when applied to new data, can map the input to an output with a high degree of accuracy. To build the machine learning model, a dataset comprised of appropriate examples is divided into training and testing sets. The training set is used by the machine learning algorithm to identify patterns within the data, which are used to make predictions on new data. The test set is used to evaluate the performance of the machine learning model. These models are popular because they significantly improve the performance of technology through automation of feature detection which previously required human input. However, machine learning algorithms are susceptible to a variety of adversarial attacks, which allow an attacker to manipulate the machine learning model into performing an unwanted action, such as misclassifying data into the attacker's desired class, or reducing the overall efficacy of the ML model. One current research area is that of malware detection. Malware detection relies on machine learning to detect previously unknown malware variants, without the need to manually reverse-engineer every suspicious file. Detection of Zero-day malware plays an important role in protecting systems generally but is particularly important in systems which manage critical infrastructure, as such systems often cannot be shut down to apply patches and thus must rely on network defence.
In this research, a targeted adversarial poisoning attack was developed to allow Zero-day malware files, which were originally classified as malicious, to bypass detection by being misclassified as benign files. An adversarial poisoning attack occurs when an attacker can inject specifically-crafted samples into the training dataset which alters the training process to the desired outcome of the attacker. The targeted adversarial poisoning attack was performed by taking a random selection of the Zero-day file’s import functions and injecting them into the benign training dataset. The targeted adversarial poisoning attack succeeded for both Multi-Layer Perceptron (MLP) and Decision Tree models without reducing the overall efficacy of the target model. A defensive strategy was developed for the targeted adversarial poisoning attack for the MLP models by examining the activation weights of the penultimate layer at test time. If the activation weights were outside the norm for the target (benign) class, the file is quarantined for further examination. It was found to be possible to identify on average 80% of the target Zero-day files from the combined targeted poisoning attacks by examining the activation weights of the neurons from the penultimate layer.
40

Mousavinejad, Seyed Eman. "Cyber-Physical Attack Detection for Networked Control Systems". Thesis, Griffith University, 2020. http://hdl.handle.net/10072/395098.

Abstract:
Until the 1960s, control systems consisted mainly of mechanical or analog electronic devices exchanging information among system components, i.e., sensors, controllers, and actuators, via wired communication. However, recent advancements in the computer and communication industries have led to the growing use of the Internet, embedded systems, wireless and digital communication technologies in many industrial control systems and transformed them into Networked Control Systems (NCSs). A defining feature of an NCS is that it consists of a number of devices implemented distributively so that system information is exchanged through a shared communication network. In light of many distinct advantages of NCSs including flexible architectures and lower installation and maintenance costs, the development and application of NCSs have been recently boosted in a wide range of practical areas and critical infrastructures including transportation systems, electrical power systems and smart grids, remote surgery, industrial and manufacturing systems. Owing to heterogeneous IT components and open network connections among controllers, sensors, actuators, and other networked components, the Confidentiality, Integrity, and Availability (CIA) of exchanged data in an NCS may suffer from vulnerability to malicious cyber attacks. Undoubtedly, this kind of threat is mainly launched by an adversary in either the physical world or the cyber-space with the aim of substantial economic benefits or disrupting human life. Therefore, it is imperative to properly address security issues of NCSs so as to ensure their reliable and safe performance. In securing NCSs, reliable attack detection is of utmost importance. Generally speaking, when cyber attacks are detected and located in a timely fashion, the damage to overall systems can be controlled within a tolerable limit.
Motivated by security concerns of NCSs, the first major contribution of this thesis is the development of a novel centralized detection method based on set-membership filtering technique so as to detect cyber attacks in an NCS subject to Unknown-But-Bounded (UBB) process noise and UBB measurement noise. In response to it, a set-membership filter is designed so as to construct two ellipsoidal sets: 1) a prediction set and 2) an estimation set. The estimation ellipsoidal set is calculated through updating the prediction ellipsoidal set with the current sensor measurement data. Whether the filter can detect the occurrence of such an attack is determined by the existence of intersection between these two sets. The developed centralized detection method may not be straightforwardly applicable for a large-scale NCS because it requires full knowledge of the entire network information. Furthermore, the computational overhead for this detection method is quite high and hence, it may make the use of the detection system unrealistic. Therefore, the second major contribution of this thesis is the development of a distributed attack detection method for a vehicular platoon system, which is one of the large-scale NCSs from real engineering world. Moreover, two recovery mechanisms are developed to mitigate the adversarial impacts of attacks on the performance of the vehicle platooning system. With these two recovery mechanisms, the system can be brought back to the normal condition after detection of the attacks. In some practical situations, it is quite common for a crafty adversary to launch assorted attacks of different models and strategies for comprehensively compromising the sensor measurements and control signals. It has been well acknowledged that different attack strategies are generally stealthy to any detection method. Motivated by this observation, the property of system’s resiliency is of utmost significance. 
In this study, the focus lies on resilient remote tracking control through a shared communication network. Thus, the third major contribution of this thesis is the analysis of the joint problem of resilient tracking control and resilient estimation in NCSs subject to the presence of various cyber attacks that are modeled in a unified framework which leads the NCS to be operated and controlled via some digital and unprotected communication networks.
Thesis (PhD Doctorate)
Doctor of Philosophy (PhD)
School of Eng & Built Env
Science, Environment, Engineering and Technology
41

Gaubatz, Gunnar. "Tamper-resistant arithmetic for public-key cryptography". Worcester, Mass. : Worcester Polytechnic Institute, 2007. http://www.wpi.edu/Pubs/ETD/Available/etd-030107-115645/.

Abstract:
Dissertation (Ph.D.)--Worcester Polytechnic Institute.
Keywords: Side Channel Attacks; Fault Attacks; Public-Key Cryptography; Error Detection; Error Detecting Codes. Includes bibliographical references (leaves 127-136).
42

Sivakumaran, Arun. "Malicious user attacks in decentralised cognitive radio networks". Diss., University of Pretoria, 2020. http://hdl.handle.net/2263/79657.

Abstract:
Cognitive radio networks (CRNs) have emerged as a solution for the looming spectrum crunch caused by the rapid adoption of wireless devices over the previous decade. This technology enables efficient spectrum utility by dynamically reusing existing spectral bands. A CRN achieves this by requiring its users – called secondary users (SUs) – to measure and opportunistically utilise the band of a legacy broadcaster – called a primary user (PU) – in a process called spectrum sensing. Sensing requires the distribution and fusion of measurements from all SUs, which is facilitated by a variety of architectures and topologies. CRNs possessing a central computation node are called centralised networks, while CRNs composed of multiple computation nodes are called decentralised networks. While simpler to implement, centralised networks are reliant on the central node – the entire network fails if this node is compromised. In contrast, decentralised networks require more sophisticated protocols to implement, while offering greater robustness to node failure. Relay-based networks, a subset of decentralised networks, distribute the computation over a number of specialised relay nodes – little research exists on spectrum sensing using these networks. CRNs are vulnerable to unique physical layer attacks targeted at their spectrum sensing functionality. One such attack is the Byzantine attack; these attacks occur when malicious SUs (MUs) alter their sensing reports to achieve some goal (e.g. exploitation of the CRN’s resources, reduction of the CRN’s sensing performance, etc.). Mitigation strategies for Byzantine attacks vary based on the CRN’s network architecture, requiring defence algorithms to be explored for all architectures. Because of the sparse literature regarding relay-based networks, a novel algorithm – suitable for relay-based networks – is proposed in this work. 
The proposed algorithm performs joint MU detection and secure sensing by large-scale probabilistic inference of a statistical model. The proposed algorithm’s development is separated into the following two parts.
• The first part involves the construction of a probabilistic graphical model representing the likelihood of all possible outcomes in the sensing process of a relay-based network. This is done by discovering the conditional dependencies present between the variables of the model. Various candidate graphical models are explored, and the mathematical description of the chosen graphical model is determined.
• The second part involves the extraction of information from the graphical model to provide utility for sensing. Marginal inference is used to enable this information extraction. Belief propagation is used to infer the developed graphical model efficiently. Sensing is performed by exchanging the intermediate belief propagation computations between the relays of the CRN.
Through a performance evaluation, the proposed algorithm was found to be resistant to probabilistic MU attacks of all frequencies and proportions. The sensing performance was highly sensitive to the placement of the relays and honest SUs, with the performance improving when the number of relays was increased. The transient behaviour of the proposed algorithm was evaluated in terms of its dynamics and computational complexity, with the algorithm’s results deemed satisfactory in this regard. Finally, an analysis of the effectiveness of the graphical model’s components was conducted, with a few model components accounting for most of the performance, implying that further simplifications to the proposed algorithm are possible.
Dissertation (MEng)--University of Pretoria, 2020.
Electrical, Electronic and Computer Engineering
MEng
Unrestricted
43

Myers, David. "Detecting cyber attacks on industrial control systems using process mining". Thesis, Queensland University of Technology, 2019. https://eprints.qut.edu.au/130799/1/David_Myers_Thesis.pdf.

Abstract:
Industrial control systems conduct processes which are core to our lives, from the generation, transmission, and distribution of power, to the treatment and supply of water. These industrial control systems are moving from dedicated, serial-based communications to switched and routed corporate networks to facilitate the monitoring and management of industrial processes. However, this connection to corporate networks can expose industrial control systems to the Internet, placing them at risk of cyber-attack. In this study, we develop and evaluate a process-mining based anomaly detection system to generate process models of, and detect cyber-attacks on, industrial control system processes and devices.
44

Mushtaq, Maria. "Software-based Detection and Mitigation of Microarchitectural Attacks on Intel’s x86 Architecture". Thesis, Lorient, 2019. http://www.theses.fr/2019LORIS531.

Abstract:
Side-channel attacks based on cache memory accesses constitute a sub-category that represents a powerful arsenal for undermining the security of cryptographic algorithms by targeting their implementations. Despite many efforts, protection techniques against these attacks are not yet mature enough. This is mainly because most techniques generally do not protect against all attack scenarios. Moreover, these solutions can heavily impact system performance. This thesis presents arguments in favour of strengthening security and privacy in modern computing systems while preserving their performance. To this end, the thesis develops a need-based protection, which allows the operating system to apply protective measures only after attacks have been detected. Detection can thus serve as a first line of defence. However, for the detection-based protection strategy to be effective, detection must be reliable, have only a low impact on performance and cover a broad spectrum of attacks before they reach their goal. With this in mind, this thesis proposes a complete framework for detection-based protection against a set of attacks exploiting the cache memories at run time under variable system load conditions. In addition, the thesis proposes to couple the detection principle with a protection mechanism integrated into the Linux operating system. Although the proposed protection mechanism is applied to Linux, the solution is extensible to other operating systems. This thesis demonstrates that security and privacy must be taken into account at the system level and that protection solutions must adopt a holistic approach
Access-driven cache-based side-channel attacks, a sub-category of SCAs, are strong cryptanalysis techniques that break cryptographic algorithms by targeting their implementations. Despite valiant efforts, mitigation techniques against such attacks are not very effective. This is mainly because most mitigation techniques usually protect against any given specific vulnerability and do not take a system-wide approach. Moreover, these solutions either completely remove or greatly reduce the prevailing performance benefits in computing systems that are hard earned over many decades. This thesis presents arguments in favor of enhancing security and privacy in modern computing architectures while retaining the performance benefits. The thesis argues in favor of a need-based protection, which would allow the operating system to apply mitigation only after successful detection of CSCAs. Thus, detection can serve as a first line of defense against such attacks. However, for a detection-based protection strategy to be effective, detection needs to be highly accurate, should incur minimum system overhead at run-time, should cover a large set of attacks and should be capable of early stage detection, i.e., before the attack completes. This thesis proposes a complete framework for detection-based protection. At first, the thesis presents a highly accurate, fast and lightweight detection framework to detect a large set of Cache-based SCAs at run-time under variable system load conditions. In the follow up, the thesis demonstrates the use of this detection framework through the proposition of an OS-level run-time detection-based mitigation mechanism for Linux general-purpose distributions. Though the proposed mitigation mechanism is proposed for Linux general distributions, which are widely used in commodity hardware, the solution is scalable to other operating systems. We provide extensive experiments to validate the proposed detection framework and mitigation mechanism.
This thesis demonstrates that security and privacy are system-wide concerns and the mitigation solutions must take a holistic approach
45

Khanapure, Vishal. "Memory efficient distributed detection of node replication attacks in wireless sensor networks". [Gainesville, Fla.] : University of Florida, 2009. http://purl.fcla.edu/fcla/etd/UFE0025072.

46

Kendall, Kristopher (Kristopher Robert) 1976. "A database of computer attacks for the evaluation of intrusion detection systems". Thesis, Massachusetts Institute of Technology, 1999. http://hdl.handle.net/1721.1/9459.

Abstract:
Thesis (S.B. and M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1999.
Includes bibliographical references (p. 121-124).
The 1998 DARPA intrusion detection evaluation created the first standard corpus for evaluating computer intrusion detection systems. This corpus was designed to evaluate both false alarm rates and detection rates of intrusion detection systems using many types of both known and new attacks embedded in a large amount of normal background traffic. The corpus was collected from a simulation network that was used to automatically generate realistic traffic, including attempted attacks. The focus of this thesis is the attacks that were developed for use in the 1998 DARPA intrusion detection evaluation. In all, over 300 attacks were included in the 9 weeks of data collected for the evaluation. These 300 attacks were drawn from 32 different attack types and 7 different attack scenarios. The attack types covered the different classes of computer attacks and included older, well-known attacks, newer attacks that have recently been released to publicly available forums, and some novel attacks developed specifically for this evaluation. The development of a high quality corpus for evaluating intrusion detection systems required not only a variety of attack types, but also required realistic variance in the methods used by the attacker. The attacks included in the 1998 DARPA intrusion detection evaluation were developed to provide a reasonable amount of such variance in attacker methods. Some attacks occur in a single session with all actions occurring in the clear, while others are broken up into several sessions spread out over a long period of time with the attacker taking deliberate steps to minimize the chances of detection by a human administrator or an intrusion detection system. In some attacks, the attacker breaks into a computer system just for fun, while in others the attacker is interested in collecting confidential information or causing damage.
In addition to providing detailed descriptions of each attack type, this thesis also describes the methods of stealthiness and the attack scenarios that were developed to provide a better simulation of realistic computer attacks.
by Kristopher Kendall.
S.B.and M.Eng.
47

Sriskandarajah, Shriparen. "Detection and mitigation of denial-of-service attacks against software-defined networking". Thesis, Queensland University of Technology, 2021. https://eprints.qut.edu.au/226951/1/Shriparen_Sriskandarajah_Thesis.pdf.

Abstract:
Software-defined networking (SDN) is an emerging architecture in computer networking that was introduced to fulfill the demand of current Internet-based services and applications. New features introduced in the SDN architecture open the space for attackers to disrupt the SDN-based networks using new types of Denial-of-Service (DoS) attacks. In this study, first, we present a new DoS attack, namely the control channel DoS attack. Second, we present another new DoS attack to overwhelm the flow table of the SDN switches, namely the flow rule overwhelming attack. Finally, we propose novel strategies to detect and mitigate DoS attacks against the SDN architecture.
48

Cai, Hang. "Detecting Data Manipulation Attacks on Physiological Sensor Measurements in Wearable Medical Systems". Digital WPI, 2018. https://digitalcommons.wpi.edu/etd-dissertations/502.

Abstract:
Recent years have seen the dramatic increase of wearable medical systems (WMS) that have demonstrated promise for improving health monitoring and overall well-being. Ensuring that the data collected are secure and trustworthy is crucial. This is especially true in the presence of adversaries who want to mount data manipulation attacks on WMS, which aim to manipulate the sensor measurements with fictitious data that is plausible but not accurate. Such attacks force clinicians, or any decision support system AI analyzing the WMS data, to make incorrect diagnosis and treatment decisions about the user’s health. Given that there are different possible vulnerabilities found in WMS that can lead to data manipulation attacks, we take a different angle by developing an attack-agnostic approach, called Signal Interrelationship CApture for Physiological-process (SICAP), to detect data manipulation attacks on physiological sensor measurements in a WMS. The SICAP approach leverages the idea that different physiological signals in the user’s body driven by the same underlying physiological process (e.g., cardiac process) are inherently related to each other. By capturing the interrelationship patterns between the related physiological signals, it can detect if any signal is maliciously altered. This is because the incorrect user data introduced by adversaries will have interrelationship patterns that are uncharacteristic of the individual’s physiological process and hence quite different from the ones SICAP expects. We demonstrate the efficacy of our approach in detecting data manipulation attacks by building different detection solutions for two commonly measured physiological sensor measurements in a WMS environment – electrocardiogram and arterial blood pressure.
The advantage of using this approach is that it allows for detection of data manipulation attacks by taking advantage of different types of physiological sensors, which already exist in typical WMS, thus avoiding the need for redundant sensors of the same type. Furthermore, the SICAP approach is not designed to be stand-alone but provides the last line of defense for WMS. It is complementary to, and coexists with, any existing or future security solutions that may be introduced to protect WMS against data manipulation attacks.
49

Morgan, Justin L. "Clustering Web Users By Mouse Movement to Detect Bots and Botnet Attacks". DigitalCommons@CalPoly, 2021. https://digitalcommons.calpoly.edu/theses/2304.

Abstract:
The need for website administrators to efficiently and accurately detect the presence of web bots has shown to be a challenging problem. As the sophistication of modern web bots increases, specifically their ability to more closely mimic the behavior of humans, web bot detection schemes are more quickly becoming obsolete by failing to maintain effectiveness. Though machine learning-based detection schemes have been a successful approach in recent implementations, web bots are able to apply similar machine learning tactics to mimic human users, thus bypassing such detection schemes. This work seeks to address the issue of machine learning-based bots bypassing machine learning-based detection schemes by introducing a novel unsupervised learning approach to cluster users based on behavioral biometrics. The idea is that, by differentiating users based on their behavior, for example how they use the mouse or type on the keyboard, information can be provided for website administrators to make more informed decisions on declaring if a user is a human or a bot. This approach is similar to how modern websites require users to log in before browsing their website; in doing so, website administrators can make informed decisions on declaring if a user is a human or a bot. An added benefit of this approach is that it is a human observational proof (HOP), meaning that it will not inconvenience the user (user friction) with human interactive proofs (HIP) such as CAPTCHA, or with login requirements.
50

Wang, Le. "Detection of Man-in-the-middle Attacks Using Physical Layer Wireless Security Techniques". Digital WPI, 2013. https://digitalcommons.wpi.edu/etd-theses/992.

Abstract:
"In a wireless network environment, all the users are able to access the wireless channel. Thus, if malicious users exploit this feature by mimicking the characteristics of a normal user or even the central wireless access point (AP), they can intercept almost all the information through the network. This scenario is referred to as a Man-in-the-middle (MITM) attack. In the MITM attack, the attackers usually set up a rogue AP to spoof the clients. In this thesis, we focus on the detection of MITM attacks in Wi-Fi networks. The thesis introduces the entire process of performing and detecting the MITM attack in two separate sections. The first section starts from creating a rogue AP by imitating the characteristics of the legitimate AP. Then a multi-point jamming attack is conducted to kidnap the clients and force them to connect to the rogue AP. Furthermore, the sniffer software is used to intercept the private information passing through the rogue AP. The second section focuses on the detection of MITM attacks from two aspects: jamming attack detection and rogue AP detection. In order to enable the network to perform defensive strategies more effectively, distinguishing different types of jamming attacks is necessary. We begin by using a signal strength consistency mechanism in order to detect jamming attacks. Then, based on the statistical data of packets send ratio (PSR) and packets delivery ratio (PDR) in different jamming situations, a model is built to further differentiate the jamming attacks. At the same time, we gather the received signal strength indication (RSSI) values from three monitor nodes, which process the random RSSI values employing a sliding window algorithm. According to the mean and standard deviation curve of RSSI, we can detect if a rogue AP is present within the vicinity.
All these proposed approaches, either attack or detection, have been validated via computer simulations and experimental hardware implementations including Backtrack 5 Tools and the MATLAB software suite."
