Program for 4th IEEE LCN Workshop on Network Security (WNS)

Day   Time                Plenary
Fri   09:00 AM-10:00 AM   KN: Keynote
Fri   10:30 AM-12:00 PM   S1: Anomaly Detection
Fri   01:30 PM-03:00 PM   S2: Secure Group Communication

Friday, Oct 17

9:00 AM - 10:00 AM

KN: Keynote

Engineering the Internet of the Future
Thomas H. Clausen (Ecole Polytechnique, France)

10:30 AM - 12:00 PM

S1: Anomaly Detection

Detection of Anomalous Network Packets using Lightweight Stateless Payload Inspection
Nnamdi Nwanze (State University of New York at Binghamton, USA); Douglas Summerville (State University of New York at Binghamton, USA)
A real-time packet-level anomaly detection approach for high-speed network intrusion prevention is described. The approach is suitable for small and fast hardware implementation and was designed to be embedded in network appliances. Each network packet is characterized using a novel technique that efficiently maps the payload histogram onto a simple pair of features using hypercube hash functions, which were chosen for their implementation efficiency in both hardware and software. This two-dimensional feature space is quantized into a binary bitmap representing the normal and anomalous feature regions. The potential loss of accuracy due to the reduction in feature space is countered by the ability of the bitmaps to capture nearly arbitrarily shaped regions in the feature space. These bitmaps are used as the classifiers for real-time detection. The proposed method is extremely efficient in both the offline machine learning and real-time detection components. Results using the 1999 DARPA Intrusion Detection Evaluation Data Set yield 100% detection of all applicable attacks, with an extremely low false positive rate. The approach is also evaluated on real traffic captures.
A two-stage aggregation/thresholding scheme for multi-model anomaly-based approaches
Karim Tabia (Cril CNRS-UMR8188, France); Salem Benferhat (CRIL, France)
This paper deals with anomaly score aggregation and thresholding in multi-model anomaly-based approaches, which require multiple detection models and profiles in order to characterize the different aspects of normal activities. Most works focus on profile/model definition, while critical issues related to anomaly measuring, aggregating and thresholding have not received similar attention. In this paper, we address in particular the issue of anomaly scoring and aggregating, which is a recurring problem in multi-model anomaly-based approaches. We propose a two-stage aggregation/thresholding scheme particularly suitable for multi-model anomaly-based approaches. The basic idea of our scheme is the fact that anomalous behaviors induce either intra-model anomalies or inter-model ones. Our scheme is designed for real-time detection of both intra-model and inter-model anomalies. More precisely, we propose local thresholding in order to detect intra-model anomalies and use a Bayesian network in order to, on the one hand, extract inter-model regularities and, on the other hand, serve as an aggregating function for computing the overall anomaly score associated with each analyzed audit event. Our experimental studies, carried out on recent and real HTTP traffic, show for instance that most Web-based attacks induce only intra-model anomalies and can be effectively detected in real time. Moreover, this scheme significantly improves the detection rate of Web-based attacks involving inter-model anomalies.
Real-time Intrusion Prevention and Security Analysis of Networks using HMMs
Kjetil Haslum (Norwegian University of Science and Technology, Norway); Marie Elisabeth Gaup Moe (NTNU, Norway); Svein Knapskog (Norwegian University of Science and Technology (NTNU), Norway)
In this paper we propose to use a hidden Markov model (HMM) to model sensors for an intrusion prevention system (IPS). Observations from different sensors are aggregated in the HMM and the intrusion frequency security metric is estimated. We use a Markov model that captures the interaction between the attacker and the network to model and predict the next step of an attacker. A new HMM is created and used for updating the estimated system state for each observation, based on the sensor trustworthiness and the time since the last observation was processed. Our objective is to calculate and maintain a state probability distribution that can be used for intrusion prediction and prevention. We show how our sensor model can be applied to an IPS architecture based on intrusion detection system (IDS) sensors, real-time traffic surveillance and online risk assessment. Our approach is illustrated by a small case study.
Identification of Malicious Web Pages Through Analysis of Underlying DNS and Web Server Relationships
Christian Seifert (Victoria University of Wellington, New Zealand); Ian Welch (Victoria University, New Zealand); Peter Komisarczuk (Victoria University of Wellington, New Zealand); Chiraag Aval (University of Washington, USA); Barbara Endicott-Popovsky (University of Washington, USA)
Malicious web pages that launch client-side attacks on web browsers have become an increasing problem in recent years. High-interaction client honeypots are security devices that can detect these malicious web pages on a network. However, high-interaction client honeypots are both resource-intensive and unable to handle the increasing array of vulnerable clients. This paper presents a novel classification method for detecting malicious web pages that involves inspecting the underlying server relationships. Because of the unique structure of malicious front-end web pages and centralized exploit servers, merely counting the number of domain name extensions and DNS servers used to resolve the host names of all web servers involved in rendering a page is sufficient to determine whether a web page is malicious or benign, independent of the vulnerable web browser targeted by these pages. Combining high-interaction client honeypots and this new classification method into a hybrid system leads to performance improvements.

1:30 PM - 3:00 PM

S2: Secure Group Communication

Effect of Intrusion Detection on Secure Group Communications in Hierarchically Structured Group Architectures
Jin-Hee Cho (Virginia Tech, USA); Ing-Ray Chen (Virginia Tech, USA)
We develop a class of adaptive security protocols with designs to allow group communication systems (GCSs) in mobile ad hoc networks (MANETs) to dynamically adjust operational settings to best satisfy application-imposed performance and security requirements, leveraging the inherent tradeoff between security and performance properties of the system. These adaptive security protocols include an intrusion detection protocol for dealing with insider attacks and a scalable region-based hierarchical group key management protocol for dealing with outsider attacks. Our design settings include the time interval over which intrusion detection should be performed, and the regional area size for the region-based hierarchical group key management protocol for group key management. When given a set of parameter values characterizing operational and environmental conditions of a GCS, we identify optimal design settings to be used by the system dynamically to maximize the mean time to security failure of the system while minimizing the total group communication cost incurred for GCSs in MANET environments.
Event-B based Invariant Checking of Secrecy in Group Key Protocols
Amjad Gawanmeh (Concordia University, Canada); Leila Ben Ayed (Faculty of Sciences of Tunis, Tunisia); Sofiene Tahar (Concordia University, Canada)
The correctness of group key protocols in communication systems remains a great challenge because of the dynamic characteristics of group key construction, as we deal with an open number of group members. In this paper, we use an event-B first-order proving system to provide invariant checking for the group key secrecy property. We define a well-formed formal link between the group protocol model and the event-B counterpart model. Our approach is applied to a tree-based group Diffie-Hellman protocol that dynamically outputs group keys using the logical structure of a balanced binary tree.
Key Revocation Based on Dirichlet Multinomial Model for Mobile Ad Hoc Networks
Xinxin Fan (University of Waterloo, Canada)
The absence of an online trusted authority makes the issue of key revocation in mobile ad hoc networks (MANETs) particularly challenging. In this paper, we present a novel self-organized key revocation scheme based on the Dirichlet multinomial model and identity-based cryptography (IBC). Our key revocation scheme offers a theoretically sound basis for a node in MANETs to predict the behavior of other nodes based on its own observations and reports from peers. In our scheme, each node keeps track of three categories of behavior defined and classified by an external trusted authority, and updates its knowledge about other nodes' behavior with a 3-dimensional Dirichlet distribution. Differentiating between suspicious behavior and malicious behavior enables nodes to make a multilevel response by either revoking the keys of malicious nodes or ceasing communication with suspicious nodes for some time to gather more information for making further decisions. Furthermore, we also analyze the attack-resistant properties of our key revocation scheme through extensive simulations in the presence of adversaries.
Secure and Efficient Authentication in Wireless Mesh Networks using Merkle Trees
Lakshmi Santhanam (University of Cincinnati, USA); Bin Xie (University of Cincinnati, USA); Dharma Agrawal (University of Cincinnati, USA)
In recent years, the Wireless Mesh Network (WMN) has evolved as a new paradigm for broadband wireless Internet access. The self-configurability, open wireless infrastructure, and different management styles of WMNs make them vulnerable to malicious attackers. As the first step to secure WMNs, it is critical to incorporate an authentication mechanism for mesh clients. The existing proposals are primarily based on public key certificates, which incur considerable overhead in signature verification. We propose a network layer authentication mechanism called Merkle Tree based Mesh Authentication Protocol (MT-MAP) for WMNs. It incorporates inexpensive hash operations using a Merkle tree to authenticate single/multihop mesh clients. We also show how the use of the hash tree facilitates fast and periodic refresh of authentication certificates. Finally, we present a security analysis to prove the robustness of MT-MAP against impersonation and replay attacks.