The growing Internet of Things (IoT) market introduces new security challenges for network administrators. Most IoT devices are poorly configured making them a target of choice for attackers. Mirai botnet illustrates the threat posed by IoT devices. In this context, Machine Learning techniques can be leveraged to detect attacks in IoT networks. Indeed, contrary to desktop computers or laptops, IoT devices are used for very specific tasks. Therefore, the generated network traffic follows a predictable pattern making data analysis techniques well suited to detect a deviation from the expected behavior. In this paper, we present machine learning based techniques for IoT network monitoring. We first built an experimental smart home network to generate network traffic data. The network traffic is described using features, such as the size of the first N packets sent and received along with the corresponding inter-arrival times. We then train and test classification algorithms for devices...
It is generally agreed that two key points always attract special concerns during the modelling of anomaly-based intrusion detection. One is the techniques about discerning two classes with different features, another is the construction/selection of the observed sample of normally occurring patterns for system normality characterization. In this paper, instead of focusing on the design of specific anomaly detection models, we restrict our attention to the analysis of the anomaly detector's operating environments, which facilitates us to insight into anomaly detectors' operational capabilities, including their detection coverage and blind spots, and thus to evaluate them in convincing manners. Taking the similarity with the induction problem as the starting point, we cast anomaly detection in a statistical framework, which gives a formal analysis of anomaly detector's anticipated behavior from a high level. Some existing problems and possible solutions about the normalit...
In this paper, we propose a trust-based vehicular platoon crowdsensing scheme, named TripSense, in VANET. The proposed TripSense scheme introduces a trust-based system to evaluate vehicles' sensing abilities and then selects the more capable vehicles in order to improve sensing results accuracy. In addition, the sensing tasks are accomplished by platoon member vehicles and preprocessed by platoon head vehicles before the data are uploaded to server. Hence, it is less time-consuming and more efficient compared with the way where the data are submitted by individual platoon member vehicles. Hence it is more suitable in ephemeral networks like VANET. Moreover, our proposed TripSense scheme integrates unlinkable pseudo-ID techniques to achieve PM vehicle identity privacy, and employs a privacy-preserving sensing vehicle selection scheme without involving the PM vehicle's trust score to keep its location privacy. Detailed security analysis shows that our proposed TripSense scheme...
This book constitutes the refereed proceedings of the 13th International Conference on Information and Communications Security, ICICS 2011, held in Beijing, China, in November 2011. The 33 revised full papers presented together with an invited talk were carefully reviewed and selected from 141 submissions. The papers are organized in topical sections on digital signatures, public key encryption, cryptographic protocols, applied cryptography, multimedia security, algorithms and evaluation, cryptanalysis, security applications, wireless network security, system security, and network security.
With the extensive application of deep learning (DL) algorithms in recent years, e.g., for detecting Android malware or vulnerable source code, artificial intelligence (AI) and machine learning (ML) are increasingly becoming essential in the development of cybersecurity solutions. However, sharing the same fundamental limitation with other DL application domains, such as computer vision (CV) and natural language processing (NLP), AI-based cybersecurity solutions are incapable of justifying the results (ranging from detection and prediction to reasoning and decision-making) and making them understandable to humans. Consequently, explainable AI (XAI) has emerged as a paramount topic addressing the related challenges of making AI models explainable or interpretable to human users. It is particularly relevant in cybersecurity domain, in that XAI may allow security operators, who are overwhelmed with tens of thousands of security alerts per day (most of which are false positives), to bet...
This paper presents a dynamic policy enforcement mechanism that allows ISPs to specify security policies to mitigate the impact of network attacks by taking into account the specific requirements of their customers. The proposed policy-based management framework leverages the recent Software-Defined Networking (SDN) technology to provide a centralized platform that allows network administrators to define global network and security policies, which are then enforced directly to the OpenFlow switches. One of the major objectives of such a framework is to achieve fine-grained and automated attack mitigation in the ISP network, ultimately reducing the impact of attack and collateral damage to the customer networks. To evaluate the feasibility and effectiveness of framework, we develop a prototype that serves for one ISP and three customers. The experimental results demonstrate that our framework can successfully reduce the collateral damage on a customer network caused by the attack tra...
2019 IEEE 18th International Symposium on Network Computing and Applications (NCA)
Nowadays, IoT devices have been widely deployed for enabling various smart services, such as, smart home or ehealthcare. However, security remains as one of the paramount concern as many IoT devices are vulnerable. Moreover, IoT malware are constantly evolving and getting more sophisticated. IoT devices are intended to perform very specific tasks, so their networking behavior is expected to be reasonably stable and predictable. Any significant behavioral deviation from the normal patterns would indicate anomalous events. In this paper, we present a method to detect anomalous network communications in IoT networks using a set of sparse autoencoders. The proposed approach allows us to differentiate malicious communications from legitimate ones. So that, if a device is compromised only malicious communications can be dropped while the service provided by the device is not totally interrupted. To characterize network behavior, bidirectional TCP flows are extracted and described using statistics on the size of the first N packets sent and received, along with statistics on the corresponding interarrival times between packets. A set of sparse autoencoders is then trained to learn the profile of the legitimate communications generated by an experimental smart home network. Depending on the value of N, the developed model achieves attack detection rates ranging from 86.9% to 91.2%, and false positive rates ranging from 0.1% to 0.5%.
Capture the drifting of normal behavior traces for adaptive intrusion detection using modified SVMS
Proceedings of 2004 International Conference on Machine Learning and Cybernetics (IEEE Cat. No.04EX826)
To capture the drifting of normal behavior traces for suppressing false alarms of intrusion detection, an adaptive intrusion detection system AID with incremental learning ability is proposed in this paper. A generic framework, including several important components, is discussed in detail. One-class support vector machine is modified as the kernel algorithm of AID, and the performance is evaluated using reformulated 1998 DARPA BSM data set. The experimental results indicate that the modified SVMs can be trained in an incremental way, and the performance outperforms that of the original ones with fewer support vectors (SVs) and less training time without decreasing detection accuracy. Both of these achievements benefit an adaptive intrusion detection system significantly.
SDAC: A New Software-Defined Access Control Paradigm for Cloud-Based Systems
A cloud-based system usually runs in multiple geographically distributed datacenters, making the deployment of effective access control models extremely challenging. This paper presents a novel software-defined paradigm, called SDAC, to achieve scoped, flexible and dynamic access control. In particular, SDAC enables the tenant-specific generation of access control model and policy (SMPolicy in short), as well as their dynamic configuration by the cloud-hosting applications. To achieve that, SDAC uses an access control meta-model to initiate and customize different SMPolicies. Also, SDAC is decoupled into control plane and policy plane, allowing the global SMPolicy generated at the control plane to be efficiently propagated to the policy plane and enforced locally in different datacenters. As such, the local SMPolicy of a tenant can be synchronized with its global SMPolicy only when it’s necessary, e.g., a user or a role cannot be identified. To validate the feasibility and effective...
Performance Evaluation of Sensors Lightweight Security Mechanism
A large proportion of the Internet of Things devices are battery powered cheap units, designed to stay in the field for a long time. This is the case of connected sensors and actuators. In this demo, we analyze the performance of a system fully implementing an original cross-layer security mechanism for wireless sensor nodes, by precise energy measurement of different settings of the system.
The Cramer-Shoup cryptosystem has attracted much attention from the research community, mainly due to its efficiency in encryption/decryption, as well as the provable reductions of security against adaptively chosen ciphertext attacks in the standard model. At TCC 2005, Vasco et al. proposed a method for building Cramer-Shoup like cryptosystem over non-abelian groups and raised an open problem for finding a secure instantiation. Based on this work, we present another general framework for constructing Cramer-Shoup like cryptosystems. We firstly propose the concept of index exchangeable family (IEF) and an abstract construction of Cramer-Shoup like encryption scheme over IEF. The concrete instantiations of IEF are then derived from some reasonable hardness assumptions over abelian groups as well as non-abelian groups, respectively. These instantiations ultimately lead to simple yet efficient constructions of Cramer-Shoup like cryptosystems, including new non-abelian analogies that ca...
Body Area Networks (BAN) are wireless networks designed for deployment on or within the human body. These networks are primarily intended for application within the medical domain due to their capabilities for enabling wireless monitoring of physiological signals, and remote administration of medical devices. Due to their intended use case, securing these devices is paramount. In recent years, several key generation and agreement schemes that rely upon physiological signals of the wearer are developed. However, we have found that the application of Electrocardiogram (ECG) signals in this context may not be appropriate due to a potential vulnerability, wherein previously recorded ECG signals could be used against current and future key agreement attempts to compromise their security. This is a violation of temporal variance which is one of a few properties that make ECG signals suitable for use in key agreement schemes. By extracting the QRS complex from prior recordings and distributing them apart from one another we can construct synthetic signals that have a high level of coherence, and thus allow for the key to be intercepted. Based on the conducted experiments we have found that the proposed attack method yields a 0.7 coherence level regardless of how far away the adversary is from the target. This makes the success of such an attack extremely likely and is therefore a real threat to the security of these schemes.
2018 IEEE International Conference on Big Data (Big Data)
The growing Internet of Things (IoT) market introduces new challenges for network activity monitoring. Legacy network monitoring is not tailored to cope with the huge diversity of smart devices. New network discovery techniques are necessary in order to find out what IoT devices are connected to the network. In this context, data analysis techniques can be leveraged to find out specific patterns that can help to recognize device types. Indeed, contrary to desktop computers, IoT devices perform very specific tasks making their networking behavior very predictable. In this paper, we present a machine learning based approach in order to recognize the type of IoT devices connected to the network by analyzing streams of packets sent and received. We built an experimental smart home network to generate network traffic data. From the generated data, we have designed a model to describe IoT device network behaviors. By leveraging the t-SNE technique to visualize our data, we are able to differentiate the network traffic generated by different IoT devices. The data describing the network behaviors are then used to train six different machine learning classifiers to predict the IoT device that generated the network traffic. The results are promising with an overall accuracy as high as 99.9% on our test set achieved by Random Forest classifier.
Encyclopedia of Cryptography, Security and Privacy
Computer networks have become an increasingly valuable target of malicious attacks due to the increased amount of valuable user data they contain. In response, network intrusion detection systems (NIDSs) have been developed to detect suspicious network activity. We present a study of unsupervised machine learning-based approaches for NIDS and show that a non-stationary model can achieve over 35× higher quality than a simple stationary model for a NIDS which acts as a sniffer in a network. We reproduce the results of packet header-based anomaly detection for detecting potential attacks in network traffic and are able to detect 62 of 201 attacks with a total of 86 false positives (an average of under 9 per day) on the 1999 DARPA dataset. Our implementation is open source, available at https://github.com/lukehsiao/ml-ids.
The Internet of Things world is in need of practical solutions for its security. Existing security mechanisms for IoT are mostly not implemented due to complexity, budget, and energy-saving issues. This is especially true for IoT devices that are battery powered, and they should be cost effective to be deployed extensively in the field. In this work, we propose a new cross-layer approach combining existing authentication protocols and existing Physical Layer Radio Frequency Fingerprinting technologies to provide hybrid authentication mechanisms that are practically proved efficient in the field. Even though several Radio Frequency Fingerprinting methods have been proposed so far, as a support for multi-factor authentication or even on their own, practical solutions are still a challenge. The accuracy results achieved with even the best systems using expensive equipment are still not sufficient on real-life systems. Our approach proposes a hybrid protocol that can save energy and com...
2018 IEEE International Conference on Big Data (Big Data), Dec 1, 2018
The growing Internet of Things (IoT) market introduces new challenges for network activity monitoring. Legacy network monitoring is not tailored to cope with the huge diversity of smart devices. New network discovery techniques are necessary in order to find out what IoT devices are connected to the network. In this context, data analysis techniques can be leveraged to find out specific patterns that can help to recognize device types. Indeed, contrary to desktop computers, IoT devices perform very specific tasks making their networking behavior very predictable. In this paper, we present a machine learning based approach in order to recognize the type of IoT devices connected to the network by analyzing streams of packets sent and received. We built an experimental smart home network to generate network traffic data. From the generated data, we have designed a model to describe IoT device network behaviors. By leveraging the t-SNE technique to visualize our data, we are able to differentiate the network traffic generated by different IoT devices. The data describing the network behaviors are then used to train six different machine learning classifiers to predict the IoT device that generated the network traffic. The results are promising with an overall accuracy as high as 99.9% on our test set achieved by Random Forest classifier.
2019 IEEE 18th International Symposium on Network Computing and Applications (NCA), Sep 1, 2019
Nowadays, IoT devices have been widely deployed for enabling various smart services, such as, smart home or ehealthcare. However, security remains as one of the paramount concern as many IoT devices are vulnerable. Moreover, IoT malware are constantly evolving and getting more sophisticated. IoT devices are intended to perform very specific tasks, so their networking behavior is expected to be reasonably stable and predictable. Any significant behavioral deviation from the normal patterns would indicate anomalous events. In this paper, we present a method to detect anomalous network communications in IoT networks using a set of sparse autoencoders. The proposed approach allows us to differentiate malicious communications from legitimate ones. So that, if a device is compromised only malicious communications can be dropped while the service provided by the device is not totally interrupted. To characterize network behavior, bidirectional TCP flows are extracted and described using statistics on the size of the first N packets sent and received, along with statistics on the corresponding interarrival times between packets. A set of sparse autoencoders is then trained to learn the profile of the legitimate communications generated by an experimental smart home network. Depending on the value of N, the developed model achieves attack detection rates ranging from 86.9% to 91.2%, and false positive rates ranging from 0.1% to 0.5%.
The Internet grows exponentially with the proliferation of network devices, mobile terminals and users. However, the traditional TCP/IP model makes the Internet architecture struggle to cope with the increasing demand of computational resources and the performance of new applications such as multimedia content distribution, mobility and machine-to-machine (M2M) communications. Along with cloud computing, network function virtualization (NFV) and software-defined networks (SDN) have emerged as new networking paradigms which have the potential to significantly reduce the cost of network deployment and operation, along with providing flexibility, scalability and rapid deployment. In particular, NFV offers a new alternative for designing, deploying and managing networking services by decoupling the network functions from proprietary hardware appliances. Thus, their implementation and execution are made as software-based services. By decoupling the network control plane from the data plane, SDN allows programmable networks while enabling network service providers to have a better control over the entire network, thus providing a unified global view of the network while reducing network management complexity. In general, cloud computing, NFV and SDN complement each other and have mutual benefits.
Papers by Zonghua Zhang