Intelligent Security Systems

Publisher / rights holder: John Wiley & Sons Limited. ISBN: 9781119771562. Genre: Software. Age rating: 0+.


Book description

Dramatically improve your cybersecurity using AI and machine learning. In Intelligent Security Systems, distinguished professor and computer scientist Dr. Leon Reznik delivers an expert synthesis of artificial intelligence, machine learning, and data science techniques applied to computer security, to help readers harden their computer systems against threats. Emphasizing practical, actionable strategies that industry professionals and computer device owners can implement immediately, the author explains how to install and harden firewalls, intrusion detection systems, attack recognition tools, and malware protection systems. He also explains how to recognize and counter common hacking activities. The book bridges the gap between cybersecurity education and new data science programs, discussing how cutting-edge artificial intelligence and machine learning techniques can work both for and against cybersecurity efforts. Intelligent Security Systems includes supplementary resources on an author-hosted website, such as classroom presentation slides; sample review, test, and exam questions; and practice exercises that make the material practical and useful.
The book also offers:

A thorough introduction to computer security, artificial intelligence, and machine learning, including basic definitions and concepts such as threats, vulnerabilities, risks, attacks, protection, and tools

An exploration of firewall design and implementation, including firewall types and models, typical designs and configurations, and their limitations and problems

Discussions of intrusion detection systems (IDS), including architecture topologies, components and operational ranges, classification approaches, and machine learning techniques in IDS design

A treatment of malware and vulnerabilities detection and protection, including malware classes, history, and development trends

Perfect for undergraduate and graduate students in computer security, computer science and engineering, Intelligent Security Systems will also earn a place in the libraries of students and educators in information technology and data science, as well as professionals working in those fields.

Contents

Leon Reznik. Intelligent Security Systems

Table of Contents

List of Tables

List of Illustrations

Intelligent Security Systems. How Artificial Intelligence, Machine Learning and Data Science Work For and Against Computer Security

Acknowledgments

Introduction

I.1 Who Is This Book For?

I.2 What Is This Book About?

I.3 What Is This Book Not About?

I.4 Book Organization and Navigation

I.5 Glossary of Basic Terms

I.6 The Cited NIST Publications

I.7 Data and Information Sources Used

I.7.1 Glossaries in the Area of Cybersecurity

I.7.2 Glossaries in the Area of Artificial Intelligence

I.7.3 Other Data and Information Sources Used

I.7.3.1 Antimalware Tools List and Comparison

1 Computer Security with Artificial Intelligence, Machine Learning, and Data Science Combination: What? How? Why? And Why Now and Together?

1.1 The Current Security Landscape

1.2 Computer Security Basic Concepts

1.3 Sources of Security Threats

1.4 Attacks Against IoT and Wireless Sensor Networks

1.4.1 Preliminary and Simple Attacks

1.4.2 Active Attacks

1.5 Introduction into Artificial Intelligence, Machine Learning, and Data Science

1.5.1 Why Is AI Needed in Computer Security?

1.5.2 Artificial Intelligence – A Brief Introduction

1.5.3 Difference Between AI, ML, and DS

1.5.4 AI Techniques

1.5.5 Rules Based and ES

Example 1.6 Fuzzy Expert System for Security Evaluation

Example 1.7 The Content Table of the Security Evaluation System Knowledge Base – From Reznik and St. Jacques (2007)

Code 1.1 Example of Input Variables Description in an XML‐Based Language

Code 1.2 Rule Hierarchy Example in an XML‐Based Language

1.6 Fuzzy Logic and Systems

Example 1.8 Neuro‐Fuzzy Hybrid System (Negnevitsky and Kelareva 2001)

1.7 Machine Learning

1.7.1 ML Algorithms Introduction

Algorithm 1.1 Supervised Learning Approach

Algorithm 1.2 Unsupervised Learning Approach

1.7.2 ML Classification for Cybersecurity

1.7.2.1 ML Algorithms Classification

1.8 Artificial Neural Networks (ANN)

1.8.1 What Is an ANN?

1.8.2 ANN Architecture

1.8.3 ANN Classification

1.8.3.1 Supervised Learning Topologies

1.8.3.2 Unsupervised Learning Topologies

1.9 Genetic Algorithms (GA)

Algorithm 1.3 Generic Genetic Algorithm Procedure

1.10 Hybrid Intelligent Systems

Review Questions

Exercises

References

2 Firewall Design and Implementation: How to Configure Knowledge for the First Line of Defense?

2.1 Firewall Definition, History, and Functions: What Is It? And Where Does It Come From?

2.1.1 Firewall Functions

2.2 Firewall Operational Models or How Do They Work?

2.3 Basic Firewall Architectures or How Are They Built Up?

2.3.1 Screening Router

2.3.2 Dual‐homed Gateway

2.3.3 Screened Host Gateway

2.3.4 Screened Subnet Architecture

2.4 Process of Firewall Design, Implementation, and Maintenance or What Is the Right Way to Put All Things Together?

2.4.1 Planning

2.4.2 Configuration

2.4.2.1 Installation of Hardware and Software

2.4.2.2 Security Policy Rules Configuration

2.4.2.3 Logging and Alerts Configuration

2.4.3 Testing

2.4.4 Deployment

2.4.5 Management

2.5 Firewall Policy Formalization with Rules or How Is the Knowledge Presented?

2.5.1 Rules Presentation

2.5.2 Policy Rule Types

2.5.2.1 Packet Header Policy Rules

2.5.2.2 Application‐based Policy Rules

2.5.3 Firewall Rules Samples

2.5.3.1 Firewall 1 Rulesets

2.5.3.2 Firewall 2 Rulesets

2.5.3.3 Firewall 3 Rulesets

2.5.3.4 Firewall 4 Rulesets

2.5.3.5 Firewall 5 Rulesets

2.5.3.6 Firewall 6 Rulesets

2.5.3.7 Firewall 7 Rulesets

2.5.4 Firewall Rulesets Composition

2.5.4.1 Generation of Firewall Rules

2.5.4.2 Rules Composition Optimization

2.6 Firewalls Evaluation and Current Developments or How Are They Getting More and More Intelligent?

2.6.1 Firewall Evaluation

2.6.2 Making Firewalls Robust with Fuzzy Logic

2.6.3 Dynamic Firewall Updating with Machine Learning

2.6.4 Next‐generation Firewalls

Review Questions

Exercises

References

3 Intrusion Detection Systems: What Do They Do Beyond the First Line of Defense?

3.1 Definition, Goals, and Primary Functions

3.2 IDS from a Historical Perspective

3.2.1 Conceptualization and Early Years (1980–Mid‐1990s)

3.2.2 Commercialization of IDS (Mid‐1990s–2005)

3.2.3 Proliferation of Intrusion Detection and Prevention Systems (2006–2015)

3.2.4 AI and ML in IDS Design (2016–)

Example 3.1 McAfee HIPS

3.3 Typical IDS Architecture Topologies, Components, and Operational Ranges

3.4 IDS Types: Classification Approaches

3.4.1 IDS Classification Scheme

3.4.2 Time Layer Classification

3.4.3 Classification Layer: Intrusion Detection Techniques

3.4.3.1 Misuse (aka Signature‐based) Detection

3.4.3.1.1 Conventional Signature Detection Techniques

Algorithm 3.1 Exhaustive (brute force) search of a string pattern – pseudocode

Algorithm 3.2 Knuth et al. (1977) – pseudocode

Algorithm 3.3 Rabin and Karp (1987)

Algorithm 3.4 Boyer and Moore (1977)

3.4.3.2 Anomaly Based Intrusion Detection

3.4.3.2.1 Anomaly Based IDS Operation Based on Network Characteristic Patterns

3.4.3.2.2 Anomaly IDS Operation Based on User Profiles

3.4.3.3 Misuse Versus Anomaly IDS Comparison

3.4.3.4 Stateful Protocol‐based Detection

3.4.4 Hybrid Intrusion Detection

3.5 IDS Performance Evaluation

Reliability and Survivability

Information Presented to an Analyst

Severity and Potential Damage

Scalability and Interoperability

Configurability

3.6 Artificial Intelligence and Machine Learning Techniques in IDS Design

3.6.1 Intelligent Techniques Used in IDS Design and Their Characteristics

Example 3.2 Rule‐based IDS (Agarwal and Joshi 2000) and (Levin 2000)

3.6.2 IDS Design Based on k‐means Algorithm

3.6.3 IDS Design Based on k‐Nearest Neighbor Algorithm

3.6.4 IDS Design Based on Genetic Algorithms

3.6.5 Artificial Neural Network Structures and Their Choice for Intrusion Detection

3.6.5.1 Shallow ANN Topologies and Their Ensembles

3.6.5.2 Experimental Setup and Datasets

Example 3.3 Dataset preparation for an IDS design and evaluation (Novikov et al. 2006a,b)

3.6.5.3 Separate ANN Agent Recognition Accuracy: MLP versus RBF Topologies Comparison (Novikov et al. 2006a,b)

3.6.5.4 Neural Network Optimization with GA by the Connectivity Space Reduction

3.6.5.4.1 Genetic Algorithm Composition and Parameters Selection

3.6.5.4.2 ANN Architecture Optimized with GA

3.6.5.5 IDS Design with Multiple Intelligent Heterogeneous Agents

3.7 Intrusion Detection Challenges and Their Mitigation in IDS Design and Deployment

3.7.1 Data Fluctuations

3.7.2 Attack Changes and Modifications

3.7.3 Delay Between a New Attack Signature Identification and Database Upgrading

3.7.4 Neglecting the Alarms

3.7.5 Software Bugs and Vulnerabilities

3.7.6 Overreliance on IDS and Relaxing Other Security Mechanisms

3.7.7 Encrypted Traffic and Other Data

3.7.8 Inaccurate Data

3.7.9 Attacks Against IDS Themselves

3.7.10 Human Intervention and High Experience is Required in IDS Maintenance

3.7.11 Lack of Resources for Big Data Analytics

3.7.12 IDS Deployment Advance Planning

3.7.13 Sensor to Manager Ratio

3.7.14 False Positive and False Negative Rates

3.7.15 Monitoring Traffic in Large Networks

3.8 Intrusion Detection Tools

3.8.1 SNORT

3.8.1.1 Features and Characteristics

3.8.1.2 Types of Operational Modes in SNORT

Packet Sniffer Mode

Packet Logger Mode

Intrusion Detection Mode

3.8.1.3 Limitations

Information Overload

Speed

Performance in Large Networks

3.8.1.4 Installation

3.8.1.5 Configuration

3.8.1.6 SNORT Rules

3.8.2 Other IDS Tools

3.8.3 Host‐based IDS Tools and Systems

Review Questions

Exercises

References

Note

4 Malware and Vulnerabilities Detection and Protection: What Are We Looking for and How?

4.1 Malware Definition, History, and Trends in Development

Example 4.1 Merry Christma: An Early Network Worm (Capek et al. 2003)

Example 4.2 The First Major Malware Internet Attack – Morris Worm

4.2 Malware Classification

4.2.1 Malware Types

4.2.2 Viruses

4.2.2.1 Virus Classification

4.2.2.2 File Infector Viruses

Example 4.3 Jerusalem Virus

Code 4.1 Code Snippet of a Jerusalem Virus

4.2.2.3 Boot Sector Viruses

Example 4.4 Stoned Virus Family

4.2.2.4 Multipartite Viruses

4.2.2.5 Macro Viruses and Worms

Example 4.5 Melissa virus – see (FBI News)

Code 4.2 Melissa Virus Code

4.2.2.6 Stealth Viruses

4.2.2.7 Polymorphic Viruses and Worms

Example 4.6 Frodo Virus

4.2.2.8 Metamorphic Viruses and Worms

Example 4.7 Stuxnet Malicious Program

4.2.3 Worms

Example 4.8 Conficker Worm – see Lawton (2009)

4.2.4 Trojan Horses (aka Trojans)

4.2.4.1 Software Trojans

Example 4.9 Zeus Trojan Horse

4.2.4.2 Hardware Trojans

4.2.5 Spyware

Example 4.10 CoolWebSearch

4.2.6 Adware

Example 4.11 Hiddad Hidden Adware (Sophos 2020 Threat Report by the SophosLabs Research Team)

4.2.7 Ransomware

Example 4.12 Petya Ransomware

Code 4.3 Petya.A Technical Details

Example 4.13 Ransomware Activity Targeting the Healthcare and Public Health Sector (Alert (AA20‐302A) 2020)

4.2.8 Rootkits

Example 4.14 XCP Rootkit

4.2.9 Botnets

Example 4.15 Mirai Botnet

Example 4.16 Koobface Botnet

Code 4.4 Mirai Botnet Instructions

4.3 Spam

4.3.1 Spam and Malicious Email

4.4 Software Vulnerabilities

Example 4.17 Heartbleed Vulnerability

Example 4.18 Cross‐Site Request Forgery (Calzavara et al. 2020)

4.5 Principles of Malware Detection and Anti‐malware Protection

4.5.1 Ways of Malware Infection and Spread

4.5.2 Malware Detection Techniques

4.5.2.1 Signature‐Based Scanning

4.5.2.2 Heuristic‐Based Scanning

4.5.2.3 Behavioral‐Based Analysis

4.5.2.4 Integrity Checking

4.5.2.5 Cloud‐Based Detection

4.5.3 Content Analysis Techniques for Malware Prevention

4.5.3.1 Content Filtering

4.5.3.2 Content Blocking

Example 4.19 Fortinet Web Content Management Tools

4.5.4 Anti‐spam Technologies and Techniques

4.6 Malware Detection Algorithms

4.6.1 Conventional Signature Scanning Techniques

Example 4.20 Aho–Corasick Algorithm

Code 4.5 Aho–Corasick Algorithm (Aho‐Corasic 2020)

4.6.2 Machine Learning Techniques for Signature Match and Anomaly Detection

Example 4.21 Malware Detection Framework with Ensemble of Base Learners (Zhu et al. 2020)

4.6.3 Behavioral Analysis with Artificial Neural Networks

Example 4.22 Change Detection with Artificial Neural Networks

4.7 Anti‐malware Tools

4.7.1 Anti‐spam Tools

Review Questions

Exercises

References

5 Hackers versus Normal Users: Who Is Our Enemy and How to Differentiate Them from Us?

5.1 Hacker’s Activities and Protection Against

5.1.1 Definition or Who Is a Hacker?

5.1.2 History and Philosophy of Hackers

Example 5.1 Blue Box to Hijack Telephone Lines

5.1.3 Hacker’s Classification

5.1.4 Hacker’s Motives

5.1.5 Typical Hacker Activities

Example 5.2 SolarWinds Orion Supply Chain Compromise (March 2020 to January 2021) from Alert (AA20‐352A)

5.1.5.1 Phases of Hacking Attacks

5.1.5.2 Hacking Techniques

Example 5.3 Phishing Attacks

5.1.5.3 Typical Hacking Attacks

Example 5.4 The AWS DDoS Attack in 2020

Example 5.5 Exploitation of eBay’s Stored XSS Vulnerabilities

Example 5.6 OceanLotus Watering Hole Attack – from Cyware

Example 5.7 Spoofing Attacks

5.1.6 Hacking Tools

5.1.7 Anti‐hacking Protection

5.1.8 Use Design Case: Recurrent Neural Networks for Colluded Applications Attack Detection in Android OS Devices

5.1.8.1 Colluded Applications Attack Model

5.1.8.2 Colluded Applications Attack Formalized Description

5.1.8.3 Data Collection and Preprocessing for an Attack Classifier Design

Data Collection

Data Preprocessing

5.1.8.4 Recurrent Neural Networks Models, Their Implementation and Performance Evaluation

5.2 Data Science Investigation of Ordinary Users’ Practice

5.2.1 How Secure Is a Computer Practice of a General Public?

5.2.2 Data Analysis

5.2.2.1 Respondent Demographics

5.2.2.2 Occupation Practices and Personal History

5.2.3 Security Practice Analysis

5.2.4 Analysis Observations

5.2.4.1 Firewall Usage

5.2.4.2 Antimalware Usage

5.2.4.3 Password Reuse

5.2.4.4 Password Usage

5.2.4.5 Filesharing Usage

5.2.4.6 Malware Infection

5.2.4.7 Account Management

5.2.5 Mobile Device Security Evaluation with Explicit Fuzzy Rules

5.2.5.1 Mobile Device Security Evaluation Design

5.2.5.2 Analysis of Installed Applications

5.2.5.3 Analysis of Device Features

5.3 User’s Authentication

5.3.1 What Is a Good Authentication?

5.3.2 Types of Authentication

5.3.2.1 Authentication Methods

5.3.2.2 Authentication Protocols

Comparison Based on Attack Vulnerability

5.3.2.3 Multiple‐factor Authentication

Security Image/Caption

Knowledge‐based Security Questions

One‐time Pass/Verification Code

Effectiveness of Multifactor Authentication Against Attacks

5.3.3 Continuous Authentication

5.3.4 Continuous Authentication with Keyboard Typing Biometrics: Problems and Solutions

5.3.5 Keyboard Continuous Authentication System Design Use Case

5.3.5.1 Authentication Design Principles

5.3.5.2 System Structure and Functional Organization

5.3.5.3 Authentication System Implementation

Code 5.1 Key Time Calculation

5.3.5.4 Feature Extraction and Classification Techniques

Method 1 Unweighted Nearest Neighbor

Method 2 Weighted Nearest Neighbor Classification Using Relative Key Press Timings

5.4 User’s Anonymity, Attacks Against It, and Protection

5.4.1 TOR

5.4.2 Web Fingerprinting Attack

5.4.2.1 WF Attacks Using Handcrafted Features

Example 5.8 Deep Fingerprinting (DF) Attack Model (Sirinam 2019) with CNN

5.4.3 Defense Against the WF Attacks

Review Questions

Exercises

References

Note

6 Adversarial Machine Learning: Who Is Machine Learning Working For?

6.1 Adversarial Machine Learning Definition

6.2 Adversarial Attack Taxonomy

6.3 Defense Strategies

6.3.1 Countermeasures in the Training Phase

6.3.2 Countermeasures in the Execution/Testing Phase

6.4 Investigation of the Adversarial Attacks Influence on the Classifier Performance Use Case

6.4.1 Data Corruption by the Poisoning Attacks

6.4.2 Data Restoration Procedures

Algorithm 6.1 Replacement of Corrupt Data by Mean Substitution

Algorithm 6.2 Replacement of Corrupt Data by Median Substitution

6.4.3 Classifier Performance Change with Corrupted and Restored Data

6.5 Generative Adversarial Networks

6.5.1 GAN Composition

6.5.2 Unsupervised Learning with GANs

Example 6.1 GAN‐based Attack of Replacing Sign Images

Algorithm 6.3 Autonomous Vehicle Control Model Learning Algorithm

Review Questions

Exercises

References

Index

WILEY END USER LICENSE AGREEMENT

Excerpt from the book

IEEE Press 445 Hoes Lane Piscataway, NJ 08854

.....

NIST SP 800-12 Rev. 1, An Introduction to Information Security, June 2017, available free of charge from: https://doi.org/10.6028/NIST.SP.800-12r1

NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, NIST, Sep. 2012, available at https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

.....
