Available:

Item Barcode | Call Number | Material Type | Item Category 1 |
---|---|---|---|
30000010189912 | TK5105.59 Y464 2008 | Open Access Book | Book |
30000010191413 | TK5105.59 Y464 2008 | Open Access Book | Book |

On Order
Summary
Computer and network systems have given us unlimited opportunities for reducing cost, improving efficiency and increasing revenues, as demonstrated by a growing number of computer and network applications. Yet our dependence on computer and network systems has also exposed us to new risks, which threaten the security of, and present new challenges for protecting, our assets and information on those systems. The reliability of computer and network systems ultimately depends on their security and quality of service (QoS) performance.
This book presents quantitative modeling and analysis techniques to address these numerous challenges in cyber attack prevention and detection for security and QoS, including:

- the latest research on computer and network behavior under attack and normal use conditions;
- new design principles and algorithms, which can be used by engineers and practitioners to build secure computer and network systems, enhance security practice and move towards providing QoS assurance on the Internet;
- mathematical and statistical methods for achieving accurate and timely cyber attack detection with the lowest computational overhead;
- guidance on managing admission control, scheduling, reservation and service of computer and network jobs to assure the service stability and end-to-end delay of those jobs even under Denial of Service attacks or abrupt demand.

Secure Computer and Network Systems: Modeling, Analysis and Design is an up-to-date resource for practising engineers and researchers involved in security, reliability and quality management of computer and network systems. It is also a must-read for postgraduate students developing advanced technologies for improving computer network dependability.
Author Notes
Professor Ye received her Ph.D. degree (1991) in Industrial Engineering from Purdue University, West Lafayette, Indiana, and holds MS (1988) and BS (1985) degrees in Computer Science. With her multi-disciplinary educational background, Dr. Ye has devoted her academic career to establishing the scientific and engineering foundation for assuring quality/reliability of information systems and industrial systems.
Table of Contents

Section | Page |
---|---|
Preface | p. xi |
Part I An Overview of Computer and Network Security | |
1 Assets, vulnerabilities and threats of computer and network systems | p. 3 |
1.1 Risk assessment | p. 3 |
1.2 Assets and asset attributes | p. 4 |
1.2.1 Resource, process and user assets and their interactions | p. 5 |
1.2.2 Cause-effect chain of activity, state and performance | p. 6 |
1.2.3 Asset attributes | p. 8 |
1.3 Vulnerabilities | p. 11 |
1.3.1 Boundary condition error | p. 12 |
1.3.2 Access validation error and origin validation error | p. 12 |
1.3.3 Input validation error | p. 13 |
1.3.4 Failure to handle exceptional conditions | p. 13 |
1.3.5 Synchronization errors | p. 13 |
1.3.6 Environment error | p. 13 |
1.3.7 Configuration error | p. 14 |
1.3.8 Design error | p. 14 |
1.3.9 Unknown error | p. 15 |
1.4 Threats | p. 15 |
1.4.1 Objective, origin, speed and means of threats | p. 15 |
1.4.2 Attack stages | p. 21 |
1.5 Asset risk framework | p. 21 |
1.6 Summary | p. 22 |
References | p. 23 |
2 Protection of computer and network systems | p. 25 |
2.1 Cyber attack prevention | p. 25 |
2.1.1 Access and flow control | p. 25 |
2.1.2 Secure computer and network design | p. 29 |
2.2 Cyber attack detection | p. 29 |
2.2.1 Data, events and incidents | p. 30 |
2.2.2 Detection | p. 31 |
2.2.3 Assessment | p. 32 |
2.3 Cyber attack response | p. 32 |
2.4 Summary | p. 33 |
References | p. 33 |
Part II Secure System Architecture and Design | |
3 Asset protection-driven, policy-based security protection architecture | p. 39 |
3.1 Limitations of a threat-driven security protection paradigm | p. 39 |
3.2 A new, asset protection-driven paradigm of security protection | p. 40 |
3.2.1 Data to monitor: assets and asset attributes | p. 41 |
3.2.2 Events to detect: mismatches of asset attributes | p. 41 |
3.2.3 Incidents to analyze and respond: cause-effect chains of mismatch events | p. 42 |
3.2.4 Proactive asset protection against vulnerabilities | p. 42 |
3.3 Digital security policies and policy-based security protection | p. 43 |
3.3.1 Digital security policies | p. 43 |
3.3.2 Policy-based security protection | p. 45 |
3.4 Enabling architecture and methodology | p. 46 |
3.4.1 An Asset Protection Driven Security Architecture (APDSA) | p. 46 |
3.4.2 An Inside-Out and Outside-In (IOOI) methodology of gaining knowledge about data, events and incidents | p. 47 |
3.5 Further research issues | p. 48 |
3.5.1 Technologies of asset attribute data acquisition | p. 48 |
3.5.2 Quantitative measures of asset attribute data and mismatch events | p. 48 |
3.5.3 Technologies for automated monitoring, detection, analysis and control of data, events, incidents and COA | p. 49 |
3.6 Summary | p. 49 |
References | p. 50 |
4 Job admission control for service stability | p. 53 |
4.1 A token bucket method of admission control in DiffServ and InteServ models | p. 53 |
4.2 Batch Scheduled Admission Control (BSAC) for service stability | p. 55 |
4.2.1 Service stability in service reservation for instantaneous jobs | p. 56 |
4.2.2 Description of BSAC | p. 57 |
4.2.3 Performance advantage of the BSAC router model over a regular router model | p. 60 |
4.3 Summary | p. 64 |
References | p. 64 |
5 Job scheduling methods for service differentiation and service stability | p. 65 |
5.1 Job scheduling methods for service differentiation | p. 65 |
5.1.1 Weighted Shortest Processing Time (WSPT), Earliest Due Date (EDD) and Simplified Apparent Tardiness Cost (SATC) | p. 65 |
5.1.2 Comparison of WSPT, ATC and EDD with FIFO in the best effort model and in the DiffServ model in service differentiation | p. 66 |
5.2 Job scheduling methods for service stability | p. 70 |
5.2.1 Weighted Shortest Processing Time - Adjusted (WSPT-A) and its performance in service stability | p. 70 |
5.2.2 Verified Spiral (VS) and Balanced Spiral (BS) methods for a single service resource and their performance in service stability | p. 73 |
5.2.3 Dynamic Verified Spiral (DVS) and Dynamic Balanced Spiral (DBS) methods for parallel identical resources and their performance in service stability | p. 78 |
5.3 Summary | p. 79 |
References | p. 79 |
6 Job reservation and service protocols for end-to-end delay guarantee | p. 81 |
6.1 Job reservation and service in InteServ and RSVP | p. 81 |
6.2 Job reservation and service in I-RSVP | p. 82 |
6.3 Job reservation and service in SI-RSVP | p. 86 |
6.4 Service performance of I-RSVP and SI-RSVP in comparison with the best effort model | p. 89 |
6.4.1 The simulation of a small-scale computer network with I-RSVP, SI-RSVP and the best effort model | p. 89 |
6.4.2 The simulation of a large-scale computer network with I-RSVP, SI-RSVP and the best effort model | p. 91 |
6.4.3 Service performance of I-RSVP, SI-RSVP and the best effort model | p. 93 |
6.5 Summary | p. 102 |
References | p. 103 |
Part III Mathematical/Statistical Features and Characteristics of Attack and Normal Use Data | |
7 Collection of Windows performance objects data under attack and normal use conditions | p. 107 |
7.1 Windows performance objects data | p. 107 |
7.2 Description of attacks and normal use activities | p. 111 |
7.2.1 Apache Resource DoS | p. 111 |
7.2.2 ARP Poison | p. 111 |
7.2.3 Distributed DoS | p. 112 |
7.2.4 Fork Bomb | p. 113 |
7.2.5 FTP Buffer Overflow | p. 113 |
7.2.6 Hardware Keylogger | p. 113 |
7.2.7 Remote Dictionary | p. 113 |
7.2.8 Rootkit | p. 113 |
7.2.9 Security Audit | p. 114 |
7.2.10 Software Keylogger | p. 114 |
7.2.11 Vulnerability Scan | p. 114 |
7.2.12 Text Editing | p. 114 |
7.2.13 Web Browsing | p. 114 |
7.3 Computer network setup for data collection | p. 115 |
7.4 Procedure of data collection | p. 115 |
7.5 Summary | p. 118 |
References | p. 118 |
8 Mean shift characteristics of attack and normal use data | p. 119 |
8.1 The mean feature of data and two-sample test of mean difference | p. 119 |
8.2 Data pre-processing | p. 121 |
8.3 Discovering mean shift data characteristics for attacks | p. 121 |
8.4 Mean shift attack characteristics | p. 122 |
8.4.1 Examples of mean shift attack characteristics | p. 122 |
8.4.2 Mean shift attack characteristics by attacks and Windows performance objects | p. 124 |
8.4.3 Attack groupings based on the same and opposite attack characteristics | p. 128 |
8.4.4 Unique attack characteristics | p. 136 |
8.5 Summary | p. 139 |
References | p. 139 |
9 Probability distribution change characteristics of attack and normal use data | p. 141 |
9.1 Observation of data patterns | p. 141 |
9.2 Skewness and mode tests to identify five types of probability distributions | p. 146 |
9.3 Procedure for discovering probability distribution change data characteristics for attacks | p. 148 |
9.4 Distribution change attack characteristics | p. 150 |
9.4.1 Percentages of the probability distributions under the attack and normal use conditions | p. 150 |
9.4.2 Examples of distribution change attack characteristics | p. 151 |
9.4.3 Distribution change attack characteristics by attacks and Windows performance objects | p. 151 |
9.4.4 Attack groupings based on the same and opposite attack characteristics | p. 161 |
9.4.5 Unique attack characteristics | p. 167 |
9.5 Summary | p. 173 |
References | p. 174 |
10 Autocorrelation change characteristics of attack and normal use data | p. 175 |
10.1 The autocorrelation feature of data | p. 175 |
10.2 Discovering the autocorrelation change characteristics for attacks | p. 176 |
10.3 Autocorrelation change attack characteristics | p. 178 |
10.3.1 Percentages of variables with three autocorrelation levels under the attack and normal use conditions | p. 178 |
10.3.2 Examples of autocorrelation change attack characteristics | p. 179 |
10.3.3 Autocorrelation change attack characteristics by attacks and Windows performance objects | p. 182 |
10.3.4 Attack groupings based on the same and opposite attack characteristics | p. 182 |
10.3.5 Unique attack characteristics | p. 193 |
10.4 Summary | p. 193 |
References | p. 196 |
11 Wavelet change characteristics of attack and normal use data | p. 197 |
11.1 The wavelet feature of data | p. 197 |
11.2 Discovering the wavelet change characteristics for attacks | p. 201 |
11.3 Wavelet change attack characteristics | p. 203 |
11.3.1 Examples of wavelet change attack characteristics | p. 203 |
11.3.2 Wavelet change attack characteristics by attacks and Windows performance objects | p. 204 |
11.3.3 Attack groupings based on the same and opposite attack characteristics | p. 222 |
11.3.4 Unique attack characteristics | p. 225 |
11.4 Summary | p. 243 |
References | p. 243 |
Part IV Cyber Attack Detection: Signature Recognition | |
12 Clustering and classifying attack and normal use data | p. 247 |
12.1 Clustering and Classification Algorithm - Supervised (CCAS) | p. 248 |
12.2 Training and testing data | p. 251 |
12.3 Application of CCAS to cyber attack detection | p. 251 |
12.4 Detection performance of CCAS | p. 253 |
12.5 Summary | p. 256 |
References | p. 256 |
13 Learning and recognizing attack signatures using artificial neural networks | p. 257 |
13.1 The structure and back-propagation learning algorithm of feedforward ANNs | p. 257 |
13.2 The ANN application to cyber attack detection | p. 260 |
13.3 Summary | p. 270 |
References | p. 271 |
Part V Cyber Attack Detection: Anomaly Detection | |
14 Statistical anomaly detection with univariate and multivariate data | p. 275 |
14.1 EWMA control charts | p. 275 |
14.2 Application of the EWMA control chart to cyber attack detection | p. 277 |
14.3 Chi-Square Distance Monitoring (CSDM) method | p. 284 |
14.4 Application of the CSDM method to cyber attack detection | p. 286 |
14.5 Summary | p. 288 |
References | p. 288 |
15 Stochastic anomaly detection using the Markov chain model of event transitions | p. 291 |
15.1 The Markov chain model of event transitions for cyber attack detection | p. 291 |
15.2 Detection performance of the Markov chain model-based anomaly detection technique and performance degradation with the increased mixture of attack and normal use data | p. 293 |
15.3 Summary | p. 295 |
References | p. 296 |
Part VI Cyber Attack Detection: Attack Norm Separation | |
16 Mathematical and statistical models of attack data and normal use data | p. 299 |
16.1 The training data for data modeling | p. 299 |
16.2 Statistical data models for the mean feature | p. 300 |
16.3 Statistical data models for the distribution feature | p. 300 |
16.4 Time-series based statistical data models for the autocorrelation feature | p. 301 |
16.5 The wavelet-based mathematical model for the wavelet feature | p. 304 |
16.6 Summary | p. 309 |
References | p. 312 |
17 Cuscore-based attack norm separation models | p. 313 |
17.1 The cuscore | p. 313 |
17.2 Application of the cuscore models to cyber attack detection | p. 314 |
17.3 Detection performance of the cuscore detection models | p. 316 |
17.4 Summary | p. 323 |
References | p. 325 |
Part VII Security Incident Assessment | |
18 Optimal selection and correlation of attack data characteristics in attack profiles | p. 329 |
18.1 Integer programming to select an optimal set of attack data characteristics | p. 329 |
18.2 Attack profiling | p. 330 |
18.3 Summary | p. 332 |
References | p. 332 |
Index | p. 333 |