Existing Cyber-Attack Detection Software and Security Schemes

Conventional Cyber-Security Schemes

This subsection covers various conventional cybersecurity schemes that are being currently employed in conjunction with data to ensure confidentiality and integrity, in conjunction with IoT technologies.

Access Control Technologies

Access control technologies are a segment of technology that is at the intersection of physical security and virtual security schemes. The three key tenets of access control technologies are boundary protection, authentication, and authorization.

These technologies aim to prevent unauthorized parties from viewing or accessing data that is outside their security clearance. This forms the basis for all of the layered security models implemented around the world that segment data based on the degree of confidentiality and control accessibility. Boundary protection schemes encompass methods to separate the information of distinctive magnitude by establishing tangible borders or logical boundaries between protected data and the users. The zones are known as demilitarized zones, in common parlance. Examples of boundary protection technologies include host-side firewall systems impeding illicit access via a

Simplified Architecture of Access Control Systems

FIGURE 5.8 Simplified Architecture of Access Control Systems.

private server, content management systems, and traffic control for inappropriate content including, but not limited to, spam files or classified information. Figure 5.8 illustrates an example of boundary protection technology and its associated architecture. Technology dependent on authentication works to identify and associate an identity with an individual based on three qualitative types: individual identity, such as biometric data, or iris scan; individual possession, such as smart cards and a token system; and last, individual privilege type, such as a password or code. A two-factor authentication seems to have become the industry norm, so as to reinforce security with access control.

System Integrity

Integrity encompasses system reliability or. in other words, an integrity-check mechanism that ensures the system maintains integrity and a malicious payload or attack has not affected it. Antivirus and antispyware software are common examples of technical software for this purpose. Essentially, a system integrity checker is tasked to ensure that malware has not modified, destroyed, or corrupted a system. The malware in question could be a virus, a Trojan horse, a worm, spyware, adware, etc. [23]. This software guards system gateways so as to impede any incoming malware and repair any damage malware may have caused. Figure 5.9 below' depicts a simplified architecture for a system integrity checker [24].

Cryptography

Cryptography is an indispensable tool for protecting information in computer systems. entailing the cryptographic system and the principle of a shared key. The origin of cryptography can be traced back to the development of the RSA algorithm, which

Simplified Architecture of System Integrity Checker

FIGURE 5.9 Simplified Architecture of System Integrity Checker.

was eventually granted a US patent [25]. “Cryptography” is defined as the study of the modification of data in a manner such that it achieves a form that hides its true nature, essentially making it a secret. Cryptography can be divided into three classes of algorithms. First is asymmetric algorithms, which use two keys, one public and one private. A public key enables the conversion of a plain message into cipher text, and the private key enables the decryption algorithm. As the name suggests, the private key is stored on a secure server and is not known to everyone. The second category is symmetric algorithms that involve a single key, which enables the conversion of a plain message into cipher text and cipher text conversion back into a plain message. The last category is hashing, which converts a plain message via a hashing function into a fixed length. This ensures integrity, as the value in the hashing function matches on the sender and receiver sides. VPN. TLS, PPTP, and SSL are a few examples of its implementation.

Audit and Monitoring

Audit and monitoring tools record the activities of a system, mapping responses for investigation purposes. Furthermore, they assess the status of security of devices, performing an analysis for attacks that are in progress or have concluded. The primary two classes of software in audit and monitoring are: intrusion detection system, intrusion protection system, S-E correlation, and cyber-forensics.

Intrusion detection can be further bifurcated into misuse detection and anomaly detection. Misuse detection (MD) consists of in-depth information about detected attacks and the weak points of the system, supplied by experts in a manner similar to a knowledge system. MD rummages around for attackers that decide to execute these attacks or gain an advantage based on system vulnerabilities. Though MD is often correct in detecting well-known attacks, these techniques cannot identify cyberthreats that are unknown to the system’s knowledge base. Anomaly detection (AD) depends on the assessment of profiles that exhibit conventional behavior of connections in the network, users of the system, and the host. AD identifies

TABLE 5.3

Misuse and Anomaly Detection Tools

Misuse Detection Tools

Anomaly Detection Tools

Data mining techniques

Statistics based

Rule-based approach

Rule-based approach

Algorithms based on state-transition analysis

Distance-based technique

Signature methods

Profiling methods

conventional authorized cyberactivity by employing a plethora of methods and then employs a range of quantitative and qualitative indicators to identify aberrations from the outlined conventional activity, as a prospective anomaly. Here, the advantage is that AD can detect unknown attacks, with the drawback of having a high false- notification rate. It may be noted that the aberrations identified by AD algorithms may not be an instance of aberrations and may in fact be cases of legitimate but unconventional system behavior. Table 5.3 highlights various techniques under the ambit of anomaly detection and misuse detection software.

Configuration Management and Assurance Tools

Configuration management and assurance tools concern methods and techniques to verify whether the executed settings on a system are correct/incorrect. The various tools involved are policy enforcement tools, network management tools, continuity of operations tools, and scanners and patch management. Table 5.4 highlights various examples of security discussed here.

Embedded-Programming-Based

Cyberattack detection systems (CADS) account for a crucial part of cyberattack analysis, and often these systems take up their own individual approaches. In embedded-programming-based approaches, a great deal of processing is already

TABLE 5.4

Various Classes of Cybersecurity and Their Subclasses

Class of Security Scheme

Subclasses and Examples

Access Control

Boundary Protection: Firewall and Content Management Authentication: Biometrics. Smart Token,

Authorization: User Rights and Privilege

System Integrity

Integrity Checkers and Anti-Virus and Anti-Spams

Cryptography

VPN. Digital Certificates

Audit and Monitoring

IDS. IPS, Correlation Tools, Forensics Tools

Configuration. Management, and Assurance Tools

Policy, Network Management. Continuity of Operations Tools, Scanners, and Patch Management

Critical Attack Vectors in IoT and Associated Infrastructure

FIGURE 5.10 Critical Attack Vectors in IoT and Associated Infrastructure.

done before the information reaches the CADS, in order to reduce the latter’s processing load. This same approach has been implemented in NICs [26], which reduces the traffic for computations and thus achieves a higher processing capacity for the central processor. Figure 5.Ю explains the various attack vectors associated with an IoT infrastructure. One of the most common vulnerabilities in an IoT device is a lack of processing capacity, which results in the DoS attack, as explained in Section 2 of this chapter. To avoid such attacks, embedded programming proves to be quite useful.

Agent-Based Approach

Under the aegis of analysis methodologies, another popular method implemented in a CADS system is an agent-based approach. The working principle behind this paradigm is the ability of servers to exchange information among themselves and inform and alert each other about a possible breach or malicious activities. It may be possible to contain a breach if the infected subnet is disconnected from the main network, essentially limiting the damage. This strategy can work with compromised servers, routers, switches, and other elements of a network. The drawback of this approach is the added work and processing of the detection system to enforce these measures on the network. This approach can be bifurcated into autonomous distributed systems, where they manage and perform the necessary communications with other entities in the environment, and multi-agent systems, which entail four elementary agents: the basic agent, the coordination agent, the global coordination agent, and the interface agent [27]. These individual agents each take up a certain task in the system, so as to efficiently divide the work in CADS.

TABLE 5.5

Examples of Various CADS Systems

S. No

CADS System

1.

Haystack

2.

MIDAS. Expert systems in cyberattack detection

3.

IDES/NIDS.A real-time intrusion-detection expert system

4.

Wisdom & Sense Detection

5.

NADIR An automated system for detecting network attack and misuse

6.

Hyperview. A neural network component for cyberattack detection.

7.

DIDS Distributed Intrusion Detection Systems

8.

ASAX Architecture and rule-based language for audit trail analysis

9.

USTAT State transition analysis

10.

GrIDS. A graph-based intrusion detection system for large networks

II.

Honey Pot

12.

EMERALD: Event monitoring enabling responses to anomalous live disturbance

Software-Engineering- and Artificial-Intelligence-Based

The software used in CADS systems is usually the key function and backbone of the system, hence there is reinvigorated interest among CADS developers to update the technology so as to better the system. A myriad of papers exists in the literature discussing various systems that implement novel programming tools for efficiency [28]. This system implements the signature-based approach, which comes under the aegis of misuse detection and anomaly detection. Further, as artificial intelligence and machine learning gain traction, there is active research in this domain. Techniques include fuzzy logic, genetic algorithm, and artificial neural network. Table 5.5 gives an example of various CADS systems currently in use.

 
Source
< Prev   CONTENTS   Source   Next >