Intrusion Detection

Attack Scenarios in Industrial Environments and How to Detect Them: A Roadmap


Cyberattacks on industrial companies have increased in recent years. The Industrial Internet of Things increases production efficiency at the cost of an enlarged attack surface. Physical separation of productive networks has fallen prey to the paradigm of interconnectivity, presented by the Industrial Internet of Things. This leads to an increased demand for industrial intrusion detection solutions. There are, however, challenges in implementing industrial intrusion detection. There are hardly any data sets publicly available that can be used to evaluate intrusion detection algorithms. The biggest threat for industrial applications arises from state-sponsored and criminal groups.

Next-Generation Defensive Cyber Operations (DCO) Platform


The frequency and complexity of recent cyber intrusions have made the job of defending networks a daunting task. Signs of suspicious or malicious activity can be found in one of many data sources within the network. Local network defenders are held accountable for preventing cyber intrusions but generally are not provided with adequate tools to aid in prevention and detection. With the variety of local network-defense data sources (for example, log files, network traffic, endpoint artifacts) that must be analyzed for suspicious activity, a network defender's responsibility has evolved from finding a needle in a haystack to finding parts of a needle from among multiple haystacks. The National Security Agency's (NSA) next-generation Defensive Cyber Operations (DCO) sensor platform, known as CHUCK (Comprehensive Hunt & Ultimate Cyber Kit), is an initiative to provide a platform for local network defenders to collect large volumes of network-defense data from multiple sources within an environment, thereby enabling detection and discovery of new threats in a secure and timely manner.

Enhancing Cybersecurity by Defeating the Attack Lifecycle: Using Mobile Device Resource Usage Patterns to Detect Unauthentic Mobile Applications


Attacks are usually orchestrated based upon the motivation of the attackers, who are becoming increasingly savvy, better resourced, and more committed. This article examines cyber threats and vulnerabilities through the eyes of the perpetrator. To begin, the authors discuss some counter approaches that have produced limited benefits at best, and then introduce a novel approach that details the use of mobile device resource usage to discern unauthentic mobile applications from authentic applications.

Enhancing Response in Intrusion Detection Systems


With rising levels of attacks and misuse, intrusion detection systems are an increasingly important security technology for IT environments. However, while intrusion detection has been the focus of significant research, the issue of response has received relatively little attention. The majority of systems focus response efforts towards passive methods, which serve to notify and warn, but cannot prevent or contain an intrusion. Where more active responses are available, they typically rely upon manual initiation. The paper examines the reasons for this, and argues that a more comprehensive and reliable response framework is required in order to facilitate further automation of active responses. A range of factors are identified that a software-based responder agent could assess in order to improve response selection, and thereby increase trust in automated solutions.

Network-Based Anomaly Detection Using Discriminant Analysis


Anomaly-based Intrusion Detection Systems (IDS) can be a valuable tool for detecting novel network attacks. This paper analyzes the use of linear and non-linear discriminant analysis on packet header information from Transport and Internet layers of the TCP/IP model to classify packets as normal or abnormal. By training on normal traffic for a particular service (web and secure shell) and known attacks, the classifier can automatically identify differences between packets that may be used to classify future unknown traffic.

Radio Frequency Fingerprinting through Preamble Manipulation


This paper demonstrates a novel and complementary approach to exploiting physical-layer differences among wireless devices. This research records packets with standard-length IEEE 802.11b preambles using a software defined radio, manipulates the recorded preambles by shortening their length, then replays the altered packets toward the transceivers under test. Five transceiver types from three manufacturers are distinguishable by analysing differences in packet reception with respect to preamble length with greater than 99% accuracy using a small number of test packets. The results demonstrate that preamble manipulation is effective for multi-factor device authentication, network intrusion detection, and remote transceiver type fingerprinting.

Securing the Cloud


This paper will review cloud technology utilized to support the Intelligence Community and will specifically address the National Security Agency's research into vulnerabilities and risks related to cloud-based systems. Current implementation plans will be discussed for a multi-agency private cloud architecture that is under development. The paper will also review security challenges for a cloud architecture and will address specific technologies, such as data tagging, digital policy management, encryption, identity and access management, and auditing, along with intrusion detection and prevention.

Journal of Information Warfare

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.


Get in touch

  • Journal of Information Warfare
    114 Ballard Street
    Yorktown, VA
  • 757.871.3949