Cyberspace Safety and Security

Mobile commerce (m-commerce) delivers value-added services to customers and creates new market opportunities. However, establishing a secure m-commerce platform that offers high level of service can be challenging. This paper proposes a concept of m-identity targeted at control the access of involved parties in an m-commerce transaction. M-identity includes both identities of a user and his/her bound mobile device which is defined as a user’s biometric feature(s) taken by his/her bound mobile camera. As an additional factor of authentication, a watermark is embedded in the captured biometric images. The embedding key of the watermark is a shared secret between mobile device and central server. Then an m-identity authentication (MA) protocol is proposed. M-identity merges mobile device identity into biometrics images. Only the genuine owner whose biometric information captured by his/her bound mobile device can pass m-identity authentication. Combined with the watermark, this makes a 2 ½ factor authentication process. Fingerprint biometrics taken with the mobile camera is used as an example to show how MA protocol works.

Stolen phones, until the descent of smartphones, simply meant minutes’ overages or huge bills from long-distance calls. Now the cost could be anything ranging from your privacy, security, finance or simply “YOU”. A Smartphoneos knowledge of its user, if not protected, is a potential risk to the very user’s security and privacy. When a smartphone is stolen, it isn’t just the device you need to worry about but the treasure of private and sensitive data it holds, which can compromise your very safety and privacy if in the wrong hands. A determined adversary can potentially uncover a lot of things from a stolen iOS device — credit card numbers, passwords of various other accounts, bank account numbers, etc. On top of that, if it’s a work phone, the adversary can also gain entry into your company’s restricted network, which is otherwise highly secure and private. In this paper we propose a simple yet powerful method of protecting the loss of private and sensitive data resident on a stolen iOS devices, focusing mainly on iPhones. SafeCode security mechanism leverages on existing passcode protection mechanism on iOS devices to prevent the device from being “switched off” or “silenced” by the adversary when the device is stolen. SafeCode, in the best case scenario, extends the “window of opportunity” of recovering the stolen device. In the worst case scenario, SafeCode augments the probability of remotely wiping the device with the same extended “window of opportunity”.

Graphical passwords can replace alphanumeric passwords when the data entry device is not a keyboard, but a touchscreen instead, as is the case for modern mobile devices (smartphones and tablets). However, misinterpretations on the security of graphical passwords compared to textual ones can lead to insecure systems. This paper outlines a set of security best practices concerning the design of icon-based authentication mechanisms. The best practices have been derived from a behavioral study on the usability of a prototype. The paper also proposes methods for quality control and protection against brute force attacks against icon-based passwords.

Security in embedded systems such as smartphones requires protection of confidential data and applications. Many of security mechanisms use dynamic taint analysis techniques for tracking information flow in software. But these techniques cannot detect control flows that use conditionals to implicitly transfer information from objects to other objects. In particular, malicious applications can bypass Android system and get privacy sensitive information through control flows. We propose an enhancement of dynamic taint analysis that propagates taint along control dependencies by using the static analysis in embedded system such as Google Android operating system. By using this new approach, it becomes possible to protect sensitive information and detect most types of software exploits without reporting too many false positives.

This paper is devoted to multi-tier ensemble classifiers for the detection and filtering of phishing emails. We introduce a new construction of ensemble classifiers, based on the well known and productive multi-tier approach. Our experiments evaluate their performance for the detection and filtering of phishing emails. The multi-tier constructions are well known and have been used to design effective classifiers for email classification and other applications previously. We investigate new multi-tier ensemble classifiers, where diverse ensemble methods are combined in a unified system by incorporating different ensembles at a lower tier as an integral part of another ensemble at the top tier. Our novel contribution is to investigate the possibility and effectiveness of combining diverse ensemble methods into one large multi-tier ensemble for the example of detection and filtering of phishing emails. Our study handled a few essential ensemble methods and more recent approaches incorporated into a combined multi-tier ensemble classifier. The results show that new large multi-tier ensemble classifiers achieved better performance compared with the outcomes of the base classifiers and ensemble classifiers incorporated in the multi-tier system. This demonstrates that the new method of combining diverse ensembles into one unified multi-tier ensemble can be applied to increase the performance of classifiers if diverse ensembles are incorporated in the system.

This paper proposes a chattering-free terminal sliding-mode observer used for the network behavior anomaly detection in TCP/IP networks. The proposed observer can track the fluid-flow model representing the TCP/IP behaviors in a router level. Unlike traditional sliding-mode observers, the proposed observer behaves as a full-order dynamics during the sliding-mode motion. The smooth control signal of the observer can be directly utilized to estimate the queue length dynamics representing a distributed anomaly in the TCP/IP network. The simulations are carried out to verify the effectiveness of the proposed method.

While social media is a new and exciting technology, it has the potential to be misused by organized crime groups and individuals involved in the illicit drugs trade. In particular, social media provides a means to create new marketing and distribution opportunities to a global marketplace, often exploiting jurisdictional gaps between buyer and seller. The sheer volume of postings presents investigational barriers, but the platform is amenable to the partial automation of open source intelligence. This paper presents a new methodology for automating social media data, and presents two pilot studies into its use for detecting marketing and distribution of illicit drugs targeted at Australians. Key technical challenges are identified, and the policy implications of the ease of access to illicit drugs are discussed.

Anonymous communication has gained more and more interest from Internet users as privacy and anonymity problems have emerged. Dedicated anonymous networks such as Freenet and I2P allow anonymous file-sharing among users. However, one major problem with anonymous file-sharing networks is that the available content is highly reduced, mostly with outdated files, and non-anonymous networks, such as the BitTorrent network, are still the major source of content: we show that in a 30-days period, 21648 new torrents were introduced in the BitTorrent community, whilst only 236 were introduced in the anonymous I2P network, for four different categories of content.

Therefore, how can a user of these anonymous networks access this varied and non-anonymous content without compromising its anonymity? In this paper, we improve content availability in an anonymous environment by proposing the first internetwork model allowing anonymous users to access and share content in large public communities while remaining anonymous. We show that our approach can efficiently interconnect I2P users and public BitTorrent swarms without affecting their anonymity nor their performance. Our model is fully implemented and freely usable.

The potential privacy implications of the Smart Grid are one of the key challenges to its introduction. Frequent Smart Meter readings can, e.g., reveal sensitive details about a customer’s behaviour and preferences. The Vehicle-to-Grid (V2G) concept explores using electric vehicles as a centrally coordinated grid resource in a Smart Grid. It can similarly lead to privacy issues by revealing a customer’s whereabouts. Though these two privacy issues are closely related, until now, there exists no common architectural approach to protect privacy. In this work, we critically analyse the Smart Grid infrastructure mandated by German law and its shortcomings regarding V2G privacy. Based on this, we propose V2GPriv an architecture that demonstrates how the V2G concept can be integrated with a Smart Grid infrastructure to offer both privacy benefits and avoid costs of a separate V2G infrastructure.

We present a new architecture for a secure smart metering system. Our architecture is based on a special purpose hardware security module that encapsulates all security critical operations and provides the main functionality of the system in an active role. This new approach enables secure meter data handling within the smart grid. As a result, our architecture preserves the privacy of sensitive consumer data and the integrity of meter data. Additionally, our proposed solution enhances the security of components critical to the operation of the power grid.

The paper proposes a Distributed Identity-Based Encryption (DIBE) scheme. The DIBE scheme extends the traditional IBE to a distributed system which consists of some homogenous or heterogeneous subsystems. Each subsystem has its own different master key and can communicate each other in a secure mode, instead of sharing a common master key as that in a traditional IBE scheme. The paper presents and analyzes the key distributing algorithms for a subsystem to join or leave a system, and also a user to joining or leave a subsystem. It shows that the DIBE scheme has the properties of scalability and adaptability. The paper also analyzes the security and performance of the proposed scheme, including the correctness, complexity and application examples. Some simulation results demonstrate the performance of the DIBE by using the PBC function packet.

Recently, a new class of USB based attacks has emerged which unlike previous USB based threats does not exploit any vulnerability or depend on any operating system feature. The USB HID attack vector utilizes an emulated keyboard and onboard flash memory storage to simulate keystrokes on a victim machine. In this paper we propose an anomaly based approach to detect such an attack using a biometric called keystroke dynamics.

This paper present a novel Certificate-based authentication of public access points (APs). The presented approach is the first to consider authentication of public APs. It is also the first work to consider using digital Certificates for public AP authentication. Normally, when a user wants to access internet in public hot-spots like airports, coffee shops, library, etc., there is often lack of information for the user to make an informed decision on which AP to connect. Consequently, an adversary can easily place a rogue AP in a public hotspot luring users to connect to his AP. Unfortunately, most people focus their attention to the signal strength of the AP and the service fee, and very little attention to the security of the AP. This makes the job of the adversary significantly easier. The adversary can simply place a rogue AP with a look alike name (SSID) that is free to users. With the proposed Certificate-based authentication of APs, the user can readily see available certified APs in range and choose to connect to the one they prefer based on any parameter of choice – signal strength, service provider, fees, etc. Finally, we have shown that an adversary can neither generate fake Certificates nor steal the Certificate from a certified AP and cause significant damage. We have also addressed defense against most common threats to public APs such as – replay attacks, man-in-the-middle attacks, and fabrication attacks. The proposed solution is very robust in validating the authenticity of public APs and isolating rogue APs.

Users are inclined to share the data in a remote server if no strong security mechanism is in place. Searchable encryption satisfies the need of users to execute a search on encrypted data. But previous searchable encryption method like “public key encryption with keyword search (PEKS)” restricted the data open to certain users, because only the assigned users were able to search on the encrypted data. In this paper we will discuss the relation between Attribute Based Encryption (ABE) and searchable encryption and define a weak anonymity of ABE scheme, named “attribute privacy”. With the weak anonymity, we propose a general transformation from ABE to Attribute Based Encryption with Keyword Search (ABEKS) and a concrete attribute private key-policy ABE (KP-ABE) scheme. We present an ABEKS scheme based on this KP-ABE scheme and permit multi-users to execute a flexible search on the remote encrypted data.

Typical Cloud database services guarantee high availability and scalability, but they rise many concerns about data confidentiality. Combining encryption with SQL operations is a promising approach although it is characterized by many open issues. Existing proposals, which are based on some trusted intermediate server, limit availability and scalability of original cloud database services. We propose an alternative architecture that avoids any intermediary component, thus achieving availability and scalability comparable to that of unencrypted cloud database services. Moreover, our proposal guarantees data consistency in scenarios in which independent clients concurrently execute SQL queries, and the structure of the database can be modified.

In a cloud-computing scenario where users buy software from software providers and execute it at computing centers, a digital rights management (DRM) system has to be in place to check the software licenses during each software execution. However, the exposure of users to privacy invasion in the presence of DRM systems is problematic.

We come up with a concept that unites software providers’ and users’ demands for a secure and

privacy-preserving DRM system for cloud computing

. The employment of

proxy re-encryption

allows for a

prevention of profile building (under pseudonym)

of users by any party.

Recently, we have a problem about an attack generated by a botnet which consists of a group of compromised computers called bots. An attacker called botmaster controls it and a botnet invokes an attack such as scanning and DDoS attack. In this paper, we use the 3D-visualization to investigate the change of attack according to the darknet traffic. As a result, we discover the attack in which several source IP addresses transmit packets to a single destination within a short period of time. In addition, we find that the packet size and the destination port number are identical on its attack. Furthermore, we propose the method to detect this attack called behavior of collaborative attack. In our proposal, we focus on the number of source IP addresses which transmit packets to the single destination. We detected this packet and the rate of packet with the same packet size and destination port number occupied about 90% of the set unit of extracted packet.

Honeypots are a proven technology for network defence and forensics. This paper focuses on attacks directed to network devices that utilise SSH services. The research uses the SSH honeypot Kippo to gather data about attacks on the SSH service. Kippo uses python and SSL to generate mock SSH services and also provides a filesystem honeypot for attackers to interact with. The preliminary research has found that attacks of this type are manifest, have a variety of profiles and may be launched from a variety of platforms.

Physical access control systems play a central role in the protection of critical infrastructures, where both the provision of timely access and preserving the security of sensitive areas are paramount. In this paper we discuss the shortcomings of existing approaches to the administration of physical access control in complex environments. At the heart of the problem is the current dependency on human administrators to reason about the implications of the provision or the revocation of staff access to an area within these facilities. We demonstrate how utilising Building Information Models (BIMs) and the capabilities they provide, including 3D representation of a facility and path-finding, may reduce the incidents of errors made by security administrators.

Automatic assessment of Fingerprint Image Quality (FIQ) has significant influence on the performance of Automated Fingerprint Identification Systems (AFISs). Local texture and global texture clarity of fingerprint images are the main factors in the evaluation of FIQ. Available image size, dryness and Singular Points (SPs) of a fingerprint image are also considered as cofactors, each of them has different effect on the assessment of image quality. In this paper, Homogeneous-Zones-Divide is proposed to evaluate the global clarity of a fingerprint image. To be consistent with human perception of fingerprint images quality, the optimal weight is obtained by a constrained nonlinear optimization model. This optimal weight is further used to assess Composite Quality Score (CQS). Simulation on public database indicates that the precision of our method can achieve 97.5% of accurate rate and it can reasonably classify fingerprint images into four grades, which is helpful to improve the performance of (AFIS).

Leakage-resilient cryptographic protocols have recently been evolving intensively, studying the question of designing protocol that maintain security even in the presence of side-channel attacks. Under leakage assumption(the verifier uses side-channel attacks to obtain some information about the secret state of the prover), the known zero knowledge protocol may not preserve zero knowledge any more. Garg et.al. first studied leakage-resilient zero knowledge and presented an excellent construction for NP. Unfortunately, the definition is not suitable for honest verifier leakage-resilient zero knowledge. In this paper, we give a new definition of leakage-resilient zero knowledge and construct a leakage-resilient zero knowledge proof for approximate version of the closest vector problem(

$\textsc{G}_{\textsc{AP}}\textsc{CVP}_\gamma$

). We also give a definition of leakage-resilient bit commitment scheme.

New security threats arise frequently and impact on enterprise software security requirements. However, most existing security engineering approaches focus on capturing and enforcing security requirements at design time. Many do not address how a system should be adapted to cope with new unanticipated security requirements that arise at runtime. We describe a new approach - Model Driven Security Engineering at Runtime (MDSE@R) - enabling security engineers to dynamically specify and enforce system security requirements based on current needs. We introduce a new domain-specific visual language to model customer security requirements in a given application. Moreover, we introduce a new UML profile to help capturing system architectural characteristics along with security specifications mapped to system entities. Our MDSE@R toolset supports refinement and merger of these visual models and uses model-driven engineering to take the merged model and specify security controls to be enforced on the target system components. A combination of interceptors (via generated configurations) and injected code (using aspect-oriented programming) are used to integrate the specified security controls within the target system. We describe MDSE@R, give an example of using it in securing an ERP system, describe its implementation, and discuss an evaluation of applying MDSE@R on a set of open source applications.

High secure connectivity and invulnerability are two important goals of wireless sensor networks. However, many existing key management schemes for wireless sensor networks cannot achieve the two goals simultaneously. To solve the problem, the paper proposed a key management scheme based on hash chains and auxiliary nodes. In the scheme, adjacent sensor nodes can establish shared session keys with high probabilities; besides, the validity of chain keys including their identifiers can be distinguished by hash functions. Analyses show that the scheme not only can achieve the two goals to secure wireless sensor networks, but also can has advantages in terms of storage, communication overhead, and computation overhead.

In Wireless Mesh Networks (WMNs), mesh nodes cooperate and forward packets from each other in order to extend their communication range and reach nodes outside their transmission coverage. However, malicious nodes may refuse to cooperate by intentionally dropping packets in order to disrupt the integrity of network services. In this paper, we introduce a distributed and cooperative approach for detection of packet dropping attacks. Intrusion detectors are individually placed at each node to passively monitor the node behavior and exchange routing events and detection results with neighboring nodes. Based on the exchanged events, each node is able to instantly detect malicious behavior on the own node’s communication link or in the neighborhood. A virtualized mesh network environment composed of virtual machines is used to implement the distributed detection approach and demonstrate its effectiveness and reliability for detecting packet dropping attacks in the mesh network.

A number of security models have been proposed for RFID systems. Recent studies show that current models tend to be limited in the number of properties they capture. Consequently, models are commonly unable to distinguish between protocols with regard to finer privacy properties. This paper proposes a privacy model that introduces previously unavailable expressions of privacy. Based on the well-studied notion of indistinguishability, the model also strives to be simpler, easier to use, and more intuitive compared to previous models.

The Radio Frequency Identification (RFID) is an important technology of the Internet of Things. Along with the rapid growth of the RFID technology, security issues have acquired much attention recently. However, most of the RFID security works focus on fake identity or information leaking problems. Researchers seldom care about the security of system mechanism, such as media access control. This paper focuses on the anti-collision mechanism of ISO15693. We analyze the 16-slot anti-collision in ISO15693 in detail, demonstrate access vulnerability, present a potential attack approach of similar-tags collision and validate the attack efficiency through simulation. Afterwards, an improved anti-collision paradigm is proposed to mitigate the similar-tags attack. The empirical study shows that the improved anti-collision tactic is much more efficient than that in ISO15693.

Digital fingerprinting provides a means of tracing unauthorized re-distribution of digital objects. With an unique fingerprint being imperceptibly embedded in each authorized copy of the object, in case a pirate copy is found, by analysing the fingerprint in the observed pirate copy, the distributer can identify the users who produced the pirate copy. Collusion-secure fingerprinting schemes address the problem of collusion, where a group of users (a coalition) detect and change the fingerprint symbols in their copies before producing pirate copies. It has been proved that there exist collusion-secure fingerprinting schemes that can identify at least one member of the coalition for any reasonably sized coalition. In order to guarantee the quality of the object, short fingerprinting codes are preferred in practical applications. A lower bound on the code length has been derived by Peikert et al, that is, any collusion-secure fingerprinting codes must have length at least

o

(

s

2

log(1/

sε

)), where

s

is the size of coalition. Codes which achieve the lower bound are called optimal codes. However, currently known optimal codes do not have any efficient (polynomial time-complexity) tracing procedure to identify the coalition. The best known codes with efficient tracing algorithms, which were constructed by Cortrina-Navau and Fern

$\acute{a}$

ndez in 2010, have length

O

(

s

6

log(

s

/

ε

)log(

N

)), where

N

is the total number of authorized users. In this paper, we construct a class of codes which have an efficient tracing algorithm and have length

O

(

s

2

log(1/

ε

)log(

N

)). Our codes are much shorter than those by Cortrina-Navau and Fern

$\acute{a}$

ndez.

To alleviate the influence of key exposure, we combine forward-security with certificate-based cryptography and give formal definitions and the security model of forward-secure certificate-based signatures. Then we propose a forward-secure certificate-based signature scheme, which is proven to be existentially unforgeable against adaptive chosen message attacks in the standard model. Hence, we partially solve the key exposure problem in certificate-based signature scheme and improve the system security.

E-Infrastructures can be used to support e-science and e-research allowing different collaborators from disparate organisations, often from different disciplines and utilising heterogeneous software and hardware, to work together on common research problems. This is typically achieved through the formation of targeted Virtual Organisations (VO). Inter-organisational collaborations also bring challenges of security that must be overcome. There has been much work in e-Research-oriented security, i.e. at the middleware level, but far less on ensuring that middleware-oriented security is not made redundant through ensuring the robustness of the underlying hardware and software (fabric) upon which the e-Research middleware security is based, e.g. the operating systems, network configurations and core software required to support e-Research solutions. To tackle this, an integrated security framework is needed that is cognisant of VO requirements on e-Research middleware-oriented security and incorporates targeted fabric level security. In this paper we present an integrated architecture (ACVAS), which encompasses VO-specific fabric security including configuration-aware security monitoring (patch status monitoring) and vulnerability scanning and subsequent updating. We show how tool support can be used to pre-emptively identify and assess potential vulnerabilities in a VO, before they are potential exploited. We also outline how these vulnerabilities can be dynamically overcome to support the needs of the VO and associated e-Infrastructure to improve the overall VO security.

Dual-Policy Attribute Based Encryption (DP-ABE), proposed in 2009, is a combination of two variants, Ciphertext Policy-ABE (CP-ABE) and Key Policy-ABE (KP-ABE), where an encryptor can associate the data simultaneously with both a set of objective attributes and of subjective access policies. Or, a user is given a private key assigned simultaneously for both a set of objective attributes and a subjective access policy. A major problem of the above DP-ABE scheme is the ciphertext size linear to the number of attributes while the LSSS access structure can be assumed.

We propose two novel DP-ABEs, which achieve constant-size ciphertext, regardless of the number of attributes in a logical AND data access policy with wildcards. We present two constructions: the first scheme under the

q

-Bilinear Diffie Hellman Exponent (

q

-BDHE) and the second scheme under the Decisional Bilinear-Diffie-Hellman assumptions (DBDH).

Phishing attacks rise in quantity and quality. With short online lifetimes of those attacks, classical blacklist based approaches are not sufficient to protect online users. While attackers manage to achieve high similarity between original and fraudulent websites, this fact can also be used for attack detection. In many cases attackers try to make the Internet address (URL) from a website look similar to the original. In this work, we present a way of using the URL itself for automated detection of phishing websites by extracting and verifying different terms of a URL using search engine spelling recommendation.

We evaluate our concept against a large test set of 8730 real phishing URLs. In addition, we collected scores for the visual quality of a subset of those attacks to be able to compare the performance of our tests for different attack qualities. Results suggest that our heuristics are able to mark 54.3% of the malicious URLs as suspicious. With increasing visual quality of the phishing websites, the number of URL characteristics that allow a detection increases, as well.

The issue of securing control signaling in mobility management is still an unsolved concern. To offer enhanced security, features in the recent mobile IP protocols rely on the use of IP Security (IPSec) Security Association (SA). However, the SA itself will cease to be valid if a mobile node moves or a network moves. This paper proposes secure mobile IP (SecMIP) scheme based on one-time transaction key agreements instead of using the pre-generated IPsec SA. In the proposed scheme, the mobile node is responsible for relaying its blind key information from the Home Agent (HA) to the Foreign Agent (FA) while the relating secret value is securely kept in its HA. Receiving the Binding Update (BU) message that contains the FA’s blind key, the HA can calculate the same transaction key as the FA. We analyze the time required for the enemy to succeed to attack our SecMIP scheme on integrity and authentication. Based on the analysis results, we suggest the optimum use of the operational parameters in our SecMIP scheme relating to the length of the secret value and the length of the prime number

q

in digit. The derived dimensions can guarantee an average of 1 year required for exhaustive key searching by brute force approaches while maintaining a maximum addition of 200 millisecond time latency for the HA and the FA to process the secured BU message.

The distributed and open structure of cloud computing and services becomes an attractive target for potential cyber-attacks by intruders. The traditional Intrusion Detection and Prevention Systems (IDPS) are deemed largely inefficient to be deployed in cloud computing environments due to their openness, dynamicity and virtualization in offered services. This paper surveys and explores the possible solutions to detect and prevent intrusions in cloud computing systems by providing a comprehensive taxonomy of existing IDPS. It discusses the key features of IDPS that are challenging and crucial for choosing the right security measures for designing an IDPS. The paper further reviews the current state of the art of developed IDPSs for cloud computing which uses advanced techniques in overcoming the challenges imposed by cloud computing requirements for more resilient, effective and efficient IDPSs, abbreviated as CIPDS.

This paper shows the results of an investigation of cryptographic services for mobile devices running Android. The objective of the investigation was to assess the feasibility of sophisticated cryptographic services on modern smartphones running Android. First of all, the portability of cryptographic libraries was evaluated according to its feasibility. Second, performance measurements were taken for some of the libraries successfully ported.

Middleware typically includes a set of functions that provide services to distributed applications. To design middleware architectures, developers often employ architectural patterns – solutions to recurring software problems. In general these patterns do not contain any security features, however, it is possible to make secured versions of them using experience or by considering security threats and countermeasures in real-life implementations. Using this inductive approach we have built up a catalog of such (compound security) patterns for middleware. They can be used by developers early in the software development life-cycle to efficiently determine a set of relevant security requirements. In this paper we continue the same line of work to secure the Wrapper Façade and Distributed Publish/Subscribe patterns, extending the inductive approach from before with a deductive approach based on a use-case driven threat analysis. We document the resulting Secure Façade compound pattern briefly, and the Secure Publish/Subscribe in more detail.

With the development of intrusion detection systems (IDSs), a number of machine learning approaches have been applied to intrusion detection. For a traditional supervised learning algorithm, training examples with ground-truth labels should be given in advance. However, in real applications, the number of labeled examples is limited whereas a lot of unlabeled data is widely available, because labeling data requires a large amount of human efforts and is thus very expensive. To mitigate this issue, several semi-supervised learning algorithms, which aim to label data automatically without human intervention, have been proposed to utilize unlabeled data in improving the performance of IDSs. In this paper, we attempt to apply disagreement-based semi-supervised learning algorithm to anomaly detection. Based on our previous work, we further apply this approach to constructing a false alarm filter and investigate its performance of alarm reduction in a network environment. The experimental results show that the disagreement-based scheme is very effective in detecting intrusions and reducing false alarms by automatically labeling unlabeled data, and that its performance can further be improved by co-working with active learning.

With the volume of data required to be analysed and interpreted by security analysts, the possibility of human error looms large and the consequences possibly harmful for some systems in the event of an adverse event not being detected. In this paper we suggest machine learning algorithms that can assist in supporting the security function effectively and present a framework that can be used to choose the best algorithm for a specific domain. A qualitative framework was produced, and it is suggested that a naive Bayesian classifier and artificial neural network based algorithms are most likely the best candidates for the proposed application. A testing framework is proposed to conduct a quantitative evaluation of the algorithms as the next step in the determination of best fit for purpose algorithm. Future research will look to repeat this process for cyber security specific applications, and also examine GPGPU optimisations.