
2007 | Book

Intelligence and Security Informatics

Pacific Asia Workshop, PAISI 2007, Chengdu, China, April 11-12, 2007. Proceedings

Edited by: Christopher C. Yang, Daniel Zeng, Michael Chau, Kuiyu Chang, Qing Yang, Xueqi Cheng, Jue Wang, Fei-Yue Wang, Hsinchun Chen

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science


About this book

Intelligence and security informatics (ISI) is concerned with the study of the development and use of advanced information technologies and systems for national, international, and societal security-related applications. The annual IEEE International Conference series on ISI was started in 2003 and the first four meetings were held in the United States. In 2006, the Workshop on ISI (http://isi.se.cuhk.edu.hk/2006/) was held in Singapore in conjunction with the Pacific Asia Conference on Knowledge Discovery and Data Mining, with over 100 contributors and participants from all over the world. These past ISI conferences have brought together academic researchers, law enforcement and intelligence experts, information technology consultants, and practitioners to discuss their research and practice related to various ISI topics including ISI data management, data and text mining for ISI applications, terrorism informatics, deception and intent detection, terrorist and criminal social network analysis, public health and bio-security, crime analysis, cyber-infrastructure protection, transportation infrastructure security, policy studies and evaluation, and information assurance, among others. We continued this stream of ISI conferences by organizing the 2007 Pacific Asia Workshop on ISI (PAISI 2007) to especially provide a stimulating forum for ISI researchers in Pacific Asia and other regions of the world to exchange ideas and report research progress. PAISI 2007 was hosted by the Chinese Academy of Sciences, the University of Arizona, and the Chinese University of Hong Kong.

Table of contents

Frontmatter

Keynote

Exploring Extremism and Terrorism on the Web: The Dark Web Project

In this paper we discuss technical issues regarding intelligence and security informatics (ISI) research to accomplish the critical missions of international security and counter-terrorism. We propose a research framework addressing the technical challenges facing counter-terrorism and crime-fighting applications with a primary focus on the knowledge discovery from databases (KDD) perspective. We also present several Dark Web related case studies for open-source terrorism information collection, analysis, and visualization. Using a web spidering approach, we have developed a large-scale, longitudinal collection of extremist-generated Internet-based multimedia and multilingual contents. We have also developed selected computational link analysis, content analysis, and authorship analysis techniques to analyze the Dark Web collection.

Hsinchun Chen

Long Papers

Crime Analysis

Analyzing and Visualizing Gray Web Forum Structure

The Web is a platform for users to search for information to fulfill their information needs, but it is also an ideal platform to express personal opinions and comments. A virtual community is formed when a number of members participate in this kind of communication. Nowadays, teenagers are spending an extensive amount of time communicating with strangers in these virtual communities. At the same time, criminals and terrorists are also taking advantage of these virtual communities to recruit members and identify victims. Many Web forum users may not be aware that their participation in these virtual communities has violated the laws of their countries, for example, by downloading pirated software or multimedia contents. Police officers cannot combat this kind of criminal activity using the traditional approaches. We must rely on computing technologies to analyze and visualize the activities within these virtual communities to identify the suspects and extract the active groups. In this work, we introduce the social network analysis technique and information visualization technique for the Gray Web Forum – a forum that may threaten public safety.

Christopher C. Yang, Torbun D. Ng, Jau-Hwang Wang, Chih-Ping Wei, Hsinchun Chen
An Empirical Analysis of Online Gaming Crime Characteristics from 2002 to 2004

Along with the rapid development of online gaming worldwide, online games have become a very successful and outstanding industry in recent years, especially Massive Multiplayer Online Role-Playing Games (MMORPGs). Cyber-criminal activity arising from online games is increasing at an alarming rate. Further, online gaming crimes have turned out to be the most serious cybercrime in many countries, such as Taiwan, South Korea, China, Hong Kong, and so on. According to our analysis of online gaming crime characteristics in Taiwan from the year 2002 to 2004, the majority of online gaming crime is theft and fraud, but fraud has risen from 20% to 36%. Identity theft and social engineering are the major criminal means. The offenders are mainly male and always act alone. The age of offenders is low (on average over 60% are in the age range of 15-25). The offenders are mostly students, workers and the unemployed, most of them without criminal records. The type of game giving rise to most of the criminal cases is still Lineage Online, but the share of other games has risen from 0.8% to 28.4%. The share of online gaming losses over $1500 U.S. dollars has risen from 3.8% to 9.9%. In this paper, we present an empirical analysis of online gaming criminal activity from the year 2002 to 2004 in Taiwan and suggest ways to combat the criminal activity.

Yungchang Ku, Ying-Chieh Chen, Kuo-Ching Wu, Chaochang Chiu
Detecting Cyber Security Threats in Weblogs Using Probabilistic Models

Organizations and governments are becoming vulnerable to a wide variety of security breaches against their information infrastructure. The magnitude of this threat is evident from the increasing rate of cyber attacks against computers and critical infrastructure. Weblogs, or blogs, have also rapidly gained in numbers over the past decade. Weblogs may provide up-to-date information on the prevalence and distribution of various cyber security threats as well as terrorism events. In this paper, we analyze weblog posts for various categories of cyber security threats related to the detection of cyber attacks, cyber crime, and terrorism. Existing studies on intelligence analysis have focused on analyzing news or forums for cyber security incidents, but few have looked at weblogs. We use probabilistic latent semantic analysis to detect keywords from cyber security weblogs with respect to certain topics. We then demonstrate how this method can present the blogosphere in terms of topics with measurable keywords, hence tracking popular conversations and topics in the blogosphere. By applying a probabilistic approach, we can improve information retrieval in weblog search and keywords detection, and provide an analytical foundation for the future of security intelligence analysis of weblogs.

Flora S. Tsai, Kap Luk Chan

Emergency Response and Surveillance

What-if Emergency Management System: A Generalized Voronoi Diagram Approach

As witnessed in many recent disastrous events, emergency management is becoming more and more important to prevent hazards, plan for actions, quickly respond to minimize losses, and to recover from damages. In this paper, we propose the complete higher-order Voronoi diagram based emergency management system for what-if analysis which is particularly useful in highly dynamic environments. This system is based on a unified order-k Delaunay triangle data structure which supports various topological and regional queries, and what-if analysis. The proposed system encompasses: 1) what-if scenarios when new changes are dynamically updated; 2) what-if scenarios when order-k generators (disasters or professional bodies) or their territorial regions are of interest; 3) what-if scenarios when ordered order-k generators or their territorial regions are of interest; 4) what-if scenarios when k-th nearest generators or their territorial regions are of interest; 5) what-if scenarios with mixtures of the above.

Ickjai Lee, Reece Pershouse, Peter Phillips, Chris Christensen
Agent Based Framework for Emergency Rescue and Assistance Planning

Under difficult circumstances such as catastrophic terrorism, emergency rescue and assistance planning (ERAP) always involves complex sets of objectives and constraints. We propose a multi-agent constraint programming framework which is aimed at tackling complex operations problems during the emergency response process. The framework employs the component-based agent model to support ERAP problem specification, solving, composition/decomposition, feedback and dynamic control. A typical emergency response system is composed of seven types of top-level agents, which are further composed of sub-agents at lower levels of granularity. In particular, agents that play key roles in task control and problem solving are based on the asynchronous team (A-Team), in which sub-agents share a population and evolve an optimized set of solutions. A case study is presented to illustrate our approach.

Yujun Zheng, Jinquan Wang, Jinyun Xue
Object Tracking with Self-updating Tracking Window

A basic requirement for a practical tracking system is to adjust the tracking model in real time when the appearance of the tracked object changes. However, since the scale of the targets often varies irregularly, systems with a fixed-size tracking window usually cannot accommodate these scenarios. In the present paper, a new multi-scale information measure for images is introduced to probe the size changes of tracked objects. An automatic window-size updating method is then proposed and integrated into the classical color histogram based mean-shift and particle filtering tracking frameworks. Experimental results demonstrate that the improved algorithms can select the proper size of the tracking window not only when the object scale increases but also when it decreases, with minor extra computational overhead.

Huimin Qian, Yaobin Mao, Jason Geng, Zhiquan Wang
A Case-Based Evolutionary Group Decision Support Method for Emergency Response

According to the characteristics of emergency decision-making in crisis management, this paper proposes a special decision-making method to deal with inadequate information, uncertainty and dynamic trends. This CBR-based decision support method retrieves similar cases from the Case Base and forecasts the prior distribution of absent feature values using a Bayesian Dynamic Forecasting Model. Then the result is put into a Markov-based state transition matrix to order suggested solutions by suitability and assist in achieving consensus among decision makers. This novel method is suitable for emergency decision making as it provides support for the dynamic and evolutionary character of emergency response.

Jidi Zhao, Tao Jin, Huizhang Shen

Intrusion Detection

Lightweight Anomaly Intrusion Detection in Wireless Sensor Networks

Wireless Sensor Networks (WSNs) have excellent applications in monitoring environments, such as military surveillance and forest fire monitoring. However, WSNs are of interest to adversaries in many scenarios. They are susceptible to some types of attacks because they are deployed in open and unprotected environments. WSNs are constituted of scarce-resource devices. The security mechanisms used for wired networks cannot be transferred directly to wireless sensor networks. In this paper we propose a lightweight anomaly intrusion detection scheme. In the scheme, we investigate different key features for WSNs and define some rules to build an efficient, accurate and effective Intrusion Detection System (IDS). We also propose a moving window function method to gather the current activity data. The scheme fits the demands and restrictions of WSNs. The scheme does not need any cooperation among monitor nodes. Simulation results show that our proposed IDS is efficient and accurate in detecting different kinds of attacks.

Haiguang Chen, Peng Han, Xi Zhou, Chuanshan Gao
ASITL: Adaptive Secure Interoperation Using Trust-Level

The development of network and distributed computing has led to more and more information exchange between far-away servers and clients. Many traditional access control systems based on certificates or predefined access control policies are insufficient to deal with abnormal access requests or hidden intrusions. A flexible and efficient mechanism is needed to support open authentication and secure interoperation. In this paper, we address this issue by proposing an Adaptive Secure Interoperation system using Trust-Level (ASITL), which involves a statistical learning algorithm to judge an access request event, an adaptive calculating algorithm to dynamically adjust a user’s trust-level and a self-protecting mechanism to prevent the system from potential risks. In particular, we also present examples to demonstrate the secure working flow of ASITL.

Li Jin, Zhengding Lu
A RT0-Based Compliance Checker Model for Automated Trust Negotiation

The compliance checker is an important component for automated trust negotiation (ATN) to examine whether the credentials match the access control policies. A good design for the compliance checker helps to speed up trust establishment between parties during the negotiation, and can also improve negotiation efficiency. Unfortunately, it has been noted that the compliance checker has received little attention in design and implementation. On the contrary, more work has been spent on the algorithms for protecting sensitive information. An RT0-based compliance checker (RBCC) model for ATN is presented in this paper. We give its architecture and workflow, and illustrate how it works through a practical example. The case study shows that the model satisfies the compliance checker’s basic requirements and provides a good information feedback mechanism to protect sensitive information.

Zhensong Liao, Hai Jin
TCM-KNN Algorithm for Supervised Network Intrusion Detection

Intrusion detection is a hot topic related to information and national security. Supervised network intrusion detection has been an active and difficult research hotspot in the field of intrusion detection for many years. However, a lot of issues haven’t been resolved successfully yet. The most important one is the loss of detection performance attributable to the difficulties in obtaining adequate attack data for the supervised classifiers to model the attack patterns, and the data acquisition task is always time-consuming and greatly relies on domain experts. In this paper, we propose a novel network intrusion detection method based on the TCM-KNN (Transductive Confidence Machines for K-Nearest Neighbors) algorithm. Experimental results on the well-known KDD Cup 1999 dataset demonstrate that the proposed method is robust and more effective than the state-of-the-art intrusion detection method even when provided with a “small” dataset for training.

Yang Li, Bin-Xing Fang, Li Guo, You Chen
Research on Hidden Markov Model for System Call Anomaly Detection

Intrusion detection, especially anomaly detection, requires sufficient security background knowledge. It is very important to recognize anomalous system behavior under the condition of poor domain knowledge. In this paper, the general methods for system call anomaly detection are summarized and the use of HMMs for anomaly detection is discussed in depth from the perspectives of detection theory, system framework and detection methods. Moreover, combined with experiments, the detection efficiency and real-time performance of HMMs with all-state transitions and part-state transitions are analyzed in detail in the paper.

Quan Qian, Mingjun Xin

Network Security

Towards Identifying True Threat from Network Security Data

Among the challenges in the field of network security management, one significant problem is the increasing difficulty in identifying the security incidents which pose a true threat to the protected network system from the tremendous volume of raw security alerts. This paper presents our work on integrated management of network security data for true threat identification within the SATA (Security Alert and Threat Analysis) project. An algorithm for real-time threat analysis of security alerts is presented. Early experiments performed in a branch network of CERNET (China Education and Research Network) including an attack testing sub-network have shown that the system can effectively identify true threats from various security alerts.

Zhi-tang Li, Jie Lei, Li Wang, Dong Li, Yang-ming Ma
Security Assessment for Application Network Services Using Fault Injection

Vulnerabilities in network protocol software have been problematic since the Internet infrastructure was deployed. These vulnerabilities damage the reliability of network software and create security holes in the computing environment. Many critical security vulnerabilities exist in application network services whose specification or description has not been published. In this paper, we propose a security assessment methodology based on fault injection techniques to improve the reliability of application network services with no published specifications. We also implement a tool for security testing based on the proposed methodology. Windows RPC network services are chosen as an application network service, considering their unknown protocol specification, and are validated by the methodology. It turns out that the tool detects unknown vulnerabilities in the Windows network module.

Hyungwoo Kang, Dong Hoon Lee
A Secure Data Transmission Protocol for Mobile Ad Hoc Networks

Secure routing and data transmission have stimulated wide interest in Ad Hoc network research, since such networks are more vulnerable to attacks due to their structural characteristics. Several efficient and secure schemes have been proposed to protect the network from external attacks. However, they still lack very efficient ways to detect and resist internal attacks. Here we propose a secure data transmission protocol (SDTP) based on Reed-Solomon error-correcting coding to achieve secure data transmission in an environment where Byzantine attacks exist. This protocol can distinguish malicious behaviors from transmission errors and locate the malicious node accurately. The algorithms used in this protocol also apply to secure routing protocols.

Shejie Lu, Jun Li, Zhiyuan Liu, Guohua Cui
Defending DDoS Attacks Using Hidden Markov Models and Cooperative Reinforcement Learning

In recent years, distributed denial of service (DDoS) attacks have brought increasing threats to the Internet, since attack traffic caused by DDoS attacks can consume lots of bandwidth or computing resources on the Internet and DDoS attack tools have become easier and easier to obtain. However, due to the similarity between DDoS attack traffic and transient bursts of normal traffic, it is very difficult to detect DDoS attacks accurately and quickly. In this paper, a novel DDoS detection approach based on Hidden Markov Models (HMMs) and cooperative reinforcement learning is proposed, where a distributed cooperative detection scheme using source IP address monitoring is employed. To realize earlier detection of DDoS attacks, the detectors are distributed in intermediate network nodes or near the sources of DDoS attacks, and HMMs are used to establish a profile for normal traffic based on the frequencies of new IP addresses. A cooperative reinforcement learning algorithm is proposed to compute optimized strategies of information exchange among the distributed multiple detectors so that the detection accuracy can be improved without much load on information communication among the detectors. Simulation results on distributed detection of DDoS attacks generated by TFN2K tools illustrate the effectiveness of the proposed method.

Xin Xu, Yongqiang Sun, Zunguo Huang
A Novel Relational Database Watermarking Algorithm

In this paper we propose a new watermarking algorithm for relational databases based on spread spectrum techniques. We assign different owners different identification keys to generate the special watermarking signal and insert it into appropriate tuples. At the watermark detection step, we use the techniques of even parity check and majority voting for watermark accuracy. We establish that a false positive judgment is highly unlikely by evaluating the similarity between the original watermark and the one obtained from the detection step. Experimental results are also presented to support that it is robust in the presence of various attacks and legitimate updates such as adding, deleting and modifying.

Yu Fu, Cong Jin, Chuanxiang Ma

Short Papers

Data and Text Mining

Anticipatory Event Detection for Bursty Events

Anticipatory Event Detection (AED) is a framework for monitoring and tracking important and relevant news events at a fine-grained resolution. AED has previously been tested successfully on news topics like NBA basketball match scores and mergers and acquisitions, but was limited to a static event representation model. In this paper, we discuss two recent attempts at adding content burstiness to AED. A burst is intuitively a sudden surge in the frequency of some quantifiable measure, in our case the document frequency. We examine two schemes for utilizing the burstiness of individual words, one for revamping the static document representation, and the other for extracting bursty and discriminatory words from the two states of the AED Event Transition Graph.

Kuiyu Chang, Qi He, Ridzwan Aminuddin, Ridzwan Suri, Ee-Peng Lim
Community Detection in Scale-Free Networks Based on Hypergraph Model

The investigation of community structures in networks is an important issue in many domains and disciplines. There has been considerable recent interest in algorithms for finding communities in networks. In this paper we present a method of detecting community structure based on a hypergraph model. The hypergraph model maps the relationships in the original data into a hypergraph. A hyperedge represents a relationship among subsets of data and the weight of the hyperedge reflects the strength of this affinity. We assign the density of a hyperedge as its weight. We present and illustrate the results of experiments on the Enron data set. These experiments demonstrate that our approach is applicable and effective.

Rong Qian, Wei Zhang, Bingru Yang
The Treelike Assembly Classifier for Pedestrian Detection

Until now, classification has been a primary technology in pedestrian detection. However, most existing single classifiers and cascaded classifiers can hardly satisfy practical needs (e.g. false negative rate, false positive rate and detection speed). In this paper, we propose an assembly classifier which is specifically designed for pedestrian detection in order to get a higher detection rate and a lower false positive rate at high speed. The assembly classifier is trained to select the best single classifiers, all of which are arranged in a proper structure; finally, a treelike classifier is obtained. The experimental results have validated that the proposed assembly classifier generates better results than most of the existing single classifiers and cascaded classifiers.

C. X. Wei, X. B. Cao, Y. W. Xu, Hong Qiao, Fei-Yue Wang

Cybercrime and Information Access and Security

A Proposed Data Mining Approach for Internet Auction Fraud Detection

Internet auctions are one of the few successful new business models. Owing to the nature of Internet auctions, e.g. a high degree of anonymity, relaxed legal constraints, and low costs for entry and exit, etc., fraudsters can easily set up a scam or deception in auction activities. It is an undeniable fact that, because of the information asymmetry between sellers and buyers and the lack of any immediate examination of the authenticity of the merchandise, the buyer cannot verify the seller and the characteristics of the merchandise until after the transaction is completed. This paper proposes a simple method which detects potential fraudsters by social network analysis (SNA) and decision trees, to provide a feasible mechanism for playing the role of capable guardian in buyers’ auction activities. Through our simple method, buyers can easily avoid being defrauded in auction activities.

Yungchang Ku, Yuchi Chen, Chaochang Chiu
Trends in Computer Crime and Cybercrime Research During the Period 1974-2006: A Bibliometric Approach

The aim of this study is to explore trends in computer crime and cybercrime research from 1974 to 2006. All publications for this analysis were drawn from the ISI Web of Science, the Science Citation Index (SCI), and the Social Science Citation Index (SSCI). The ISI Web of Science is considered a powerful and relatively accurate tool in bibliometric studies. About 292 papers related to computer crime and cybercrime were published during this period. The greatest number of these papers were written in English, and the annual output increased significantly after 2003. In the period under study, most papers originated in the USA. Approximately 57% of the publications were articles, and 72% of these articles had single authors. More bibliometric analyses are described in this study, which shows a high scientific production of articles on computer crime and cybercrime.

Chichao Lu, Wenyuan Jen, Weiping Chang
The Study of Government Website Information Disclosure in Taiwan

Taiwan’s Freedom of Information Act (TFOIA) aims at protecting people’s right to know and making information easily and evenly formulated and obtained by the public. Access to government information not only enhances people’s understanding, trust, and supervision of public affairs, but also promotes their participation in democracy. The goal of open and transparent administration can be achieved only by sharing information with the public. All government agencies must have everything set, especially after the one-year adjustment period of TFOIA, which was passed in December 2005. In expectation of publicizing the government’s efforts and achievements, we design a score card on the basis of the regulations made by TFOIA for all governmental websites. Meanwhile, we also conduct a survey of 248 governmental websites to see whether the websites offer legal and proper information to the public or not. The findings of the research confirm that the information disclosed on government websites still remains insufficient, except for data on official organizations, duties, addresses, telephone numbers, fax numbers, websites, e-mail addresses, and the like. Moreover, the information disclosed on the websites has a remarkable connection with the organizational levels and functional attributes of the government offices. In general, according to the score card, TFOIA compliance scores only 1.25 on average, far from the regulated full score of 3.0. Apparently, TFOIA still has much room for improvement.

Yuan-Fa Chen, Sandy Yu-Lan Yeh, Kuo-Ching Wu
Informed Recognition in Software Watermarking

Software watermarking is a technique to protect programs from piracy by embedding secret information into the programs. As unauthorized use and modification of software are ubiquitous in the world, progress in software watermarking will certainly benefit software research and industry. In this paper, we study one of the core concepts in this area – informed recognition. To recognize a watermark in software is to judge the existence of such a watermark in the corresponding software code.

William Zhu
An Inference Control Algorithm for RDF(S) Repository

Protecting RDF(S) repositories is a topic in many Web applications. In an RDF(S) repository, sensitive information can be inferred from non-sensitive data by iteratively applying the inference rules. Therefore, inference control is a crucial need for protecting RDF(S) repositories. This paper presents an inference control algorithm that can prevent illegal inference effectively. In the algorithm, the inference dependence graph is defined to compute the logic expression of the sensitive RDF(S) triple set, which is translated into disjunctive normal form to obtain the answers to the inference control problem.

Jianjiang Lu, Jinpeng Wang, Yafei Zhang, Bo Zhou, Yanhui Li, Zhuang Miao

Intrusion Detection

PPIDS: Privacy Preserving Intrusion Detection System

The goal of intrusion detection systems (IDS) is to protect against the signs of security problems. However, since an IDS usually depends on the monitored data and has to identify an intruder, running an IDS comes to threaten users’ privacy. In this paper, we propose a new privacy preserving method for intrusion detection systems by applying cryptographic methods to log files. It can meet the enhanced privacy needs of users as well as the security needs of network providers without a TTP.

Hyun-A Park, Dong Hoon Lee, Jongin Lim, Sang Hyun Cho
Evaluating the Disaster Defense Ability of Information Systems

Disaster prevention and recovery is an important branch of security informatics. People need to investigate the disaster prevention and recovery capacity of information systems in order to make them more robust. In this paper we propose a framework to evaluate the disaster defense ability of information systems. In the research, a hierarchy of criteria is built up which covers both the disaster prevention ability and the disaster recovery ability, and a fuzzy assessment method is designed to fit the evaluation process. We also develop a software tool based on the framework to assist information security evaluators.

Baowen Zhang, Jing Zhang, Ning Zhou, Mingang Chen
Airline Safety Evaluation Based on Fuzzy TOPSIS

Safety is a critical element to the business success of the passenger airline industry. It is because of the imprecision or vagueness inherent in the subjective assessment of the experts that we use fuzzy set theory to deal with safety evaluation problems. In this paper, a novel airline safety evaluation method based on fuzzy TOPSIS is proposed. The merit of the method is that it can deal with both quantitative and qualitative assessment in the evaluation process. In addition, the method can be easily applied to safety evaluation with little computational load. A numerical example is used to illustrate the efficiency of the proposed method.

Yong Deng, Jia Xiong, Ping Fu

Network Security

A Framework for Proving the Security of Data Transmission Protocols in Sensor Network

This paper presents a framework to analyze the security of data transmission protocols in wireless sensor networks (WSN). The proposed framework is based on the simulation paradigm and it defines three attack models in terms of the adversary’s attacking ability. Furthermore, it provides an ideal model to verify whether a given protocol is secure or not under these three different attack models. The framework is proved to be effective by analyzing a “secure” data transmission protocol, SDD. This is the first time that the notion of provable security has been applied to wireless sensor networks.

Mi Wen, Ling Dong, Yanfei Zheng, Kefei Chen
Port and Address Hopping for Active Cyber-Defense

Motivated by frequency hopping, the port and address hopping technique is thought to be essential and efficient for active cyber-defense and intelligence security. A novel scheme of timestamp-based synchronization is proposed and a prototype using the port and address hopping tactic is carried out. Then a test-bed is implemented for the fragment transmission of plaintext over different LANs. In order to evaluate the performance of the hopping tactic, experiments on DoS and eavesdropping attacks are performed which demonstrate that the port and address hopping mechanism has better performance than no hopping and than a simple port hopping service.

Leyi Shi, Chunfu Jia, Shuwang Lü, Zhenhua Liu
A Hybrid Model for Worm Simulations in a Large Network

The Internet has become more and more popular, and most companies and institutes use web services for e-business and many other purposes. As a result, the Internet and web services have become core infrastructure for a company or an institute and have become more and more important. With the explosion of the Internet, the occurrence of cyber terrorism has grown very rapidly. It is difficult to find and close all security flaws in a computer system that is connected to a network. Internet worms take advantage of these security flaws, and attack a large number of hosts with self-propagating techniques.

It is quite challenging to simulate very large-scale worm attacks. This paper proposes a hybrid model for large-scale simulations, and the proposed model will be both detailed enough to generate realistic packet traffic, and efficient enough to model a worm spreading through the Internet.

Eul Gyu Im, Jung Sik Kim, In Woo Noh, Hyun Jun Jang

Posters

Terrorism Informatics and Crime Analysis

A Web Portal for Terrorism Activities in China

Web-based open source information collection and analysis are playing a significant role in terrorism informatics studies [1, 2]. In this paper, we present a research effort in this area with a particular focus on China-related terrorism activities.

Daniel Zeng, Li Zhang, Donghua Wei, Fei-Yue Wang
An Overview of Telemarketing Fraud Problems and Countermeasures in Taiwan

Telemarketing Fraud Problems.

Nowadays, computers and computer networks are ubiquitous and used in every facet of modern society. Although information technology has enabled global businesses to flourish, it has also become one of the major enablers for sophisticated fraud schemes. The computer- and network-reliant world allows fraudsters to make the acquaintance of victims, acquire them, and eventually commit crimes without any face-to-face contact.

Jau-Hwang Wang, Jiing-Long Jow, You-Lu Liao, Tyan-muh Tsai, Garfield Hung
Mining the Core Member of Terrorist Crime Group Based on Social Network Analysis

Since the 9/11 incident, the security sectors of many countries have paid great attention to gathering and mining crime data and establishing anti-terrorist databases. With the emergence of anti-terrorist applications, data mining for anti-terrorism has attracted great attention from both researchers and officers, in China as well. The purpose of analyzing and mining terrorist or crime data is to analyze the psychology, behavior, and patterns related to crime, to provide hidden clues to prevent criminal cases, and to forecast terror events in order to keep crime within limits.

Qihong Liu, Changjie Tang, Shaojie Qiao, Qiwei Liu, Fenlian Wen
Providing Personalized Services for HWME System by Item-Based Collaborative Filtering

The Hall for Workshop of Metasynthetic Engineering (HWME) is a methodology that can be used to deal with problems in open complex giant systems, such as strategic decisions of national emergency actions. The discussion process is the key component of the HWME system, in which the generalized experts provide valuable knowledge to human experts. In this paper, a novel framework is proposed, which can explore the personalized information of generalized experts. An item-based collaborative filtering approach is adopted for recommendation in the HWME system. Under this framework, human experts can make the best use of information provided by the generalized experts and then give a more effective judgment.

Qiudan Li, Yaodong Li, Huiguang He, Guanggang Geng, Yuanping Zhu, Chunheng Wang

Network Security and Intrusion Detection

An Intelligent Agent-Oriented System for Integrating Network Security Devices and Handling Large Amount of Security Events

To integrate network security devices to make them act as a battle team and efficiently handle the large amount of security events produced by various network applications, Network Security Intelligent Centralized Management is a basic solution. In this paper, we introduce an intelligent agent-oriented Network Security Intelligent Centralized Management System, and give a description of the system model, mechanism, hierarchy of security events, data flow diagram, filtering, transaction and normalization of security events, clustering and merging algorithm, and correlation algorithm. The experiment shows that the system can significantly reduce false positives and improve the quality of security events. It brings convenience for security administrators to integrate security devices and deal with large numbers of security events.

Yang-ming Ma, Zhi-tang Li, Jie Lei, Li Wang, Dong Li
Link Analysis-Based Detection of Anomalous Communication Patterns

Detecting anomalous communication patterns is an important security informatics application. Take the example of monitoring email communications. An efficient method that can identify emails that are unusual relative to the common behavior among a network of email originators and recipients can serve many useful functions, one of which is to filter out anomalous email exchanges for further investigation.

Daniel Zeng, Zan Huang
Social Modeling and Reasoning for Security Informatics

The modeling of human social behavior is central to the design and system development of security-related applications [Liu et al., 2006, Wang et al., in press]. Social modeling can help identify social relations between entities, leading to better understanding and representation of social information required for ISI system design. Social reasoning provides computational frameworks to facilitate the inference of social knowledge, and in turn, can enhance the social and cognitive functionality of the related analysis. In this paper, we propose an agent-based model to represent social information, and based on the proposed social structure, we discuss the reasoning and analysis techniques to support the design and development of artificial social systems for ISI applications.

Wenji Mao, Daniel Zeng, Li Zhang, Donghua Wei, Fei-Yue Wang
Detecting Botnets by Analyzing DNS Traffic

Botnets are a new trend in Internet attacks. Because the propagation of botnets will not cause large traffic like worms, it is often difficult to detect them. Till now, the most common method to detect botnets is to use honeynets. Although previous work has described an active detection technique using a DNS hijacking technique [1], there is little information about how to detect the domain names which botnets use. Some researchers also use DNS-based methods to detect botnets [2,3], but all of them use simple signature or statistical methods which require much prior knowledge.

Hao Tu, Zhi-tang Li, Bin Liu
HMM-Based Approach for Evaluating Risk Propagation

In order to holistically analyze the scope of risk propagation caused by threats, considering the relationship among the threats, a previous study [1] proposed a probabilistic model for risk propagation based on the Markov process [2]. Using our proposed model, the occurrence probability and occurrence frequency for each threat in an information system can be estimated holistically, and applied to establish countermeasures against those threats. Nevertheless, result gaps between the expected output data evaluated by the proposed Markov process-based risk propagation model and the real-world observations reported by the Korean Information Security Agency (KISA) [3] can arise due to the unexpected emergence of malicious applications such as NetBus and SubSeven, and new Internet worms. Therefore, the Hidden Markov Model (HMM) [2] based probabilistic approach is proposed in this paper to overcome this limitation.

Young-Gab Kim, Jongin Lim
A Symptom-Based Taxonomy for an Early Detection of Network Attacks

We present a symptom-based taxonomy for early detection of network attacks. Since this taxonomy uses symptoms in the network, it is relatively easy to access the information needed to classify the attack. Accordingly, an attack can be detected quite early, as the symptom always appears before the main stage of the attack. Furthermore, we are able to classify unknown attacks if the symptom of an unknown attack is correlated with that of already known attacks.

Ki-Yoon Kim, Hyoung-Kee Choi
Backmatter
Metadata
Title
Intelligence and Security Informatics
edited by
Christopher C. Yang
Daniel Zeng
Michael Chau
Kuiyu Chang
Qing Yang
Xueqi Cheng
Jue Wang
Fei-Yue Wang
Hsinchun Chen
Copyright year
2007
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-540-71549-8
Print ISBN
978-3-540-71548-1
DOI
https://doi.org/10.1007/978-3-540-71549-8