Even though today’s intrusion detection systems are quite effective, they sometimes miss serious attacks or have too many false alerts. Many times the interpretation of alarms are difficult. The systems report of low-level events, but does not specify the success or how a process in a cyber-physical system could be influenced by the attack in question. Some techniques are now mature enough to always be running on the system, allowing real time analysis which can be coupled with an intrusion detection system to allow a more semantically rich alert to be issued in some circumstances.
This thesis will focus on combining different types / sources of information in a system, fuse them, to have a richer set of alerts for attack detection. The goal in this thesis is to build on top of several open-source tools but the students must be familiar with network-based tools (wireshark, understanding the protocols), as well as assembly (from the program traces of maybe Panda). You should also be familiar with some cyberphysical system.
The first step is a survey, and deciding what types of information to be collected and how. This decision is done in combination with a view on the final validation of the results (what environment can we actually test)?
An example of the final thesis would be to run Snort/Bro in conjunction with a program analysis packet such as Panda to better understand the alerts from the network-based IDS and how the alerts should be interpreted. The system to be protected should be some sort of cyber-physical system, where measured values are propagated throughout the system and used elsewhere. For that reason, detecting any tampering of the values might be of higher priority than detecting an attack against a single node. The students should use a testbed to generate network traffic, and see what they can infer about the original process (hidden) based on the traffic (observed variables). Good knowledge of hidden Markov models is a prerequisite.
For whom is this a good thesis?
If you love security, have an understanding of system building, can work with the OS, and are used to virtual machines, and system call traces this is a good thesis. You should also be interested in some sort of background to “fuse” the streams, may it be machine learning or pattern matching, and know at least one programming language to be able to work directly with hardware. If you have never used a virtual machine, this thesis may still be for you if you are up to a challenge.
How to apply? Submit your application before November 11, 2022.
If you have any question/comment about the thesis work, contact us:
Magnus Almgren; firstname.lastname@example.org