Thesis (Ph.D., Computer Science)--University of Idaho, June 2014 | This dissertation examines the concepts and implementation of a network-based autonomic cyber sensor framework. The research addresses the need to protect Ethernet-connected control systems, such as those found in critical infrastructures, from cyber attacks. A layered architecture is described that uses computational intelligence techniques for learning together with a multi-level communication scheme. Genetic algorithms, neural networks, fuzzy logic, clustering, passive network scanning and dynamic virtual honeypots are all integral methods of the presented work. The application of computational intelligence techniques provides heuristics for specific problems such as anomaly detection and rule creation. The framework integrates several of these techniques into a broader overall solution while shielding the complexity from the user.
Contributions of this dissertation include the introduction of a multi-level architecture with a two-layer information communication scheme. This scheme decouples changes to internal components from changes in external standards and centralizes the complexity of external messaging in a single component, reducing both implementation cost and the security exposure of the sensor. A process for the automatic creation and dynamic updating of emulated network hosts is described. This process provides an independent view of attached devices without interfering with the operational network. A network anomaly recognition system based on data clustering and advanced fuzzy logic is presented. Whereas traditional approaches reduce false positives at the expense of false negatives, or vice versa, this approach improves both measures simultaneously.
Two related algorithms for communicating network situational awareness are detailed. They bridge the semantic gap between a binary anomaly decision and an explanation of what that decision means to a human operator. The use of intrusion detection rules as a knowledge base for learning systems such as neural networks is introduced. This leverages the large body of existing knowledge encoded in static rule sets and makes that information available to anomaly-based detection systems. Finally, the automatic creation of intrusion detection rules from network traffic identified by anomaly-based detection systems is shown, resulting in a reduction of the human effort needed to create rules,
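The two directions described in this paragraph, static rules serving as a knowledge base for a learning system and anomaly-flagged traffic being turned back into rules, can be illustrated with one small round trip. The following is an added example and not code from the dissertation: the Snort-like rule grammar, the feature-vector layout, the "longest common payload prefix" signature heuristic, and all rule text and traffic are assumptions made for illustration.

```python
"""Added example (not from the dissertation). A small Snort-like rule subset
shows both directions the abstract describes:
  1. rule text -> numeric feature vector (static rules as a knowledge base
     for a learning system such as a neural network), and
  2. a cluster of anomaly-flagged flows -> one generated rule, checked
     against the flagged and the benign traffic.
Grammar, feature layout, heuristic and sample data are all assumptions."""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
PROTOS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(text):
    """Parse e.g. 'alert tcp any any -> any 502 (msg:"x"; content:"y"; sid:1;)'."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        if item.strip():
            key, _, val = item.strip().partition(":")
            opts[key.strip()] = val.strip().strip('"')
    if "content" in opts:  # |41 42| is hex notation, anything else literal ASCII
        c = opts["content"]
        opts["content"] = bytes.fromhex(c.strip("|")) if c.startswith("|") else c.encode()
    rule["opts"] = opts
    return rule


def rule_to_features(rule):
    """Direction 1: fixed-width vector a learner could consume:
    protocol one-hot, dport/65535 (0 for 'any'), sport wildcard flag, content length."""
    proto = [1.0 if rule["proto"] == p else 0.0 for p in PROTOS]
    dport = 0.0 if rule["dport"] == "any" else int(rule["dport"]) / 65535
    sport_any = 1.0 if rule["sport"] == "any" else 0.0
    return proto + [dport, sport_any, float(len(rule["opts"].get("content", b"")))]


def common_prefix(blobs):
    """Longest byte prefix shared by every payload in the cluster."""
    prefix = blobs[0]
    for b in blobs[1:]:
        n = 0
        while n < min(len(prefix), len(b)) and prefix[n] == b[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def generate_rule(flagged, sid, min_content=4):
    """Direction 2: one rule for a cluster of anomaly-flagged flows that share
    protocol and destination port, using the common payload prefix as the
    content match. Returns None if the cluster has no usable signature."""
    if len({(f.proto, f.dport) for f in flagged}) != 1:
        return None
    content = common_prefix([f.payload for f in flagged])
    if len(content) < min_content:
        return None
    f = flagged[0]
    return {"action": "alert", "proto": f.proto, "src": "any", "sport": "any",
            "dst": "any", "dport": str(f.dport),
            "opts": {"msg": f"anomaly cluster {sid}", "content": content, "sid": str(sid)}}


def render_rule(rule):
    """Serialise to rule text so a signature IDS could load the result."""
    content = rule["opts"]["content"]
    body = content.decode() if content.isalnum() else "|" + content.hex(" ") + "|"
    return (f'{rule["action"]} {rule["proto"]} {rule["src"]} {rule["sport"]} -> '
            f'{rule["dst"]} {rule["dport"]} (msg:"{rule["opts"]["msg"]}"; '
            f'content:"{body}"; sid:{rule["opts"]["sid"]};)')


def rule_matches(rule, flow):
    """Evaluate a rule against one flow: protocol, destination port, content."""
    if rule["proto"] != flow.proto:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != flow.dport:
        return False
    content = rule["opts"].get("content")
    return content is None or content in flow.payload


# Constructed data. The payloads are an invented text protocol, not Modbus.
KNOWLEDGE_BASE = [
    'alert tcp any any -> any 502 (msg:"write to PLC"; content:"WRITE"; sid:1000001;)',
    'alert udp any any -> any 161 (msg:"snmp probe"; content:"public"; sid:1000002;)',
]
FLAGGED = [
    Flow("tcp", "10.0.0.9", 40001, "10.0.0.20", 502, b"CMD WRITE coil=1 val=1"),
    Flow("tcp", "10.0.0.9", 40002, "10.0.0.20", 502, b"CMD WRITE coil=2 val=0"),
    Flow("tcp", "10.0.0.9", 40003, "10.0.0.21", 502, b"CMD WRITE reg=7 val=255"),
]
BENIGN = [
    Flow("tcp", "10.0.0.5", 50001, "10.0.0.20", 502, b"CMD READ coil=1"),
    Flow("tcp", "10.0.0.5", 50002, "10.0.0.21", 502, b"CMD READ reg=7"),
]

if __name__ == "__main__":
    for text in KNOWLEDGE_BASE:
        print(rule_to_features(parse_rule(text)))
    generated = render_rule(generate_rule(FLAGGED, 5000001))
    print(generated)
    print([rule_matches(parse_rule(generated), f) for f in FLAGGED + BENIGN])
```

The check at the end is the part a practitioner should not skip: a rule distilled from a flagged cluster is only useful if it fires on the flagged flows and stays silent on the benign ones that share the same port, which is exactly the false positive/false negative trade-off the abstract says the framework tries to improve on both sides. The `min_content` floor guards the degenerate case where the cluster's only common bytes are a protocol header shared by all traffic.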