Forum for Science, Industry and Business

Sponsored by:     3M 
Search our Site:


To Detect Cyberattacks, New Software System Developed at UB Profiles ’Normal’ Computer Habits


An early version of a new software system developed by University at Buffalo researchers that detects cyberattacks while they are in progress by drawing highly personalized profiles of users has proven successful 94 percent of the time in simulated attacks.

The "user-level anomaly detection system" was described here today (Oct. 10, 2002) at the military communications conference known as MILCOM 2002.

"We have developed a new paradigm, proactively encapsulating user intent where you basically generate a profile for every single user in the system where security is a major concern," said Shambhu Upadhyaya, Ph.D., associate professor of computer science and engineering at UB and co-author of the paper.

In addition to the paper presentation, MILCOM invited Upadhyaya to give a half-day tutorial on the new intrusion detection system at the meeting.

Upadhyaya directs UB’s Center of Excellence in Information Systems Assurance Research and Education, one of 36 in the U.S. chosen by the National Security Agency to develop new programs to conduct research and train students to protect the nation’s information technology systems from cyberterrorism.

The new UB intrusion detection system is being developed for application in highly secure facilities, such as those in the military.

"Existing approaches look at a past record of computer activity because those systems produce audits of activity for every user," he explained. "Our methodology is a marriage of two known techniques: misuse and anomaly detection. We use an assertion/rule-based approach to precisely capture the initial bracket of activity and then fine-tune this profile to reflect ongoing activity, making highly personalized and accurate profiles possible.

"Also, since users are being constantly monitored, this system can detect intrusions or attacks on-the-fly."

The UB system generates a user profile according to data about standard operations and commands that each user follows to carry out specific tasks.

The system is designed to detect significant deviations from procedures followed by normal users.

While some commercially available computer security packages already feature user-profiling, Upadhyaya noted that they are based on "low-level" methods -- meaning they seek out deviations on the basis of huge amounts of data, so they end up creating many false alarms.

"User modeling is computationally hard," said Upadhyaya. "Since many of these existing systems treat this problem purely statistically, any deviation from the norm is signaled as an anomaly, but it is often the case that an intrusion has not occurred.

"It’s a nuisance because an alarm can go off as often as every five minutes," he said.

By contrast, the system he developed with co-authors Rankumar Chinchani, a doctoral candidate in the UB Department of Computer Science and Engineering, and Kevin Kwiat of the Air Force Research Laboratory in Rome, N.Y., is based on the idea that the computation habits of normal users generally are well-defined and that he or she will work within those bounds.

"The normal behavior of computer users has been very well characterized," said Upadhyaya. "Normal users stick within well-defined parameters. Intruders or hackers, on the other hand, will not be able to carry out their intended operations within such well-defined parameters, and so will make the scope of his or her activities overly permissive," said Upadhyaya. "Our system is based on detecting that kind of behavior."

The key to the UB system’s success and its "scalable" feature is that its monitoring system operates at a high level, examining commands that users execute to perform certain operations. This is in contrast to the low-level monitoring that many existing packages perform, which examine commands as basic as the ones and zeroes of which email messages are composed.

"Our system is looking for a sequence of operations that falls within certain ’normal’ parameters," he explained.

"For example, if you want to make a document, you do certain things in a certain order, you create the document, you use a word processing program, you may run Spellcheck. Our system knows what to look for in the normal sequence that is necessary to accomplish this job. Any deviations from that are assumed to be potential cyberattacks."

The work was funded by the Air Force Research Laboratory in Rome, N.Y.

Ellen Goldbaum | EurekAlert!
Further information:

More articles from Information Technology:

nachricht Green Light for Galaxy Europe
15.03.2018 | Albert-Ludwigs-Universität Freiburg im Breisgau

nachricht Tokyo Tech's six-legged robots get closer to nature
12.03.2018 | Tokyo Institute of Technology

All articles from Information Technology >>>

The most recent press releases about innovation >>>

Die letzten 5 Focus-News des innovations-reports im Überblick:

Im Focus: Locomotion control with photopigments

Researchers from Göttingen University discover additional function of opsins

Animal photoreceptors capture light with photopigments. Researchers from the University of Göttingen have now discovered that these photopigments fulfill an...

Im Focus: Surveying the Arctic: Tracking down carbon particles

Researchers embark on aerial campaign over Northeast Greenland

On 15 March, the AWI research aeroplane Polar 5 will depart for Greenland. Concentrating on the furthest northeast region of the island, an international team...

Im Focus: Unique Insights into the Antarctic Ice Shelf System

Data collected on ocean-ice interactions in the little-researched regions of the far south

The world’s second-largest ice shelf was the destination for a Polarstern expedition that ended in Punta Arenas, Chile on 14th March 2018. Oceanographers from...

Im Focus: ILA 2018: Laser alternative to hexavalent chromium coating

At the 2018 ILA Berlin Air Show from April 25–29, the Fraunhofer Institute for Laser Technology ILT is showcasing extreme high-speed Laser Material Deposition (EHLA): A video documents how for metal components that are highly loaded, EHLA has already proved itself as an alternative to hard chrome plating, which is now allowed only under special conditions.

When the EU restricted the use of hexavalent chromium compounds to special applications requiring authorization, the move prompted a rethink in the surface...

Im Focus: Radar for navigation support from autonomous flying drones

At the ILA Berlin, hall 4, booth 202, Fraunhofer FHR will present two radar sensors for navigation support of drones. The sensors are valuable components in the implementation of autonomous flying drones: they function as obstacle detectors to prevent collisions. Radar sensors also operate reliably in restricted visibility, e.g. in foggy or dusty conditions. Due to their ability to measure distances with high precision, the radar sensors can also be used as altimeters when other sources of information such as barometers or GPS are not available or cannot operate optimally.

Drones play an increasingly important role in the area of logistics and services. Well-known logistic companies place great hope in these compact, aerial...

All Focus news of the innovation-report >>>



Industry & Economy
Event News

Ultrafast Wireless and Chip Design at the DATE Conference in Dresden

16.03.2018 | Event News

International Tinnitus Conference of the Tinnitus Research Initiative in Regensburg

13.03.2018 | Event News

International Virtual Reality Conference “IEEE VR 2018” comes to Reutlingen, Germany

08.03.2018 | Event News

Latest News

Wandering greenhouse gas

16.03.2018 | Earth Sciences

'Frequency combs' ID chemicals within the mid-infrared spectral region

16.03.2018 | Physics and Astronomy

Biologists unravel another mystery of what makes DNA go 'loopy'

16.03.2018 | Life Sciences

Science & Research
Overview of more VideoLinks >>>