网络入侵检测系统中的警报聚类

到目前为止,网络管理员对入侵检测系统(IDS)所产生的警报还是以在辅助工具下的手工操作进行整理,从而得到一个高级别的攻击描述。为了有效融合多种入侵检测系统报警信息,提高警告的准确性,警报聚类自动分析工具被建议使用来产生高级别的攻击描述。除此之外,警报聚类自动分析工具还可以有效地分析威胁,融合不同的信息源,例如来自于不同IDS中的信息源。该文提出了新的警报聚类系统,以便把来自于多种IDS所产生的警报进行警报聚类,产生攻击描述。实验结果表明,通过警报聚类模块有效地总结攻击可以产生高级别的警报,并大幅度地减少了要提交给管理员的警报数量。此外,以这些高级别警报为基础还可以进一步地进行威胁分析。     

Defining quality metrics for graph clustering evaluation

Evaluation of clustering has significant importance in various applications of expert and intelligent systems. Clusters are evaluated in terms of quality and accuracy. Measuring quality is a unsupervised approach that completely depends on edges, whereas measuring accuracy is a supervised approach that measures similarity between the real clustering and the predicted clustering. Accuracy cannot be measured for most of the real-world networks since real clustering is unavailable. Thus, it will be advantageous from the viewpoint of expert systems to develop a quality metric that can assure certain level of accuracy along with the quality of clustering.In this paper we have proposed a set of three quality metrics for graph clustering that have the ability to ensure accuracy along with the quality. The effectiveness of the metrics has been evaluated on benchmark graphs as well as on real-world networks and compared with existing metrics. Results indicate competency of the suggested metrics while dealing with accuracy, which will definitely improve the decision-making in expert and intelligent systems. We have also shown that our metrics satisfy all of the six quality-related properties.     

Probability based document clustering and image clustering using content-based image retrieval

Clustering of related or similar objects has long been regarded as a potentially useful contribution of helping users to navigate an information space such as a document collection. Many clustering algorithms and techniques have been developed and implemented but as the sizes of document collections have grown these techniques have not been scaled to large collections because of their computational overhead. To solve this problem, the proposed system concentrates on an interactive text clustering methodology, probability based topic oriented and semi-supervised document clustering. Recently, as web and various documents contain both text and large number of images, the proposed system concentrates on content-based image retrieval (CBIR) for image clustering to give additional effect to the document clustering approach. It suggests two kinds of indexing keys, major colour sets (MCS) and distribution block signature (DBS) to prune away the irrelevant images to given query image. Major colour sets are related with colour information while distribution block signatures are related with spatial information. After successively applying these filters to a large database, only small amount of high potential candidates that are somewhat similar to that of query image are identified. Then, the system uses quad modelling method (QM) to set the initial weight of two-dimensional cells in query image according to each major colour and retrieve more similar images through similarity association function associated with the weights. The proposed system evaluates the system efficiency by implementing and testing the clustering results with Dbscan and K-means clustering algorithms. Experiment shows that the proposed document clustering algorithm performs with an average efficiency of 94.4% for various document categories.     

Robustness analysis of privacy-preserving model-based recommendation schemes

Privacy-preserving model-based recommendation methods are preferable over privacy-preserving memory-based schemes due to their online efficiency. Model-based prediction algorithms without privacy concerns have been investigated with respect to shilling attacks. Similarly, various privacy-preserving model-based recommendation techniques have been proposed to handle privacy issues. However, privacy-preserving model-based collaborative filtering schemes might be subjected to shilling or profile injection attacks. Therefore, their robustness against such attacks should be scrutinized.In this paper, we investigate robustness of four well-known privacy-preserving model-based recommendation methods against six shilling attacks. We first apply masked data-based profile injection attacks to privacy-preserving k-means-, discrete wavelet transform-, singular value decomposition-, and item-based prediction algorithms. We then perform comprehensive experiments using real data to evaluate their robustness against profile injection attacks. Next, we compare non-private model-based methods with their privacy-preserving correspondences in terms of robustness. Moreover, well-known privacy-preserving memory- and model-based prediction methods are compared with respect to robustness against shilling attacks. Our empirical analysis show that couple of model-based schemes with privacy are very robust.     

A defence scheme against Identity Theft Attack based on multiple social networks

Recently, on-line social networking sites become more and more popular. People like to share their personal information such as their name, birthday and photos on these public sites. However, personal information could be misused by attackers. One kind of attacks called Identity Theft Attack is addressed in on-line social networking sites. After collecting the personal information of a victim, the attacker can create a fake identity to impersonate this victim and cheat the victim’s friends in order to destroy the trust relationships on the on-line social networking sites. In this paper, we propose a scheme to protect users from Identity Theft Attacks. In our work, users’ personal information can be still kept public. It means that this scheme does not violate the nature of the social networks. Compared with previous works, the proposed scheme incurs less overhead for users. Experimental results also demonstrate the practicality of the proposed scheme.     

A fuzzy model for managing natural noise in recommender systems

E-commerce customers demand quick and easy access to products in large search spaces according to their needs and preferences. To support and facilitate this process, recommender systems (RS) based on user preferences have recently played a key role. However the elicitation of customers preferences is not always precise either correct, because of external factors such as human errors, uncertainty and vagueness proper of human beings and so on. Such a problem in RS is known as natural noise and can bias customers recommendations. Despite different proposals have been presented to deal with natural noise in RS none of them is able to manage properly the inherent uncertainty and vagueness of customers preferences. Hence, this paper is devoted to a new fuzzy method for managing in a flexible and adaptable way such uncertainty of natural noise in order to improve recommendation accuracy. Eventually a case study is performed to show the improvements produced by this fuzzy method regarding previous proposals.     

Information-theoretic software clustering

The majority of the algorithms in the software clustering literature utilize structural information to decompose large software systems. Approaches using other attributes, such as file names or ownership information, have also demonstrated merit. At the same time, existing algorithms commonly deem all attributes of the software artifacts being clustered as equally important, a rather simplistic assumption. Moreover, no method that can assess the usefulness of a particular attribute for clustering purposes has been presented in the literature. In this paper, we present an approach that applies information theoretic techniques in the context of software clustering. Our approach allows for weighting schemes that reflect the importance of various attributes to be applied. We introduce LIMBO, a scalable hierarchical clustering algorithm based on the minimization of information loss when clustering a software system. We also present a method that can assess the usefulness of any nonstructural attribute in a software clustering context. We applied LIMBO to three large software systems in a number of experiments. The results indicate that this approach produces clusterings that come close to decompositions prepared by system experts. Experimental results were also used to validate our usefulness assessment method. Finally, we experimented with well-established weighting schemes from information retrieval, Web search, and data clustering. We report results as to which weighting schemes show merit in the decomposition of software systems.     

Approximate algorithms with generalizing attribute values for k-anonymity

When a table containing individual data is published, disclosure of sensitive information should be prohibitive. Since simply removing identifiers such as name and social security number may reveal the sensitive information by linking attacks which joins the published table with other tables on some attributes, the notion of k-anonymity which makes each record in the table be indistinguishable with k−1 other records by suppression or generalization has been proposed previously. It is shown to be NP-hard to k-anonymize a table minimizing information loss. The approximation algorithms with up to O(k) approximation ratio were proposed when generalization is used for anonymization.     

A novel image segmentation algorithm based on neutrosophic similarity clustering

Segmentation is an important research area in image processing, which has been used to extract objects in images. A variety of algorithms have been proposed in this area. However, these methods perform well on the images without noise, and their results on the noisy images are not good. Neutrosophic set (NS) is a general formal framework to study the neutralities’ origin, nature, and scope. It has an inherent ability to handle the indeterminant information. Noise is one kind of indeterminant information on images. Therefore, NS has been successfully applied into image processing algorithms. This paper proposed a novel algorithm based on neutrosophic similarity clustering (NSC) to segment gray level images. We utilize the neutrosophic set in image processing field and define a new similarity function for clustering. At first, an image is represented in the neutrosophic set domain via three membership sets: T, I and F. Then, a neutrosophic similarity function (NSF) is defined and employed in the objective function of the clustering analysis. Finally, the new defined clustering algorithm classifies the pixels on the image into different groups. Experiments have been conducted on a variety of artificial and real images. Several measurements are used to evaluate the proposed method's performance. The experimental results demonstrate that the NSC method segment the images effectively and accurately. It can process both images without noise and noisy images having different levels of noises well. It will be helpful to applications in image processing and computer vision.     

A triangle area based nearest neighbors approach to intrusion detection

Intrusion detection is a necessary step to identify unusual access or attacks to secure internal networks. In general, intrusion detection can be approached by machine learning techniques. In literature, advanced techniques by hybrid learning or ensemble methods have been considered, and related work has shown that they are superior to the models using single machine learning techniques. This paper proposes a hybrid learning model based on the triangle area based nearest neighbors (TANN) in order to detect attacks more effectively. In TANN, the k-means clustering is firstly used to obtain cluster centers corresponding to the attack classes, respectively. Then, the triangle area by two cluster centers with one data from the given dataset is calculated and formed a new feature signature of the data. Finally, the k-NN classifier is used to classify similar attacks based on the new feature represented by triangle areas. By using KDD-Cup ’99 as the simulation dataset, the experimental results show that TANN can effectively detect intrusion attacks and provide higher accuracy and detection rates, and the lower false alarm rate than three baseline models based on support vector machines, k-NN, and the hybrid centroid-based classification model by combining k-means and k-NN.     

Collaborative RFID intrusion detection with an artificial immune system

The current RFID systems are fragile to external attacks, due to the limitations of encryption authentication and physical protection methods used in implementation of RFID security systems. In this paper, we propose a collaborative RFID intrusion detection method that is based on an artificial immune system (AIS). The new method can enhance the security of RFID systems without need to amend the existing technical standards of RFID. Mimicking the immune cell collaboration in biological immune systems, RFID operations are defined as self and nonself antigens, representing legal and illegal RFID operations, respectively. Data models are defined for antigens’ epitopes. Known RFID attacks are defined as danger signals represented by nonself antigens. We propose a method to collect RFID data for antigens and danger signals. With the antigen and danger signal data available, we use a negative selection algorithm to generate adaptive detectors for self antigens as RFID legal operations. We use an immune based clustering algorithm aiNet to generate collaborative detectors for danger signals of RFID intrusions. Simulation results have shown that the new RFID intrusion detection method has effectively reduced the false detection rate. The detection rate on known types of attacks was 98% and the detection rate on unknown type of attacks was 93%.     

Clustering large attributed information networks: an efficient incremental computing approach

In recent years, many information networks have become available for analysis, including social networks, road networks, sensor networks, biological networks, etc. Graph clustering has shown its effectiveness in analyzing and visualizing large networks. The goal of graph clustering is to partition vertices in a large graph into clusters based on various criteria such as vertex connectivity or neighborhood similarity. Many existing graph clustering methods mainly focus on the topological structures, but largely ignore the vertex properties which are often heterogeneous. Recently, a new graph clustering algorithm, SA-cluster, has been proposed which combines structural and attribute similarities through a unified distance measure. SA-Cluster performs matrix multiplication to calculate the random walk distances between graph vertices. As part of the clustering refinement, the graph edge weights are iteratively adjusted to balance the relative importance between structural and attribute similarities. As a consequence, matrix multiplication is repeated in each iteration of the clustering process to recalculate the random walk distances which are affected by the edge weight update. In order to improve the efficiency and scalability of SA-cluster, in this paper, we propose an efficient algorithm In-Cluster to incrementally update the random walk distances given the edge weight increments. Complexity analysis is provided to estimate how much runtime cost Inc-Cluster can save. We further design parallel matrix computation techniques on a multicore architecture. Experimental results demonstrate that Inc-Cluster achieves significant speedup over SA-Cluster on large graphs, while achieving exactly the same clustering quality in terms of intra-cluster structural cohesiveness and attribute value homogeneity.     

Evaluating recommender systems from the user’s perspective: survey of the state of the art

A recommender system is a Web technology that proactively suggests items of interest to users based on their objective behavior or explicitly stated preferences. Evaluations of recommender systems (RS) have traditionally focused on the performance of algorithms. However, many researchers have recently started investigating system effectiveness and evaluation criteria from users?? perspectives. In this paper, we survey the state of the art of user experience research in RS by examining how researchers have evaluated design methods that augment RS??s ability to help users find the information or product that they truly prefer, interact with ease with the system, and form trust with RS through system transparency, control and privacy preserving mechanisms finally, we examine how these system design features influence users?? adoption of the technology. We summarize existing work concerning three crucial interaction activities between the user and the system: the initial preference elicitation process, the preference refinement process, and the presentation of the system??s recommendation results. Additionally, we will also cover recent evaluation frameworks that measure a recommender system??s overall perceptive qualities and how these qualities influence users?? behavioral intentions. The key results are summarized in a set of design guidelines that can provide useful suggestions to scholars and practitioners concerning the design and development of effective recommender systems. The survey also lays groundwork for researchers to pursue future topics that have not been covered by existing methods.     

Exploring fusion architecture for a common operational picture

Every commander's dream is to have a graphic picture of the unfolding battlespace to show the locations and movements of all entities along with extra prompter information. The DoD command concepts have evolved to yield the common operational picture (COP) and four-stage hierarchy of information fusion. We explore an architecture for refining the fusion for building a more accurate picture. It uses a central processing center to fuse tracks from multiple tracking centers with a cognitive approach that associates local tracks with central tracks and refines estimates via our new fuzzy clustering algorithm. A refinement of target identification at the central tracker is based on the local track IDs, which resolves conflicting identities in the local tracks of the same target. Situation assessment (SA) and force threat assessment (TA) are approached using our fuzzy classifier with built-in fuzzy clustering, but these are not fully developed here due to their complexity. We also propose a dual distributed-centralized tracker that establishes central tracks with both fuzzy clustering and an adaptive α–β filter and fuses the resulting tracks.     

OWA-based linkage method in hierarchical clustering: Application on phylogenetic trees

The linkage methods are mostly used in hierarchical clustering. In this paper, we integrate Ordered Weighted Averaging (OWA) operator with hierarchical clustering in order to find distances between clusters. In case of using OWA operator in order to find distance between clusters, OWA acts as a generalized case of single linkage, complete linkage, and average linkage methods. In order to illustrate the proposed method, we handle a phylogenetic tree constructed by hierarchical clustering of protein sequences. To illustrate the efficiency of the method, we use 2D-data set. We obtain graphs demonstrating the relationships of the clusters and we calculate the root-mean-square standard deviation (RMSSDT) and R-squared (RS) validity indices, respectively, which are frequently used to evaluate results of the hierarchical clustering algorithms.     

Chirp-Loc: Multi-factor authentication via acoustically-generated location signatures

Context-based authentication has been proposed as a way to enable secure authentication with minimal or even no user interaction requirements by using sensor data to ensure the device being authenticated is in possession of the person initiating the authentication request. A key limitation of practically all context-based authentication systems is that they are vulnerable to context manipulation attacks where an attacker manipulates the environment to create a desired response in the sensor data. We contribute Chirp-Loc as a system that has been designed to improve the robustness of context-based authentication solutions against context-manipulation attacks. Chirp-Loc integrates an innovative approach based on room impulse response (RIR) to establish a location fingerprint that characterizes the physical environment instead of the ambient environment. We describe the design and development of an Android prototype of Chirp-Loc. We also conduct extensive accuracy and security analysis of Chirp-Loc by considering a multi-factor authentication solution that uses Chirp-Loc to verify the proximity of an authentication token, such as a smartphone. Through extensive experiments, we demonstrate that Chirp-Loc offers high degree of security and usability. Our work paves the way for improving the resilience of context-based authentication against attackers that manipulate the context information and offers a way to implement authentication systems that minimize user interaction demands while offering a high degree of security.     

An incrementally deployable path address scheme

The research community has proposed numerous network security solutions, each dealing with a specific problem such as address spoofing, denial-of-service attacks, denial-of-quality attacks, reflection attacks, viruses, or worms. However, due to the lack of fundamental support from the Internet, individual solutions often share little common ground in their design, which causes a practical problem: deploying all these vastly different solutions will add exceedingly high complexity to the Internet routers. In this paper, we propose a simple generic extension to the Internet, providing a new type of information, called path addresses, that simplify the design of security systems for packet filtering, fair resource allocation, packet classification, IP traceback, filter push-back, etc. IP addresses are owned by end hosts; path addresses are owned by the network core, which is beyond the reach of the hosts. We describe how to enhance the Internet protocols for path addresses that meet the uniqueness requirement, completeness requirement, safety requirement, and incrementally deployable requirement. We evaluate the performance of our scheme both analytically and by simulations, which show that, at small overhead, the false positive ratio and the false negative ratio can both be made negligibly small.     

Detecting attacks on networks

As Internet based and intranet based network systems have evolved, they have become invaluable tools that businesses can use to share information and conduct business with online partners. However, hackers have also learned to use these systems to access private networks and their resources. Studies have shown that many organizations have suffered external and internal network intrusions. Internet systems are subject to various types of attacks. Traditional network security products, such as firewalls, can be penetrated from outside and can also leave organizations vulnerable to internal attacks. Generally, victims do not find out that their networks have been attacked until they examine system logs the next day, after the damage has been done. Network intrusion detection systems solve this problem by detecting external and internal security breaches as they happen and immediately notifying security personnel and network administrators by e mail or pager. Intrusion detection systems use several types of algorithms to detect possible security breaches, including algorithms for statistical anomaly detection, rule based anomaly detection, and a hybrid of the two