Arif Ghafoor

6 papers, 60 citations

6 Papers

CR, Oct 4, 2018
Design and Evaluation of A Data Partitioning-Based Intrusion Management Architecture for Database Systems

Muhamad Felemban, Yahya Javeed, Jason Kobes et al.

Data-intensive applications exhibit increasing reliance on Database Management Systems (DBMSs, for short). With the growing cyber-security threats to government and commercial infrastructures, the need to develop highly resilient cyber systems is becoming increasingly important. Cyber-attacks on DBMSs include intrusion attacks that may result in severe degradation in performance. Several efforts have been directed towards designing an integrated management system to detect, respond to, and recover from malicious attacks. In this paper, we propose a data Partitioning-based Intrusion Management System (PIMS, for short) that can endure intense malicious intrusion attacks on a DBMS. The novelty in PIMS is the ability to contain the damage within data partitions, termed Intrusion Boundaries (IBs, for short). The IB Demarcation Problem (IBDP, for short) is formulated as a mixed integer nonlinear program. We prove that IBDP is NP-hard. Accordingly, two heuristic solutions for IBDP are introduced. The proposed architecture for PIMS includes novel IB-centric response and recovery mechanisms, which execute compensating transactions. PIMS is prototyped within PostgreSQL, an open-source DBMS. Finally, empirical and experimental performance evaluations of PIMS are conducted to demonstrate that intelligent partitioning of data tuples improves the overall availability of the DBMS under intrusion attacks.

CR, Nov 22, 2021
PRISM: A Hierarchical Intrusion Detection Architecture for Large-Scale Cyber Networks

Yahya Javed, Mosab A. Khayat, Ali A. Elghariani et al.

The increase in scale of cyber networks and the rise in sophistication of cyber-attacks have introduced several challenges in intrusion detection. The primary challenge is the requirement to detect complex multi-stage attacks in real time by processing the immense amount of traffic produced by present-day networks. In this paper we present PRISM, a hierarchical intrusion detection architecture that uses a novel attacker behavior model-based sampling technique to minimize the real-time traffic processing overhead. PRISM has a unique multi-layered architecture that monitors network traffic in a distributed manner to provide efficiency in processing and modularity in design. PRISM employs a Hidden Markov Model-based prediction mechanism to identify multi-stage attacks and ascertain the attack progression for a proactive response. Furthermore, PRISM introduces a stream management procedure that rectifies the issue of alert reordering when alerts are collected from distributed alert reporting systems. To evaluate the performance of PRISM, multiple metrics have been proposed, and various experiments have been conducted on a multi-stage attack dataset. The results exhibit up to 7.5x improvement in processing overhead as compared to a standard centralized IDS, without loss of prediction accuracy, while demonstrating the ability to predict different attack stages promptly.

CR, Mar 27, 2020
A Security and Performance Driven Architecture for Cloud Data Centers

Muhamad Felemban, Anas Daghistani, Yahya Javeed et al.

With the growing cyber-security threats, ensuring the security of data in Cloud data centers is a challenging task. A prominent type of attack on Cloud data centers is the data tampering attack, which can jeopardize the confidentiality and the integrity of data. In this article, we present a security and performance driven architecture for these centers that incorporates an intrusion management system for multi-tenant distributed transactional databases. The proposed architecture uses a novel data partitioning and placement scheme based on damage containment and the communication cost of distributed transactions. In addition, we present a benchmarking framework for evaluating the performance of the proposed architecture. The results illustrate a trade-off between security and performance goals for Cloud data centers.

HC, Jul 31, 2019
The Validity, Generalizability and Feasibility of Summative Evaluation Methods in Visual Analytics

Mosab Khayat, Morteza Karimzadeh, David S. Ebert et al.

Many evaluation methods have been used to assess the usefulness of Visual Analytics (VA) solutions. These methods stem from a variety of origins with different assumptions and goals, which causes confusion about their proving capabilities. Moreover, the lack of discussion about the evaluation processes may limit our potential to develop new evaluation methods specialized for VA. In this paper, we present an analysis of evaluation methods that have been used to summatively evaluate VA solutions. We provide a survey and taxonomy of the evaluation methods that have appeared in the VAST literature in the past two years. We then analyze these methods in terms of the validity and generalizability of their findings, as well as the feasibility of using them. We propose a new metric called summative quality to compare evaluation methods according to their ability to prove usefulness, and make recommendations for selecting evaluation methods based on their summative quality in the VA domain.

HC, Oct 31, 2018
A Process-driven View on Summative Evaluation of Visual Analytics Solutions

Mosab Khayat, Arif Ghafoor

Many evaluation methods have been applied to assess the usefulness of visual analytics solutions. These methods branch from a variety of origins with different assumptions and goals. We provide a high-level overview of the process employed in each method using the generic evaluation model "GEM", which generalizes the process of usefulness evaluation. The model treats evaluation methods as processes that generate evidence of usefulness as output. Our model serves three purposes: it educates new VA practitioners about the heterogeneous evaluation practices in the field, it highlights potential risks in the evaluation process that reduce its validity, and it provides a guideline for selecting a suitable evaluation method.

CR, Jul 25, 2018
Architectures for Detecting Interleaved Multi-stage Network Attacks Using Hidden Markov Models

Tawfeeq Shawly, Ali Elghariani, Jason Kobes et al.

With the growing number of cyber threats, the need to develop high-assurance cyber systems is becoming increasingly important. The objective of this paper is to address the challenges of modeling and detecting sophisticated network attacks, such as multiple interleaved attacks. We present the interleaving concept and investigate how interleaving multiple attacks can deceive intrusion detection systems. Using one of the important statistical machine learning (ML) techniques, Hidden Markov Models (HMMs), we develop two architectures that take into account the stealthy nature of interleaved attacks and that can detect and track the progress of these attacks. These architectures deploy a database of HMM templates of known attacks and exhibit varying performance and complexity. For performance evaluation in the presence of multiple multi-stage attack scenarios, various metrics are proposed, which include (1) attack risk probability, (2) detection error rate, and (3) the number of correctly detected stages. Extensive simulation experiments are used to demonstrate the efficacy of the proposed architectures.