Computer security

The need to secure and control access to rooms in premises has shifted from allowing some people to enter a room to giving permission to specific persons to access a room and recording who entered the room and the time they spent in it. With such need for higher security in mind, we design an access control system for controlling physical access of people to locations or to specific units in these locations. Our study gives emphasis to the organization of physical locations, including nested rooms, and the approach used to assign permission to people to access such locations. We also define some security policies to be used in such model as well as appropriate user interfaces. Finally, we develop two patterns based on our model.

This work discusses and compares two different approaches that design and implement a requirement for security in an application. The construction process followed for the security features determines how easily further changes can be accommodated, after the application has been built. How the problem is decomposed into modules, and when, determines if a solution or parts from the solution will be reusable without modification in the same application after changes have been made to address a new or altered requirement. Two construction perspectives are analyzed. In the first perspective, security features are embedded within the application design. In the second approach, the security design is separated from the rest of the application. For this latter implementation, an aspect oriented approach is used. The analysis performed shows that how the problem is decomposed leads to different designs, which present different levels of challenge for the application's future evolution. If a more adaptable solution can be designed and implemented, then the application will be more flexible to accommodate new changes and, as a consequence, be more reusable.

The security of wireless networks has gained considerable importance due to the rapid proliferation of wireless communications. While computer network heuristics and rules are being used to control and monitor the security of Wireless Local Area Networks (WLANs), mining and learning behaviors of network users can provide a deeper level of security analysis. The objective and contribution of this thesis is three fold: exploring the security vulnerabilities of the IEEE 802.11 standard for wireless networks; extracting features or metrics, from a security point of view, for modeling network traffic in a WLAN; and proposing a data mining-based approach to intrusion detection in WLANs. A clustering- and expert-based approach to intrusion detection in a wireless network is presented in this thesis. The case study data is obtained from a real-word WLAN and contains over one million records. Given the clusters of network traffic records, a distance-based heuristic measure is proposed for labeling clusters as either normal or intrusive. The empirical results demonstrate the promise of the proposed approach, laying the groundwork for a clustering-based framework for intrusion detection in computer networks.

Medical information is very private and sensitive. With the digitization of medical data, it is becoming accessible through distributed systems, including the Internet. Access to all this information and appropriate exchange of data makes the job of health providers more effective, however, the number of people that can potentially access this information increases by orders of magnitude. Private health information is not well protected. We present guidelines for security models for medical information systems. First, we model the structure of the medical information in the form of object-oriented patterns. Second, we study models and patterns in use today and compare them to our patterns. Next we define requirements necessary for controlling access, and describe the common policies and restrictions of security models for medical applications. We present some of the medical record access control restrictions directly in a conceptual model of the medical information.

Increasing aggressions through cyber terrorism pose a constant threat to information security in our day to day life. Implementing effective intrusion detection systems (IDSs) is an essential task due to the great dependence on networked computers for the operational control of various infrastructures. Building effective IDSs, unfortunately, has remained an elusive goal owing to the great technical challenges involved, and applied data mining techniques are increasingly being utilized in attempts to overcome the difficulties. This thesis presents a comparative study of the traditional "direct" approaches with the recently explored "indirect" approaches of classification which use class binarization and combiner techniques for intrusion detection. We evaluate and compare the performance of IDSs based on various data mining algorithms, in the context of a well known network intrusion evaluation data set. It is empirically shown that data mining algorithms when applied using the indirect classification approach yield better intrusion detection models.

We discuss a set of indirect combining techniques for addressing multi-category classification problems that have been used in many domains, but not for intrusion detection systems. In contrast to the indirect combining techniques, direct techniques generally extend associated binary classifiers to handle multi-category classification problems. An indirect combining technique decomposes the original multi-category problem into, based on some criteria, multiple binary-category problems. We investigated two different approaches for building the binary classifiers. The results of the binary classifiers are then merged using a combining technique---three different combining techniques were studied. We implement some of the indirect combining techniques proposed in recent literature, and apply them to a case study of the DARPA KDD-1999 network intrusion detection project. The results demonstrate the usefulness of using indirect combining techniques for the multi-category classification problem of intrusion detection systems.

Network security is an important subject in today's extensively interconnected computer world. The industry, academic institutions, small and large businesses and even residences are now greatly at risk from the increasing onslaught of computer attacks. Such malicious efforts cause damage ranging from mere violation of confidentiality and issues of privacy up to actual financial loss if business operations are compromised, or even further, loss of human lives in the case of mission-critical networked computer applications. Intrusion Detection Systems (IDS) have been used along with the help of data mining modeling efforts to detect intruders, yet with the limitation of organizational resources it is unreasonable to inspect every network alarm raised by the IDS. Modified Expected Cost of Misclassification ( MECM) is a model selection measure that is resource-aware and cost-sensitive at the same time, and has proven to be effective for the identification of the best resource-based intrusion detection model.

The aim of this work is to explore the utilization of permutation-based transformations to achieve compression, encryption and steganography in the domain of digital videos. The main contribution of this dissertation is a novel type of digital video encryption that has several advantages over other currently available digital video encryption methods. An extended classification of digital video encryption algorithms is presented in order to clarify these advantages. The classification itself represents an original work, since to date, no such comprehensive classification is provided in known scientific literature. Both security and performance aspects of the proposed method are thoroughly analyzed to provide evidence for high security and performance efficiency. Since the basic model is feasible only for a certain class of video sequences and video codecs, several extensions providing broader applicability are described along with the basic algorithm. An additional significant contribution is the proposition of a novel type of digital video steganography based on disguising a given video by another video. Experimental results are generated for a number of video sequences to demonstrate the performance of proposed methods.

An un-supervised learning algorithm on application level intrusion detection, named Graph Sequence Learning Algorithm (GSLA), is proposed in this dissertation. Experiments prove its effectiveness. Similar to most intrusion detection algorithms, in GSLA, the normal profile needs to be learned first. The normal profile is built using a session learning method, which is combined with the one-way Analysis of Variance method (ANOVA) to determine the value of an anomaly threshold. In the proposed approach, a hash table is used to store a sparse data matrix in triple data format that is collected from a web transition log instead of an n-by-n dimension matrix. Furthermore, in GSLA, the sequence learning matrix can be dynamically changed according to a different volume of data sets. Therefore, this approach is more efficient, easy to manipulate, and saves memory space. To validate the effectiveness of the algorithm, extensive simulations have been conducted by applying the GSLA algorithm to the homework submission system at our computer science and engineering department. The performance of GSLA is evaluated and compared with traditional Markov Model (MM) and K-means algorithms. Specifically, three major experiments have been done: (1) A small data set is collected as a sample data, and is applied to GSLA, MM, and K-means algorithms to illustrate the operation of the proposed algorithm and demonstrate the detection of abnormal behaviors. (2) The Random Walk-Through sampling method is used to generate a larger sample data set, and the resultant anomaly score is classified into several clusters in order to visualize and demonstrate the normal and abnormal behaviors with K-means and GSLA algorithms. (3) Multiple professors' data sets are collected and used to build the normal profiles, and the ANOVA method is used to test the significant difference among professors' normal profiles. The GSLA algorithm can be made as a module and plugged into the IDS as an anomaly detection system.

In our society, large volumes of documents are exchanged on a daily basis. Since documents can easily be scanned, modified and reproduced without any loss in quality, unauthorized use and modification of documents is of major concern. An authentication watermark embedded into a document as an invisible, fragile mark can be used to detect illegal document modification. However, the authentication watermark can only be used to determine whether documents have been tampered with, and additional protection may be needed to prevent unauthorized use and distribution of those documents. A solution to this problem is a two-level, multipurpose watermark. The first level watermark is an authentication mark used to detect document tampering, while the second level watermark is a robust mark, which identifies the legitimate owner and/or user of specific document. This dissertation introduces a new adaptive two-level multipurpose watermarking scheme suitable for binary document images, such as scanned text, figures, engineering and road maps, architectural drawings, music scores, and handwritten text and sketches. This watermarking scheme uses uniform quantization and overlapped embedding to add two watermarks, one robust and the other fragile, into a binary document image. The two embedded watermarks serve different purposes. The robust watermark carries document owner or document user identification, and the fragile watermark confirms document authenticity and helps detect document tampering. Both watermarks can be extracted without accessing the original document image. The proposed watermarking scheme adaptively selects an image partitioning block size to optimize the embedding capacity, the image permutation key to minimize watermark detection error, and the size of local neighborhood in which modification candidate pixels are scored to minimize visible distortion of watermarked documents. Modification candidate pixels are scored using a novel, objective metric called the Structural Neighborhood Distortion Measure (SNDM). Experimental results confirm that this watermarking scheme, which embeds watermarks by modifying image pixels based on their SNDM scores, creates smaller visible document distortion than watermarking schemes which base watermark embedding on any other published pixel scoring method. Document tampering is detected successfully and the robust watermark can be detected even after document tampering renders the fragile watermark undetectable.