data mining in security: ja'far alqatawna
TRANSCRIPT
Application of Data Mining in Security: Trends and Research
Directions
Ja’far AlqatawnaUniversity of Jordan
Presentation at University of Granada
CITIC-UGR
About me
Ja’far Alqatawna
– Education:• PhD in E-Business Security, SHU, UK.• MSc. in Information & communication Systems Security, The Royal Institute of
Technology (KTH), Sweden.• BEng. In Computer Engineering, Mu’tah, Jordan.
– Work experience• Associate Professor at KASIT and head of BIT department at University of Jordan.• Program coordinator: MSc. In Web Intelligence.• Worked as Assistant Technical Director, Computer Center, University of Jordan(UJ). • Worked for the Swedish Institute of computer Science at the Security Policy and Trust
Lab. Sweden.• Co-Founder of Jordan Information Security & Digital Forensics Reacher Group.• Member of IEEE.
– Contact: [email protected]
Teaching Experience
• BSc. Level:
– e-Business, e-Business Security, Web Programming.
• MSc.
– Info Security, Secure Software Development(MSc. IS Security and digital criminology).
– Web Security(MSc. Web Intelligence).
Agenda
• Security observations.
• Security statistics.
• Insecurity: contributed factors.
• Why the interest in Data Mining.
• Application of Data Mining in Security.
• Ongoing Research Projects
Security: What can be observed over the last five
decades?
• DES & 3DES encryption (1974-1997).
• MD5 hashing (1991-1996).
• Very advanced encryption algorithms and protocols(AES, RSA, SSL,…).
• More and more of perimeter defense (firewall, Anti-Viruses, Authentication, Access Controls…).
However, security incidents are increasing significantly!!!!
Security: What do statistics really tell us?
for Microsoft Applications
Source: http://www.cvedetails.com/
What About Software Developers!!!!!!
Insecurity: Contributed factors
New technological innovations
– Web 2.0
– IoT
– Mobile App.
– Cloud
• Connectivity
• Extensibility
• Complexity
• Instant user generated
contents/applications
• Security as an afterthought
The Golden rule:
A 100% Secure system is not exist!
SHODAN: Internet of Things Search Engine
Why the interest in Data Mining
• Security is pervasive and perimeters are dissolving:– Cloud– Mobile/BYOD– OSN– E-Business
• Data Mining is powerful.– Classification– Clustering– Prediction– Contextual intelligence– Big Data analytics– Long-term correlation
Application of Data Mining in Security
• Huge amount of data is produced over the cyberspace.• Remarkable increase in the rate of various types of
cyber-attacks.
• DM can contribute to several security areas such as:1. Behavioral Biometrics & Continuous Authentication.2. Malicious Spam detection.3. Cybercrimes and Botnet detection.4. Insider misuse detection5. Sybil attacks6. Adaptive security
Behavioral Biometrics & Continuous Authentication
• Identification
• Verification
• Authentication
• Authorization
Methods of Authentication:
Something you Know.
Something you have.
Where you are.
Something you are.
Something you do.
Area #1: A Biometric Framework for Intrusion Detection over Social Networks
Published work:Alqatawna, J.: An adaptive multimodal biometric framework for intrusion detection in online social networks. IJCSNS International Journal of Computer Science and Network Security 15(4), 19–25 (2015)
• OSN platforms:– Profile based service
– Extremely interactive and generate substantial amount information.
– Subject to several security and privacy threats.
User session
Login Logout
Static Authentication
Authentication function
Something user knows:password,PIN Code,or secret question
Window of Attack
Password guessing
Phishing Attack
Session Hijacking
Machine Hijacking
Characteristics of the proposed framework
• Defense-in-depth:
1. A typical static authentication function at the login stage.
2. A set of continuous authentication functions during the user's active session:
I. Keystroke dynamics
II. Moues Dynamics
III. Touch Screen Dynamics
3. Profile-based Anomaly Detection.
User session
Login Logout
Static
Authentication
Authentication function
Something user
knows:
password,
PIN Code,
or secret
question
Continuous
Authentication
Continuous Authentication
Login Logout
Static Authentication
Authentication function
Something user
knows:
password,
PIN Code,
or secret
question
Set of
Continuous authentication
functions
user session
User activities over the OSN
Analyze
Detect
Continuous Authentication & Anomaly
Detection
Login Logout
Static Authentication
Authentication function
Something
user knows:
password,
PIN Code,
or secret
question
user session
User activities over the OSN
Pro
file-B
ased
An
om
aly
Dete
cto
r
Device
Detector
Keystroke
Dynamics
Mouse
Dynamics
Touch
Dynamics
Response
The Way Forward
• Prototype/implementation of the framework components.
• Open Source OSN platform to apply these components.
• Ground-truth Dataset.
• Effective data extraction and classification techniques.
Area #2: Malicious Spam detection
Published work:Alqatawna, J. , Faris, H. , Jaradat, K. , Al-Zewairi, M. and Adwan, O. (2015) Improving
Knowledge Based Spam Detection Methods: The Effect of Malicious Related Features in
Imbalance Data Distribution. International Journal of Communications, Network and System
Sciences, 8, 118-129. doi: 10.4236/ijcns.2015.85014.
Ongoing projects:Project 1: Malicious Spam Detection in Email Systems of Educational Institutes.
Project 2: Spammers Detection over Online Social Networks Based on Public Attributes: The
case of twitter.
Project 1: Malicious Spam Detection in Email Systems of Educational Institutes.
• 10,000 spam emails have been collected from University of Jordan and are being analyzed based on the following methodology:– Social Engineering techniques employed by
attackers(topics, impersonation, obfuscation,…etc.)
– Attack vectors: links, doc, exe, pdf, embedded code.
– Malware families: adware, bot, ransomware, rootkit,…etc.
Project 1: Malicious Spam Detection in Email Systems of Educational Institutes…NEXT STEP
• Constructing a complete dataset (Spam and Ham) from Educational context.
• Investigating Malicious spam features related to the Ed. Context.
• Build effective classification method.
Project 2: Spammers Detection over Online Social Networks
Based on Public Attributes: The case of twitter.
• In OSNs phishing attack is four times more effective than blind attempts1.
• Primary Attack vector: Spam messages with malicious links.
• Many of the profile attributes are public and can be extracted using TwitteR.
• MSc student is working on feature extraction.
1 Gao, H., Hu, J., Huang, T., Wang, J., & Chen, Y. (2011). Security issues in online social networks.
Internet Computing, IEEE, 15(4), 56-6
Feature extraction…
1. Suspicious Words : such as (Diet, Click here, Health, Make Money, Give Me, Vote , Free, etc.)
2. Default Image : Default image doesn’t changed for a while.
3. % Links in tweets: High Percentage links (URL) per tweet
4. Following to Followers ratio: follows more than being followed.
5. Repeated Words : High Percentage duplicate Words per tweet.
6. Tweet to response ratio: tweets more than responding to users comments.
7. Time between tweets: Tweets at the regular time internal.
8. Description – Tweets inconsistency: Profile description different form tweets topics.
9. Divers interest: Following or interest in various type of people.
10. Number of Tweet per Day : Number of tweet per day.
Another Area
• Botnet detection.
• Intrusion detection.
• Insider attacks and misuse detection.
• Sybil detection.
• Adaptive Security.
Thank you for listening
?
Thank You
Visit Jordan