Geospatial intrusion detection.
Introduction
Geospatial intrusion detection is a cross-pollination of geographic information systems (GIS) and network security. Geospatial data already enhances situational awareness in many existing solutions; the notable exception has been the network security field, which has so far ridden the coattails of financially motivated sectors such as online targeted marketing, credit card fraud detection and digital rights management. To perform the detection, the address of the server contacted by each hit is geolocated, the results are examined with a spatial outlier detection algorithm to identify the outliers, and the cause of each outlier is determined by manual examination. Geospatial anomaly detection can also be added to general intrusion detection as a way of finding inappropriate usage, and it integrates easily with statistical and heuristic methods into a comprehensive intrusion detection capability.
Outlier detection
Outlier detection is a family of algorithms used for process improvement, auditing and anomaly detection in both applied and general statistics. It has been applied to spatial data, where four algorithms were compared for effectiveness; the iterative and median algorithms were identified as the most relevant to successful detection of unusual outliers. Because outliers in an individual's web usage can be associated with malware, unusual request volumes or misconfiguration, these techniques describe such usage well. Where no associated attribute values are available for general spatial outlier detection, the statistics can be applied directly using distance-based, cell-based and nearest-neighbor approaches, all of which have been used successfully in detection. Additional approximations have been employed successfully for very large data sets. In geospatial anomaly detection these techniques identify distance-based and density-based outliers, which represent unusual global usage.
IP address mapping
IP addresses have been mapped to geographic locations successfully by databases such as GeoLite and IP2Location. Such lookups are approximate: they resolve to the registered location of an address block, typically at country or city granularity, and they drift as blocks are reassigned, so a database of the same vintage as the logs should be used and the precision should not be over-read. IP space is itself a natural domain for network-centric data, and although less common than network graphs and geospatial maps, a variety of approaches use the organization of IP space for visualization. The potential value, differences and drawbacks of the IP space approach lie in its mapping functions, which can be problematic depending on the display dimension.
Intrusion detection
Intrusion detection is concerned with attacks and network-based intrusions. One approach is to correlate the attack with the attacker's location, even when the attacker is on the move. Prior-art detection systems are typically deployed on site at a company's consolidated premises in a single building. Decoy servers such as honeypot systems are set up to gather information about an intruder attacking the enterprise system; a honeypot is normally set up to be easy prey for intruders so that their activities can be traced and logged.
The dataset used here represents HTTP and HTTPS traffic passing through a proxy server, through which all web requests are routed. The proxy server records each request, its corresponding timestamp and the user name making the request. The requests represent a homogeneous group of users, both in their geospatial location and from the perspective of their employment. The users are permitted to use the internet so long as usage is not excessive; some uses, such as viewing pornography and internet gambling, are prohibited.
Architecture
The proxy log geoanomaly detection system uses a two-tiered architecture: a thick client plus an external API for visualization. The Google Earth API is integrated to allow robust mapping of results and richer data visualization. The presentation layer connects through ODBC to a backend datastore and displays both the raw pre-analysis data and the results of the analysis. C# is used because of its ease of integration with many backend data sources. A Microsoft SQL Server database forms the data layer; because the geographic operations are performed on a cell basis, the scalability and ease of integration of SQL Server are preferred over MySQL or similar packages that have integrated geospatial structures, and the data can easily be exported to Access 2003 for standalone and remote operation of the tool. In addition to the main tool there are two external applications: the Microsoft image viewing API, used to view and resize the cell output visually, and the Google Earth API, which uses Google Earth's geographic markup language, KML, to send the results directly to a Google Earth application.
Geocoding
Before geocoding, the original dataset is de-identified to remove any personally identifiable information. All query strings are removed entirely, and domain names associated with the organization are replaced with generic names, hiding both individual information that may appear in a request and the identity of the organization. Individual users are replaced with sequential, unique identifiers so that the grouping of requests by user is preserved. Note that this is pseudonymization rather than anonymization: whoever holds the user-to-identifier mapping can re-identify every record, so the mapping must be stored separately from the de-identified data and protected accordingly. After this initial cleansing the dataset is parsed into fixed records and bulk-loaded into a Microsoft SQL Server database. After loading, a separate aggregate table grouping usage per site is created to enable quick lookups. Data not used by the geolocation algorithm is discarded, and the dataset is cleansed of requests that did not result in a successful transfer.
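The de-identification and per-site aggregation steps above, as an added example that is not the tool described on the page. The proxy log format (timestamp, user, URL, HTTP status), the `corp.example` organization domain, the user names and the generic replacement host are all constructed for illustration; the tool's own record layout and database loading are not shown.

```python
"""De-identify a proxy log and aggregate usage per site (added example)."""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Constructed sample log: "<timestamp> <user> <url> <status>" per line.
SAMPLE_LOG = """\
2014-06-02T09:00:01 jsmith http://intranet.corp.example/timesheet?user=jsmith 200
2014-06-02T09:00:07 jsmith http://news.example.org/world/index.html 200
2014-06-02T09:01:12 mjones http://news.example.org/world/index.html 304
2014-06-02T09:02:45 mjones http://cdn.example.net/js/app.js?v=3#top 404
2014-06-02T09:03:10 akumar https://mail.corp.example/owa/?ae=Item 200
2014-06-02T09:04:00 akumar http://casino.example.biz/lobby 200
"""

ORG_DOMAINS = {"corp.example"}          # assumed organization domains
GENERIC_HOST = "org-internal.example"   # assumed generic replacement


@dataclass(frozen=True)
class Record:
    ts: str
    user_id: str
    host: str
    url: str
    status: int


class Pseudonymizer:
    """Replace user names with sequential IDs (u0001, u0002, ...).

    This keeps grouping by user intact but is only pseudonymization: the
    mapping re-identifies everyone and must be stored and protected apart
    from the de-identified records.
    """

    def __init__(self):
        self.mapping = {}

    def __call__(self, user):
        if user not in self.mapping:
            self.mapping[user] = f"u{len(self.mapping) + 1:04d}"
        return self.mapping[user]


def generic_host(host, org_domains):
    """Hosts under an organization domain become one generic label."""
    for d in org_domains:
        if host == d or host.endswith("." + d):
            return GENERIC_HOST
    return host


def deidentify(lines, org_domains=ORG_DOMAINS):
    """Parse raw log lines into de-identified Records plus the user mapping.

    Query strings and fragments are dropped, organization hosts are
    genericized, users become sequential IDs, and requests that did not
    complete (status outside 2xx/3xx) are discarded.
    """
    pseudo = Pseudonymizer()
    records = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, url, status = line.split()
        status = int(status)
        if not 200 <= status < 400:
            continue                        # unsuccessful transfer
        parts = urlsplit(url)
        host = generic_host(parts.hostname or "", org_domains)
        clean_url = urlunsplit((parts.scheme, host, parts.path, "", ""))
        records.append(Record(ts, pseudo(user), host, clean_url, status))
    return records, pseudo.mapping


def aggregate_per_site(records):
    """Usage per site: (total hits, distinct users), for quick lookups."""
    hits = Counter(r.host for r in records)
    users = {}
    for r in records:
        users.setdefault(r.host, set()).add(r.user_id)
    return {host: (hits[host], len(users[host])) for host in hits}


if __name__ == "__main__":
    recs, mapping = deidentify(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(aggregate_per_site(recs))
```

The 404 line is dropped before a pseudonym is assigned, so the mapping only ever contains users who appear in the retained data; the aggregate table keys on host, which is what the geolocation step later needs.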
Geoanomaly detection
In geoanomaly detection, a spatial outlier algorithm is applied to the full geocoded dataset to find abnormal usage. A cell-based approach is used to identify the outliers; it is beneficial because, combined with a simple queue structure, it is fast enough to implement in a live system, and it also works well with static data. The system runs in two modes, unweighted and weighted. The unweighted mode ignores the total number of visits to a site and counts each unique site as a single visit; the weighted mode inserts each person's visit to a site into that site's cell, so a heavily visited site carries more weight than a site visited once.
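The cell-based spatial outlier detection described here and in the Outlier detection section, as an added example; it is not the page's tool. It implements the cell-based distance-outlier scheme (a site is an outlier when fewer than M other objects lie within distance D of it), with the page's two modes: unweighted counts each unique site once, weighted counts every visit. Coordinates are treated as a flat plane in degrees, which is a simplification, and the site-to-location table stands in for a GeoLite or IP2Location lookup; both the table and the visit list are constructed.

```python
"""Cell-based spatial outlier detection over geocoded proxy hits (added example)."""
import math
from collections import Counter, defaultdict

# Constructed geolocation table: host -> (lat, lon). Stands in for a GeoIP lookup.
GEO = {
    "news.example.org": (40.7, -74.0),
    "mail.example.com": (39.9, -75.2),
    "cdn.example.net": (38.9, -77.0),
    "search.example.co.uk": (51.5, -0.1),
    "shop.example.com.au": (-33.9, 151.2),
}

# Constructed de-identified visits: (user_id, host).
VISITS = [
    ("u0001", "news.example.org"), ("u0001", "mail.example.com"),
    ("u0002", "news.example.org"), ("u0002", "cdn.example.net"),
    ("u0003", "mail.example.com"),
    ("u0001", "search.example.co.uk"), ("u0002", "search.example.co.uk"),
    ("u0003", "search.example.co.uk"),
    ("u0003", "shop.example.com.au"),
]


def build_points(visits, geo, weighted):
    """Return {host: (lat, lon, weight)}.

    unweighted: every unique site counts once; weighted: each visit counts.
    """
    hosts = [host for _, host in visits]
    w = Counter(hosts) if weighted else Counter(set(hosts))
    return {h: (geo[h][0], geo[h][1], w[h]) for h in w}


def cell_outliers(points, D, M):
    """Hosts with fewer than M other objects within planar distance D.

    Cell side is D/(2*sqrt(2)), so everything in the 8 surrounding cells
    (layer 1) is within D, and only cells at Chebyshev distance 2..3
    (layer 2) can still hold objects within D.
    """
    side = D / (2 * math.sqrt(2))
    cells = defaultdict(list)
    for host, (lat, lon, w) in points.items():
        cells[(math.floor(lon / side), math.floor(lat / side))].append((host, lat, lon, w))
    weight = {c: sum(p[3] for p in pts) for c, pts in cells.items()}

    def layer(c, lo, hi):
        return [(c[0] + dx, c[1] + dy)
                for dx in range(-hi, hi + 1) for dy in range(-hi, hi + 1)
                if lo <= max(abs(dx), abs(dy)) <= hi]

    outliers = set()
    for c, pts in cells.items():
        l1 = sum(weight.get(n, 0) for n in layer(c, 1, 1))
        if weight[c] + l1 > M:
            continue                      # every object here has >= M others within D
        l2cells = [n for n in layer(c, 2, 3) if n in cells]
        l2 = sum(weight[n] for n in l2cells)
        if weight[c] + l1 + l2 <= M:
            outliers.update(p[0] for p in pts)   # whole cell is outlying
            continue
        for host, lat, lon, _w in pts:           # object-by-object check
            near = sum(q[3] for n in l2cells for q in cells[n]
                       if math.hypot(q[1] - lat, q[2] - lon) <= D)
            if weight[c] + l1 + near <= M:
                outliers.add(host)
    return outliers


def detect(visits=VISITS, geo=GEO, D=10.0, M=2):
    """Run both modes; D and M are assumed tuning values in degrees/objects."""
    return {mode: cell_outliers(build_points(visits, geo, mode == "weighted"), D, M)
            for mode in ("unweighted", "weighted")}


if __name__ == "__main__":
    for mode, hosts in detect().items():
        print(mode, sorted(hosts))
```

With the constructed data the UK search site is an outlier in unweighted mode (one isolated site) but not in weighted mode (three visits co-located, so each has two others within D), while the single Australian visit is an outlier in both modes; this is the difference between the two modes the text describes.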
Visualization
Data is visualized in three ways. Primary visualization highlights the outliers. Secondary visualization color-codes the normalized grid according to the algorithm's results. Tertiary visualization uses the interface to Google Earth to display the results interactively. For Google Earth plotting, the outlier results are translated into KML; the plot may include both the original data and the outliers, so clustering can be viewed on the map and the distances between clusters and outliers shown directly.
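Translating outlier results into KML for Google Earth, as an added example; the page's tool does this through the Google Earth API, and this code is not its implementation. The geocoded site table, hit counts and outlier set are constructed; the style names and colours are assumptions. Each outlier is drawn with a line to its nearest non-outlier site and the great-circle distance in its description, which is how the distances between clusters and outliers can be shown on the map.

```python
"""Serialize geocoded sites and flagged outliers as KML (added example)."""
import math
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed inputs: host -> (lat, lon, hits), and the hosts flagged as outliers.
SITES = {
    "news.example.org": (40.7, -74.0, 2),
    "mail.example.com": (39.9, -75.2, 2),
    "cdn.example.net": (38.9, -77.0, 1),
    "shop.example.com.au": (-33.9, 151.2, 1),
}
OUTLIERS = {"shop.example.com.au"}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def nearest_normal(host, sites, outliers):
    """(distance_km, host) of the closest non-outlier site, or None."""
    here = sites[host][:2]
    cands = [(haversine_km(here, sites[o][:2]), o)
             for o in sites if o not in outliers and o != host]
    return min(cands) if cands else None


def _el(parent, tag, text=None, **attrib):
    el = ET.SubElement(parent, f"{{{KML_NS}}}{tag}", attrib)
    if text is not None:
        el.text = text
    return el


def build_kml(sites, outliers):
    """Normal sites in green, outliers in red with a line to their nearest normal site."""
    ET.register_namespace("", KML_NS)
    kml = ET.Element(f"{{{KML_NS}}}kml")
    doc = _el(kml, "Document")
    for sid, color in (("normal", "ff00ff00"), ("outlier", "ff0000ff")):
        st = _el(doc, "Style", id=sid)            # KML colours are aabbggrr
        _el(_el(st, "IconStyle"), "color", color)
    for host, (lat, lon, hits) in sites.items():
        is_out = host in outliers
        line_to = nearest_normal(host, sites, outliers) if is_out else None
        desc = f"{hits} hit(s)"
        if line_to:
            desc += f"; {line_to[0]:.0f} km from nearest normal site {line_to[1]}"
        pm = _el(doc, "Placemark")
        _el(pm, "name", host)
        _el(pm, "description", desc)
        _el(pm, "styleUrl", "#outlier" if is_out else "#normal")
        geom = _el(pm, "MultiGeometry") if line_to else pm
        # KML coordinate order is lon,lat,alt - the usual gotcha.
        _el(_el(geom, "Point"), "coordinates", f"{lon},{lat},0")
        if line_to:
            olat, olon = sites[line_to[1]][:2]
            _el(_el(geom, "LineString"), "coordinates",
                f"{lon},{lat},0 {olon},{olat},0")
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    print(build_kml(SITES, OUTLIERS))
```

Saving the output as a `.kml` file and opening it in Google Earth plots the cluster and the outlier together; the one-line note in each outlier's description carries the distance that the on-map line represents.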
Future
Future work on geospatial intrusion detection includes user-centered detection, live metrics and implementation of alternative methods. Live metrics require a high-usage operating environment with at least three gigabytes of memory for the system to function quickly, and live detection must be optimized to provide a quick response mechanism. For user-centered detection, the window size used in RTM operations should be made bigger. For alternative method implementation, iterative approaches should be able to find more outliers in the weighted mode, and density-based approaches should be made to perform like the cell-based approach.
Conclusion
Geospatial intrusion detection systems show strong potential for detecting spatial anomalies in the form of outliers. The system detected several instances of unusual usage, which are expected to be turned over to a human analyst in the unusual categories of foreign use, gambling and pornography. The system's ability to detect installed spyware through its usage pattern makes it viable.
Intrusion detection and prevention have been adopted rapidly in the market with the increase in security threats to enterprise networks, as well as the growth in compliance policies and in the number of data security regulations enforced by government bodies. The rapid increase in the number of intrusion incidents on business networks has forced enterprises to increase their IT security budgets and adopt new security technologies, and intrusion detection systems have been boosted to a great extent by these factors. These systems have enabled organizations to add a comprehensive security layer to their networks, providing prevention and efficient monitoring of threats such as zero-day attacks and DDoS attacks. With the increased use of wireless devices in the workplace, enterprises are also deploying wireless intrusion prevention systems. These systems are cost-effective and let business organizations focus on their core operations. They have evolved from simple network traffic and data monitoring to filtering of applications and network packets.