Contribución a la automatización de sistemas de respuesta frente a intrusiones mediante ontologías

La seguridad en redes informáticas es un área que ha sido ampliamente estudiada y objeto de una extensa investigación en los últimos años. Debido al continuo incremento en la complejidad y sofisticación de los ataques informáticos, el aumento de su velocidad de difusión, y la lentitud de reacción frente a las intrusiones existente en la actualidad, se hace patente la necesidad de mecanismos de detección y respuesta a intrusiones, que detecten y además sean capaces de bloquear el ataque, y mitiguen su impacto en la medida de lo posible. Los Sistemas de Detección de Intrusiones o IDSs son tecnologías bastante maduras cuyo objetivo es detectar cualquier comportamiento malicioso que ocurra en las redes. Estos sistemas han evolucionado rápidamente en los últimos años convirtiéndose en herramientas muy maduras basadas en diferentes paradigmas, que mejoran su capacidad de detección y le otorgan un alto nivel de fiabilidad. Por otra parte, un Sistema de Respuesta a Intrusiones (IRS) es un componente de seguridad que puede estar presente en la arquitectura de una red informática, capaz de reaccionar frente a los incidentes detectados por un Sistema de Detección de Intrusiones (IDS). Por desgracia, esta tecnología no ha evolucionado al mismo ritmo que los IDSs, y la reacción contra los ataques detectados es lenta y básica, y los sistemas presentan problemas para ejecutar respuestas de forma automática. Esta tesis doctoral trata de hacer frente al problema existente en la reacción automática frente a intrusiones, mediante el uso de ontologías, lenguajes formales de especificación de comportamiento y razonadores semánticos como base de la arquitectura del sistema de un sistema de respuesta automática frente a intrusiones o AIRS. El objetivo de la aproximación es aprovechar las ventajas de las ontologías en entornos heterogéneos, además de su capacidad para especificar comportamiento sobre los objetos que representan los elementos del dominio modelado. Esta capacidad para especificar comportamiento será de gran utilidad para que el AIRS infiera la respuesta óptima frente a una intrusión en el menor tiempo posible. Abstract Security in networks is an area that has been widely studied and has been the focus of extensive research over the past few years. The number of security events is increasing, and they are each time more sophisticated, and quickly spread, and slow reaction against intrusions, there is a need for intrusion detection and response systems to dynamically adapt so as to better detect and respond to attacks in order to mitigate them or reduce their impact. Intrusion Detection Systems (IDSs) are mature technologies whose aim is detecting malicious behavior in the networks. These systems have quickly evolved and there are now very mature tools based on different paradigms (statistic anomaly-based, signature-based and hybrids) with a high level of reliability. On the other hand, Intrusion Response System (IRS) is a security technology able to react against the intrusions detected by IDS. Unfortunately, the state of the art in IRSs is not as mature as with IDSs. The reaction against intrusions is slow and simple, and these systems have difficulty detecting intrusions in real time and triggering automated responses. This dissertation is to address the existing problem in automated reactions against intrusions using ontologies, formal behaviour languages and semantic reasoners as the basis of the architecture of an automated intrusion response systems or AIRS. The aim is to take advantage of ontologies in heterogeneous environments, in addition to its ability to specify behavior of objects representing the elements of the modeling domain. This ability to specify behavior will be useful for the AIRS in the inference process of the optimum response against an intrusion, as quickly as possible.

Application of Agent Technology for Fault Diagnosis of Telecommunication Networks

La presente tesis doctoral contribuye al problema del diagnóstico autonómico de fallos en redes de telecomunicación. En las redes de telecomunicación actuales, las operadoras realizan tareas de diagnóstico de forma manual. Dichas operaciones deben ser llevadas a cabo por ingenieros altamente cualificados que cada vez tienen más dificultades a la hora de gestionar debidamente el crecimiento exponencial de la red tanto en tamaño, complejidad y heterogeneidad. Además, el advenimiento del Internet del Futuro hace que la demanda de sistemas que simplifiquen y automaticen la gestión de las redes de telecomunicación se haya incrementado en los últimos años. Para extraer el conocimiento necesario para desarrollar las soluciones propuestas y facilitar su adopción por los operadores de red, se propone una metodología de pruebas de aceptación para sistemas multi-agente enfocada en simplificar la comunicación entre los diferentes grupos de trabajo involucrados en todo proyecto de desarrollo software: clientes y desarrolladores. Para contribuir a la solución del problema del diagnóstico autonómico de fallos, se propone una arquitectura de agente capaz de diagnosticar fallos en redes de telecomunicación de manera autónoma. Dicha arquitectura extiende el modelo de agente Belief-Desire- Intention (BDI) con diferentes modelos de diagnóstico que gestionan las diferentes sub-tareas del proceso. La arquitectura propuesta combina diferentes técnicas de razonamiento para alcanzar su propósito gracias a un modelo estructural de la red, que usa razonamiento basado en ontologías, y un modelo causal de fallos, que usa razonamiento Bayesiano para gestionar debidamente la incertidumbre del proceso de diagnóstico. Para asegurar la adecuación de la arquitectura propuesta en situaciones de gran complejidad y heterogeneidad, se propone un marco de argumentación que permite diagnosticar a agentes que estén ejecutando en dominios federados. Para la aplicación de este marco en un sistema multi-agente, se propone un protocolo de coordinación en el que los agentes dialogan hasta alcanzar una conclusión para un caso de diagnóstico concreto. Como trabajos futuros, se consideran la extensión de la arquitectura para abordar otros problemas de gestión como el auto-descubrimiento o la auto-optimización, el uso de técnicas de reputación dentro del marco de argumentación para mejorar la extensibilidad del sistema de diagnóstico en entornos federados y la aplicación de las arquitecturas propuestas en las arquitecturas de red emergentes, como SDN, que ofrecen mayor capacidad de interacción con la red. ABSTRACT This PhD thesis contributes to the problem of autonomic fault diagnosis of telecommunication networks. Nowadays, in telecommunication networks, operators perform manual diagnosis tasks. Those operations must be carried out by high skilled network engineers which have increasing difficulties to properly manage the growing of those networks, both in size, complexity and heterogeneity. Moreover, the advent of the Future Internet makes the demand of solutions which simplifies and automates the telecommunication network management has been increased in recent years. To collect the domain knowledge required to developed the proposed solutions and to simplify its adoption by the operators, an agile testing methodology is defined for multiagent systems. This methodology is focused on the communication gap between the different work groups involved in any software development project, stakeholders and developers. To contribute to overcoming the problem of autonomic fault diagnosis, an agent architecture for fault diagnosis of telecommunication networks is defined. That architecture extends the Belief-Desire-Intention (BDI) agent model with different diagnostic models which handle the different subtasks of the process. The proposed architecture combines different reasoning techniques to achieve its objective using a structural model of the network, which uses ontology-based reasoning, and a causal model, which uses Bayesian reasoning to properly handle the uncertainty of the diagnosis process. To ensure the suitability of the proposed architecture in complex and heterogeneous environments, an argumentation framework is defined. This framework allows agents to perform fault diagnosis in federated domains. To apply this framework in a multi-agent system, a coordination protocol is defined. This protocol is used by agents to dialogue until a reliable conclusion for a specific diagnosis case is reached. Future work comprises the further extension of the agent architecture to approach other managements problems, such as self-discovery or self-optimisation; the application of reputation techniques in the argumentation framework to improve the extensibility of the diagnostic system in federated domains; and the application of the proposed agent architecture in emergent networking architectures, such as SDN, which offers new capabilities of control for the network.

Replication Data Management,needs and solutions: an initial evaluation of conceptual approaches for integrating heterogeneous replication study data

Replication Data Management (RDM) aims at enabling the use of data collections from several iterations of an experiment. However, there are several major challenges to RDM from integrating data models and data from empirical study infrastructures that were not designed to cooperate, e.g., data model variation of local data sources. [Objective] In this paper we analyze RDM needs and evaluate conceptual RDM approaches to support replication researchers. [Method] We adapted the ATAM evaluation process to (a) analyze RDM use cases and needs of empirical replication study research groups and (b) compare three conceptual approaches to address these RDM needs: central data repositories with a fixed data model, heterogeneous local repositories, and an empirical ecosystem. [Results] While the central and local approaches have major issues that are hard to resolve in practice, the empirical ecosystem allows bridging current gaps in RDM from heterogeneous data sources. [Conclusions] The empirical ecosystem approach should be explored in diverse empirical environments.

Bio-inspired enhancement of reputation systems for intelligent environments

Providing security to the emerging field of ambient intelligence will be difficult if we rely only on existing techniques, given their dynamic and heterogeneous nature. Moreover, security demands of these systems are expected to grow, as many applications will require accurate context modeling. In this work we propose an enhancement to the reputation systems traditionally deployed for securing these systems. Different anomaly detectors are combined using the immunological paradigm to optimize reputation system performance in response to evolving security requirements. As an example, the experiments show how a combination of detectors based on unsupervised techniques (self-organizing maps and genetic algorithms) can help to significantly reduce the global response time of the reputation system. The proposed solution offers many benefits: scalability, fast response to adversarial activities, ability to detect unknown attacks, high adaptability, and high ability in detecting and confining attacks. For these reasons, we believe that our solution is capable of coping with the dynamism of ambient intelligence systems and the growing requirements of security demands.

A simulation environment for bio-inspired heterogeneous chained modular robots

This paper presents a new simulation environment aimed at heterogeneous chained modular robots. This simulator allows testing the feasibility of the design, checking how modules are going to perform in the field and verifying hardware, electronics and communication designs before the prototype is built, saving time and resources. The paper shows how the simulator is built and how it can be set up to adapt to new designs. It also gives some examples of its use showing different heterogeneous modular robots running in different environments.