Using Graphs to Visualise and Detect Anomalies in Access Control System Transactions

Physical Access Control Systems are commonly used to secure doors in buildings such as airports, hospitals, government buildings and offices. These systems are designed primarily to provide an authentication mechanism, but they also log each door access as a transaction in a database. Unsupervised learning techniques can be used to detect inconsistencies or anomalies in the mobility data, such as a cloned or forged Access Badge, or unusual behaviour by staff members. In this paper, we present an overview of our method of inferring directed graphs to represent a physical building network and the flows of mobility within it. We demonstrate how the graphs can be used for Visual Data Exploration, and outline how to apply algorithms based on Information Theory to the graph data in order to detect inconsistent or abnormal behaviour.

Event-driven implicit authentication for mobile access control

In order to protect user privacy on mobile devices, an event-driven implicit authentication scheme is proposed in this paper. Several methods of utilizing the scheme for recognizing legitimate user behavior are investigated. The investigated methods compute an aggregate score and a threshold in real-time to determine the trust level of the current user using real data derived from user interaction with the device. The proposed scheme is designed to: operate completely in the background, require minimal training period, enable high user recognition rate for implicit authentication, and prompt detection of abnormal activity that can be used to trigger explicitly authenticated access control. In this paper, we investigate threshold computation through standard deviation and EWMA (exponentially weighted moving average) based algorithms. The result of extensive experiments on user data collected over a period of several weeks from an Android phone indicates that our proposed approach is feasible and effective for lightweight real-time implicit authentication on mobile smartphones.

Fuzzy logic-based implicit authentication for mobile access control

In order to address the increasing compromise of user privacy on mobile devices, a Fuzzy Logic based implicit authentication scheme is proposed in this paper. The proposed scheme computes an aggregate score based on selected features and a threshold in real-time based on current and historic data depicting user routine. The tuned fuzzy system is then applied to the aggregated score and the threshold to determine the trust level of the current user. The proposed fuzzy-integrated implicit authentication scheme is designed to: operate adaptively and completely in the background, require minimal training period, enable high system accuracy while provide timely detection of abnormal activity. In this paper, we explore Fuzzy Logic based authentication in depth. Gaussian and triangle-based membership functions are investigated and compared using real data over several weeks from different Android phone users. The presented results show that our proposed Fuzzy Logic approach is a highly effective, and viable scheme for lightweight real-time implicit authentication on mobile devices.

Implementation and Evaluation of Measurement-Based Admission Control Schemes Within a Converged Networks QoS Management Framework

Policy-based network management (PBNM) paradigms provide an effective tool for end-to-end resource
management in converged next generation networks by enabling unified, adaptive and scalable solutions
that integrate and co-ordinate diverse resource management mechanisms associated with heterogeneous
access technologies. In our project, a PBNM framework for end-to-end QoS management in converged
networks is being developed. The framework consists of distributed functional entities managed within a
policy-based infrastructure to provide QoS and resource management in converged networks. Within any
QoS control framework, an effective admission control scheme is essential for maintaining the QoS of
flows present in the network. Measurement based admission control (MBAC) and parameter basedadmission control (PBAC) are two commonly used approaches. This paper presents the implementationand analysis of various measurement-based admission control schemes developed within a Java-based
prototype of our policy-based framework. The evaluation is made with real traffic flows on a Linux-based experimental testbed where the current prototype is deployed. Our results show that unlike with classic MBAC or PBAC only schemes, a hybrid approach that combines both methods can simultaneously result in improved admission control and network utilization efficiency

Cross-layer Framework for Fine-grained Channel Access in Next Generation High-density WiFi Networks

Densely deployed WiFi networks will play a crucial role in providing the capacity for next generation mobile internet. However, due to increasing interference, overlapped channels in WiFi networks and throughput efficiency degradation, densely deployed WiFi networks is not a guarantee to obtain higher throughput. An emergent challenge is how to efficiently utilize scarce spectrum resources, by matching physical layer resources to traffic demand. In this aspect, access control allocation strategies play a pivotal role but remain too coarse-grained. As a solution, this research proposes a flexible framework for fine-grained channel width adaptation and multi-channel access in WiFi networks. This approach, named SFCA (Sub-carrier Fine-grained Channel Access), adopts DOFDM (Discontinuous Orthogonal Frequency Division Multiplexing) at the PHY layer. It allocates the frequency resource with a sub-carrier granularity, which facilitates the channel width adaptation for multi-channel access and thus brings more flexibility and higher frequency efficiency. The MAC layer uses a frequency-time domain backoff scheme, which combines the popular time-domain BEB scheme with a frequency-domain backoff to decrease access collision, resulting in higher access probability for the contending nodes. SFCA is compared with FICA (an established access scheme) showing significant outperformance. Finally we present results for next generation 802.11ac WiFi networks.

Performance analysis of an improved power-saving medium access protocol for IEEE 802.11 point coordination function WLAN

Wireless enabled portable devices must operate with the highest possible energy efficiency while still maintaining a minimum level and quality of service to meet the user's expectations. The authors analyse the performance of a new pointer-based medium access control protocol that was designed to significantly improve the energy efficiency of user terminals in wireless local area networks. The new protocol, pointer controlled slot allocation and resynchronisation protocol (PCSAR), is based on the existing IEEE 802.11 point coordination function (PCF) standard. PCSAR reduces energy consumption by removing the need for power saving stations to remain awake and listen to the channel. Using OPNET, simulations were performed under symmetric channel loading conditions to compare the performance of PCSAR with the infrastructure power saving mode of IEEE 802.11, PCF-PS. The simulation results demonstrate a significant improvement in energy efficiency without significant reduction in performance when using PCSAR. For a wireless network consisting of an access point and 8 stations in power saving mode, the energy saving was up to 31% while using PCSAR instead of PCF-PS, depending upon frame error rate and load. The results also show that PCSAR offers significantly reduced uplink access delay over PCF-PS while modestly improving uplink throughput.

Improved power-saving medium access protocol for IEEE 802.11e QoS-enabled wireless networks

The performance of a new pointer-based medium-access control protocol that was designed to significantly improve the energy efficiency of user terminals in quality-of-service-enabled wireless local area networks was analysed. The new protocol, pointer-controlled slot allocation and resynchronisation protocol (PCSARe), is based on the hybrid coordination function-controlled channel access mode of the IEEE 802.11e standard. PCSARe reduces energy consumption by removing the need for power-saving stations to remain awake for channel listening. Discrete event network simulations were performed to compare the performance of PCSARe with the non-automatic power save delivery (APSD) and scheduled-APSD power-saving modes of IEEE 802.11e. The simulation results show a demonstrable improvement in energy efficiency without significant reduction in performance when using PCSARe. For a wireless network consisting of an access point and eight stations in power-saving mode, the energy saving was up to 39% when using PCSARe instead of IEEE 802.11e non-APSD. The results also show that PCSARe offers significantly reduced uplink access delay over IEEE 802.11e non-APSD, while modestly improving the uplink throughput. Furthermore, although both had the same energy consumption, PCSARe gave a 25% reduction in downlink access delay compared with IEEE 802.11e S-APSD.

Design and Implementation of a Measurement-Based Policy-Driven Resource Management Framework For Converged Networks

This paper presents the design and implementation of a measurement-based QoS and resource management framework, CNQF (Converged Networks’ QoS Management Framework). CNQF is designed to provide unified, scalable QoS control and resource management through the use of a policy-based network
management paradigm. It achieves this via distributed functional entities that are deployed to co-ordinate the resources of the transport network through centralized policy-driven decisions supported by measurement-based control architecture. We present the CNQF architecture, implementation of the
prototype and validation of various inbuilt QoS control mechanisms using real traffic flows on a Linux-based experimental test bed.

WLAN Security Processor

A novel wireless local area network (WLAN) security processor is described in this paper. It is designed to offload security encapsulation processing from the host microprocessor in an IEEE 802.11i compliant medium access control layer to a programmable hardware accelerator. The unique design, which comprises dedicated cryptographic instructions and hardware coprocessors, is capable of performing wired equivalent privacy, temporal key integrity protocol, counter mode with cipher block chaining message authentication code protocol, and wireless robust authentication protocol. Existing solutions to wireless security have been implemented on hardware devices and target specific WLAN protocols whereas the programmable security processor proposed in this paper provides support for all WLAN protocols and thus, can offer backwards compatibility as well as future upgrade ability as standards evolve. It provides this additional functionality while still achieving equivalent throughput rates to existing architectures. © 2006 IEEE.

Fault reconstruction in linear dynamic systems using multivariate statistics

Treasure et al. (2004) recently proposed a new sub space-monitoring technique, based on the N4SID algorithm, within the multivariate statistical process control framework. This dynamic-monitoring method requires considerably fewer variables to be analysed when compared with dynamic principal component analysis (PCA). The contribution charts and variable reconstruction, traditionally employed for static PCA, are analysed in a dynamic context. The contribution charts and variable reconstruction may be affected by the ratio of the number of retained components to the total number of analysed variables. Particular problems arise if this ratio is large and a new reconstruction chart is introduced to overcome these. The utility of such a dynamic contribution chart and variable reconstruction is shown in a simulation and by application to industrial data from a distillation unit.

Performance analysis of a metro WDM ring networks with variable-length packets under symmetric and asymmetric traffic

In this paper, we discuss and evaluate two proposed metro wavelength division multiplexing (WDM) ring network architectures for variable-length packet traffic in storage area networks (SANs) settings. The paper begins with a brief review of the relevant architectures and protocols in the literature. Subsequently, the network architectures along with their medium access control (MAC) protocols are described. Performance of the two network architectures is studied by means of computer simulation in terms of their queuing delay, node throughput and proportion of packets dropped. The network performance is evaluated under symmetric and asymmetric traffic scenarios with Poisson and self-similar traffic. (C) 2011 Elsevier Inc. All rights reserved.

Detecting Anomalies in Graphs with Numeric Labels

This paper presents Yagada, an algorithm to search labelled graphs for anomalies using both structural data and numeric attributes. Yagada is explained using several security-related examples and validated with experiments on a physical Access Control database. Quantitative analysis shows that in the upper range of anomaly thresholds, Yagada detects twice as many anomalies as the best-performing numeric discretization algorithm. Qualitative evaluation shows that the detected anomalies are meaningful, representing a com- bination of structural irregularities and numerical outliers.