919 results for Detecting
Abstract:
Current IEEE 802.11 wireless networks are vulnerable to session hijacking attacks as the existing standards fail to address the lack of authentication of management frames and network card addresses, and rely on loosely coupled state machines. Even the new WLAN security standard - IEEE 802.11i does not address these issues. In our previous work, we proposed two new techniques for improving detection of session hijacking attacks that are passive, computationally inexpensive, reliable, and have minimal impact on network performance. These techniques utilise unspoofable characteristics from the MAC protocol and the physical layer to enhance confidence in the intrusion detection process. This paper extends our earlier work and explores usability, robustness and accuracy of these intrusion detection techniques by applying them to eight distinct test scenarios. A correlation engine has also been introduced to maintain the false positives and false negatives at a manageable level. We also explore the process of selecting optimum thresholds for both detection techniques. For the purposes of our experiments, Snort-Wireless open source wireless intrusion detection system was extended to implement these new techniques and the correlation engine. Absence of any false negatives and low number of false positives in all eight test scenarios successfully demonstrated the effectiveness of the correlation engine and the accuracy of the detection techniques.
Abstract:
Current regulatory requirements on data privacy make it increasingly important for enterprises to be able to verify and audit their compliance with their privacy policies. Traditionally, a privacy policy is written in a natural language. Such policies inherit the potential ambiguity, inconsistency and mis-interpretation of natural text. Hence, formal languages are emerging to allow a precise specification of enforceable privacy policies that can be verified. The EP3P language is one such formal language. An EP3P privacy policy of an enterprise consists of many rules. Given the semantics of the language, there may exist some rules in the ruleset which can never be used, these rules are referred to as redundant rules. Redundancies adversely affect privacy policies in several ways. Firstly, redundant rules reduce the efficiency of operations on privacy policies. Secondly, they may misdirect the policy auditor when determining the outcome of a policy. Therefore, in order to address these deficiencies it is important to identify and resolve redundancies. This thesis introduces the concept of minimal privacy policy - a policy that is free of redundancy. The essential component for maintaining the minimality of privacy policies is to determine the effects of the rules on each other. Hence, redundancy detection and resolution frameworks are proposed. Pair-wise redundancy detection is the central concept in these frameworks and it suggests a pair-wise comparison of the rules in order to detect redundancies. In addition, the thesis introduces a policy management tool that assists policy auditors in performing several operations on an EP3P privacy policy while maintaining its minimality. Formal results comparing alternative notions of redundancy, and how this would affect the tool, are also presented.
Abstract:
Aims: To determine the reliability and validity of the Severity of Dependence Scale (SDS) for detecting cannabis dependence in a large sample of in-patients with a schizophrenia spectrum disorder. Design: Cross-sectional study. Participants: Participants were 153 in-patients with a schizophrenia spectrum disorder in Brisbane, Australia. Measurements: Participants were administered the SDS for cannabis dependence in the past 12 months. The presence of Diagnostic and Statistical Manual Version-IV (DSM-IV) cannabis dependence in the previous 12 months was assessed using the Comprehensive International Diagnostic Interview (CIDI). Findings: The SDS had high levels of internal consistency and strong construct and concurrent validity. Individuals with a score of ≥2 on the SDS were nearly 30 times more likely to have DSM-IV cannabis dependence. The SDS was the strongest predictor of DSM-IV cannabis dependence after controlling for other predictor variables. Conclusions: The SDS is a brief, valid and reliable screen for cannabis dependence among people with psychosis
Abstract:
Much of what we know about lymphoedema is derived from studies involving cancer cohorts, in particular breast cancer. Yet even within this setting, and despite the known profound physical, social and psychological effects, our understanding of associated risk factors and effectiveness of prevention and treatment strategies is poorly studied with inconsistent results. The limitations of our current methods to detect and monitor lymphoedema contribute to our lack of understanding of this condition. Current measurement approaches applied in the clinical and research setting will be described during this presentation. The strengths, limitations and practical considerations relevant to measurement methods will also be addressed. Improving the way we detect and monitor lymphoedema is necessary and critical for advancing the lymphoedema field and is relevant for the detection and monitoring of lymphoedema in the clinic as well as in research.
Abstract:
Buffer overflow vulnerabilities continue to prevail and the sophistication of attacks targeting these vulnerabilities is continuously increasing. As a successful attack of this type has the potential to completely compromise the integrity of the targeted host, early detection is vital. This thesis examines generic approaches for detecting executable payload attacks, without prior knowledge of the implementation of the attack, in such a way that new and previously unseen attacks are detectable. Executable payloads are analysed in detail for attacks targeting the Linux and Windows operating systems executing on an Intel IA-32 architecture. The execution flow of attack payloads are analysed and a generic model of execution is examined. A novel classification scheme for executable attack payloads is presented which allows for characterisation of executable payloads and facilitates vulnerability and threat assessments, and intrusion detection capability assessments for intrusion detection systems. An intrusion detection capability assessment may be utilised to determine whether or not a deployed system is able to detect a specific attack and to identify requirements for intrusion detection functionality for the development of new detection methods. Two novel detection methods are presented capable of detecting new and previously unseen executable attack payloads. The detection methods are capable of identifying and enumerating the executable payload’s interactions with the operating system on the targeted host at the time of compromise. The detection methods are further validated using real world data including executable payload attacks.
Abstract:
Extensive data used to quantify broad soil C changes (without information about causation), coupled with intensive data used for attribution of changes to specific management practices, could form the basis of an efficient national grassland soil C monitoring network. Based on variability of extensive (USDA/NRCS pedon database) and intensive field-level soil C data, we evaluated the efficacy of future sample collection to detect changes in soil C in grasslands. Potential soil C changes at a range of spatial scales related to changes in grassland management can be verified (alpha=0.1) after 5 years with collection of 34, 224, 501 samples at the county, state, or national scales, respectively. Farm-level analysis indicates that equivalent numbers of cores and distinct groups of cores (microplots) results in lowest soil C coefficients of variation for a variety of ecosystems. Our results suggest that grassland soil C changes can be precisely quantified using current technology at scales ranging from farms to the entire nation. (C) 2001 Elsevier Science Ltd. All rights reserved.
Abstract:
Secret-sharing schemes describe methods to securely share a secret among a group of participants. A properly constructed secret-sharing scheme guarantees that the share belonging to one participant does not reveal anything about the shares of others or even the secret itself. Besides being used to distribute a secret, secret-sharing schemes have also been used in secure multi-party computations and redundant residue number systems for error correction codes. In this paper, we propose that the secret-sharing scheme be used as a primitive in a Network-based Intrusion Detection System (NIDS) to detect attacks in encrypted Networks. Encrypted networks such as Virtual Private Networks (VPNs) fully encrypt network traffic which can include both malicious and non-malicious traffic. Traditional NIDS cannot monitor such encrypted traffic. We therefore describe how our work uses a combination of Shamir's secret-sharing scheme and randomised network proxies to enable a traditional NIDS to function normally in a VPN environment.
Abstract:
An attempt was made to produce sensitive and specific polyclonal antisera against the viruses causing rice tungro disease, and to assess their potential for use in simple diagnostic tests. Using a multiple, sequential injection procedure, seven batches of polyclonal antisera against rice tungro bacilliform virus (RTBV) and rice tungro spherical virus (RTSV) were produced. These were characterized for their sensitivity and specificity using ring-interface precipitin test and double antibody sandwich (DAS) ELISA. Thirty-one weeks after the first immunization, antiserum batch B6b for RTBV showed the highest ring interface titer (DEP = 1:1920). For RTSV, batches S3, S4b and S5b all had similar titres (DEP = 1:640). In DAS-ELISA, however, significant differences among purified antisera (IgG) batches were observed only at IgG dilution of 10⁻³. At that dilution, IgGB4b showed the greatest sensitivity, while IgGS3 showed greatest sensitivity for RTSV. When all IgG batches were tested against 11 tungro field isolates (dual RTBV-RTSV infections) at sample dilution of 1:10, IgGB4b and IgGB6b for RTBV and IgGS3 and IgGS6b for RTSV performed equally well. However, after cross adsorption with healthy plant extracts in a specially prepared healthy plant-Sepharose affinity column, only IgGB6b could be used specifically to detect RTBV in a simple tissue-print assay.
Abstract:
In today's technological age, fraud has become more complicated, and increasingly more difficult to detect, especially when it is collusive in nature. Different fraud surveys showed that the median loss from collusive fraud is much greater than fraud perpetrated by a single person. Despite its prevalence and potentially devastating effects, collusion is commonly overlooked as an organizational risk. Internal auditors often fail to proactively consider collusion in their fraud assessment and detection efforts. In this paper, we consider fraud scenarios with collusion. We present six potentially collusive fraudulent behaviors and show their detection process in an ERP system. We have enhanced our fraud detection framework to utilize aggregation of different sources of logs in order to detect communication and have further enhanced it to render it system-agnostic thus achieving portability and making it generally applicable to all ERP systems.
Abstract:
In a clinical setting, pain is reported either through patient self-report or via an observer. Such measures are problematic as they are: 1) subjective, and 2) give no specific timing information. Coding pain as a series of facial action units (AUs) can avoid these issues as it can be used to gain an objective measure of pain on a frame-by-frame basis. Using video data from patients with shoulder injuries, in this paper, we describe an active appearance model (AAM)-based system that can automatically detect the frames in video in which a patient is in pain. This pain data set highlights the many challenges associated with spontaneous emotion detection, particularly that of expression and head movement due to the patient's reaction to pain. In this paper, we show that the AAM can deal with these movements and can achieve significant improvements in both the AU and pain detection performance compared to the current-state-of-the-art approaches which utilize similarity-normalized appearance features only.
Abstract:
The construction of timelines of computer activity is a part of many digital investigations. These timelines of events are composed of traces of historical activity drawn from system logs and potentially from evidence of events found in the computer file system. A potential problem with the use of such information is that some of it may be inconsistent and contradictory thus compromising its value. This work introduces a software tool (CAT Detect) for the detection of inconsistency within timelines of computer activity. We examine the impact of deliberate tampering through experiments conducted with our prototype software tool. Based on the results of these experiments, we discuss techniques which can be employed to deal with such temporal inconsistencies.