Academic Positions

  • January 2016 to Present

    Assistant Professor

    Florida Atlantic University


  • Fall 2015

    Visiting Research Scientist

    Carnegie Mellon University


  • 2009 to Present

    Permanent Research Scientist

    NCFTA Canada

Education & Training

  • Ph.D. 2015

    Computer Science

    Concordia University

  • M.A.Sc. 2011

    Information Systems Security

    Concordia University

  • B.A.Sc. 2009

    Computer Information Systems

    Notre Dame University

Honors, Awards and Grants

  • 2017
    Best Paper Award at the 28th Annual IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (IEEE PIMRC 2017).
  • 2015
    Natural Sciences and Engineering Research Council of Canada (NSERC) Postdoctoral Fellowship (PDF):
    Top 1% of all Canadian Computer Science Ph.D. Students.
  • 2015
    Fonds de recherche du Québec - Nature et technologies (FRQNT) Postdoctoral Fellowship.
  • 2013-2015
    Alexander Graham Bell Canada Graduate Scholarship (CGS) from NSERC:
    Top 1 distinguished nationwide scholarship.
  • 2013-2015
    Fonds de recherche du Québec - Nature et technologies (FRQNT) Doctorate Scholarship:
    Ranked 2nd in the province of Québec.
  • 2014
    Best Paper Award at the International Digital Forensics Research Conference (DFRWS), Denver, USA, August 2014.
    DFRWS is the most renowned Digital Forensics venue.
  • 2013
    Best Paper Award at the International Conference on Availability, Reliability and Security (ARES), Regensburg, Germany, September 2013.
  • 2013
    Best Paper Award at the International Symposium on Network Computing and Applications (NCA), Boston, USA, August 2013.

Cyber Threat Intelligence
Laboratory Personnel


Adil Atifi

M.A.Sc. Student

Research Topic: Network Traffic Correlation For Cyber Threat Intelligence


Yongliang Huang

M.A.Sc. Student

Research Topic: TBD


Andrea Patrice Wright

Ph.D. Student (co-supervised with Dr. Nasir Ghani from USF)

Research Topic: TBD


Elham Nosrati

Ph.D. Student

Research Topic: TBD


Sophina Luitel

M.A.Sc. Student

Research Topic: A Platform For Cyber Threat Intelligence Gathering and Visualization


Farooq Shaikh

M.A.Sc. Student (co-supervised with Dr. Nasir Ghani from USF)

Research Topic: Internet Measurements for IoT Security


Nataliia Neshenko

M.A.Sc. Student

Research Topic: Internet Measurements for IoT Security


Great lab personnel!

I am lucky to have the opportunity to work with a number of excellent graduate students on various highly impactful research topics.



A Time Series Approach for Inferring Orchestrated Probing Campaigns by Analyzing Darknet Traffic

Elias Bou-Harb, Claude Fachkha, Mourad Debbabi, Chadi Assi
Conference Paper: 2015 10th International Conference on Availability, Reliability and Security (ARES)

Abstract

This paper aims at inferring probing campaigns by investigating darknet traffic. The latter probing events refer to a new phenomenon of reconnaissance activities that are distinguished by their orchestration patterns. The objective is to provide a systematic methodology to infer, in a prompt manner, whether or not the perceived probing packets belong to an orchestrated campaign. Additionally, the methodology could be easily leveraged to generate network traffic signatures to facilitate capturing incoming packets as belonging to the same inferred campaign. Indeed, this would be utilized for early cyber attack warning and notification as well as for simplified analysis and tracking of such events. To realize such goals, the proposed approach models such a challenging task as a problem of interpolating and predicting time series with missing values. By initially employing trigonometric interpolation and subsequently executing state space modeling in conjunction with a time-varying window algorithm, the proposed approach is able to pinpoint orchestrated probing campaigns by monitoring only a few orchestrated flows. We empirically evaluate the effectiveness of the proposed model using 330 GB of real darknet data. By comparing the outcome with a previously validated work, the results indeed demonstrate the promptness and accuracy of the proposed approach.

Inferring Internet-scale infections by correlating malware and probing activities

Elias Bou-Harb, Claude Fachkha, Mourad Debbabi, Chadi Assi
Conference Paper: 2014 IEEE International Conference on Communications (ICC)

Abstract

This paper presents a new approach to infer malware-infected machines by solely analyzing their generated probing activities. Contrary to other adopted methods, the proposed approach does not rely on symptoms of infection to detect compromised machines. This allows the inference of malware infection at very early stages of contamination. The approach aims at detecting whether the machines are infected or not as well as pinpointing the exact malware type/family, if the machines were found to be compromised. The latter insights allow network security operators of diverse organizations, Internet service providers and backbone networks to promptly detect their clients' compromised machines in addition to effectively providing them with tailored anti-malware/patch solutions. To achieve the intended goals, the proposed approach exploits the darknet Internet space and employs statistical methods to infer large-scale probing activities. Subsequently, such activities are correlated with malware samples by leveraging fuzzy hashing and entropy based techniques. The proposed approach is empirically evaluated using 60 GB of real darknet traffic and 65 thousand real malware samples. The results concur that the rationale of exploiting probing activities for worldwide early malware infection detection is indeed very promising. Further, the results demonstrate that the extracted inferences exhibit noteworthy accuracy and can generate significant cyber security insights that could be used for effective mitigation.

Behavioral analytics for inferring large-scale orchestrated probing events

Elias Bou-Harb, Mourad Debbabi, Chadi Assi
Conference Paper: 2014 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)

Abstract

The significant dependence on cyberspace has indeed brought new risks that often compromise, exploit and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, inferring probing events, which are commonly the first stage of any cyber attack, renders a promising tactic to achieve that task. We have been receiving for the past three years 12 GB of daily malicious real darknet data (i.e., Internet traffic destined to half a million routable yet unallocated IP addresses) from more than 12 countries. This paper exploits such data to propose a novel approach that aims at capturing the behavior of the probing sources in an attempt to infer their orchestration (i.e., coordination) pattern. The latter defines a recently discovered characteristic of a new phenomenon of probing events that could be ominously leveraged to cause drastic Internet-wide and enterprise impacts as precursors of various cyber attacks. To accomplish its goals, the proposed approach leverages various signal and statistical techniques, information theoretical metrics, fuzzy approaches with real malware traffic and data mining methods. The approach is validated through one use case that arguably proves that a previously analyzed orchestrated probing event from last year is indeed still active, yet operating in a stealthy, very low rate mode. We envision that the proposed approach that is tailored towards darknet data, which is frequently, abundantly and effectively used to generate cyber threat intelligence, could be used by network security analysts, emergency response teams and/or observers of cyber events to infer large-scale orchestrated probing events for early cyber attack warning and notification.

Fingerprinting Internet DNS Amplification DDoS Activities

Claude Fachkha, Elias Bou-Harb, Mourad Debbabi
Conference Paper: 2014 6th International Conference on New Technologies, Mobility and Security (NTMS)

Abstract

This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo-location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history led to a better understanding of the nature and scale of this threat and can generate inferences that could contribute to detecting, preventing, assessing, mitigating and even attributing DNS amplification DDoS activities.

Towards a forecasting model for distributed denial of service activities

Claude Fachkha, Elias Bou-Harb, Mourad Debbabi
Conference Paper: 2013 12th IEEE International Symposium on Network Computing and Applications (NCA). Best Paper Award.

Abstract

Distributed Denial of Service (DDoS) activities continue to dominate today's attack landscape. This work proposes a DDoS forecasting model to provide significant insights to organizations, security operators and emergency response teams during and after a targeted DDoS attack. Specifically, the work strives to predict, within minutes, the attacks' impact features, namely, intensity/rate (packets/sec) and size (estimated number of used compromised machines/bots). The goal is to understand the future short term trend of the ongoing DDoS attack in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Our analysis employs real darknet data to explore the feasibility of applying the forecasting model on targeted DDoS attacks and subsequently evaluate the accuracy of the predictions. To achieve its tasks, our proposed approach leverages a number of time series fluctuation analysis and forecasting methods. The extracted inferences from various DDoS case studies exhibit promising accuracy reaching at some points less than 1% error rate. Further, our model could lead to better understanding of the scale and speed of DDoS attacks and should generate inferences that could be adopted for immediate response and hence mitigation as well as accumulated for the purpose of long term large-scale DDoS analysis.

A Statistical Approach for Fingerprinting Probing Activities

Elias Bou-Harb, Mourad Debbabi, Chadi Assi
Conference Paper: 2013 Eighth International Conference on Availability, Reliability and Security (ARES). Best Paper Award.

Abstract

Probing is often the primary stage of an intrusion attempt that enables an attacker to remotely locate, target, and subsequently exploit vulnerable systems. This paper attempts to investigate whether the perceived traffic refers to probing activities and which exact scanning technique is being employed to perform the probing. Further, this work strives to examine probing traffic dimensions to infer the `machinery' of the scan, whether the probing activity is generated from a software tool or from a worm/botnet and whether the probing is random or follows a certain predefined pattern. Motivated by recent cyber attacks that were facilitated through probing, limited cyber security intelligence related to the mentioned inferences and the lack of accuracy that is provided by scanning detection systems, this paper presents a new approach to fingerprint probing activity. The approach leverages a number of statistical techniques, probabilistic distribution methods and observations in an attempt to understand and analyze probing activities. To prevent evasion, the approach formulates this matter as a change point detection problem that yielded motivating results. Evaluations performed using 55 GB of real darknet traffic show that the extracted inferences exhibit promising accuracy and can generate significant insights that could be used for mitigation purposes.

Investigating the dark cyberspace: Profiling, threat-based analysis and correlation

Claude Fachkha, Elias Bou-Harb, Amine Boukhtouta, Son Dinh, Farkhund Iqbal, Mourad Debbabi
Conference Paper: 2012 7th International Conference on Risk and Security of Internet and Systems (CRiSIS)

Abstract

An effective approach to gather cyber threat intelligence is to collect and analyze traffic destined to unused Internet addresses known as darknets. In this paper, we elaborate on such capability by profiling darknet data. Such information could generate indicators of cyber threat activity as well as providing in-depth understanding of the nature of its traffic. Particularly, we analyze darknet packets distribution, its used transport, network and application layer protocols and pinpoint its resolved domain names. Furthermore, we identify its IP classes and destination ports as well as geo-locate its source countries. We further investigate darknet-triggered threats. The aim is to explore darknet embedded threats and categorize their severities. Finally, we contribute by exploring the inter-correlation of such threats, by applying association rule mining techniques, to build threat association rules. Specifically, we generate clusters of threats that co-occur targeting a specific victim. Such work proves that specific darknet threats are correlated. Moreover, it provides insights about threat patterns and allows the interpretation of threat scenarios.

A first look on the effects and mitigation of VoIP SPIT flooding in 4G mobile networks

Elias Bou-Harb, Mourad Debbabi, Chadi Assi
Conference Paper: 2012 IEEE International Conference on Communications (ICC)

Abstract

The fourth generation of mobile networks is considered a technology-opportunistic and user-centric system. As part of its new architecture, 4G networks will implement an evolved packet core. Although this will provide various critical advantages, it will however expose telecom networks to serious IP-based attacks. One often adopted solution to mitigate such attacks is based on a centralized security architecture. This centralized approach nonetheless requires large processing resources to handle large amounts of traffic, which may result in a significant over dimensioning problem in the centralized nodes, causing this approach to fail to achieve its security task. In this paper, we primarily contribute by presenting a first look on the DoS effects of VoIP SPIT flooding on 4G mobile networks. We further contribute by proposing a distributed architecture on the mobile network infrastructure that is secure, efficient and cost-effective.

On detecting and clustering distributed cyber scanning

Elias Bou-Harb, Mourad Debbabi, Chadi Assi
Conference Paper: 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC)

Abstract

This paper proposes an approach that is composed of two techniques that respectively tackle the issues of detecting corporate cyber scanning and clustering distributed reconnaissance activity. The first employed technique is based on a non-attribution anomaly detection approach that focuses on what is being scanned rather than who is performing the scanning. The second technique adopts a statistical time series approach that is rendered by observing the correlation status of a traffic signal to perform the identification and clustering. To empirically validate both techniques, we experiment with two real network traffic datasets and implement two proof-of-concept environments. The first dataset comprises unsolicited one-way telescope/darknet traffic while the second dataset has been captured in our lab through a customized setup. The results show, on one hand, that for a class C network with 250 active hosts and 5 monitored servers, the proposed detection technique's training period required a stabilization time of less than 1 second and a state memory of 80 bytes. Moreover, in comparison with Snort's sfPortscan technique, it was able to detect 4215 unique scans and yielded zero false negatives. On the other hand, the proposed clustering technique is able to correctly identify and cluster the scanning machines with high accuracy even in the presence of legitimate traffic.

CSC-Detector: A System to Infer Large-Scale Probing Campaigns

Elias Bou-Harb, Chadi Assi, Mourad Debbabi
Journal Paper: IEEE Transactions on Dependable and Secure Computing, 2016

Abstract

This paper uniquely leverages unsolicited real darknet data to propose a novel system, CSC-Detector, that aims at identifying Cyber Scanning Campaigns. The latter define a new phenomenon of probing events that are distinguished by their orchestration (i.e., coordination) patterns. To achieve its aim, CSC-Detector adopts three engines. Its fingerprinting engine exploits a unique observation to extract probing activities from darknet traffic. The system’s inference engine employs a set of behavioral analytics to generate numerous significant insights related to the machinery of the probing sources while its analysis engine exploits the previously obtained inferences to automatically infer the campaigns. CSC-Detector is empirically evaluated and validated using 240 GB of real darknet data. The outcome discloses 3 recent, previously unreported large-scale probing campaigns targeting diverse Internet services. Further, one of those inferred campaigns revealed that the sipscan campaign that was initially analyzed by CAIDA is arguably still active, yet operating in a stealthy, very low rate mode. We envision that the proposed system that is tailored towards darknet data, which is frequently, abundantly and effectively used to generate cyber threat intelligence, could be used by network security analysts, emergency response teams and/or observers of cyber events to infer large-scale orchestrated probing campaigns. This would be utilized for early cyber attack warning and notification as well as for simplified analysis and tracking of such events.

A novel cyber security capability: Inferring Internet-scale infections by correlating malware and probing activities

Elias Bou-Harb, Chadi Assi, Mourad Debbabi
Journal Paper: Computer Networks (Elsevier), 2016

Abstract

This paper presents a new approach to infer worldwide malware-infected machines by solely analyzing their generated probing activities. Contrary to other adopted methods, the proposed approach does not rely on symptoms of infection to detect compromised machines. This allows the inference of malware infection at very early stages of contamination. The approach aims at detecting whether the machines are infected or not as well as pinpointing the exact malware type/family. The latter insights allow network security operators of diverse organizations, Internet service providers and backbone networks to promptly detect their clients' compromised machines in addition to effectively providing them with tailored anti-malware/patch solutions. To achieve the intended goals, the proposed approach exploits the darknet Internet space and initially filters out misconfiguration traffic targeting such space using a probabilistic model. Subsequently, the approach employs statistical methods to infer large-scale probing activities as perceived by the dark space. Consequently, such activities are correlated with malware samples by leveraging fuzzy hashing and entropy based techniques. The proposed approach is empirically evaluated using a recent 60 GB of real darknet traffic and 65 thousand real malware samples. The results concur that the rationale of exploiting probing activities for worldwide early malware infection detection is indeed very promising. Further, the results, which were validated using publicly available data resources, demonstrate that the extracted inferences exhibit noteworthy accuracy and can generate significant cyber security insights that could be used for effective mitigation.

Inferring distributed reflection denial of service attacks from darknet

Claude Fachkha, Elias Bou-Harb, Mourad Debbabi
Journal Paper: Computer Communications (Elsevier), 2015

Abstract

This work proposes a novel approach to infer and characterize Internet-scale DNS Distributed Reflection Denial of Service (DRDoS) attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) activities using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DRDoS activities such as intensity, rate and geo-location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks and the expectation maximization and k-means clustering techniques in an attempt to identify campaigns of DRDoS attacks. We empirically evaluate the proposed approach using 1.44 TB of real darknet data collected from a /13 address space during a recent several months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DRDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The extracted insights from various validated DNS DRDoS case studies led to a better understanding of the nature and scale of this threat and can generate inferences that could contribute to detecting, preventing, assessing, mitigating and even attributing DRDoS activities.
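The two DNS amplification papers (NTMS 2014 above and this Computer Communications article) extract attack characteristics such as rate, duration, packet size and target spread from DNS traffic that lands on darknet addresses, without relying on backscatter. The Python below is an illustration added here, not code from either paper: it builds a handful of DNS queries as they would arrive on unused /24 addresses, parses them on the wire (header, question, EDNS0 OPT record), and summarizes each source by rate, duration, distinct targets, advertised EDNS0 buffer and the share of ANY queries. The addresses, query names, thresholds and the "mostly ANY at more than one packet per second" flagging rule are all assumptions made for the example.

```python
import struct
from collections import defaultdict

QTYPE_ANY = 255  # the record type most abused for DNS amplification


def build_query(qname, qtype, edns_size=None, txid=0x1234):
    """Constructed DNS query on the wire: header, one question, optional EDNS0 OPT RR."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    arcount = 1 if edns_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # QR=0, RD=1
    msg += name + struct.pack("!HH", qtype, 1)                       # QCLASS IN
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS carries the advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return msg


def parse_query(msg):
    """Parse the header, the first question and an EDNS0 OPT RR if one follows."""
    txid, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, labels = 12, []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns = None
    if ar and msg[off] == 0 and struct.unpack("!H", msg[off + 1:off + 3])[0] == 41:
        edns = struct.unpack("!H", msg[off + 3:off + 5])[0]
    return {"txid": txid, "is_query": not flags & 0x8000,
            "qname": ".".join(labels), "qtype": qtype, "edns_size": edns}


def make_records():
    """Constructed darknet observations: (time_s, src, dst, udp_payload)."""
    recs = []
    probe = build_query("example.net", QTYPE_ANY, edns_size=4096)
    for t in range(60):                      # 2 pkt/s sweeping 120 unused addresses
        for k in (0, 1):
            recs.append((t, "198.51.100.21", f"192.0.2.{2 * t + k + 1}", probe))
    lookup = build_query("www.example.com", 1)  # stray A lookups, misconfiguration-like
    for t in (0, 30, 60, 90, 120):
        recs.append((t, "203.0.113.77", "192.0.2.200", lookup))
    return recs


def summarize(records, any_threshold=0.9, min_rate_pps=1.0):
    """Per-source DNS activity profile as seen by the darknet."""
    by_src = defaultdict(list)
    for t, src, dst, payload in records:
        q = parse_query(payload)
        if q["is_query"]:
            by_src[src].append((t, dst, len(payload), q))
    out = {}
    for src, rows in by_src.items():
        ts = [r[0] for r in rows]
        n, dur = len(rows), max(ts) - min(ts)
        rate = n / dur if dur > 0 else float(n)
        any_frac = sum(1 for r in rows if r[3]["qtype"] == QTYPE_ANY) / n
        out[src] = {
            "packets": n, "duration_s": dur, "rate_pps": round(rate, 2),
            "avg_size": sum(r[2] for r in rows) / n,
            "targets": len({r[1] for r in rows}),
            "any_fraction": any_frac,
            "max_edns": max(r[3]["edns_size"] or 0 for r in rows),
            "qnames": sorted({r[3]["qname"] for r in rows}),
            # assumed rule: a fast sweep of unused space with ANY queries
            "amplification_probe": any_frac >= any_threshold and rate >= min_rate_pps,
        }
    return out


if __name__ == "__main__":
    for src, profile in summarize(make_records()).items():
        print(src, profile)
```

The rate, duration and target count come straight from the timestamps and destinations; packet size and the EDNS0 buffer are what an amplification-aware analyst looks at because both scale the reflected response. On real darknet captures the same profile would be built from the UDP/53 payloads rather than from the constructed records.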

On the inference and prediction of DDoS campaigns

Claude Fachkha, Elias Bou-Harb, Mourad Debbabi
Journal Paper: Wireless Communications and Mobile Computing (Wiley), 2015

Abstract

This work proposes a distributed denial-of-service (DDoS) inference and forecasting model that aims at providing insights to organizations, security operators, and emergency response teams during and after a DDoS attack. Specifically, our work strives to predict, within minutes, the attacks' features, namely intensity/rate (packets/second) and size (estimated number of used compromised machines/bots). The goal is to understand the future short-term trend of the ongoing DDoS attack in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Further, our work aims at investigating DDoS campaigns by proposing a clustering approach to infer various victims targeted by the same campaign and predicting related features. Our analysis employs real darknet data to explore the feasibility of applying the inference and forecasting models on DDoS attacks and evaluate the accuracy of the predictions. To achieve our goal, our proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods, and forecasting approaches. The extracted inferences from various DDoS case studies exhibit a promising accuracy reaching at some points less than 1% error rate. Further, our approach could lead to a better understanding of the scale, speed, and size of DDoS attacks and generates inferences that could be adopted for immediate response and mitigation. Moreover, the accumulated insights could be used for the purpose of long-term large-scale DDoS analysis.
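Both forecasting papers (NCA 2013 above and this journal version) predict the short-term intensity of an ongoing DDoS attack from darknet-observed backscatter and report the prediction error. The abstracts do not name the specific forecasting methods, so the following Python, added here as an illustration and not the authors' model, uses Holt's linear-trend smoothing on a constructed per-minute backscatter series, scores the one-step-ahead forecasts by mean absolute percentage error, and projects the next few minutes. The series, the smoothing constants and the "rising" decision are assumptions for the example.

```python
def make_series():
    """Constructed backscatter intensity (packets/s), one sample per minute:
    a linear ramp with a small deterministic wobble standing in for darknet data."""
    return [1000 + 250 * t + (50 if t % 3 == 0 else -25) for t in range(20)]


def holt_forecast(series, alpha=0.6, beta=0.3, horizon=3):
    """Holt's linear-trend (double exponential) smoothing.
    Returns the one-step-ahead forecast for every observed minute and
    `horizon` forecasts beyond the end of the series."""
    if len(series) < 2:
        raise ValueError("need at least two observations")
    level, trend = float(series[0]), float(series[1] - series[0])
    one_step = [float(series[0])]          # nothing to forecast before the first sample
    for x in series[1:]:
        one_step.append(level + trend)     # forecast issued before x arrives
        new_level = alpha * x + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        level = new_level
    future = [level + h * trend for h in range(1, horizon + 1)]
    return one_step, future


def mape(actual, predicted):
    """Mean absolute percentage error over points with a non-zero actual value."""
    pairs = [(a, p) for a, p in zip(actual, predicted) if a]
    return 100.0 * sum(abs(a - p) / a for a, p in pairs) / len(pairs)


def forecast_report(series, horizon=3):
    """What an operator would want during the attack: how good the model has been
    on this attack so far, and where the rate is heading over the next minutes."""
    one_step, future = holt_forecast(series, horizon=horizon)
    return {
        "mape_pct": round(mape(series, one_step), 2),
        "next_pps": [round(f) for f in future],
        "trend": "rising" if future[-1] > series[-1] else "falling or flat",
    }


if __name__ == "__main__":
    print(forecast_report(make_series()))
```

Holt's method tracks a level and a slope, so it follows a ramping flood closely after a couple of minutes of data; the error on the constructed series stays in the low single digits. A sudden stop or a multi-vector attack would show up as a burst of large one-step errors, which is itself a useful signal to a response team.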

On fingerprinting probing activities

Elias Bou-Harb, Mourad Debbabi, Chadi Assi
Journal Paper: Computers & Security (Elsevier), 2014

Abstract

Motivated by recent cyber attacks that were facilitated through probing, limited cyber security intelligence and the lack of accuracy that is provided by scanning detection systems, this paper presents a new approach to fingerprint probing activity. It investigates whether the perceived traffic refers to probing activities and which exact scanning technique is being employed to perform the probing. Further, this work strives to examine probing traffic dimensions to infer the 'machinery' of the scan; whether the probing is random or follows a certain predefined pattern; which probing strategy is being employed; and whether the probing activity is generated from a software tool or from a worm/bot. The approach leverages a number of statistical techniques, probabilistic distribution methods and observations in an attempt to understand and analyze probing activities. To prevent evasion, the approach formulates this matter as a change point detection problem that yielded motivating results. Evaluations performed using 55 GB of real darknet traffic show that the extracted inferences exhibit promising accuracy and can generate significant insights that could be used for mitigation purposes.
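The ARES 2013 paper above and this journal version fingerprint a probing source along three of the dimensions the abstracts name: which scanning technique is used, whether targets are chosen randomly or by a predefined pattern, and a change point detector to catch a source that alters its rate to evade thresholds. The Python below is an illustration added here, not the papers' own method: the flag-to-technique table, the stride test for patterned targeting, the one-sided CUSUM (one of several possible change point statistics; the abstracts do not name theirs), the constructed records and the thresholds are all assumptions for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

# Assumed mapping from the dominant TCP flag set to the scan technique.
TECHNIQUES = {
    frozenset("S"): "SYN scan",
    frozenset("F"): "FIN scan",
    frozenset(): "NULL scan",
    frozenset("FPU"): "XMAS scan",
    frozenset("A"): "ACK scan",
}


def make_records():
    """Constructed darknet records: (time_s, src, dst, proto, flags).
    flags holds TCP flag letters (S, A, F, R, P, U); "" means no flags set."""
    recs = []
    # Source A: SYN scan walking 192.0.2.0/24 in address order, 1 pkt/s for
    # 60 s, then 4 pkt/s: the rate change a change point detector should catch.
    host = 1
    for t in range(60):
        recs.append((t, "203.0.113.10", f"192.0.2.{host}", "tcp", "S"))
        host += 1
    for t in range(60, 80):
        for _ in range(4):
            recs.append((t, "203.0.113.10", f"192.0.2.{host}", "tcp", "S"))
            host += 1
    # Source B: XMAS scan (FIN+PSH+URG) of pseudo-random hosts at a steady 1 pkt/s.
    x = 12345
    for t in range(40):
        x = (x * 1103515245 + 12345) % 2**31        # small LCG, deterministic
        recs.append((t, "198.51.100.7", f"192.0.2.{1 + x % 254}", "tcp", "FPU"))
    return recs


def scan_technique(proto, flag_strings):
    if proto == "udp":
        return "UDP scan"
    dominant = Counter(frozenset(f) for f in flag_strings).most_common(1)[0][0]
    return TECHNIQUES.get(dominant, "TCP, unclassified flags " + "".join(sorted(dominant)))


def target_pattern(dsts, threshold=0.8):
    """Patterned if one address stride accounts for most consecutive steps."""
    ints = [int(ip_address(d)) for d in dsts]
    steps = [b - a for a, b in zip(ints, ints[1:])]
    if not steps:
        return "insufficient data"
    stride, n = Counter(steps).most_common(1)[0]
    return f"patterned (stride {stride})" if n / len(steps) >= threshold else "random"


def per_second_counts(times):
    c = Counter(int(t) for t in times)
    lo, hi = min(c), max(c)
    return [c.get(s, 0) for s in range(lo, hi + 1)]


def cusum_change_point(counts, baseline_len=20, k=0.5, h=5.0):
    """One-sided CUSUM for an upward shift in the mean packet rate.
    Returns the first second at which the statistic exceeds h, else None."""
    mu0 = sum(counts[:baseline_len]) / max(1, min(baseline_len, len(counts)))
    s = 0.0
    for t, x in enumerate(counts):
        s = max(0.0, s + (x - mu0 - k))
        if s > h:
            return t
    return None


def fingerprint_all(records):
    by_src = defaultdict(list)
    for r in records:
        by_src[r[1]].append(r)
    out = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r[0])            # stable sort keeps per-second order
        proto = Counter(r[3] for r in rs).most_common(1)[0][0]
        out[src] = {
            "packets": len(rs),
            "technique": scan_technique(proto, [r[4] for r in rs]),
            "pattern": target_pattern([r[2] for r in rs]),
            "change_point_s": cusum_change_point(per_second_counts([r[0] for r in rs])),
        }
    return out


if __name__ == "__main__":
    for src, fp in fingerprint_all(make_records()).items():
        print(src, fp)
```

The CUSUM fires two seconds after source A quadruples its rate, while the steady source B never trips it; a plain per-second threshold would either miss the slow phase or alarm on the constant scanner, which is the evasion the change point formulation is meant to resist.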

Cyber Scanning: A Comprehensive Survey

Elias Bou-Harb, Mourad Debbabi, Chadi Assi
Journal Paper: IEEE Communications Surveys & Tutorials, 2014

Abstract

Cyber scanning refers to the task of probing enterprise networks or Internet wide services, searching for vulnerabilities or ways to infiltrate IT assets. This misdemeanor is often the primary methodology that is adopted by attackers prior to launching a targeted cyber attack. Hence, it is of paramount importance to research and adopt methods for the detection and attribution of cyber scanning. Nevertheless, with the surge of complex offered services from one side and the proliferation of hackers' refined, advanced, and sophisticated techniques from the other side, the task of containing cyber scanning poses serious issues and challenges. Furthermore, recently, there has been a flourishing of a cyber phenomenon dubbed cyber scanning campaigns - scanning techniques that are highly distributed, possess composite stealth capabilities and high coordination - rendering almost all current detection techniques unfeasible. This paper presents a comprehensive survey of the entire cyber scanning topic. It categorizes cyber scanning by elaborating on its nature, strategies and approaches. It also provides the reader with a classification and an exhaustive review of its techniques. Moreover, it offers a taxonomy of the current literature by focusing on distributed cyber scanning detection methods. To tackle cyber scanning campaigns, this paper uniquely reports on the analysis of two recent cyber scanning incidents. Finally, several concluding remarks are discussed.

Multidimensional investigation of source port 0 probing

Elias Bou-Harb, Nour-Eddine Lakhdari, Hamad Binsalleeh, Mourad Debbabi
Journal Paper: Digital Investigation (Elsevier), 2014

Abstract

During November 2013, the operational cyber/network security community reported an unprecedented increase of traffic originating from source port 0. This event was deemed malicious although its core aim and mechanism were obscured. This paper investigates that event using a multifaceted approach that leverages three real network security feeds that we receive on a daily basis, namely, darknet, passive DNS and malware data. The goal is to analyze such an event from the perspectives of those feeds in order to generate significant insights and inferences that could contribute to disclosing the inner details of that incident. The approach extracts and subsequently fingerprints such malicious traffic from the received darknet data. By executing unsupervised machine learning techniques on the extracted traffic, we disclose clusters of activities that share similar machinery. Further, by employing a set of statistical-based behavioral analytics, we capture the mechanisms of those clusters, including their strategies, techniques and nature. We consequently correlate the sources with passive DNS in order to investigate their maliciousness. Moreover, to examine if the sources are malware contaminated, we execute a correlation mechanism between the darknet data and the malware feeds. The outcome reveals that such traffic is indeed reconnaissance/probing activity originating from three different horizontal scans utilizing packets with a TCP header length of 0 or packets with odd flag combinations. The results also demonstrate that 28% of the scanning sources host malicious/blacklisted domains as they are often used for spamming, phishing and other fraud activities. Additionally, the outcome portrays that the bot probing sources are infected by 'Virus.Win32.Sality'. By correlating various evidence, we confirm that such malware specimen is in fact responsible for part of the source port 0 probing event. We concur that this work is a first attempt ever to comprehend the machinery of such a unique event and we hope that the community could consider it as a building block for auxiliary analysis and investigation.
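The abstract characterizes the source port 0 traffic as horizontal scans whose packets carry a TCP header length (data offset) of 0 or odd flag combinations. The Python below, added here as an illustration and not the paper's code, builds a few raw IPv4/TCP headers with the standard library, parses them back, applies that rule to tag suspect packets, and groups the suspects by destination port to count horizontal scans. The sample packets, the addresses and the particular list of "odd" flag combinations are constructed for the example; the abstract does not enumerate the combinations the authors observed.

```python
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def build_packet(src_ip, dst_ip, sport, dport, flags, data_offset=5):
    """Constructed IPv4+TCP header (no checksums; enough for the parser below).
    data_offset is the TCP header length in 32-bit words; 0 is the malformed value."""
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (data_offset << 12) | (flags & 0x3F), 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    return ip + tcp


def parse_tcp(pkt):
    """Return the IP/TCP fields a probe classifier needs, or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 14:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
            "sport": sport, "dport": dport,
            "data_offset": off_flags >> 12, "flags": off_flags & 0x3F}


# Flag combinations no well-formed connection attempt produces (assumption made
# for this example; the abstract only says "odd flag combinations").
ODD_COMBOS = {0, TCP_SYN | TCP_FIN, TCP_SYN | TCP_RST, 0x3F}


def flags_are_odd(flags):
    if flags in ODD_COMBOS:
        return True
    # FIN/PSH/URG carried without ACK or SYN: FIN, XMAS and similar stealth scans
    return bool(flags & (TCP_FIN | TCP_PSH | TCP_URG) and not flags & (TCP_ACK | TCP_SYN))


def classify(pkt):
    h = parse_tcp(pkt)
    if h is None:
        return None
    h["zero_header_len"] = h["data_offset"] == 0
    h["odd_flags"] = flags_are_odd(h["flags"])
    # Source port 0 on its own is unusual but not conclusive; the abstract's
    # signature pairs it with a malformed header or odd flags.
    h["suspect_probe"] = h["sport"] == 0 and (h["zero_header_len"] or h["odd_flags"])
    return h


def horizontal_scans(pkts):
    """Distinct targets per destination port among suspect packets: each entry
    is one horizontal scan (one service probed across many hosts)."""
    targets = defaultdict(set)
    for p in pkts:
        h = classify(p)
        if h and h["suspect_probe"]:
            targets[h["dport"]].add(h["dst"])
    return {port: len(dsts) for port, dsts in targets.items()}


SAMPLE = [
    build_packet("198.51.100.5", "192.0.2.10", 0, 80, TCP_SYN, data_offset=0),
    build_packet("198.51.100.5", "192.0.2.11", 0, 80, TCP_SYN, data_offset=0),
    build_packet("198.51.100.6", "192.0.2.20", 0, 443, TCP_SYN | TCP_FIN),
    build_packet("198.51.100.7", "192.0.2.30", 0, 22, 0),              # NULL probe
    build_packet("203.0.113.9", "192.0.2.10", 44321, 80, TCP_SYN),     # ordinary SYN
    build_packet("203.0.113.9", "192.0.2.10", 0, 80, TCP_SYN),         # sport 0 alone
]

if __name__ == "__main__":
    for h in map(classify, SAMPLE):
        print(h)
    print(horizontal_scans(SAMPLE))
```

Against a real capture the same classifier would run over the IP payload of each frame; the header-length check matters because many stacks and some tools silently drop or reject a TCP segment whose data offset is below 5, so those packets are visible only to passive sensors such as a darknet.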

Communication security for smart grid distribution networks

Elias Bou-Harb, Claude Fachkha, Makan Pourzandi, Mourad Debbabi, Chadi Assi
Journal Paper: IEEE Communications Magazine, 2013

Abstract

The operation and control of the next generation electrical grids will depend on a complex network of computers, software, and communication technologies. Being compromised by a malicious adversary would cause significant damage, including extended power outages and destruction of electrical equipment. Moreover, the implementation of the smart grid will include the deployment of many new enabling technologies such as advanced sensors and metering, and the integration of distributed generation resources. Such technologies and various others will require the addition and utilization of multiple communication mechanisms and infrastructures that may suffer from serious cyber vulnerabilities. These need to be addressed in order to increase the security and thus the greatest adoption and success of the smart grid. In this article, we focus on the communication security aspect, which deals with the distribution component of the smart grid. Consequently, we target the network security of the advanced metering infrastructure coupled with the data communication toward the transmission infrastructure. We discuss the security and feasibility aspects of possible communication mechanisms that could be adopted on that subpart of the grid. By accomplishing this, the correlated vulnerabilities in these systems could be remediated, and associated risks may be mitigated for the purpose of enhancing the cyber security of the future electric grid.

A systematic approach for detecting and clustering distributed cyber scanning

Elias Bou-Harb, Mourad Debbabi, Chadi Assi
Journal Paper: Computer Networks (Elsevier), 2013

Abstract

We present in this paper an approach that is composed of two techniques that respectively tackle the issues of detecting corporate cyber scanning and clustering distributed reconnaissance activity. The first employed technique is based on a non-attribution anomaly detection approach that focuses on what is being scanned rather than who is performing the scanning. The second technique adopts a statistical time series approach that is rendered by observing the correlation status of a traffic signal to perform the identification and clustering. To empirically validate both techniques, we utilize and examine two real network traffic datasets and implement two experimental environments. The first dataset comprises unsolicited one-way telescope/darknet traffic while the second dataset has been captured in our lab through a customized setup. The results show, on one hand, that for a class C network with 250 active hosts and 5 monitored servers, the training period of the proposed detection technique required a stabilization time of less than 1 s and a state memory of 80 bytes. Moreover, in comparison with Snort's sfPortscan technique, it was able to detect 4215 unique scans and yielded zero false negatives. On the other hand, the proposed clustering technique is able to correctly identify and cluster the scanning machines with high accuracy even in the presence of legitimate traffic. We further validate this clustering technique by formulating the presented scenario as a machine learning problem. Specifically, we compare our proposed technique with an unsupervised data clustering technique that adopts the k-means and the expectation maximization approach. The results authenticate our clustering technique rendering it feasible for adoption.

A secure, efficient, and cost-effective distributed architecture for spam mitigation on LTE 4G mobile networks

Elias Bou-Harb, Makan Pourzandi, Mourad Debbabi, Chadi Assi
Journal Paper 2013 Wiley Journal of Security and Communication Networks

Abstract

The 4G of mobile networks will be a technology-opportunistic and user-centric system, combining the economical and technological advantages of various transmission technologies. As a part of its new architecture, LTE networks will implement an evolved packet core. Although this will provide various critical advantages, it will, on the other hand, expose telecom networks to serious IP-based attacks. One often adopted solution to mitigate such attacks is based on a centralized security architecture. However, this approach requires large processing and memory resources to handle huge amounts of traffic, which, in turn, causes a significant over-dimensioning problem in the centralized nodes. Hence, this approach may fail to achieve its security task. In this paper, we focus on a SPAM flooding attack, namely SMTP SPAM, and demonstrate, through simulations and discussion, its DoS impact on the Long Term Evolution (LTE) network and the subsequent effects on the mobile network operator. Our main contribution involves proposing a distributed architecture on the LTE network that is secure and that mitigates attacks efficiently by solving the over-dimensioning problem. It is also cost-effective by utilizing 'off-the-shelf' low-cost hardware in the distributed nodes. Through additional simulation and analysis, we demonstrate the feasibility and effectiveness of our approach.

Current Teaching

  • January 2016 Present

    COT 6930 Cyber Security: Measurement and Data Analysis

    This new graduate course introduces data science to the field of cyber security. Digital investigation approaches for cyber security will be discussed. Further, data analytics and traffic analysis methodologies will be presented. Data acquisition and sound analysis methods will also be elaborated. Approaches for inferring and attributing various types of cyber attacks will be presented.

Teaching History

  • 2011 2014

    INSE 6120 Cryptographic Protocols and Network Security Lab

    The course introduces concepts, methodologies, techniques, tools and research problems in network security. Methods used in the design and analysis of security protocols, as well as an introduction to the most prominent cryptographic protocols will be presented. We will address the issue of network security policies, authentication and authorization services. In addition, we will address issues such as botnets, darknets and network security monitoring.

  • 2011 2014

    INSE 6140 Middleware and Application Security Lab

    This course aims to give students a good grasp of the research problems, concepts, methodologies, techniques and tools that are used in application and middleware security. Application and middleware security are two large areas of research that contain many different contributions. This means that we shall address some of the topics that we find interesting and that could guide the students in their research. Moreover, this course guides students toward new research ideas, especially when Game Theory and Mechanism Design are covered. In addition, the course objective is to make students familiar with the security flaws that middleware and different applications could face. Different solutions will be given to inform students about how to model applications and link them with each other while taking security into consideration. Linking applications to each other is the simple definition of "middleware", which we shall address from a security standpoint.

  • 2012 2014

    INSE 7120 Advanced Network Management Guest Lectures

    Course objectives: appreciate the need for interoperable network management; understand the general concepts and architecture behind standards-based network management; understand the concepts and terminology associated with SNMP and TMN; appreciate network management as a typical distributed application; get a feeling for current trends in network management technologies; understand advanced information processing techniques such as distributed object technologies, software agents and Internet technologies used for network management.

  • 2009 2013

    Comp 248 Object-Oriented Programming Lab

    The primary objective of this course is to enable you to understand the basic principles of programming. The language used for the course is Java, chosen because it supports object oriented programming and because it is becoming widely used in industry. The course will include discussions and explanations of the following topics: introduction to programming; writing, compiling, and running simple programs; expressions, variables, and assignments; control structures; objects and classes, methods, and arrays.

  • 2012 2012

    COMP 6471 Software Design Methodologies Lab

    The principal objectives of the course are to clarify the basic concepts of design; to explain how those concepts are applied to software; and to describe design techniques that have been successfully applied. We focus on object-oriented design using UML models, architectural styles and patterns, and design patterns. We touch on software reuse, software frameworks, generic programming, design rationale, issue-driven design, and other topics.