Search Results

(Total results 30)

  • 1. Kumar, Kavitha Intrusion Detection in Mobile Adhoc Networks

    Master of Science in Engineering, University of Toledo, 2009, Electrical Engineering

    Mobile ad hoc networks (MANETs) are autonomous, infrastructure-less networks in which mobile nodes organize themselves in a network without the help of any predefined infrastructure. Securing MANETs is an important part of deploying and utilizing them, since they are often used in critical applications where data and communications integrity is important. Existing solutions for wireless networks can be used to obtain a certain level of such security. However, these solutions may not always be sufficient for MANETs, since their characteristics create vulnerabilities that cannot be addressed by these solutions. To obtain an acceptable level of security in such a context, traditional security solutions should be coupled with an intrusion detection mechanism. We propose using a quantitative method to detect intrusion in MANETs with mobile nodes. Our method is a behavioral anomaly based system, which makes it dynamic, scalable, configurable and robust. We verify our method using simulations where mobile nodes follow linear movement patterns. The simulations are run with mobile nodes and employing Ad-hoc On-demand Distance Vector (AODV) routing. It is observed that the malicious node detection rate is very good, and the false positive detection rate is low.

    Committee: Mansoor Alam Dr (Committee Chair); Daniel Solarek (Committee Member); Henry Ledgard Dr (Committee Member) Subjects: Computer Science; Electrical Engineering
  • 2. Vasudevan, Swetha Immune Based Event-Incident Model for Intrusion Detection Systems: A Nature Inspired Approach to Secure Computing

    MS, Kent State University, 2007, College of Arts and Sciences / Department of Computer Science

    Immune System is essential for the survival of the species. How exactly this sophisticated defense mechanism accomplishes the level of discrimination remains deeply enigmatic. Both Immune System and Intrusion Detection System work toward a comparable goal, identifying and responding to malicious agents. The effectiveness of an Intrusion Detection System however, depends on its ability to accurately differentiate between an event and an incident. Today computer scientists and researchers are borrowing some of the underlying principles of Immunology to implement such a system. The Human Immune System primarily involves highly specific recognition of foreign antigens and tolerance of self antigens. For more than six decades, the concept of ‘self/non-self’ formed the central theme of Immunology. The model states that all foreign entities that are not part of the organism trigger an immune response, whereas self elements do not. In the last few years, several researchers have challenged the authenticity of this concept and have come up with rival ideas. One such notion is the Danger Theory for Immunology. According to this new viewpoint, the Immune System does not discriminate between self and non-self elements but between danger and non-danger. Danger is perceived as a signal emitted by the cells that die an unnatural death. Detection of a foreign entity occurs in conjunction with the detection of danger signals which are emanated as a result of discontinuity in the constant interactions between the immune receptors and their targets. In this thesis, the author proposes a new Danger Theory based Event-Incident Model for Intrusion Detection System. The proposed model also borrows some key characteristics of autonomous multi-agent system. It employs a group of detectors known as the ‘Mobile Intrusion Detection Squad’ and utilizes the ‘Divide and Conquer Approach’ to identify and respond to both distributed and coordinated attacks. The literature of Immune-based Intrusio (abstract truncated)

    Committee: Michael Rothstein (Advisor) Subjects: Computer Science
  • 3. Famera, Angela Cross-Device Federated Intrusion Detector For Early Stage Botnet Propagation

    Master of Science, Miami University, 2023, Computer Science and Software Engineering

    A botnet is an army of zombified computers infected with malware and controlled by malicious actors to carry out tasks such as Distributed Denial of Service (DDoS) attacks. Billions of Internet of Things (IoT) devices are primarily targeted to be infected as bots since they are configured with weak credentials or contain common vulnerabilities. Detecting botnet propagation by monitoring the network traffic is difficult as they easily blend in with regular network traffic. The traditional machine learning (ML) based Intrusion Detection System (IDS) requires the raw data to be captured and sent to the ML processor to detect intrusion. In this research, we examine the viability of a cross-device federated intrusion detection mechanism where each device runs the ML model on its data and updates the model weights to the central coordinator. This mechanism ensures the client's data is not shared with any third party, terminating privacy leakage. The model examines each data packet separately and predicts anomalies. We evaluate our proposed mechanism on a real botnet propagation dataset called MedBIoT. In addition, we also examined whether any device taking part in federated learning can employ a poisoning attack on the overall system.

    Committee: Suman Bhunia (Advisor); Khodakhast Bibak (Committee Member); Daniela Inclezan (Committee Member) Subjects: Computer Science
  • 4. Mathur, Nitin Application of Autoencoder Ensembles in Anomaly and Intrusion Detection using Time-Based Analysis

    MS, University of Cincinnati, 2020, Education, Criminal Justice, and Human Services: Information Technology

    Signature-based intrusion detection methods report high accuracy with low false alarm rates. However, they do not perform well when faced with new or emerging threats. This work focuses on anomaly-based data-driven methods to identify potential zero-day attacks using a specific class of neural networks known as the autoencoder. The significance of this study is that explicit labels are not used in the training process, and rather than categorizing each individual flow or packet, the time dimension, which has often been ignored in the literature, is leveraged to identify traffic that does not conform to the normal or expected behavior.

    Committee: Chengcheng Li Ph.D. (Committee Chair); Bilal Gonen Ph.D. (Committee Member); Kijung Lee Ph.D. (Committee Member) Subjects: Information Technology
  • 5. Cetin, Burak Wireless Network Intrusion Detection and Analysis using Federated Learning

    Master of Computing and Information Systems, Youngstown State University, 2020, Department of Computer Science and Information Systems

    Wi-Fi has become the wireless networking standard that allows short- to medium-range devices to connect without wires. For the last 20 years, the Wi-Fi technology has been so pervasive that most devices in use today are mobile and connect to the internet through Wi-Fi. Unlike a wired network, a wireless network lacks a clear boundary, which leads to significant Wi-Fi network security concerns, especially because the current security measures are prone to several types of intrusion. To address this problem, machine learning and deep learning methods have been successfully developed to identify network attacks. However, collecting data to develop models is expensive and raises privacy concerns. The goal of this thesis is to evaluate a federated learning approach that would alleviate such privacy concerns. This work on intrusion detection is performed in a simulated environment. During the work, different experiments have concluded to define points that can affect the accuracy of a model to allow edge devices to collaboratively update global anomaly detection models using a privacy-aware approach. Three comparison tests were done in order to find the optimal results: different training rates, different training methods, different parameters. Using different combinations of 5 parameters (training algorithms, number of epochs, devices per round, round numbers and size of the sample set), these tests with the AWID intrusion detection data set show that our federated approach is effective in terms of classification accuracy (with an accuracy range of 88-95%), computation cost, as well as communication cost. In our study, the best case had the most rounds, epochs and devices per round compared to the others.

    Committee: Alina Lazar PhD (Advisor); Feng Yu PhD (Committee Member); John Sullins PhD (Committee Member) Subjects: Artificial Intelligence; Computer Science; Information Science; Information Systems
  • 6. Al Rawashdeh, Khaled Toward a Hardware-assisted Online Intrusion Detection System Based on Deep Learning Algorithms for Resource-Limited Embedded Systems

    PhD, University of Cincinnati, 2018, Engineering and Applied Science: Computer Science and Engineering

    Real-time designs of deep learning algorithms are challenged by two less frequently addressed issues. The first is data inefficiency, i.e., the model requires several epochs of trial and error to converge, which makes it impractical to be applied to real-time applications. The second is the high precision computation load of the deep learning algorithms needed to achieve high accuracy during training and inference. To address the first issue, we propose a compressed training model for the contrastive divergence algorithm (CD) in the Deep Belief Network (DBN). The goal is to dynamically adjust the training vector according to the feedback from the free energy and the reconstruction error, which allows for better generalization. Furthermore, based on the previous compressed algorithm and to reduce the saturation of the Tanh and the Sigmoid activation functions, we propose a fast activation function, namely the Adaptive Linear Function (ALF). The ALF increases the convergence speed and accuracy of online training and inference using the Deep Belief Network (DBN). To address the second issue, we propose a Hybrid-Stochastic-Dynamic-Fixed-Point (HSDFP) method, which provides a training environment with high reduction in calculation, area, and power in FPGA. Cyber-Physical Systems (CPS) have become increasingly connected in recent years in what is known as the IoT (Internet of Things). As a result, the window for attacks available for hackers and adversaries has been greatly increased. The majority of the techniques currently available for detecting attacks use signature detection by checking against a database of known attacks. More work is needed to improve detection of zero-day attacks. It is not feasible to generate a profile for large systems such as large networks to detect misuse or anomalies. Exploring deep learning for security detection is a valid approach because deep learning algorithms can extract features from raw data. Deep learning has shown high (abstract truncated)

    Committee: Carla Purdy Ph.D. (Committee Chair); Raj Bhatnagar Ph.D. (Committee Member); Bilal Gonen (Committee Member); Ali Minai Ph.D. (Committee Member); Philip Wilsey Ph.D. (Committee Member) Subjects: Computer Engineering
  • 7. Gu, Boxuan Context-Aware Malicious Code Detection

    Doctor of Philosophy, The Ohio State University, 2012, Computer Science and Engineering

    Malicious codes are one of the biggest threats on the Internet according to the US-CERT vulnerability database. One salient example is Conficker, a malicious code targeting MS Windows that was released in 2009. Before it was discovered, millions of computers on the Internet were infected. Many approaches to malicious code detection have been proposed. However, such approaches have a key weakness: they do not leverage context information from target systems and input data in order to perform detection. Malicious codes can fully utilize context information for attack purposes, thereby evading detection. To address this issue, we propose a methodology that leverages such context information for malicious code detection. Based on this methodology, we design and implement three detection systems for malicious code detection on servers, Web browsers, and smartphones. Our first system takes "snapshots" of a target process's virtual memory space and leverages these snapshots to reveal malicious codes' true behaviors when consuming input data. Based on the first system, we construct the second system, which leverages Web browsers' JavaScript code execution environment to detect malicious JavaScript codes that exploit browsers' memory errors. Our third system uses an information flow tracking mechanism to detect malicious codes that steal sensitive information stored in smartphones. We comprehensively evaluate these detection systems with many real-world malicious codes. Our experimental results indicate that the context information can be used to greatly improve detection effectiveness with reasonable overhead.

    Committee: Dong Xuan (Advisor); Ten H. Lai (Committee Member); Feng Qin (Committee Member) Subjects: Computer Science
  • 8. Sawant, Ankush Time-based Approach to Intrusion Detection using Multiple Self-Organizing Maps

    Master of Science (MS), Ohio University, 2005, Electrical Engineering & Computer Science (Engineering and Technology)

    Anomaly-based intrusion detection systems identify intrusions by monitoring network traffic for abnormal behavior. Integrated Network-Based Ohio University Network Detective Service (INBOUNDS) is an anomaly-based intrusion detection system being developed at Ohio University. The Multiple Self-organizing map based Intrusion Detection System (MSIDS) module for INBOUNDS analyzes the time-based behavior of normal network connections for anomalies, using the Self-Organizing Map (SOM) algorithm. The MSIDS module builds profiles of normal network behavior by characterizing the network traffic with four parameters. A SOM, developed for each time interval, captures the characteristic network behavior for that time interval using the four parameters. This approach achieves better characterization of normal network behavior, leading to better intrusion detection capability. During real-time operation, the four-dimensional vectors, representing the attack connection for the time intervals, are fed into respective trained SOMs. For each input vector in the four-dimensional space, a “winner” neuron is determined. If the distance between the input vector and the winner neuron for any SOM is greater than a certain threshold value, the MSIDS module classifies the network connection as an intrusion. Moreover, detecting the attack in early stages of the connection leads to near real-time response to intrusions.

    Committee: Carl Bruggeman (Advisor) Subjects:
  • 9. Yellapragada, Ramani Probabilistic Model for Detecting Network Traffic Anomalies

    Master of Science (MS), Ohio University, 2004, Computer Science (Engineering)

    Anomaly-based intrusion detection is a research area in Computer Security, wherein computer and network attacks are differentiated from normal computer interactions. Anomaly-based intrusion detection systems detect attacks by analyzing either computer or network data and flagging abnormalities as intrusions. The abnormalities are detected by analyzing certain parameters that are present in the data. Our approach analyzes certain network parameters, which characterize either a connection or a network service on a monitored host or a network service on a monitored network. This categorization of parameters helps detect varied classes of attacks including denial-of-service, port scan and buffer overflow attacks. Anomaly-based systems use various analysis techniques to detect parameter anomalies. A new approach based on Bayesian Networks technique for analyzing and detecting anomalies is presented here. The advantage of Bayesian Networks lies in their ability to adaptively learn normal values of parameters without much training, which makes it suitable for real-time analysis. Bayesian Network can be used to combine current evidence and previous knowledge to obtain the probability of anomaly. This property helps in detecting previously seen attacks faster, since the previous knowledge provides strong evidence of an attack. The same property helps reduce the number of false positives, since considerable evidence needs to accumulate for the Bayesian Network to report high probability of anomaly.

    Committee: Shawn Ostermann (Advisor) Subjects: Computer Science
  • 10. Dahiya, Mahima Developing Secure Framework for Cyber-Attack Detection: A Machine Learning Approach

    MS, University of Cincinnati, 2023, Engineering and Applied Science: Computer Science

    Due to the rapid advancements in wireless and telecommunications systems, security in cyberspace has significantly impacted different crucial infrastructures. For developing a novel cyber security defense and protection, in addition to data on the present state of security, the system should also collect historical data. Moreover, it gives adaptive security management and control. For improving the level of safety of key system components, a Data Mining Intrusion detection system (DataMIDS) framework utilizing a selection of features based on Functional Perturbation and attack detection based on BNM-tGAN approach was developed. The developed framework was trained and put to the test using data collection in order to recognize different attacks. Initially, the data was inconsistent and incomplete due to poor scaling, missing values, overlapped, and imbalanced data. The issue of inconsistent or unstructured data was addressed in order to enhance decision-making for identifying attacks. The work deals with the missing values alongside utilizing the established Absolute Median Deviation-based Robust Scaler (AMD-RS) to address scaling performance. The pertinent feature selection of the data was carried out using three FS techniques, i.e., ICS-FSO wrapper, HpTT-DT embedded, and XavND-Relief filter method. The data mining-based methodology places an emphasis on feature engineering as well as feature selection and offers shallow feature learning. The data were divided while being trained using the suggested BNM-tGAN. The experiment results demonstrated that the proposed approaches were more accurate in identifying attacks across various datasets. The proposed techniques attained a low false detection rate and computation time in contrast with present techniques. In comparison with other approaches, it continues to be rather resistant to malicious attacks.

    Committee: FNU NITIN Ph.D. (Committee Chair); Yizong Cheng Ph.D. (Committee Member); Raj Bhatnagar Ph.D. (Committee Member) Subjects: Computer Science
  • 11. Pujari, Medha Rani A Study on Behaviors of Machine Learning-Powered Intrusion Detection Systems under Normal and Adversarial Settings

    Doctor of Philosophy, University of Toledo, 2023, Engineering

    Intrusion detection systems (IDSs) have evolved significantly since the first time they were introduced and have become one of the most essential defenses in a network. With the advent of machine learning (ML), several improvements and enhancements have been made to the capabilities of traditional IDSs. However, every advancement brings with it a range of new challenges and threats. Although ML expanded the abilities of IDSs, there are certain problems that need to be investigated and this research attempts to highlight and address some of the existing problems. One of the problems is that a major portion of the research progress involving IDSs has been achieved using decades-old datasets. This work aims to study recently published research IDS datasets and analyze the performances of ML-based IDS models when trained with such datasets. Another problem focused on in this research is the vulnerabilities of ML models to adversarial environments. The work identifies that a majority of research progress achieved relevant to ML-powered IDSs is toward the direction of improving the performance efficiency of the IDS models under normal settings, i.e., toward optimizing the detection rates with genuine data. Relatively little progress is made towards making the IDS models robust to adversarial environments and deceptive inputs that target the IDSs rather than the premises (networks or hosts) guarded by them. This is a serious concern in cybersecurity which needs more investigation and problem-solving. In regard to this concern, various types of adversarial attacks are studied, and the behaviors of IDSs in certain white-box adversarial settings are assessed when the models are trained with modern research datasets. The study extends further by developing a defense mechanism against a white-box evasion attack which is considered to be very powerful for image-classification-based models. As the IDS models deployed in real-world environments are more susceptible to black-bo (abstract truncated)

    Committee: Weiqing Sun (Advisor); Weiqing Sun (Committee Chair); Junghwan Kim (Committee Member); Mohammed Niamat (Committee Member); Devinder Kaur (Committee Member); Ahmad Javaid (Committee Co-Chair) Subjects: Computer Science
  • 12. Nwosu, Ikechukwu Intrusion Detection in SOHO Networks using Elasticsearch SIEM

    MS, University of Cincinnati, 2021, Education, Criminal Justice, and Human Services: Information Technology

    The prevalence of cyberattacks on the home network today sparked great concern among researchers. With the advent of telecommuting and stay-at-home orders, cyber attackers have found network intrusion easier than usual as SOHO networks are generally incapable of rescinding the advanced intrusion techniques developed today. Therefore, there are more sensitive data online today than usual. Firewall configurations, Antivirus scans, and secure locks have all been studied and found to be ineffective in combating these advanced techniques. The researcher examines the design of a more advanced system of detecting and understanding attacks on home networks to solve this issue. The researcher takes an experimentation approach at combining the functionalities of Elasticsearch SIEM and Snort IDS to reinforce a secure SOHO network. A virtual simulation of real-life cyber-attack scenarios was carried out. The researcher found that the design was more effective in reporting attacks than the most alternative. The tools allowed the researcher to analyze the detected attacks, visualize them, and correlate them with open-source rules that take further actions against detected intrusions. Although this design requires more than a basic understanding of setting up, the researcher believes that the quality of its effectiveness may spur further research on how SIEM configuration may be made more accessible and straightforward to use to SOHO administrators.

    Committee: M. Murat Ozer Ph.D. (Committee Chair); Ryan Moore (Committee Member) Subjects: Information Technology
  • 13. Azumah, Sylvia Deep Learning -Based Anomaly Detection System for Guarding Internet of Things Devices

    MS, University of Cincinnati, 2021, Education, Criminal Justice, and Human Services: Information Technology

    The ever-expanding scope of the third industrial revolution spawned a dynamic digital age of computers and the world wide web (internet). The Internet of Things (IoT) is one of the latest technologies that will forever change how humans interact with information systems. These technologies involve embedding sensors and software applications into physical objects which allow them to transmit and share data with other devices over the Internet, ranging from simple smart home appliance management to self-driving cars. The universal applications of IoT technology cannot be overemphasized. It is currently being utilized in remote healthcare and the telecommunications industry with a projected large-scale deployment in critical infrastructure such as power grids and water purification. As with everything else related to information systems, this presents an increased amount of vulnerabilities and security issues that could have dire consequences if left unattended. Research shows that 70% of current IoT devices are moderately easy to compromise or hack [37]. Therefore, an efficient mechanism is needed to safeguard these devices as they are connected to the internet. This thesis introduces a novel deep learning-based anomaly detection model to predict cyberattacks on IoT devices and to identify new outliers as they occur over time. Long Short-Term Memory (LSTM) is an efficient deep learning architecture that addresses spatial and temporal information. Therefore, it could perform effectively in an anomaly detection model for IoT security. The model recorded a high detection accuracy of 98%, precision of 85%, recall of 84%, and finally an F1-score of 83% using the IoT network intrusion detection dataset. The performance of the LSTM based model approach developed in this study was analyzed and compared to the state-of-the-art deep learning-based anomaly detection for IoT devices.

    Committee: Nelly Elsayed Ph.D. (Committee Chair); M. Murat Ozer Ph.D. (Committee Member); Hazem Said Ph.D. (Committee Member) Subjects: Information Technology
  • 14. Chintalapati, Veera Venkata Tarun Kartik Multi-Vehicle Path Following and Adversarial Agent Detection in Constrained Environments

    MS, University of Cincinnati, 2020, Engineering and Applied Science: Aerospace Engineering

    The aim of this research is to investigate two fundamental challenges to vehicle platooning: security and path following. For the first part of this investigation, we focus on the security vulnerabilities of vehicle platoons that make them susceptible to external attacks. These attacks are designed to cause oscillations within the platoon in a manner that results in collisions and pile-ups. In order to address such a scenario, this research focuses on the design and detection of such adversarial agents in vehicle platoons. To achieve this, we consider a highway scenario and model a bi-directional predecessor-leader following the platoon. We then introduce an attacker that can disrupt the normal performance of the platoon and cause oscillations that amplify and eventually lead to collisions. Then, we compare methodologies for detecting and isolating the adversarial agent under various information availability scenarios. Finally, we prove that it is possible to identify a compromised vehicle with a high accuracy using only the noisy local sensor information available on-board to each vehicle. Secondly, we focus on the challenge of coordinated control in constrained environments. When navigating in challenging environments with very limited infrastructure or landmarks (mines, farms, etc.), it is nearly impossible for modern-day autonomous vehicles to stay on the desired path. A cost-effective solution for such a challenge would be to have one manned "leader" vehicle that the other vehicles can follow. Therefore, we propose and implement a novel guidance algorithm that ensures multi-vehicle platoons stay on the path when traversing such environments. We further investigate the string stability of the platoon and its dependence on the characteristics of the trajectory chosen.

    Committee: Rajnikant Sharma Ph.D. (Committee Chair); Manish Kumar Ph.D. (Committee Member); Boyang Wang Ph.D. (Committee Member) Subjects: Aerospace Materials
  • 15. Pacheco Monasterios, Yulexis Adversarial Machine Learning: A Comparative Study on Contemporary Intrusion Detection Datasets

    Master of Science, University of Toledo, 2020, Engineering (Computer Science)

    Studies have shown the vulnerability of machine learning algorithms against adversarial samples in image classification problems in deep neural networks. However, there is a need for performing comprehensive studies of adversarial machine learning in the intrusion detection domain, where current research has been mainly conducted on the widely available KDD'99 and NSL-KDD datasets. In this study, we evaluate the vulnerability of contemporary datasets (in particular, UNSW-NB15 and Bot-IoT datasets) that represent the modern network environment against popular adversarial deep learning attack methods, and assess various machine learning classifiers' robustness against the generated adversarial examples. Our study shows the feasibility of the attacks for both datasets where adversarial samples successfully decreased the overall performance.

    Committee: Weiqing Sun (Committee Chair); Ahmad Javaid (Committee Member); Devinder Kaur (Committee Member) Subjects: Computer Engineering; Computer Science
  • 16. Alalade, Emmanuel Intrusion Detection System in Smart Home Network Using Artificial Immune System and Extreme Learning Machine

    MS, University of Cincinnati, 2020, Education, Criminal Justice, and Human Services: Information Technology

    Internet of things (IoT) applications in our daily lives have made life easier, but also come with associated security threats. The vulnerability of the IoT system stems from the vulnerability of each connected device and transmission of threats through an interconnected home network. Smart homes are one of the applications of IoT, which is comprised of connected devices for easier interaction. An isolated IoT system with no internet connection has some level of safety from attacks because it is not exposed to the internet, although these devices have their innate vulnerabilities from the manufacturer. IoT gateways connecting IoT devices to the internet can create a backdoor into the smart home system that an attacker can exploit. Therefore, Internet-connected IoT devices have a high security risk, and one of the ways to detect an intrusion into an IoT gateway is through anomalies in the traffic passing through it. This thesis introduces early work on an intrusion detection system (IDS) by detecting anomalies in the smart home network using Extreme Learning Machine and Artificial Immune System (AIS-ELM). AIS uses the Clonal Algorithm for the optimization of the input parameters, and ELM analyzes the input parameter for better convergence in detecting anomalous activity. The larger implications of this work are the potential to apply this approach to a smart home network gateway and combine it with a push notification system that will allow the homeowner to identify any abnormalities in the smart home network and take appropriate action to mitigate threats.

    Committee: Nelly Elsayed Ph.D. (Committee Chair); Jess Kropczynski Ph.D. (Committee Chair); Shane Halse Ph.D. (Committee Member) Subjects: Information Technology
  • 17. Awodokun, Olugbenga Classification of Patterns in Streaming Data Using Clustering Signatures

    MS, University of Cincinnati, 2017, Engineering and Applied Science: Electrical Engineering

    Streaming datasets often pose a myriad of challenges for machine learning algorithms, some of which include insufficient storage and changes in the underlying distributions of the data during different time intervals. This thesis proposes a hierarchical clustering based method (unsupervised learning) for determining signatures of data in a time window and thus building a classifier based on the match between the observed clusters and known patterns of clustering. When new clusters are observed, they are added to the collection of possible global list of clusters, used to generate a signature for data in a time window. Dendrograms are created from each time window, and their clusters were compared to a global list of clusters. The global clusters list is only updated if none of the existing global clusters can model data points in any later time window. The global clusters were then used in the testing phase to classify novel data chunks according to their Tanimoto similarities. Although the training samples were only taken from 20% of the entire KDD Cup 99 dataset, we validated our approach by using test data from different regions of the datasets at multiple intervals, and the classifier performance achieved was comparable to other methods that had used the entire datasets for training.

    Committee: Raj Bhatnagar Ph.D. (Committee Chair); Gowtham Atluri (Committee Member); Nan Niu Ph.D. (Committee Member) Subjects: Computer Science
  • 18. Pentukar, Sai Kiran OCLEP+: One-Class Intrusion Detection Using Length of Patterns

    Master of Science in Cyber Security (M.S.C.S.), Wright State University, 2017, Computer Science

    In an earlier paper, a method called One-class Classification using Length statistics of (jumping) Emerging Patterns (OCLEP) was introduced for masquerader detection. Jumping emerging patterns (JEPs) for a test instance are minimal patterns that match the test instance but do not match any normal instances. OCLEP was based on the observation that one needs long JEPs to differentiate an instance of one class from instances of the same class, but needs short JEPs to differentiate an instance of one class from instances of a different class. In this thesis, we present OCLEP+, One-class Classification using Length statistics of Emerging Patterns Plus, by adding several new ideas to OCLEP. OCLEP+ retains the one-class training feature of OCLEP, hence it only requires the normal class data for training. Moreover, OCLEP+ has the advantage of being neither model nor signature based, making it hard to evade. OCLEP+ uses only length statistics of JEPs, making it a robust method. Experiments show that OCLEP+ is more accurate than OCLEP and one-class SVM on the NSL-KDD datasets.

    Committee: Guozhu Dong Ph.D. (Advisor); Junjie Zhang Ph.D. (Committee Member); Bin Wang Ph.D. (Committee Member) Subjects: Computer Science; Information Systems
  • 19. Kim, Dae Wook Data-Driven Network-Centric Threat Assessment

    Doctor of Philosophy (PhD), Wright State University, 2017, Computer Science and Engineering PhD

    As the Internet has grown increasingly popular as a communication and information sharing platform, it has given rise to two major types of Internet security threats related to two primary entities: end-users and network services. First, information leakages from networks can reveal sensitive information about end-users. Second, end-users' systems can be compromised through attacks on network services, such as scanning-and-exploit attacks, spamming, drive-by downloads, and fake anti-virus software. Designing threat assessments to detect these threats is, therefore, of great importance, and a number of detection systems have been proposed. However, these existing threat assessment systems face significant challenges in terms of i) behavioral diversity, ii) data heterogeneity, and iii) large data volume. To address the challenges of the two major threat types, this dissertation offers three unique contributions. First, we built a new system to identify network users via Domain Name System (DNS) traffic, which is one of the most important behavior-based tracking methods for addressing privacy threats. The goal of our system is to boost the effectiveness of existing user identification systems by designing effective fingerprint patterns based on semantically limited DNS queries that are missed by existing tracking efforts. Second, we built a novel system to detect fake anti-virus (AV) attacks, which represent an active trend in the distribution of Internet-based malware. Our system aims to boost the effectiveness of existing fake AV attack detection by detecting fake AV attacks in three challenging scenarios: i) fake AV webpages that require user interaction to install malware, instead of using malicious content to run automatic exploitation without users' consent (e.g., shellcode); ii) fake AV webpages designed to impersonate real webpages using a few representative elements, such as the names and icons of anti-virus products from authentic anti-virus webpages (open full item for complete abstract)

    Committee: Junjie Zhang Ph.D. (Advisor); Adam Robert Bryant Ph.D. (Committee Member); Bin Wang Ph.D. (Committee Member); Xuetao Wei Ph.D. (Committee Member) Subjects: Computer Science
  • 20. Alqallaf, Maha Software Defined Secure Ad Hoc Wireless Networks

    Doctor of Philosophy (PhD), Wright State University, 2016, Computer Science and Engineering PhD

    Software defined networking (SDN), a new networking paradigm that separates the network data plane from the control plane, has been considered as a flexible, layered, modular, and efficient approach to managing and controlling networks ranging from wired and infrastructure-based wireless (e.g., cellular wireless networks, WiFi, wireless mesh networks) to infrastructure-less wireless networks (e.g., mobile ad-hoc networks, vehicular ad-hoc networks), as well as to offering new types of services and to evolving the Internet architecture. Most work has focused on SDN applications in traditional wired and/or infrastructure-based networks. Wireless networks have become increasingly heterogeneous. Secure and collaborative operation of mobile wireless ad-hoc networks poses significant challenges due to the decentralized nature of mobile ad hoc wireless networks, mobility of nodes, and resource constraints. Recent developments in software defined networking shed new light on how to control and manage an ad hoc wireless network. Given the wide deployment and availability of heterogeneous wireless technologies, the control and management of ad hoc wireless networks with the new software defined networking paradigm is offered more flexibility and opportunities to deal with trust and security issues and to enable new features and services. This dissertation focuses on the SDN MANET architecture design issues for providing secure collaborative operation. Specifically, (I) we have proposed four design options for a software defined secure collaborative ad hoc wireless network architecture. The design options are organized into (a) centralized SDN controller architecture with controller replication and (b) distributed SDN controller architecture. While these proposed architecture options exhibit different characteristics, many common challenges are shared amongst these options. Challenges include fault-tolerance, scalability, efficiency, and security. The unstr (open full item for complete abstract)

    Committee: Bin Wang Ph.D. (Advisor); Yong Pei Ph.D. (Committee Member); Krishnaprasad Thirunarayan Ph.D. (Committee Member); Zhiqiang Wu Ph.D. (Committee Member) Subjects: Computer Engineering; Computer Science