Author

Maria-Elena Mihailescu

Bio: Maria-Elena Mihailescu is an academic researcher from Politehnica University of Bucharest. The author has contributed to research in topics: Hypervisor & Virtual machine. The author has an h-index of 1, co-authored 7 publications receiving 3 citations.

Papers
Journal Article
24 Jun 2021-Sensors
TL;DR: In this paper, the authors introduce the effects of using machine-learning-based intrusion detection methods in network traffic coming from a real-life architecture, which is part of an effort to bring security against novel cyberthreats and was completed in the SIMARGL project.
Abstract: Cybersecurity is an arms race, with both the security and the adversaries attempting to outsmart one another, coming up with new attacks, new ways to defend against those attacks, and again with new ways to circumvent those defences. This situation creates a constant need for novel, realistic cybersecurity datasets. This paper introduces the effects of using machine-learning-based intrusion detection methods in network traffic coming from a real-life architecture. The main contribution of this work is a dataset coming from a real-world, academic network. Real-life traffic was collected and, after performing a series of attacks, a dataset was assembled. The dataset contains 44 network features and an unbalanced distribution of classes. In this work, the capability of the dataset for formulating machine-learning-based models was experimentally evaluated. To investigate the stability of the obtained models, cross-validation was performed, and an array of detection metrics were reported. The gathered dataset is part of an effort to bring security against novel cyberthreats and was completed in the SIMARGL project.

11 citations

Proceedings Article
11 Dec 2020
TL;DR: In this paper, the authors propose extending the bhyve snapshot feature to allow saving and restoring multiple devices of the same type whenever they are used together, since the existing mechanism stores only one device of each type, which can lead to an inconsistent virtual machine state.
Abstract: The FreeBSD specific hypervisor solution, bhyve, is a mature virtualization solution that allows its users to configure the virtual machines in a robust manner by adding different types of devices. Moreover, the virtual machine state can be suspended for a later use by using the snapshotting mechanism. However, the existing snapshot mechanism can only store the state of one device of each type. This behaviour may be troublesome for entities that want to use the save and restore mechanism for virtual machines with multiple same type devices (e.g., two disks, two network interfaces) since it can lead to an inconsistent virtual machine state. This paper proposes a solution for extending this feature by allowing the saving and restoration of multiple devices of the same type, whenever they are used together.

1 citation

Proceedings Article
06 Jan 2020
TL;DR: A method for fast copying the files generated by the EPNs while ensuring no data loss and caching all the encountered errors is presented.
Abstract: The ALICE (A Large Ion Collider Experiment) experiment at the CERN (European Organization for Nuclear Research) LHC (Large Hadron Collider) is preparing for the LHC Run3, beginning in 2021, with a detector and computing upgrade. On the computing side, a large, purpose-built computing farm (O2) consisting of CPU and GPU will process the data coming from the experimental setup at an average input rate of some 2TB/sec and output rate of 100GB/sec. The farm will consist of a few hundred off-the-shelf servers, called Event Processing Nodes (EPN), collectively connected to a remote disk-based storage system. The EPNs will process data in near-real time during the ALICE detector operation with expected output rate to storage of ~100GB/sec. To avoid interruptions of processing due to network glitches or overload, we foresee to equip the EPNs with fast high-capacity SSDs for temporary data storage. The data stored on the SSDs must be transferred asynchronously to the remote storage element. The transfer operation is time-critical, as the SSDs will be able to hold at most a few hours of data accumulation. This paper presents a method for fast copying the files generated by the EPNs while ensuring no data loss and caching all the encountered errors.

Book Chapter
29 Apr 2021
TL;DR: In this paper, the authors present a proof-of-concept that runs a Linux-based operating system on a FreeBSD virtual machine manager, bhyve, in order to provide secure and isolated environments for certain applications.
Abstract: ARM processors are more energy efficient when compared to their older and more powerful x86 counterparts. As such, more complex systems (e.g., servers) would greatly benefit from using them should they become powerful enough to be able to handle complex tasks. One such task, that is an essential tool for system administrators, is the ability to run virtual machines in order to provide secure and isolated environments for certain applications. With ARM-powered servers being under development for years already, anticipating the needs of system administrators and adding relevant features to the operating system may prove critical to increase the user base. Linux is by far the most successful free operating system, so any virtualization mechanism will need to be able to run a virtual machine with Linux before it may be considered viable for use in large-scale deployments. Consequently, bhyve, FreeBSD’s virtual machine manager requires a proof of concept that runs a Linux-based operating system.

Proceedings Article
03 Sep 2020
TL;DR: A model for a heterogeneous environment that offers services of IaaS using OpenStack as a cloud computing platform with Linux as a controller node and FreeBSD as a compute node is proposed.
Abstract: At the moment, the demand for Infrastructure as a Service (IaaS) is higher than ever, as many companies from industry and open-source communities are focused on improving virtualization solutions. The aim of such a system is to provide virtual instances in a timely manner, persisting in quality and swiftness, while remaining simple and accessible for users. This paper proposes a model for a heterogeneous environment that offers services of IaaS using OpenStack as a cloud computing platform with Linux as a controller node and FreeBSD as a compute node. bhyve, the FreeBSD’s hypervisor, will be used to create the virtual instances.

Cited by
Journal Article
TL;DR: An innovative approach is proposed which adapts sketchy data structures to extract generic and universal features and leverages the principles of domain adaptation to improve classification quality in zero- and few-shot scenarios.
Abstract: Network flow-based cyber anomaly detection is a difficult and complex task. Although several approaches to tackling this problem have been suggested, many research topics remain open. One of these concerns the problem of model transferability. There is a limited number of papers which tackle transfer learning in the context of flow-based network anomaly detection, and the proposed approaches are mostly evaluated on outdated datasets. The majority of solutions employ various sophisticated approaches, where different architectures of shallow and deep machine learning are leveraged. Analysis and experimentation show that different solutions achieve remarkable performance in a single domain, but transferring the performance to another domain is tedious and results in serious deterioration in prediction quality. In this paper, an innovative approach is proposed which adapts sketchy data structures to extract generic and universal features and leverages the principles of domain adaptation to improve classification quality in zero- and few-shot scenarios. The proposed approach achieves an F1 score of 0.99 compared to an F1 score of 0.97 achieved by the best-performing related methods.

6 citations

Journal Article
18 Nov 2021-Entropy
TL;DR: In this article, several feature selection techniques have been applied on five flow-based network intrusion detection datasets, establishing an informative flow-based feature set, and the results show that a set of 10 features and a small amount of data is enough for the final model to perform very well.
Abstract: The number of security breaches in the cyberspace is on the rise. This threat is met with intensive work in the intrusion detection research community. To keep the defensive mechanisms up to date and relevant, realistic network traffic datasets are needed. The use of flow-based data for machine-learning-based network intrusion detection is a promising direction for intrusion detection systems. However, many contemporary benchmark datasets do not contain features that are usable in the wild. The main contribution of this work is to cover the research gap related to identifying and investigating valuable features in the NetFlow schema that allow for effective, machine-learning-based network intrusion detection in the real world. To achieve this goal, several feature selection techniques have been applied on five flow-based network intrusion detection datasets, establishing an informative flow-based feature set. The authors’ experience with the deployment of this kind of system shows that to close the research-to-market gap, and to perform actual real-world application of machine-learning-based intrusion detection, a set of labeled data from the end-user has to be collected. This research aims at establishing the appropriate, minimal amount of data that is sufficient to effectively train machine learning algorithms in intrusion detection. The results show that a set of 10 features and a small amount of data is enough for the final model to perform very well.

5 citations

Proceedings Article
15 Jun 2022
TL;DR: It is claimed that the data in the VHS-22 dataset are more demanding, and therefore that the dataset can better stimulate further progress in detecting network threats.
Abstract: Researching new methods of detecting network threats, e.g., malware-related, requires large and diverse sets of data. In recent years, a variety of network traffic datasets have been proposed, which have been intensively used by the research community. However, most of them are quite homogeneous, which means that detecting threats using these data became relatively easy, allowing for detection accuracy close to 100%. Therefore, they are not a challenge anymore. As a remedy, in this article we propose a VHS-22 dataset – a Very Heterogeneous Set of network traffic data. We prepared it using a software network probe and a set of existing datasets. We describe the process of dataset creation, as well as its basic statistics. We also present initial experiments on attack detection, which yielded lower results than for other datasets. We claim that the data in the VHS-22 dataset are more demanding, and therefore that our dataset can better stimulate further progress in detecting network threats.

2 citations

Journal Article
03 Sep 2021-Sensors
TL;DR: Wang et al. proposed a one-dimensional convolution-based fusion model of packet capture files and business feature data for malicious network behavior detection, which improved the malicious behavior detection results compared with single ones in some available network traffic and IOT datasets.
Abstract: Information and communication technologies have essential impacts on people’s life. The real time convenience of the internet greatly facilitates the information transmission and knowledge exchange of users. However, network intruders utilize some communication holes to complete malicious attacks. Some traditional machine learning (ML) methods based on business features and deep learning (DL) methods extracting features automatically are used to identify these malicious behaviors. However, these approaches tend to use only one type of data source, which can result in the loss of some features that cannot be mined in the data. In order to address this problem and to improve the precision of malicious behavior detection, this paper proposed a one-dimensional (1D) convolution-based fusion model of packet capture files and business feature data for malicious network behavior detection. Fusion models improve the malicious behavior detection results compared with single ones in some available network traffic and Internet of things (IOT) datasets. The experiments also indicate that early data fusion, feature fusion and decision fusion are all effective in the model. Moreover, this paper also discusses the adaptability of one-dimensional convolution and two-dimensional (2D) convolution to network traffic data.

2 citations

Journal Article
TL;DR: This paper provides a number of practical recommendations for policymakers, as well as cybersecurity managers on how to make the cybersecurity more human-centred; it also inspires further research directions.
Abstract: Purpose: The purpose of this paper is to challenge the prevailing, stereotypical approach of the human aspect of cybersecurity, i.e. treating people as weakness or threat. Instead, several reflections are presented, pertaining to the ways of making cybersecurity human-centred. Design/methodology/approach: This paper bases on the authors’ own experiences, gathered whilst working in cybersecurity projects; the resulting comments and reflections have been enriched and backed up by the results of a targeted literature study. Findings: The findings show that the way the human aspects of cybersecurity are understood is changing, and deviates from the stereotypical approach. Practical implications: This paper provides a number of practical recommendations for policymakers, as well as cybersecurity managers on how to make the cybersecurity more human-centred; it also inspires further research directions. Originality/value: This paper presents a fresh, positive approach to humans in cybersecurity and opens the doors to further discourse about new paradigms in the field.

2 citations