Network Evaluation, Monitoring, and Exploitation of Secure Information Systems

The NEMESIS research group focuses on the development of innovative intrusion defense technologies.  A central focus of our work is the application of advanced artificial intelligence and complex adaptive systems in preventing, detecting, and responding to distributed network attacks.

Current Research Problems
Each of these problems is a current area of research that will contribute to the overall NEMESIS research effort.  While each student will work on a specific research problem with a specific approach, each of these problems is complex enough that multiple students may be conducting research on it simultaneously.

Detection of Attacks Distributed Across Time
  • Network attacks can be significantly more difficult to detect if the steps in the attack are spread over a period of hours or days.  

Detection of Attacks Executed by Multiple Users
  • The detection of network attacks can also be complicated if multiple attackers work together to conduct an attack.
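The two detection problems above share a root cause: a rule that counts events per source over a window of minutes never accumulates enough evidence when the steps are hours apart or split across several cooperating sources. The following added illustration (not NEMESIS code, and not a proposed solution to the research problem) contrasts such a short-window, per-source rule with a correlator keyed on the target over a window measured in days, using a constructed set of failed-login events against a hypothetical host "db01" from four hypothetical source addresses.

```python
"""Added illustration: why time-distributed and multi-source attacks evade
short-window, per-source thresholds, and how a long-window correlator keyed on
the target sees the same activity. Sample data is constructed, not real."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: (timestamp, source_ip, target_host). 24 failed logins
# against one host over 72 hours, one every three hours, rotating through
# four cooperating sources. Hostname and addresses are hypothetical.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 0, 0) + timedelta(hours=3 * i),
     f"10.0.0.{(i % 4) + 1}", "db01")
    for i in range(24)
]


def naive_detector(events, window=timedelta(minutes=10), threshold=5):
    """Per-source, short-window threshold rule.

    Returns the set of (source_ip, target) pairs that produced `threshold`
    or more events inside any `window`. A slow, multi-source campaign never
    trips this because each source contributes only one event per window."""
    flagged = set()
    recent = defaultdict(deque)  # (src, dst) -> timestamps inside the window
    for ts, src, dst in sorted(events):
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add((src, dst))
    return flagged


def long_window_correlator(events, window=timedelta(hours=72),
                           threshold=20, min_sources=2):
    """Target-keyed correlator with a window measured in days.

    Aggregates all events against a target regardless of source, and reports
    targets whose cumulative count crosses `threshold` with at least
    `min_sources` distinct sources. Returns {target: (count, sorted sources)}
    reflecting the state at the last event for that target."""
    alerts = {}
    recent = defaultdict(deque)  # target -> deque of (timestamp, source)
    for ts, src, dst in sorted(events):
        q = recent[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > window:
            q.popleft()
        sources = {s for _, s in q}
        if len(q) >= threshold and len(sources) >= min_sources:
            alerts[dst] = (len(q), sorted(sources))
    return alerts


if __name__ == "__main__":
    print("short-window rule flagged:", naive_detector(SAMPLE_EVENTS))
    print("long-window correlator:", long_window_correlator(SAMPLE_EVENTS))
```

On the constructed input the short-window rule flags nothing, while the target-keyed correlator reports 24 failures from four sources. The cost of the second approach is state: every event inside a multi-day window must be retained per target, which is exactly the data-reduction pressure the later research problems describe.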

Applying Data Reduction Techniques to Streamline Data Analysis
  • A significant limitation of existing IDS approaches is the difficulty in identifying relevant information in complex high-speed network data streams.  Only a fraction of the available data is applicable to the IDS analysis, but locating the appropriate data, especially in real time, is extremely difficult.  A method is required to identify relevant data elements based on the needs of the IDS dynamically and in real time.  

Dynamic Attack Models that Can Represent New Attacks in Near Real-time
  • Current attack modeling relies on attack trees or pseudo-code to describe an attack.  While both are useful for an individual to understand an attack sequence in the conceptual sense, neither is applicable for use as an online input to an IDS in real time.  A new method is required that is able to capture the relevant information and then serve as an input vector to an IDS.

Detection of Attacks in Noisy Environments
  • Due to the variety of activity and processes occurring in a network environment, the identification of the subset of data that is relevant to analysis can be extremely difficult.  

Detection of Attacks with Incomplete Information
  • IDS approaches rarely have a complete view of an attack, but they typically require the observed activity to match an existing model of the attack to complete the detection process.

Adaptive Verification of Penetration Testing Effectiveness
  • Penetration testing is frequently used to evaluate the security of information systems.  Automated penetration testing tools require an adaptive mechanism that would allow them to determine the effectiveness of penetration efforts in real-time.

Back Tracing Network Attackers
  • There is currently no effective method of tracing an attacker back to the source.  Tagging and node hopping provide little information and lack reliability.

Potential Approaches to Address Research Problems
Due to the complexity of the indicated research problems, innovative solutions will be required to solve them.  The following approaches, or a combination of the approaches, would be acceptable for NEMESIS research:
Swarm Intelligence
Artificial Immune Systems
Adaptive Neural Networks (e.g., ART, SOM, LVQ, RBF)
Self Organizing Systems
Complex Adaptive Systems
Genetic Algorithms
Evolutionary Algorithms


Qualified doctoral students who are interested in investigating one of the indicated problems are being recruited.  The process begins with an email to Dr. Cannady indicating which of the problems you are interested in and your experience and expertise.  That will be followed by the development of a suitable problem statement, followed by an annotated bibliography, followed by an idea paper.  Each of these problems is designed to lead to the dissertation.  If you are interested, qualified, and capable of doing the work, I will provide you the supervision and support necessary to get you through the dissertation process.

A few points to consider:

  1. I will be working closely with each student and there will probably be some level of group collaboration between students working in similar areas.

  2. Each student will be required to publish the results of their research in a peer-reviewed journal or conference proceedings (in addition to their dissertation).

  3. The approach will need to be validated by building (coding) and testing a suitable prototype.

  4. No policy work and no case studies.

  5. Regular progress in your research is required.  If you are too involved in coursework, your job, or your other responsibilities to dedicate to doctoral research then you should wait until you can apply the requisite time to the work before contacting me.  Students who fail to progress in their research for one month will receive a letter of warning.  Failure to make progress for a second month will result in the student being dismissed from the research group.  

Dr. Jim Cannady