Multi-hypothesis comparison of Farquhar and Collatz photosynthesis models reveals the unexpected influence of empirical assumptions at leaf and global scales.

Mechanistic photosynthesis models are at the heart of terrestrial biosphere models (TBMs) simulating the daily, monthly, annual and decadal rhythms of carbon assimilation (A). These models are founded on robust mathematical hypotheses that describe how A responds to changes in light and atmospheric CO2 concentration. Two predominant photosynthesis models are in common usage: Farquhar (FvCB) and Collatz (CBGB). However, a detailed quantitative comparison of these two models has never been undertaken. In this study, we unify the FvCB and CBGB models to a common parameter set and use novel multi-hypothesis methods (that account for both hypothesis and parameter variability) for process-level sensitivity analysis. These models represent three key biological processes: carboxylation, electron transport, triose phosphate use (TPU) and an additional model process: limiting-rate selection. Each of the four processes comprises 1-3 alternative hypotheses giving 12 possible individual models with a total of 14 parameters. To broaden inference, TBM simulations were run and novel, high-resolution photosynthesis measurements were made. We show that parameters associated with carboxylation are the most influential parameters but also reveal the surprising and marked dominance of the limiting-rate selection process (accounting for 57% of the variation in A vs. 22% for carboxylation). The limiting-rate selection assumption proposed by CBGB smooths the transition between limiting rates and always reduces A below the minimum of all potentially limiting rates, by up to 25%, effectively imposing a fourth limitation on A. Evaluation of the CBGB smoothing function in three TBMs demonstrated a reduction in global A by 4%-10%, equivalent to 50%-160% of current annual fossil fuel emissions. This analysis reveals a surprising and previously unquantified influence of a process that has been integral to many TBMs for decades, highlighting the value of multi-hypothesis methods.

A comprehensive guide to CAN IDS data and introduction of the ROAD dataset.

Although ubiquitous in modern vehicles, Controller Area Networks (CANs) lack basic security properties and are easily exploitable. A rapidly growing field of CAN security research has emerged that seeks to detect intrusions or anomalies on CANs. Producing vehicular CAN data with a variety of intrusions is a difficult task for most researchers as it requires expensive assets and deep expertise. To illuminate this task, we introduce the first comprehensive guide to the existing open CAN intrusion detection system (IDS) datasets. We categorize attacks on CANs including fabrication (adding frames, e.g., flooding or targeting and ID), suspension (removing an ID's frames), and masquerade attacks (spoofed frames sent in lieu of suspended ones). We provide a quality analysis of each dataset; an enumeration of each datasets' attacks, benefits, and drawbacks; categorization as real vs. simulated CAN data and real vs. simulated attacks; whether the data is raw CAN data or signal-translated; number of vehicles/CANs; quantity in terms of time; and finally a suggested use case of each dataset. State-of-the-art public CAN IDS datasets are limited to real fabrication (simple message injection) attacks and simulated attacks often in synthetic data, lacking fidelity. In general, the physical effects of attacks on the vehicle are not verified in the available datasets. Only one dataset provides signal-translated data but is missing a corresponding "raw" binary version. This issue pigeon-holes CAN IDS research into testing on limited and often inappropriate data (usually with attacks that are too easily detectable to truly test the method). The scarcity of appropriate data has stymied comparability and reproducibility of results for researchers. As our primary contribution, we present the Real ORNL Automotive Dynamometer (ROAD) CAN IDS dataset, consisting of over 3.5 hours of one vehicle's CAN data. ROAD contains ambient data recorded during a diverse set of activities, and attacks of increasing stealth with multiple variants and instances of real (i.e. non-simulated) fuzzing, fabrication, unique advanced attacks, and simulated masquerade attacks. To facilitate a benchmark for CAN IDS methods that require signal-translated inputs, we also provide the signal time series format for many of the CAN captures. Our contributions aim to facilitate appropriate benchmarking and needed comparability in the CAN IDS research field.

Situ: Identifying and Explaining Suspicious Behavior in Networks.

Despite the best efforts of cyber security analysts, networked computing assets are routinely compromised, resulting in the loss of intellectual property, the disclosure of state secrets, and major financial damages. Anomaly detection methods are beneficial for detecting new types of attacks and abnormal network activity, but such algorithms can be difficult to understand and trust. Network operators and cyber analysts need fast and scalable tools to help identify suspicious behavior that bypasses automated security systems, but operators do not want another automated tool with algorithms they do not trust. Experts need tools to augment their own domain expertise and to provide a contextual understanding of suspicious behavior to help them make decisions. In this paper we present Situ, a visual analytics system for discovering suspicious behavior in streaming network data. Situ provides a scalable solution that combines anomaly detection with information visualization. The system's visualizations enable operators to identify and investigate the most anomalous events and IP addresses, and the tool provides context to help operators understand why they are anomalous. Finally, operators need tools that can be integrated into their workflow and with their existing tools. This paper describes the Situ platform and its deployment in an operational network setting. We discuss how operators are currently using the tool in a large organization's security operations center and present the results of expert reviews with professionals.