Protocol-independent Detection of Dictionary Attacks

Data throughput of current high-speed networks makes it prohibitively expensive to detect attacks using conventional means of deep packet inspection. The network behavior analysis seemed to be a solution, but it lacks in several aspects. The academic research focuses on sophisticated and advanced detection schemes that are, however, often problematic to deploy into the production. In this paper we try different approach and take inspiration from industry practice of using relatively simple but effective solutions. We introduce a model of malicious traffic based on practical experience that can be used to create simple and effective detection methods. This model was used to develop a successful proof-of-concept method for protocol-independent detection of dictionary attacks that is validated with empirical data in this paper

Honeypot-based Security Enhancements for Information Systems

The purpose of this thesis is to explore honeypot-based security enhancements for information systems. First, we provide a comprehensive survey of the research that has been carried out on honeypots and honeynets for Internet of Things (IoT), Industrial Internet of Things (IIoT), and Cyber-physical Systems (CPS). We provide a taxonomy and extensive analysis of the existing honeypots and honeynets, state key design factors for the state-of-the-art honeypot/honeynet research and outline open issues. Second, we propose S-Pot, a smart honeypot framework based on open-source resources. S-Pot uses enterprise and IoT honeypots to attract attackers, learns from attacks via ML classifiers, and dynamically configures the rules of SDN. Our performance evaluation of S-Pot in detecting attacks using various ML classifiers shows that it can detect attacks with 97% accuracy using J48 algorithm. Third, for securing host-based Docker containers from cryptojacking, using honeypots, we perform a forensic analysis to identify indicators for the detection of unauthorized cryptomining, present measures for securing them, and propose an approach for monitoring host-based Docker containers for cryptojacking detection. Our results reveal that host temperature, combined with container resource usage, Stratum protocol, keywords in DNS requests, and the use of the container’s ephemeral ports are notable indicators of possible unauthorized cryptomining

The Dark Menace: Characterizing Network-based Attacks in the Cloud

ABSTRACT As the cloud computing market continues to grow, the cloud platform is becoming an attractive target for attackers to disrupt services and steal data, and to compromise resources to launch attacks. In this paper, using three months of NetFlow data in 2013 from a large cloud provider, we present the first large-scale characterization of inbound attacks towards the cloud and outbound attacks from the cloud. We investigate nine types of attacks ranging from network-level attacks such as DDoS to application-level attacks such as SQL injection and spam. Our analysis covers the complexity, intensity, duration, and distribution of these attacks, highlighting the key challenges in defending against attacks in the cloud. By characterizing the diversity of cloud attacks, we aim to motivate the research community towards developing future security solutions for cloud systems

Utilising Deep Learning techniques for effective zero-day attack detection

Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDS capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, thus limiting their practical use and performance. This paper proposes an autoencoder implementation to detect zero-day attacks. The aim is to build an IDS model with high recall while keeping the miss rate (false-negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation—CICIDS2017 and NSL-KDD. To demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinctive from normal behaviour. The proposed model benefits greatly from autoencoders encoding-decoding capabilities. The results show that autoencoders are well-suited at detecting complex zero-day attacks. The results demonstrate a zero-day detection accuracy of [89% - 99%] for the NSL-KDD dataset and [75% - 98%] for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout

Detection and prevention of username enumeration attack on SSH protocol: machine learning approach

A Dissertation Submitted in Partial Fulfillment of the Requirement for the Degree of Master’s in Information System and Network Security of the Nelson Mandela African Institution of Science and TechnologyOver the last two decades (2000–2020), the Internet has rapidly evolved, resulting in symmetrical and asymmetrical Internet consumption patterns and billions of users worldwide. With the immense rise of the Internet, attacks and malicious behaviors pose a huge threat to our computing environment. Brute-force attack is among the most prominent and commonly used attacks, achieved out using password-attack tools, a wordlist dictionary, and a usernames list – obtained through a so – called an enumeration attack. In this study, we investigate username enumeration attack detection on SSH protocol by using machine-learning classifiers. We apply four asymmetrical classifiers on our generated dataset collected from a closed environment network to build machine-learning-based models for attack detection. The use of several machine-learners offers a wider investigation spectrum of the classifiers’ ability in attack detection. Additionally, we investigate how beneficial it is to include or exclude network ports information as features-set in the process of learning. We evaluated and compared the performances of machine-learning models for both cases. The models used are k-nearest neighbor (KNN), naïve Bayes (NB), random forest (RF) and decision tree (DT) with and without ports information. Our results show that machine-learning approaches to detect SSH username enumeration attacks were quite successful, with KNN having an accuracy of 99.93%, NB 95.70%, RF 99.92%, and DT 99.88%. Furthermore, the results improved when using ports information. The best selected model was then deployed into intrusion detection and prevention system (IDS/IPS) to automatically detect and prevent username enumeration attack. Study also recommends the use of Deep Learning in future studies

Intrusion Detection and Security Assessment in a University Network

This thesis first explores how intrusion detection (ID) techniques can be used to provide an extra security layer for today‟s typically security-unaware Internet user. A review of the ever-growing network security threat is presented along with an analysis of the suitability of existing ID systems (IDS) for protecting users of varying security expertise. In light of the impracticality of many IDS for today‟s users, a web-enabled, agent-based, hybrid IDS is proposed. The motivations for the system are presented along with details of its design and implementation. As a test case, the system is deployed on the DCU network and results analysed. One of the aims of an IDS is to uncover security-related issues in its host network. The issues revealed by our IDS demonstrate that a full DCU network security assessment is warranted. This thesis describes how such an assessment should be carried out and presents corresponding results. A set of security-enhancing recommendations for the DCU network are presented

Optimisation of John the Ripper in a clustered Linux environment

To aid system administrators in enforcing strict password policies, the use of password cracking tools such as Cisilia (C.I.S.I.ar, 2003) and John the Ripper (Solar Designer, 2002), have been employed as software utilities to look for weak passwords. John the Ripper (JtR) attempts to crack the passwords by using a dictionary, brute-force or other mode of attack. The computational intensity of cracking passwords has led to the utilisation of parallel-processing environments to increase the speed of the password-cracking task. Parallel-processing environments can consist of either single systems with multiple processors, or a collection of separate computers working together as a single, logical computer system; both of these configurations allow operations to run concurrently. This study aims to optimise and compare the execution of JtR on a pair of Beowulf clusters, which arc a collection of computers configured to run in a parallel manner. Each of the clusters will run the Rocks cluster distribution, which is a Linux RedHat based cluster-toolkit. An implementation of the Message Passing Interface (MPI), MPICH, will be used for inter-node communication, allowing the password cracker to run in a parallel manner. Experiments were performed to test the reliability of cracking a single set of password samples on both a 32-bit and 64-bit Beowulf cluster comprised of Intel Pentium and AMD64 Opteron processors respectively. These experiments were also used to test the effectiveness of the brute-force attack against the dictionary attack of JtR. The results from this thesis may provide assistance to organisations in enforcing strong password policies on user accounts through the use of computer clusters and also to examine the possibility of using JtR as a tool to reliably measure password strength