    Botnet Detection in Virtual Environments Using NetFlow

    For both enterprises and service providers, the exponential growth of cloud and virtual infrastructures brings vast performance and financial benefits, but this growth has undoubtedly introduced unforeseen problems in terms of new opportunities for malware and cybercrime to flourish. Botnets could be created entirely within the cloud using virtual resources, for a myriad of purposes including DDoS-as-a-Service. This study has sought to determine whether distributed packet capture utilising mirroring technology or some form of sampling mechanism provides better performance for detecting cybercrime-style activities within virtual environments. The recommendation is a distributed monitoring technique which can provide end-to-end monitoring capabilities while minimising the performance impact on popular adoptions of cloud or virtual infrastructures. Investigations have concentrated on distributed monitoring techniques utilising virtual network switches, looking for a proof-of-concept demonstrator where sample Command & Control and Peer-to-Peer botnet activities can be detected utilising flow capture technologies such as NetFlow, sFlow or IPFIX. This paper demonstrates how, by inserting a monitoring function into a virtual or cloud architecture, the capture and analysis of traffic parameters using NetFlow can be used to identify the presence of an HTTP-based Command & Control botnet.

    An Analysis of Pre-Infection Detection Techniques for Botnets and other Malware

    Traditional techniques for detecting malware, such as viruses, worms and rootkits, rely on identifying virus-specific signature definitions within network traffic, applications or memory. Because a sample of malware is required to define an attack signature, signature detection has drawbacks when accounting for malware code mutation, has limited use in zero-day protection and is a post-infection technique requiring malware to be present on a device in order to be detected. A malicious bot is a malware variant that interconnects with other bots to form a botnet. Amongst their multiple malicious uses, botnets are ideal for launching mass Distributed Denial of Service attacks against the ever-increasing number of networked devices that are starting to form the Internet of Things and Smart Cities. Regardless of topology, centralised Command & Control or distributed Peer-to-Peer, bots must communicate with their commanding botmaster. This communication traffic can be used to detect malware activity in the cloud before it can evade network perimeter defences and to trace a route back to the source to take down the threat. This paper identifies the inefficiencies exhibited by signature-based detection when dealing with botnets. Total botnet eradication relies on traffic-based detection methods such as DNS record analysis, against which malware authors have multiple evasion techniques. Signature-based detection displays further inefficiencies when located within virtual environments, which form the backbone of data centre infrastructures, providing malware with a new attack vector. This paper highlights a lack of techniques for detecting malicious bot activity within such environments, proposing an architecture based upon flow sampling protocols to detect botnets within virtualised environments.

    Social recruiting: a next generation social engineering attack

    Social engineering attacks initially experienced success due to the lack of understanding of the attack vector and the resultant lack of remedial actions. Due to an increase in media coverage, corporate bodies have begun to defend their interests from this vector. This has resulted in a new generation of social engineering attacks that have adapted to the industry response. These new forms of attack take into account the increased likelihood that they will be detected, rendering traditional defences against social engineering attacks moot. This paper highlights these attacks, explains why traditional defences fail to address them, and suggests new methods of incident response.

    Analysis of SQL Injection Detection Techniques

    SQL Injection is one of the vulnerabilities in OWASP's Top Ten List for Web-Based Application Exploitation. These types of attacks take place on dynamic web applications as they interact with databases for various operations. Current Content Management Systems like Drupal, Joomla or WordPress have all their information stored in their databases. A single intrusion into these types of websites can lead to overall control of the website by the attacker. Researchers are aware of the basic SQL Injection attacks, but there are numerous SQL Injection attacks which are yet to be prevented and detected. Here, we present an extensive review of advanced SQL Injection attacks such as Fast Flux SQL Injection, Compounded SQL Injection and Deep Blind SQL Injection. We also analyze detection and prevention using classical methods as well as modern approaches. We discuss a comparative evaluation of SQL Injection prevention techniques.

    Comparative Study of Supervised Learning Methods for Malware Analysis, Journal of Telecommunications and Information Technology, 2014, nr 4

    Malware is software designed to disrupt or even damage a computer system or perform other unwanted actions. Nowadays, malware is a common threat on the World Wide Web. Anti-malware protection and intrusion detection can be significantly supported by a comprehensive and extensive analysis of data on the Web. The aim of such analysis is the classification of the collected data into two sets, i.e., normal and malicious data. In this paper the authors investigate the use of three supervised learning methods for data mining to support malware detection. The results of applying Support Vector Machine, Naive Bayes and k-Nearest Neighbors techniques to the classification of data taken from devices located in many units, organizations and monitoring systems serviced by CERT Poland are described. The performance of all methods is compared and discussed. The results of the performed experiments show that supervised learning algorithms can be successfully used for computer data analysis and can support computer emergency response teams in threat detection.

    A Survey of Platforms and Techniques for Processing Network Service Access Logs to Detect Information Security Risks

    In the layers of information security measures, the monitoring and detection measures for anomalous activities and information insecurity risks are considered the second defense layer, behind firewalls and access controls. This defense layer includes intrusion detection and prevention systems for hosts and networks. This paper examines platforms, tools and techniques for processing and analyzing access logs of network service servers for the detection of anomalous activities and information insecurity risks. Based on the survey results, the paper proposes the architecture of a monitoring and information security assurance system for the small and medium-sized networks of organizations with limited resources.

    Anomaly detection based on machine learning techniques

    Master of Science. Department of Computer Science. William H. Hsu.
    This report presents an experimental exploration of supervised inductive learning methods for the task of Domain Name Service (DNS) query filtering for anomaly detection. The anomaly types for which I implement a learning monitor represent specific attack vectors, such as distributed denial-of-service (DDoS), remote-to-user (R2U), and probing, that have been increasing in size and sophistication in recent years. A number of anomaly detection measures, such as honeynet-based and Intrusion Detection System (IDS)-based, have been proposed. However, IDS-based solutions that use signatures seem to be ineffective, because attackers associated with recent anomalies are equipped with sophisticated code update and evasion techniques. By contrast, anomaly detection methods do not require pre-built signatures and thus have the capability to detect new or unknown anomalies. Towards this end, this project implements and applies an anomaly detection model learned from DNS query data and evaluates the effectiveness of an implementation of this model using popular machine learning techniques. Experimental results show that this machine learning approach, using existing inductive learning algorithms such as k-NN (k-nearest neighbour), decision trees and Naive Bayes, can be used effectively in anomaly detection.

    Statistical methods for the detection of non-technical losses: a case study for the Nelson Mandela Bay Municipality

    Electricity is one of the most stolen commodities in the world. Electricity theft can be defined as the criminal act of stealing electrical power. Several types of electricity theft exist, including illegal connections and bypassing and tampering with energy meters. The negative financial impacts of electricity theft, due to lost revenue, are far-reaching and affect both developing and developed countries. Here in South Africa, Eskom loses over R2 Billion annually due to electricity theft. Data mining and nonparametric statistical methods have been used to detect fraudulent usage of electricity by assessing abnormalities and abrupt changes in kilowatt hour (kWh) consumption patterns. Identifying effective measures to detect fraudulent electricity usage is an active area of research in the electrical domain. In this study, Support Vector Machines (SVM), Naïve Bayes (NB) and k-Nearest Neighbour (KNN) algorithms were used to design and propose an electricity fraud detection model. Using the Nelson Mandela Bay Municipality as a case study, three classifiers were built with the SVM, NB and KNN algorithms. The performance of these classifiers was evaluated and compared.