A parallel approach to pca based malicious activitydetection in distributed honeypot data

Model order selection (MOS) schemes, which are frequently employed inseveral signal processing applications, are shown to be effective tools for the detectionof malicious activities in honeypot data. In this paper, we extend previous results byproposing an efficient and parallel MOS method for blind automatic malicious activitydetection in distributed honeypots. Our proposed scheme does not require any previousinformation on attacks or human intervention. We model network traffic data as signalsand noise and then apply modified signal processing methods. However, differently fromthe previous centralized solutions, we propose that the data colected by each honeypotnode be processed by nodes in a cluster (that may consist of the collection nodesthemselves) and then grouped to obtain the final results. This is achieved by having eachnode locally compute the Eigenvalue Decomposition (EVD) to its own sample correlationmatrix (obtained from the honeypot data) and transmit the resulting eigenvalues to acentral node, where the global eigenvalues and final model order are computed. Themodel order computed from the global eigenvalues through RADOI represents the numberof malicious activities detected in the analysed data. The feasibility of the proposedapproach is demonstrated through simulation experiments

A New Procedure to Detect Low Interaction Honeypots

Honeypots  systems  are   an   important  piece  of   the   network  security infrastructure and can be deployed to accomplish different purposes such as: network sensing, capturing and learning about 0-day exploits, capturing and analyzing of black hat techniques, deterring black hats and data gathering for doing  statistical  analysis  over  the  Internet  traffic,  among  others. Nevertheless, all honeypots need to look like real systems, due to if a honeypot is unmasked, it loses its value. This paper presents a new procedure to detect low interaction honeypots, through HTTP request, regardless honeypot architecture. It is important to mention that Low Interaction Honeypots network services need to be improved in order to get trustworthy information. Otherwise, it should consider data obtained by low interaction honeypots like inaccurate and unreliable information.DOI:http://dx.doi.org/10.11591/ijece.v4i6.688

Improving intrusion detection systems using data mining techniques

Recent surveys and studies have shown that cyber-attacks have caused a lot of damage to organisations, governments, and individuals around the world. Although developments are constantly occurring in the computer security field, cyber-attacks still cause damage as they are developed and evolved by hackers. This research looked at some industrial challenges in the intrusion detection area. The research identified two main challenges; the first one is that signature-based intrusion detection systems such as SNORT lack the capability of detecting attacks with new signatures without human intervention. The other challenge is related to multi-stage attack detection, it has been found that signature-based is not efficient in this area. The novelty in this research is presented through developing methodologies tackling the mentioned challenges. The first challenge was handled by developing a multi-layer classification methodology. The first layer is based on decision tree, while the second layer is a hybrid module that uses two data mining techniques; neural network, and fuzzy logic. The second layer will try to detect new attacks in case the first one fails to detect. This system detects attacks with new signatures, and then updates the SNORT signature holder automatically, without any human intervention. The obtained results have shown that a high detection rate has been obtained with attacks having new signatures. However, it has been found that the false positive rate needs to be lowered. The second challenge was approached by evaluating IP information using fuzzy logic. This approach looks at the identity of participants in the traffic, rather than the sequence and contents of the traffic. The results have shown that this approach can help in predicting attacks at very early stages in some scenarios. However, it has been found that combining this approach with a different approach that looks at the sequence and contents of the traffic, such as event- correlation, will achieve a better performance than each approach individually

Determining the effectiveness of deceptive honeynets

Over the last few years, incidents of network based intrusions have rapidly increased, due to the increase and popularity of various attack tools easily available for download from the Internet. Due to this increase in intrusions, the concept of a network defence known as Honeypots developed. These honeypots are designed to ensnare attackers and monitor their activities. Honeypots use the principles of deception such as masking, mimicry, decoying, inventing, repackaging and dazzling to deceive attackers. Deception exists in various forms. It is a tactic to survive and defeat the motives of attackers. Due to its presence in the nature, deception has been widely used during wars and now in Information Systems. This thesis considers the current state of honeypot technology as well as describes the framework of how to improve the effectiveness of honeypots through the effective use of deception. In this research, a legitimate corporate deceptive network is created using Honeyd (a type of honeypot) which is attacked and improved using empirical learning approach. The data collected during the attacking exercise were analysed, using various measures, to determine the effectiveness of the deception in the honeypot network created using honeyd. The results indicate that the attackers were deceived into believing the honeynet was a real network which instead was a deceptive network

Web attack risk awareness with lessons learned from high interaction honeypots

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2009Com a evolução da web 2.0, a maioria das empresas elabora negócios através da Internet usando aplicações web. Estas aplicações detêm dados importantes com requisitos cruciais como confidencialidade, integridade e disponibilidade. A perda destas propriedades influencia directamente o negócio colocando-o em risco. A percepção de risco providencia o necessário conhecimento de modo a agir para a sua mitigação. Nesta tese foi concretizada uma colecção de honeypots web de alta interacção utilizando diversas aplicações e sistemas operativos para analisar o comportamento do atacante. A utilização de ambientes de virtualização assim como ferramentas de monitorização de honeypots amplamente utilizadas providencia a informação forense necessária para ajudar a comunidade de investigação no estudo do modus operandi do atacante, armazenando os últimos exploits e ferramentas maliciosas, e a desenvolver as necessárias medidas de protecção que lidam com a maioria das técnicas de ataque. Utilizando a informação detalhada de ataque obtida com os honeypots web, o comportamento do atacante é classificado entre diferentes perfis de ataque para poderem ser analisadas as medidas de mitigação de risco que lidam com as perdas de negócio. Diferentes frameworks de segurança são analisadas para avaliar os benefícios que os conceitos básicos de segurança dos honeypots podem trazer na resposta aos requisitos de cada uma e a consequente mitigação de risco.With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties influences directly the business putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation. In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse the attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provide the necessary forensic information that helps the research community to study the modus operandi of the attacker gathering the latest exploits and malicious tools and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attacking information gathered with the web honeypots, the attacking behaviour will be classified across different attacking profiles to analyse the necessary risk mitigation safeguards to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypots security concepts in responding to each framework’s requirements and consequently mitigating the risk

A neural-visualization IDS for honeynet data

Neural intelligent systems can provide a visualization of the network traffic for security staff, in order to reduce the widely known high false-positive rate associated with misuse-based Intrusion Detection Systems (IDSs). Unlike previous work, this study proposes an unsupervised neural models that generate an intuitive visualization of the captured traffic, rather than network statistics. These snapshots of network events are immensely useful for security personnel that monitor network behavior. The system is based on the use of different neural projection and unsupervised methods for the visual inspection of honeypot data, and may be seen as a complementary network security tool that sheds light on internal data structures through visual inspection of the traffic itself. Furthermore, it is intended to facilitate verification and assessment of Snort performance (a well-known and widely-used misuse-based IDS), through the visualization of attack patterns. Empirical verification and comparison of the proposed projection methods are performed in a real domain, where two different case studies are defined and analyzedRegional Government of Gipuzkoa, the Department of Research, Education and Universities of the Basque Government, and the Spanish Ministry of Science and Innovation (MICINN) under projects TIN2010-21272-C02-01 and CIT-020000-2009-12 (funded by the European Regional Development Fund). This work was also supported in the framework of the IT4Innovations Centre of Excellence project, reg. no. CZ.1.05/1.1.00/02.0070 supported by the Operational Program 'Research and Development for Innovations' funded through the Structural Funds of the European Union and the state budget of the Czech RepublicElectronic version of an article published as International Journal of Neural Systems, Volume 22, Issue 02, April 2012 10.1142/S0129065712500050 ©copyright World Scientific Publishing Company http://www.worldscientific.com/worldscinet/ijn

Analysis of intrusion prevention methods

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2004Includes bibliographical references (leaves: 105-108)Text in English; Abstract: Turkish and Englishviii, 108 leavesToday, the pace of the technological development and improvements has compelled the development of new and more complex applications. The obligatory of application development in a short time to rapidly changing requirements causes skipping of some stages, mostly the testing stage, in the software development cycle thus, leads to the production of applications with defects. These defects are, later, discovered by intruders to be used to penetrate into computer systems. Current security technologies, such as firewalls, intrusion detection systems, honeypots, network-based antivirus systems, are insufficient to protect systems against those, continuously increasing and rapid-spreading attacks. Intrusion Prevention System (IPS) is a new technology developed to block today.s application-specific, data-driven attacks that spread in the speed of communication. IPS is the evolved and integrated state of the existing technologies; it is not a new approach to network security. In this thesis, IPS products of various computer security appliance developer companies have been analyzed in details. At the end of these analyses, the requirements of network-based IPSs have been identified and an architecture that fits those requirements has been proposed. Also, a sample network-based IPS has been developed by modifying the open source application Snort