724 research outputs found
The Dark Side(-Channel) of Mobile Devices: A Survey on Network Traffic Analysis
In recent years, mobile devices (e.g., smartphones and tablets) have met with increasing commercial success and have become a fundamental element of everyday life for billions of people all around the world. Mobile devices are used not only for traditional communication activities (e.g., voice calls and messages) but also for more advanced tasks made possible by an enormous number of multi-purpose applications (e.g., finance, gaming, and shopping). As a result, those devices generate significant network traffic (a substantial part of the overall Internet traffic). For this reason, the research community has been investigating security and privacy issues related to the network traffic generated by mobile devices, which can be analyzed to obtain information useful for a variety of goals (ranging from device security and network optimization to fine-grained user profiling).
In this paper, we review the works that contributed to the state of the art of network traffic analysis targeting mobile devices. In particular, we present a systematic classification of the works in the literature according to three criteria: (i) the goal of the analysis; (ii) the point where the network traffic is captured; and (iii) the targeted mobile platforms. In this survey, we consider capture points such as Wi-Fi access points, software simulation, and inside real mobile devices or emulators. For the surveyed works, we review and compare analysis techniques, validation methods, and achieved results. We also discuss possible countermeasures, challenges and possible directions for future research on mobile traffic analysis and other emerging domains (e.g., Internet of Things). We believe our survey will be a reference work for researchers and practitioners in this research field.
Comment: 55 page
Behavioral complexity analysis of networked systems to identify malware attacks
2020 Fall. Includes bibliographical references.
Internet of Things (IoT) environments are often composed of a diverse set of devices that span a broad range of functionality, making them a challenge to secure. This diversity of function leads to a commensurate diversity in network traffic: some devices have simple network footprints and some have complex network footprints. This network complexity in a device's traffic provides a differentiator that the network can use to distinguish which devices are most effectively managed autonomously and which are not. This study proposes an informed autonomous learning method that quantifies the complexity of a device based on historic traffic and applies this complexity metric to build a probabilistic model of the device's normal behavior using a Gaussian Mixture Model (GMM). This method results in an anomaly detection classifier with inlier probability thresholds customized to the complexity of each device, without requiring labeled data. The model's efficacy is then evaluated using seven common types of real malware traffic and across four device datasets of network traffic: one residential-based, two from labs, and one consisting of commercial automation devices. The results of the analysis of over 100 devices and 800 experiments show that the model leads to highly accurate representations of the devices and a strong correlation between the measured complexity of a device and the accuracy to which its network behavior can be modeled.
Exploratory Data Analysis of a Network Telescope Traffic and Prediction of Port Probing Rates
Understanding the properties exhibited by large-scale network probing traffic would improve cyber threat intelligence. In addition, the prediction of probing rates is a key feature for security practitioners in their endeavors to make better operational decisions and to enhance their defense strategies. In this work, we study different aspects of the traffic captured by a /20 network telescope. First, we perform an exploratory data analysis of the collected probing activities. The investigation includes probing rates at the port level, the services of interest to top network probers, and the distribution of probing rates by geolocation. Second, we extract the exploration patterns of the network probers. We model these behaviors using transition graphs decorated with the probabilities of switching from one port to another. Finally, we assess the capacity of Non-stationary Autoregressive and Vector Autoregressive models to predict port probing rates, as a first step towards using more robust models for better forecasting performance.
Comment: IEEE Intelligence and Security Informatic
Anomaly-based network intrusion detection
Integrated master's dissertation in Industrial Electronics and Computers.
In the last few years, hardware and software security have become a major concern. As the complexity of systems increases, their vulnerabilities to sophisticated attack techniques have escalated proportionally. Quite often, the problem lies in the heterogeneity of the devices connected to the vehicle, making it difficult to converge the monitoring of all existing protocols into one security product. Thereby, the market requires more refined tools to monitor environments critical to human life, such as our personal vehicles.
Considering that there are several ways to interact with the car's infotainment system, such as Wi-Fi, Bluetooth, or multimedia CDs, the need to audit these interfaces has become a priority, as they represent a serious channel to reach the internal car network. Nowadays, security in car networks focuses on CAN bus monitoring, leaving behind the aforementioned technologies and not contemplating other non-critical systems. As an example of these concerns, Bluetooth brings different challenges compared to CAN, as it interacts directly with the user and is exposed to external attacks.
An alternative approach to converting modern vehicles and their set of computers into more robust systems is to keep the communications established with them under supervision. By enforcing anomaly-based intrusion detection, this dissertation aims to analyze the Bluetooth protocol to identify abnormal user interactions that may alert to a non-conforming usage pattern. Ultimately, such an embedded software product incorporates a self-learning edge, which is vital to face newly developed, unknown threats and to increase global security levels. Throughout this document, we present the study of the problem followed by an alternative methodology that implements an LSTM-based algorithm to predict the sequence of HCI commands corresponding to normal Bluetooth traffic. The results show how this approach can impact intrusion detection in such environments by exhibiting a high capability of identifying abnormal patterns in the considered data.
The use of machine learning with signal- and NLP processing of source code to fingerprint, detect, and classify vulnerabilities and weaknesses with MARFCAT
We present a machine learning approach to static code analysis and fingerprinting for weaknesses related to security, software engineering, and others, using the open-source MARF framework and the MARFCAT application based on it, for NIST's SATE2010 static analysis tool exposition workshop found at http://samate.nist.gov/SATE2010Workshop.html
Comment: 33 pages, 11 tables; some results presented at SATE2010; NIST, October 2011; shorter version of v5 appears in the NIST technical report at http://samate.nist.gov/docs/NIST_Special_Publication_500-283.pdf#page=49 where its presentation is found at http://samate.nist.gov/docs/SATE2010/SATE10_13_Marfcat_Mokhov.pdf and the MARFCAT OSS release at http://sourceforge.net/projects/marf/files/Applications/MARFCAT