562 research outputs found

    NEDAC: A worm countermeasure mechanism

    This article presents an Internet worm countermeasure mechanism that uses DNS activities as a behavioural technique to detect worm propagation. The mechanism also uses a data-link containment solution to block traffic from an infected host. The concept has been demonstrated using a developed prototype and tested in a virtualised network environment. An empirical analysis of network worm propagation has been conducted to test the capabilities of the developed countermeasure mechanism. The results show that the developed mechanism is sensitive in containing Internet worms.
    Keywords: Worm Detection, Malware, cyber defense

    Towards automated distributed containment of zero-day network worms

    Worms are a serious potential threat to computer network security. The high potential speed of propagation of worms and their ability to self-replicate make them highly infectious. Zero-day worms represent a particularly challenging class of such malware, with the cost of a single worm outbreak estimated to be as high as US$2.6 Billion. In this paper, we present a distributed automated worm detection and containment scheme that is based on the correlation of Domain Name System (DNS) queries and the destination IP address of outgoing TCP SYN and UDP datagrams leaving the network boundary. The proposed countermeasure scheme also utilizes cooperation between different communicating scheme members using a custom protocol, which we term Friends. The absence of a DNS lookup action prior to an outgoing TCP SYN or UDP datagram to a new destination IP address is used as a behavioral signature for a rate limiting mechanism, while the Friends protocol spreads reports of the event to potentially vulnerable uninfected peer networks within the scheme. To our knowledge, this is the first implementation of such a scheme. We conducted empirical experiments across six class C networks by using a Slammer-like pseudo-worm to evaluate the performance of the proposed scheme. The results show a significant reduction in the worm infection when the countermeasure scheme is invoked.

    Early containment of fast network worm malware

    This paper presents a countermeasure mechanism for the propagation of fast network worm malware. The mechanism uses a cross-layer architecture with a detection technique at the network layer to identify worm infection and a data-link containment solution to block an identified infected host. A software prototype of the mechanism has been used to demonstrate its effectiveness. An empirical analysis of network worm propagation has been conducted to test the mechanism. The results show that the developed mechanism is effective in containing self-propagating malware with almost no false positives.

    Early detection and containment of network worm

    This paper presents a network security framework for containing the propagation of network worms. The framework employs a detection mechanism at the network layer to identify the presence of a network worm and a data-link containment solution to block the infected host. A prototype of the mechanism has been used to demonstrate the effectiveness of the developed framework. An empirical analysis of network worm propagation has been conducted to test the framework. The results show that the developed framework is effective in containing network worms with almost no false positives.

    Containment of fast scanning computer network worms

    This paper presents a mechanism for detecting and containing fast scanning computer network worms. The countermeasure mechanism, termed NEDAC, uses a behavioural detection technique that observes the absence of DNS resolution in newly initiated outgoing connections. Upon detection of abnormal behaviour by a host, based on the absence of DNS resolution, the detection system invokes a data-link containment system to block traffic from the host. The concept has been demonstrated using a developed prototype and tested in a virtualised network environment. An empirical analysis of network worm propagation, based on the characteristics of reported contemporary vulnerabilities, has been conducted to test the capabilities of the countermeasure mechanism. The results show that the developed mechanism is sensitive in detecting and blocking fast scanning worm infection at an early stage.

    Know Your Enemy: Stealth Configuration-Information Gathering in SDN

    Software Defined Networking (SDN) is a network architecture that aims at providing high flexibility through the separation of the network logic from the forwarding functions. The industry has already widely adopted SDN, and researchers have thoroughly analyzed its vulnerabilities, proposing solutions to improve its security. However, we believe important security aspects of SDN are still left uninvestigated. In this paper, we raise the concern of the possibility for an attacker to obtain knowledge about an SDN network. In particular, we introduce a novel attack, named Know Your Enemy (KYE), by means of which an attacker can gather vital information about the configuration of the network. This information ranges from the configuration of security tools, such as attack detection thresholds for network scanning, to general network policies like QoS and network virtualization. Additionally, we show that an attacker can perform a KYE attack in a stealthy fashion, i.e., without the risk of being detected. We underline that the vulnerability exploited by the KYE attack is specific to SDN and is not present in legacy networks. To address the KYE attack, we also propose an active defense countermeasure based on network flow obfuscation, which considerably increases the complexity of a successful attack. Our solution offers provable security guarantees that can be tailored to the needs of the specific network under consideration.

    SPECTRAL GRAPH-BASED CYBER DETECTION AND CLASSIFICATION SYSTEM WITH PHANTOM COMPONENTS

    With cyber attacks on the rise, cyber defenders require new, innovative solutions to provide network protection. We propose a spectral graph-based cyber detection and classification (SGCDC) system using phantom components, the strong node concept, and the dual-degree matrix to detect, classify, and respond to worm and distributed denial-of-service (DDoS) attacks. The system is analyzed using absorbing Markov chains and a novel Levy-impulse model that characterizes network SYN traffic to determine the theoretical false-alarm rates of the system. The detection mechanism is analyzed in the face of network noise and congestion using Weyl's theorem, the Davis-Kahan theorem, and a novel application of the n-dimensional Euclidean metric. The SGCDC system is validated using real-world and synthetic datasets, including the WannaCry and Blaster worms and a SYN flood attack. The system accurately detected and classified the attacks in all but one case studied. The known attacking nodes were identified in less than 0.27 sec for the DDoS attack, and the worm-infected nodes were identified in less than one second after the second infected node began the target search and discovery process for the WannaCry and Blaster worm attacks. The system also produced a false-alarm rate of less than 0.005 under a scenario. These results improve upon other non-spectral graph systems that have detection rates of less than 0.97 sec and false alarm rates as high as 0.095 sec for worm and DDoS attacks.
    Lieutenant Commander, United States Navy
    Approved for public release. Distribution is unlimited.