Fast flux botnet detection framework using adaptive dynamic evolving spiking neural network algorithm

A botnet, a set of compromised machines controlled distantly by an attacker, is the basis of numerous security threats around the world. Command and Control servers are the backbones of botnet communications, where the bots and botmasters send report and attack orders to each other. Botnets are also categorized according to their C&C protocols. A Domain Name System method known as Fast-Flux Service Network (FFSN) – a special type of botnet – has been engaged by bot herders to cover malicious botnet activities and increase the lifetime of malicious servers by quickly changing the IP addresses of the domain name over time. Although several methods have been suggested for detecting FFSNs, they have low detection accuracy especially with zero-day domain. In this research, we propose a new system called Fast Flux Killer System (FFKS) that has the ability to detect FF-Domains in online mode with an implementation constructed on Adaptive Dynamic evolving Spiking Neural Network (ADeSNN). The proposed system proved its ability to detect FF domains in online mode with high detection accuracy (98.77%) compare with other algorithms, with low false positive and negative rates respectively. It is also proved a high level of performance. Additionally, the proposed adaptation of the algorithm enhanced and helped in the parameters customization process

Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

PROVIDE: hiding from automated network scans with proofs of identity

Network scanners are a valuable tool for researchers and administrators, however they are also used by malicious actors to identify vulnerable hosts on a network. Upon the disclosure of a security vulnerability, scans are launched within hours. These opportunistic attackers enumerate blocks of IP addresses in hope of discovering an exploitable host. Fortunately, defensive measures such as port knocking protocols (PKPs) allow a service to remain stealth to unauthorized IP addresses. The service is revealed only when a client includes a special authentication token (AT) in the IP/TCP header. However this AT is generated from a secret shared between the clients/servers and distributed manually to each endpoint. As a result, these defense measures have failed to be widely adopted by other protocols such as HTTP/S due to challenges in distributing the shared secrets. In this paper we propose a scalable solution to this problem for services accessed by domain name. We make the following observation: automated network scanners access servers by IP address, while legitimate clients access the server by name. Therefore a service should only reveal itself to clients who know its name. Based on this principal, we have created a proof of the verifier’s identity (a.k.a. PROVIDE) protocol that allows a prover (legitimate user) to convince a verifier (service) that it is knowledgeable of the verifier’s identity. We present a PROVIDE implementation using a PKP and DNS (PKP+DNS) that uses DNS TXT records to distribute identification tokens (IDT) while DNS PTR records for the service’s domain name are prohibited to prevent reverse DNS lookups. Clients are modified to make an additional DNS TXT query to obtain the IDT which is used by the PKP to generate an AT. The inclusion of an AT in the packet header, generated from the DNS TXT query, is proof the client knows the service’s identity. We analyze the effectiveness of this mechanism with respect to brute force attempts for various strength ATs and discuss practical considerations.This work has been supported by the National Science Foundation (NSF) awards #1430145, #1414119, and #1012798

Application of PSVR-DNS Algorithm for Attacker Detection and Isolation

The DNS (Domain Name System) is used to map and convert human-friendly domain names to the numeric IP (Internet Protocol) addresses. As with the operation of any communication system, there are some security risks associated with the operation of DNS. Actions targeting the availability or stability of a network\u27s DNS service are considered DNS attack. For example, a high volume of traffic and a large number of requests coming to DNS servers are part of a type of DoS (Denial of Service) attack that uses DNS for amplification. Although most DNS servers are open source, some commercial protective DNS services are available for network traffic control, filtering and automatic blocking of requests to undesirable, dangerous or malicious internet domains, but the price of such services is high. In this paper, a new PSVR-DNS (Probability Support Vector Regression-Domain Name System) algorithm is proposed for the purpose of detecting and isolating attackers who pose a threat to an uninterrupted work of the DNS servers. The main focus is on the prevention of the DNS cache poisoning. The collected results showed that the proposed PSVR-DNS algorithm achieves better performance related to faster detection and isolation of attacks compared to some existing algorithms

Centralized prevention of denial of service attacks

The world has come to depend on the Internet at an increasing rate for communication, e-commerce, and many other essential services. As such, the Internet has become an integral part of the workings of society at large. This has lead to an increased vulnerability to remotely controlled disruption of vital commercial and government operations---with obvious implications. This disruption can be caused by an attack on one or more specific networks which will deny service to legitimate users or an attack on the Internet itself by creating large amounts of spurious traffic (which will deny services to many or all networks). Individual organizations can take steps to protect themselves but this does not solve the problem of an Internet wide attack. This thesis focuses on an analysis of the different types of Denial of Service attacks and suggests an approach to prevent both categories by centralized detection and limitation of excessive packet flows