Threshold Verification Technique for Network Intrusion Detection System
The Internet has played a vital role in the modern world, and the possibilities and opportunities it offers are limitless. Despite all the hype, Internet services are liable to intrusion attacks that can compromise the confidentiality and integrity of important information. An attack starts with gathering information about the target, and this information-gathering activity can be carried out as either a fast or a slow attack. The defensive measure a network administrator can take against this liability is to introduce Intrusion Detection Systems (IDSs) into the network. An IDS has the capability to analyze network traffic and recognize incoming and ongoing intrusions. Unfortunately, combining both modules on real-time network traffic slows down the detection process. In a real-time network, early detection of a fast attack can prevent further attacks and reduce unauthorized access to the targeted machine. A suitable set of selected features and the correct threshold value give an IDS an extra advantage in detecting anomalies in the network. This paper therefore discusses a new technique for selecting a static threshold value from a minimum set of standard features for detecting fast attacks from the victim's perspective. To increase confidence in the threshold value, the result is verified using Statistical Process Control (SPC). The implementation of this approach shows that the selected threshold is suitable for identifying fast attacks in real time.
Comment: 8 pages, International Journal of Computer Science and Information Security
The internet worm
In November 1988 a worm program invaded several thousand UNIX-operated Sun workstations and VAX computers attached to the Research Internet, seriously disrupting service for several days but damaging no files. An analysis of the worm's decompiled code revealed a battery of attacks by a knowledgeable insider and demonstrated a number of security weaknesses. The attack occurred in an open network, and little can be inferred about the vulnerabilities of closed networks used for critical operations. The attack showed that password protection procedures need review and strengthening. It showed that sets of mutually trusting computers need to be carefully controlled. Sharp public reaction crystallized into a demand for user awareness and accountability in a networked world.
Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization
Logs are one of the most fundamental resources to any security professional. It is widely recognized by the government and industry that it is both beneficial and desirable to share logs for the purpose of security research. However, the sharing is not happening, or not to the degree or magnitude that is desired. Organizations are reluctant to share logs because of the risk of exposing sensitive information to potential attackers. We believe this reluctance remains high because current anonymization techniques are weak and one-size-fits-all, or better put, one size tries to fit all. We must develop standards and make anonymization available at varying levels, striking a balance between privacy and utility. Organizations have different needs and trust other organizations to different degrees. They must be able to map multiple anonymization levels with defined risks to the trust levels they share with (would-be) receivers. It is not until there are industry standards for multiple levels of anonymization that we will be able to move forward and achieve the goal of widespread sharing of logs for security researchers.
Comment: 17 pages, 1 figure
How representative are the measurement data of a honeynet?
For the early detection of critical network phenomena, many kinds of distributed sensor networks have been established and studied on the Internet in the past. We consider the phenomenon "distribution of malicious software on the network", which can be measured at individual points, for example with the InMAS sensor system. However, it has always been unclear how representative the data collected by such a sensor network are. This document describes a methodological framework with which measures of representativeness can be attached to measurements from malware sensor networks. Techniques from empirical social research were used as the methodological approach. The result is that a sensor network with at least 100 sensors randomly distributed over the network range appears necessary in order to make any reliable statements at all about the representativeness of sensor network measurements.
DDoS-Capable IoT Malwares: comparative analysis and Mirai Investigation
The Internet of Things (IoT) revolution has not only carried the astonishing promise to interconnect a whole generation of traditionally "dumb" devices, but also brought to the Internet the menace of billions of badly protected and easily hackable objects. Not surprisingly, this sudden flood of fresh and insecure devices fueled older threats, such as Distributed Denial of Service (DDoS) attacks. In this paper, we first propose an updated and comprehensive taxonomy of DDoS attacks, together with a number of examples of how this classification maps to real-world attacks. Then, we outline the current situation of DDoS-enabled malware in IoT networks, highlighting how recent data support our concerns about the growing popularity of this malware. Finally, we give a detailed analysis of the general framework and the operating principles of Mirai, the most disruptive DDoS-capable IoT malware seen so far.
An Innovative Signature Detection System for Polymorphic and Monomorphic Internet Worms Detection and Containment
Most current anti-worm systems and intrusion-detection systems use signature-based technology instead of anomaly-based technology. Signature-based technology can only detect known attacks with identified signatures. Existing anti-worm systems cannot detect unknown Internet scanning worms automatically because these systems do not depend upon worm behaviour but upon the worm's signature. Most detection algorithms used in current detection systems target only monomorphic worm payloads and offer no defence against polymorphic worms, which change their payload dynamically. Anomaly detection systems can detect unknown worms but usually suffer from a high false alarm rate. Detecting unknown worms is challenging, and the worm defence must be automated because worms spread quickly and can flood the Internet in a short time. This research proposes an accurate, robust and fast technique to detect and contain Internet worms (monomorphic and polymorphic). The detection technique uses specific failed-connection statuses on specific protocols, such as UDP, TCP, ICMP, TCP slow scanning and stealth scanning, as characteristics of the worms, whereas containment uses the flags and labels of the segment header together with the source and destination ports to generate the worms' traffic signature. Experiments using eight different worms (monomorphic and polymorphic) in a testbed environment were conducted to verify the performance of the proposed technique. The experimental results showed that the proposed technique could detect stealth scanning up to 30 times faster than the technique proposed by another researcher and had no false-positive alarms in any of the scanning detection cases. The experiments showed that the proposed technique was capable of containing the worm because of the uniqueness of the traffic signature.