
    Economic Factors of Vulnerability Trade and Exploitation

    Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists of the economics of attack acquisition and deployment. Yet this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation and the effects of market factors on the likelihood of exploitation. Our data is collected first-hand from a prominent Russian cybercrime market where the most active attack tools reported by the security industry are traded. Our findings reveal that exploits in the underground are priced similarly to or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on the likelihood of attack realization, and find strong evidence of a correlation between market activity and exploit deployment. We discuss implications for vulnerability metrics, economics, and exploit measurement.
    Comment: 17 pages, 11 figures, 14 tables

    Classification, testing and optimization of intrusion detection systems

    Modern network security products vary greatly in their underlying technology and architecture. Since the introduction of intrusion detection decades ago, intrusion detection technologies have continued to evolve rapidly. This rapid change has led to the introduction of a wealth of security devices, technologies and algorithms that perform functions originally associated with intrusion detection systems. This thesis offers an analysis of intrusion detection technologies, proposing a new classification system for intrusion detection systems. Working closely with the development of a new intrusion detection product, this thesis introduces a method of testing related technologies in a production environment by outlining and executing a series of denial of service and scan-and-probe attacks. Based on the findings of these experiments, a series of enhancements to the core intrusion detection product is introduced to improve its capabilities and adapt it to the modern needs of security products.

    Penetration testing applied to 5G Core Network

    5G networks are nowadays a widely used technology, rapidly spreading all over the world, driven by a real need for flexibility and scalability of resources and by the continuous demands of users. This thesis analyses the 5G Core from the security point of view, checking for any kind of vulnerabilities and weaknesses that can be exploited by malicious users. It first presents the analysis of each of the available Cores individually, and then a comparison between three open source 5G Cores: Open5GS, free5GC and OpenAirInterface, looking for similarities, security flaws and everything that can justify choosing one of these Cores over the others. The idea is that, at the end of this analysis, we should render an opinion regarding which one of the three is the best in terms of Confidentiality, Integrity and Availability, also providing countermeasures for each of the weaknesses found.

    Graceful Degradation in IoT Security

    As the consumer-grade IoT device industry advances, personal privacy is constantly eroded for the sake of convenience. Current security solutions, although available, ignore convenience by requiring the purchase of additional hardware, implementing confusing, out-of-scope updates for a non-technical user, or quarantining a device, rendering it useless. This paper proposes a solution that simultaneously maintains convenience and privacy, tailored for the Internet of Things. We propose a novel graceful degradation technique which targets individual device functionalities for acceptance or denial at the network level. When combined with current anomaly detection and fingerprinting methods, graceful degradation provides a personalized IoT security solution for the modern user.

    Autoencoder-Based Representation Learning to Predict Anomalies in Computer Networks

    With the recent advances in Internet-of-Things (IoT) devices, cloud-based services, and diversity in network data, there has been a growing need for sophisticated anomaly detection algorithms within the network intrusion detection system (NIDS) that can tackle advanced network threats. Advances in deep learning and machine learning (ML) have been garnering considerable interest among researchers since they have the capacity to provide a solution to advanced threats such as the zero-day attack. An Intrusion Detection System (IDS) is the first line of defense against network-based attacks compared to other traditional technologies, such as firewall systems. This report adds to the existing approaches by proposing a novel strategy to incorporate both supervised and unsupervised learning into Intrusion Detection Systems (IDS). Specifically, the study utilizes a deep Autoencoder (DAE) as a dimensionality reduction tool and a Support Vector Machine (SVM) as a classifier to perform anomaly-based classification. The study differs from other similar studies by performing a thorough analysis of deep autoencoders as a valid non-linear dimensionality reduction tool, comparing them against Principal Component Analysis (PCA) and tuning hyperparameters that optimize for the 'F-1 Micro' score and 'Balanced Accuracy', since we are dealing with a dataset with imbalanced classes. The study employs robust analysis tools such as Precision-Recall Curves, Average-Precision score, Train-Test Times, t-SNE, Grid Search, and L1/L2 regularization. Our model is trained and tested on the publicly available datasets KDDTrain+ and KDDTest+.

    Statistical methods used for intrusion detection

    Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2006. Includes bibliographical references (leaves: 58-64). Text in English; Abstract: Turkish and English. x, 71 leaves.
    Computer networks are being attacked every day. Intrusion detection systems are used to detect and reduce the effects of these attacks. Signature-based intrusion detection systems can only identify known attacks and are ineffective against novel and unknown attacks. Intrusion detection using anomaly detection aims to detect unknown attacks, and there exist algorithms developed for this goal. In this study, the performance of five anomaly detection algorithms and a signature-based intrusion detection system is demonstrated on synthetic and real data sets. A portion of the attacks are detected using Snort and the SPADE algorithm. PHAD and the other algorithms could not detect a considerable portion of the attacks in the tests due to a lack of sufficiently long training data.

    An enhanced view of incidence functions for applying graph theory to modeling network intrusions


    A Framework for the Design of IoT/IIoT/CPS Honeypots
