Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

Open issues in differentiating misbehavior and anomalies for VANETs

This position paper proposes new challenges in data-centric misbehavior detection for vehicular ad-hoc networks (VANETs). In VANETs, which aim to improve safety and efficiency of road transportation by enabling communication between vehicles, an important challenge is how vehicles can be certain that messages they receive are correct. Incorrectness of messages may be caused by malicious participants, damaged sensors, delayed messages or they may be triggered by software bugs. An essential point is that due to the wide deployment in these networks, we cannot assume that all vehicles will behave correctly. This effect is stronger due to the privacy requirements, as those requirements include multiple certificates per vehicle to hide its identity. To detect these incorrect messages, the research community has developed misbehavior data-centric detection mechanisms, which attempt to recognize the messages by semantically analyzing the content. The detection of anomalous messages can be used to detect and eventually revoke the certificate of the sender, if the message was malicious. However, this approach is made difficult by rare events –such as accidents–, which are essentially anomalous messages that may trigger the detection mechanisms. The idea we wish to explore in this paper is how attack detection may be improved by also considering the detection of specific types of anomalous events, such as accidents

Performance Evaluation of Network Anomaly Detection Systems

Nowadays, there is a huge and growing concern about security in information and communication technology (ICT) among the scientific community because any attack or anomaly in the network can greatly affect many domains such as national security, private data storage, social welfare, economic issues, and so on. Therefore, the anomaly detection domain is a broad research area, and many different techniques and approaches for this purpose have emerged through the years. Attacks, problems, and internal failures when not detected early may badly harm an entire Network system. Thus, this thesis presents an autonomous profile-based anomaly detection system based on the statistical method Principal Component Analysis (PCADS-AD). This approach creates a network profile called Digital Signature of Network Segment using Flow Analysis (DSNSF) that denotes the predicted normal behavior of a network traffic activity through historical data analysis. That digital signature is used as a threshold for volume anomaly detection to detect disparities in the normal traffic trend. The proposed system uses seven traffic flow attributes: Bits, Packets and Number of Flows to detect problems, and Source and Destination IP addresses and Ports, to provides the network administrator necessary information to solve them. Via evaluation techniques, addition of a different anomaly detection approach, and comparisons to other methods performed in this thesis using real network traffic data, results showed good traffic prediction by the DSNSF and encouraging false alarm generation and detection accuracy on the detection schema. The observed results seek to contribute to the advance of the state of the art in methods and strategies for anomaly detection that aim to surpass some challenges that emerge from the constant growth in complexity, speed and size of today’s large scale networks, also providing high-value results for a better detection in real time.Atualmente, existe uma enorme e crescente preocupação com segurança em tecnologia da informação e comunicação (TIC) entre a comunidade científica. Isto porque qualquer ataque ou anomalia na rede pode afetar a qualidade, interoperabilidade, disponibilidade, e integridade em muitos domínios, como segurança nacional, armazenamento de dados privados, bem-estar social, questões econômicas, e assim por diante. Portanto, a deteção de anomalias é uma ampla área de pesquisa, e muitas técnicas e abordagens diferentes para esse propósito surgiram ao longo dos anos. Ataques, problemas e falhas internas quando não detetados precocemente podem prejudicar gravemente todo um sistema de rede. Assim, esta Tese apresenta um sistema autônomo de deteção de anomalias baseado em perfil utilizando o método estatístico Análise de Componentes Principais (PCADS-AD). Essa abordagem cria um perfil de rede chamado Assinatura Digital do Segmento de Rede usando Análise de Fluxos (DSNSF) que denota o comportamento normal previsto de uma atividade de tráfego de rede por meio da análise de dados históricos. Essa assinatura digital é utilizada como um limiar para deteção de anomalia de volume e identificar disparidades na tendência de tráfego normal. O sistema proposto utiliza sete atributos de fluxo de tráfego: bits, pacotes e número de fluxos para detetar problemas, além de endereços IP e portas de origem e destino para fornecer ao administrador de rede as informações necessárias para resolvê-los. Por meio da utilização de métricas de avaliação, do acrescimento de uma abordagem de deteção distinta da proposta principal e comparações com outros métodos realizados nesta tese usando dados reais de tráfego de rede, os resultados mostraram boas previsões de tráfego pelo DSNSF e resultados encorajadores quanto a geração de alarmes falsos e precisão de deteção. Com os resultados observados nesta tese, este trabalho de doutoramento busca contribuir para o avanço do estado da arte em métodos e estratégias de deteção de anomalias, visando superar alguns desafios que emergem do constante crescimento em complexidade, velocidade e tamanho das redes de grande porte da atualidade, proporcionando também alta performance. Ainda, a baixa complexidade e agilidade do sistema proposto contribuem para que possa ser aplicado a deteção em tempo real

A Method for Malicious Network Packet Detection based on Anomalous TTL Values

In the current digital age, a pervasive shift towards digitalization is evident in all aspects of life, encompassing entertainment, education, business, and more. Consequently, the demand for internet access has surged, paralleled therefore unfortunate escalation in cybercrimes. This study undertakes an exploration into the intrinsic nature of network packets, aiming to discern their potential for malice or legitimacy. In the internet, 32 intermediate nodes are encountered by a Network packet before it reaches its final host. Our findings suggest that the time-to-live (TTL) parameter in certain IP packets diverges from the initial TTL by more than 32 intermediary hops. It's likely that these packets are generated by specialized software. We anticipate that malicious IP packets exhibit unconventional TTL values, influenced by factors such as the source machine's operating system and protocols like TCP/ICMP/UDP, etc. To gauge the effectiveness and value of the proposed method, an experiment was conducted utilizing the SNORT NIDS system. Filtering rules based on signatures were formulated to thoroughly analyze the traffic. Real network data, along with DARPA and MACCDC 2012 datasets, were employed as inputs for the SNORT NIDS, and it has been observed that the suggested approach successfully detects the anomalous network packets

A Machine Learning Approach for Prediction of Signaling SIP Dialogs

POCI-01-0145-FEDER-030433 LISBOA-01-0145-FEDER-0307095 UIDB/EEA/50008/2020In this paper, we propose a machine learning methodology for prediction of signaling sessions established with the Session Initiation Protocol (SIP). Given the increasing importance of predicting and detecting abnormal sequences of SIP messages to avoid SIP signaling-based attacks, we first propose a Bayesian inference method capable of representing the statistical relation between a SIP message, observed by a SIP user agent or a SIP server, and prior trustworthy SIP dialogs. The Bayesian inference method, a Hidden Markov Model (HMM) enriched with $n-$ gram Markov observations, is updated over time, so the inference can be used in real-time. The HMM is then used for predicting and detecting SIP dialogs through a lightweight implementation of Viterbi algorithm for sparse state spaces. Experimental results are also reported, where a SIP dataset representing prior information collected by a SIP user agent and/or a SIP server is used to predict or detect if a received sequence of SIP messages is legitimate according to similar SIP dialogs already observed. Finally, we discuss the results obtained for a dataset of abnormal SIP sequences, not observed during the inference stage, showing the effective utility of the proposed methodology to detect abnormal SIP sequences in a short period of time.publishersversionpublishe