Fingerprinting Internet DNS Amplification DDoS Activities
This work proposes a novel approach to infer and characterize Internet-scale
DNS amplification DDoS attacks by leveraging the darknet space. Complementary
to the pioneering work on inferring Distributed Denial of Service (DDoS)
activities using darknet data, this work shows that DDoS activities can be extracted
without relying on backscatter analysis. The aim of this work is to extract
cyber security intelligence related to DNS amplification DDoS activities, such
as detection period, attack duration, intensity, packet size, rate and
geo-location, in addition to various network-layer and flow-based insights. To
achieve this task, the proposed approach exploits certain DDoS parameters to
detect the attacks. We empirically evaluate the proposed approach using 720 GB
of real darknet data collected from a /13 address space during a recent
three-month period. Our analysis reveals that the approach was successful in
inferring significant DNS amplification DDoS activities, including the recent
prominent attack that targeted one of the largest anti-spam organizations.
Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS
attacks. Further, the results uncover high-speed and stealthy attempts that
were never previously documented. The case study of the largest DDoS attack in
history led to a better understanding of the nature and scale of this threat
and can generate inferences that could contribute to detecting, preventing,
assessing, mitigating and even attributing DNS amplification DDoS
activities.
Comment: 5 pages, 2 figures
How Do Tor Users Interact With Onion Services?
Onion services are anonymous network services that are exposed over the Tor
network. In contrast to conventional Internet services, onion services are
private, generally not indexed by search engines, and use self-certifying
domain names that are long and difficult for humans to read. In this paper, we
study how people perceive, understand, and use onion services based on data
from 17 semi-structured interviews and an online survey of 517 users. We find
that users have an incomplete mental model of onion services, use these
services for anonymity, and have varying trust in onion services in general.
Users also have difficulty discovering and tracking onion sites and
authenticating them. Finally, users want technical improvements to onion
services and better information on how to use them. Our findings suggest
various improvements for the security and usability of Tor onion services,
including ways to automatically detect phishing of onion services, clearer
security indicators, and ways to manage onion domain names that are difficult
to remember.
Comment: Appeared in USENIX Security Symposium 201
Mining Unclassified Traffic Using Automatic Clustering Techniques
In this paper we present a fully unsupervised algorithm to identify classes of traffic inside an aggregate. The algorithm leverages the K-means clustering algorithm, augmented with a mechanism to automatically determine the number of traffic clusters. The signatures used for clustering are statistical representations of the application-layer protocols. The proposed technique is extensively tested on UDP traffic traces collected from operational networks. Performance tests show that it can cluster the traffic into a few tens of pure clusters, achieving an accuracy above 95%. Results are promising and suggest that the proposed approach might effectively be used for automatic traffic monitoring, e.g., to identify the birth of new applications and protocols, or the presence of anomalous or unexpected traffic.
KISS: Stochastic Packet Inspection Classifier for UDP Traffic
This paper proposes KISS, a novel Internet classification engine. Motivated by the expected rise of UDP traffic, which stems from the momentum of Peer-to-Peer (P2P) streaming applications, we propose a novel classification framework that leverages statistical characterization of payload. Statistical signatures are derived by means of a Chi-Square-like test, which extracts the protocol "format" but ignores the protocol "semantic" and "synchronization" rules. The signatures feed a decision process based either on the geometric distance among samples or on Support Vector Machines. KISS is very accurate, and its signatures are intrinsically robust to packet sampling, reordering, and flow asymmetry, so that it can be used on almost any network. KISS is tested in different scenarios, considering traditional client-server protocols, VoIP, and both traditional and new P2P Internet applications. Results are astonishing. The average True Positive percentage is 99.6%, with the worst case equal to 98.1%, while results are almost perfect when dealing with new P2P streaming applications.
Structures in magnetohydrodynamic turbulence: detection and scaling
We present a systematic analysis of statistical properties of turbulent
current and vorticity structures at a given time using cluster analysis. The
data stems from numerical simulations of decaying three-dimensional (3D)
magnetohydrodynamic turbulence in the absence of an imposed uniform magnetic
field; the magnetic Prandtl number is taken equal to unity, and we use a
periodic box with grids of up to 1536^3 points, and with Taylor Reynolds
numbers up to 1100. The initial conditions are either an X-point configuration
embedded in 3D, the so-called Orszag-Tang vortex, or an
Arnold-Beltrami-Childress configuration with a fully helical velocity and
magnetic field. In each case two snapshots are analyzed, separated by one
turn-over time, starting just after the peak of dissipation. We show that the
algorithm is able to select a large number of structures (in excess of 8,000)
for each snapshot and that the statistical properties of these clusters are
remarkably similar for the two snapshots as well as for the two flows under
study in terms of scaling laws for the cluster characteristics, with the
structures in the vorticity and in the current behaving in the same way. We
also study the effect of Reynolds number on cluster statistics, and we finally
analyze the properties of these clusters in terms of their velocity-magnetic
field correlation. Self-organized criticality features have been identified in
the dissipative range of scales. A different scaling arises in the inertial
range, which cannot be identified for the moment with a known self-organized
criticality class consistent with MHD. We suggest that this range can be
governed by turbulence dynamics as opposed to criticality, and propose an
interpretation of intermittency in terms of propagation of local instabilities.
Comment: 17 pages, 9 figures, 5 tables
Site Characterization Using Integrated Imaging Analysis Methods on Satellite Data of the Islamabad, Pakistan, Region
We develop an integrated digital imaging analysis approach to produce a first-approximation site characterization map for Islamabad, Pakistan, based on remote-sensing data. We apply both pixel-based and object-oriented digital imaging analysis methods to characterize detailed (1:50,000) geomorphology and geology from Advanced Spaceborne Thermal Emission and Reflection Radiometer (ASTER) satellite imagery. We use stereo-correlated relative digital elevation models (rDEMs) derived from ASTER data, as well as spectra in the visible near-infrared (VNIR) to thermal infrared (TIR) domains. The resulting geomorphic units in the study area are classified as mountain (including the Margala Hills and the Khairi Murat Ridge), piedmont, and basin terrain units. The local geologic units are classified as limestone in the Margala Hills and the Khairi Murat Ridge and sandstone rock types for the piedmonts and basins. Shear-wave velocities for these units are assigned in ranges based on established correlations in California. These ranges include Vs30 values greater than 500 m/sec for mountain units, 200–600 m/sec for piedmont units, and less than 300 m/sec for basin units. While the resulting map provides the basis for incorporating site response in an assessment of seismic hazard for Islamabad, it also demonstrates the potential use of remote-sensing data for site characterization in regions where only limited conventional mapping has been done.
A Streamwise Constant Model of Turbulence in Plane Couette Flow
Streamwise and quasi-streamwise elongated structures have been shown to play
a significant role in turbulent shear flows. We model the mean behavior of
fully turbulent plane Couette flow using a streamwise constant projection of
the Navier-Stokes equations. This results in a two-dimensional, three velocity
component () model. We first use a steady state version of the model to
demonstrate that its nonlinear coupling provides the mathematical mechanism
that shapes the turbulent velocity profile. Simulations of the model
under small amplitude Gaussian forcing of the cross-stream components are
compared to DNS data. The results indicate that a streamwise constant
projection of the Navier-Stokes equations captures salient features of fully
turbulent plane Couette flow at low Reynolds numbers. A system theoretic
approach is used to demonstrate the presence of large input-output
amplification through the forced model. It is this amplification,
coupled with the appropriate nonlinearity, that enables the model to
generate turbulent behaviour under the small amplitude forcing employed in this
study.
Comment: Journal of Fluid Mechanics 2010, in press