343 research outputs found
TRIDEnT: Building Decentralized Incentives for Collaborative Security
Sophisticated mass attacks, especially when exploiting zero-day
vulnerabilities, have the potential to cause destructive damage to
organizations and critical infrastructure. To timely detect and contain such
attacks, collaboration among the defenders is critical. By correlating
real-time detection information (alerts) from multiple sources (collaborative
intrusion detection), defenders can detect attacks and take the appropriate
defensive measures in time. However, although the technical tools to facilitate
collaboration exist, real-world adoption of such collaborative security
mechanisms is still underwhelming. This is largely due to a lack of trust and
participation incentives for companies and organizations. This paper proposes
TRIDEnT, a novel collaborative platform that aims to enable and incentivize
parties to exchange network alert data, thus increasing their overall detection
capabilities. TRIDEnT allows parties that may be in a competitive relationship,
to selectively advertise, sell and acquire security alerts in the form of
(near) real-time peer-to-peer streams. To validate the basic principles behind
TRIDEnT, we present an intuitive game-theoretic model of alert sharing, that is
of independent interest, and show that collaboration is bound to take place
infinitely often. Furthermore, to demonstrate the feasibility of our approach,
we instantiate our design in a decentralized manner using Ethereum smart
contracts and provide a fully functional prototype.
Comment: 28 page
Analyzing IDS botnets detection
Double-degree master's thesis with UTFPR - Universidade Tecnológica Federal do Paraná
In a world that is increasingly connected, with equipment permanently attached to networks, cybersecurity risk has risen. Among the various vulnerabilities and forms of exploitation, botnets are the ones addressed in this work. The number of botnet-related infections has grown critically and, because of botnets' increased capacity and potential use for future infections, continued development of solutions is needed to strengthen the protection of networks and systems. Intrusion Detection Systems (IDS) are one of the solutions that try to keep pace with this evolution. The continuous evolution of tools and attack forms designed to evade detection, using mechanisms such as encryption (IPSec, SSL), diverse architectures and different ways of implementing botnets, creates great challenges for those who try to detect them. In order to better understand these challenges, this work proposes an architecture to map the behavior of botnets. For this, a topology was created with several components, such as a Network Intrusion Detection System (NIDS) and a Host Intrusion Detection System (HIDS), aided by information from honeypots for the detection and analysis of attacks. This approach made it possible to obtain real data from malware infection attempts, some of them successful, whose aim was to turn systems into bots and integrate them into botnets. An exploratory analysis of the data is performed to verify the detection capabilities and the cases where the components do not provide correct information. Some machine-learning-based methods were also used
to process and analyze the collected data.
ANALYSIS OF BOTNET CLASSIFICATION AND DETECTION BASED ON C&C CHANNEL
A botnet is a serious threat to cybersecurity. A bot is a program that enters a computer and performs attacks such as DDoS on the attacker's command. Botnets are designed to extract confidential information from network channels such as a LAN, a peer network or the Internet. They act on the attacker's intention through a Command & Control (C&C) channel, through which the attacker can control the whole network and carry out illegal activities such as identity theft, unauthorized logins and fraudulent money transactions. Thus, for security reasons, it is very important to understand botnet behavior and study its countermeasures. This thesis draws together the main ideas of network anomaly, botnet behavior, botnet taxonomy, well-known botnet attacks and detection processes.
Based on network protocols, botnets are mainly of 3 types: IRC, HTTP, and P2P botnets. The behavior, vulnerabilities, and detection processes of all 3 types are explained individually, with examples, in the upcoming chapters. In short, an IRC botnet refers to the early botnets that used chat and messaging protocols, an HTTP botnet uses web browsing and domains, and a P2P botnet uses a peer network, i.e. decentralized servers. Each botnet's design, target, infection and spreading mechanism can differ from the others. For instance, IRC botnets are targeted at small-environment attacks, whereas HTTP and P2P botnets are built for huge network traffic. Furthermore, the detection techniques and algorithm filtration processes also differ among them. Based on the behavior of these individual botnets, many research papers have analyzed numerous botnet detection techniques such as graph-based structures, clustering algorithms and so on. Thus, this thesis also analyzes popular detection mechanisms, C&C channels, botnet working patterns, recorded datasets, results and false positive rates of bots prominently found in IRC, HTTP and P2P botnets.
The research area covers C&C channels, botnet behavior, domain browsing, IRC, algorithms, intrusion detection, network and peer communication, security and test results. The research articles were gathered from scientific books, online sources and the University of Turku library.
A Holistic Approach to Service Survivability
We present SABER (Survivability Architecture: Block, Evade, React), a proposed survivability architecture that blocks, evades and reacts to a variety of attacks by using several security and survivability mechanisms in an automated and coordinated fashion. Contrary to the ad hoc manner in which contemporary survivable systems are built, using isolated, independent security mechanisms such as firewalls, intrusion detection systems and software sandboxes, SABER integrates several different technologies in an attempt to provide a unified framework for responding to the wide range of attacks that malicious insiders and outsiders can launch. This coordinated multi-layer approach will be capable of defending against attacks targeted at various levels of the network stack, such as congestion-based DoS attacks, software-based DoS or code-injection attacks, and others. Our fundamental insight is that while multiple lines of defense are useful, most conventional, uncoordinated approaches fail to exploit the full range of available responses to incidents. By coordinating the response, the ability to survive even in the face of successful security breaches increases substantially. We discuss the key components of SABER, how they will be integrated, and how we can leverage the promising results of the individual components to improve survivability in a variety of coordinated attack scenarios. SABER is currently in the prototyping stages, with several interesting open research topics.
From Intrusion Detection to Attacker Attribution: A Comprehensive Survey of Unsupervised Methods
Over the last five years there has been an increase in the frequency and diversity of network attacks. This holds true, as more and more organisations admit compromises on a daily basis. Many misuse- and anomaly-based Intrusion Detection Systems (IDSs) that rely on signatures, supervised or statistical methods have been proposed in the literature, but their trustworthiness is debatable. Moreover, as this work uncovers, current IDSs are based on obsolete attack classes that do not reflect current attack trends. For these reasons, this paper provides a comprehensive overview of unsupervised and hybrid methods for intrusion detection, discussing their potential in the domain. We also present and highlight the importance of feature engineering techniques that have been proposed for intrusion detection. Furthermore, we argue that current IDSs should evolve from simple detection to correlation and attribution. We discuss how IDS data could be used to reconstruct and correlate attacks to identify attackers, with the use of advanced data analytics techniques. Finally, we argue how the present IDS attack classes can be extended to match modern attacks and propose three new classes regarding outgoing network communication.
SIEM-based detection and mitigation of IoT-botnet DDoS attacks
The Internet of Things (IoT) is becoming an integral part of our daily life, including health, the environment, homes, the military, etc. The enormous growth of IoT in recent years has attracted attackers who take advantage of the devices' computation and communication capabilities to perform different types of attacks. The major concern is that IoT devices have several vulnerabilities that can be easily exploited to form IoT botnets consisting of millions of IoT devices, posing significant threats to Internet security. In this context, DDoS attacks originating from IoT botnets are a major problem in today's Internet that requires immediate attention. In this paper, we propose a Security Information and Event Management (SIEM)-based IoT botnet DDoS attack detection and mitigation system. This system detects and blocks DDoS attack traffic from compromised IoT devices by monitoring specific packet types, including TCP SYN, ICMP and DNS packets, originating from these devices. We discuss a prototype implementation of the proposed system and demonstrate that SIEM-based solutions can be configured to accurately identify and block malicious traffic originating from compromised IoT devices.
Cybersecurity of Digital Service Chains
This open access book presents the main scientific results from the H2020 GUARD project. The GUARD project aims at filling the current technological gap between software management paradigms and cybersecurity models, the latter still lacking the orchestration and agility needed to effectively address the dynamicity of the former. This book provides a comprehensive review of the main concepts, architectures, algorithms, and non-technical aspects developed during three years of investigation; the description of the Smart Mobility use case developed at the end of the project gives a practical example of how the GUARD platform and related technologies can be deployed in real scenarios. We expect the book to be of interest to the broad group of researchers, engineers, and professionals who daily experience the inadequacy of outdated cybersecurity models for modern computing environments and cyber-physical systems.