176 research outputs found
An Analysis of Successful SQLIA for Future Evolutionary Prediction
Web applications are a fundamental component of the internet, many interact with backend databases. Securing web applications and their databases from hackers should be a top priority for cybersecurity researchers. Structured Query Language (SQL) injection attacks (SQLIA) constitute a significant threat to web applications. They can hijack the backend databases to steal personally identifiable information (PII), initiate scams, or launch more sophisticated cyberattacks. SQLIA has evolved since its conception in the early 2000s and will continue to do so in the coming years. This paper analyzes past literature and successful SQLIA from specific time periods to identify themes and methods used by security researchers and hackers. By extrapolating and interpreting the themes of both literature and effective SQLIA, trends can be identified, and a clearer understanding of the future of SQL injection can be defined to improve cybersecurity best practices
Analyzing audit trails in a distributed and hybrid intrusion detection platform
Efforts have been made over the last decades in order to design and perfect Intrusion
Detection Systems (IDS). In addition to the widespread use of Intrusion Prevention
Systems (IPS) as perimeter defense devices in systems and networks, various IDS solutions are used together as elements of holistic approaches to cyber security incident detection and prevention, including Network-Intrusion Detection Systems
(NIDS) and Host-Intrusion Detection Systems (HIDS). Nevertheless, specific IDS and
IPS technology face several effectiveness challenges to respond to the increasing scale and complexity of information systems and sophistication of attacks. The use of isolated IDS components, focused on one-dimensional approaches, strongly limits a common analysis based on evidence correlation. Today, most organizations’ cyber-security operations centers still rely on conventional SIEM (Security Information and Event Management) technology. However, SIEM platforms also have significant drawbacks in dealing with heterogeneous and specialized security event-sources, lacking the support for flexible and uniform multi-level analysis of security audit-trails involving distributed and heterogeneous systems.
In this thesis, we propose an auditing solution that leverages on different intrusion
detection components and synergistically combines them in a Distributed and Hybrid IDS (DHIDS) platform, taking advantage of their benefits while overcoming the effectiveness drawbacks of each one. In this approach, security events are detected
by multiple probes forming a pervasive, heterogeneous and distributed monitoring
environment spread over the network, integrating NIDS, HIDS and specialized Honeypot probing systems. Events from those heterogeneous sources are converted to a canonical representation format, and then conveyed through a Publish-Subscribe
middleware to a dedicated logging and auditing system, built on top of an elastic and
scalable document-oriented storage system. The aggregated events can then be queried and matched against suspicious attack signature patterns, by means of a proposed declarative query-language that provides event-correlation semantics
Web attack risk awareness with lessons learned from high interaction honeypots
Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2009Com a evolução da web 2.0, a maioria das empresas elabora negócios através da Internet usando aplicações web. Estas aplicações detêm dados importantes com requisitos cruciais como confidencialidade, integridade e disponibilidade. A perda destas propriedades influencia directamente o negócio colocando-o em risco. A percepção de risco providencia o necessário conhecimento de modo a agir para a sua mitigação. Nesta tese foi concretizada uma colecção de honeypots web de alta interacção utilizando diversas aplicações e sistemas operativos para analisar o comportamento do atacante. A utilização de ambientes de virtualização assim como ferramentas de monitorização de honeypots amplamente utilizadas providencia a informação forense necessária para ajudar a comunidade de investigação no estudo do modus operandi do atacante, armazenando os últimos exploits e ferramentas maliciosas, e a desenvolver as necessárias medidas de protecção que lidam com a maioria das técnicas de ataque. Utilizando a informação detalhada de ataque obtida com os honeypots web, o comportamento do atacante é classificado entre diferentes perfis de ataque para poderem ser analisadas as medidas de mitigação de risco que lidam com as perdas de negócio. Diferentes frameworks de segurança são analisadas para avaliar os benefícios que os conceitos básicos de segurança dos honeypots podem trazer na resposta aos requisitos de cada uma e a consequente mitigação de risco.With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties influences directly the business putting it at risk. Risk awareness provides the necessary know-how on how to act to achieve its mitigation. In this thesis a collection of high interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse the attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provide the necessary forensic information that helps the research community to study the modus operandi of the attacker gathering the latest exploits and malicious tools and to develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attacking information gathered with the web honeypots, the attacking behaviour will be classified across different attacking profiles to analyse the necessary risk mitigation safeguards to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypots security concepts in responding to each framework’s requirements and consequently mitigating the risk
A comparative study of teaching forensics at a university degree level
Computer forensics is a relatively young University discipline which has developed strongly in the United States and the United Kingdom but is still in its infancy in continental Europe. The national programmes and courses offered therefore differ in many ways. We report on two recently established degree programmes from two European countries: Great Britain and Germany. We present and compare the design of both programmes and conclude that they cover two complementary and orthogonal aspects of computer forensics education: (a) rigorous practical skills and (b) competence for fundamental research discoveries
Assessing and augmenting SCADA cyber security: a survey of techniques
SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisations and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system, to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker to determine weaknesses and loopholes in defences. Such mind sets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability
A Taxonomy-based Analysis of Attacks on Industrial Control Systems
Most critical infrastructure depends on industrial control and automation systems to manage their processes. However, industrial control and automation systems were found to have many vulnerabilities owing to their design. They were initially designed to operate as air-gapped systems. However, with the evolution and the expansion of the industry, they are increasingly being targeted by attackers. Thus, preventative methods must be implemented to minimize/ prevent ICSs from being compromised by patching the vulnerabilities and addressing possible attack vectors. In order to prepare to defend against forthcoming attacks on critical infrastructure, it is vital to understand how past attacks have been carried out. This study analyzed and cataloged cases of attacks against ICSs to form a taxonomy that can be used as a tool to analyze the nature of ICS attacks. The taxonomy developed by this study can aide interested parties to determine potential attack vectors an attacker may choose, based on the attributes discussed in the study. Moreover, this paper also serves as a resource for the interested parties to understand ICSs
Dempster-Shafer Evidence Combining for (Anti)-Honeypot Technologies
Honeypots are network surveillance architectures designed to resemble easy-to-compromise computer systems. They are deployed to trap hackers in order to help security professionals capture, control, and analyze malicious Internet attacks and other activities of hackers. A botnet is an army of compromised computers controlled by a bot herder and used for illicit financial gain. Botnets have become quite popular in recent Internet attacks. Since honeypots have been deployed in many defense systems, attackers constructing and maintaining botnets are forced to find ways to avoid honeypot traps. In fact, some researchers have even suggested equipping normal machines by misleading evidence so that they appear as honeypots in order to scare away rational attackers. In this paper, we address some aspects related to the problem of honeypot detection by botmasters. In particular, we show that current honeypot architectures and operation limitations may allow attackers to systematically collect, combine, and analyze evidence about the true nature of the machines they compromise. In particular, we show how a systematic technique for evidence combining such as Dempster-Shafer theory can allow botmasters to determine the true nature of compromised machines with a relatively high certainty. The obtained results demonstrate inherent limitations of current honeypot designs. We also aim to draw the attention of security professionals to work on enhancing the discussed features of honeypots in order to prevent them from being abused by botmasters
Security Analysis and Improvement Model for Web-based Applications
Today the web has become a major conduit for information. As the World Wide
Web?s popularity continues to increase, information security on the web has become an
increasing concern. Web information security is related to availability, confidentiality,
and data integrity. According to the reports from http://www.securityfocus.com in May
2006, operating systems account for 9% vulnerability, web-based software systems
account for 61% vulnerability, and other applications account for 30% vulnerability.
In this dissertation, I present a security analysis model using the Markov Process
Model. Risk analysis is conducted using fuzzy logic method and information entropy
theory. In a web-based application system, security risk is most related to the current
states in software systems and hardware systems, and independent of web application
system states in the past. Therefore, the web-based applications can be approximately
modeled by the Markov Process Model. The web-based applications can be conceptually
expressed in the discrete states of (web_client_good; web_server_good,
web_server_vulnerable, web_server_attacked, web_server_security_failed; database_server_good, database_server_vulnerable, database_server_attacked,
database_server_security_failed) as state space in the Markov Chain. The vulnerable
behavior and system response in the web-based applications are analyzed in this
dissertation. The analyses focus on functional availability-related aspects: the probability
of reaching a particular security failed state and the mean time to the security failure of a
system. Vulnerability risk index is classified in three levels as an indicator of the level of
security (low level, high level, and failed level). An illustrative application example is
provided. As the second objective of this dissertation, I propose a security improvement
model for the web-based applications using the GeoIP services in the formal methods. In
the security improvement model, web access is authenticated in role-based access control
using user logins, remote IP addresses, and physical locations as subject credentials to
combine with the requested objects and privilege modes. Access control algorithms are
developed for subjects, objects, and access privileges. A secure implementation
architecture is presented. In summary, the dissertation has developed security analysis
and improvement model for the web-based application. Future work will address Markov
Process Model validation when security data collection becomes easy. Security
improvement model will be evaluated in performance aspect
- …