445 research outputs found
DDoS Attacks with Randomized Traffic Innovation: Botnet Identification Challenges and Strategies
Distributed Denial-of-Service (DDoS) attacks are usually launched through the
, an "army" of compromised nodes hidden in the network. Inferential
tools for DDoS mitigation should accordingly enable an early and reliable
discrimination of the normal users from the compromised ones. Unfortunately,
the recent emergence of attacks performed at the application layer has
multiplied the number of possibilities that a botnet can exploit to conceal its
malicious activities. New challenges arise, which cannot be addressed by simply
borrowing the tools that have been successfully applied so far to earlier DDoS
paradigms. In this work, we offer basically three contributions: we
introduce an abstract model for the aforementioned class of attacks, where the
botnet emulates normal traffic by continually learning admissible patterns from
the environment; we devise an inference algorithm that is shown to
provide a consistent (i.e., converging to the true solution as time progresses)
estimate of the botnet possibly hidden in the network; and we verify the
validity of the proposed inferential strategy over network traces.Comment: Submitted for publicatio
An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA)
The proliferation of insecure Internet-connected devices gave rise to the IoT botnets which can grow very large rapidly and may perform high-impact cyber-attacks. The related studies for tackling IoT botnets are concerned with either capturing or analyzing IoT botnet samples, using honeypots and sandboxes, respectively. The lack of integration between the two implies that the samples captured by the honeypots must be manually submitted for analysis in sandboxes, introducing a delay during which a botnet may change its operation. Furthermore, the effectiveness of the proposed sandboxes is limited by the potential use of anti-analysis techniques and the inability to identify features for effective detection and identification of IoT botnets. In this paper, we propose and evaluate a novel framework, the IoT-BDA framework, for automated capturing, analysis, identification, and reporting of IoT botnets. The framework consists of honeypots integrated with a novel sandbox that supports a wider range of hardware and software configurations, and can identify indicators of compromise and attack, along with anti-analysis, persistence, and anti-forensics techniques. These features can make botnet detection and analysis, and infection remedy more effective. The framework reports the findings to a blacklist and abuse service to facilitate botnet suspension. The paper also describes the discovered anti-honeypot techniques and the measures applied to reduce the risk of honeypot detection. Over the period of seven months, the framework captured, analyzed, and reported 4077 unique IoT botnet samples. The analysis results show that some IoT botnets used anti-analysis, persistence, and anti-forensics techniques typically seen in traditional botnets
Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data
Recent years have seen the rise of more sophisticated attacks including
advanced persistent threats (APTs) which pose severe risks to organizations and
governments by targeting confidential proprietary information. Additionally,
new malware strains are appearing at a higher rate than ever before. Since many
of these malware are designed to evade existing security products, traditional
defenses deployed by most enterprises today, e.g., anti-virus, firewalls,
intrusion detection systems, often fail at detecting infections at an early
stage.
We address the problem of detecting early-stage infection in an enterprise
setting by proposing a new framework based on belief propagation inspired from
graph theory. Belief propagation can be used either with "seeds" of compromised
hosts or malicious domains (provided by the enterprise security operation
center -- SOC) or without any seeds. In the latter case we develop a detector
of C&C communication particularly tailored to enterprises which can detect a
stealthy compromise of only a single host communicating with the C&C server.
We demonstrate that our techniques perform well on detecting enterprise
infections. We achieve high accuracy with low false detection and false
negative rates on two months of anonymized DNS logs released by Los Alamos
National Lab (LANL), which include APT infection attacks simulated by LANL
domain experts. We also apply our algorithms to 38TB of real-world web proxy
logs collected at the border of a large enterprise. Through careful manual
investigation in collaboration with the enterprise SOC, we show that our
techniques identified hundreds of malicious domains overlooked by
state-of-the-art security products
Discovering Command and Control Channels Using Reinforcement Learning
Command and control (C2) paths for issuing commands to malware are sometimes
the only indicators of its existence within networks. Identifying potential C2
channels is often a manually driven process that involves a deep understanding
of cyber tradecraft. Efforts to improve discovery of these channels through
using a reinforcement learning (RL) based approach that learns to automatically
carry out C2 attack campaigns on large networks, where multiple defense layers
are in place serves to drive efficiency for network operators. In this paper,
we model C2 traffic flow as a three-stage process and formulate it as a Markov
decision process (MDP) with the objective to maximize the number of valuable
hosts whose data is exfiltrated. The approach also specifically models payload
and defense mechanisms such as firewalls which is a novel contribution. The
attack paths learned by the RL agent can in turn help the blue team identify
high-priority vulnerabilities and develop improved defense strategies. The
method is evaluated on a large network with more than a thousand hosts and the
results demonstrate that the agent can effectively learn attack paths while
avoiding firewalls.Comment: SoutheastCon 2023. IEEE, 202
Toward Network-based DDoS Detection in Software-defined Networks
To combat susceptibility of modern computing systems to cyberattack, identifying and disrupting malicious traffic without human intervention is essential. To accomplish this, three main tasks for an effective intrusion detection system have been identified: monitor network traffic, categorize and identify anomalous behavior in near real time, and take appropriate action against the identified threat. This system leverages distributed SDN architecture and the principles of Artificial Immune Systems and Self-Organizing Maps to build a network-based intrusion detection system capable of detecting and terminating DDoS attacks in progress
- …