Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report.
Fast-Flux Botnet Detection Based on Traffic Response and Search Engines Credit Worthiness
Botnets are considered one of the primary threats on the Internet, and there have been many research efforts to detect and mitigate them. Today, botnets use a DNS technique called fast-flux to hide malware sites behind a constantly changing network of compromised hosts. The technique resembles the legitimate Round Robin DNS technique and Content Delivery Networks (CDNs). Different techniques have been developed, with more or less success, to distinguish normal network traffic from botnet traffic. The aim of this paper is to improve botnet detection using an Intrusion Detection System (IDS) or router. A novel classification method for online botnet detection is presented, based on DNS traffic features that distinguish botnet traffic from CDN-based traffic. Botnet features are classified according to whether they can be used and implemented in an embedded system. Traffic response is analysed as a strong candidate for online detection; its disadvantage lies in specific cases where a CDN behaves like a botnet. A new feature based on search engine hits is proposed to reduce false positives. The experimental evaluations show that the proposed classification could significantly improve botnet detection. A procedure is suggested to implement such a system as part of an IDS.
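To make the two-stage idea concrete, the following Python is an added example written for this listing, not the paper's code. It scores repeated A-record lookups of one domain on traffic-response features (short TTL, many distinct IPs, IPs scattered across many networks, churn between lookups) and then subtracts credit for a domain with many search-engine hits. The thresholds, the use of /16 prefixes as a stand-in for ASN spread, the name `search_hits`, and all DNS answers (drawn from private address ranges) are assumptions constructed for illustration; in the paper the search-engine count is looked up online, here the caller supplies it.

```python
"""Fast-flux vs. CDN scoring over successive DNS A-record responses.

Added example, not the paper's code. Thresholds, the /16 prefix proxy for
network spread, and the sample answers below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class DnsResponse:
    """One A-record answer for the domain under study: TTL in seconds, returned IPs."""
    ttl: int
    addresses: Tuple[str, ...]


def distinct_prefixes(addresses, prefix_bits: int = 16) -> int:
    """Count distinct /prefix_bits networks among the addresses.

    A cheap stand-in for 'how many ASNs': compromised residential hosts scatter
    across unrelated networks, while a small CDN answers from its own blocks.
    """
    return len({int(IPv4Address(a)) >> (32 - prefix_bits) for a in addresses})


def traffic_response_features(responses: Sequence[DnsResponse]) -> Dict[str, float]:
    """Traffic-response features computed from repeated lookups of one domain."""
    seen = set()
    for r in responses:
        seen.update(r.addresses)
    # churn: average fraction of a response's addresses absent from the previous response
    churn = 0.0
    for prev, cur in zip(responses, responses[1:]):
        churn += len(set(cur.addresses) - set(prev.addresses)) / len(cur.addresses)
    churn /= max(1, len(responses) - 1)
    return {
        "min_ttl": min(r.ttl for r in responses),
        "unique_ips": len(seen),
        "prefixes": distinct_prefixes(seen),
        "churn": churn,
    }


def fast_flux_score(features: Dict[str, float], search_hits: int) -> int:
    """Additive score from traffic indicators, minus credit for a well-indexed domain.

    search_hits is the number of search-engine results for the domain (assumed
    input; the paper queries a search engine, this example takes the count as given).
    """
    score = 0
    score += int(features["min_ttl"] <= 300)    # short TTL forces clients to re-resolve often
    score += int(features["unique_ips"] >= 8)   # many distinct hosts behind one name
    score += int(features["prefixes"] >= 4)     # hosts spread across unrelated networks
    score += int(features["churn"] >= 0.5)      # answer set keeps changing between lookups
    if search_hits >= 1000:                     # established, indexed domain earns credit
        score -= 2
    return score


def classify(responses: Sequence[DnsResponse], search_hits: int, threshold: int = 3) -> str:
    """Label a domain 'fast-flux' when its score reaches the threshold, else 'benign'."""
    score = fast_flux_score(traffic_response_features(responses), search_hits)
    return "fast-flux" if score >= threshold else "benign"


# Constructed samples (RFC 1918 addresses, not real observations).
# Fast-flux: moderate TTL, four new hosts nearly every lookup, eleven /16s, unknown domain.
FAST_FLUX = (
    DnsResponse(180, ("10.1.1.1", "10.2.2.2", "10.3.3.3", "10.4.4.4")),
    DnsResponse(300, ("10.5.5.5", "10.6.6.6", "10.3.3.3", "10.7.7.7")),
    DnsResponse(180, ("10.8.8.8", "10.9.9.9", "10.10.10.10", "10.11.11.11")),
)
# Large CDN: the same traffic shape (short TTL, churn, many prefixes), which is exactly
# the false-positive case; only the search-engine credit separates it.
LARGE_CDN = (
    DnsResponse(20, ("172.16.1.1", "172.17.1.1", "172.18.1.1", "172.19.1.1")),
    DnsResponse(20, ("172.20.1.1", "172.21.1.1", "172.18.1.1", "172.22.1.1")),
    DnsResponse(20, ("172.23.1.1", "172.24.1.1", "172.25.1.1", "172.26.1.1")),
)

if __name__ == "__main__":
    print("flux domain, 3 hits:     ", classify(FAST_FLUX, search_hits=3))
    print("large CDN, 5M hits:      ", classify(LARGE_CDN, search_hits=5_000_000))
    print("large CDN, traffic only: ", classify(LARGE_CDN, search_hits=0))
```

Run stand-alone, the large CDN is flagged when only traffic-response features are used and cleared once the search-engine credit is applied, which is the gap the abstract describes; the fast-flux sample stays flagged either way. In a router or IDS deployment the search-engine lookup would be cached per domain, since it is far more expensive than the per-response feature computation.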
X-ray, optical and infrared investigation of the candidate Supergiant Fast X-ray Transient IGR J18462-0223
We report on a broad-band X-ray study (0.5-60 keV) of the poorly known candidate Supergiant Fast X-ray Transient (SFXT) IGR J18462-0223, and on optical and near-infrared (NIR) followup observations of field objects. The out-of-outburst X-ray state has been investigated for the first time with archival INTEGRAL/IBIS, ASCA, Chandra and Swift/XRT observations. This allowed us to place stringent 3 sigma upper limits on the soft (0.5-10 keV) and hard (18-60 keV) X-ray emission of 2.9x10^-13 erg cm^-2 s^-1 and 8x10^-12 erg cm^-2 s^-1, respectively; the source was also detected during an intermediate soft X-ray state with flux equal to 1.6x10^-11 erg cm^-2 s^-1 (0.5-10 keV). In addition, we report on the INTEGRAL/IBIS discovery of three fast hard X-ray flares (18-60 keV) having a duration in the range 1-12 hours: the flaring behavior was also investigated in soft X-rays (3-10 keV) with archival INTEGRAL/JEM-X observations. The duty cycle (1.2%) and the dynamic ranges (> 1,380 and > 190 in the energy bands 0.5-10 keV and 18-60 keV, respectively) were measured for the first time. Archival UKIDSS JHK NIR data, together with our deep R-band imaging of the field, unveiled a single, very red object inside the intersection of the Swift/XRT and XMM-Newton error circles: this source has optical/NIR photometric properties compatible with a very heavily absorbed blue supergiant located at about 11 kpc, thus being a strong candidate counterpart for IGR J18462-0223. NIR spectroscopy is advised to confirm the association. Finally, a hint of a possible orbital period was found at about 2.13 days. If confirmed by further studies, this would make IGR J18462-0223 the SFXT with the shortest orbital period among the currently known systems.
Comment: accepted for publication in A&A, 9 pages, 7 figures, 2 tables.
Atmospheric Neutrino Physics with the MACRO detector
We present the measurement of the flux and angular distribution of atmospheric muon neutrinos using the MACRO detector. Three different event topologies are detected in two different energy ranges. High energy neutrinos (E~80 GeV) via the identification of upward throughgoing muons. Lower energy neutrinos (E~4 GeV) via the upgoing stopping and partially contained downgoing muons (ID+UGS), or via the partially contained upgoing muons (IU). The measured flux is reduced with respect to the predictions. For the high energy sample, globally the flux reduction is and varies with the zenith angle. The ratio of measured to expected events is almost constant with the zenith angle for the low energy events, and is for the IU sample, and for the (ID+UGS). All the data sets are consistent within a scenario of neutrino oscillations, with maximum mixing and .
Comment: 7 pages, 7 figures. Invited talk at 6th Topical Seminar on Neutrino and AstroParticle Physics, San Miniato, Italy, 17-21 May 199