
    Evaluation of countermeasure against future malware evolution with deterministic modeling

    Recently, machine learning technologies have evolved dramatically. Accordingly, the concept of self-evolving botnets has been introduced: botnets that discover vulnerabilities of hosts by distributed machine learning using the computational resources of infected hosts, and then infect other hosts through attacks that exploit the discovered vulnerabilities. The infectability of self-evolving botnets is far greater than that of conventional botnets, so such new botnets will become a serious threat to the future networked society, including 5G and IoT environments. In this paper, we consider a volunteer model that discovers unknown vulnerabilities earlier than self-evolving botnets, by distributed computing using volunteer hosts' resources, and repairs those vulnerabilities. We propose a deterministic model of the volunteer model. Through numerical calculations, we evaluate the performance of the volunteer model against self-evolving botnets.

    This is a product of research which was financially supported by the Kansai University Fund for Supporting Young Scholars, 2018, "Design of anti-malware systems against future malware evolution". This research was partially supported by The Telecommunications Advancement Foundation, Japan. Asia-Pacific Signal and Information Processing Association Annual Summit and Conference (APSIPA ASC 2019), November 18-21, 2019, Lanzhou, China.

    Game theory and network security: Economic incentives and barriers

    Nowadays, the Internet and computer networks play an increasing role in our modern society. However, we also witness new types of security and privacy incidents, such as the propagation of malware, the growth of botnets, and denial-of-service (DoS) attacks against business and government websites. Therefore, experts must investigate security solutions to defend against these well-organized and sophisticated adversaries. Instead of designing a defence against a specific attack, game theory attempts to design a quantitative decision framework to determine the likelihood of adversaries' attacks and to suggest defence strategies for the defenders. This thesis illustrates some examples of the potential usefulness of game theory in information systems security. First, we present a game-theoretic scenario to study the strategic behavior of two Internet Service Providers (ISPs) who have to decide whether to invest in deploying security technologies that detect and prevent malicious cyber-attacks. In particular, we consider the case where the ISPs can identify malware-infected machines among their subscribers, and their action (i.e., quarantining these infected machines) may well mitigate cyber security incidents. By analyzing the financial incentive for the ISPs to deploy a security policy among their subscribers, we find the best action of the ISPs considering their customers' security awareness and their market shares. We also identify the need for government regulations and incentives in order to better guide the role of ISPs in enhancing the global security of the Internet. Then, we present a game-theoretic model for analyzing the dynamic interaction between attackers and defenders as a two-player game with uncertainty, considering multiple levels of detection for defence devices configurable by the defender and multiple levels of severity for attacks chosen by the attacker. By assuming that higher levels of defence and higher levels of attack severity are associated with higher levels of investment by the defender and the attacker, respectively, we compute mixed-strategy Nash equilibria for both the attacker and the defender, considering the case where the players' valuation follows a uniform distribution and the case where it follows a truncated normal distribution. We then formulate an n-player game to capture competition among n attackers who aim to successfully attack the same target, and analyze the mixed-strategy Nash equilibria in both models. Finally, we consider networks in which the worm propagator and the defender can dynamically decide their optimal propagation rates for the worm and for security patches, respectively, considering their associated costs. We combine the propagation process with a game-theoretic model as a two-player non-zero-sum differential game. We then formulate the decision problem as a continuous-time optimal control problem and solve it using Pontryagin's maximum principle. The obtained result leads to a better understanding of the worm propagator's behavior and can be used to limit the scale of loss resulting from Internet worms.

    Topology-Aware Vulnerability Mitigation Worms

    In very dynamic Information and Communication Technology (ICT) infrastructures, with rapidly growing applications, malicious intrusions have become very sophisticated, effective, and fast. Industries have suffered billions of US dollars in losses due solely to malicious worm outbreaks. Several calls have been issued by governments and industries to the research community to propose innovative solutions that would help prevent malicious breaches, especially as enterprise networks become more complex, large, and volatile. In this thesis we approach self-replicating, self-propagating, and self-contained network programs (i.e. worms) as vulnerability mitigation mechanisms to eliminate threats to networks. These programs provide distinctive features, including short-distance communication with network nodes, intermittent network node vulnerability probing, and network topology discovery. Such features become necessary, especially for networks with frequent node association and disassociation, dynamically connected links, and hosts that concurrently run multiple operating systems. We propose -- to the best of our knowledge -- the first computer worm that utilizes the second layer of the OSI model (the Data Link Layer) as its main propagation medium. We name our defensive worm Seawave: a controlled, interactive, self-replicating, self-propagating, and self-contained vulnerability mitigation mechanism. We develop, experiment with, and evaluate Seawave under different simulation environments that mimic enterprise networks to a large extent. We also propose a threat analysis model to help identify weaknesses, strengths, and threats within and towards our vulnerability mitigation mechanism, followed by a mathematical propagation model to observe Seawave's performance in large-scale enterprise networks. We also propose, in preliminary form, another vulnerability mitigation worm that utilizes the Link Layer Discovery Protocol (LLDP) for its propagation, along with an evaluation of its performance. In addition, we describe a preliminary taxonomy that rediscovers the relationship between different types of self-replicating programs (i.e. viruses, worms, and botnets) and redefines these programs based on their properties. The taxonomy provides a classification that can be easily applied within industry and the research community, and paves the way for a promising research direction that would consider the defensive side of self-replicating programs.

    An efficient approach to online bot detection based on a reinforcement learning technique

    In recent years, botnets have been adopted as a popular method for carrying and spreading malicious code on the Internet. This code paves the way for many fraudulent activities, including spam mail, distributed denial-of-service (DDoS) attacks, and click fraud. While many botnets are set up using a centralized communication architecture such as Internet Relay Chat (IRC) or Hypertext Transfer Protocol (HTTP), peer-to-peer (P2P) botnets can adopt a decentralized architecture using an overlay network for exchanging command and control (C&C) messages, which is a more resilient and robust communication channel infrastructure. Without a central point for C&C servers, P2P botnets are more flexible in defeating countermeasures and detection procedures than traditional centralized botnets. Several botnet detection techniques have been proposed, but botnet detection is still a very challenging task for the Internet security community because botnets execute attacks stealthily within dramatically growing volumes of network traffic. Moreover, current botnet detection schemes face significant problems of efficiency and adaptability. The present study combines a traffic reduction approach with a reinforcement learning (RL) method in order to create an online bot detection system. The proposed framework adopts the idea of RL to improve the system dynamically over time. In addition, the traffic reduction method is used to set up a lightweight and fast online detection method. Moreover, a host feature based on connection-level traffic was designed, which can identify bot host behaviour. Because it depends only on information obtained from packet headers, the proposed technique can potentially be applied to any encrypted network traffic: it does not require Deep Packet Inspection (DPI) and is not confounded by payload encryption. The network traffic reduction technique reduces the packets input to the detection system, yet the proposed solution achieves a good detection rate of 98.3% as well as a low false positive rate (FPR) of 0.012% in the online evaluation. Comparison with other techniques on the same dataset shows that our strategy outperforms existing methods. The proposed solution was evaluated and tested using real network traffic datasets to increase the validity of the solution.

    Networks, complexity and internet regulation: scale-free law

    No description supplied.

    On the Generation of Cyber Threat Intelligence: Malware and Network Traffic Analyses

    In recent years, malware authors have drastically changed their course on the subject of threat design and implementation. Malware authors, namely hackers or cyber-terrorists, perpetrate new forms of cyber-crime involving more innovative hacking techniques. Motivated by financial or political reasons, attackers target computer systems ranging from personal computers to organizations' networks to collect and steal sensitive data, as well as to blackmail or scam people or to scupper IT infrastructures. Accordingly, IT security experts face new challenges, as they need to counter cyber-threats proactively. The challenge takes on the continuous character of a fight, in which cyber-criminals are obsessed with the idea of outsmarting security defenses. As such, security experts have to elaborate an effective strategy to counter cyber-criminals. The generation of cyber-threat intelligence is of paramount importance, as stated in the following quote: "the field is owned by who owns the intelligence". In this thesis, we address the problem of generating timely and relevant cyber-threat intelligence for the purpose of detection, prevention and mitigation of cyber-attacks. To do so, we initiate a research effort that falls into four parts. First, we analyze prominent cyber-crime toolkits to grasp the inner secrets and workings of advanced threats. We dissect prominent malware such as the Zeus and Mariposa botnets to uncover the underlying techniques used to build a networked army of infected machines. Second, we investigate cyber-crime infrastructures, where we elaborate on the generation of cyber-threat intelligence for situational awareness. We adapt a graph-theoretic approach to study the infrastructures used by malware to perpetrate malicious activities. We build a scoring mechanism based on a page-ranking algorithm to measure the badness of infrastructure elements, i.e., domains, IPs, domain owners, etc. In addition, we use the min-hashing technique to evaluate the level of sharing among cyber-threat infrastructures over a period of one year. Third, we use machine learning techniques to fingerprint malicious IP traffic. By fingerprinting, we mean detecting malicious network flows and attributing them to malware families. This research effort relies on a ground truth collected from the dynamic analysis of malware samples. Finally, we investigate the generation of cyber-threat intelligence from passive DNS streams. To this end, we design and implement a system that generates anomalies from passive DNS traffic. Due to the sheer volume of DNS data, we build the system on top of a cluster computing framework, namely Apache Spark [70]. The integrated analytic system has the ability to detect anomalies observed in DNS records, which are potentially generated by widespread cyber-threats.