
    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

    Emerging research directions in computer science : contributions from the young informatics faculty in Karlsruhe

    In order to build better human-friendly human-computer interfaces, such interfaces need to be enabled with capabilities to perceive the user, his location, identity, activities and in particular his interaction with others and the machine. Only with these perception capabilities can smart systems (for example human-friendly robots or smart environments) become possible. In my research I'm thus focusing on the development of novel techniques for the visual perception of humans and their activities, in order to facilitate perceptive multimodal interfaces, humanoid robots and smart environments. My work includes research on person tracking, person identification, recognition of pointing gestures, estimation of head orientation and focus of attention, as well as audio-visual scene and activity analysis. Application areas are human-friendly humanoid robots, smart environments, content-based image and video analysis, as well as safety- and security-related applications. This article gives a brief overview of my ongoing research activities in these areas

    Shadow Honeypots

    We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network or service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false positives

    ISCR Annual Report: Fiscal Year 2004


    Proceedings of the 10th Conference on Computer Networks (Actas da 10ª Conferência sobre Redes de Computadores)

    Universidade do Minho; CCTC; Centro Algoritmi; Cisco Systems; IEEE Portugal Sectio

    Segmentation of peer-to-peer overlays as support for intrusion-tolerant memories

    Dissertation (master's) - Universidade Federal de Santa Catarina, Centro Tecnológico, Graduate Program in Automation and Systems Engineering, Florianópolis, 2012. Peer-to-peer (P2P) networks form a distributed systems architecture characterized by scalability, openness and dynamism. These P2P networks were initially popularized by file-sharing applications, but today their characteristics have made them the basis for building applications that require large scale. Despite the advantages of P2P networks, their great openness and dynamism bring some difficulties for the construction of certain types of applications. Among the main challenges are the difficulty of maintaining the consistency of information when nodes may join and leave during execution, and the need to tolerate the participation of malicious nodes whose goal is to corrupt the system and prevent it from functioning. These challenges have meant that most applications over P2P are applications for storing information that undergoes little or no change during execution and that is self-verifiable, that is, malicious or accidental modifications can be identified by analysing the content itself. In this context, the proposal of this dissertation is the specification of an infrastructure for building arbitrary applications, by means of a distributed shared memory abstraction, that tolerates the participation of a number of malicious nodes. The central idea is to apply State Machine Replication (SMR) techniques over the P2P network. However, SMR has scalability problems, because the number of messages exchanged to coordinate the replicas is quadratic. Therefore, the proposal is to divide the P2P network into sets of nodes of bounded size, called segments, so as to guarantee the performance of the SMR protocols. Segments are dynamic, that is, they may grow or shrink as nodes join and leave the system, but the infrastructure guarantees, by merging or splitting segments, that their size remains within the established limits. The system was designed as a stack of layers whose functionality is described in the form of operations and properties. The segmentation operations were implemented as algorithms in pseudocode, whose correct operation was demonstrated by proofs of lemmas and theorems. A critical analysis of the algorithms clarified their limitations and assessed their costs. To demonstrate the expressiveness of the proposed infrastructure, a tuple space was built using the implemented operations.
    Abstract: Peer-to-peer (P2P) networks form a distributed system architecture that features good scalability, openness and dynamism. Such networks were first made popular by file-sharing applications, although nowadays these features became the basis for the construction of applications that require scalability. Even though P2P networks have some advantages, their openness and dynamism give rise to some difficulties in the construction of certain types of application. Among the most important challenges are the trouble of maintaining consistency in the face of nodes constantly joining and leaving the system, and the need to tolerate the participation of malicious nodes whose purpose is to disrupt the system and to prevent its functioning. These challenges have meant that most applications on P2P are storage applications where data is seldom changed and is self-verifying, i.e. it is possible to detect either malicious or accidental modifications by checking the data itself. Within this context, our proposal in this dissertation is the specification of an infrastructure for the construction of arbitrary applications, by means of a shared memory abstraction, that tolerates the participation of a certain number of malicious nodes. The central idea consists of leveraging State Machine Replication (SMR) techniques on top of P2P networks. The problem is that SMR has scalability issues, as the number of messages exchanged in replica coordination is quadratic. Given that, our proposal is to split the P2P network into sets of limited size, called segments, in a way that ensures the SMR protocols perform well. Segments are dynamic, i.e. they can grow or shrink as nodes join or leave the system, but the infrastructure guarantees, either by merging or splitting segments, that their size keeps within established limits. The system was designed as a stack of layers whose functionality is defined by a set of operations and their properties. The operations of the segmentation layer were implemented by distributed algorithms written in pseudocode. The correct operation of these algorithms was shown by theorem proofs. Furthermore, a critical analysis of these algorithms clarified limitations and assessed their costs. In order to demonstrate the expressiveness of the proposed infrastructure, a tuple space was built using the implemented operations

    Measuring the Semantic Integrity of a Process Self

    The focus of the thesis is the definition of a framework to protect a process from attacks against the process self, i.e. attacks that alter the expected behavior of the process, by integrating static analysis and run-time monitoring. The static analysis of the program returns a description of the process self that consists of a context-free grammar, which defines the legal system call traces, and a set of invariants on process variables that hold when a system call is issued. Run-time monitoring assures the semantic integrity of the process by checking that its behavior is coherent with the process self returned by the static analysis. The proposed framework can also cover kernel integrity to protect the process from attacks from the kernel level. The implementation of the run-time monitoring is based upon introspection, a technique that analyzes the state of a computer to rebuild and check the consistency of kernel or user-level data structures. The ability to observe the run-time values of variables reduces the complexity of the static analysis and increases the amount of information that can be extracted on the run-time behavior of the process. To achieve transparency of the controls for the process while avoiding the introduction of special purpose hardware units that access the memory, the architecture of the run-time monitoring adopts virtualization technology and introduces two virtual machines, the monitored and the introspection virtual machines. This approach increases the overall robustness because a distinct virtual machine, the introspection virtual machine, applies introspection in a transparent way both to verify the kernel integrity and to retrieve the status of the process to check the process self. After presenting the framework and its implementation, the thesis discusses some of its applications to increase the security of a computer network. 
The first application of the proposed framework is the remote attestation of the semantic integrity of a process. Then, the thesis describes a set of extensions to the framework to protect a process from physical attacks by running an obfuscated version of the process code. Finally, the thesis generalizes the framework to support the efficient sharing of an information infrastructure among users and applications with distinct security and reliability requirements by introducing highly parallel overlays

    Dagstuhl News January - December 2006

    "Dagstuhl News" is a publication edited especially for the members of the Foundation "Informatikzentrum Schloss Dagstuhl" to thank them for their support. The News gives a summary of the scientific work being done in Dagstuhl. Each Dagstuhl Seminar is presented by a small abstract describing the contents and scientific highlights of the seminar as well as the perspectives or challenges of the research topic

    Department of Computer Science Activity 1998-2004

    This report summarizes much of the research and teaching activity of the Department of Computer Science at Dartmouth College between late 1998 and late 2004. The material for this report was collected as part of the final report for NSF Institutional Infrastructure award EIA-9802068, which funded equipment and technical staff during that six-year period. This equipment and staff supported essentially all of the department's research activity during that period