9,935 research outputs found
Mining and Detecting Connection-Chains in Network Traffic
Summary. A connection-chain refers to the set of connections created by sequentially logging into a series of hosts. Attackers typically use connection chains to indirectly carry their attacks and stay anonymous. In this paper, we proposed a host-based algorithm to detect connection chains by passively monitoring inbound and outbound packets. In particular, we employ concepts from association rule mining in the data mining literature. The proposed approach is first explained in details. We then present our evaluations of the approach in terms of real-time and detection performance. Our experimentations suggest that the algorithm is suitable for real-time operation, because the average processing time per packet is both constant and low. We also show that by appropriately setting underlying parameters we can achieve perfect detection
Intelligent Network-Based Stepping Stone Detection Approach.
This research intends to introduce a new usage of Artificial Intelligent (AI) approaches in Stepping Stone Detection
(SSD) fields of research
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks,
highlighting significant recent changes in how and why such attacks are
performed. We then investigate the mechanics of malware command and control
(C2) establishment: we provide a comprehensive review of the techniques used by
attackers to set up such a channel and to hide its presence from the attacked
parties and the security tools they use. We then switch to the defensive side
of the problem, and review approaches that have been proposed for the detection
and disruption of C2 channels. We also map such techniques to widely-adopted
security controls, emphasizing gaps or limitations (and success stories) in
current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages.
Listing abstract compressed from version appearing in repor
Adversarial behaviours knowledge area
The technological advancements witnessed by our society in recent decades have brought
improvements in our quality of life, but they have also created a number of opportunities for
attackers to cause harm. Before the Internet revolution, most crime and malicious activity
generally required a victim and a perpetrator to come into physical contact, and this limited
the reach that malicious parties had. Technology has removed the need for physical contact
to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.Published versio
NetSentry: A deep learning approach to detecting incipient large-scale network attacks
Machine Learning (ML) techniques are increasingly adopted to tackle
ever-evolving high-profile network attacks, including DDoS, botnet, and
ransomware, due to their unique ability to extract complex patterns hidden in
data streams. These approaches are however routinely validated with data
collected in the same environment, and their performance degrades when deployed
in different network topologies and/or applied on previously unseen traffic, as
we uncover. This suggests malicious/benign behaviors are largely learned
superficially and ML-based Network Intrusion Detection System (NIDS) need
revisiting, to be effective in practice. In this paper we dive into the
mechanics of large-scale network attacks, with a view to understanding how to
use ML for Network Intrusion Detection (NID) in a principled way. We reveal
that, although cyberattacks vary significantly in terms of payloads, vectors
and targets, their early stages, which are critical to successful attack
outcomes, share many similarities and exhibit important temporal correlations.
Therefore, we treat NID as a time-sensitive task and propose NetSentry, perhaps
the first of its kind NIDS that builds on Bidirectional Asymmetric LSTM
(Bi-ALSTM), an original ensemble of sequential neural models, to detect network
threats before they spread. We cross-evaluate NetSentry using two practical
datasets, training on one and testing on the other, and demonstrate F1 score
gains above 33% over the state-of-the-art, as well as up to 3 times higher
rates of detecting attacks such as XSS and web bruteforce. Further, we put
forward a novel data augmentation technique that boosts the generalization
abilities of a broad range of supervised deep learning algorithms, leading to
average F1 score gains above 35%
Modeling sequences and temporal networks with dynamic community structures
In evolving complex systems such as air traffic and social organizations,
collective effects emerge from their many components' dynamic interactions.
While the dynamic interactions can be represented by temporal networks with
nodes and links that change over time, they remain highly complex. It is
therefore often necessary to use methods that extract the temporal networks'
large-scale dynamic community structure. However, such methods are subject to
overfitting or suffer from effects of arbitrary, a priori imposed timescales,
which should instead be extracted from data. Here we simultaneously address
both problems and develop a principled data-driven method that determines
relevant timescales and identifies patterns of dynamics that take place on
networks as well as shape the networks themselves. We base our method on an
arbitrary-order Markov chain model with community structure, and develop a
nonparametric Bayesian inference framework that identifies the simplest such
model that can explain temporal interaction data.Comment: 15 Pages, 6 figures, 2 table
- …