2,231 research outputs found
Non-blind watermarking of network flows
Linking network flows is an important problem in intrusion detection as well
as anonymity. Passive traffic analysis can link flows but requires long periods
of observation to reduce errors. Active traffic analysis, also known as flow
watermarking, allows for better precision and is more scalable. Previous flow
watermarks introduce significant delays to the traffic flow as a side effect of
using a blind detection scheme; this enables attacks that detect and remove the
watermark, while at the same time slowing down legitimate traffic. We propose
the first non-blind approach for flow watermarking, called RAINBOW, that
improves watermark invisibility by inserting delays hundreds of times smaller
than previous blind watermarks, hence reduces the watermark interference on
network flows. We derive and analyze the optimum detectors for RAINBOW as well
as the passive traffic analysis under different traffic models by using
hypothesis testing. Comparing the detection performance of RAINBOW and the
passive approach we observe that both RAINBOW and passive traffic analysis
perform similarly good in the case of uncorrelated traffic, however, the
RAINBOW detector drastically outperforms the optimum passive detector in the
case of correlated network flows. This justifies the use of non-blind
watermarks over passive traffic analysis even though both approaches have
similar scalability constraints. We confirm our analysis by simulating the
detectors and testing them against large traces of real network flows
Solving time gap problems through the optimization of detecting stepping stone algorithm
This paper describes an analysis of detecting stepping stone algorithm to defeat the time gap problem. It is found that current algorithm of detecting stepping stone is not optimized. Several weaknesses are identified and suggestions are proposed to overcome this problem. The suggestions are applied in the improved algorithm. Since the detecting stepping stone is listed as one of the response technique, it is suggested that the improved algorithm should be used as a remedial to the time gap problem
Scalable Wavelet-Based Active Network Stepping Stone Detection
Network intrusions leverage vulnerable hosts as stepping stones to penetrate deeper into a network and mask malicious actions from detection. This research focuses on a novel active watermark technique using Discrete Wavelet Transformations to mark and detect interactive network sessions. This technique is scalable, nearly invisible and resilient to multi-flow attacks. The watermark is simulated using extracted timestamps from the CAIDA 2009 dataset and replicated in a live environment. The simulation results demonstrate that the technique accurately detects the presence of a watermark at a 5% False Positive and False Negative rate for both the extracted timestamps as well as the empirical tcplib distribution. The watermark extraction accuracy is approximately 92%. The live experiment is implemented using the Amazon Elastic Compute Cloud. The client system sends marked and unmarked packets from California to Virginia using stepping stones in Tokyo, Ireland and Oregon. Five trials are conducted using simultaneous watermarked and unmarked samples. The live results are similar to the simulation and provide evidence demonstrating the effectiveness in a live environment to identify stepping stones
zeek-osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection
Intrusion Detection Systems (IDSs) can analyze network traffic for signs of
attacks and intrusions. However, encrypted communication limits their
visibility and sophisticated attackers additionally try to evade their
detection. To overcome these limitations, we extend the scope of Network IDSs
(NIDSs) with additional data from the hosts. For that, we propose the
integrated open-source zeek-osquery platform that combines the Zeek IDS with
the osquery host monitor. Our platform can collect, process, and correlate host
and network data at large scale, e.g., to attribute network flows to processes
and users. The platform can be flexibly extended with own detection scripts
using already correlated, but also additional and dynamically retrieved host
data. A distributed deployment enables it to scale with an arbitrary number of
osquery hosts. Our evaluation results indicate that a single Zeek instance can
manage more than 870 osquery hosts and can attribute more than 96% of TCP
connections to host-side applications and users in real-time.Comment: Accepted for publication at ICT Systems Security and Privacy
Protection (IFIP) SEC 202
Getting the real-time precise round-trip time for stepping stone detection
Stepping stone attacks are often used by network intruders to hide their identities. The Round Trip Times (RTT) between the send packets and corresponding echo packets for the connection chains of stepping stones are critical for detecting such attacks. In this paper, we propose a novel real-time RTT getting algorithm for stepping stones which is based on the estimation of the current RTT value. Our experiments show that it is far more precise than the previous real-time RTT getting algorithms. We also present the probability analysis which shows that our algorithm has a high matching rate and a high accurate rate
Exploratory study to explore the role of ICT in the process of knowledge management in an Indian business environment
In the 21st century and the emergence of a digital economy, knowledge and the knowledge base economy are rapidly growing. To effectively be able to understand the processes involved in the creating, managing and sharing of knowledge management in the business environment is critical to the success of an organization. This study builds on the previous research of the authors on the enablers of knowledge management by identifying the relationship between the enablers of knowledge management and the role played by information communication technologies (ICT) and ICT infrastructure in a business setting. This paper provides the findings of a survey collected from the four major Indian cities (Chennai, Coimbatore, Madurai and Villupuram) regarding their views and opinions about the enablers of knowledge management in business setting. A total of 80 organizations participated in the study with 100 participants in each city. The results show that ICT and ICT infrastructure can play a critical role in the creating, managing and sharing of knowledge in an Indian business environment
Stepping Stone Detection for Tracing Attack Sources in Software-Defined Networks
Stepping stones are compromised hosts in a network which can be used by hackers and other malicious attackers to hide the origin of connections. Attackers hop from one compromised host to another to form a chain of stepping stones before launching attack on the actual victim host. Various timing and content based detection techniques have been proposed in the literature to trace back through a chain of stepping stones in order to identify the attacker. This has naturally led to evasive strategies such as shaping the traffic differently at each hop. The evasive techniques can also be detected.
Our study aims to adapt some of the existing stepping stone detection and anti-evasion techniques to software-defined networks which use network function virtualization. We have implemented the stepping-stone detection techniques in a simulated environment and uses Flow for the traffic monitoring at the switches. We evaluate the detection algorithms on different network topologies and analyze the results to gain insight on the effectiveness of the detection mechanisms. The selected detection techniques work well on relatively high packet sampling rates. However, new solutions will be needed for large SDN networks where the packet sampling rate needs to be lower
Wide spectrum attribution: Using deception for attribution intelligence in cyber attacks
Modern cyber attacks have evolved considerably. The skill level required to conduct
a cyber attack is low. Computing power is cheap, targets are diverse and plentiful.
Point-and-click crimeware kits are widely circulated in the underground economy, while
source code for sophisticated malware such as Stuxnet is available for all to download
and repurpose. Despite decades of research into defensive techniques, such as firewalls,
intrusion detection systems, anti-virus, code auditing, etc, the quantity of successful
cyber attacks continues to increase, as does the number of vulnerabilities identified.
Measures to identify perpetrators, known as attribution, have existed for as long as there
have been cyber attacks. The most actively researched technical attribution techniques
involve the marking and logging of network packets. These techniques are performed
by network devices along the packet journey, which most often requires modification of
existing router hardware and/or software, or the inclusion of additional devices. These
modifications require wide-scale infrastructure changes that are not only complex and
costly, but invoke legal, ethical and governance issues. The usefulness of these techniques
is also often questioned, as attack actors use multiple stepping stones, often innocent
systems that have been compromised, to mask the true source. As such, this thesis
identifies that no publicly known previous work has been deployed on a wide-scale basis
in the Internet infrastructure.
This research investigates the use of an often overlooked tool for attribution: cyber de-
ception. The main contribution of this work is a significant advancement in the field of
deception and honeypots as technical attribution techniques. Specifically, the design and
implementation of two novel honeypot approaches; i) Deception Inside Credential Engine
(DICE), that uses policy and honeytokens to identify adversaries returning from different
origins and ii) Adaptive Honeynet Framework (AHFW), an introspection and adaptive
honeynet framework that uses actor-dependent triggers to modify the honeynet envi-
ronment, to engage the adversary, increasing the quantity and diversity of interactions.
The two approaches are based on a systematic review of the technical attribution litera-
ture that was used to derive a set of requirements for honeypots as technical attribution
techniques. Both approaches lead the way for further research in this field
- …