59 research outputs found
New Sequential Methods for Detecting Portscanners
In this paper, we propose new sequential methods for detecting port-scan
attackers which routinely perform random "portscans" of IP addresses to find
vulnerable servers to compromise. In addition to rigorously control the
probability of falsely implicating benign remote hosts as malicious, our method
performs significantly faster than other current solutions. Moreover, our
method guarantees that the maximum amount of observational time is bounded. In
contrast to the previous most effective method, Threshold Random Walk
Algorithm, which is explicit and analytical in nature, our proposed algorithm
involve parameters to be determined by numerical methods. We have developed
computational techniques such as iterative minimax optimization for quick
determination of the parameters of the new detection algorithm. A framework of
multi-valued decision for testing portscanners is also proposed.Comment: 11 pages, 5 figures, the mathematical theory of the detection
algorithm has been presented in SPIE conference
Fingerprinting Internet DNS Amplification DDoS Activities
This work proposes a novel approach to infer and characterize Internet-scale
DNS amplification DDoS attacks by leveraging the darknet space. Complementary
to the pioneer work on inferring Distributed Denial of Service (DDoS)
activities using darknet, this work shows that we can extract DDoS activities
without relying on backscattered analysis. The aim of this work is to extract
cyber security intelligence related to DNS Amplification DDoS activities such
as detection period, attack duration, intensity, packet size, rate and
geo-location in addition to various network-layer and flow-based insights. To
achieve this task, the proposed approach exploits certain DDoS parameters to
detect the attacks. We empirically evaluate the proposed approach using 720 GB
of real darknet data collected from a /13 address space during a recent three
months period. Our analysis reveals that the approach was successful in
inferring significant DNS amplification DDoS activities including the recent
prominent attack that targeted one of the largest anti-spam organizations.
Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS
attacks. Further, the results uncover high-speed and stealthy attempts that
were never previously documented. The case study of the largest DDoS attack in
history lead to a better understanding of the nature and scale of this threat
and can generate inferences that could contribute in detecting, preventing,
assessing, mitigating and even attributing of DNS amplification DDoS
activities.Comment: 5 pages, 2 figure
Alert Correlation through a Multi Components Architecture
Alert correlation is a process that analyzes the raw alerts produced by one or more intrusion detection systems, reduces nonrelevant ones, groups together alerts based on similarity and causality relationships between them and finally makes aconcise and meaningful view of occurring or attempted intrusions. Unfortunately, most correlation approaches use just a few components that aim only specific correlation issues and so cause reduction in correlation rate. This paper uses a general correlation model that has already been presented in [9] and is consisted of a comprehensive set of components. Then some changes are applied in the component that is related to multi-step attack scenario to detect them better and so to improve semantic level of alerts. The results of experiments with DARPA 2000 data set obviously show the effectiveness of the proposed approach.DOI:http://dx.doi.org/10.11591/ijece.v3i4.277
DETECTION OF CYBER ATTACK IN NETWORK USING MACHINE LEARNING TECHNIQUES
Contrasted with the past, improvements in PC and correspondence innovations have given broad and propelled changes. The use of new innovations give incredible advantages to people, organizations, and governments, be that as it may, messes some up against them. For instance, the protection of significant data, security of put away information stages, accessibility of information and so forth. Contingent upon these issues, digital fear based oppression is one of the most significant issues in this day and age. Digital fear, which made a great deal of issues people and establishments, has arrived at a level that could undermine open and nation security by different gatherings, for example, criminal association, proficient people and digital activists. Along these lines, Intrusion Detection Systems (IDS) has been created to maintain a strategic distance from digital assaults. Right now, learning the bolster support vector machine (SVM) calculations were utilized to recognize port sweep endeavors dependent on the new CICIDS2017 dataset with 97.80%, 69.79% precision rates were accomplished individually. Rather than SVM we can introduce some other algorithms like random forest, CNN, ANN where these algorithms can acquire accuracies like SVM β 93.29, CNN β 63.52, Random Forest β 99.93, ANN β 99.11
A Flow Based Horizontal Scan Detection Using Genetic Algorithm Approach
Abstract: An attacker has to "scan" susceptible points of a network before attacking. There are several methods of detection of such behavior which are mostly based on thresholding. As the performance of these methods is highly dependent on the value of threshold, it is crucial to adjust this value appropriately. This adjustment is not always trivial. In this study we proposed a new method to optimize the parameters of the system using genetic algorithms (GA) based on network flows. Subsequently we compared our method with Snort. The results showed a superior performance as measured by the sensitivity index of d"
- β¦