Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data
Recent years have seen the rise of more sophisticated attacks including
advanced persistent threats (APTs) which pose severe risks to organizations and
governments by targeting confidential proprietary information. Additionally,
new malware strains are appearing at a higher rate than ever before. Since much
of this malware is designed to evade existing security products, the traditional
defenses deployed by most enterprises today, e.g., anti-virus, firewalls and
intrusion detection systems, often fail to detect infections at an early
stage.
We address the problem of detecting early-stage infection in an enterprise
setting by proposing a new framework based on belief propagation, inspired by
graph theory. Belief propagation can be used either with "seeds" of compromised
hosts or malicious domains (provided by the enterprise security operation
center, SOC) or without any seeds. In the latter case we develop a detector
of C&C communication tailored to enterprises which can detect a
stealthy compromise of only a single host communicating with the C&C server.
We demonstrate that our techniques perform well on detecting enterprise
infections. We achieve high accuracy with low false detection and false
negative rates on two months of anonymized DNS logs released by Los Alamos
National Lab (LANL), which include APT infection attacks simulated by LANL
domain experts. We also apply our algorithms to 38TB of real-world web proxy
logs collected at the border of a large enterprise. Through careful manual
investigation in collaboration with the enterprise SOC, we show that our
techniques identified hundreds of malicious domains overlooked by
state-of-the-art security products.
Tiresias: Predicting Security Events Through Deep Learning
With the increased complexity of modern computer attacks, there is a need for
defenders not only to detect malicious activity as it happens, but also to
predict the specific steps that will be taken by an adversary when performing
an attack. However, this is still an open research problem, and previous
research on predicting malicious events only looked at binary outcomes (e.g.,
whether an attack would happen or not), not at the specific steps that an
attacker would undertake. To fill this gap we present Tiresias, a system that
leverages Recurrent Neural Networks (RNNs) to predict future events on a
machine, based on previous observations. We test Tiresias on a dataset of 3.4
billion security events collected from a commercial intrusion prevention
system, and show that our approach is effective in predicting the next event
that will occur on a machine with a precision of up to 0.93. We also show that
the models learned by Tiresias are reasonably stable over time, and provide a
mechanism that can identify sudden drops in precision and trigger a retraining
of the system. Finally, we show that the long-term memory typical of RNNs is
key to performing event prediction, rendering simpler methods not up to the
task.
Ensuring system integrity and security on limited environment systems
Cyber security threats have developed rapidly in recent years and should also be considered when building or implementing systems that traditionally have not been connected to networks. More and more of these systems are being networked and controlled remotely, which widens their attack surface and lays them open to cyber threats. This means the systems should be able to detect and block malware threats without letting the controls affect daily operations. File integrity monitoring and protection could be one way to protect systems from emerging threats.
The use case for this study is a computer system that controls a medical device. This kind of system does not necessarily have an internet connection and is not connected to a LAN by default. Ensuring integrity on the system is critical, since if the system were infected by malware, it could affect the test results.
This thesis studies the feasible ways to ensure system integrity on limited environment systems. First, these methods and tools are listed through a literature review, and each tool is studied for how it protects system integrity. The literature review aims to select methods for further testing through deductive reasoning. After selecting methods for testing, their implementations are installed in the testing environment. The methods are first tested for performance, and then their detection and blocking capability is tested against real-life threats.
Finally, this thesis proposes a method which could be implemented for the presented use case. The proposal at the end is based on the conducted tests.
FS-OpenSecurity : A taxonomic modeling of security threats in SDN for future sustainable computing
Network-based APT profiler
Constant innovation in attack methods presents a significant problem for the security community, which struggles to remain current in attack prevention, detection and response. The practice of threat hunting provides a proactive approach to identifying and mitigating attacks in real time before the attackers complete their objective. In this research, I present a matrix of adversary techniques inspired by MITRE's ATT&CK matrix. This study allows threat hunters to classify the actions of advanced persistent threats (APTs) according to network-based behaviors.
A Survey on Botnet Attacks
Devices connected to the Internet are the target of numerous attacks that steal or exploit their resources. As these attacks become widespread (and sophisticated), the first step in protecting your organization is knowing exactly what you are facing. Botnets are currently the main source of network attacks such as spam, denial of service (DDoS), click fraud, data theft, Pass the Hash, and RDC attacks. With the evolution of technology, we have several solutions to protect against attacks that undermine businesses, governments and individuals, but security attack methods are increasing daily. This study seeks to further investigate botnet attacks and also provide a comparison of these attacks; lastly, the survey will create awareness for forthcoming botnet research endeavors.
The effects of security protocols on cybercrime at Ahmadu Bello University, Zaria, Nigeria.
Master's Degree. University of KwaZulu-Natal, Durban.
The use of Information Communication Technology (ICT) within the educational
sector is increasing rapidly. University systems are becoming increasingly
dependent on computerized information systems (CIS) in order to carry out their
daily routine. Moreover, CIS no longer process staff records and financial data
only, as they once did. Nowadays, universities use CIS to assist in automating
the overall system. This automation includes the use of multiple databases, data
detail periodicity (i.e. gender, race/ethnicity, enrollment, degrees granted, and
program major), record identification (e.g. social security number ‘SSN’), linking
to other databases (i.e. linking unit record data with external databases such as
university and employment data).
The increasing demand for and exposure to Internet resources and infrastructure by
individuals and universities have made IT infrastructure an easy target for
cybercriminals who employ sophisticated attacks such as Advanced Persistent
Threats, Distributed Denial of Service attacks and Botnets in order to steal
confidential data, identities of individuals and money. Hence, in order to stay in
business, universities realise that it is imperative to secure vital Information
Systems from easily being exploited by emerging and existing forms of
cybercrimes. This study was conducted to determine and evaluate the various
forms of cybercrimes and their consequences on the university network at
Ahmadu Bello University, Zaria. The study was also aimed at proposing means
of mitigating cybercrimes and their effects on the university network. Hence, an
exploratory research design supported by a qualitative research approach was
used in this study. Staff of the Institute of Computing, Information and
Communication Technology (ICICT) were interviewed. The findings of the study
present different security measures and security tools that can be used to
effectively mitigate cybercrimes. It was found that social engineering, denial of
service attacks and website defacement were among the types of cybercrimes
occurring on the university network. It is therefore recommended that a behavioural
approach, in the form of motivating staff behaviour through salary increases and cash
incentives, be adopted to reduce cybercrime perpetrated by these staff.
Insider Threat Detection on the Windows Operating System using Virtual Machine Introspection
Existing insider threat defensive technologies focus on monitoring network traffic or events generated by activities on a user's workstation. This research develops a methodology for signaling potentially malicious insider behavior using virtual machine introspection (VMI). VMI provides a novel means to detect potential malicious insiders because the introspection tools remain transparent and inaccessible to the guest and are extremely difficult to subvert. This research develops a four-step methodology for the development and validation of malicious insider threat alerting using VMI. Six core use cases are developed along with eighteen supporting scenarios. A malicious attacker taxonomy is used to decompose each scenario to aid the identification of observables for monitoring potentially malicious actions. The effectiveness of the identified observables is validated through the use of two data sets, one containing simulated normal and malicious insider user behavior and the second from a computer network operations exercise. Compiled Memory Analysis Tool - Virtual (CMAT-V) and Xen hypervisor capabilities are leveraged to perform VMI and insider threat detection. Results of the research show the developed methodology is effective in detecting all defined malicious insider scenarios used in this research on Windows guests.
Applying Cyber Threat Intelligence to Industrial Control Systems
A cybersecurity initiative known as cyber threat intelligence (CTI) has recently been developed and deployed. The overall goal of this new technology is to help protect network infrastructures. Threat intelligence platforms (TIPs) have also been created to help facilitate CTI effectiveness within organizations. There are many benefits that both can achieve within the information technology (IT) sector. The industrial control system (ICS) sector can also benefit from these technologies, as most ICS networks are connected to IT networks. CTI and TIPs become resourceful when using indicators of compromise (IOCs) from known ICS malware attacks together with an open source intrusion detection system (IDS). This research shows how these IT-based technologies may help protect ICS. Three known malware attack scenarios are used to showcase their likely deployment. These scenarios are well-documented campaigns that targeted ICS environments and consisted of numerous IOCs. Equipped with this data, critical asset owners can obtain situational awareness on potential attacks and protect their devices with the proper implementation of CTI and TIP technologies.
Feature trade-off analysis for reconnaissance detection.
An effective cyber early warning system (CEWS) should pick up threat activity at an early stage, with an emphasis on establishing hypotheses and predictions as well as generating alerts on (unclassified) situations based on preliminary indications. The design and implementation of such early warning systems involve numerous challenges, such as a generic set of indicators, intelligence gathering, uncertainty reasoning and information fusion. This chapter begins with an understanding of the behaviours of intruders, followed by related literature and then the proposed methodology using a Bayesian inference-based system. It also includes a carefully deployed empirical analysis on a data set labelled for reconnaissance activity. Finally, the chapter concludes with a discussion of results, research challenges and suggestions for moving forward in this research line.