16,889 research outputs found
Data analytics for modeling and visualizing attack behaviors: A case study on SSH brute force attacks
In this research, we explore a data analytics based approach for modeling and visualizing attack behaviors. To this end, we employ Self-Organizing Map and Association Rule Mining algorithms to analyze and interpret the behaviors of SSH brute force attacks and SSH normal traffic as a case study. The experimental results based on four different data sets show that the patterns extracted and interpreted from the SSH brute force attack data sets are similar to each other but significantly different from those extracted from the SSH normal traffic data sets. The analysis of the attack traffic provides insight into behavior modeling for brute force SSH attacks. Furthermore, this sheds light into how data analytics could help in modeling and visualizing attack behaviors in general in terms of data acquisition and feature extraction
Spatiotemporal Patterns and Predictability of Cyberattacks
Y.C.L. was supported by Air Force Office of Scientific Research (AFOSR) under grant no. FA9550-10-1-0083 and Army Research Office (ARO) under grant no. W911NF-14-1-0504. S.X. was supported by Army Research Office (ARO) under grant no. W911NF-13-1-0141. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.Peer reviewedPublisher PD
Spatiotemporal patterns and predictability of cyberattacks
A relatively unexplored issue in cybersecurity science and engineering is
whether there exist intrinsic patterns of cyberattacks. Conventional wisdom
favors absence of such patterns due to the overwhelming complexity of the
modern cyberspace. Surprisingly, through a detailed analysis of an extensive
data set that records the time-dependent frequencies of attacks over a
relatively wide range of consecutive IP addresses, we successfully uncover
intrinsic spatiotemporal patterns underlying cyberattacks, where the term
"spatio" refers to the IP address space. In particular, we focus on analyzing
{\em macroscopic} properties of the attack traffic flows and identify two main
patterns with distinct spatiotemporal characteristics: deterministic and
stochastic. Strikingly, there are very few sets of major attackers committing
almost all the attacks, since their attack "fingerprints" and target selection
scheme can be unequivocally identified according to the very limited number of
unique spatiotemporal characteristics, each of which only exists on a
consecutive IP region and differs significantly from the others. We utilize a
number of quantitative measures, including the flux-fluctuation law, the Markov
state transition probability matrix, and predictability measures, to
characterize the attack patterns in a comprehensive manner. A general finding
is that the attack patterns possess high degrees of predictability, potentially
paving the way to anticipating and, consequently, mitigating or even preventing
large-scale cyberattacks using macroscopic approaches
Underestimated cost of targeted attacks on complex networks
The robustness of complex networks under targeted attacks is deeply connected
to the resilience of complex systems, i.e., the ability to make appropriate
responses to the attacks. In this article, we investigated the state-of-the-art
targeted node attack algorithms and demonstrate that they become very
inefficient when the cost of the attack is taken into consideration. In this
paper, we made explicit assumption that the cost of removing a node is
proportional to the number of adjacent links that are removed, i.e., higher
degree nodes have higher cost. Finally, for the case when it is possible to
attack links, we propose a simple and efficient edge removal strategy named
Hierarchical Power Iterative Normalized cut (HPI-Ncut).The results on real and
artificial networks show that the HPI-Ncut algorithm outperforms all the node
removal and link removal attack algorithms when the cost of the attack is taken
into consideration. In addition, we show that on sparse networks, the
complexity of this hierarchical power iteration edge removal algorithm is only
.Comment: 14 pages, 7 figure
Fingerprinting Internet DNS Amplification DDoS Activities
This work proposes a novel approach to infer and characterize Internet-scale
DNS amplification DDoS attacks by leveraging the darknet space. Complementary
to the pioneer work on inferring Distributed Denial of Service (DDoS)
activities using darknet, this work shows that we can extract DDoS activities
without relying on backscattered analysis. The aim of this work is to extract
cyber security intelligence related to DNS Amplification DDoS activities such
as detection period, attack duration, intensity, packet size, rate and
geo-location in addition to various network-layer and flow-based insights. To
achieve this task, the proposed approach exploits certain DDoS parameters to
detect the attacks. We empirically evaluate the proposed approach using 720 GB
of real darknet data collected from a /13 address space during a recent three
months period. Our analysis reveals that the approach was successful in
inferring significant DNS amplification DDoS activities including the recent
prominent attack that targeted one of the largest anti-spam organizations.
Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS
attacks. Further, the results uncover high-speed and stealthy attempts that
were never previously documented. The case study of the largest DDoS attack in
history lead to a better understanding of the nature and scale of this threat
and can generate inferences that could contribute in detecting, preventing,
assessing, mitigating and even attributing of DNS amplification DDoS
activities.Comment: 5 pages, 2 figure
- âŠ