Reaction to New Security Threat Class
Each newly identified security threat class triggers new research and
development efforts by the scientific and professional communities. In this
study, we investigate the rate at which the scientific and professional
communities react to newly identified threat classes, as reflected in the
number of patents, scientific articles and professional publications over a
long period of time. The following threat classes were studied: Phishing; SQL
Injection; BotNet; Distributed Denial of Service; and Advanced Persistent
Threat. Our findings suggest that in most cases it takes a year for the
scientific community and more than two years for industry to react to a new
threat class with patents. Since new products follow patents, it is reasonable
to expect that there will be a window of approximately two to three years in
which no effective product is available to cope with the new threat class.
Botnet detection using ensemble classifiers of network flow
Recently, botnets have become a common tool for implementing and distributing various malicious codes over the Internet. These codes can be used to carry out many malicious activities, including DDoS attacks, spam sending, click fraud and data theft. It is therefore necessary to use modern technologies that differentiate botnet traffic from normal network traffic in order to reduce this phenomenon and prevent it in advance. In this work, we apply ensemble classifier algorithms to identify such damaging botnet traffic. We experimented with different ensemble algorithms to compare and analyze their ability to separate botnet traffic from normal traffic by selecting distinguishing features of the network traffic. Botnet detection offers a reliable and inexpensive way to ensure the integrity of transfers and to warn of risks before they occur.
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
Over the last decade botnets survived by adopting a sequence of increasingly
sophisticated strategies to evade detection and takeovers, and to monetize
their infrastructure. At the same time, the success of privacy infrastructures
such as Tor opened the door to illegal activities, including botnets,
ransomware, and a marketplace for drugs and contraband. We contend that the
next waves of botnets will extensively subvert privacy infrastructure and
cryptographic mechanisms. In this work we propose to preemptively investigate
the design and mitigation of such botnets. We first introduce OnionBots, what
we believe will be the next generation of resilient, stealthy botnets.
OnionBots use privacy infrastructures for cyber attacks by completely
decoupling their operation from the infected host IP address and by carrying
traffic that does not leak information about its source, destination, and
nature. Such bots live symbiotically within the privacy infrastructures to
evade detection, measurement, scale estimation, observation, and in general all
current IP-based mitigation techniques. Furthermore, we show that with an
adequate self-healing network maintenance scheme, which is simple to implement,
OnionBots achieve a low diameter and a low degree and are robust to
partitioning under node deletions. We developed a mitigation technique, called
SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and
discuss a set of techniques that can enable subsequent waves of Super
OnionBots. In light of the potential of such botnets, we believe that the
research community should proactively develop detection and mitigation methods
to thwart OnionBots, potentially making adjustments to privacy infrastructure.
Controlled DDoS Attack on IPv4/IPv6 Network Using Distributed Computing Infrastructure
The paper focuses on the design, background and experimental results of a real-environment DDoS attack testbed. The experimental testbed is based on the use of an IT automation tool to perform DDoS attacks under monitoring. DDoS attacks are still a serious threat in both IPv4 and IPv6 networks, and a simple tool to test a network against DDoS attacks and to allow evaluation of its vulnerabilities and DDoS countermeasures is necessary. In the proposed testbed, the Ansible orchestration tool is employed to perform and coordinate DDoS attacks. Ansible is a powerful tool and simplifies the implementation of the test environment. Moreover, no special hardware is required for attack execution; the testbed uses the existing infrastructure of an organization. The case study of implementing this environment shows how straightforward it is to create a testbed comparable with a botnet of ten thousand bots. Furthermore, the experimental results demonstrate the potential of the proposed environment and present the impact of the attacks on particular target servers in IPv4 and IPv6 networks.
A P2P Botnet detection scheme based on decision tree and adaptive multilayer neural networks
In recent years, botnets have been adopted as a popular method to carry and spread many malicious codes on the Internet. These malicious codes pave the way for many fraudulent activities, including spam mail, distributed denial-of-service attacks and click fraud. While many botnets are set up using a centralized communication architecture, peer-to-peer (P2P) botnets can adopt a decentralized architecture using an overlay network for exchanging command and control data, making their detection even more difficult. This work presents a method of P2P bot detection based on an adaptive multilayer feed-forward neural network in cooperation with decision trees. A classification and regression tree is applied as a feature selection technique to select relevant features. With these features, a multilayer feed-forward neural network training model is created using a resilient back-propagation learning algorithm. A comparison of feature set selection based on the decision tree, principal component analysis and the ReliefF algorithm indicated that the neural network model with feature selection based on the decision tree has better identification accuracy along with lower rates of false positives. The usefulness of the proposed approach is demonstrated by conducting experiments on real network traffic datasets. In these experiments, an average detection rate of 99.08% with a false positive rate of 0.75% was observed.
CHID: Conditional hybrid intrusion detection system for reducing false positives and resource consumption on malicious datasets
Inspecting packets to detect intrusions faces challenges when coping with a high volume of network traffic. Packet-based detection processes every payload on the wire, which degrades the performance of a network intrusion detection system (NIDS). This issue calls for a flow-based NIDS that reduces the amount of data to be processed by examining aggregated information about related packets.
However, flow-based detection still suffers from the generation of false positive alerts due to incomplete data input. This study proposes a Conditional Hybrid Intrusion Detection (CHID) system that combines flow-based with packet-based detection. In addition, it also aims to improve the resource consumption of the packet-based detection approach. CHID applies attribute wrapper feature evaluation algorithms that mark malicious flows for further analysis by packet-based detection. An Input Framework approach is employed for triggering packet flows between the packet-based and flow-based detections. A controlled testbed experiment was conducted to evaluate the performance of the CHID detection mechanism using datasets obtained at different traffic rates. The result of the evaluation showed that CHID gains a significant performance improvement in terms of resource consumption and packet drop rate, compared to the default packet-based detection implementation. At 200 Mbps in the IRC-bot scenario, CHID reduces memory usage by 50.6% and CPU utilization by 18.1% without packet drops. The CHID approach can mitigate the false positive rate of flow-based detection and reduce the resource consumption of packet-based detection while preserving detection accuracy. The CHID approach can be considered a generic system to be applied for monitoring in intrusion detection systems.
Investigation of open resolvers in DNS reflection DDoS attacks
Domain Name System (DNS) servers represent key components of Internet networks. Recently, attackers have taken advantage of this service to launch massive Distributed Denial of Service (DDoS) attacks against numerous organizations [1, 2, 3]. This is made possible by the various vulnerabilities linked to the design, implementation or misconfiguration of the DNS protocol. DNS reflection DDoS attacks are harmful threats to Internet users. The goal of this study is to gain a better understanding of DNS reflection DDoS attacks through the investigation of DNS open resolvers around the world. In this context, there is a need for an early-phase approach to detect and fingerprint DNS open resolvers. This becomes crucial in the process of investigation. In this thesis, we elaborate on the usage of DNS open resolvers in DNS reflection DDoS attacks. More precisely, the main contribution of our research is as follows: (i) We profile DNS open resolvers, which involves detecting open resolvers, locating them, fingerprinting their operating system, fingerprinting the type of their connectivity, and studying the purpose of their liveness. (ii) We conduct an assessment of DNS open resolver security and their vulnerabilities. Moreover, we discuss the security features that DNS open resolvers are equipped with, which inadvertently provide attackers with the capability to carry out DNS reflection DDoS attacks. (iii) We present an analysis to demonstrate the association of DNS open resolvers with malware threats.