220 research outputs found
On Detection of Current and Next-Generation Botnets.
Botnets are one of the most serious security threats to the Internet and its end users. A botnet consists of compromised computers that are remotely coordinated by a botmaster under a
Command and Control (C&C) infrastructure. Driven by financial incentives, botmasters leverage botnets to conduct various cybercrimes such as spamming, phishing, identity theft and
Distributed-Denial-of-Service (DDoS) attacks. There are three main challenges facing botnet detection. First, code obfuscation is widely employed by current botnets, so signature-based detection is insufficient. Second, the C&C
infrastructure of botnets has evolved rapidly. Any detection solution targeting one botnet instance can hardly keep up with this change. Third, the proliferation of powerful smartphones presents a new platform for future botnets. Defense
techniques designed for existing botnets may be outsmarted when botnets invade smartphones.
Recognizing these challenges, this dissertation proposes behavior-based botnet detection solutions at three different levels---the end host, the edge network and the Internet infrastructure---from a small scale to a large scale, and investigates the next-generation botnet targeting smartphones.
It (1) addresses the problem of botnet seeding by devising a per-process containment scheme for end-host systems; (2) proposes a hybrid botnet detection framework for edge networks
utilizing combined host- and network-level information; (3) explores the structural properties of botnet topologies and
measures network components' capabilities of large-scale botnet detection at the Internet infrastructure level; and (4)
presents a proof-of-concept mobile botnet employing SMS messages as the C&C and P2P as the topology to facilitate future research on countermeasures against next-generation
botnets.
The dissertation makes three primary contributions. First, the detection solutions proposed utilize intrinsic and fundamental
behavior of botnets and are immune to malware obfuscation and traffic encryption. Second, the solutions are general enough to identify different types of botnets, not a specific botnet
instance. They can also be extended to counter next-generation botnet threats. Third, the detection solutions function at
multiple levels to meet various detection needs. They each take a different perspective but are highly complementary to each other, forming an integrated botnet detection framework.Ph.D.Computer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/91382/1/gracez_1.pd
Peer-to-Peer Botnets: Analysis and Detection
Attacks such as spamming, distributed denial of service and phishing have become commonplace on the Internet. In the past, attackers would use high bandwidth Internet connection servers to accomplish their tasks. Since desktop users today have high-speed Internet connections, attackers infect users’ desktops and harness their computing power to perform malicious activities over the Internet. As attackers develop new methods to attack from distributed locations as well as avoid being detected, there is a need to develop efficient methods to detect and mitigate this epidemic of infection of hosts on the network. In this project, we aim to analyze the peer-to-peer botnet binary known as Trojan.Peacomm and its variants. Reverse engineering techniques have been used to disassemble the binary and to identify the techniques that the botnet binary uses to spread itself and to make its detection difficult by current scanners. In the process, we establish a framework and methods for malware analysis, which could be used to analyze other bot binaries and malware. Based on our findings we discuss a few techniques to detect and shut down botnets and demonstrated an attack scenario used to disrupt their activity
Delay Performance and Cybersecurity of Smart Grid Infrastructure
To address major challenges to conventional electric grids (e.g., generation diversification and optimal deployment of expensive assets), full visibility and pervasive control over utilities\u27 assets and services are being realized through the integratio
A Lightweight Approach for Improving the Lookup Performance in Kademlia-type Systems
Discovery of nodes and content in large-scale distributed systems is
generally based on Kademlia, today. Understanding Kademlia-type systems to
improve their performance is essential for maintaining a high service quality
for an increased number of participants, particularly when those systems are
adopted by latency-sensitive applications.
This paper contributes to the understanding of Kademlia by studying the
impact of \emph{diversifying} neighbours' identifiers within each routing table
bucket on the lookup performance. We propose a new, yet backward-compatible,
neighbour selection scheme that attempts to maximize the aforementioned
diversity. The scheme does not cause additional overhead except negligible
computations for comparing the diversity of identifiers. We present a
theoretical model for the actual impact of the new scheme on the lookup's hop
count and validate it against simulations of three exemplary Kademlia-type
systems. We also measure the performance gain enabled by a partial deployment
for the scheme in the real KAD system. The results confirm the superiority of
the systems that incorporate our scheme.Comment: 13 pages, 8 figures, conference version 'Diversity Entails
Improvement: A new Neighbour Selection Scheme for Kademlia-type Systems' at
IEEE P2P 201
Secure Distributed Dynamic State Estimation in Wide-Area Smart Grids
Smart grid is a large complex network with a myriad of vulnerabilities,
usually operated in adversarial settings and regulated based on estimated
system states. In this study, we propose a novel highly secure distributed
dynamic state estimation mechanism for wide-area (multi-area) smart grids,
composed of geographically separated subregions, each supervised by a local
control center. We firstly propose a distributed state estimator assuming
regular system operation, that achieves near-optimal performance based on the
local Kalman filters and with the exchange of necessary information between
local centers. To enhance the security, we further propose to (i) protect the
network database and the network communication channels against attacks and
data manipulations via a blockchain (BC)-based system design, where the BC
operates on the peer-to-peer network of local centers, (ii) locally detect the
measurement anomalies in real-time to eliminate their effects on the state
estimation process, and (iii) detect misbehaving (hacked/faulty) local centers
in real-time via a distributed trust management scheme over the network. We
provide theoretical guarantees regarding the false alarm rates of the proposed
detection schemes, where the false alarms can be easily controlled. Numerical
studies illustrate that the proposed mechanism offers reliable state estimation
under regular system operation, timely and accurate detection of anomalies, and
good state recovery performance in case of anomalies
Leveraging Conventional Internet Routing Protocol Behavior to Defeat DDoS and Adverse Networking Conditions
The Internet is a cornerstone of modern society. Yet increasingly devastating attacks against the Internet threaten to undermine the Internet\u27s success at connecting the unconnected. Of all the adversarial campaigns waged against the Internet and the organizations that rely on it, distributed denial of service, or DDoS, tops the list of the most volatile attacks. In recent years, DDoS attacks have been responsible for large swaths of the Internet blacking out, while other attacks have completely overwhelmed key Internet services and websites. Core to the Internet\u27s functionality is the way in which traffic on the Internet gets from one destination to another. The set of rules, or protocol, that defines the way traffic travels the Internet is known as the Border Gateway Protocol, or BGP, the de facto routing protocol on the Internet. Advanced adversaries often target the most used portions of the Internet by flooding the routes benign traffic takes with malicious traffic designed to cause widespread traffic loss to targeted end users and regions. This dissertation focuses on examining the following thesis statement. Rather than seek to redefine the way the Internet works to combat advanced DDoS attacks, we can leverage conventional Internet routing behavior to mitigate modern distributed denial of service attacks.
The research in this work breaks down into a single arc with three independent, but connected thrusts, which demonstrate that the aforementioned thesis is possible, practical, and useful. The first thrust demonstrates that this thesis is possible by building and evaluating Nyx, a system that can protect Internet networks from DDoS using BGP, without an Internet redesign and without cooperation from other networks. This work reveals that Nyx is effective in simulation for protecting Internet networks and end users from the impact of devastating DDoS. The second thrust examines the real-world practicality of Nyx, as well as other systems which rely on real-world BGP behavior. Through a comprehensive set of real-world Internet routing experiments, this second thrust confirms that Nyx works effectively in practice beyond simulation as well as revealing novel insights about the effectiveness of other Internet security defensive and offensive systems. We then follow these experiments by re-evaluating Nyx under the real-world routing constraints we discovered. The third thrust explores the usefulness of Nyx for mitigating DDoS against a crucial industry sector, power generation, by exposing the latent vulnerability of the U.S. power grid to DDoS and how a system such as Nyx can protect electric power utilities. This final thrust finds that the current set of exposed U.S. power facilities are widely vulnerable to DDoS that could induce blackouts, and that Nyx can be leveraged to reduce the impact of these targeted DDoS attacks
Security techniques for sensor systems and the Internet of Things
Sensor systems are becoming pervasive in many domains, and are recently being generalized by the Internet of Things (IoT). This wide deployment, however, presents significant security issues.
We develop security techniques for sensor systems and IoT, addressing all security management phases. Prior to deployment, the nodes need to be hardened. We develop nesCheck, a novel approach that combines static analysis and dynamic checking to efficiently enforce memory safety on TinyOS applications. As security guarantees come at a cost, determining which resources to protect becomes important. Our solution, OptAll, leverages game-theoretic techniques to determine the optimal allocation of security resources in IoT networks, taking into account fixed and variable costs, criticality of different portions of the network, and risk metrics related to a specified security goal.
Monitoring IoT devices and sensors during operation is necessary to detect incidents. We design Kalis, a knowledge-driven intrusion detection technique for IoT that does not target a single protocol or application, and adapts the detection strategy to the network features. As the scale of IoT makes the devices good targets for botnets, we design Heimdall, a whitelist-based anomaly detection technique for detecting and protecting against IoT-based denial of service attacks.
Once our monitoring tools detect an attack, determining its actual cause is crucial to an effective reaction. We design a fine-grained analysis tool for sensor networks that leverages resident packet parameters to determine whether a packet loss attack is node- or link-related and, in the second case, locate the attack source. Moreover, we design a statistical model for determining optimal system thresholds by exploiting packet parameters variances.
With our techniques\u27 diagnosis information, we develop Kinesis, a security incident response system for sensor networks designed to recover from attacks without significant interruption, dynamically selecting response actions while being lightweight in communication and energy overhead
- …