22,282 research outputs found
Threshold Verification Technique for Network Intrusion Detection System
Internet has played a vital role in this modern world, the possibilities and
opportunities offered are limitless. Despite all the hype, Internet services
are liable to intrusion attack that could tamper the confidentiality and
integrity of important information. An attack started with gathering the
information of the attack target, this gathering of information activity can be
done as either fast or slow attack. The defensive measure network administrator
can take to overcome this liability is by introducing Intrusion Detection
Systems (IDSs) in their network. IDS have the capabilities to analyze the
network traffic and recognize incoming and on-going intrusion. Unfortunately
the combination of both modules in real time network traffic slowed down the
detection process. In real time network, early detection of fast attack can
prevent any further attack and reduce the unauthorized access on the targeted
machine. The suitable set of feature selection and the correct threshold value,
add an extra advantage for IDS to detect anomalies in the network. Therefore
this paper discusses a new technique for selecting static threshold value from
a minimum standard features in detecting fast attack from the victim
perspective. In order to increase the confidence of the threshold value the
result is verified using Statistical Process Control (SPC). The implementation
of this approach shows that the threshold selected is suitable for identifying
the fast attack in real time.Comment: 8 Pages, International Journal of Computer Science and Information
Securit
The internet worm
In November 1988 a worm program invaded several thousand UNIX-operated Sun workstations and VAX computers attached to the Research Internet, seriously disrupting service for several days but damaging no files. An analysis of the work's decompiled code revealed a battery of attacks by a knowledgeable insider, and demonstrated a number of security weaknesses. The attack occurred in an open network, and little can be inferred about the vulnerabilities of closed networks used for critical operations. The attack showed that passwork protection procedures need review and strengthening. It showed that sets of mutually trusting computers need to be carefully controlled. Sharp public reaction crystalized into a demand for user awareness and accountability in a networked world
DDoS-Capable IoT Malwares: comparative analysis and Mirai Investigation
The Internet of Things (IoT) revolution has not only carried the astonishing promise to interconnect a whole generation of traditionally “dumb” devices, but also brought to the Internet the menace of billions of badly protected and easily hackable objects. Not surprisingly, this sudden flooding of fresh and insecure devices fueled older threats, such as Distributed Denial of Service (DDoS) attacks. In this paper, we first propose an updated and comprehensive taxonomy of DDoS attacks, together with a number of examples on how this classification maps to real-world attacks. Then, we outline the current situation of DDoS-enabled malwares in IoT networks, highlighting how recent data support our concerns about the growing in popularity of these malwares. Finally, we give a detailed analysis of the general framework and the operating principles of Mirai, the most disruptive DDoS-capable IoT malware seen so far
Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization
Logs are one of the most fundamental resources to any security professional.
It is widely recognized by the government and industry that it is both
beneficial and desirable to share logs for the purpose of security research.
However, the sharing is not happening or not to the degree or magnitude that is
desired. Organizations are reluctant to share logs because of the risk of
exposing sensitive information to potential attackers. We believe this
reluctance remains high because current anonymization techniques are weak and
one-size-fits-all--or better put, one size tries to fit all. We must develop
standards and make anonymization available at varying levels, striking a
balance between privacy and utility. Organizations have different needs and
trust other organizations to different degrees. They must be able to map
multiple anonymization levels with defined risks to the trust levels they share
with (would-be) receivers. It is not until there are industry standards for
multiple levels of anonymization that we will be able to move forward and
achieve the goal of widespread sharing of logs for security researchers.Comment: 17 pages, 1 figur
ATLANTIDES: An Architecture for Alert Verification in Network Intrusion Detection Systems
We present an architecture designed for alert verification (i.e., to reduce false positives) in network intrusion-detection systems. Our technique is based on a systematic (and automatic) anomaly-based analysis of the system output, which provides useful context information regarding the network services. The false positives raised by the NIDS analyzing the incoming traffic (which can be either signature- or anomaly-based) are reduced by correlating them with the output anomalies. We designed our architecture for TCP-based network services which have a client/server architecture (such as HTTP). Benchmarks show a substantial reduction of false positives between 50% and 100%
Recommended from our members
Dark Application Communities
In considering new security paradigms, it is often worthwhile to anticipate the direction and nature of future attack paradigms. We identify a class of attacks based on the idea of a "Dark" Application Community (DAC) - a collection of bots and zombie machines that actively performs binary-level supervision of applications to help an attacker automate the process of finding vulnerabilities. A collection of such hosts can observe and attempt to influence the behavior of automatic defense systems. An attacker can use the DAC as both a test platform for subverting security applications and as a reconnaissance network for exploiting commonly deployed automatic update and early warning systems. An instance of this type of Application Community can host what we call an automorphic worm. An automorphic worm is application-agnostic and vulnerability-generic. Such a worm attempts to remain stealthy by cycling through the portfolio of vulnerabilities that the DAC has identified. We examine the underlying principles of a DAC, which are based on the existing paradigm of using security tools to help violate security
- …