
    New P2P Botnets Classification And Detection Framework

    Botnets are a tool for high-profile cyber-attacks. A botnet is a collection of compromised computers infected with advanced malware that allows an attacker to control them remotely. Some botnets use Peer-to-Peer (P2P) protocols and P2P technology to control computers and exploit users; these are known as P2P botnets. The unification of botnets and P2P technology makes them more powerful and more robust against detection. The latest P2P botnets have caused crisis and chaos in network security. In order to deal with the issue, a framework is needed to illustrate and explain the modules, terminologies and procedures that are essential parts of implementing detection. However, current P2P botnet detection frameworks are still not comprehensive enough to recognize the emergence of the latest P2P botnets, which cause financial loss and data damage to organizational networks. Previous frameworks are incomplete and contain many limitations that require improvement. Lower detection rates and higher false alarms increase the failure of botnet detection; hence, a higher false alarm rate significantly reduces the effectiveness of detection. Due to the issues faced in identifying P2P botnet activities, the main objective of this research is to enhance the P2P botnet detection framework using an integrated approach. A complete analysis flow is performed to detect and classify P2P botnets by adopting an integrated analyser and integrated analysis. Besides developing a new framework, the research analysis classifies the behaviour of P2P botnets in order to differentiate between normal P2P traffic and P2P botnets. Through classification, this research introduces a generic P2P attack pattern and a P2P behavioural model. Both the generic P2P attack pattern and the P2P behavioural model are then applied to develop the integrated approach that is used to validate the new P2P botnet detection.
In evaluation and validation, the results showed that the new P2P botnet detection framework effectively obtained high accuracy, high detection rates and lower false alarms. Significantly, the process of finding, identifying, classifying and detecting P2P botnets was carried out in collaboration with Cyber Security Malaysia. Hence, this research introduces an enhanced framework to detect P2P botnet activities, validated by an integrated approach, that helps network administrators identify the existence of P2P botnets.

    Analysis of Data Mining Tools for Android Malware Detection

    There are various data mining tools available to analyze data related to Android malware detection. However, the problem arises in deciding the most appropriate machine learning technique or algorithm on a particular tool to be applied to particular data. This research focuses only on classification techniques. Hence, the objective of this research is to identify the best machine learning technique or algorithm on a selected tool for Android malware detection. Five techniques: Random Forest, Naive Bayes, Support Vector Machine, Forest, K-Nearest Neighbour and Adaboost are selected and applied in the selected tools, namely Weka and Orange. The results show that the Adaboost technique in the Weka tool and the Random Forest technique in the Orange tool obtained accuracy above 80%, compared to the other techniques. This result provides an option for researchers when choosing a technique or algorithm on a selected tool to analyze Android malware data.

    Tracing the P2P Botnets Behaviours via Hybrid Analysis Approach

    P2P botnets have become a central issue that threatens global network security. The unification of botnets and P2P technology makes them more powerful and more complicated to detect. P2P botnets, generally known for their abnormal traffic behaviours, may highly impact network operation and network security and cause financial losses. In order to detect these P2P botnets, a high-profile investigation based on flow analysis is necessary. We consider a hybrid analysis approach that integrates both static analysis and dynamic analysis. The hybrid analysis will be used to profile P2P behaviours and characteristics. The findings of the analysis will then contribute to a P2P botnet behaviour pattern that will be used in constructing a general model of P2P botnet behaviour. Through these findings, this paper proposes a general P2P botnet behaviour model. The proposed model will be beneficial to further work on P2P botnet detection techniques.

    Recognizing P2P Botnets Characteristic Through TCP Distinctive Behaviour

    Botnets have been identified as one of the most significant emerging threats to Internet users. They have attracted much attention and pose a big threat to network security. Over the years a number of botnet variants have been introduced, and the most lethal variants are known as peer-to-peer (P2P) botnets, which are able to camouflage themselves as benign P2P applications. This evolution of botnet variants has made them harder to detect and shut down. Like any network connection, P2P similarly uses TCP to initialize the communication between two parties. Based on this, this paper investigates the network traffic characteristics of normal P2P connections and P2P botnets through the TCP connections initialized or received between the bot and the bot master. The proposed mechanism detects and classifies P2P botnet TCP connection behaviour from normal P2P network traffic. This can be used for early warning of P2P botnet activities in the network and as a prevention mechanism.

    Attack prediction to enhance attack path discovery using improved attack graph

    Organizations and governments constantly face potential security attacks. However, the need for next-generation cyber defense has become even more urgent in a day and age when the attack surfaces that hackers can exploit have grown at an alarming rate with the increase in the number of devices connected to the Internet. Next-generation cyber defense that relies on predictive analysis is more proactive than existing technologies that rely on intrusion detection. Many approaches with which to detect and predict attacks have been proposed in recent times. One such approach is attack graphs. The primary purpose of an attack graph is to predict not only an attack but also its next steps within a network. More specifically, an attack graph depicts the paths that an attacker may employ to circumvent network policies by exploiting interdependencies between vulnerabilities. However, extant attack graphs are plagued with a few issues. Scalability is one of the main issues that attack graph generation faces: an increase in the number of devices used increases the number of vulnerabilities within a network, which in turn increases the complexity as well as the amount of time required to generate an attack graph. At present, existing studies that have used attack graphs to predict the subsequent steps during an attack have manually assigned the attack location for attack graph analysis. In order to overcome this limitation, the present study recommends the use of intelligent agents to reduce reachability time by calculating reachability between the nodes, as well as using the A*prune algorithm to remove useless edges and reduce attack graph complexity. For the attack graph analysis, the random forest algorithm was used to detect, predict, and dynamically ascertain the attack location in the network. The results of the attack graph generation experiment revealed that the A*prune attack graph produced better results than existing attack graphs.

    Enhanced intrusion detection capabilities via weighted chi-square, discretization and SVM

    Anomaly Intrusion Detection Systems (ADSs) identify patterns of network data behaviour to determine whether they are normal or represent an attack, using a learned detection model. Much research has been conducted on enhancing ADSs, particularly in the area of data mining that focuses on intrusive behaviour detection. Unfortunately, current detection models such as the support vector machine (SVM) are affected by high-dimensional data, which limits their ability to accurately classify data. Moreover, data points which appear similar between intrusive and regular behaviours can be problematic, as some novel attack behaviours may not be detected. To overcome this SVM drawback, we propose a combination of weighted chi-square (WCS) as a feature selection (FS) method and a discretization process (D). The WCS method is used first to reduce the dimensionality of the data, following which the assembled records are transformed into interval values via the D process before the SVM is used to identify groups of samples that behave similarly and dissimilarly, such as malicious and non-malicious activities. Experiments were performed with the well-known NSL-KDD data sets, and the results show that the proposed method, namely WCS-D-SVM (weighted chi-square, discretization and support vector machine), significantly improved accuracy and detection rates while decreasing the false positives that a single SVM classifier produces.

    An Analysis Of System Calls Using J48 And JRip For Malware Detection

    The evolution of malware has posed a serious threat ever since the concept of malware took root in the technology industry. Malicious software, which is specifically designed to disrupt, damage, or gain unauthorized access to a computer system, has made many researchers try to develop new and better techniques to detect malware, but detection is still inaccurate in distinguishing malware activities and ineffective. To solve the problem, this paper proposes an integrated machine learning method consisting of J48 and JRip to detect malware accurately. The integrated classifier algorithm is applied to examine, classify and generate rules for the patterns and program behaviour in system call information. The outcome revealed that the integrated classifier of J48 and JRip outperforms the other classifiers with a 100% attack detection rate.