Knowledge acquisition for autonomic network management in emerging self-organizing architectures

Tesis inédita de la Universidad Complutense de Madrid, Facultad de Informática, Departamento de Ingeniería del Software e Inteligencia Artificial, leída el 19/12/2018Los escenarios de red emergentes estan caracterizados por el acceso intensivo a una amplia gama de servicios y aplicaciones que han incrementado las exigencias de las redes de comunicacion. Los modelos de gestion de red tradicionales se han caracterizado a su vez por una alta dependencia del factor humano para llevar a cabo tareas de configuracion y mantenimiento de la red. Esta situacion se ha hecho menos sostenible en las redes moviles no solo por los costes operacionales y de inversion de capital asociados, sino tambien por la complejidad que estas han adquirido ante la inmersion exponencial de dispositivos moviles. Tales aspectos han motivado el surgimiento de la quinta generacion de redes moviles, caracterizadas por indicadores de desempeño ambiciosos que deben cumplirse para satisfacer los niveles de servicio acordados...Emerging network scenarios are characterized by intensive access to a wide range of services and applications that have increased the demands of communication networks. The traditional network management models have been characterized by a high dependence on the human factor to carry out network configuration and maintenance tasks. This situation has become less sustainable in mobile networks not only due to the associated operational (COPEX) and capital investment costs (CAPEX), but also due to the complexity they have acquired when facing the exponential immersion of mobile devices. These aspects have led to the emergence of the fifth generation of mobile networks, characterized by ambitious performance indicators that must be fulfilled to meet the agreed service levels...Fac. de InformáticaTRUEunpu

Obfuscation of Malicious Behaviors for Thwarting Masquerade Detection Systems Based on Locality Features

In recent years, dynamic user verification has become one of the basic pillars for insider threat detection. From these threats, the research presented in this paper focuses on masquerader attacks, a category of insiders characterized by being intentionally conducted by persons outside the organization that somehow were able to impersonate legitimate users. Consequently, it is assumed that masqueraders are unaware of the protected environment within the targeted organization, so it is expected that they move in a more erratic manner than legitimate users along the compromised systems. This feature makes them susceptible to being discovered by dynamic user verification methods based on user profiling and anomaly-based intrusion detection. However, these approaches are susceptible to evasion through the imitation of the normal legitimate usage of the protected system (mimicry), which is being widely exploited by intruders. In order to contribute to their understanding, as well as anticipating their evolution, the conducted research focuses on the study of mimicry from the standpoint of an uncharted terrain: the masquerade detection based on analyzing locality traits. With this purpose, the problem is widely stated, and a pair of novel obfuscation methods are introduced: locality-based mimicry by action pruning and locality-based mimicry by noise generation. Their modus operandi, effectiveness, and impact are evaluated by a collection of well-known classifiers typically implemented for masquerade detection. The simplicity and effectiveness demonstrated suggest that they entail attack vectors that should be taken into consideration for the proper hardening of real organizations

Steganography Application Using Combination of Movements in a 2D Video Game Platform

Steganography represents the art of hiding information within a harmless medium such as digital images, video, audio, etc. Its purpose is to embed and transmit a message without raising suspicion to a third party or attacker who wishes to obtain that secret information. This research aims to propose a methodology with steganography using as a cover object a 2D platform video game. The experimentation model followed consists of using the combination of horizontal and vertical movements of the enemies by applying the numbering in base 5 or quinary where each character of the message is assigned a quinary digit. In the proposal for improvement the video game is set with 20 enemies per level along the map. The concealment is divided into 3 phases from the choice of the message, allocation of quinary values and generation of the videogame level. Finally, the limitations found will be presented based on experimentation

Detección de intrusiones basada en modelado de red resistente a evasión por técnicas de imitación

Los sistemas de red emergentes han traído consigo nuevas amenazas que han sofisticado sus modos de operación con el fin de pasar inadvertidos por los sistemas de seguridad, lo que ha motivado el desarrollo de sistemas de detección de intrusiones más eficaces y capaces de reconocer comportamientos anómalos. A pesar de la efectividad de estos sistemas, la investigación en este campo revela la necesidad de su adaptación constante a los cambios del entorno operativo como el principal desafío a afrontar. Esta adaptación supone mayores dificultades analíticas, en particular cuando se hace frente a amenazas de evasión mediante métodos de imitación. Dichas amenazas intentan ocultar las acciones maliciosas bajo un patrón estadístico que simula el uso normal de la red, por lo que adquieren una mayor probabilidad de evadir los sistemas defensivos. Con el fin de contribuir a su mitigación, este artículo presenta una estrategia de detección de intrusos resistente a imitación construida sobre la base de los sensores PAYL. La propuesta se basa en construir modelos de uso de la red y, a partir de ellos, analizar los contenidos binarios de la carga útil en busca de patrones atípicos que puedan evidenciar contenidos maliciosos. A diferencia de las propuestas anteriores, esta investigación supera el tradicional fortalecimiento mediante la aleatorización, aprovechando la similitud de paquetes sospechosos entre modelos legítimos y de evasión previamente construidos. Su eficacia fue evaluada en las muestras de tráfico DARPA’99 y UCM 2011, en los que se comprobó su efectividad para reconocer ataques de evasión por imitación.Emerging network systems have brought new threats that have sophisticated their modes of operation in order to go unnoticed by security systems, which has led to the development of more effective intrusion detection systems capable of recognizing anomalous behaviors. Despite the effectiveness of these systems, research in this field reveals the need for their constant adaptation to changes in the operating environment as the main challenge to face. This adaptation involves greater analytical difficulties, particularly when dealing with threats of evasion through imitation methods. These threats try to hide malicious actions under a statistical pattern that simulates the normal use of the network, so they acquire a greater probability of evading defensive systems. In order to contribute to its mitigation, this article presents an imitation-resistant intrusion detection strategy built on the basis of PAYL sensors. The proposal is based on building network usage models and, from them, analyzing the binary contents of the payload in search of atypical patterns that can show malicious content. Unlike previous proposals, this research overcomes the traditional strengthening through randomization, taking advantage of the similarity of suspicious packages to previously constructed legitimate and evasion models. Its effectiveness was evaluated in 1999 DARPA and 2011 UCM traffic samples, in which it was proven effective in recognizing imitation evasion attacks

Benchmark-Based Reference Model for Evaluating Botnet Detection Tools Driven by Traffic-Flow Analytics

Botnets are some of the most recurrent cyber-threats, which take advantage of the wide heterogeneity of endpoint devices at the Edge of the emerging communication environments for enabling the malicious enforcement of fraud and other adversarial tactics, including malware, data leaks or denial of service. There have been significant research advances in the development of accurate botnet detection methods underpinned on supervised analysis but assessing the accuracy and performance of such detection methods requires a clear evaluation model in the pursuit of enforcing proper defensive strategies. In order to contribute to the mitigation of botnets, this paper introduces a novel evaluation scheme grounded on supervised machine learning algorithms that enable the detection and discrimination of different botnets families on real operational environments. The proposal relies on observing, understanding and inferring the behavior of each botnet family based on network indicators measured at flow-level. The assumed evaluation methodology contemplates six phases that allow building a detection model against botnet-related malware distributed through the network, for which five supervised classifiers were instantiated were instantiated for further comparisons—Decision Tree, Random Forest, Naive Bayes Gaussian, Support Vector Machine and K-Neighbors. The experimental validation was performed on two public datasets of real botnet traffic—CIC-AWS-2018 and ISOT HTTP Botnet. Bearing the heterogeneity of the datasets, optimizing the analysis with the Grid Search algorithm led to improve the classification results of the instantiated algorithms. An exhaustive evaluation was carried out demonstrating the adequateness of our proposal which prompted that Random Forest and Decision Tree models are the most suitable for detecting different botnet specimens among the chosen algorithms. They exhibited higher precision rates whilst analyzing a large number of samples with less processing time. The variety of testing scenarios were deeply assessed and reported to set baseline results for future benchmark analysis targeted on flow-based behavioral patterns

EsPADA: Enhanced Payload Analyzer for malware Detection robust against Adversarial threats

The emergent communication technologies landscape has consolidated the anomaly-based intrusion detection paradigm as one of the most prominent solutions able to discover unprecedented malicious traits. It relied on building models of the normal/legitimate activities registered at the protected systems, from them analyzing the incoming observations looking for significant discordances that may reveal misbehaviors. But in the last years, the adversarial machine learning paradigm introduced never-seen-before evasion procedures able to jeopardize the traditional anomaly-based methods, thus entailing one of the major emerging challenges in the cybersecurity landscape. With the aim on contributing to their adaptation against adversarial threats, this paper presents EsPADA (Enhanced Payload Analyzer for malware Detection robust against Adversarial threats), a novel approach built on the grounds of the PAYL sensor family. At the SPARTA Training stage, both normal and adversarial models are constructed according to features extracted by N-gram, which are stored within Counting Bloom Filters (CBF). In this way it is possible to take advantage of both binary-based and spectral-based traffic modeling procedures for malware detection. At Detection stage, the payloads to be analyzed are collected from the protected environment and compared with the usage models previously built at Training. This leads to calculate different scores that allow to discriminate their nature (normal or suspicious) and to assess the labeling coherency, the latest studied for estimating the likelihood of the payload disguising mimicry attacks. The effectiveness of EsPADA was demonstrated on the public datasets DARPA'99 and UCM 2011 by achieving promising preliminarily results

Profits at the dawn of cybercrime-as-a-service

The growing of Information and Communication Technologies (ICT) that has been experienced in recent years, has led to new and more sophisticated ways of doing business. Consequently, worldwide organized criminal groups have been able to adapt their activities to new trends in the area of information security. In this paper the problem of cyber-crime as a profitable business and the model Cybercrime-as-a-service (CaaS) are exposed. For this purpose, the ransomware, which is one of the threats that have generated more profit in the last two years, is analyzed. This kind of malware is able to block assets in the victim systems and blackmail their owners with their deletion, if they fail to pay a ransom. In this sense, a game theory model of the behavior of actors involved in a ransomware attack is proposed. The proposed model describes the extortion process between the attacker and victim and estimates the probability of payment of ransom