Behavior-based anomaly detection on big data
Recently, cyber-targeted attacks such as APT (Advanced Persistent Threat) are rapidly growing as a social and national threat. An APT is an intelligent cyber-attack that infiltrates the target organization or enterprise clandestinely using various methods and causes considerable damage by making a final attack after long-term and thorough preparations. These attacks are threatening cyber worlds such as the Internet by infecting and attacking the devices in this environment with malicious code, and by destroying them or gaining their authorities. Detecting these attacks requires collecting and analysing data from various sources (network, host, security equipment, and devices) over the long haul. Therefore, we propose a method that can recognize the cyber-targeted attack and detect the abnormal behavior based on Big Data. The proposed approach analyses various logs and monitoring data faster and more precisely using Big Data storage and processing technology. In particular, we evaluated that the suspicious behavior analysis using MapReduce is effective in analysing large-scale behavior monitoring and log data from various sources.
Cyber Blackbox for collecting network evidence
In recent years, the hottest topics in the security field are related to advanced and persistent attacks. As an approach to solve this problem, we propose a cyber blackbox which collects and preserves network traffic on a virtual-volume-based WORM device, called EvidenceLock, to ensure data integrity for security and forensic analysis. As a strategy to retain traffic for long enough periods, we introduce a deduplication method. This paper also includes a study on the network evidence which is collected and preserved for analyzing the cause of a cyber incident. Then, a method is proposed to suggest a starting point for incident analysis to a forensic practitioner who has to investigate the vast amount of network traffic collected using the cyber blackbox. Experimental results show this approach is effectively able to reduce the amount of data to search by dividing doubtful flows from normal traffic. Finally, we discuss the results from a forensically meaningful point of view and present further work.
Distributed and Lightweight Software Assurance in Cellular Broadcasting Handshake and Connection Establishment
With developments in OpenRAN and software-defined radio (SDR), the mobile networking implementations for radio and security control are becoming increasingly software-based. We design and build a lightweight and distributed software assurance scheme, which ensures that a wireless user holds the correct software (version/code) for their wireless networking implementations. Our scheme is distributed (to support the distributed and ad hoc networking that does not utilize the networking-backend infrastructure), lightweight (to support the resource-constrained device operations), modular (to support compatibility with the existing mobile networking protocols), and supports broadcasting (as mobile and wireless networking has broadcasting applications). Our scheme is distinct from the remote code attestation in trusted computing, which requires hardware-based security and real-time challenge-and-response communications with a centralized trusted server, thus making its deployment prohibitive in the distributed and broadcasting-based mobile networking environments. We design our scheme to be prover-specific and incorporate the Merkle tree for the verification efficiency to make it appropriate for a wireless-broadcasting medium with multiple receivers. In addition to the theoretical design and analysis, we implement our scheme to assure srsRAN (a popular open-source software for cellular technology, including 4G and 5G) and provide a concrete implementation and application instance to highlight our scheme’s modularity, backward compatibility to the existing 4G/5G standardized protocol, and broadcasting support. Our scheme implementation incorporates delivering the proof in the srsRAN-implemented 4G/5G cellular handshake and connection establishment in radio resource control (RRC). We conduct experiments using SDR and various processors to demonstrate the lightweight design and its appropriateness for wireless networking applications. Our results show that the number of hash computations for the proof verification grows logarithmically with the number of software code files being assured and that the verification takes three orders of magnitude less time than the proof generation, while the proof generation overhead itself is negligible compared to the software update period.
A study of the relationship of malware detection mechanisms using Artificial Intelligence
Implementation of malware detection using Artificial Intelligence (AI) has emerged as a significant research theme to combat various evolving types of malware. Researchers implement various detection mechanisms using shallow and deep learning models to counter new malware, and they continue to develop these mechanisms today. However, in the field of malware detection using AI, there are difficulties in collecting data, and it is difficult to compare research content and performance with related studies. Meanwhile, the number of well-organized papers is not sufficient to understand the overall research flow of these related studies. Before starting new research, researchers need to analyze the current state of research in the malware detection field they want to study. Therefore, based on these requirements, we present a summary of the general criteria related to malware detection and a classification table for detection mechanisms. Additionally, we have organized many studies in the field of various types of malware detection so that they can be viewed at a glance. We hope that the provided survey can help new researchers quickly understand the research flow in the field of AI-based malware detection and establish the direction for future research.