CBF : A packet filtering method for DDoS attack defense in cloud environment

Distributed Denial-of-Service attack (DDoS) is a major threat for cloud environment. Traditional defending approaches cannot be easily applied in cloud security due to their relatively low efficiency, large storage, to name a few. In view of this challenge, a Confidence-Based Filtering method, named CBF, is investigated for cloud computing environment, in this paper. Concretely speaking, the method is deployed by two periods, i.e., non-attack period and attack period. More specially, legitimate packets are collected at non-attack period, for extracting attribute pairs to generate a nominal profile. With the nominal profile, the CBF method is promoted by calculating the score of a particular packet at attack period, to determine whether to discard it or not. At last, extensive simulations are conducted to evaluate the feasibility of the CBF method. The result shows that CBF has a high scoring speed, a small storage requirement and an acceptable filtering accuracy, making it suitable for real-time filtering in cloud environment.

Predicted packet padding for anonymous web browsing against traffic analysis attacks

Anonymous communication has become a hot research topic in order to meet the increasing demand for web privacy protection. However, there are few such systems which can provide high level anonymity for web browsing. The reason is the current dominant dummy packet padding method for anonymization against traffic analysis attacks. This method inherits huge delay and bandwidth waste, which inhibits its use for web browsing. In this paper, we propose a predicted packet padding strategy to replace the dummy packet padding method for anonymous web browsing systems. The proposed strategy mitigates delay and bandwidth waste significantly on average. We formulated the traffic analysis attack and defense problem, and defined a metric, cost coefficient of anonymization (CCA), to measure the performance of anonymization. We thoroughly analyzed the problem with the characteristics of web browsing and concluded that the proposed strategy is better than the current dummy packet padding strategy in theory. We have conducted extensive experiments on two real world data sets, and the results confirmed the advantage of the proposed method.

Content validity of visual analog scales to assess symptom severity of acute angioedema attacks in adults with hereditary angioedema : an interview study

Background: Hereditary angioedema (HAE) is a rare, debilitating, potentially life-threatening condition characterized by recurrent acute attacks of edema of the skin, face/upper airway, and gastrointestinal and urogenital tracts. During a laryngeal attack, people with HAE may be at risk of suffocation, while other attacks are often associated with intense pain, disfigurement, disability, and/or vomiting. The intensity of some symptoms is known only to the person experiencing them. Thus, interview studies are needed to explore such experience and patient-reported outcome measures (PROMs) are required for systematic assessment of symptoms in the clinical setting and in clinical trials of treatments for acute HAE attacks.

Objective: The aim of this interview study was to assess the content validity and suitability of four visual analog scale (VAS) instruments for use in clinical studies. The VAS instruments were designed to assess symptoms at abdominal, oro-facial-pharyngeal-laryngeal, peripheral, and urogenital attack locations. This is the first known study to report qualitative data about the patient's experience of the rare disorder, HAE.

Methods: Semi-structured exploratory and cognitive debriefing interviews were conducted with 27 adults with a confirmed clinical/laboratory diagnosis of HAE (baseline plasma level of functional plasma protein C1 esterase inhibitor [C1INH] <50% of normal without evidence for acquired angioedema). There were 17 participants from the US and 10 from Italy, with mean age 42.5 (SD 14.5) years, range 18–72 years, mean HAE duration 21.3 (SD 14.1) years, range 1–45 years, 67% female, and 44% VAS-naïve. Experience of acute angioedema attacks was first explored, noting spontaneous mentions by participants of HAE symptomatology. Cognitive debriefing of the VAS instruments was undertaken to assess the suitability, comprehensibility, and relevance of the VAS items. Asymptomatic participants completed the VAS instruments relevant to their angioedema experience, reporting as if they were experiencing an acute angioedema attack at the time. Interviews were conducted in the clinic setting in the US and Italy over an 8-month period.

Results: Participants mentioned spontaneously almost all aspects of acute angioedema attacks covered by the four VAS instruments, thus providing strong support for inclusion of nearly all VAS items, with no important symptoms missing. Predominant symptoms found to be associated with acute angioedema attacks were edema and pain, and there was evidence of varying degrees of disruption to everyday activities supporting the inclusion of an overall severity item reflecting the disabling effects of HAE symptoms. VAS item wording was understood by participants.

Conclusion: This interview study explored and reported the patient experience of HAE attacks. It demonstrated the content validity of the four anatomical location HAE VAS instruments and their suitability for use in clinical trials of recombinant human C1INH (rhC1INH) treatment for ascertaining trial participants' assessments of the severity of acute angioedema symptoms.

Detecting and mitigating HX-DoS attacks against cloud web services

Cyber-Physical Systems allow for the interaction of the cyber world and physical worlds using as a central service called Cloud Web Services. Cloud Web Services can sit well within three models of Cyber- Physical Systems, Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a- Service (IaaS). With any Cyber-Physical system use Cloud Web Services it inherits a security problem, the HX-DoS attack. HX-DoS attack is a combination of HTTP and XML messages that are intentionally sent to flood and destroy the communication channel of the cloud service provider. The relevance of this research is that TCP/IP flood attacks are a common problem and a lot of research to mitigate them has previously been discussed. But HTTP denial of service and XML denial of service problem has only been addressed in a few papers. In this paper, we get closer to closing this gap on this problem with our new defence system called Pre- Decision, Advance Decision, Learning System (ENDER). In our previous experiments using our Cloud Protector, we were successful at detecting and mitigate 91% with a 9% false positive of HX-DoS attack traffic. In this paper, ENDER was able to improve upon this result by being trained and tested on the same data, but with a greater result of 99% detection and 1% false positive.

Zero permission android applications - attacks and defenses

Google advertises the Android permission framework as one of the core security features present on its innovative and flexible mobile platform. The permissions are a means to control access to restricted AP/s and system resources. However, there are Android applications which do not request permissions at all.In this paper, we analyze the repercussions of installing an Android application that does not include any permission and the types of sensitive information that can be accessed by such an application. We found that even app/icaaons with no permissions are able to access sensitive information (such the device ID) and transmit it to third-parties.

Resisting web proxy-based HTTP attacks by temporal and spatial locality behavior

A novel server-side defense scheme is proposed to resist the Web proxy-based distributed denial of service attack. The approach utilizes the temporal and spatial locality to extract the behavior features of the proxy-to-server traffic, which makes the scheme independent of the traffic intensity and frequently varying Web contents. A nonlinear mapping function is introduced to protect weak signals from the interference of infrequent large values. Then, a new hidden semi-Markov model parameterized by Gaussian-mixture and Gamma distributions is proposed to describe the time-varying traffic behavior of Web proxies. The new method reduces the number of parameters to be estimated, and can characterize the dynamic evolution of the proxy-to-server traffic rather than the static statistics. Two diagnosis approaches at different scales are introduced to meet the requirement of both fine-grained and coarse-grained detection. Soft control is a novel attack response method proposed in this work. It converts a suspicious traffic into a relatively normal one by behavior reshaping rather than rudely discarding. This measure can protect the quality of services of legitimate users. The experiments confirm the effectiveness of the proposed scheme.

Developing an empirical algorithm for protecting text-based CAPTCHAs against segmentation attacks

In this paper, we aim to provide an effective and efficient method to generate text-based Captchas which are resilient against segmentation attack. Different to the popular industry practice of using very simple color schemes, we advocate to use multiple colors in our Captchas. We adopt the idea of brush and canvas when coloring our Captchas. Furthermore, we choose to use simple accumulating functions to achieve diffusion on painted colors and DES encryption to achieve a good level of confusion on the brush pattern. To facilitate ordinary users and developers, we propose an empirical algorithm with support of Taguchi method to guarantee the quality of the chosen color schemes. Our proposed methodology has at least three advantages — 1) the settings of color schemes can be fully customized by the user or developer; 2) the quality of selected colors have desirable statistical features that are ensured by Taguchi method; 3) the algorithm can be fully automated into computer programs. Moreover, our included examples and experiments prove the practicality and validity of our algorithm.

Time correlated anomaly detection based on inferences

Anomaly detection techniques are used to find the presence of anomalous activities in a network by comparing traffic data activities against a "normal" baseline. Although it has several advantages which include detection of "zero-day" attacks, the question surrounding absolute definition of systems deviations from its "normal" behaviour is important to reduce the number of false positives in the system. This study proposes a novel multi-agent network-based framework known as Statistical model for Correlation and Detection (SCoDe), an anomaly detection framework that looks for timecorrelated anomalies by leveraging statistical properties of a large network, monitoring the rate of events occurrence based on their intensity. SCoDe is an instantaneous learning-based anomaly detector, practically shifting away from the conventional technique of having a training phase prior to detection. It does acquire its training using the improved extension of Exponential Weighted Moving Average (EWMA) which is proposed in this study. SCoDe does not require any previous knowledge of the network traffic, or network administrators chosen reference window as normal but effectively builds upon the statistical properties from different attributes of the network traffic, to correlate undesirable deviations in order to identify abnormal patterns. The approach is generic as it can be easily modified to fit particular types of problems, with a predefined attribute, and it is highly robust because of the proposed statistical approach. The proposed framework was targeted to detect attacks that increase the number of activities on the network server, examples which include Distributed Denial of Service (DDoS) and, flood and flash-crowd events. This paper provides a mathematical foundation for SCoDe, describing the specific implementation and testing of the approach based on a network log file generated from the cyber range simulation experiment of the industrial partner of this project.

Attacks on humans by Australian Magpies (Cracticus tibicen): Territoriality, brood-defence or testosterone?

Attacks on humans by Australian Magpies (Cracticus tibicen) are a significant human-wildlife conflict in Australia, especially in suburban environments. Remarkably little is known about the phenomenon. In this study, we explored three common hypotheses - territoriality, brood-defence and testosterone - as potential and non-exclusive explanations for aggression directed at people by Magpies living in suburban areas of Brisbane, south-eastern Queensland. The response of 10 pairs of aggressive Magpies to natural levels of human intrusion was compared with that of 10 non-aggressive pairs. Behavioural observations strongly supported the contention that attacks on humans resemble brood-defence and did not support an association with territoriality. The study also found no support for the suggestion that testosterone levels correlated with aggressiveness towards humans: male testosterone peaked immediately before laying and was significantly lower during the maximum period of attacks directed at people. Moreover, there were no differences in the testosterone levels of aggressive and non-aggressive male Magpies. The pattern of testosterone production over a breeding cycle closely resembled that of many other songbirds and appeared not to influence Magpie attacks on humans. © Royal Australasian Ornithologists Union 2010.

Patchwork-based audio watermarking method robust to de-synchronization attacks

This paper presents a patchwork-based audio watermarking method to resist de-synchronization attacks such as pitch-scaling, time-scaling, and jitter attacks. At the embedding stage, the watermarks are embedded into the host audio signal in the discrete cosine transform (DCT) domain. Then, a set of synchronization bits are implanted into the watermarked signal in the logarithmic DCT (LDCT) domain. At the decoding stage, we analyze the received audio signal in the LDCT domain to find the scaling factor imposed by an attack. Then, we modify the received signal to remove the scaling effect, together with the embedded synchronization bits. After that, watermarks are extracted from the modified signal. Simulation results show that at the embedding rate of 10 bps, the proposed method achieves 98.9% detection rate on average under the considered de-synchronization attacks. At the embedding rate of 16 bps, it can still obtain 94.7% detection rate on average. So, the proposed method is much more robust to de-synchronization attacks than other patchwork watermarking methods. Compared with the audio watermarking methods designed for tackling de-synchronization attacks, our method has much higher embedding capacity.