970 results for Malicious node detection


Relevance: 40.00%

Summary:

Detecting misbehavior (such as transmission of false information) in vehicular ad hoc networks (VANETs) is a very important problem with a wide range of implications, including safety-related and congestion-avoidance applications. We discuss several limitations of existing misbehavior detection schemes (MDS) designed for VANETs. Most MDS are concerned with the detection of malicious nodes. In most situations, vehicles would send wrong information for selfish reasons of their owners, e.g. to gain access to a particular lane. It is therefore more important to detect false information than to identify misbehaving nodes. We introduce the concept of data-centric misbehavior detection and propose algorithms which detect false alert messages and misbehaving nodes by observing their actions after sending out the alert messages. With the data-centric MDS, each node can decide whether received information is correct or false. The decision is based on the consistency of recent messages and new alerts with reported and estimated vehicle positions. No voting or majority decision is needed, making our MDS resilient to Sybil attacks. After misbehavior is detected, we do not revoke all the secret credentials of misbehaving nodes, as done in most schemes. Instead, we impose fines on misbehaving nodes (administered by the certification authority), discouraging them from acting selfishly. This reduces the computation and communication costs involved in revoking all the secret credentials of misbehaving nodes. © 2011 IEEE.

Relevance: 40.00%

Summary:

This thesis focuses on the analysis of two complementary aspects of cybercrime (that is, crime perpetrated over the network to make money). These two aspects are the infected machines used to obtain financial gain from crime through different actions (for example, click fraud, DDoS, spam) and the server infrastructure used to manage these machines (for example, C&C, exploit servers, monetization servers, redirectors). The first part investigates the exposure of victim computers to threats. For this analysis we used the metadata contained in Symantec's WINE-BR dataset. This dataset contains installation metadata for executable files (for example, the file hash, its publisher, installation date, file name and file version) from 8.4 million Windows users. We associated this metadata with the vulnerabilities in the National Vulnerability Database (NVD) and the Open Sourced Vulnerability Database (OSVDB) in order to track the decay of vulnerabilities over time and observe how quickly users patch their systems and, therefore, their exposure to potential attacks. We identified 3 factors that can influence the patching activity of victim computers: shared code, the type of user, and exploits. We present 2 new attacks against shared code and an analysis of how user knowledge and exploit availability influence patching activity.

For the 80 vulnerabilities in our database that affect code shared between two applications, the time between the patch releases in the different applications is up to 118 days (with a median of 11 days). In the second part, new active probing techniques are proposed to detect and analyze malicious server infrastructures. We leverage active probing techniques to detect malicious servers on the Internet. We start with the analysis and detection of exploit server operations. We identify as an operation the servers that are controlled by the same people and possibly participate in the same infection campaign. We analyzed a total of 500 exploit servers over a period of 1 year, where 2/3 of the operations had a single server and 1/2 several servers. We extended the exploit server detection technique to different server types (for example, C&C, monetization servers, redirectors) and achieved Internet-scale probing for the different categories of malicious servers. These new techniques have been incorporated into a new tool called CyberProbe. To detect these servers we developed a novel technique called Adversarial Fingerprint Generation, which is a methodology for generating a unique request-response model to identify the server family (that is, the type and the operation to which the server belongs). Starting from a malware file and a live server of a given family, CyberProbe can generate a valid fingerprint to detect all live servers of that family. We performed 11 Internet-wide scans, detecting 151 malicious servers; of these 151 servers, 75% are unknown to public databases of malicious servers.

Another issue that arises while detecting malicious servers is that some of these servers may be hidden behind a silent reverse proxy. To identify the prevalence of this network configuration and improve CyberProbe's capabilities, we developed RevProbe, a new tool that can detect reverse proxies by leveraging leakages in the configuration of web reverse proxies. RevProbe identifies that 16% of the active malicious IP addresses analyzed correspond to reverse proxies, that 92% of them are silent compared with 55% for benign reverse proxies, and that they are mainly used for load balancing across multiple servers.

ABSTRACT

In this dissertation we investigate two fundamental aspects of cybercrime: the infection of machines used to monetize the crime and the malicious server infrastructures that are used to manage the infected machines. In the first part of this dissertation, we analyze how fast software vendors apply patches to secure client applications, identifying shared code as an important factor in patch deployment. Shared code is code present in multiple programs. When a vulnerability affects shared code, the usual linear vulnerability life cycle is no longer effective at describing how patch deployment takes place. In this work we show the consequences of shared code vulnerabilities and demonstrate two novel attacks that can be used to exploit this condition. In the second part of this dissertation we analyze malicious server infrastructures; our contributions are: a technique to cluster exploit server operations, a tool named CyberProbe to perform large-scale detection of different malicious server categories, and RevProbe, a tool that detects silent reverse proxies. We start by identifying exploit server operations, that is, exploit servers managed by the same people.

We investigate a total of 500 exploit servers over a period of more than 13 months. We collected malware from these servers and all the metadata related to the communication with the servers. Thanks to this metadata we extracted different features to group together servers managed by the same entity (i.e., an exploit server operation); we discovered that 2/3 of the operations have a single server while 1/3 have multiple servers. Next, we present CyberProbe, a tool that detects different malicious server types through a novel technique called adversarial fingerprint generation (AFG). The idea behind CyberProbe's AFG is to run a piece of malware and observe its network communication towards malicious servers. It then replays this communication to the malicious server and outputs a fingerprint (i.e., a port selection function, a probe generation function and a signature generation function). Once the fingerprint is generated, CyberProbe scans the Internet with the fingerprint and finds all the servers of a given family. We performed a total of 11 Internet-wide scans, finding 151 new servers starting from 15 seed servers. This gives CyberProbe a 10-fold amplification factor. Moreover, we compared CyberProbe with existing blacklists on the Internet, finding that only 40% of the servers detected by CyberProbe were listed. To enhance the capabilities of CyberProbe we developed RevProbe, a reverse proxy detection tool that can be integrated with CyberProbe to allow precise detection of silent reverse proxies used to hide malicious servers. RevProbe leverages leakage-based detection techniques to detect whether a malicious server is hidden behind a silent reverse proxy and the infrastructure of servers behind it. At the core of RevProbe is the analysis of differences in the traffic obtained by interacting with a remote server.

Relevance: 40.00%

Summary:

We propose a cost-effective hot event detection system over the Sina Weibo platform, currently the dominant microblogging service provider in China. The problem of finding a proper subset of microbloggers under resource constraints is formulated as a mixed-integer problem for which heuristic algorithms are developed to compute an approximate solution. Preliminary results show that by tracking about 500 out of 1.6 million candidate microbloggers and processing 15,000 microposts daily, 62% of the hot events can be detected five hours earlier on average than they are published by Weibo.

Relevance: 40.00%

Summary:

The analysis of system calls is one method employed by anomaly detection systems to recognise malicious code execution. Similarities can be drawn between this process and the behaviour of certain cells belonging to the human immune system, and these similarities can be applied to construct an artificial immune system. A recently developed hypothesis in immunology, the Danger Theory, states that our immune system responds to the presence of intruders by sensing molecules belonging to those invaders, plus signals generated by the host indicating danger and damage. We propose the incorporation of this concept into a responsive intrusion detection system, where behavioural information about the system and its running processes is combined with information regarding individual system calls.

Relevance: 30.00%

Summary:

One important issue implied by the finite nature of real-world networks concerns the identification of their more external (border) and internal nodes. The present work proposes a formal and objective definition of these properties, founded on the recently introduced concept of node diversity. It is shown that this feature does not exhibit any relevant correlation with several well-established complex network measurements. A methodology for the identification of the borders of complex networks is described and illustrated with respect to theoretical (geographical and knitted networks) as well as real-world networks (urban and word association networks), yielding interesting results and insights in both cases.

Relevance: 30.00%

Summary:

Thirty-five lymph node samples were taken from animals with macroscopic lesions consistent with Mycobacterium bovis infection. The animals were identified by postmortem examination in an abattoir in the northwestern region of the state of Parana, Brazil. Twenty-two of the animals had previously been found to be tuberculin skin test positive. Tissue samples were decontaminated by Petroff's method and processed for acid-fast bacilli staining, culture in Stonebrink and Lowenstein-Jensen media, and DNA extraction. Lymph node DNA samples were amplified by PCR in the absence and presence (inhibitor controls) of DNA extracted from M. bovis culture. Mycobacterium bovis was identified in 14 (42.4%) lymph node samples by both PCR and culture. The frequency of PCR-positive results (54.5%) was similar to that of culture-positive results (51.5%, P > 0.05). The percentage of PCR-positive lymph nodes increased from 39.4% (13/33) to 54.5% (18/33) when samples that were initially PCR-negative were reanalysed using 2.5 µl DNA (two samples) and 1:2 diluted DNA (three samples). PCR sensitivity was affected by inhibitors and by the amount of DNA in the clinical samples. Our results indicate that direct detection of M. bovis in lymph nodes by PCR may be a fast and useful tool for bovine tuberculosis epidemic management in the region.

Relevance: 30.00%

Summary:

Purpose: We tested whether the combination of 4 established cell cycle regulators (p53, pRB, p21 and p27) could improve the ability to predict clinical outcomes in a large multi-institutional collaboration of patients with pT3-4N0 or pTany Npositive urothelial carcinoma of the bladder. We also assessed whether the combination of molecular markers is superior to any individual biomarker. Materials and Methods: The study comprised 692 patients with pT3-4N0 or pTany Npositive urothelial carcinoma of the bladder treated with radical cystectomy and bilateral lymphadenectomy (median followup 5.3 years). Scoring was performed using advanced cell imaging and color detection software. The base model incorporated patient age, gender, stage, grade, lymphovascular invasion, number of lymph nodes removed, number of positive lymph nodes, concomitant carcinoma in situ and adjuvant chemotherapy. Results: Individual molecular markers did not improve the predictive accuracy for disease recurrence and cancer specific mortality. Combination of all 4 molecular markers into the number of altered molecular markers resulted in significantly higher predictive accuracy than any single biomarker (p < 0.001). Moreover, addition of the number of altered molecular markers to the base model significantly improved the predictive accuracy for disease recurrence (3.9%, p < 0.001) and cancer specific mortality (4.3%, p < 0.001). Addition of the number of altered molecular markers retained statistical significance for improving the prediction of clinical outcomes in the subgroups of patients with pT3N0 (280), pT4N0 (83) and pTany Npositive (329) disease (p < 0.001). Conclusions: While the status of individual molecular markers does not add sufficient value to outcome prediction in patients with advanced urothelial carcinoma of the bladder, combinations of molecular markers may improve molecular staging, prognostication and possibly prediction of response to therapy.

Relevance: 30.00%

Summary:

Objectives: The aim was to verify the concordance of CT evaluation among four radiologists (two oral and maxillofacial and two medical radiologists) at the TN (tumour/node) stage and in the follow-up of oral cavity and oropharyngeal cancer patients. The study also compared differences between clinical and CT examinations in determining the TN stage. Methods: The following clinical and tomographic findings of 15 non-treated oral cavity and oropharyngeal cancer patients were compared: tumour size, bone invasion and lymph node metastases. In another 15 patients, who had previously been treated, a comparison of clinical and tomographic analysis for the presence of tumoural recurrence, post-therapeutic changes in muscles and lymph node metastases was performed. The concordance of tomographic evaluation between the radiologists was analysed using the kappa index. Results: Significant agreement was verified between all radiologists for the T stage, but not for the N stage. In the group of treated patients, CT disclosed post-therapeutic changes in muscles, tumour recurrence and lymph node metastases, but no concordance for the detection of lymph node metastases was found between radiologists. In the first group, for all radiologists, no concordance was demonstrated between clinical and tomographic staging. CT was effective for delimiting advanced lesions and for detecting lymph node involvement in N0 stage patients. CT revealed two cases of bone invasion not clinically detected. Conclusions: Interprofessional relationships must be stimulated to improve diagnoses and to promote a multidisciplinary approach to oral cavity and oropharyngeal cancer. Although CT was important in the diagnosis and follow-up of cancer patients, differences between medical and dental analyses should be acknowledged. Dentomaxillofacial Radiology (2010) 39, 140-148. doi: 10.1259/dmfr/69910245

Relevance: 30.00%

Summary:

Axillary lymph node status is one of the most powerful prognostic factors for patients with breast cancer and is often critical in stratifying patients into adjuvant treatment regimens. In 203 apparently node-negative cases of breast cancer, a combination of immunohistochemical staining and step-sectioning identified occult metastases in 25% of cases. Ten-year follow-up information is available for these patients. Histologic features of the primary tumor and immunohistochemical staining for estrogen receptor, progesterone receptor, Her-2, and p53 were also evaluated. With multivariate analysis, both occult metastases and higher histologic grade of the primary tumor were independent predictors of disease-free survival. Histologic grade was the only significant independent predictor of overall survival. Estrogen receptor, progesterone receptor, Her-2, and p53 status did not predict the presence of metastases or survival when all tumor types were considered together. Metastases >0.5 mm significantly predicted a poorer disease-free survival when invasive ductal carcinomas were considered alone. Histologic grade was significantly associated with disease-free survival in the premenopausal and perimenopausal patients but not in the postmenopausal patients. The presence of occult metastases approached significance for overall survival in the premenopausal and perimenopausal patients but not in the postmenopausal patients.

Relevance: 30.00%

Summary:

In recent years, vehicular cloud computing (VCC) has emerged as a new technology which is being used in a wide range of applications in the area of multimedia-based healthcare. In VCC, vehicles act as intelligent machines which can be used to collect and transfer healthcare data to local or global sites for storage and computation purposes, as vehicles have comparatively limited storage and computation power for handling multimedia files. However, due to dynamic changes in topology and the lack of centralized monitoring points, this information can be altered or misused. These security breaches can result in disastrous consequences such as loss of life or financial fraud. Therefore, to address these issues, a learning automata-assisted distributive intrusion detection system is designed based on clustering. Although there exist a number of applications where the proposed scheme can be applied, we have taken a multimedia-based healthcare application to illustrate the proposed scheme. In the proposed scheme, learning automata (LA) are assumed to be stationed on the vehicles, which take clustering decisions intelligently and select one of the members of the group as a cluster-head. The cluster-heads then assist in efficient storage and dissemination of information through a cloud-based infrastructure. To secure the proposed scheme from malicious activities, a standard cryptographic technique is used in which the automaton learns from the environment and takes adaptive decisions for identification of any malicious activity in the network. A reward or penalty is given by the stochastic environment in which an automaton performs its actions, so that it updates its action probability vector after getting the reinforcement signal from the environment. The proposed scheme was evaluated using extensive simulations on ns-2 with SUMO. The results obtained indicate that the proposed scheme yields an improvement of 10 % in the detection rate of malicious nodes when compared with existing schemes.

Relevance: 30.00%

Summary:

IEEE 802.11 is one of the most well-established and widely used standards for wireless LAN. Its Medium Access Control (MAC) layer assumes that the devices adhere to the standard's rules and timers to assure fair access to and sharing of the medium. However, the flexibility and configurability of wireless card drivers make it possible for selfish misbehaving nodes to take advantage of the other well-behaving nodes. The existence of selfish nodes degrades the QoS for the other devices in the network and may increase their energy consumption. In this paper we propose a green solution for selfish misbehavior detection in IEEE 802.11-based wireless networks. The proposed scheme works in two phases: a Global phase which detects whether or not the network contains selfish nodes, and a Local phase which identifies which node or nodes within the network are selfish. Usually, the network must be frequently examined for selfish nodes during its operation, since any node may act selfishly. Our solution is green in the sense that it saves network resources: it avoids wasting the nodes' energy by examining every individual node for selfishness when it is not necessary. The proposed detection algorithm is evaluated using extensive OPNET simulations. The results show that the Global network metric clearly indicates the existence of a selfish node, while the Local node metric successfully identifies the selfish node(s). We also provide a mathematical analysis of the selfish misbehavior and derive formulas for the successful channel access probability.

Relevance: 30.00%

Summary:

Bacteria of the genus Bartonella are emerging pathogens detected in lymph node biopsies and aspirates, probably because of an increased concentration of bacteria there. Twenty-three samples from 18 patients with clinical, laboratory and/or epidemiological data suggesting bartonellosis were subjected to three nested amplifications targeting a fragment of the 60-kDa heat shock protein (HSP), the 16S-23S rRNA internal transcribed spacer (ITS) and the cell division gene (FtsZ) of Bartonella henselae, in order to improve detection in clinical samples. In the first amplification, 1, 4 and 5 samples were positive by HSP (4.3%), FtsZ (17.4%) and ITS (21.7%), respectively. After the second round, six positive samples were identified by nested-HSP (26%), eight by nested-ITS (34.8%) and 18 by nested-FtsZ (78.2%), corresponding to 10 peripheral blood samples, five lymph node biopsies, two skin biopsies and one lymph node aspirate. The nested-FtsZ was more sensitive than nested-HSP and nested-ITS (p < 0.0001), enabling the detection of Bartonella henselae DNA in 15 of 18 patients (83.3%). In this study, three nested-PCRs that should be specific for Bartonella henselae amplification were developed, but only the nested-FtsZ did not amplify DNA from Bartonella quintana. We conclude that nested amplifications increased detection of B. henselae DNA, and that the nested-FtsZ was the most sensitive and the only one specific to B. henselae in different biological samples. As all samples detected by nested-HSP and nested-ITS were also detected by nested-FtsZ, we infer that in our series the infections were caused by Bartonella henselae. The high number of positive blood samples draws attention to the use of this biological material in the investigation of bartonellosis, regardless of the immune status of patients. This is important in the case of critically ill patients and young children, to avoid more invasive procedures such as lymph node biopsies and aspirates.