A survey on latest botnet attack and defense

A botnet is a group of compromised computers, which are remotely controlled by hackers to launch various network attacks, such as DDoS attack and information phishing. Botnet has become a popular and productive tool behind many cyber attacks. Recently, the owners of some botnets, such as storm worm, torpig and conflicker, are employing fluxing techniques to evade detection. Therefore, the understanding of their fluxing tricks is critical to the success of defending from botnet attacks. Motivated by this, we survey the latest botnet attacks and defenses in this paper. We begin with introducing the principles of fast fluxing (FF) and domain fluxing (DF), and explain how these techniques were employed by botnet owners to fly under the radar. Furthermore, we investigate the state-of-art research on fluxing detection. We also compare and evaluate those fluxing detection methods by multiple criteria. Finally, we discuss future directions on fighting against botnet based attacks.

Web application protection against SQL injection attack

SQL injection vulnerabilities poses a severe threat to web applications as an SQL Injection Attack (SQLIA) could adopt new obfuscation techniques to evade and thwart countermeasures such as Intrusion Detection Systems (IDS). SQLIA gains access to the back-end database of vulnerable websites, allowing hackers to execute SQL commands in a web application resulting in financial fraud and website defacement. The lack of existing models in providing protections against SQL injection has motivated this paper to present a new and enhanced model against web database intrusions that use SQLIA techniques. In this paper, we propose a novel concept of negative tainting along with SQL keyword analysis for preventing SQLIA and described our that we implemented. We have tested our proposed model on all types of SQLIA techniques by generating SQL queries containing legitimate SQL commands and SQL Injection Attack. Evaluations have been performed using three different applications. The results show that our model protects against 100% of tested attacks before even reaching the database layer.

Using feature selection for intrusion detection system

A good intrusion system gives an accurate and efficient classification results. This ability is an essential functionality to build an intrusion detection system. In this paper, we focused on using various training functions with feature selection to achieve high accurate results. The data we used in our experiments are NSL-KDD. However, the training and testing time to build the model is very high. To address this, we proposed feature selection based on information gain, which can detect several attack types with high accurate result and low false rate. Moreover, we executed experiments to category each of the five classes (probe, denial of service (DoS), user to super-user (U2R), and remote to local (R2L), normal). Our proposed outperform other state-of-art methods.

Distributed denial of service (DDoS) detection by traffic pattern analysis

In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.

Unsupervised DRG upcoding detection in healthcare databases

Diagnosis Related Group (DRG) upcoding is an anomaly in healthcare data that costs hundreds of millions of dollars in many developed countries. DRG upcoding is typically detected through resource intensive auditing. As supervised modeling of DRG upcoding is severely constrained by scope and timeliness of past audit data, we propose in this paper an unsupervised algorithm to filter data for potential identification of DRG upcoding. The algorithm has been applied to a hip replacement/revision dataset and a heart-attack dataset. The results are consistent with the assumptions held by domain experts.

Malware detection and prevention system based on multi-stage rules

The continuously rising Internet attacks pose severe challenges to develop an effective Intrusion Detection System (IDS) to detect known and unknown malicious attack. In order to address the problem of detecting known, unknown attacks and identify an attack grouped, the authors provide a new multi stage rules for detecting anomalies in multi-stage rules. The authors used the RIPPER for rule generation, which is capable to create rule sets more quickly and can determine the attack types with smaller numbers of rules. These rules would be efficient to apply for Signature Intrusion Detection System (SIDS) and Anomaly Intrusion Detection System (AIDS).

A recognition tool for transient ischaemic attack

Background: Scoring systems exist to assist rapid identification of acute stroke but not for the more challenging diagnosis of transient ischaemic attack (TIA). Aim: To develop a clinical scoring system to assist with diagnosis of TIA. Methods: We developed and validated a clinical scoring system for identification of TIA patients. Logistic regression analysis was employed. Results: Our development cohort comprised 3216 patients. The scoring system included nine clinically useful predictive variables. After adjustment to reflect the greater seriousness of missing true TIA patients (a 2:1 cost ratio), 97% of TIA and 24% of non-TIA patients were accurately identified. Our results were confirmed during prospective validation. Conclusions: This simple scoring system performs well and could be used to facilitate accurate detection of TIA.

Time correlated anomaly detection based on inferences

Anomaly detection techniques are used to find the presence of anomalous activities in a network by comparing traffic data activities against a "normal" baseline. Although it has several advantages which include detection of "zero-day" attacks, the question surrounding absolute definition of systems deviations from its "normal" behaviour is important to reduce the number of false positives in the system. This study proposes a novel multi-agent network-based framework known as Statistical model for Correlation and Detection (SCoDe), an anomaly detection framework that looks for timecorrelated anomalies by leveraging statistical properties of a large network, monitoring the rate of events occurrence based on their intensity. SCoDe is an instantaneous learning-based anomaly detector, practically shifting away from the conventional technique of having a training phase prior to detection. It does acquire its training using the improved extension of Exponential Weighted Moving Average (EWMA) which is proposed in this study. SCoDe does not require any previous knowledge of the network traffic, or network administrators chosen reference window as normal but effectively builds upon the statistical properties from different attributes of the network traffic, to correlate undesirable deviations in order to identify abnormal patterns. The approach is generic as it can be easily modified to fit particular types of problems, with a predefined attribute, and it is highly robust because of the proposed statistical approach. The proposed framework was targeted to detect attacks that increase the number of activities on the network server, examples which include Distributed Denial of Service (DDoS) and, flood and flash-crowd events. This paper provides a mathematical foundation for SCoDe, describing the specific implementation and testing of the approach based on a network log file generated from the cyber range simulation experiment of the industrial partner of this project.

Malicious code detection architecture inspired by human immune system

Malicious code is a threat to computer systems globally. In this paper, we outline the evolution of malicious code attacks. The threat is evolving, leaving challenges for attackers to improve attack techniques and for researchers and security specialists to improve detection accuracy. We present a novel architecture for an effective defense against malicious code attack, inspired by the human immune system. We introduce two phases of program execution: Adolescent and Mature Phase. The first phase uses a malware profile matching mechanism, whereas the second phase uses a program profile matching mechanism. Both mechanisms are analogous to the innate immune system

Detection on application layer DDoS using random walk model

Application Layer Distributed Denial of Service (ALDDoS) attacks have been increasing rapidly with the growth of Botnets and Ubiquitous computing. Differentiate to the former DDoS attacks, ALDDoS attacks cannot be efficiently detected, as attackers always adopt legitimate requests with real IP address, and the traffic has high similarity to legitimate traffic. In spite of that, we think, the attackers' browsing behavior will have great disparity from that of the legitimate users'. In this paper, we put forward a novel user behavior-based method to detect the application layer asymmetric DDoS attack. We introduce an extended random walk model to describe user browsing behavior and establish the legitimate pattern of browsing sequences. For each incoming browser, we observe his page request sequence and predict subsequent page request sequence based on random walk model. The similarity between the predicted and the observed page request sequence is used as a criterion to measure the legality of the user, and then attacker would be detected based on it. Evaluation results based on real collected data set has demonstrated that our method is very effective in detecting asymmetric ALDDoS attacks. © 2014 IEEE.

Phishing detection and traceback mechanism

 Isredza Rahmi A Hamid’s thesis entitled Phishing Detection and Trackback Mechanism. The thesis investigates detection of phishing attacks through email, novel method to profile the attacker and tracking the attack back to the origin.

Catabolism attack and anabolism defense: a novel attack and traceback mechanism in opportunistic networks

Security is a major challenge in Opportunistic Networks (OppNets) because of its characteristics, such as open medium, dynamic topology, no centralized management and absent clear lines of defense.A packet dropping attack is one of the major security threats in OppNets since neither source nodes nor destination nodes have the knowledge of where or when the packet will be dropped. In this paper, we present a novel attack and traceback mechanism against a special type of packet dropping where the malicious node drops one or more packets and then injects new fake packets instead. We call this novel attack a Catabolism Attack and we call our novel traceback mechanism against this attack Anabolism Defense. Our novel detection and traceback mechanism is very powerful and has very high accuracy. Each node can detect and then traceback the malicious nodes based on a solid and powerful idea that is, hash chain techniques. In our defense techniques we have two stages. The first stage is to detect the attack, and the second stage is to find the malicious nodes. Simulation results show this robust mechanism achieves a very high accuracy and detection rate.

Attack on Chestnut-bellied Euphonia nestlings by army ants

I report some observations of a Chestnut-bellied Euphonia (Euphonia pectoralis) nest in a lowland Atlantic Forest of southeastern Brazil during the early nestling period. During 7.5 hours of observations, the nest was attended 46.3% of the time, 45.6% by the female and 0.7% by the male. Unattended periods lasted 16-38 min. Parents visited the nest most of the time together at 36-59 min intervals. There were 1.06 feeding visits per nestling per hour. The two nestlings in the nest ended up preyed upon by army ants (Labidus praedator, Ecitoninae). The low height of the nest (0.8 m) may have facilitated its detection by the ants.

On data-centric misbehavior detection in VANETs

Detecting misbehavior (such as transmissions of false information) in vehicular ad hoc networks (VANETs) is a very important problem with wide range of implications, including safety related and congestion avoidance applications. We discuss several limitations of existing misbehavior detection schemes (MDS) designed for VANETs. Most MDS are concerned with detection of malicious nodes. In most situations, vehicles would send wrong information because of selfish reasons of their owners, e.g. for gaining access to a particular lane. It is therefore more important to detect false information than to identify misbehaving nodes. We introduce the concept of data-centric misbehavior detection and propose algorithms which detect false alert messages and misbehaving nodes by observing their actions after sending out the alert messages. With the data-centric MDS, each node can decide whether an information received is correct or false. The decision is based on the consistency of recent messages and new alerts with reported and estimated vehicle positions. No voting or majority decisions is needed, making our MDS resilient to Sybil attacks. After misbehavior is detected, we do not revoke all the secret credentials of misbehaving nodes, as done in most schemes. Instead, we impose fines on misbehaving nodes (administered by the certification authority), discouraging them to act selfishly. This reduces the computation and communication costs involved in revoking all the secret credentials of misbehaving nodes. © 2011 IEEE.