Using honeypots to analyse anomalous Internet activities

Monitoring Internet traffic is critical in order to acquire a good understanding of threats to computer and network security and in designing efficient computer security systems. Researchers and network administrators have applied several approaches to monitoring traffic for malicious content. These techniques include monitoring network components, aggregating IDS alerts, and monitoring unused IP address spaces. Another method for monitoring and analyzing malicious traffic, which has been widely tried and accepted, is the use of honeypots. Honeypots are very valuable security resources for gathering artefacts associated with a variety of Internet attack activities. As honeypots run no production services, any contact with them is considered potentially malicious or suspicious by definition. This unique characteristic of the honeypot reduces the amount of collected traffic and makes it a more valuable source of information than other existing techniques. Currently, there is insufficient research in the honeypot data analysis field. To date, most of the work on honeypots has been devoted to the design of new honeypots or optimizing the current ones. Approaches for analyzing data collected from honeypots, especially low-interaction honeypots, are presently immature, while analysis techniques are manual and focus mainly on identifying existing attacks. This research addresses the need for developing more advanced techniques for analyzing Internet traffic data collected from low-interaction honeypots. We believe that characterizing honeypot traffic will improve the security of networks and, if the honeypot data is handled in time, give early signs of new vulnerabilities or breakouts of new automated malicious codes, such as worms. The outcomes of this research include: • Identification of repeated use of attack tools and attack processes through grouping activities that exhibit similar packet inter-arrival time distributions using the cliquing algorithm; • Application of principal component analysis to detect the structure of attackers’ activities present in low-interaction honeypots and to visualize attackers’ behaviors; • Detection of new attacks in low-interaction honeypot traffic through the use of the principal component’s residual space and the square prediction error statistic; • Real-time detection of new attacks using recursive principal component analysis; • A proof of concept implementation for honeypot traffic analysis and real time monitoring.

A malware detection system inspired on the human immune system

Malicious programs (malware) can cause severe damage on computer systems and data. The mechanism that the human immune system uses to detect and protect from organisms that threaten the human body is efficient and can be adapted to detect malware attacks. In this paper we propose a system to perform malware distributed collection, analysis and detection, this last inspired by the human immune system. After collecting malware samples from Internet, they are dynamically analyzed so as to provide execution traces at the operating system level and network flows that are used to create a behavioral model and to generate a detection signature. Those signatures serve as input to a malware detector, acting as the antibodies in the antigen detection process. This allows us to understand the malware attack and aids in the infection removal procedures. © 2012 Springer-Verlag.

Regenerating codes for errors and erasures in distributed storage

Regenerating codes are a class of codes proposed for providing reliability of data and efficient repair of failed nodes in distributed storage systems. In this paper, we address the fundamental problem of handling errors and erasures at the nodes or links, during the data-reconstruction and node-repair operations. We provide explicit regenerating codes that are resilient to errors and erasures, and show that these codes are optimal with respect to storage and bandwidth requirements. As a special case, we also establish the capacity of a class of distributed storage systems in the presence of malicious adversaries. While our code constructions are based on previously constructed Product-Matrix codes, we also provide necessary and sufficient conditions for introducing resilience in any regenerating code.

The utility and challenges of using ICD codes in child maltreatment research : a review of existing literature

Objective: The objectives of this article are to explore the extent to which the International Statistical Classification of Diseases and Related Health Problems (ICD) has been used in child abuse research, to describe how the ICD system has been applied and to assess factors affecting the reliability of ICD coded data in child abuse research.----- Methods: PubMed, CINAHL, PsychInfo and Google Scholar were searched for peer reviewed articles written since 1989 that used ICD as the classification system to identify cases and research child abuse using health databases. Snowballing strategies were also employed by searching the bibliographies of retrieved references to identify relevant associated articles. The papers identified through the search were independently screened by two authors for inclusion, resulting in 47 studies selected for the review. Due to heterogeneity of studies metaanalysis was not performed.----- Results: This paper highlights both utility and limitations of ICD coded data. ICD codes have been widely used to conduct research into child maltreatment in health data systems. The codes appear to be used primarily to determine child maltreatment patterns within identified diagnoses or to identify child maltreatment cases for research.----- Conclusions: A significant impediment to the use of ICD codes in child maltreatment research is the under-ascertainment of child maltreatment by using coded data alone. This is most clearly identified and, to some degree, quantified, in research where data linkage is used. Practice Implications: The importance of improved child maltreatment identification will assist in identifying risk factors and creating programs that can prevent and treat child maltreatment and assist in meeting reporting obligations under the CRC.

The Criminal Codes : Commentary and Materials

This edition has been substantially revised to increase overall clarity and to ensure a balanced examination of the criminal law in the 'Code' states, Queensland and Western Australia. The work has been brought up-to-date in all areas and provides valuable comment on the recent wide-reaching reforms to the law of homicide in Western Australia. Significant developments in both states discussed in this edition include: The abolition of wilful murder and infanticide, and the new definition of murder (WA); The introduction of the new offence of unlawful assault causing death (WA); The abolition of provocation to murder (WA), and whether this excuse still has a part to play (Qld); The reformulation of the excuse of self-defence, and the introduction of excessive self-defence (WA); The creation of offences for drink spiking (Qld and WA); and Current and proposed sentencing considerations (Qld and WA). Fundamental principles of the criminal law are illustrated throughout the book by selected extracts from the Codes and case law, while additional materials foster critical reflection on the law and the need for reform.

Detecting and characterising malicious executable payloads

Buffer overflow vulnerabilities continue to prevail and the sophistication of attacks targeting these vulnerabilities is continuously increasing. As a successful attack of this type has the potential to completely compromise the integrity of the targeted host, early detection is vital. This thesis examines generic approaches for detecting executable payload attacks, without prior knowledge of the implementation of the attack, in such a way that new and previously unseen attacks are detectable. Executable payloads are analysed in detail for attacks targeting the Linux and Windows operating systems executing on an Intel IA-32 architecture. The execution flow of attack payloads are analysed and a generic model of execution is examined. A novel classification scheme for executable attack payloads is presented which allows for characterisation of executable payloads and facilitates vulnerability and threat assessments, and intrusion detection capability assessments for intrusion detection systems. An intrusion detection capability assessment may be utilised to determine whether or not a deployed system is able to detect a specific attack and to identify requirements for intrusion detection functionality for the development of new detection methods. Two novel detection methods are presented capable of detecting new and previously unseen executable attack payloads. The detection methods are capable of identifying and enumerating the executable payload’s interactions with the operating system on the targeted host at the time of compromise. The detection methods are further validated using real world data including executable payload attacks.

The effect of national governance codes on firm disclosure practices : evidence from analyst earnings forecasts

This study examines whether voluntary national governance codes have a significant effect on company disclosure practices. Two direct effects of the codes are expected: 1) an overall improvement in company disclosure practices, which is greater when the codes have a greater emphasis on disclosure; and 2) a leveling out of disclosure practices across companies (i.e., larger improvements in companies that were previously poorer disclosers) due to the codes new comply-or-explain requirements. The codes are also expected to have an indirect effect on disclosure practices through their effect on company governance practices. The results show that the introduction of the codes in eight East Asian countries has been associated with lower analyst forecast error and a leveling out of disclosure practices across companies. The codes are also found to have an indirect effect on company disclosure practices through their effect on board independence. This study shows that a regulatory approach to improving disclosure practices is not always necessary. Voluntary national governance codes are found to have both a significant direct effect and a significant indirect effect on company disclosure practices. In addition, the results indicate that analysts in Asia do react to changes in disclosure practices, so there is an incentive for small companies and family-owned companies to further improve their disclosure practices.

Quality of cause-of-death reporting using ICD-10 drowning codes : a descriptive study of 69 countries

Background: The systematic collection of high-quality mortality data is a prerequisite in designing relevant drowning prevention programmes. This descriptive study aimed to assess the quality (i.e., level of specificity) of cause-of-death reporting using ICD-10 drowning codes across 69 countries.---------- Methods: World Health Organization (WHO) mortality data were extracted for analysis. The proportion of unintentional drowning deaths coded as unspecified at the 3-character level (ICD-10 code W74) and for which the place of occurrence was unspecified at the 4th character (.9) were calculated for each country as indicators of the quality of cause-of-death reporting.---------- Results: In 32 of the 69 countries studied, the percentage of cases of unintentional drowning coded as unspecified at the 3-character level exceeded 50%, and in 19 countries, this percentage exceeded 80%; in contrast, the percentage was lower than 10% in only 10 countries. In 21 of the 56 countries that report 4-character codes, the percentage of unintentional drowning deaths for which the place of occurrence was unspecified at the 4th character exceeded 50%, and in 15 countries, exceeded 90%; in only 14 countries was this percentage lower than 10%.---------- Conclusion: Despite the introduction of more specific subcategories for drowning in the ICD-10, many countries were found to be failing to report sufficiently specific codes in drowning mortality data submitted to the WHO.

Intrusion detection system for encrypted networks using secret-sharing schemes

Secret-sharing schemes describe methods to securely share a secret among a group of participants. A properly constructed secret-sharing scheme guarantees that the share belonging to one participant does not reveal anything about the shares of others or even the secret itself. Besides the obvious feature which is to distribute a secret, secret-sharing schemes have also been used in secure multi-party computations and redundant residue number systems for error correction codes. In this paper, we propose that the secret-sharing scheme be used as a primitive in a Network-based Intrusion Detection System (NIDS) to detect attacks in encrypted networks. Encrypted networks such as Virtual Private Networks (VPNs) fully encrypt network traffic which can include both malicious and non-malicious traffic. Traditional NIDS cannot monitor encrypted traffic. Our work uses a combination of Shamir's secret-sharing scheme and randomised network proxies to enable a traditional NIDS to function normally in a VPN environment. In this paper, we introduce a novel protocol that utilises a secret-sharing scheme to detect attacks in encrypted networks.