971 results for mimicking attack


Relevance:

70.00%

Publisher:

Abstract:

Botnets have become major engines for malicious activities in cyberspace nowadays. To sustain their botnets and disguise their malicious actions, botnet owners are mimicking legitimate cyber behavior to fly under the radar. This poses a critical challenge in anomaly detection. In this paper, we use web browsing on popular web sites as an example to tackle this problem. First of all, we establish a semi-Markov model for browsing behavior. Based on this model, we find that it is impossible to detect mimicking attacks based on statistics if the number of active bots of the attacking botnet is sufficiently large (no less than the number of active legitimate users). However, we also find it is hard for botnet owners to satisfy the condition to carry out a mimicking attack most of the time. With this new finding, we conclude that mimicking attacks can be discriminated from genuine flash crowds using second-order statistical metrics. We define a new fine correntropy metric and show its effectiveness compared to others. Our real-world data set experiments and simulations confirm our theoretical claims. Furthermore, the findings can be widely applied to similar situations in other research fields.

Relevance:

30.00%

Publisher:

Abstract:

DDoS is a spy-on-spy game between attackers and detectors. Attackers are mimicking network traffic patterns to disable the detection algorithms which are based on these features. It is an open problem of discriminating the mimicking DDoS attacks from massive legitimate network accessing. We observed that the zombies use controlled function(s) to pump attack packages to the victim; therefore, the attack flows to the victim always share some properties, e.g. packages distribution behaviors, which are not possessed by legitimate flows in a short time period. Based on this observation, once there appear suspicious flows to a server, we start to calculate the distance of the package distribution behavior among the suspicious flows. If the distance is less than a given threshold, then it is a DDoS attack; otherwise, it is a legitimate accessing. Our analysis and the preliminary experiments indicate that the proposed method can discriminate mimicking flooding attacks from legitimate accessing efficiently and effectively.

Relevance:

30.00%

Publisher:

Abstract:

DDoS attack traffic is difficult to differentiate from legitimate network traffic during transit from the attacker, or zombies, to the victim. In this paper, we use the theory of network self-similarity to differentiate DDoS flooding attack traffic from legitimate self-similar traffic in the network. We observed that DDoS traffic causes a strange attractor to develop in the pattern of network traffic. From this observation, we developed a neural network detector trained by our DDoS prediction algorithm. Our preliminary experiments and analysis indicate that our proposed chaotic model can accurately and effectively detect DDoS attack traffic. Our approach has the potential to not only detect attack traffic during transit, but to also filter it.

Relevance:

30.00%

Publisher:

Abstract:

With the significant growth of botnets, application layer DDoS attacks are much easier to launch using large botnets, and false negatives are always a problem for intrusion detection systems in real practice. In this paper, we propose a novel application layer DDoS attack tool, which mimics human browsing behavior following three statistical distributions: the Zipf-like distribution for web page popularity, the Pareto distribution for page request time interval for an individual browser, and the inverse Gaussian distribution for length of browsing path. A Markov model is established for an individual bot to generate attack request traffic. Our experiments indicated that the attack traffic generated by the proposed tool is pretty similar to the real traffic. As a result, the current statistics-based detection algorithms will result in a high false negative rate in general. In order to counter this kind of attack, we discussed a few preliminary solutions at the end of this paper.

Relevance:

30.00%

Publisher:

Abstract:

DDoS attacks are one of the major threats to Internet services. Sophisticated hackers are mimicking the features of legitimate network events, such as flash crowds, to fly under the radar. This poses great challenges to detect DDoS attacks. In this paper, we propose an attack feature independent DDoS flooding attack detection method at local area networks. We employ flow entropy on local area network routers to supervise the network traffic and raise potential DDoS flooding attack alarms when the flow entropy drops significantly in a short period of time. Furthermore, information distance is employed to differentiate DDoS attacks from flash crowds. In general, the attack traffic of one DDoS flooding attack session is generated by many bots from one botnet, and all of these bots are executing the same attack program. As a result, the similarity among attack traffic should be higher than that among flash crowds, which are generated by many random users. Mathematical models have been established for the proposed detection strategies. Analysis based on the models indicates that the proposed methods can raise the alarm for potential DDoS flooding attacks and can differentiate DDoS flooding attacks from flash crowds with conditions. The extensive experiments and simulations confirmed the effectiveness of our proposed detection strategies.

Relevance:

30.00%

Publisher:

Abstract:

Aphantochilus rogersi is an ant-mimicking spider that preys exclusively on cephalotine ants. The spiders oviposit in close proximity to nests of the model ant Zacryptocerus pusillus, and emergent spiderlings tend to remain in the vicinity of natal egg sacs. Females of A. rogersi actively defend their egg sacs against approaching workers of Z. pusillus, but the latter may sometimes destroy the eggs. Feeding specialization on these ants is confirmed by more than 300 observations of young and adult A. rogersi carrying ant corpses in the field. Although A. rogersi possesses several behavioural traits which may reduce the risk of being injured by ants during subjugation, field and laboratory observations showed that social defence by Z. pusillus may cause mutilation to the spiders. Tests in captivity revealed an ontogenetic change in the prey-capture techniques employed by A. rogersi. Early-instar spiderlings can apparently only seize the ant's petiole tightly if they are able to approach the ant from the front. As the ant is paralysed, the spiderling positions itself vertically in relation to the substratum. Larger spiders, on the other hand, attack ants most frequently from behind, and seem better equipped to seize the ant's petiole firmly with their larger chelicerae. Owing to their greater strength, late-instar spiders are able to lift the struggling ant aloft. The selection of a suitable oviposition site, the mother's ability to defend herself and the eggs from nearby ants, and the capacity to capture and subdue ants safely from emergence to maturity, are regarded as crucial traits inherent in the mimetic and feeding specialization by A. rogersi.

Relevance:

20.00%

Publisher:

Abstract:

Integral attacks are well-known to be effective against byte-based block ciphers. In this document, we outline how to launch integral attacks against bit-based block ciphers. This new type of integral attack traces the propagation of the plaintext structure at bit-level by incorporating bit-pattern based notations. The new notation gives the attacker more details about the properties of a structure of cipher blocks. The main difference from ordinary integral attacks is that we look at the pattern the bits in a specific position in the cipher block have through the structure. The bit-pattern based integral attack is applied to Noekeon, Serpent and PRESENT reduced up to 5, 6 and 7 rounds, respectively. This includes the first attacks on Noekeon and PRESENT using integral cryptanalysis. All attacks manage to recover the full subkey of the final round.

Relevance:

20.00%

Publisher:

Abstract:

High-rate flooding attacks (aka Distributed Denial of Service or DDoS attacks) continue to constitute a pernicious threat within the Internet domain. In this work we demonstrate how using packet source IP addresses coupled with a change-point analysis of the rate of arrival of new IP addresses may be sufficient to detect the onset of a high-rate flooding attack. Importantly, minimizing the number of features to be examined directly addresses the issue of scalability of the detection process to higher network speeds. Using a proof of concept implementation we have shown how pre-onset IP addresses can be efficiently represented using a bit vector and used to modify a “white list” filter in a firewall as part of the mitigation strategy.

Relevance:

20.00%

Publisher:

Abstract:

This special issue of Popular Communication examines the impact of the global financial crisis and recession on different aspects of global and regional media and the cultural industries, changing practices of media production, as well as media consumption, and the interplay of economic challenges and technological change.

Relevance:

20.00%

Publisher:

Abstract:

Distributed Denial-of-Service (DDoS) attacks continue to be one of the most pernicious threats to the delivery of services over the Internet. Not only are DDoS attacks present in many guises, they are also continuously evolving as new vulnerabilities are exploited. Hence accurate detection of these attacks still remains a challenging problem and a necessity for ensuring high-end network security. An intrinsic challenge in addressing this problem is to effectively distinguish these Denial-of-Service attacks from similar looking Flash Events (FEs) created by legitimate clients. A considerable overlap between the general characteristics of FEs and DDoS attacks makes it difficult to precisely separate these two classes of Internet activity. In this paper we propose parameters which can be used to explicitly distinguish FEs from DDoS attacks and analyse two real-world publicly available datasets to validate our proposal. Our analysis shows that even though FEs appear very similar to DDoS attacks, there are several subtle dissimilarities which can be exploited to separate these two classes of events.

Relevance:

20.00%

Publisher:

Abstract:

Low oxygen pressure (hypoxia) plays an important role in stimulating angiogenesis; there are, however, few studies to prepare hypoxia-mimicking tissue engineering scaffolds. Mesoporous bioactive glass (MBG) has been developed as scaffolds with excellent osteogenic properties for bone regeneration. Ionic cobalt (Co) is established as a chemical inducer of hypoxia-inducible factor (HIF)-1α, which induces hypoxia-like response. The aim of this study was to develop hypoxia-mimicking MBG scaffolds by incorporating ionic Co2+ into MBG scaffolds and investigate if the addition of Co2+ ions would induce a cellular hypoxic response in such a tissue engineering scaffold system. The composition, microstructure and mesopore properties (specific surface area, nano-pore volume and nano-pore distribution) of Co-containing MBG (Co-MBG) scaffolds were characterized and the cellular effects of Co on the proliferation, differentiation, vascular endothelial growth factor (VEGF) secretion, HIF-1α expression and bone-related gene expression of human bone marrow stromal cells (BMSCs) in MBG scaffolds were systematically investigated. The results showed that low amounts of Co (< 5%) incorporated into MBG scaffolds had no significant cytotoxicity and that their incorporation significantly enhanced VEGF protein secretion, HIF-1α expression, and bone-related gene expression in BMSCs, and also that the Co-MBG scaffolds support BMSC attachment and proliferation. The scaffolds maintain a well-ordered mesopore channel structure and high specific surface area and have the capacity to efficiently deliver antibiotic drugs; in fact, the sustained release of ampicillin by Co-MBG scaffolds gives them excellent anti-bacterial properties. Our results indicate that incorporating cobalt ions into MBG scaffolds is a viable option for preparing hypoxia-mimicking tissue engineering scaffolds and significantly enhanced hypoxia function. The hypoxia-mimicking MBG scaffolds have great potential for bone tissue engineering applications by combining enhanced angiogenesis with already existing osteogenic properties.

Relevance:

20.00%

Publisher:

Abstract:

Background/aims: Access to appropriate health care following an acute cardiac event is important for positive outcomes. The aim of the Cardiac ARIA index was to derive an objective, comparable, geographic measure reflecting access to cardiac services across Australia. Methods: Geographic Information Systems (GIS) were used to model a numeric-alpha index based on acute management from onset of symptoms to return to the community. Acute time frames have been calculated to include time for ambulance to arrive, assess and load patient, and travel to facility by road 40–80 kph. Results: The acute phase of the index was modelled into five categories: 1 [24/7 percutaneous cardiac intervention (PCI) ≤1 h]; 2 [24/7 PCI 1–3 h, and PCI less than an additional hour to nearest accident and emergency room (A&E)]: 3 [Nearest A&E ≤3 h (no 24/7 PCI within an extra hour)]: 4 [Nearest A&E 3–12 h (no 24/7 PCI within an extra hour)]: 5 [Nearest A&E 12–24 h (no 24/7 PCI within an extra hour)]. Discharge care was modelled into three categories based on time to a cardiac rehabilitation program, retail pharmacy, pathology services, hospital, GP or remote clinic: (A) all services ≤30 min; (B) >30 min and ≤60 min; (C) >60 min. Examples of the index indicate that the majority of population locations within capital cities were category 1A; Alice Springs and Byron Bay were 3A; and the Northern Territory town of Maningrida had minimal access to cardiac services with an index ranking of 5C. Conclusion: The Cardiac ARIA index provides an invaluable tool to inform appropriate strategies for the use of scarce cardiac resources.

Relevance:

20.00%

Publisher:

Abstract:

Talk of a possible Israeli strike on Iran’s nuclear facilities has re-ignited debate over the right of self-defence under international law. Some academics, including Anthony D'Amato and Alan Dershowitz, have claimed that an attack on Iran would be a permissible act of self-defence. Others, such as Kevin Jon Heller, argue that such action would be a clear breach of international law. So, who is correct? Would military action against Iran be legal or illegal?