WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Jiang Xie,Shuhao Li,Yongzheng Zhang,Xiaochun Yun,Jia Li

DOI: https://doi.org/10.48550/arXiv.2309.01174

2023-09-03

Networking and Internet Architecture

Abstract:Trojans are one of the most threatening network attacks currently. HTTP-based Trojan, in particular, accounts for a considerable proportion of them. Moreover, as the network environment becomes more complex, HTTP-based Trojan is more concealed than others. At present, many intrusion detection systems (IDSs) are increasingly difficult to effectively detect such Trojan traffic due to the inherent shortcomings of the methods used and the backwardness of training data. Classical anomaly detection and traditional machine learning-based (TML-based) anomaly detection are highly dependent on expert knowledge to extract features artificially, which is difficult to implement in HTTP-based Trojan traffic detection. Deep learning-based (DL-based) anomaly detection has been locally applied to IDSs, but it cannot be transplanted to HTTP-based Trojan traffic detection directly. To solve this problem, in this paper, we propose a neural network detection model (HSTF-Model) based on hierarchical spatiotemporal features of traffic. Meanwhile, we combine deep learning algorithms with expert knowledge through feature encoders and statistical characteristics to improve the self-learning ability of the model. Experiments indicate that F1 of HSTF-Model can reach 99.4% in real traffic. In addition, we present a dataset BTHT consisting of HTTP-based benign and Trojan traffic to facilitate related research in the field.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Xin Ma,Shize Guo,Zhisong Pan,Bin Liu,Kaolin Jiang,Ming Chen,Shijiao Tang

DOI: https://doi.org/10.48550/arXiv.2207.06641

2022-07-14

Abstract:A covert attack method often used by APT organizations is the DNS tunnel, which is used to pass information by constructing C2 networks. And they often use the method of frequently changing domain names and server IP addresses to evade monitoring, which makes it extremely difficult to detect them. However, they carry DNS tunnel information traffic in normal DNS communication, which inevitably brings anomalies in some statistical characteristics of DNS traffic, so that it would provide security personnel with the opportunity to find them. Based on the above considerations, this paper studies the statistical discovery methodology of typical DNS tunnel high-frequency query behavior. Firstly, we analyze the distribution of the DNS domain name length and times and finds that the DNS domain name length and times follow the normal distribution law. Secondly, based on this distribution law, we propose a method for detecting and discovering high-frequency DNS query behaviors of non-single domain names based on the statistical rules of domain name length and frequency and we also give three theorems as theoretical support. Thirdly, we design a sliding window difference scheme based on the above method. Experimental results show that our method has a higher detection rate. At the same time, since our method does not need to construct a data set, it has better practicability in detecting unknown DNS tunnels. This also shows that our detection method based on mathematical models can effectively avoid the dilemma for machine learning methods that must have useful training data sets, and has strong practical significance.

Networking and Internet Architecture

Guangyuan Gao,Weina Niu,Jiacheng Gong,Dujuan Gu,Song Li,Mingxue Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/tifs.2024.3443596

IF: 7.231

2024-08-24

IEEE Transactions on Information Forensics and Security

Abstract:DNS tunnels, due to their versatility and concealment, have become a preferred method for attackers to execute Command and Control (C&C) attacks, posing a significant security threat to terminal devices. Therefore, the efficient and accurate detection of DNS tunnels is important in reducing the economic losses and privacy risks faced by both enterprises and individuals. Despite notable advancements in the research of intelligent detection of DNS tunnels, existing model-based approaches predominantly concentrate on the surface-level features of domain names or packet payloads. This narrow focus leads to low detection accuracy when dealing with unknown DNS tunnel attacks and traffic from wildcard DNS. Furthermore, these methods struggle with accurately identifying DNS tunneling tools, complicating the task of swiftly locating and mitigating malware for analysts. This paper proposes GraphTunnel, a framework based on graph neural networks for detecting DNS tunnels and identifying tunneling tools. It delves into the correlations among DNS resolutions to construct paths that represent the recursive resolution process of DNS. By using central nodes that denote the gateways, these paths are connected and transformed into graph structures. Concurrently, it employs GraphSage to aggregate the features of nodes and their edges in the graph, enabling effective detection of DNS tunnels. Additionally, GraphTunnel utilizes the G2M algorithm to capture the statistical features of nodes in the graph and maps them into grayscale images, which are then processed by a CNN for multi-class identification of DNS tunneling tools. Experimental results demonstrate that in non-wildcard DNS scenarios, GraphTunnel achieves a 100% accuracy in DNS tunnel detection, encompassing unknown DNS tunnels. Even in high false-positive environments caused by wildcard DNS, GraphTunnel maintains an F1-Score of 99.78%. Moreover, GraphTunnel can identify DNS tunneling tools with an accuracy rate exceeding 98.57%, enhancing the rapid mitigation capabilities of emergency responders in dealing with malicious DNS tunnels.

computer science, theory & methods,engineering, electrical & electronic

Yubo He,Yuefei Zhu,Wei Lin

DOI: https://doi.org/10.1088/1742-6596/1187/4/042055

2019-04-01

Journal of Physics: Conference Series

Abstract:Aiming at reducing the high False Negative rate of the existing Trojan horse detection method based on behavior, this paper utilized the sequence characteristics of tunnel Trojan communication extracted from the transport layer and the bi-directional recurrent neural network in deep learning to build a HTTP tunnel Trojan detection model. The experimental result showed that the deep learning-based detection model reduced the false positive rate of normal network traffic and improved the Trojan detection rate. We also found that the deep learning-based detection model reduced the feature selecting and data cleaning process of generating samples and improved the easy-using of the HTTP tunnel Trojan detection model.

Chi-Kuan Chiu,Hsiao-Hsien Chang,Ching-Hao Mao,Te-En Wei

DOI: https://doi.org/10.1109/desec.2018.8625111

2018-12-01

Abstract:Malware and backdoor usually hide their malicious activities to communicate with C&C server through HTTP protocol. Various techniques for stealth are developed which directly leads security system's failure to detect hacker's activities. This paper focuses on profiling fingerprints of browsers running on different client-side host to detect anomaly among outbound HTTP traffics at behavioral and semantic level. Patterns describing fake header are also elaborately designed using graph structure and become significant features in the proposed method for the subsequent detection. Performance of proposed approach are evaluated with data from realistic environment and compare to state-of-the-art. Results show that the proposed method delivers accuracy up to 99%, also for the counterfeit fingerprint's detection it even achieve 100% recall, while the alternative approach totally failed under this scenario.

Yue Wang,Anmin Zhou,Shan Liao,Rongfeng Zheng,Rong Hu,Lei Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108322

IF: 5.493

2021-10-01

Computer Networks

Abstract:<p>Domain Name System (DNS) tunnels, established between the controlled host and master server disguised as the authoritative domain name server, can be used as a secret data communication channel for malicious activities. Owing to the ready evasion of the DNS traffic to bypass the network security mechanism, DNS tunnelling can cause severe damage. Thus, an in-depth and comprehensive understanding of the various detection technologies is of considerable importance when facing this type of threat. However, most of the existing reviews focus on a single aspect of the DNS tunnel detection technologies, such as methods based on machine learning, traffic, and payload analysis. In addition, few studies have conducted comprehensive investigation that includes a sequentially integrated range of literature in this researchfield, or have analysed the latest literature on DNS tunnels. This paper reviews these detection technologies from a novel perspective of rule-based and model-based methods with descriptions and analyses of the DNS-based tools and their corresponding features. To the best of our knowledge, this is the first study to comprehensively discuss and analyse DNS tunnel detection in a novel and specific classification fashion from various aspects in detail, covering almost all the detection methods developed from 2006 to 2020. Furthermore, a comparative analysis of detection methods and several suggestions for future research directions are presented.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Qi Lai,Jie Ling

DOI: https://doi.org/10.1088/1742-6596/1302/2/022074

2019-08-01

Journal of Physics: Conference Series

Abstract:Abstract The anonymous network in protecting user privacy information, but also for the use of criminals, for its illegal acts, and increase the cover monitoring, tracking and obstacle of the government organs forensics, Aiming at the problem of anonymous network, this paper proposes a website fingerprinting attack method for TOR anonymous network. Wavelet transform is introduced to deal with the traffic generated by visiting the website. SVM algorithm is used to learn and generate classifiers, establish fingerprint feature library, and then compare the data generated by the target visiting website with the feature library to confirm its visiting website. In this way, the experimental results show that the average recognition accuracy of target visited websites is 96.7% under all known features of websites, which is superior to literature [17].

GUO Shize,ZHANG Fan,SONG Zhuoxue,ZHAO Ziming,ZHAO Xinjie,WANG Xiaojuan,LUO Xiangyang

DOI: https://doi.org/10.11959/j.issn.2096−109x.2022004

2022-01-01

Abstract:Network attack detection plays a vital role in network security. Existing detection approaches focus on typical attack behaviors, such as Botnets and SQL injection. The widespread use of the SSL/TLS encryption protocol arises some emerging attack strategies against the SSL/TLS protocol. With the network traffic collection environment that built upon the implements of popular SSL/TLS attacks, a network traffic dataset including four SSL/TLS attacks, as well as benign flows was controlled. Considering the problems that limited observability of existing detection and limited separation of the original-flow spatiotemporal domains, a flow spectrum theory was proposed to map the threat behavior in the cyberspace from the original spatiotemporal domain to the transformed domain through the process of “potential change” and obtain the “potential variation spectrum”. The flow spectrum theory is based on a set of separable and observable feature representations to achieve efficient analysis of network flows. The key to the application of flow spectrum theory in actual cyberspace threat behavior detection is to find the potential basis matrix for a specific threat network flow under the condition of a given transformation operator. Since the SSL/TLS protocol has a strong timing relationship and state transition process in the handshake phase, and there are similarities between some SSL/TLS attacks, the detection of SSL/TLS attacks not only needs to consider timing context information, but also needs to consider the high-separation representation of TLS network flows. Based on the flow spectrum theory, the threat template idea was used to extract the potential basis matrix, and the potential basis mapping based on the long-short-term memory unit was used to map the SSL/TLS attack network flow to the flow spectrum domain space. On the self-built SSL/TLS attack network flow data set, the validity of the flow spectrum theory is verified by means of classification performance comparison, potential variation spectrum dimensionality reduction visualization, threat behavior feature weight evaluation, threat behavior spectrum division assessment, and potential variation base matrix heatmap visualization.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Jianhua Yang,Lixin Wang

DOI: https://doi.org/10.3390/electronics13163258

IF: 2.9

2024-08-18

Electronics

Abstract:In the past three decades, stepping-stone intrusion has become a professional and primary way used by intruders to launch their attacks since they can be protected behind a long TCP connection chain. Many different algorithms have been proposed to detect stepping-stone intrusion since 1995. But most algorithms cannot resist intruders' session manipulation. In this paper, we propose a novel approach using the distribution of round-trip time (RTT) of network traffic to detect stepping-stone intrusion. This approach can resist intruders' chaff-perturbation since the round-trip time of network packets can fairly be affected by chaffed packets. The ratio between the standard deviation of the RTTs between Send and Echo packets and the standard deviation of the RTTs between Send and Ack packets can be used to predict if a stepping-stone intrusion exists. The closer to 0 the ratio, the more suspicious a stepping-stone intrusion.

engineering, electrical & electronic,computer science, information systems,physics, applied

Sunghyun Yu,Yoojae Won

DOI: https://doi.org/10.3934/mbe.2023101

Abstract:Privacy protection in computer communication is gaining attention because plaintext transmission without encryption can be eavesdropped on and intercepted. Accordingly, the use of encrypted communication protocols is on the rise, along with the number of cyberattacks exploiting them. Decryption is essential for preventing attacks, but it risks privacy infringement and incurs additional costs. Network fingerprinting techniques are among the best alternatives, but existing techniques are based on information from the TCP/IP stack. They are expected to be less effective because cloud-based and software-defined networks have ambiguous boundaries, and network configurations not dependent on existing IP address schemes increase. Herein, we investigate and analyze the Transport Layer Security (TLS) fingerprinting technique, a technology that can analyze and classify encrypted traffic without decryption while addressing the problems of existing network fingerprinting techniques. Background knowledge and analysis information for each TLS fingerprinting technique is presented herein. We discuss the pros and cons of two groups of techniques, fingerprint collection and artificial intelligence (AI)-based. Regarding fingerprint collection techniques, separate discussions on handshake messages ClientHello/ServerHello, statistics of handshake state transitions, and client responses are provided. For AI-based techniques, discussions on statistical, time series, and graph techniques according to feature engineering are presented. In addition, we discuss hybrid and miscellaneous techniques that combine fingerprint collection with AI techniques. Based on these discussions, we identify the need for a step-by-step analysis and control study of cryptographic traffic to effectively use each technique and present a blueprint.

Johan Mazel,Matthieu Saudrais,Antoine Hervieu

DOI: https://doi.org/10.48550/arXiv.2201.10371

2022-01-25

Cryptography and Security

Abstract:Encrypted tunneling protocols are widely used. Beyond business and personal uses, malicious actors also deploy tunneling to hinder the detection of Command and Control and data exfiltration. A common approach to maintain visibility on tunneling is to rely on network traffic metadata and machine learning to analyze tunnel occurrence without actually decrypting data. Existing work that address tunneling protocols however exhibit several weaknesses: their goal is to detect application inside tunnels and not tunnel identification, they exhibit limited protocol coverage (e.g. OpenVPN and Wireguard are not addressed), and both inconsistent features and diverse machine learning techniques which makes performance comparison difficult. Our work makes four contributions that address these limitations and provide further analysis. First, we address OpenVPN and Wireguard. Second, we propose a complete pipeline to detect and classify tunneling protocols and tunneled applications. Third, we present a thorough analysis of the performance of both network traffic metadata features and machine learning techniques. Fourth, we provide a novel analysis of domain generalization regarding background untunneled traffic, and, both domain generalization and adversarial learning regarding Maximum Transmission Unit (MTU).

WANG Ping-hui,ZHENG Qing-hua,NIU Guo-lin,GUAN Xiao-hong,CAI Zhong-min

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.003

2007-01-01

Journal of Communications

Abstract:A slowly port scan detect method was presented based on the statistical traffic features.Two statistical features: the ratio between the number of hosts and ports a host communicates and similarities of the ports set,were selected to denote the traffic features.The CUSUM and wavelet transform methods were employed to analyze the features and detect the slowly port scan behaviors.The experimental results show that the methods proposed detect port scan behaviors effi-ciently and correctly,it has low false negative and false positive alarm rate compared with the Snort.

Ru Zhang,Wenxin Sun,Jianyi Liu,Jingwen Li,Guan Lei,Han Guo

DOI: https://doi.org/10.48550/arXiv.2010.13978

2020-10-27

Cryptography and Security

Abstract:Advanced Persistent Threat (APT) attack, also known as directed threat attack, refers to the continuous and effective attack activities carried out by an organization on a specific object. They are covert, persistent and targeted, which are difficult to capture by traditional intrusion detection system(IDS). The traffic generated by the APT organization, which is the organization that launch the APT attack, has a high similarity, especially in the Command and Control(C2) stage. The addition of features for APT organizations can effectively improve the accuracy of traffic detection for APT attacks. This paper analyzes the DNS and TCP traffic of the APT attack, and constructs two new features, C2Load_fluct (response packet load fluctuation) and Bad_rate (bad packet rate). The analysis showed APT attacks have obvious statistical laws in these two features. This article combines two new features with common features to classify APT attack traffic. Aiming at the problem of data loss and boundary samples, we improve the Adaptive Synthetic(ADASYN) Sampling Approach and propose the PADASYN algorithm to achieve data balance. A traffic classification scheme is designed based on the AdaBoost algorithm. Experiments show that the classification accuracy of APT attack traffic is improved after adding new features to the two datasets so that 10 DNS features, 11 TCP and HTTP/HTTPS features are used to construct a Features set. On the two datasets, F1-score can reach above 0.98 and 0.94 respectively, which proves that the two new features in this paper are effective for APT traffic detection.

Senmiao Wang,Luli Sun,Sujuan Qin,WenMin Li,Wentao Liu

DOI: https://doi.org/10.1016/j.cose.2022.102818

2022-09-01

Abstract:Nowadays, DNS channel attacks on mobile devices have become a challenging threat. Attackers usually attack mobile devices and steal information with the help of DNS channel. It is difficult for users to detect this kind of attack, especially when attackers covert sensitive information in the DNS response. In this paper, we proposed a method for DNS tunnel detection based on isolated forest for Android. We constructed a framework for mobile devices to collect DNS tunnel traffic. Based on the analysis of DNS tunnel traffic generated on mobile devices, we extracted features based on DNS request and response and constructed the feature set. We proposed a DNS tunnel detector, KRTunnel, for mobile devices. Experiments showed that KRTunnel can identify unseen DNS tunnel traffic with the accuracy of 98.1%.

computer science, information systems

Guang-Lu Sun,Yibo Xue,Yingfei Dong,Dongsheng Wang,Chenglong Li

DOI: https://doi.org/10.1109/GLOCOM.2010.5683649

2010-01-01

Abstract:Classifying encrypted traffic is critical to effective network analysis and management. While traditional payload- based methods are powerless to deal with encrypted traffic, machine learning methods have been proposed to address this issue. However, these methods often bring heavy overhead into the system. In this paper, we propose a hybrid method that combines signature-based methods and statistical analysis methods to address this issue. We first identify SSL/TLS traffic with signature matching methods, and then apply statistical analysis to determine concrete application protocols. Our experimental results show that the proposed method is able to recognize over 99% of SSL/TLS traffic and achieve 94.52% in F-score for protocols identification.

Filippo Sobrero,Beatrice Clavarezza,Daniele Ucci,Federica Bisio

2023-09-22

Abstract:In the very last years, cybersecurity attacks have increased at an unprecedented pace, becoming ever more sophisticated and costly. Their impact has involved both private/public companies and critical infrastructures. At the same time, due to the COVID-19 pandemic, the security perimeters of many organizations expanded, causing an increase of the attack surface exploitable by threat actors through malware and phishing attacks. Given these factors, it is of primary importance to monitor the security perimeter and the events occurring in the monitored network, according to a tested security strategy of detection and response. In this paper, we present a protocol tunneling detector prototype which inspects, in near real time, a company's network traffic using machine learning techniques. Indeed, tunneling attacks allow malicious actors to maximize the time in which their activity remains undetected. The detector monitors unencrypted network flows and extracts features to detect possible occurring attacks and anomalies, by combining machine learning and deep learning. The proposed module can be embedded in any network security monitoring platform able to provide network flow information along with its metadata. The detection capabilities of the implemented prototype have been tested both on benign and malicious datasets. Results show 97.1% overall accuracy and an F1-score equals to 95.6%.

Cryptography and Security