Steffen Haas,Florian Wilkens,Mathias Fischer

DOI: https://doi.org/10.1109/NOMS47738.2020.9110470

2020-03-11

Abstract:Public networks are exposed to port scans from the Internet. Attackers search for vulnerable services they can exploit. In large scan campaigns, attackers often utilize different machines to perform distributed scans, which impedes their detection and might also camouflage the actual goal of the scanning campaign. In this paper, we present a correlation algorithm to detect scans, identify potential relations among them, and reassemble them to larger campaigns. We evaluate our approach on real-world Internet traffic and our results indicate that it can summarize and characterize standalone and distributed scan campaigns based on their tools and intention.

Cryptography and Security

Wei Wei,Yabo Dong,Dongming Lu,Guang Jin

DOI: https://doi.org/10.1007/11758549_8

2006-01-01

Abstract:In legitimate traffic the correlation exists between the outgoing traffic and incoming traffic of a server network because of the request-reply actions in most protocols. When DDoS attacks occur, the attackers send packets with faked source addresses. As a result, the outgoing traffic to the faked addresses does not induce any related incoming traffic. Our main idea is to find changes in the correlation caused by DDoS. We sample network traffics using Extended First Connection Density (EFCD), and express correlation by cross-correlation function. Because network traffic in DDoS-initiating stage is much similar to legitimate traffic, we use fuzzy classification in order to guarantee the accuracy. Experiments show that DDoS traffic can be identified accurately by our algorithm.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

Chuan Sheng,Yu Yao,Lianxiang Zhao,Peng Zeng,Jianming Zhao

DOI: https://doi.org/10.1109/tifs.2024.3359002

IF: 7.231

2024-02-10

IEEE Transactions on Information Forensics and Security

Abstract:As the precursor of cyber-attacks, the campaigns of scanning groups are able to reflect the attack target and attack trend to a great extent, which provide highly valuable threat intelligence for cyber defenders to understand the current cyber security situation. However, how to identify scanning groups in the context of limited information, especially in the absence of relevant threat intelligence, remains a challenging problem. In this paper, we utilize the honeynet as the unique data source to propose a scanning group identification system, Scanner-Hunter, which focuses on identifying scanning groups targeting ICS devices. To better characterize scanning patterns, a novel traffic representation scheme for scanning traffic is proposed, which is composed of a set of feature vectors to describe all the ICS request packets. On this basis, we propose a novel self-expanding multi-class classification (SEMCC) model and the IP prefix judgment, which are deliberately integrated to cope with sophisticated scanning groups. Take the Modbus protocol as an example, we implement a prototype of Scanner-Hunter, and use six years of real-world honeynet datasets to evaluate its performance. The experimental results illustrate its effectiveness and superior performance compared with some popular machine learning methods and existing SOTA scanning group identification methods. In addition, Scanner-Hunter is further leveraged to investigate the group distribution and maliciousness of 506 unknown scanners, and some suspicious attack groups with APT characteristics are analyzed. Furthermore, accurate scanning group information will contribute to revealing potential attack organizations and supporting decision making to prevent or interrupt cyber-attacks in time.

computer science, theory & methods,engineering, electrical & electronic

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

ZHANG Xin-Yu,QING Si-Han,LI Qi,LI Da-Zhi,HE Zhao-Hui

DOI: https://doi.org/10.1360/jos180412

2007-01-01

Journal of Software

Abstract:There are several global detection methods, but they do not apply to local net. A new cooperative approach to automatic detection of worms using local nets is presented in this paper, which is called CWDMLN (coordinated worm detection method based on local nets). This algorithm focuses on scanning worm characteristics in local nets and uses different methods to cope with different worm behaviors, including using honeypots to deceive worms. CWDMLN coordinates these methods to give graded alarms to notify worm attacks. The grades reflect reliability of alarms. Experimental results show that this approach is promising for it can quickly find worm intrusion in local nets and extract unknown worm signatures that can be used for IDS (intrusion detection system) or firewall to prevent more worm threats. This method can also contribute to global worm alarming by scaling.

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

Herbert Maosa,Karim Ouazzane,Mohamed Chahine Ghanem

DOI: https://doi.org/10.3390/network4010004

2023-12-10

Abstract:Intrusion detection systems perform post-compromise detection of security breaches whenever preventive measures such as firewalls do not avert an attack. However, these systems raise a vast number of alerts that must be analysed and triaged by security analysts. This process is largely manual, tedious and time-consuming. Alert correlation is a technique that tries to reduce the number of intrusion alerts by aggregating those that are related in some way. However, the correlation is performed outside the IDS through third-party systems and tools, after the high volume of alerts has already been raised. These other third-party systems add to the complexity of security operations. In this paper, we build on the very researched area of correlation techniques by developing a novel hierarchical event correlation model that promises to reduce the number of alerts issued by an Intrusion Detection System. This is achieved by correlating the events before the IDS classifies them. The proposed model takes the best of features from similarity and graph-based correlation techniques to deliver an ensemble capability not possible by either approach separately. Further, we propose a correlation process for correlation of events rather than alerts as is the case in current art. We further develop our own correlation and clustering algorithm which is tailor-made to the correlation and clustering of network event data. The model is implemented as a proof of concept with experiments run on the DARPA 99 Intrusion detection set. The correlation achieved 87 percent data reduction through aggregation, producing nearly 21000 clusters in about 30 seconds.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Liu Zhi-Jie,Wang Chong-Jun

2010-01-01

Abstract:For the last years intrusion detection system(IDS) has been proved valuable in protecting computer systems against malicious attacks. It works by actively detecting abnormal activities and counter act,be it reporting to the user or taking certain actions automatically. The traditional IDS,however,is defective in that it deals with the detected abnormal activites only individually,bringing serious problems,classical ones of which include massively false alarms and massively repeated low-level alarms. An even more serious problem of the traditional IDS is that it is not effective,if not uselell,when the many individually detected abnormal activites are correlated components of a multi-step indepth intrusion,which is propably the case in nowadays since intrusions have evolved to be intelligent and distributive. To overcome this defect,this paper proposes a method called MSACA(multi-step attack correlating algorithm). As a prerequisite of the method,a knowledge database is provided. The knowledge database composes of the structures of known multi-step correlating attack,meaning that given certain low-level abnormal activites,through the database,we can get information regarding to what kinds of multi-step correlating attacks the given low-level alarms may be part of as well as to which stage they belong. The proposed method firstly gets the needed information of the low-level alarms from the database,secondly tries to form a big picture to reveal the possible threat of the low-level alarms working as a whole,and finally takes counter measures. The proposed method can be implemented in realtime scenarios. This paper also proves the proposed method's effectiveness by experiments.

Zhongmin Wang,Rui Gao,Cong Gao,Yanping Chen,Fengwei Wang,Gao, Rui

DOI: https://doi.org/10.1007/s11277-024-10930-w

IF: 2.017

2024-03-21

Wireless Personal Communications

Abstract:Wireless sensor devices are affected by internal constraints and the external environment, generating abnormal data. Currently, many anomaly detection schemes ignore the correlation between screening nodes, wasting resources due to excessive communication. Therefore, this paper proposes a distributed anomaly detection scheme based on adaptive grouping using the correlation between nodes in wireless sensor networks. Limiting the scope of collaboration between nodes can reduce the waste of resources due to excessive communication. Since the computing resources of sensor nodes are limited, an edge-cloud framework is established. The scheme uses Spatio-temporal correlation and graph theory for wireless sensor networks to determine node groups with solid correlations on the cloud server. Based on the grouping results, anomaly detection is implemented locally. A Bayesian network model is constructed at the node within the group, and outlier detection is realized by inference on nodes. A correlation consistency evaluation method is proposed to improve anomaly detection accuracy to check the data consistency on the cluster head. The proposed scheme is verified by a generated data set and the real data of Intel Berkeley Research Lab. The effectiveness of the proposed method is verified by comparing it with three existing algorithms. Experimental results show that the method improves detection accuracy and reduces false detection.

telecommunications

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Ahmet Aksoy,Luis Valle,Gorkem Kar

DOI: https://doi.org/10.3390/electronics13020293

IF: 2.9

2024-01-10

Electronics

Abstract:The cybersecurity landscape presents daunting challenges, particularly in the face of Denial of Service (DoS) attacks such as DoS Http Unbearable Load King (HULK) attacks and DoS GoldenEye attacks. These malicious tactics are designed to disrupt critical services by overwhelming web servers with malicious requests. In contrast to DoS attacks, there exists nefarious Operating System (OS) scanning, which exploits vulnerabilities in target systems. To provide further context, it is essential to clarify that NMAP, a widely utilized tool for identifying host OSes and vulnerabilities, is not inherently malicious but a dual-use tool with legitimate applications, such as asset inventory services in company networks. Additionally, Domain Name System (DNS) botnets can be incredibly damaging as they harness numerous compromised devices to inundate a target with malicious DNS traffic. This can disrupt online services, leading to downtime, financial losses, and reputational damage. Furthermore, DNS botnets can be used for other malicious activities like data exfiltration, spreading malware, or launching other cyberattacks, making them a versatile tool for cybercriminals. As attackers continually adapt and modify specific attributes to evade detection, our paper introduces an automated detection method that requires no expert input. This innovative approach identifies the distinct characteristics of DNS botnet attacks, DoS HULK attacks, DoS GoldenEye attacks, and OS-Scanning, explicitly using the NMAP tool, even when attackers alter their tactics. By harnessing a representative dataset, our proposed method ensures robust detection of such attacks against varying attack parameters or behavioral shifts. This heightened resilience significantly raises the bar for attackers attempting to conceal their malicious activities. Significantly, our approach delivered outstanding outcomes, with a mid 95% accuracy in categorizing NMAP OS scanning and DNS botnet attacks, and 100% for DoS HULK attacks and DoS GoldenEye attacks, proficiently discerning between malevolent and harmless network packets. Our code and the dataset are made publicly available.

engineering, electrical & electronic,computer science, information systems,physics, applied

Weifeng Zhang,Hua Lu,Baowen Xu,Hongji Yang

2013-01-01

Abstract:Web phishing is becoming an increasingly severe security threat in the web domain. Effective and efficient phishing detection is very important for protecting web users from loss of sensitive private information and even personal properties. One of the keys of phishing detection is to efficiently search the legitimate web page library and to find those page that are the most similar to a suspicious phishing page. Most existing phishing detection methods are focused on text and/or image features and have paid very limited attention to spatial layout characteristics of web pages. In this paper, we propose a novel phishing detection method that makes use of the informative spatial layout characteristics of web pages. In particular, we develop two different options to extract the spatial layout features as rectangle blocks from a given web page. Given two web pages, with their respective spatial layout features, we propose a page similarity definition that takes into account their spatial layout characteristics. Furthermore, we build an R-tree to index all the spatial layout features of a legitimate page library. As a result, phishing detection based on the spatial layout feature similarity is facilitated by relevant spatial queries via the R-tree. A series of simulation experiments are conducted to evaluate our proposals. The results demonstrate that the proposed novel phishing detection method is effective and efficient.

Jian Yang,Qi Zhang,Xiaofeng Jiang,Shuangwu Chen,Feng Yang

DOI: https://doi.org/10.1109/TDSC.2021.3101649

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The volatile, covert and slow multistage attack patterns of Advanced Persistent Threat (APT) present a tricky challenge of APT detection, which are vital for organisations to protect their critical assets. In this article, we aim to develop system that aggregates and uses existing systems’ alerts to detect APTs. In order to achieve this, we propose a causal correlation aided semantic analysis system, called <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> , for detecting the multi-stage threats over a long-time span from existing systems’ alerts. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> is capable of autonomously mining causality between anomalous events, which instructs us in reorganizing the original alerts and in constructing alert-chains. The system further exploits the Latent Dirichlet Allocation (LDA) to model the semantic context of the alert-chains. This LDA model facilitates us to carry out the semantic analysis for capturing the latent attack intent as well as for reconstructing the APT scenario. We use an alert dataset provided by a cyber security company to verify the proposed <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Poirot</small> in terms of the detection accuracy and the capability of attack scenario reconstruction. The experiment results are presented to show the achievable performance of the proposed semantic analysis based APT detection.

Tianyi Yue,Yadong Zhou,Bowen Hu,Zhanbo Xu,Xiaohong Guan,Hao Zhou,Ting Liu

DOI: https://doi.org/10.1109/CASE49439.2021.9551622

2021-01-01

Abstract:Malicious web crawler has been a serious threat to the security and performance of web servers in Internet. Generally, malicious web crawler systematically obtains massive web pages without approval, and may involve the theft of data assets. In this paper, we propose an unsupervised learning based method for detecting malicious web crawler. The method can be divided into three phases. Firstly, the...

Lixin Wang,Jianhua Yang,Xiaohua Xu,Peng-Jun Wan

DOI: https://doi.org/10.1155/2021/6632671

2021-03-03

Wireless Communications and Mobile Computing

Abstract:Intruders on the Internet usually launch network attacks through compromised hosts, called stepping stones, in order to reduce the chance of being detected. With stepping-stone intrusions, an attacker uses tools such as SSH to log in several compromised hosts remotely and create an interactive connection chain and then sends attacking packets to a target system. An effective method to detect such an intrusion is to estimate the length of a connection chain. In this paper, we develop an efficient algorithm to detect stepping-stone intrusion by mining network traffic using the k -means clustering. Existing approaches for connection-chain-based stepping-stone intrusion detection either are not effective or require a large number of TCP packets to be captured and processed and, thus, are not efficient. Our proposed detection algorithm can accurately determine the length of a connection chain without requiring a large number of TCP packets being captured and processed, so it is more efficient. Our proposed detection algorithm is also easier to implement than all existing approaches for stepping-stone intrusion detection. The effectiveness, correctness, and efficiency of our proposed detection algorithm are verified through well-designed network experiments.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lanjia Wang,Haixin Duan,Xing Li

DOI: https://doi.org/10.1007/11602897_21

2005-01-01

Abstract:Detecting and identifying port scans is important for tracking malicious activities at early stage. The previous work mainly focuses on detecting individual scanners, while cares little about their common scan patterns that may imply important security threats against network. In this paper we propose a scan vector model, in which a scanner is represented by a vector that combines different scan features online, such as target ports and scan rate. A center-based clustering algorithm is then used to partition the scan vectors into groups, and provide a condense view of the major scan patterns by a succinct summary of the groups. The experiment on traffic data gathered from two subnets in our campus network shows that our method can accurately identify the major scan patterns without being biased by heavy hitters, meanwhile, possessing simplicity and low computation cost.

Zhendong Wu,Jingjing Wang,Liqin Hu,Zhang Zhang,Han Wu

DOI: https://doi.org/10.1016/j.jnca.2020.102688

IF: 7.574

2020-08-01

Journal of Network and Computer Applications

Abstract:<p>In recent years, with the increase of human activities in cyberspace, intrusion events, such as network penetration, detection and attack, tend to be frequent and hidden. The traditional intrusion detection methods which prefer rules are not enough to deal with the increasingly complex network intrusion flow. However, the generalization ability of intrusion detection system based on classical machine learning method is still insufficient, and the false alarm rate is high. Aiming at this problem, we consider that normal network traffic and intrusion network traffic are obviously different in several semantic dimensions, though the intrusion traffic is more and more covert. Then we propose a new intrusion detection method, named SRDLM, based on semantic re-encoding and deep learning. The SRDLM method re-encodes the semantics of network traffic, increases the distinguish ability of traffic, and enhances the generalization ability of the algorithm by using deep learning technology, thus effectively improving the accuracy and robustness of the algorithm. The accuracy of the SRDLC algorithm for Web character injection network attack detection is over 99%. When detecting the NSL-KDD data set, the average performance is improved by more than 8% compared with the traditional machine learning method.</p>

computer science, interdisciplinary applications, software engineering, hardware & architecture

Hongwei Zhou,Jie Ling

DOI: https://doi.org/10.1088/1742-6596/2589/1/012001

2023-09-26

Journal of Physics Conference Series

Abstract:In response to the challenges posed by the high overhead and low detection efficiency of traditional SDN, a novel approach has been proposed to detect DDoS attacks. This cooperative method leverages information entropy and deep learning techniques to divide the detection task between the data plane and control plane. An advanced CNN-BiLSTM model with batch normalization and attention mechanism is utilized to identify DDoS attack traffic. The results of experiments demonstrate that this method offers superior accuracy, detection rate, and false alarm rate compared to prior approaches. Moreover, the switch-controller collaborative detection method proposed in this research reduces the occupancy rate of CPU, in contrast to the conventional single point detection method.

Suchismita Goswami,Edward J Wegman

DOI: https://doi.org/10.1080/02664763.2019.1634680

2019-06-28

Abstract:Considerable efforts have been made to apply scan statistics in detecting fraudulent or excessive activities in dynamic email networks. However, previous studies are mostly based on the fixed and disjoint windows, and on the assumption of short-term stationarity of the series, which might result in loss of information and error in detecting excessive activities. Here we devise scan statistics with variable and overlapping windows on stationary time series of organizational emails with a two-step process, and use likelihood function to rank the clusters. We initially estimate the log-likelihood ratio to obtain a primary cluster of communications using the Poisson model on email count series, and then extract neighborhood ego subnetworks around the observed primary cluster to obtain more refined cluster by invoking the graph invariant betweenness as the locality statistic using the binomial model. The results were then compared with the non-parametric maximum likelihood estimation method, and the residual analysis of ARMA model fitted to the time series of graph edit distance. We demonstrate that the scan statistics with two-step process is effective in detecting excessive activity in large dynamic social networks.