21. GAINING MONITORING CAPABILITIES AND INSIGHTS INTO RESPONSES FROM PHISHING DATA
Raqab, Alah, 09 July 2014
No description available.
22. Detection of advanced persistent threat using machine-learning correlation analysis
Ghafir, Ibrahim; Hammoudeh, M.; Prenosil, V.; Han, L.; Hegarty, R.; Rabie, K.; Aparicio-Navarro, F.J., 24 January 2020
As one of the most serious types of cyber attack, Advanced Persistent Threats (APT) have caused major concerns on a global scale. APT refers to a persistent, multi-stage attack intended to compromise a targeted system and gain information from it, with the potential to cause significant damage and substantial financial loss. The accurate detection and prediction of APT is an ongoing challenge. This work proposes a novel machine learning-based system, MLAPT, which can accurately and rapidly detect and predict APT attacks in a systematic way. MLAPT runs through three main phases: (1) Threat detection, in which eight methods have been developed to detect the different techniques used during the various APT steps; the implementation and validation of these methods on real traffic is a significant contribution to the current body of research. (2) Alert correlation, in which a correlation framework is designed to link the outputs of the detection methods and identify alerts that could be related and belong to a single APT scenario. (3) Attack prediction, in which a machine learning-based prediction module built on the correlation framework output lets the network security team estimate the probability that the early alerts will develop into a complete APT attack. MLAPT is experimentally evaluated, and the presented system is able to predict APT in its early steps with a prediction accuracy of 84.8%.
23. BotDet: a system for real time Botnet command and control traffic detection
Ghafir, Ibrahim; Prenosil, V.; Hammoudeh, M.; Baker, T.; Jabbar, S.; Khalid, S.; Jaf, S., 24 January 2020
Over the past decade, the digitization of services has transformed the healthcare sector, leading to a sharp rise in cybersecurity threats. Poor cybersecurity in the healthcare sector, coupled with the high value of patient records, has attracted the attention of hackers. Sophisticated advanced persistent threats and malware have significantly contributed to increasing risks to the health sector. Many recent attacks are attributed to the spread of malicious software, e.g., ransomware or bot malware. Machines infected with bot malware can be used as tools for remote attack or even cryptomining. This paper presents a novel approach, called BotDet, for botnet Command and Control (C&C) traffic detection to defend against malware attacks in critical infrastructure systems. There are two stages in the development of the proposed system: 1) we have developed four detection modules to detect different possible techniques used in botnet C&C communications, and 2) we have designed a correlation framework to reduce the rate of false alarms raised by the individual detection modules. Evaluation results show that BotDet balances the true positive rate and the false positive rate at 82.3% and 13.6%, respectively. Furthermore, they demonstrate BotDet's capability for real-time detection.
24. Anomaly Detection for Control Centers
Gyamfi, Cliff Oduro, 06 1900
The control center is a critical location in the power system infrastructure. Decisions regarding the power system's operation and control are often made from the control center. These control actions are made possible through SCADA communication. This capability, however, makes the power system vulnerable to cyber attacks. Most of the decisions taken by the control center rely on the measurement data received from substations. These measurements are used to estimate the state of the power grid. Measurement-based cyber attacks are well studied as a major threat to control center operations, and stealthy false data injection attacks are known to evade bad data detection. Because of the limitations of bad data detection at the control center, many approaches have been explored, especially in the cyber layer, to detect measurement-based attacks. Though helpful, these approaches do not look at the physical layer. This study proposes an anomaly detection system for the control center that operates on the laws of physics. The system also identifies the specific falsified measurement and proposes its estimated measurement value.
United States Department of Energy (DOE), National Renewable Energy Laboratory (NREL) / Master of Science
Electricity is an essential need for human life. The power grid is one of the most important human inventions and fueled other technological innovations in the industrial revolution. Changing demands in usage have added to its operational complexity. Several modifications have been made to the power grid since its invention to make it robust and operationally safe. Integration of ICT has significantly improved the monitoring and operability of the power grid. Improvements through ICT have also exposed the power grid to cyber vulnerabilities. Since the power system is a critical infrastructure, there is a growing need to keep it secure and operable for the long run. The control center of the power system serves mainly as the decision-making hub of the grid. It operates through a communication link with the various dispersed devices and substations on the grid. This interconnection makes remote control and monitoring decisions possible from the control center. Data from the substations, passing through the control center, are also used in electricity markets and economic dispatch. The control center is, however, susceptible to cyber attacks, particularly measurement-based attacks. When attackers launch measurement attacks, their goal is to force control actions from the control center that can make the system unstable. They make use of vulnerabilities in the cyber layer to launch these attacks, and can inject falsified data packets through this link to supplant correct ones upon arrival at the control center. This study looks at an anomaly detection system that can detect falsified measurements at the control center. It will also indicate the specific falsified measurements and provide an estimated value for further analysis.
25. Cyber Threat Intelligence from Honeypot Data using Elasticsearch
Al-Mohannadi, Hamad; Awan, Irfan U.; Al Hamar, J.; Cullen, Andrea J.; Disso, Jules P.; Armitage, Lorna, 18 May 2018
Cyber attacks are increasing in every aspect of daily life. There are a number of different technologies available to tackle cyber attacks, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, switches, routers etc., which are active round the clock. These systems generate alerts and prevent cyber attacks. This is not a straightforward solution, however, as IDSs generate a huge volume of alerts that may or may not be accurate, potentially resulting in a large number of false positives. In most cases, therefore, these alerts are too many in number to handle. In addition, it is impossible to prevent cyber attacks simply by using tools. Instead, it requires greater intelligence in order to fully understand an adversary's motive by analysing various types of Indicator of Compromise (IoC). Also, it is important for IT employees to have enough knowledge to identify true positive attacks and act according to the incident response process.
In this paper, we propose a new threat intelligence technique which is evaluated by analysing honeypot log data to identify the behaviour of attackers and find attack patterns. To achieve this goal, we have deployed a honeypot on the AWS cloud to collect cyber incident log data. The log data is analysed using Elasticsearch technology, namely an ELK (Elasticsearch, Logstash and Kibana) stack.
26. Malware Analysis using Profile Hidden Markov Models and Intrusion Detection in a Stream Learning Setting
Saradha, R, January 2014
In the last decade, many machine learning and data mining based approaches have been applied to intrusion detection, malware detection and classification, and traffic analysis. In the area of malware analysis, static binary analysis techniques have become increasingly difficult because of the code obfuscation and code packing methods employed when writing malware. For this reason, behavior-based analysis techniques are being used in large malware analysis systems. In prior art, a number of clustering and classification techniques have been used to classify malware into families and to identify new malware families from behavior reports. In this thesis, we analyse in detail the use of Profile Hidden Markov Models for the problem of malware classification and clustering. Their ability to build accurate models with limited examples is very helpful in the early detection and modeling of malware families.
The thesis also revisits the learning setting of an Intrusion Detection System that employs machine learning to distinguish attacks from normal traffic. It substantiates the suitability of the incremental learning setting (or stream-based learning setting) for the problem of learning attack patterns in an IDS when large volumes of data arrive in a stream. Related to the above problem, an elaborate survey of IDSs that use data mining and machine learning was carried out. Experimental evaluation and comparison show that, in terms of speed and accuracy, the stream-based algorithms perform very well as large volumes of data are presented for classification as attack or non-attack patterns. The possibilities for using stream algorithms in different problems in security are elucidated in the conclusion.
27. Web-based prototype for protecting controllers from existing cyber-attacks in an industrial control system
Sanyang, Pa, January 2020
Industrial control systems (ICS) are a critical part of the infrastructure in society. Examples of ICS are rail networks and energy plants such as nuclear plants. SCADA is an ICS following a hierarchical structure. Because a control system can be very large, remote monitoring through networks is an effective way to operate it. But because of digitalization, ICS or SCADA systems are vulnerable to cyber attacks that can hijack or intercept network traffic or deny services to legitimate users. SCADA protocols (e.g. Modbus, DNP3), which are prone to attack because they are not secure protocols, make a SCADA system even more vulnerable. The paper focuses on how to best protect the network traffic between an HMI as the client and a controller as the server from attacks. The proposed solution, the prototype, is based on a reverse proxy server setup that protects controllers from external network traffic. Only the reverse proxy server, or gateway server, can forward a client request to the intended controller. The gateway server, a web-based solution, is the additional security layer that encrypts the payload in the application layer using TLS version 1.2 via the HTTPS protocol, thereby protecting against common security threats. The prototype went through penetration testing against MITM (based on ARP poisoning), SYN flooding and slow HTTP POST attacks. The results indicated that the prototype was vulnerable to SYN flooding and that the network traffic was intercepted by the MITM. But under the Confidentiality-Integrity-Availability (C.I.A.) criteria, the prototype did uphold integrity and confidentiality thanks to the TLS security and the successful mitigation of certain attacks. The results and suggestions on how to improve the gateway server security were discussed, including that the testing was not comprehensive but that the result is still valuable.
In conclusion, more testing in the future would most likely show different results, but that would only serve to improve the security of the gateway server, the network that the client and gateway server run in, and the physical security of the location where the client and gateway server are located.
28. The Rise of China's Hacking Culture: Defining Chinese Hackers
Howlett, William, IV, 01 June 2016
China has been home to some of the most prominent hackers and hacker groups of the global community throughout the last decade. In the last ten years, countless attacks globally have been linked to the People's Republic of China (PRC) or those operating within the PRC. This exploration attempts to investigate the story, ideology, institutions, actions, and motivations of the Chinese hackers collectively, as sub-groups, and as individuals. I will do this using sources ranging from basic news coverage, interviews with experts and industry veterans, secondary reportage, leaked documents from government and private sources, government white papers, legal codes, blogs and microblogs, a wide array of materials from the darker corners of the online world, and many other materials. The work will begin to sketch for the reader some of the general and specific aspects of the shadowy world of cybercrime and hacker culture in China in recent years. One of the most prevalent beliefs is that the Chinese government is in fact the one responsible, whether directly or by sponsorship, for cyber attacks on foreign systems. My careful analysis has revealed that this is not always the case, or at least that it is more complex than simply labeling the group as a state actor. At the root of these attacks is a social movement of "hacktivists," a patriotic sub-culture of Chinese hackers. It is incorrect to allege that all attacks are performed by state-sponsored individuals or groups, because there are many individuals and groups that are motivated by other factors.
29. Impact of mobile botnet on long term evolution networks: a distributed denial of service attack perspective
Kitana, Asem, 31 March 2021
In recent years, the advent of Long Term Evolution (LTE) technology as a prominent component of 4G networks and future 5G networks has paved the way for fast and new mobile web access and application services. With these advantages come some security concerns in terms of attacks that can be launched on such networks. This thesis focuses on the impact of mobile botnets on LTE networks by implementing a mobile botnet architecture that initiates a Distributed Denial of Service (DDoS) attack. First, in order to understand mobile botnet behavior, a correlation between the mobile botnet's impact and different mobile device mobility models is established, leading to a study of the impact of random versus uniform movement patterns on the mobile botnet's behavior under a DDoS attack. Second, the impact of two base transceiver station selection mechanisms on a mobile botnet launching a DDoS attack on an LTE network is studied, the goal being to derive their effect on the attack severity of the mobile botnet. Third, an epidemic SMS-based cellular botnet that uses an epidemic command and control mechanism to initiate a short message service (SMS) phishing attack is proposed, and its threat impact is studied and simulated using three random graph models. The simulation results obtained reveal that (1) in terms of users' mobility patterns, the impact of the mobile botnet behavior under a DDoS attack on a victim web server is more pronounced when an asymmetric mobility model is considered compared to a symmetric mobility model; (2) in terms of base transceiver station selection mechanisms, the Distance-Based Model mechanism yields a higher threat impact on the victim server compared to the Signal Power Based Model mechanism; and (3) under the Erdős-Rényi topology, the proposed epidemic SMS-based cellular botnet is shown to be resistant and resilient to random and selective cellular device failures.
30. Honeypot study of threats targeting critical infrastructure
Alberto Scola, Carlo, January 2023
Honeypots are systems intended to gather information about potential threats and, at the same time, shift part of the attention away from the real targets. In industrial control system environments, honeypots play a significant role and can support further threat study while distracting potential attackers from critical physical systems. Low-interaction honeypots are emulated systems that try to recreate a real environment by simulating applications and protocols. These types of honeypots still need improvements to be effective, and during this thesis work the focus has been on the Conpot open-source ICS honeypot. Due to their nature, low-interaction honeypots are less appealing to potential attackers than high-interaction honeypots, since they do not provide the same level of realism and can be discovered more easily. Earlier works showed ways to increase the ability to attract more visitors, and an improved setup of Conpot has been evaluated; its results have been analyzed and compared with the default installation. Several advancements have been implemented, as well as custom features and working functionalities such as a customized industrial system design, improved logging and a web API proxy. The goal of this work is to answer the investigated hypothesis, which asks whether an improved version of the low-interaction honeypot can yield more significant results. By evaluating the network traffic received, the outcome has been insightful and showed a clear improvement over the original version of the honeypot. The ICS protocols displayed a considerably larger number of interactions along with an increased number of attacks. In conclusion, further development of the Conpot honeypot is desirable and would largely improve its performance and practicality in real-world deployments.