Detecting Backdoor

Kao, Cheng-yuan

12 August 2004

Cyber space is like a society. Attacking events happen all the time. No matter what is in the cyber space. We need to do many things to defend our computers and network devices form attackers, for example: update patches, install anti-virus software, firewalls and intrusion detection system. In all kinds of network attacks, it is hard to detect that an attacker install a backdoor after he crack the system. He can do many things by the backdoor, like steal sensitive or secret information. Otherwise, intrusion detection systems are responsible for early warnings, but they usually need to capture all the network packets include the headers and contents to analyze. It costs many overheads for the system. The goal of our research is to detect backdoors correctly, and we only use the network packet headers to analyze.

Network Security

Backdoor

Data Mining

Intrusion Detection

Lightweight Network Intrusion Detection

Chen, Ya-lin

26 July 2005

Exploit codes based on system vulnerabilities are often used by attackers to attack target computers or services. Such exploit programs often send attack packets in the first few packets right after a connection established with the target machine or service. And such attacks are often launched via Telnet service as well. A lightweight network-based intrusion detection system is proposed on detecting such attacks on Telnet traffic. The proposed system filters the first a few packets after each Telnet connection established and only uses partial data of a packet rather than total of it to detect intrusion, i.e. such design makes system load reduced a lot. This research is anomaly detection. The proposed system characterizes the normal traffic behavior and constructs it as a normal model based on the filtered normal traffic. In detection phase, the system examines the deviation of current filtered packet from the normal model via an anomaly score function, i.e. a more deviate packet will receive a higher anomaly score. Finally, we use 1999 DARPA Intrusion Detection Evaluation Data Set which contains 5 days of training data and 10 days of testing data, and 44 attack instances of 16 types of attacks, to evaluate our proposed system. The proposed system has the detection rate of 73% under a low false alarm rate of 2 false alarms per day; 80% for the hard detected attacks which are poorly detected in 1999 DARPA IDEP.

Anomaly Detection

Intrusion Detection

Network Security

A novel approach to detecting covert DNS tunnels using throughput estimation

Himbeault, Michael

22 April 2014

In a world that relies heavily on data, protection of that data and of the motion of that data is of the utmost importance. Covert communication channels attempt to circumvent established methods of control, such as rewalls and proxies, by utilizing non-standard means of getting messages between two endpoints. The Domain Name System (DNS), the system that translates text-based resource names into machine-readable resource records, is a very common and e ective platform upon which covert channels can be built. This work proposes, and demonstrates the e ectiveness of, a novel technique that estimates data transmission throughput over DNS in order to identify the existence of a DNS tunnel against the background noise of legitimate network tra c. The proposed technique is robust in the face of the obfuscation techniques that are able to hide tunnels from existing detection methods.

dns

network security

entropy

covert channels

A Hybrid Framework for Intrusion Detection in Wireless Mesh Networks

Bin Aftab, Muhammad Usama

22 December 2015

Network security is an important domain in the field of computer engineering. Sensitive information flowing across computer networks is vulnerable to potential threats, therefore it is important to ensure their security. Wireless Mesh Networks (WMNs) are self-organized networks deployed in small proximity which have an wireless ad-hoc mesh topology. While they are cost effective and easy to deploy, they are extremely vulnerable to network intrusions due to no central switch or router. However, they can be secured using cryptographic techniques, firewalls or Demilitarized Zones (DMZs). Intrusion Detection Systems (IDSs) are used as a secondary line-of-defence in computer networks from possible intrusions. This thesis proposes a framework for a Hybrid Intrusion Detection System (HIDS) for WMN. / Graduate

wireless

mesh networks

intrusion detection

network security

Discovering U.S. Government Threat Hunting Processes And Improvements

William Pierce Maxam III (15339184)

24 April 2023

<p><strong>INTRODUCTION:</strong> Cyber Threat Hunting (TH) is the activity of looking for potential</p> <p>compromises that other cyber defenses may have missed. These compromises cost organiza-</p> <p>tions an estimated $10M each and an effective Threat Hunt can reduce this cost. TH is a</p> <p>new discipline and processes have not yet been standardized. Most TH teams operate with</p> <p>no defined process. This is a problem as repeatable processes are important for a mature</p> <p>TH team.</p> <p><strong>OBJECTIVES:</strong> This thesis offers a Threat Hunt process as well as lessons learned</p> <p>derived from government TH practice.</p> <p><strong>METHODS:</strong> To achieve this I conducted 12 interviews, 1 hour in length, with govern-</p> <p>ment threat hunters. The transcripts of these interviews were analyzed with process and</p> <p>thematic coding. The coding was validated with a second reviewer.</p> <p><strong>RESULTS:</strong> I present a novel TH process depicting the process followed by government</p> <p>threat hunters. Common challenges and suggested solutions brought up by threat hunters</p> <p>were also enumerated and described. The most common problems were minimal automation</p> <p>and missing measures of TH expertise. Challenges with open questions were also identified.</p> <p>Open questions include: determining how to identify the best data to collect, how to create</p> <p>a specific but not rigid process and how to measure and compare the effectiveness of TH pro-</p> <p>cesses. Finally, subjects also provided features that indicate expertise to TH team members</p> <p>and recommendations on how to best integrate newer members into a TH team.</p> <p><strong>CONCLUSION:</strong> This thesis offers a first look at government TH processes. In the short</p> <p>term, the process recommendations provided in this thesis can be implemented and tested.</p> <p>In the long term, experiments in this sensitive context remain an open challenge.</p>

System and network security

Threat Hunting

Cyberspace Operations

A new approach to designing firewall based on multidimensional matrix

Cheng, Y.Z., Wang, W.P., Min, Geyong, Wang, J.X.

27 November 2013

No / Firewalls are crucial elements to enhance network security by examining the field value of every packet and decide whether to accept or discard the packet according to the firewall policy. However, the design of firewall policies, especially for enterprise networks, is complex and error-prone. This paper aims to propose an effective firewall design method to ensure the consistency, compactness and completeness of firewall rules. Specifically, we develop a new designing model, namely firewall design matrix, and the corresponding construction algorithm for mapping firewall rules to firewall design matrix. A firewall generation algorithm is proposed to generate the target firewall rules that are equivalent to the original ones while maintaining the completeness. Theoretical proof and extensive experiments on both real-world and synthetic firewalls are conducted to evaluate the performance of the proposed method. The results demonstrate that it can achieve a high compression ratio efficiently while maintaining the firewall rules conflict-free. Copyright (c) 2013 John Wiley & Sons, Ltd.

Firewall

; Network security

; Firewall design

; Multidimensional matrix

Optimizations of Battery-Based Intrusion Protection Systems

Nelson, Theresa Michelle

03 June 2008

As time progresses, small mobile devices become more prevalent for both personal and industrial use, providing malicious network users with new and exciting venues for security exploits. Standard security applications, such as Norton Antivirus and MacAfee, require computing power, memory space, and operating system complexity that are not present in small mobile devices. Recently, the Battery-Sensing Intrusion Protection System (B-SIPS) was devised as a means to correct the inability of small mobile devices to protect themselves against network attacks. The B-SIPS application uses smart battery data in conjunction with process and network information to determine whether the mobile device is experiencing a battery depletion attack. Additionally, B-SIPS provides mobile device statistics to system administrators such that they can analyze the state of the wireless network more thoroughly. The research presented in this thesis collaborates with and extends the B-SIPS research through optimizations and validation. Areas of focus include ensuring public acceptance of the application through the implementation of a usability study and verifying that the deployment of the application will not jeopardize the performance of external mobile device applications. Additionally, this thesis describes how GUI optimizations are realized for both the B-SIPS client and CIDE server, how future smart battery hardware implementations are introduced for increased effectiveness with the B-SIPS application, and it discusses how an optimum deployment data transmission period is determined. / Master of Science

intrusion protection system

mobile device

network security

A Meta-Learning based IDS

Zhenyu Wan (18431475)

26 April 2024

<p dir="ltr">As the demand for IoT devices continues to grow, our reliance on networks in daily life increases. Whether we are considering individual users or large multinational companies, networks have become an essential asset for people across various industries. However, this dependence on networks also exposes us to security vulnerabilities when traffic is not adequately filtered. A successful attack on the network could have severe consequences for its users. Therefore, the implementation of a network intrusion detection system (IDS) is crucial to safeguard the well-being of our modern society.</p><p dir="ltr">While AI-based IDS is a new force in the field of intrusion detection, it outperforms some traditional approaches. However, it is not without its flaws. The performance of ML-based IDS decreases when applied to a different dataset than the one it was trained on. This decrease in performance hinders the ML-based IDS's ability to be used in a production environment, as the data generated in a production environment also differs from the data that is used to train the IDS. This paper aims to devise an ML-based IDS that is generalizable to a different environment.</p>

System and network security

IDS

network classification

Discovery of Triggering Relations and Its Applications in Network Security and Android Malware Detection

Zhang, Hao

30 November 2015

An increasing variety of malware, including spyware, worms, and bots, threatens data confidentiality and system integrity on computing devices ranging from backend servers to mobile devices. To address these threats, exacerbated by dynamic network traffic patterns and growing volumes, network security has been undergoing major changes to improve accuracy and scalability in the security analysis techniques. This dissertation addresses the problem of detecting the network anomalies on a single device by inferring the traffic dependence to ensure the root-triggers. In particular, we propose a dependence model for illustrating the network traffic causality. This model depicts the triggering relation of network requests, and thus can be used to reason about the occurrences of network events and pinpoint stealthy malware activities. The triggering relationships can be inferred by means of both rule-based and learning-based approaches. The rule-based approach originates from several heuristic algorithms based on the domain knowledge. The learning-based approach discovers the triggering relationship using a pairwise comparison operation that converts the requests into event pairs with comparable attributes. Machine learning classifiers predict the triggering relationship and further reason about the legitimacy of requests by enforcing their root-triggers. We apply our dependence model on the network traffic from a single host and a mobile device. Evaluated with real-world malware samples and synthetic attacks, our findings confirm that the traffic dependence model provides a significant source of semantic and contextual information that detects zero-day malicious applications. This dissertation also studies the usability of visualizing the traffic causality for domain experts. We design and develop a tool with a visual locality property. It supports different levels of visual based querying and reasoning required for the sensemaking process on complex network data. The significance of this dissertation research is in that it provides deep insights on the dependency of network requests, and leverages structural and semantic information, allowing us to reason about network behaviors and detect stealthy anomalies. / Ph. D.

Network Security

Stealthy Malware

Anomaly Detection

Um sistema para análise ativa de comportamento de firewall. / A system for active analysis of firewall behavior.

Barbosa, Ákio Nogueira

23 October 2006

Devido à importância dos firewalls para proteção de redes de computadores, muito se estuda no sentido do aprimoramento das técnicas de proteção e no desenvolvimento de novas técnicas para serem utilizadas na análise destes. Com enfoque neste tema, esta dissertação trata a respeito da viabilidade da técnica de injeção de pacotes e observação dos resultados para analisar o comportamento de firewalls de rede para a pilha TCP/IP, resultando em uma técnica alternativa para análise de firewalls. Para mostrar a validade da técnica foi proposta uma arquitetura e, como prova de conceito, foi implementado um protótipo do sistema de análise. Foram também efetuados alguns testes. A técnica de injeção de pacotes e observação dos resultados mostrou-se viável para algumas situações. Para outras, são necessárias estudos adicionais para redução da explosão combinatória. / Due to the importance of the firewalls for protection of network computers, a lot of studies has been done in order of the improvement of the protection techniques and in the development of new techniques to be used in the analysis of them. With focus in this theme, this thesis considers the viability of the technique of injection of packages and observation of the results to analyze the behavior of network firewalls for stack TCP/IP, resulting in an alternative technique for analysis of firewalls. To show the validity of the technique an architecture was proposed and, as a concept proof, a prototype of the analysis system was implemented. Also was implemented some tests. The technique of injection of packages and observation of the results reveled viable for some situations. For others, addictionals studies are necessary for reduction of the combinatory explosion.

Análise de firewall

Computer Network Security

Computer network security

Firewall Analysis

Firewall analysis

Segurança de redes de computadores