Characterizing InternetWorm Spatial-Temporal Infection Structures

Wang, Qian

15 October 2010

Since the Morris worm was released in 1988, Internet worms continue to be one of top security threats. For example, the Conficker worm infected 9 to 15 million machines in early 2009 and shut down the service of some critical government and medical networks. Moreover, it constructed a massive peer-to-peer (P2P) botnet. Botnets are zombie networks controlled by attackers setting out coordinated attacks. In recent years, botnets have become the number one threat to the Internet. The objective of this research is to characterize spatial-temporal infection structures of Internet worms, and apply the observations to study P2P-based botnets formed by worm infection. First, we infer temporal characteristics of the Internet worm infection structure, i.e., the host infection time and the worm infection sequence, and thus pinpoint patient zero or initially infected hosts. Specifically, we apply statistical estimation techniques on Darknet observations. We show analytically and empirically that our proposed estimators can significantly improve the inference accuracy. Second, we reveal two key spatial characteristics of the Internet worm infection structure, i.e., the number of children and the generation of the underlying tree topology formed by worm infection. Specifically, we apply probabilistic modeling methods and a sequential growth model. We show analytically and empirically that the number of children has asymptotically a geometric distribution with parameter 0.5, and the generation follows closely a Poisson distribution. Finally, we evaluate bot detection strategies and effects of user defenses in P2P-based botnets formed by worm infection. Specifically, we apply the observations of the number of children and demonstrate analytically and empirically that targeted detection that focuses on the nodes with the largest number of children is an efficient way to expose bots. However, we also point out that future botnets may self-stop scanning to weaken targeted detection, without greatly slowing down the speed of worm infection. We then extend the worm spatial infection structure and show empirically that user defenses, e.g., patching or cleaning, can significantly mitigate the robustness and the effectiveness of P2P-based botnets. To counterattack, we evaluate a simple measure by future botnets that enhances topology robustness through worm re-infection.

Internet worm tomography

Darknet

statistical estimation

host infection time

worm infection sequence

probabilistic modeling

worm infection family tree

botnet topology

detection

user defenses

Les marchés de drogues sur le darkweb : impacts des opérations de perturbation de la police

Gagné, Camille

07 1900

L’émergence des cryptomarchés, ayant mené au développement de nouvelles méthodes de distribution de drogues et autres produits et services illicites (Walsh et Phil, 2011), pose divers défis aux forces de l’ordre. Ces dernières, souhaitant limiter la portée de leurs actions, adoptent habituellement des stratégies similaires à celles utilisées auprès de réseaux de drogues traditionnels (Décary-Hétu et Giommoni, 2016). Toutefois, les différences entre ces marchés et ceux en ligne génèrent des questionnements quant à l’efficacité de ces techniques. Jusqu’à présent, peu d’études s’y sont intéressées, mais celles qui ont été recensées sont effectivement parvenues à des résultats peu enthousiastes. Ces recherches ont conclu que les activités tentées jusqu’à présent par la police n’avaient pas influencé le marché de façon significativement durable (Décary-Hétu et Giommoni, 2016; Van Buskirk, Roxburgh, Farrell et Burns; 2014; Soska et Christin, 2015). Dans cette optique, ce mémoire pose un regard sur l’impact d’une opération policière n’ayant toujours pas été analysée à ce jour, qui, en collaboration avec les services postaux, a mené à une arrestation et à plusieurs saisies en lien avec des vendeurs de cannabis canadiens opérant sur les cryptomarchés. Après avoir analysé les données recueillies selon un modèle d’évaluation d’impact considérant l’offre, la demande et le prix, les résultats démontrent qu’au contraire de ce que nous dicte la littérature, l’opération a eu pour effet de diminuer significativement à long terme certains indicateurs tels que le nombre de transactions, les parts des marchés de transactions, le nombre de vendeurs actifs, les revenus engendrés et les parts de marchés de revenus, le tout au sein du marché de cannabis canadien. Le modèle de prédiction utilisé, se basant sur des analyses de séries chronologiques interrompues (ARIMA), nous a permis de déterminer que l’opération étudiée avait contribué à éviter 2452 transactions sur ce qui était normalement prévu par la tendance pré-intervention, soulignant une baisse considérable de 101%, versus 91% internationalement (différence de 10%) 18 mois après le début de l’intervention. / The emergence of cryptomarkets, which has led to the development of new methods of distributing drugs and other illicit products and services (Walsh and Phil, 2011), poses various challenges to the police. The latter, wishing to limit the scope of their actions, usually adopt strategies similar to those used with traditional drug networks (Décary-Hétu and Giommoni, 2016). However, the differences between these markets and those online raise questions about the effectiveness of these techniques. So far, few studies have focused on that topic, but those that have been identified have achieved unenthusiastic results. This research concluded that the activities attempted to date by the police have not influenced the market in a significantly sustainable manner (Décary-Hétu and Giommoni, 2016, Van Buskirk, Roxburgh, Farrell and Burns, 2014, Soska and Christin, 2015). With this in mind, this Masters thesis looks at the impact of a police operation that has not yet been analyzed, which, in collaboration with the postal services, has made an arrest and several seizures in connection with cryptomarket sellers. After analyzing the data collected according to an impact evaluation model considering supply, demand and price, the results show that, contrary to what the literature dictates, the operation had the effect of reducing significantly long-term indicators such as the number of transactions, shares of trading markets, the number of active sellers, income generated and market share of income, all within the Canadian cannabis market. The prediction model used, based on interrupted time series analyzes (ARIMA), allowed us to determine that the study had avoided 2452 transactions normally planned by the trend before the intervention, showing us a considerable drop of 101%, comparatively to 91% internationally (difference of 10%) 18 months after the beginning of the intervention.

cryptomarchés

darknet

drogue

cannabis

marché

opération policière

perturbation

vendeur

cryptomarket

drug

market

police operation

disruption

seller

Visual tracking systém pro UAV

KOLÁŘ, Michal

January 2018

This master thesis deals with the analysis of the current possibilities for object tracking in the image, based on which is designed a procedure for creating a system capable of tracking an object of interest. Part of this work is designing virtual reality for the needs of implementation of the tracking system, which is finally deployed and tested on a real prototype of unmanned vehicle.