Anomaly detection techniques have the potential to secure web-based applications, although their high false positive rates and poor scalability prevent them from being deployed in practice. Most previous work has addressed part of this challenge by testing the effectiveness (accuracy) of HTTP anomaly detection algorithms, but has ignored their efficiency (or scalability). In this paper, we conduct an evaluation of the performance of anomaly detection algorithms in terms of both their accuracy and scalability. We conducted experiments for Deterministic Finite Automata (DFA) and N-Grams. The results suggest that both algorithms have limitations for practical usage, but DFA exhibit better performance than N-Grams. Several aspects of DFA are identified for further improvements.
{"title":"Comparative Analysis of HTTP Anomaly Detection Algorithms: DFA vs N-Grams","authors":"Li Lin, C. Leckie, C. Zhou","doi":"10.1109/NSS.2010.49","DOIUrl":"https://doi.org/10.1109/NSS.2010.49","url":null,"abstract":"Anomaly detection techniques have the potential to secure web-based applications, although their high false positive rates and poor scalability prevent them from being deployed in practice. Most previous work has addressed part of this challenge by testing the effectiveness (accuracy) of HTTP anomaly detection algorithms, but has ignored their efficiency (or scalability). In this paper, we conduct an evaluation of the performance of anomaly detection algorithms in terms of both their accuracy and scalability. We conducted experiments for Deterministic Finite Automata (DFA) and N-Grams. The results suggest that both algorithms have limitations for practical usage, but DFA exhibit better performance than N-Grams. Several aspects of DFA are identified for further improvements.","PeriodicalId":127173,"journal":{"name":"2010 Fourth International Conference on Network and System Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2010-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131189821","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Existing security models for RDF use RDF patterns for defining the security policy. This approach leads to a number of security rules which rapidly tends to be unmanageable. In this paper we define a new security model which follows the traditional approach of creating security views, which has long been used by SQL database administrators. Our model first logically distributes RDF data into SPARQL views and then it defines security rules regulating SPARQL access to views. Moreover our model supports rights delegation and dynamic security rules (i.e. rules which can be active or not, depending on the context).
{"title":"A View Based Access Control Model for SPARQL","authors":"A. Gabillon, Léo Letouzey","doi":"10.1109/NSS.2010.35","DOIUrl":"https://doi.org/10.1109/NSS.2010.35","url":null,"abstract":"Existing security models for RDF use RDF patterns for defining the security policy. This approach leads to a number of security rules which rapidly tends to be unmanageable. In this paper we define a new security model which follows the traditional approach of creating security views, which has long been used by SQL database administrators. Our model first logically distributes RDF data into SPARQL views and then it defines security rules regulating SPARQL access to views. Moreover our model supports rights delegation and dynamic security rules (i.e. rules which can be active or not, depending on the context).","PeriodicalId":127173,"journal":{"name":"2010 Fourth International Conference on Network and System Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2010-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116933918","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In the Internet age, Software security and piracy becomes a more and more important issue. In order to prevent software from piracy and unauthorized modification, various techniques have been developed. Among them is software watermarking which protects software through embedding some secret information into software as an identifier of the ownership of copyright for this software. This paper gives an new algorithm based on stack-state transition graph, watermarks is embed by adding additional code in the executable file, and extracted by recognizing the relationship of stack-state which processed in runtime. Analysis proves that our algorithm is more reliable.
{"title":"A Software Watermarking Algorithm Based on Stack-State Transition Graph","authors":"X. Jinchao, Zeng Guosun","doi":"10.1109/NSS.2010.51","DOIUrl":"https://doi.org/10.1109/NSS.2010.51","url":null,"abstract":"In the Internet age, Software security and piracy becomes a more and more important issue. In order to prevent software from piracy and unauthorized modification, various techniques have been developed. Among them is software watermarking which protects software through embedding some secret information into software as an identifier of the ownership of copyright for this software. This paper gives an new algorithm based on stack-state transition graph, watermarks is embed by adding additional code in the executable file, and extracted by recognizing the relationship of stack-state which processed in runtime. Analysis proves that our algorithm is more reliable.","PeriodicalId":127173,"journal":{"name":"2010 Fourth International Conference on Network and System Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2010-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129212853","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Intrusion Detection Systems (IDS) are integral components for the detection of malicious code and attacks. Detection methods can be differentiated in signature-based and anomaly-based systems. While the former ones search for well-known patterns which are available in a database, the latter ones build a model of the normal behavior of a network and later on attacks can be detected by measuring significant deviation of the network status against the normal behavior described by the model. Often this requires the availability of the payload of the network packets. If encryption protocols like SSL or SSH are used, searching for attack signatures in the payload is not possible any longer and also the usage of behavior based techniques is limited: Statistical methods like flow evaluation can be used for anomaly detection, but application level attacks hidden in the encrypted traffic can be undetectable. At the moment, only a few systems are designed to cope with encrypted network traffic. Even so, none of these systems can be easily deployed in general because of the need for protocol modifications, special infrastructures or because of high false alarm rates which are not acceptable in a production environment. In this paper, we propose a new IDS for encrypted traffic which identifies command sequences in encrypted network traffic and evaluates the attack possibility of them. The encrypted traffic is clustered and possibilities for different commands are calculated. Based on that, command sequences are analysed. The system evaluates probabilities for commands and command sequences and the likeliness for an attack based on the identified sequences without a decryption of the packets. Because of only using statistical data gathered from the network traffic, the system can be deployed in general. The current prototype of the system focuses on the command evaluation.
{"title":"Command Evaluation in Encrypted Remote Sessions","authors":"Robert Koch, G. Rodosek","doi":"10.1109/NSS.2010.62","DOIUrl":"https://doi.org/10.1109/NSS.2010.62","url":null,"abstract":"Intrusion Detection Systems (IDS) are integral components for the detection of malicious code and attacks. Detection methods can be differentiated in signature-based and anomaly-based systems. While the former ones search for well-known patterns which are available in a database, the latter ones build a model of the normal behavior of a network and later on attacks can be detected by measuring significant deviation of the network status against the normal behavior described by the model. Often this requires the availability of the payload of the network packets. If encryption protocols like SSL or SSH are used, searching for attack signatures in the payload is not possible any longer and also the usage of behavior based techniques is limited: Statistical methods like flow evaluation can be used for anomaly detection, but application level attacks hidden in the encrypted traffic can be undetectable. At the moment, only a few systems are designed to cope with encrypted network traffic. Even so, none of these systems can be easily deployed in general because of the need for protocol modifications, special infrastructures or because of high false alarm rates which are not acceptable in a production environment. In this paper, we propose a new IDS for encrypted traffic which identifies command sequences in encrypted network traffic and evaluates the attack possibility of them. The encrypted traffic is clustered and possibilities for different commands are calculated. Based on that, command sequences are analysed. The system evaluates probabilities for commands and command sequences and the likeliness for an attack based on the identified sequences without a decryption of the packets. Because of only using statistical data gathered from the network traffic, the system can be deployed in general. The current prototype of the system focuses on the command evaluation.","PeriodicalId":127173,"journal":{"name":"2010 Fourth International Conference on Network and System Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2010-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126005311","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Wael Kanoun, N. Cuppens-Boulahia, F. Cuppens, S. Dubus
With the growth of modern systems and infrastructures, automated and intelligent response systems become the holy grail of the security community. An interesting approach proposes to use dynamic access control policies to specify response policies for such systems. These policies should been forced when an ongoing attack, that threatens the monitored system, is detected. However, existing work do not present a clear methodology to specify the Response policies. In particular, the deactivation issue is not yet tackled. In this paper, we first present how to specify response policies. Second, a risk-aware framework is proposed to activate and deactivate response policies. Hence, the success likelihood of the threat, and the cumulative impact of both of the threat and the response, are all considered.
{"title":"Risk-Aware Framework for Activating and Deactivating Policy-Based Response","authors":"Wael Kanoun, N. Cuppens-Boulahia, F. Cuppens, S. Dubus","doi":"10.1109/NSS.2010.80","DOIUrl":"https://doi.org/10.1109/NSS.2010.80","url":null,"abstract":"With the growth of modern systems and infrastructures, automated and intelligent response systems become the holy grail of the security community. An interesting approach proposes to use dynamic access control policies to specify response policies for such systems. These policies should been forced when an ongoing attack, that threatens the monitored system, is detected. However, existing work do not present a clear methodology to specify the Response policies. In particular, the deactivation issue is not yet tackled. In this paper, we first present how to specify response policies. Second, a risk-aware framework is proposed to activate and deactivate response policies. Hence, the success likelihood of the threat, and the cumulative impact of both of the threat and the response, are all considered.","PeriodicalId":127173,"journal":{"name":"2010 Fourth International Conference on Network and System Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2010-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121714016","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Stepping stone attacks are often used by network intruders to hide their identities. The Round Trip Times (RTT) between the send packets and corresponding echo packets for the connection chains of stepping stones are critical for detecting such attacks. In this paper, we propose a novel real-time RTT getting algorithm for stepping stones which is based on the estimation of the current RTT value. Our experiments show that it is far more precise than the previous real-time RTT getting algorithms. We also present the probability analysis which shows that our algorithm has a high matching rate and a high accurate rate.
{"title":"Getting the Real-Time Precise Round-Trip Time for Stepping Stone Detection","authors":"Ping Li, Wanlei Zhou, Yini Wang","doi":"10.1109/NSS.2010.36","DOIUrl":"https://doi.org/10.1109/NSS.2010.36","url":null,"abstract":"Stepping stone attacks are often used by network intruders to hide their identities. The Round Trip Times (RTT) between the send packets and corresponding echo packets for the connection chains of stepping stones are critical for detecting such attacks. In this paper, we propose a novel real-time RTT getting algorithm for stepping stones which is based on the estimation of the current RTT value. Our experiments show that it is far more precise than the previous real-time RTT getting algorithms. We also present the probability analysis which shows that our algorithm has a high matching rate and a high accurate rate.","PeriodicalId":127173,"journal":{"name":"2010 Fourth International Conference on Network and System Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2010-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130050871","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
S. K. A. Khalid, J. Zimmermann, D. Corney, C. Fidge
Type unions, pointer variables and function pointers are a long standing source of subtle security bugs in C program code. Their use can lead to hard-to-diagnose crashes or exploitable vulnerabilities that allow an attacker to attain privileged access over classified data. This paper describes an automatable framework for detecting such weaknesses in C programs statically, where possible, and for generating assertions that will detect them dynamically, in other cases. Exclusively based on analysis of the source code, it identifies required assertions using a type inference system supported by a custom made symbol table. In our preliminary findings, our type system was able to infer the correct type of unions in different scopes, without manual code annotations or rewriting. Whenever an evaluation is not possible or is difficult to resolve, appropriate runtime assertions are formed and inserted into the source code. The approach is demonstrated via a prototype C analysis tool.
{"title":"Automatic Generation of Assertions to Detect Potential Security Vulnerabilities in C Programs That Use Union and Pointer Types","authors":"S. K. A. Khalid, J. Zimmermann, D. Corney, C. Fidge","doi":"10.1109/NSS.2010.63","DOIUrl":"https://doi.org/10.1109/NSS.2010.63","url":null,"abstract":"Type unions, pointer variables and function pointers are a long standing source of subtle security bugs in C program code. Their use can lead to hard-to-diagnose crashes or exploitable vulnerabilities that allow an attacker to attain privileged access over classified data. This paper describes an automatable framework for detecting such weaknesses in C programs statically, where possible, and for generating assertions that will detect them dynamically, in other cases. Exclusively based on analysis of the source code, it identifies required assertions using a type inference system supported by a custom made symbol table. In our preliminary findings, our type system was able to infer the correct type of unions in different scopes, without manual code annotations or rewriting. Whenever an evaluation is not possible or is difficult to resolve, appropriate runtime assertions are formed and inserted into the source code. The approach is demonstrated via a prototype C analysis tool.","PeriodicalId":127173,"journal":{"name":"2010 Fourth International Conference on Network and System Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2010-05-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133506603","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: