
2016 11th Asia Joint Conference on Information Security (AsiaJCIS): latest publications

An Identity Preserving Access Control Scheme with Flexible System Privilege Revocation in Cloud Computing
Pub Date : 2016-12-12 DOI: 10.1109/AsiaJCIS.2016.23
Rohit Ahuja, Sraban Kumar Mohanty, K. Sakurai
The advent of cloud computing motivates business organizations to migrate their complex data management systems from local servers to cloud servers for scalable and durable resources on a pay-per-use basis. Considering the enormous number of users and the large amount of documents at cloud servers, there is a requirement for an access control scheme which supports fine-grained and flexible access control along with a "Query-Response" mechanism to enable users to efficiently retrieve desired data from cloud servers. In addition, the scheme should support considerable flexibility to revoke system privileges from a user, such as restricting a user from sharing or retrieving data or both, i.e., flexible system privilege revocation, and most imperatively it should preserve the identity of data owner and consumer while sharing and retrieving data. Most access control schemes in cloud computing to date focus on restricting users from accessing data only. In this paper, we propose an identity preserving access control scheme to simultaneously realize the notions of scalability, fine-grained and flexible access control, efficient data utilization, identity preservation and flexible system privilege revocation. We extend Ciphertext-Policy Attribute-Set-Based Encryption (CP-ASBE) in a hierarchical structure of users to achieve scalability. In addition, a hybridization of proxy re-encryption and CP-ASBE is introduced to materialize the concept of flexible system privilege revocation. Furthermore, we formally prove the security of our proposed scheme based on the decisional bilinear Diffie-Hellman assumption. The efficacy of our scheme is depicted by performing comprehensive experiments.
Citations: 9
A Machine Learning Based Approach for Detecting DRDoS Attacks and Its Performance Evaluation
Pub Date : 2016-08-04 DOI: 10.1109/AsiaJCIS.2016.24
Yuxuan Gao, Yaokai Feng, Junpei Kawamoto, K. Sakurai
A DRDoS (Distributed Reflection Denial of Service) attack is a kind of DoS (Denial of Service) attack in which third-party servers are tricked into sending large amounts of data to the victims. That is, attackers use source IP address spoofing to hide their identity and cause third parties to send data to the victims identified by the source address field of the IP packet. This is called reflection because the servers of benign services are tricked into "reflecting" attack traffic to the victims. The most typical existing detection methods for such attacks are designed per protocol based on known attacks and have difficulty detecting unknown ones. According to our investigation, one protocol-independent detection method exists, which is based on the assumption that a strong linear relationship exists among the abnormal flows from the reflectors to the victim. Moreover, that method assumes that all packets from reflectors are attack packets during an attack, which is clearly not reasonable. In this study, we found five features that are effective for detecting DRDoS attacks, and we propose a method to detect DRDoS attacks using these features and machine learning algorithms. Its detection performance is examined experimentally, and the experimental results indicate that our proposal has clearly better detection performance.
Citations: 17
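As an added illustration of the flow-level view the abstract above describes (this is the editor's example, not code from the paper, and the five features below are this example's own choice rather than the five the authors selected), the following Python builds a per-victim feature vector from constructed NetFlow-style records. The point it makes is that a reflected reply has no matching outbound request from the victim, arrives from a well-known UDP service port, and carries far more bytes than the victim ever sent. The victim address, the flow records, the reflection-port list and the thresholds in `looks_like_drdos` are all assumptions.

```python
"""Flow-level feature extraction for DRDoS detection (constructed example).

The five features are this example's own choice for illustration; they are
not the five features selected in the paper.
"""

# UDP services widely abused as reflectors/amplifiers (assumed list).
REFLECTION_PORTS = {19, 53, 111, 123, 161, 389, 1900, 11211}

VICTIM = "203.0.113.7"

# Constructed NetFlow-style records as seen at the victim's network edge:
# (src_ip, dst_ip, proto, src_port, dst_port, packets, bytes)
FLOWS = [
    (VICTIM, "192.0.2.10", "udp", 51000, 53, 1, 70),        # legitimate DNS query
    ("192.0.2.10", VICTIM, "udp", 53, 51000, 1, 120),       # ... and its answer
    (VICTIM, "192.0.2.20", "tcp", 52000, 443, 10, 1200),    # legitimate HTTPS
    ("192.0.2.20", VICTIM, "tcp", 443, 52000, 12, 9000),
    ("198.51.100.1", VICTIM, "udp", 123, 4444, 40, 18800),  # NTP reply never requested
    ("198.51.100.2", VICTIM, "udp", 123, 4444, 35, 16450),
    ("198.51.100.3", VICTIM, "udp", 1900, 4444, 20, 6000),  # SSDP reply never requested
    ("198.51.100.4", VICTIM, "udp", 53, 4444, 30, 12000),   # DNS reply never requested
]


def inbound_rows(flows, victim):
    """One feature row per flow arriving at the victim.

    A reply is solicited only if the victim sent a flow to the same host with
    the ports mirrored; a reflected reply to a spoofed request has no such
    outbound half, because the request left the attacker's network, not ours.
    """
    requests = {}
    for src, dst, proto, sport, dport, pkts, nbytes in flows:
        if src == victim:
            requests[(dst, proto, dport, sport)] = nbytes  # keyed the way the reply will look
    rows = []
    for src, dst, proto, sport, dport, pkts, nbytes in flows:
        if dst != victim:
            continue
        req_bytes = requests.get((src, proto, sport, dport))
        rows.append({
            "src": src,
            "unsolicited": req_bytes is None,
            "reflection_port": proto == "udp" and sport in REFLECTION_PORTS,
            "amplification": nbytes / req_bytes if req_bytes else float("inf"),
            "bytes_per_pkt": nbytes / pkts,
            "bytes": nbytes,
        })
    return rows


def window_features(flows, victim):
    """Five per-victim features for one time window: the vector a classifier sees."""
    rows = inbound_rows(flows, victim)
    n = len(rows) or 1
    in_bytes = sum(r["bytes"] for r in rows)
    out_bytes = sum(f[6] for f in flows if f[0] == victim)
    return {
        "n_sources": len({r["src"] for r in rows}),
        "unsolicited_ratio": sum(r["unsolicited"] for r in rows) / n,
        "reflection_port_ratio": sum(r["reflection_port"] for r in rows) / n,
        "byte_amplification": in_bytes / max(out_bytes, 1),
        "mean_bytes_per_pkt": sum(r["bytes_per_pkt"] for r in rows) / n,
    }


def looks_like_drdos(feat):
    """Illustrative hand-set thresholds; the paper's setting replaces this rule
    with a classifier trained on labelled windows."""
    return feat["unsolicited_ratio"] > 0.5 and feat["byte_amplification"] > 10


if __name__ == "__main__":
    feat = window_features(FLOWS, VICTIM)
    for name, value in feat.items():
        print(f"{name:>22}: {value:.3f}")
    print("DRDoS suspected:", looks_like_drdos(feat))
```

The per-row output of `inbound_rows` is what a protocol-independent classifier would be trained on: it never looks at the payload or at which service is being abused, only at whether the traffic was asked for and how much of it there is.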
Implementation Experiences and Design Challenges for Resilient SDN Based Secure WAN Overlays
Pub Date : 2016-08-01 DOI: 10.1109/AsiaJCIS.2016.25
Markku Vajaranta, Joona Kannisto, J. Harju
Mobile computing devices, industrial control systems, and service provider clouds often need to be connected to each other over wide area networks. However, reliability, quality of service and confidentiality are challenging in such setups. Moreover, isolated appliances and physical equipment face harsh environmental conditions. In this paper we explore the design of secure layer 2 overlay networks using Software Defined Networking (SDN), and the challenges in implementing them with open source tools.
Citations: 5
Migrant Attack: A Multi-resource DoS Attack on Cloud Virtual Machine Migration Schemes
Pub Date : 2016-08-01 DOI: 10.1109/AsiaJCIS.2016.14
Jia-Rung Yeh, H. Hsiao, Ai-Chun Pang
Live virtual machine (VM) migration is the core technology in elastic cloud computing. With live VM migration, cloud providers can improve resource use and quality of service by adjusting VM placement on demand. However, live migration is expensive because of high CPU usage and its negative effect on co-located VMs, and frequent live migration thus severely undermines the performance of the cloud. Although existing dynamic allocation schemes are designed to minimize the number of live migrations, this study demonstrates that a denial-of-service adversary can cause excessive live migrations by exploiting dynamic allocation. The attack, which we term the migrant attack, deliberately varies the resource usage of a malicious VM to trigger live migration. A crucial feature of the migrant attack is that even if VMs on the same physical machine are perfectly isolated through virtualization, a malicious VM can still affect the availability of the co-located VMs. As a proof of concept, we investigated two common VM allocation schemes: load balancing and consolidation. We evaluated the effectiveness of the attack using both simulations and testbed experiments. We also discuss several potential countermeasures, such as enforcing another layer of isolation between malicious and harmless VMs in dynamic allocation schemes.
Citations: 7
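To make the migrant-attack mechanism concrete, here is an added simulation written for this page (not the paper's code, and the two allocation rules are toy versions of load balancing and consolidation, not the schemes the authors evaluated): two hosts, a threshold-based balancer, a threshold-based consolidator, and one VM that alternates its own usage between idle and a burst. The placement, thresholds and usage figures are assumptions. Counting migrations with a steady tenant against an oscillating one shows how a single VM, without breaking out of its isolation, keeps the allocator moving its neighbours around.

```python
"""Constructed simulator for the migrant-attack idea: a VM that oscillates its
own resource usage makes a threshold-based dynamic allocator live-migrate VMs
over and over. The two policies below are toy load balancing and toy
consolidation, not the allocation schemes evaluated in the paper."""

HIGH, LOW = 80, 20  # host utilisation thresholds; each host has capacity 100


class Cloud:
    def __init__(self, placement):
        # placement: {host: {vm: usage}}
        self.hosts = {h: dict(vms) for h, vms in placement.items()}
        self.migrations = []  # (tick, vm, src_host, dst_host)

    def load(self, host):
        return sum(self.hosts[host].values())

    def _migrate(self, tick, vm, src, dst):
        self.hosts[dst][vm] = self.hosts[src].pop(vm)
        self.migrations.append((tick, vm, src, dst))

    def balance(self, tick):
        """Load balancing: while a host exceeds HIGH, move its smallest VM to the
        least-loaded other host that can take it without itself exceeding HIGH."""
        for h in list(self.hosts):
            while self.load(h) > HIGH and self.hosts[h]:
                vm, use = min(self.hosts[h].items(), key=lambda kv: kv[1])
                others = sorted((o for o in self.hosts if o != h), key=self.load)
                dst = next((o for o in others if self.load(o) + use <= HIGH), None)
                if dst is None:
                    break  # nowhere to put it; the host stays overloaded
                self._migrate(tick, vm, h, dst)

    def consolidate(self, tick):
        """Consolidation: a host below LOW is emptied onto the fullest hosts that
        still have room, so that it can be powered down."""
        for h in list(self.hosts):
            if 0 < self.load(h) < LOW:
                for vm, use in list(self.hosts[h].items()):
                    others = sorted((o for o in self.hosts if o != h),
                                    key=self.load, reverse=True)
                    dst = next((o for o in others if self.load(o) + use <= HIGH), None)
                    if dst is not None:
                        self._migrate(tick, vm, h, dst)

    def run(self, usage_fn, ticks):
        for t in range(ticks):
            for vms in self.hosts.values():
                for vm in vms:
                    vms[vm] = usage_fn(vm, t)
            self.balance(t)
            self.consolidate(t)
        return self.migrations


# Assumed initial placement and steady-state usage of four tenants.
PLACEMENT = {"hostA": {"b1": 25, "b2": 25, "mal": 15}, "hostB": {"b3": 10}}
STEADY = {"b1": 25, "b2": 25, "b3": 10, "mal": 15}


def steady_usage(vm, tick):
    return STEADY[vm]


def oscillating_usage(vm, tick):
    # The attacker's VM swings between idle and a burst on alternate ticks;
    # everyone else behaves exactly as in the steady scenario.
    if vm == "mal":
        return 60 if tick % 2 == 0 else 15
    return STEADY[vm]


def count_migrations(usage_fn, ticks=10):
    moves = Cloud(PLACEMENT).run(usage_fn, ticks)
    return {"total": len(moves),
            "benign_vms_moved": sum(1 for _, vm, _, _ in moves if vm != "mal")}


if __name__ == "__main__":
    print("steady tenant    :", count_migrations(steady_usage))
    print("oscillating tenant:", count_migrations(oscillating_usage))
```

With a steady tenant the allocator settles after one consolidation; with the oscillating one it bounces the benign VMs between hosts on every burst and pulls the attacker back on every lull, so most of the migration cost lands on tenants that never changed their behaviour.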
Comparing Malware Samples for Unpacking: A Feasibility Study
Pub Date : 2016-08-01 DOI: 10.1109/AsiaJCIS.2016.28
Ryoichi Isawa, M. Morii, D. Inoue
When an analyst examines a malware binary to obtain useful information for defense and mitigation, she is often required to extract its original binary first. Packing is the reason for this. Usually, malware authors pack (encrypt and/or compress) their malware to hinder code analysis, making it necessary for analysts to spend a great deal of time on unpacking. Towards effective malware analysis, this paper presents an automated original-entry-point detector called OEPdet. If the original entry point (OEP) of malware is found after the malware is executed, an analyst can smoothly begin to examine the original binary starting at the OEP. OEPdet takes two malware samples as input to find the part of the original binary shared between those samples. It then detects the OEP based on that shared binary. This is based on the fact that many malware samples are generated from a variety of source code shared with others at function or snippet granularity. Experiments using some malware samples confirm that OEPdet is feasible for detecting the OEP.
Citations: 2
Novel Design of Fair Exchange Protocol for Semi-trusted Server and Its Application in Cloud Environment
Pub Date : 2016-08-01 DOI: 10.1109/AsiaJCIS.2016.22
Chih-Hung Wang, Chien-Ming Wang
Messages are exchanged in a fair manner if, after the protocol, both exchanging parties simultaneously obtain their desired messages or neither of them gets useful information. Since network communication is time consuming, the major approach to this issue is to develop an off-line trusted third party (off-line TTP) which gets involved in the exchange procedure only if at least one party is dishonest in delivering her/his messages. This paper focuses on a new design for the semi-trusted server that can be easily implemented and, compared with Franklin and Reiter's approach, eliminates the assumption of a private channel between the two parties. Furthermore, this kind of design can also be used for fair exchange of encrypted messages in a cloud computing environment, that is, if two parties want to exchange messages stored in the cloud in encrypted form, the TTP acts as a proxy server to help them by fairly re-encrypting these two ciphertexts in an efficient way.
Citations: 4
Integration of Multi-modal Features for Android Malware Detection Using Linear SVM
Pub Date : 2016-08-01 DOI: 10.1109/AsiaJCIS.2016.29
Tao Ban, Takeshi Takahashi, Shanqing Guo, D. Inoue, K. Nakao
In light of the rapid growth of malware threats towards the Android platform, there is a pressing need to develop effective solutions. In this paper we explore the potential of multi-modal features to enhance detection accuracy while keeping false alarms low. Examined features include the permissions, Application Programming Interface (API) calls, and meta features such as the category information and Application Package (APK) descriptions. These multi-modal features are coded in a way that facilitates efficient learning and testing with a particular classifier, the linear support vector machine (SVM). Experiments show that our proposed method obtains an accuracy of more than 94%, outperforming conventional methods by a large margin. By employing high-performance learning tools, training and testing can be done in a very time-efficient fashion for large-scale and high-dimensional data.
Citations: 25
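An added example (the editor's, not the authors' code or dataset) of how permission, API-call and meta-data features can be coded into one sparse binary vector per app and fed to a primal linear SVM. The six apps, their features and the hyper-parameters are assumptions, and the SVM is trained here with the Pegasos sub-gradient method in plain Python rather than the high-performance learning tools the abstract refers to; the point is the feature coding, which keeps the modalities distinguishable and lets a linear model stay cheap on high-dimensional input.

```python
"""Constructed example: encode permissions, API calls and APK meta-data as one
sparse binary vector per app and train a linear SVM on it with the Pegasos
sub-gradient method. The six apps below are made up for illustration; the
paper's dataset and feature coding are not reproduced here."""

# Each constructed sample: (label, permissions, API calls, category, description tokens)
APPS = [
    (+1, {"SEND_SMS", "READ_SMS", "RECEIVE_BOOT_COMPLETED"},
         {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId"},
         "tools", {"free", "wallpaper"}),
    (+1, {"SEND_SMS", "READ_PHONE_STATE"},
         {"SmsManager.sendTextMessage", "Runtime.exec"},
         "game", {"free", "game"}),
    (+1, {"READ_PHONE_STATE", "INTERNET", "RECEIVE_BOOT_COMPLETED"},
         {"TelephonyManager.getDeviceId", "DexClassLoader.<init>", "Runtime.exec"},
         "tools", {"battery", "booster"}),
    (-1, {"INTERNET", "ACCESS_NETWORK_STATE"},
         {"HttpURLConnection.connect", "SharedPreferences.edit"},
         "news", {"news", "reader"}),
    (-1, {"INTERNET", "CAMERA"},
         {"Camera.open", "HttpURLConnection.connect"},
         "photography", {"photo", "editor"}),
    (-1, {"INTERNET", "ACCESS_FINE_LOCATION"},
         {"LocationManager.requestLocationUpdates", "HttpURLConnection.connect"},
         "travel", {"map", "guide"}),
]


def encode(perms, apis, category, tokens):
    """Multi-modal features become one set of named binary features. The
    modality prefix keeps the permission INTERNET distinct from a description
    token "internet"; a sparse set is all a linear model needs."""
    feats = {"perm:" + p for p in perms}
    feats |= {"api:" + a for a in apis}
    feats.add("cat:" + category)
    feats |= {"tok:" + t.lower() for t in tokens}
    feats.add("bias")
    return feats


def dot(w, feats):
    return sum(w.get(f, 0.0) for f in feats)


def train_pegasos(samples, lam=0.01, iterations=2000):
    """Primal linear SVM: minimise lam/2*|w|^2 + mean hinge loss by cycling
    through the samples with step 1/(lam*t) (the Pegasos update)."""
    w = {}
    for t in range(1, iterations + 1):
        y, feats = samples[(t - 1) % len(samples)]
        eta = 1.0 / (lam * t)
        scale = 1.0 - eta * lam          # regularisation shrink, 1 - 1/t
        for f in w:
            w[f] *= scale
        if y * dot(w, feats) < 1.0:      # inside the margin: take the hinge step
            for f in feats:
                w[f] = w.get(f, 0.0) + eta * y
    return w


def predict(w, feats):
    return 1 if dot(w, feats) > 0 else -1


def training_run():
    """Train on the constructed apps; returns the weights and training accuracy."""
    samples = [(y, encode(p, a, c, d)) for y, p, a, c, d in APPS]
    w = train_pegasos(samples)
    correct = sum(predict(w, f) == y for y, f in samples)
    return w, correct / len(samples)


if __name__ == "__main__":
    w, acc = training_run()
    print(f"training accuracy: {acc:.2f}")
    for f, v in sorted(w.items(), key=lambda kv: -abs(kv[1]))[:6]:
        print(f"{v:+.3f}  {f}")
    unseen = encode({"SEND_SMS"}, {"SmsManager.sendTextMessage"}, "game", {"free"})
    print("unseen SMS-sending app:", "malware" if predict(w, unseen) > 0 else "benign")
```

Because every feature is a named binary indicator, the weights are directly readable: after training, the SMS permission and `SmsManager.sendTextMessage` carry positive weight and `HttpURLConnection.connect` negative, which is the kind of inspection a linear model allows and a deep one does not.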
An Improvement Data Hiding Scheme Based on Formula Fully Exploiting Modification Directions and Pixel Value Differencing Method
Pub Date : 2016-08-01 DOI: 10.1109/AsiaJCIS.2016.20
W. Kuo, Jyun-Jia Li, Chun-Cheng Wang, Lih-Chyau Wuu, Yu-Chih Huang
Recently, a modified data hiding scheme based on pixel value differencing and improved exploiting modification directions was proposed by Shen and Huang. There are two major contributions in this scheme. One is an enhanced embedding rate with good embedding capacity, and the other is an optimization problem used to solve the overflow/underflow problem. In fact, they propose a similar brute-force method to solve the overflow/underflow problem in their scheme. To overcome the overflow/underflow problem exactly, we propose a closed form to solve this problem in this paper. Then, an improved data hiding scheme based on FFEMD (Formula Fully Exploiting Modification Directions) and the pixel value differencing method is proposed. According to our analysis, it not only keeps the advantages of the Shen-Huang scheme but also uses the closed form to solve the overflow/underflow problem.
Citations: 5
Defense Joint Attacks Based on Stochastic Discrete Sequence Anomaly Detection
Pub Date : 2016-08-01 DOI: 10.1109/AsiaJCIS.2016.18
Chia-Mei Chen, G. Lai, P. Young
To evade detection, hackers may use a botnet, a set of compromised machines, to attempt to gain access to a target; the bot machines report the results to the command and control server after the instructed attack has been performed. As the machines which explore or attempt to log in to the target might be captured and blocked by the defense mechanism installed in the network, the hacker would use another clean zombie machine to log in to the target using the access information collected by the botnet. Such an attack sequence is called a "Scouts-and-Commander" joint attack, where scouts take charge of scanning and exploring the vulnerability of a target and the commander launches the precise strike using the correct login information provided by the scouts. Because the detection system would consider that access normal, it is hard to identify such a collaborative attack. In order to identify the attack sequence, this study correlates network information and system logs to find the attack sequence and identifies the potential scouts and commanders at an early stage, before real damage has been done. In this paper, a hidden Markov model, often used to describe sequential data, is adopted to forecast possible joint attacks and to prevent real damage. The experimental results show that the proposed defense mechanism can identify joint attacks at an early stage efficiently and prevent further damage in the networks.
Citations: 6
Wamber: Defending Web Sites on Hosting Services with Self-Learning Honeypots
Pub Date : 2016-08-01 DOI: 10.1109/AsiaJCIS.2016.32
Satomi Saito, S. Torii, K. Yoshioka, Tsutomu Matsumoto
Web sites today are highly diverse in purpose and structure, and many of them run on hosting services. A hosting service is a network service that outsources the construction and maintenance of servers, so web site operators are freed from hardware setup and server maintenance. On the other hand, web sites are exposed to cyber attacks. To counter those attacks, hosting service providers should monitor their web sites. However, in many cases it is difficult for the service providers to analyze such attacks with full information because of contracts on the protection of personal information. As another approach, it is effective to construct server-side honeypots and observe malicious access to them. Unfortunately, honeypots cannot always observe all types of attacks because of the diversity of web sites. In this paper, we propose a novel approach for maintaining security intelligence and strengthening countermeasures against web attacks on a hosting service. Our approach helps service providers protect their customers' web sites by combining the analysis of IDS logs and web access logs provided by these sites with dedicated honeypots for observing web attacks. The honeypots keep learning interactions from the actual hosted sites and attract attackers by mimicking the sites, in order to gain intelligence on malicious web attacks. We also describe a case study on a hosting service at our university, in which suspicious requests are confirmed to be malicious by our approach.
Citations: 1