Anomaly detection in computer networks is an actively researched topic in the field of intrusion detection. The Internet Analysis System (IAS) is a software framework which provides passive probes and centralized backend services to collect purely statistical network data in distributed computer networks. This paper presents an empirical evaluation of the IAS data format for detecting anomalies, caused by attack traffic. This process involved the generation of labeled evaluation data based on the 1999 DARPA Intrusion Detection Evaluation data sets and two different supervised machine learning approaches for the assessment. The results of this evaluation conclude, that the IAS is not a convenient data source for advanced anomaly detection in the scope of our research.
{"title":"Empirical Evaluation of the Internet Analysis System for Application in the Field of Anomaly Detection","authors":"Harald Lampesberger","doi":"10.1109/EC2ND.2010.10","DOIUrl":"https://doi.org/10.1109/EC2ND.2010.10","url":null,"abstract":"Anomaly detection in computer networks is an actively researched topic in the field of intrusion detection. The Internet Analysis System (IAS) is a software framework which provides passive probes and centralized backend services to collect purely statistical network data in distributed computer networks. This paper presents an empirical evaluation of the IAS data format for detecting anomalies, caused by attack traffic. This process involved the generation of labeled evaluation data based on the 1999 DARPA Intrusion Detection Evaluation data sets and two different supervised machine learning approaches for the assessment. The results of this evaluation conclude, that the IAS is not a convenient data source for advanced anomaly detection in the scope of our research.","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":"26 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114713032","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The widely–used Universal Serial Bus (USB) exposes a physical attack vector which has received comparatively little attention in the past. While most research on device driver vulnerabilities concentrated on wireless protocols, we show that USB device drivers provide the same potential for vulnerabilities but offer a larger attack surface resulting from the universal nature of the USB protocol. To demonstrate the effectiveness of fuzzing USB device drivers, we present our prototypical implementation of a mutation–based, man-in-the-middle USB fuzzing framework based on an emulated environment. We practically applied our framework to fuzz the communication between an Apple iPod device and a WindowsXP system. This way, we found several potential vulnerabilities. This supports our claim that the USB architecture exposes real attack vectors and should be considered when assessing the physical security of computer systems in the future.
{"title":"USB Device Drivers: A Stepping Stone into Your Kernel","authors":"M. Jodeit, Martin Johns","doi":"10.1109/EC2ND.2010.16","DOIUrl":"https://doi.org/10.1109/EC2ND.2010.16","url":null,"abstract":"The widely–used Universal Serial Bus (USB) exposes a physical attack vector which has received comparatively little attention in the past. While most research on device driver vulnerabilities concentrated on wireless protocols, we show that USB device drivers provide the same potential for vulnerabilities but offer a larger attack surface resulting from the universal nature of the USB protocol. To demonstrate the effectiveness of fuzzing USB device drivers, we present our prototypical implementation of a mutation–based, man-in-the-middle USB fuzzing framework based on an emulated environment. We practically applied our framework to fuzz the communication between an Apple iPod device and a WindowsXP system. This way, we found several potential vulnerabilities. This supports our claim that the USB architecture exposes real attack vectors and should be considered when assessing the physical security of computer systems in the future.","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":"208 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132014052","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We propose an approach in the form of a light weight smart fuzzer to generate string based inputs to detect buffer overflow vulnerability in C code. The approach is based on an evolutionary algorithm which is a combination of genetic algorithm and evolutionary strategies. In this preliminary work we focus on the problem that there are constraints on string inputs that must be satisfied in order to reach the vulnerable statement in the code and we have very little or no knowledge about them. Unlike other similar approaches, our approach is able to generate such inputs without knowing these constraints explicitly. It learns these constraints automatically while generating inputs dynamically by executing the vulnerable program. We provide few empirical results on a benchmarking dataset-Verisec suite of programs.
{"title":"An Evolutionary Computing Approach for Hunting Buffer Overflow Vulnerabilities: A Case of Aiming in Dim Light","authors":"S. Rawat, L. Mounier","doi":"10.1109/EC2ND.2010.14","DOIUrl":"https://doi.org/10.1109/EC2ND.2010.14","url":null,"abstract":"We propose an approach in the form of a light weight smart fuzzer to generate string based inputs to detect buffer overflow vulnerability in C code. The approach is based on an evolutionary algorithm which is a combination of genetic algorithm and evolutionary strategies. In this preliminary work we focus on the problem that there are constraints on string inputs that must be satisfied in order to reach the vulnerable statement in the code and we have very little or no knowledge about them. Unlike other similar approaches, our approach is able to generate such inputs without knowing these constraints explicitly. It learns these constraints automatically while generating inputs dynamically by executing the vulnerable program. We provide few empirical results on a benchmarking dataset-Verisec suite of programs.","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126036880","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
G. Klein, H. Rogge, F. Schneider, Jens Toelle, M. Jahnke, S. Karsch
Even though Intrusion Detection Systems (IDS) are in wide-spread use, the question of how to efficiently initiate responses to detected attacks has been discussed far less often, especially in highly dynamic scenarios such as tactical MANETs. Despite being ???exible and robust in their ability to self-organize, these MANETS are distinctly more susceptible to attacks than their wired counterparts. Especially in military settings such as the interconnection of infantrymen or autonomous robots, remote initiation of countermeasures is critical since local administrative personnel may not be available. In this contribution we present an architecture for response initiation that is specifically tailored to the requirements intrinsic to mobile ad hoc networks in these settings. First we introduce IRMEF (Intrusion Response Message Exchange Format) as a means of specifying and parameterizing responses remotely which is an extension of the IDMEF RFC, an experimental yet well-established and recommended IETF draft for formatting event messages. Response initiation messages are dispatched from a central location via a secure, reliable, and robust communication infrastructure based on SNMPv3. An Authenticated Flooding service ensures that messages are delivered to their destination even while the network is under attack. Locally installed responder components are responsible for the application of the response measure. These mechanisms are designed and implemented explicitly with the limitations in mind which are imposed by the MANET operating environment: For example, resource constraints are taken into account by avoiding bandwidth intensive message formats, and the use of an intelligent ???ooding mechanism ensures resiliency under routing attacks.
{"title":"Response Initiation in Distributed Intrusion Response Systems for Tactical MANETs","authors":"G. Klein, H. Rogge, F. Schneider, Jens Toelle, M. Jahnke, S. Karsch","doi":"10.1109/EC2ND.2010.11","DOIUrl":"https://doi.org/10.1109/EC2ND.2010.11","url":null,"abstract":"Even though Intrusion Detection Systems (IDS) are in wide-spread use, the question of how to efficiently initiate responses to detected attacks has been discussed far less often, especially in highly dynamic scenarios such as tactical MANETs. Despite being ???exible and robust in their ability to self-organize, these MANETS are distinctly more susceptible to attacks than their wired counterparts. Especially in military settings such as the interconnection of infantrymen or autonomous robots, remote initiation of countermeasures is critical since local administrative personnel may not be available. In this contribution we present an architecture for response initiation that is specifically tailored to the requirements intrinsic to mobile ad hoc networks in these settings. First we introduce IRMEF (Intrusion Response Message Exchange Format) as a means of specifying and parameterizing responses remotely which is an extension of the IDMEF RFC, an experimental yet well-established and recommended IETF draft for formatting event messages. Response initiation messages are dispatched from a central location via a secure, reliable, and robust communication infrastructure based on SNMPv3. An Authenticated Flooding service ensures that messages are delivered to their destination even while the network is under attack. Locally installed responder components are responsible for the application of the response measure. These mechanisms are designed and implemented explicitly with the limitations in mind which are imposed by the MANET operating environment: For example, resource constraints are taken into account by avoiding bandwidth intensive message formats, and the use of an intelligent ???ooding mechanism ensures resiliency under routing attacks.","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":"11 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127697187","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
V. Kemerlis, Vasilis Pappas, G. Portokalidis, A. Keromytis
Data loss incidents, where data of sensitive nature are exposed to the public, have become too frequent and have caused damages of millions of dollars to companies and other organizations. Repeatedly, information leaks occur over the Internet, and half of the time they are accidental, caused by user negligence, misconfiguration of software, or inadequate understanding of an application’s functionality. This paper presents iLeak, a lightweight, modular system for detecting inadvertent information leaks. Unlike previous solutions, iLeak builds on components already present in modern computers. In particular, we employ system tracing facilities and data indexing services, and combine them in a novel way to detect data leaks. Our design consists of three components: uaudits are responsible for capturing the information that exits the system, while Inspectors use the indexing service to identify if the transmitted data belong to files that contain potentially sensitive information. The Trail Gateway handles the communication and synchronization of uaudits and Inspectors. We implemented iLeak on Mac OS X using DTrace and the Spotlight indexing service. Finally, we show that iLeak is indeed lightweight, since it only incurs 4% overhead on protected applications.
由于敏感数据暴露在公众面前,数据丢失事件变得过于频繁,给公司和其他组织造成了数百万美元的损失。在Internet上经常发生信息泄漏,而且有一半的情况是偶然的,是由用户疏忽、软件配置错误或对应用程序功能理解不足造成的。本文介绍了illeak,一个轻量级的模块化系统,用于检测无意的信息泄漏。与以前的解决方案不同,illeak建立在现代计算机中已经存在的组件上。特别是,我们采用系统跟踪工具和数据索引服务,并以一种新颖的方式将它们结合起来检测数据泄漏。我们的设计由三个组件组成:审计人员负责捕获退出系统的信息,而检查人员使用索引服务来识别传输的数据是否属于包含潜在敏感信息的文件。Trail Gateway处理审计人员和检查人员之间的通信和同步。我们使用DTrace和Spotlight索引服务在Mac OS X上实现了illeak。最后,我们展示了illeak确实是轻量级的,因为它只对受保护的应用程序产生4%的开销。
{"title":"iLeak: A Lightweight System for Detecting Inadvertent Information Leaks","authors":"V. Kemerlis, Vasilis Pappas, G. Portokalidis, A. Keromytis","doi":"10.1109/EC2ND.2010.13","DOIUrl":"https://doi.org/10.1109/EC2ND.2010.13","url":null,"abstract":"Data loss incidents, where data of sensitive nature are exposed to the public, have become too frequent and have caused damages of millions of dollars to companies and other organizations. Repeatedly, information leaks occur over the Internet, and half of the time they are accidental, caused by user negligence, misconfiguration of software, or inadequate understanding of an application’s functionality. This paper presents iLeak, a lightweight, modular system for detecting inadvertent information leaks. Unlike previous solutions, iLeak builds on components already present in modern computers. In particular, we employ system tracing facilities and data indexing services, and combine them in a novel way to detect data leaks. Our design consists of three components: uaudits are responsible for capturing the information that exits the system, while Inspectors use the indexing service to identify if the transmitted data belong to files that contain potentially sensitive information. The Trail Gateway handles the communication and synchronization of uaudits and Inspectors. We implemented iLeak on Mac OS X using DTrace and the Spotlight indexing service. Finally, we show that iLeak is indeed lightweight, since it only incurs 4% overhead on protected applications.","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":"8 6","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132398298","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Georgios Kontaxis, Iasonas Polakis, S. Antonatos, E. Markatos
Monitoring large chunks of unused IP address space yields interesting observations and useful results. However, the volume and diversity of the collected data makes the extraction of information a challenging task. Additionally, the maintenance of the monitoring infrastructure is another demanding and time-consuming effort. To overcome these problems, we present several visualization techniques that enable users to observe what happens in their unused address space over arbitrary time periods and provide the necessary tools for administrators to monitor their infrastructure. Our approach, which is based on open-source standard technologies, transforms the raw information at the network level and provides a customized and Web-accessible view. In this paper, we present the design, implementation and early experiences of the visualization techniques and tools deployed for the NoAH project, a large-scale honey pot-based infrastructure. Additionally, we provide a traffic analysis of data collected over a six month period of our infrastructure's operation. During the data collection period, we observed that the number of attackers continually increased as did the volume of traffic they generated. Furthermore, interesting patterns for specific types of traffic have been identified, such as the diurnal cycle of the traffic targeting TCP port 445 (Windows Directory Services), the port that receives the largest volume of attack traffic.
{"title":"Experiences and Observations from the NoAH Infrastructure","authors":"Georgios Kontaxis, Iasonas Polakis, S. Antonatos, E. Markatos","doi":"10.1109/EC2ND.2010.12","DOIUrl":"https://doi.org/10.1109/EC2ND.2010.12","url":null,"abstract":"Monitoring large chunks of unused IP address space yields interesting observations and useful results. However, the volume and diversity of the collected data makes the extraction of information a challenging task. Additionally, the maintenance of the monitoring infrastructure is another demanding and time-consuming effort. To overcome these problems, we present several visualization techniques that enable users to observe what happens in their unused address space over arbitrary time periods and provide the necessary tools for administrators to monitor their infrastructure. Our approach, which is based on open-source standard technologies, transforms the raw information at the network level and provides a customized and Web-accessible view. In this paper, we present the design, implementation and early experiences of the visualization techniques and tools deployed for the NoAH project, a large-scale honey pot-based infrastructure. Additionally, we provide a traffic analysis of data collected over a six month period of our infrastructure's operation. During the data collection period, we observed that the number of attackers continually increased as did the volume of traffic they generated. Furthermore, interesting patterns for specific types of traffic have been identified, such as the diurnal cycle of the traffic targeting TCP port 445 (Windows Directory Services), the port that receives the largest volume of attack traffic.","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":"140 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115523977","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
The web is a crucial source of information nowadays. At the same time, web applications become more and more complex. Therefore, a spontaneous increase in the number of visitors, e.g., based on news reports or events, easily brings a web server in an overload situation. In contrast to the classical model of distributed denial of service (DDoS) attacks, such a so-called flash effect situation is not triggered by a bulk of bots just aiming at hurting the system but by humans with a high interest in the content of the web site itself. While the bots do not stop their attack until told so by their operator, the user try repeatedly to access the site without knowing that the repeated reloads effectively increase the web server's overload. Classical approaches try to distinguish between real user and harmful requests, which is not applicable in this scenario. Simply restricting the number of connections leads to very technical error messages displayed by the users' client software if at all. Therefore, we propose a mean to efficiently block connection attempts and to keep the user informed at the same time. A small subset of HTTP and TCP is state lessly implemented to display simple busy messages or relevant news updates to the end user with only few resources. In this paper we present the protocol subset used and discuss the compatibility problems on the protocol and client software level. Furthermore, we show the results of performance experiments using a prototype implementation.
{"title":"HTTPreject: Handling Overload Situations without Losing the Contact to the User","authors":"J. Schneider, Sebastian Koch","doi":"10.1109/EC2ND.2010.7","DOIUrl":"https://doi.org/10.1109/EC2ND.2010.7","url":null,"abstract":"The web is a crucial source of information nowadays. At the same time, web applications become more and more complex. Therefore, a spontaneous increase in the number of visitors, e.g., based on news reports or events, easily brings a web server in an overload situation. In contrast to the classical model of distributed denial of service (DDoS) attacks, such a so-called flash effect situation is not triggered by a bulk of bots just aiming at hurting the system but by humans with a high interest in the content of the web site itself. While the bots do not stop their attack until told so by their operator, the user try repeatedly to access the site without knowing that the repeated reloads effectively increase the web server's overload. Classical approaches try to distinguish between real user and harmful requests, which is not applicable in this scenario. Simply restricting the number of connections leads to very technical error messages displayed by the users' client software if at all. Therefore, we propose a mean to efficiently block connection attempts and to keep the user informed at the same time. A small subset of HTTP and TCP is state lessly implemented to display simple busy messages or relevant news updates to the end user with only few resources. In this paper we present the protocol subset used and discuss the compatibility problems on the protocol and client software level. Furthermore, we show the results of performance experiments using a prototype implementation.","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":"333 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124696035","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pavel Čeleda, Radek Krejcí, Jan Vykopal, Martin Drasar
This paper describes a new botnet that we have discovered at the beginning of December 2009. Our Net Flow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to a source we have identified world wide infected DSL modems and home routers. Nowadays, various vendors use Linux in this kind of devices. A further investigation has shown that most of deployed SoHo (small office/home office) devices use default passwords or an unpatched vulnerable firmware. Some devices allow a remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to a traditional desktop oriented malware, end users have almost no chance to discover a bot infection. We call the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!
本文描述了我们在2009年12月初发现的一个新的僵尸网络。我们基于Net flow的网络监控系统报告了越来越多的Telnet扫描探针。溯源我们已经确定了全球范围内受感染的DSL调制解调器和家用路由器。现在,许多供应商在这类设备中使用Linux。进一步的调查表明,大多数已部署的SoHo(小型办公室/家庭办公室)设备使用默认密码或未打补丁的易受攻击固件。有些设备允许通过Telnet、SSH或web接口进行远程访问。利用弱密码的Linux恶意软件允许快速传播和几乎无限的恶意活动潜力。与传统的面向桌面的恶意软件相比,终端用户几乎没有机会发现僵尸程序感染。我们以查克·诺里斯的名字命名这个僵尸网络,因为它的早期版本包含了字符串[R]anger Killato: in name di Chuck Norris!
{"title":"Embedded Malware - An Analysis of the Chuck Norris Botnet","authors":"Pavel Čeleda, Radek Krejcí, Jan Vykopal, Martin Drasar","doi":"10.1109/EC2ND.2010.15","DOIUrl":"https://doi.org/10.1109/EC2ND.2010.15","url":null,"abstract":"This paper describes a new botnet that we have discovered at the beginning of December 2009. Our Net Flow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to a source we have identified world wide infected DSL modems and home routers. Nowadays, various vendors use Linux in this kind of devices. A further investigation has shown that most of deployed SoHo (small office/home office) devices use default passwords or an unpatched vulnerable firmware. Some devices allow a remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to a traditional desktop oriented malware, end users have almost no chance to discover a bot infection. We call the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris!","PeriodicalId":375908,"journal":{"name":"2010 European Conference on Computer Network Defense","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2010-10-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128971674","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: