{"title":"DGA Bot Detection with Time Series Decision Trees","authors":"Anael Bonneton, D. Migault, S. Sénécal, Nizar Kheir","doi":"10.1109/BADGERS.2015.016","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.016","url":null,"abstract":"This paper introduces a behavioral model for botnet detection that leverages the Domain Name System (DNS) traffic in large Internet Service Provider (ISP) networks. More particularly, we are interested in botnets that locate and connect to their command and control servers thanks to Domain Generation Algorithms (DGAs). We demonstrate that the DNS traffic generated by hosts belonging to a DGA botnet exhibits discriminative temporal patterns. We show how to build decision tree classifiers to recognize these patterns in very little computation time. The main contribution of this paper is to consider whole time series to represent the temporal behavior of hosts instead of aggregated values computed from the time series. Our experiments are carried out on real world DNS traffic collected from a large ISP.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"89 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133714621","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MAD: A Middleware Framework for Multi-step Attack Detection","authors":"P. Papadopoulos, Thanasis Petsas, Giorgos Christou, G. Vasiliadis","doi":"10.1109/BADGERS.2015.012","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.012","url":null,"abstract":"Signature-based network intrusion detection systems (NIDS) are one of the most popular tools used to detect and stop malicious attacks or unwanted actions. However, as network attacks become more sophisticated and diversified, the accuracy of signature-based NIDS that rely only on live network traffic decreases significantly. Recent research efforts have proposed to archive the raw contents of the network traffic stream to disk, in order to enable later inspection of activity that becomes interesting only in retrospect. Unfortunately, the ever increasing network traffic and capacity make the collection and archiving of multi-gigabit network streams very challenging. In this paper, we review different mechanisms and techniques to efficiently store the captured network traffic to disk. We also propose an architecture that will integrate all these mechanisms into a single middleware platform that will be used by network monitoring applications in order to enhance their functionalities. Our approach will offer the ability to analyze and correlate multiple security activities, as well as, in terms of forensic analysis, to perform post-mortem incident analysis in order to assess the given damage.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"221 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116162137","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The Significant Features of the UNSW-NB15 and the KDD99 Data Sets for Network Intrusion Detection Systems","authors":"Nour Moustafa, J. Slay","doi":"10.1109/BADGERS.2015.014","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.014","url":null,"abstract":"Because of the increased flow of network traffic and its significance to the provision of ubiquitous services, cyberattacks attempt to compromise the security principles of confidentiality, integrity and availability. A Network Intrusion Detection System (NIDS) monitors and detects cyber-attack patterns over networking environments. Network packets consist of a wide variety of features which negatively affect detection of anomalies. These features include some irrelevant or redundant features which reduce the efficiency of detecting attacks, and increase the False Alarm Rate (FAR). In this paper, the feature characteristics of the UNSW-NB15 and KDD99 datasets are examined, and the features of the UNSW-NB15 are replicated to the KDD99 data set to measure their efficiency. We apply an Association Rule Mining algorithm as feature selection to generate the strongest features from the two data sets. Some existing classifiers are utilised to evaluate the complexity in terms of accuracy and FAR. The experimental results show that the original KDD99 attributes are less efficient than the replicated UNSW-NB15 attributes of the KDD99 data set. However, comparing the two data sets, the accuracy of the KDD99 dataset is better than that of the UNSW-NB15 dataset, and the FAR of the KDD99 dataset is lower than that of the UNSW-NB15 dataset.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"20 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114660620","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Using Bayesian Decision Making to Detect Slow Scans","authors":"I. Shimada, Yu Tsuda, Masashi Eto, D. Inoue","doi":"10.1109/BADGERS.2015.015","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.015","url":null,"abstract":"In a targeted cyberattack, attackers perform a search for vulnerable hosts in the internal network of the targeted organization. Then, they try to increase the number of hosts that can be used as stepping stones for further attacks. Attackers would like to perform these activities hidden from network-based security appliances such as firewalls and network intrusion detection systems (NIDSs). One of the methods to hide their reconnaissance is a slow scan, in which searching and spreading can be spread over several months and mixed with large-scale normal live traffic. The method is very simple but it is effective at evading general firewalls or NIDSs. In this paper, we focus on slow scan activities and we propose a simple and efficient approach to detect a slow scan using Bayesian decision making within live network traffic. Our method makes it possible to detect a slow scan as early as possible and to quickly stop attackers' reconnoitering of the internal network.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"46 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128021694","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Text-Mining Approach for Estimating Vulnerability Score","authors":"Yasuhiro Yamamoto, Daisuke Miyamoto, M. Nakayama","doi":"10.1109/BADGERS.2015.018","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.018","url":null,"abstract":"This paper develops a method that can automatically estimate the security metrics of documents written in natural language. Currently, security metrics play an important role in assessing the impact and risks of cyberthreats. Security metrics also enable operators to recognize emerging cyberthreats and to prioritize operations in order to mitigate such threats. In this paper, we focus on estimating the ratings in the Common Vulnerability Scoring System by inspecting the threats described in the Common Vulnerabilities and Exposures dictionary. Our approach employs various techniques for processing natural language, and it uses the descriptions in the dictionary to estimate the base metrics. This paper also extends the algorithm to increase the accuracy of the estimate.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125277760","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"INTERCEPT+: SDN Support for Live Migration-Based Honeypots","authors":"Ayumu Hirata, Daisuke Miyamoto, M. Nakayama, H. Esaki","doi":"10.1109/BADGERS.2015.013","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.013","url":null,"abstract":"This paper introduces a novel honeypot for web applications. Recently, web applications have been the target of numerous cyber attacks. In order to catch new vulnerabilities in the applications, using a honeypot system is a feasible solution. However, there remain difficulties in developing a lure-able, protect-able, and deception-able honeypot for web applications. In this paper, we present an approach in which attackers will be automatically isolated from the real web server to the honey web server. The key features are employing migration techniques to create a virtual machine as a honey web server, equipping the honeypot with the same memory and storage devices as the real systems, and controlling network traffic with OpenFlow in order to isolate honeypots from the real server. This paper also shows our design and implementation of INTERCEPT+, a component of honeypot systems for web applications.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"20 3 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123281422","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"AJNA: Anti-phishing JS-based Visual Analysis, to Mitigate Users' Excessive Trust in SSL/TLS","authors":"P. Mensah, Grégory Blanc, Kazuya Okada, Daisuke Miyamoto, Y. Kadobayashi","doi":"10.1109/BADGERS.2015.019","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.019","url":null,"abstract":"HTTPS websites are often considered safe by users, due to the use of the SSL/TLS protocol. As a consequence, phishing web pages delivered via this protocol benefit from that higher level of trust as well. In this paper, we assessed the relevance of heuristics such as the certificate information, the SSL/TLS protocol version and the cipher-suite chosen by the servers, in the identification of phishing websites. We concluded that they were not discriminant enough, due to the close profiles of phishing and legitimate sites. Moreover, considering phishing pages hosted on cloud service platforms or hacked domains, we identified that users could easily be fooled by the certificate presented, since it would belong to the rightful owner of the website. Hence, we further examined HTTPS phishing websites hosted on hacked domains, in order to propose a detection method based on their visual identities. Indeed, the presence of a parasitic page on a domain is a disruption to the overall visual coherence of the original site. By designing an intelligent perception system responsible for extracting and comparing these divergent renderings, we were able to spot phishing pages with an accuracy of 87% to 92%.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"75 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134418303","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Social Forensics: Searching for Needles in Digital Haystacks","authors":"Iasonas Polakis, Panagiotis Ilia, Zacharias Tzermias, S. Ioannidis, P. Fragopoulou","doi":"10.1109/BADGERS.2015.017","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.017","url":null,"abstract":"The use of online social networks and other digital communication services has become a prevalent activity of everyday life. As such, users' social footprints contain a massive amount of data, including exchanged messages, location information and photographic coverage of events. While digital forensics has been evolving for several years with a focus on recovering and investigating data from digital devices, social forensics is a relatively new field. Nonetheless, law enforcement agencies have realized the significance of employing online user data for solving criminal investigations. However, collecting and analyzing massive amounts of data scattered across multiple services is a challenging task. In this paper, we present our modular framework designed for assisting forensic investigators in all aspects of these procedures. The data collection modules extract the data from a user's social network profiles and communication services, by taking advantage of stored credentials and session cookies. Next, the correlation modules employ various techniques for mapping user profiles from different services to the same user. The visualization component, specifically designed for handling data representing activities and interactions in online social networks, provides dynamic \"viewpoints\" of varying granularity for analyzing data and identifying important pieces of information. We conduct a case study to demonstrate the effectiveness of our system and find that our automated correlation process achieves significant coverage of users across services.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"189 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134040800","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Tracking Network Events with Write Optimized Data Structures","authors":"Nolan Donoghue, B. Hahn, Helen Xu, Thomas M. Kroeger, David Zage, Rob Johnson","doi":"10.1109/BADGERS.2015.011","DOIUrl":"https://doi.org/10.1109/BADGERS.2015.011","url":null,"abstract":"Access to network traffic records is an integral part of recognizing and addressing network security breaches. Even with the increasing sophistication of network attacks, basic network events such as connections between two IP addresses play an important role in any network defense. Given the duration of current attacks, long-term data archival is critical but typically very little of the data is ever accessed. Previous work has provided tools and identified the need to trace connections. However, traditional databases raise performance concerns as they are optimized for querying rather than ingestion. The study of write-optimized data structures (WODS) is a new and growing field that provides a novel approach to traditional storage structures (e.g., B-trees). WODS trade minor degradations in query performance for significant gains in the ability to quickly insert more data elements, typically on the order of 10 to 100 times more inserts per second. These efficient, out-of-memory data structures can play a critical role in enabling robust, long-term tracking of network events. In this paper, we present TWIAD, the Write-optimized IP Address Database. TWIAD uses a write-optimized B-tree known as a Bε tree to track all IP address connections in a network traffic stream. Our initial implementation focuses on utilizing lower cost hardware, demonstrating that basic long-term tracking can be done without advanced equipment. We tested TWIAD on a modest desktop system and showed a sustained ingestion rate of about 20,000 inserts per second.","PeriodicalId":150208,"journal":{"name":"2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS)","volume":"26 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2015-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121811554","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}