2009 European Conference on Computer Network Defense: Latest Publications

Self-Routing Denial-of-Service Resistant Capabilities Using In-packet Bloom Filters
2009 European Conference on Computer Network Defense Pub Date : 2009-11-09 DOI: 10.1109/EC2ND.2009.14
Christian Esteve Rothenberg, P. Jokela, P. Nikander, M. Sarela, J. Ylitalo
Abstract: In this paper, we propose and analyze an in-packet Bloom-filter-based source-routing architecture resistant to Distributed Denial-of-Service attacks. The approach is based on forwarding identifiers that act simultaneously as path designators, i.e. define which path the packet should take, and as capabilities, i.e. effectively allowing the forwarding nodes along the path to enforce a security policy where only explicitly authorized packets are forwarded. The compact representation is based on a small Bloom filter whose candidate elements (i.e. link names) are dynamically computed at packet forwarding time using a loosely synchronized time-based shared secret and additional in-packet flow information (e.g., invariant packet contents). The capabilities are thus expirable and flow-dependent, but do not require any per-flow network state or memory look-ups, which have been traded off for additional, though amenable, per-packet computation. Our preliminary security analysis suggests that the self-routing capabilities can be an effective building block towards DDoS-resistant network architectures.
Citations: 60
Walowdac - Analysis of a Peer-to-Peer Botnet
2009 European Conference on Computer Network Defense Pub Date : 2009-11-09 DOI: 10.1109/EC2ND.2009.10
Ben Stock, Jan Göbel, Markus Engelberth, F. Freiling, Thorsten Holz
Abstract: A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.
Citations: 102
Visualization and Explanation of Payload-Based Anomaly Detection
2009 European Conference on Computer Network Defense Pub Date : 2009-11-09 DOI: 10.1109/EC2ND.2009.12
Konrad Rieck, P. Laskov
Abstract: The threat posed by modern network attacks requires novel means for detection of intrusions, as regular signature-based systems fail to cope with the amount and diversity of attacks. Recently, several methods for detection of anomalies in network payloads have been proposed to counteract this threat and identify novel attacks during their initial propagation. However, intrusion detection systems must not only flag malicious events but also provide information needed for assessment of security incidents. Previous work on payload-based anomaly detection has largely ignored this need for explainable decisions. In this paper, we present instruments for visualization and explanation of anomaly detection which can guide the decisions of a security operator. In particular, we propose two techniques: feature differences, for identifying relevant string features of detected anomalies, and feature shading, for highlighting anomalous contents in network payloads. Both techniques are empirically evaluated using real attacks and network traces, whereby their ability to emphasize typical patterns of attacks is demonstrated.
Citations: 9
Gone Rogue: An Analysis of Rogue Security Software Campaigns
2009 European Conference on Computer Network Defense Pub Date : 2009-11-09 DOI: 10.1109/EC2ND.2009.8
M. Cova, Corrado Leita, Olivier Thonnard, A. Keromytis, M. Dacier
Abstract: In the past few years, Internet miscreants have developed a number of techniques to defraud and make a hefty profit out of their unsuspecting victims. A troubling, recent example of this trend is cyber-criminals distributing rogue security software, that is, malicious programs that, by pretending to be legitimate security tools (e.g., anti-virus or anti-spyware), deceive users into paying a substantial amount of money in exchange for little or no protection. While the technical and economic aspects of rogue security software (e.g., its distribution and monetization mechanisms) are relatively well understood, much less is known about the campaigns through which this type of malware is distributed, that is, the underlying techniques and coordinated efforts employed by cyber-criminals to spread their malware. In this paper, we present the techniques we used to analyze rogue security software campaigns, with an emphasis on the infrastructure employed in the campaign and the life-cycle of the clients that they infect.
Citations: 5
Integrated Detection of Attacks Against Browsers, Web Applications and Databases
2009 European Conference on Computer Network Defense Pub Date : 2009-11-09 DOI: 10.1109/EC2ND.2009.13
C. Criscione, G. Salvaneschi, F. Maggi, S. Zanero
Abstract: Anomaly-based techniques have been exploited successfully to implement protection mechanisms for various systems. Recently, these approaches have been ported to the web domain under the name of "web application anomaly detectors" (or firewalls) with promising results. In particular, those capable of automatically building specifications, or models, of the protected application by observing its traffic (e.g., network packets, system calls, or HTTP requests and responses) are particularly interesting, since they can be deployed with little effort. Typically, the detection accuracy of these systems is significantly influenced by the model building phase (often called training), which clearly depends upon the quality of the observed traffic, which should resemble the normal activity of the protected application and must also be free from attacks. Otherwise, detection may result in significant amounts of false positives (i.e., benign events flagged as anomalous) and negatives (i.e., undetected threats). In this work we describe Masibty, a web application anomaly detector that has some interesting properties. First, it does not require the training data to be attack-free. Second, not only does it protect the monitored application, it also detects and blocks malicious client-side threats before they are sent to the browser. Third, Masibty intercepts the queries before they are sent to the database, correlates them with the corresponding HTTP requests and blocks those deemed anomalous. Both the accuracy and the performance have been evaluated on real-world web applications with interesting results. The system is almost unaffected by the presence of attacks in the training data and shows only a negligible amount of false positives, although this is paid for in terms of a slight performance overhead.
Citations: 17
Racewalk: Fast Instruction Frequency Analysis and Classification for Shellcode Detection in Network Flow
2009 European Conference on Computer Network Defense Pub Date : 2009-11-09 DOI: 10.1109/EC2ND.2009.9
D. Gamayunov, Nguyen Thoi Minh Quan, Fedor Sakharov, E. Toroshchin
Abstract: Memory corruption attacks still play a significant role in present cybercrime activities, being one of the keystones for worm and virus propagation and for building botnets. Moreover, recent disclosures of widespread networking equipment vulnerabilities show that the problem is unlikely to fade away in the near future. The subject of this paper is NOP-sled detection, one of the approaches for detecting malicious code in network flow. A NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. We propose a significant modification of the Stride algorithm which has linear computational complexity and runs over 10 times faster than the original Stride, and a novel approach for NOP-sled detection using IA-32 instruction frequency analysis and SVM-based classification, which gives significantly fewer false positives than existing algorithms. Evaluation with Metasploit Framework, CLET, ecl-poly and ADMmutate shows that various NOP-sleds provided by existing shellcode generators have instruction frequency peculiarities, which allow distinguishing between sleds and normal network data with high accuracy while reducing the false positive rate and operating at close to 1 Gbps.
Citations: 9
Effectiveness Metrics for Intrusion Detection in Wireless Sensor Networks
2009 European Conference on Computer Network Defense Pub Date : 2009-11-09 DOI: 10.1109/EC2ND.2009.11
A. Stetsko, Vashek Matyás
Abstract: Wireless sensor networks cannot be secured against an internal attacker with only cryptographic techniques because their nodes are not physically protected and can be easily captured by the attacker. Therefore, in this work we consider intrusion detection systems that monitor the behavior of sensor nodes and detect the malicious ones among them. Our work is exploratory in that we propose metrics for evaluation of these systems. There are evaluation metrics for intrusion detection systems for conventional wired and wireless networks. However, to the best of our knowledge there is no work that proposes evaluation metrics for intrusion detection systems for wireless sensor networks. We divide the proposed metrics into two groups. In the first group there are metrics for detection techniques without a response mechanism. In the second group there are metrics for detection techniques together with a response mechanism. The proposed metrics will help an administrator of a network to choose the best intrusion detection system from a set of systems or to optimize the configuration of a certain intrusion detection system for a given network with a particular topology, sensor node capabilities and anticipated types of attack.
Citations: 7
The Dorothy Project: An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization
2009 European Conference on Computer Network Defense Pub Date : 2009-11-09 DOI: 10.1109/EC2ND.2009.15
M. Cremonini, M. Riccardi
Abstract: Botnets, networks of compromised machines remotely controlled and instructed to work in a coordinated fashion, have had an epidemic diffusion over the Internet and represent one of today's most insidious threats. In this paper, we present an open framework called Dorothy that permits monitoring the activity of a botnet. We propose to characterize a botnet's behavior through a set of parameters and a graphical representation. In a case study, we infiltrated and monitored a botnet named siwa, collecting information about its functional structure, geographical distribution, communication mechanisms, command language and operations.
Citations: 26