2011 Seventh European Conference on Computer Network Defense: latest publications

dead.drop: URL-Based Stealthy Messaging
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.15 (https://doi.org/10.1109/EC2ND.2011.15)
Georgios Kontaxis, Iasonas Polakis, M. Polychronakis, E. Markatos
Abstract: In this paper we propose the use of URLs as a covert channel to relay information between two or more parties. We render our technique practical, in terms of bandwidth, by employing URL-shortening services to form URL chains of hidden information. We discuss the security aspects of this technique and present proof-of-concept implementation details along with measurements that prove the feasibility of our approach.
Citations: 3
Mitigating Distributed Denial-of-Service Attacks: Application-Defense and Network-Defense Methods
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.18 (https://doi.org/10.1109/EC2ND.2011.18)
Zhang Fu
Abstract: Summary form only given. Distributed Denial of Service (DDoS) attacks can be so powerful that they can easily deplete the computing resources or bandwidth of the potential targets. Based on the types of the targets, DDoS attacks can be addressed at two levels: application-level and network-level. Taking network-based applications into consideration, a weak point is that they commonly open some known communication port(s), making themselves targets for denial of service (DoS) attacks. Considering adversaries that can eavesdrop and launch directed DoS attacks against the applications' open ports, solutions based on pseudorandom port-hopping have been suggested [1], [5], where applications defend their communication ports against attacks by changing them periodically. As port-hopping needs the communicating parties to "hop" in a synchronized manner, these solutions suggest acknowledgment-based protocols between a client-server pair or assume the presence of synchronized clocks. Acknowledgments, if lost, can cause a port to be open for a longer time and thus be vulnerable to DoS attacks, while time servers for synchronizing clocks can themselves become targets of DoS attacks. Following this line of research, in [2] we proposed a solution for port-hopping in the presence of clock drifts, which are common in networking. The solution basically consists of two algorithms: HOPERAA and BIGWHEEL. HOPERAA enables each client to interact with the server independently of the other clients; BIGWHEEL enables a server to communicate with multiple clients in a port-hopping manner, without synchronizing with each client individually, which supports multi-party applications as well.

Anti-DDoS solutions at the application level, such as port-hopping, are ineffective when the DDoS attacks aim to congest the victim's network. Victims may need help from network-based (i.e. router-level) solutions to solve the problem. Among the network-based solutions against DDoS attacks, the network-capability mechanism is a novel approach [6]. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, essentially causing a possible Denial-of-Capability (DoC). In [4] we proposed an algorithm to mitigate DoC attacks. With this algorithm, legitimate hosts can get service with guaranteed probability. The algorithm divides the server's capacity for handling capability requests into quotas. Quotas are allocated based on a sink tree architecture. Randomization and Bloom filters are used as tools against threats (attack scenarios). Issues of fault tolerance and the deployment of the proposed approach were also addressed in [4]. The algorithm is not only suitable for solving the DoC problem, but also suitable for general authentication-based solutions against DDoS attacks, since legitimate hosts always need to get the secret for generating authenticatio
Citations: 10
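The abstract above describes pseudorandom port-hopping and the synchronization problem it creates (lost acknowledgments, time servers as DoS targets, clock drift). The following is an added illustration, not the paper's HOPERAA or BIGWHEEL algorithms: client and server derive the port for each time slot from a pre-shared secret, and the server keeps the ports of a few neighbouring slots open so that a client whose clock drifts by a bounded amount still gets through without an acknowledgment protocol or a time server. The port range, slot length, drift window and secret are assumptions.

```python
import hashlib
import hmac

# Added example, not the paper's HOPERAA/BIGWHEEL algorithms: a minimal
# pseudorandom port-hopping schedule. Client and server share a secret
# and derive the port for each time slot from it; the server also listens
# on the ports of a few neighbouring slots so that a client whose clock
# drifts by a bounded amount still finds an open port without any
# acknowledgement protocol or time server. All parameters are assumptions.

PORT_LO, PORT_HI = 10000, 60000   # assumed hopping range (50,000 ports)
SLOT_SECONDS = 2.0                # assumed hop interval


def slot_at(t: float) -> int:
    """Map a wall-clock time (seconds) to a hop slot index."""
    return int(t // SLOT_SECONDS)


def port_for_slot(secret: bytes, slot: int) -> int:
    """Pseudorandom port for a slot: HMAC-SHA256(secret, slot) reduced into range.
    Without the secret an eavesdropper cannot predict the next port."""
    tag = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return PORT_LO + int.from_bytes(tag[:4], "big") % (PORT_HI - PORT_LO)


def server_open_ports(secret: bytes, server_time: float, drift_slots: int = 1) -> set:
    """Ports the server keeps open at server_time: the current slot plus
    drift_slots slots on either side (the clock-drift tolerance window)."""
    s = slot_at(server_time)
    return {port_for_slot(secret, k) for k in range(s - drift_slots, s + drift_slots + 1)}


def client_port(secret: bytes, client_time: float) -> int:
    """The single port a client sends to, according to its own clock."""
    return port_for_slot(secret, slot_at(client_time))


def server_accepts(secret: bytes, server_time: float, port: int, drift_slots: int = 1) -> bool:
    """True if a packet arriving on `port` at server_time hits an open port."""
    return port in server_open_ports(secret, server_time, drift_slots)


if __name__ == "__main__":
    key = b"shared-secret-from-out-of-band-setup"   # assumed pre-shared key
    now = 1_700_000_000.0
    p = client_port(key, now)
    print("client sends to port", p)
    print("server clock +1.5 s accepts:", server_accepts(key, now + 1.5, p))
    print("server clock -2.0 s accepts:", server_accepts(key, now - 2.0, p))
    print("attacker replaying a port seen 20 s ago:", server_accepts(key, now + 20.0, p))
```

The drift window is the trade-off in miniature: tolerating one slot of drift in either direction keeps three ports open instead of one, so an attacker who scans blindly has three times the chance per hop of hitting an open port, while a port observed even a few slots ago is useless to them. Widening the window to absorb more drift widens that exposure, which is why the abstract treats drift handling as the core problem rather than a detail.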
The Anti-Social Behavior of Spam
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.20 (https://doi.org/10.1109/EC2ND.2011.20)
Farnaz Moradi, T. Olovsson, P. Tsigas
Abstract: Spam mitigation strategies that aim at detecting spam on the network level should classify email senders based on their sending behavior rather than the content of what they send. To achieve this goal, we have performed a social network analysis on a network of email communications. Such a network captures the social communication patterns of email senders and receivers. Our social network analysis on email traffic has revealed that the structural properties of networks of email communications differ from other types of interaction and social networks such as online social networks, the web, the Internet AS topology, and phone call graphs. The difference is caused by the extensive amount of unsolicited email traffic, which can therefore be used to discriminate spam senders from legitimate users. Deployment of such a social-network-based spam detection strategy on a small network device makes it possible to stop spam closer to its source and without inspecting email contents. In this presentation, we will look at the anti-social behavior of spam and how it can be used for detection of spam senders.
Citations: 0
Adaptive Detection of Covert Communication in HTTP Requests
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.12 (https://doi.org/10.1109/EC2ND.2011.12)
Guido Schwenk, Konrad Rieck
Abstract: The infection of computer systems with malicious software is an enduring problem of computer security. Avoiding an infection in the first place is a hard task, as computer systems are often vulnerable to a multitude of attacks. However, to explore and control an infected system, an attacker needs to establish a communication channel with the victim. While such a channel can be easily established to an unprotected end host in the Internet, infiltrating a closed network usually requires passing an application-level gateway -- in most cases a web proxy -- which constitutes an ideal spot for detecting and blocking unusual outbound communication. This paper introduces DUMONT, a system for detecting covert outbound HTTP communication passing through a web proxy. DUMONT learns profiles of normal HTTP requests for each user of the proxy and adapts to individual web surfing characteristics. The profiles are inferred from a diverse set of features, covering the structure and content of outbound data, and allowing for automatically identifying tunnels and covert channels as deviations from normality. While this approach does not generally rule out sophisticated covert communication, it significantly improves on state-of-the-art methods and hardens networks against malware proliferation.

This capability is demonstrated in an evaluation with 90 days of web traffic, where DUMONT uncovers the communication of malware, tunnels and backdoors with few false alarms.
Citations: 18
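The abstract above describes per-user profiles of normal HTTP requests, built from structural and content features, with tunnels flagged as deviations. The following is an added example of that idea, not the DUMONT system or its feature set: a small fixed set of request features (URL length, parameter count, longest parameter value, entropy of parameter values, body size), a mean/standard-deviation profile per proxy user, and a z-score threshold. The features, the threshold and all traffic are constructed for the example.

```python
import base64
import math
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Added example, not the DUMONT system: a per-user profile of outbound HTTP
# requests built from a few structural features, with covert channels flagged
# as deviations from that user's normal requests. The feature set, threshold
# and traffic below are assumptions / constructed data.


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def request_features(url: str, body: str = "") -> list:
    """Structural features of one outbound request (assumed feature set)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    longest_value = max((len(v) for _, v in params), default=0)
    return [
        float(len(url)),                                  # URL length
        float(len(params)),                               # number of query parameters
        float(longest_value),                             # longest value: tunnels stuff data here
        shannon_entropy("".join(v for _, v in params)),   # randomness of parameter values
        float(len(body)),                                 # request body size
    ]


class UserProfile:
    """Mean and standard deviation of each feature over one user's requests."""

    def __init__(self, threshold: float = 3.0):
        self.rows = []
        self.threshold = threshold   # assumed: flag anything beyond 3 standard deviations

    def learn(self, url: str, body: str = "") -> None:
        self.rows.append(request_features(url, body))

    def _stats(self):
        n = len(self.rows)
        k = len(self.rows[0])
        means = [sum(r[i] for r in self.rows) / n for i in range(k)]
        stds = [math.sqrt(sum((r[i] - means[i]) ** 2 for r in self.rows) / n) for i in range(k)]
        return means, stds

    def score(self, url: str, body: str = "") -> float:
        """Largest z-score over all features: how far the request is from this user's normal."""
        means, stds = self._stats()
        x = request_features(url, body)
        # A feature that never varied in training gets unit scale instead of dividing by zero.
        return max(abs(x[i] - means[i]) / (stds[i] if stds[i] > 0 else 1.0) for i in range(len(x)))

    def is_anomalous(self, url: str, body: str = "") -> bool:
        return self.score(url, body) > self.threshold


# Constructed training traffic for one proxy user.
TRAINING = [
    ("http://news.example.com/index.html", ""),
    ("http://news.example.com/world/story.html?id=4821", ""),
    ("http://search.example.com/q?term=weather+forecast", ""),
    ("http://mail.example.com/login", "user=alice&pw=hunter2"),
    ("http://news.example.com/sports/results.html?league=nhl&day=mon", ""),
]

# Constructed test requests: an ordinary page view, and an HTTP tunnel that
# smuggles an encoded command blob out through a single query parameter.
BENIGN = "http://news.example.com/tech/review.html?id=77"
TUNNEL = "http://cdn.example.com/img?d=" + base64.urlsafe_b64encode(b"cmd=whoami;uname -a;id;" * 4).decode()


def build_profile() -> UserProfile:
    profile = UserProfile()
    for url, body in TRAINING:
        profile.learn(url, body)
    return profile


if __name__ == "__main__":
    p = build_profile()
    for name, url in (("benign", BENIGN), ("tunnel", TUNNEL)):
        print(f"{name}: score={p.score(url):.1f} anomalous={p.is_anomalous(url)}")
```

The tunnel is caught by two features at once (a 150-character URL and a 120-character parameter value, each more than nine standard deviations from this user's normal), while the benign request stays within about one standard deviation on every feature. The same mechanism also shows where false alarms come from: a user who suddenly submits a large form would exceed the body-size profile, which is why a real system must keep adapting the profile rather than freezing it after training.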
Remote Control of Smart Meters: Friend or Foe?
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.14 (https://doi.org/10.1109/EC2ND.2011.14)
M. Costache, Valentin Tudor, M. Almgren, M. Papatriantafilou, C. Saunders
Abstract: The traditional electrical grid is transitioning into the smart grid. New equipment is being installed to simplify the process of monitoring and managing the grid, making the system more transparent to use but also introducing new security problems. Smart meters are replacing the traditional electrical utility meters, offering new functionalities such as remote reading, automatic error reporting, and the possibility of remote shutoff. This last feature is studied in this paper through two scenarios where the effects are outlined, both on a theoretical level and through a simulation. In the first scenario, the frequency property of the grid is the target, to possibly cause a blackout. In the second scenario, the voltage is driven out of bounds by the adversary.
Citations: 33
Security in Wireless Sensor Networks
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.13 (https://doi.org/10.1109/EC2ND.2011.13)
A. Larsson, P. Tsigas
Abstract: A wireless sensor network is a network of small computers, sensor nodes, that can gather information via their sensors, do computations and communicate wirelessly with other sensor nodes. In general a wireless sensor network is an ad hoc network in which the nodes organize themselves without any preexisting infrastructure. Once in the area, the nodes that survived the deployment procedure communicate with the other nodes that happened to end up in their vicinity, and they set up an infrastructure.
Citations: 1
IRILD: An Information Retrieval Based Method for Information Leak Detection
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.21 (https://doi.org/10.1109/EC2ND.2011.21)
Eleni Gessiou, Q. Vu, S. Ioannidis
Abstract: The traditional approach for detecting information leaks is to generate fingerprints of sensitive data, by partitioning and hashing it, and then comparing these fingerprints against outgoing documents. Unfortunately, this approach incurs a high computation cost, as every part of a document needs to be checked. As a result, it is not applicable to systems with a large number of documents that need to be protected. Additionally, the approach is prone to false positives if the fingerprints are common phrases. In this paper, we propose an improvement to this approach that offers much faster processing with fewer false positives. The core idea of our solution is to eliminate common phrases and non-sensitive phrases from the fingerprinting process. Non-sensitive phrases are identified by looking at the available public documents of the organization that we want to protect from information leaks, and common phrases are identified with the help of a search engine. In this way, our solution both accelerates leak detection and increases the accuracy of the result.

Experiments were conducted on real-world data to prove the efficiency and effectiveness of the proposed solution.
Citations: 18
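The abstract above describes the traditional partition-and-hash fingerprinting scheme and the improvement of dropping phrases that also occur in the organization's public documents or that a search engine reports as common. The following is an added example of that pipeline, not the IRILD implementation: documents are split into 4-word phrases, each phrase is hashed, and fingerprints are pruned against a public corpus and a common-phrase check before outgoing text is scanned. The search engine is replaced by a constructed hit-count table, and every document, phrase length and threshold here is constructed or assumed.

```python
import hashlib
import re

# Added example, not the IRILD implementation: phrase fingerprinting for leak
# detection, where phrases that also appear in the organisation's public
# documents (non-sensitive) or that a search engine reports as widespread
# (common) are dropped before fingerprints are generated. The search engine
# is replaced by a constructed hit-count table; all documents are constructed.

SHINGLE_WORDS = 4               # assumed fingerprint granularity: 4-word phrases
COMMON_HIT_THRESHOLD = 1_000_000  # assumed: this many search hits makes a phrase "common"

# Stand-in for search-engine result counts (constructed, not real numbers).
SEARCH_HITS = {
    "please do not hesitate": 41_000_000,
    "do not hesitate to": 58_000_000,
    "not hesitate to contact": 27_000_000,
    "hesitate to contact me": 9_000_000,
}


def shingles(text: str, k: int = SHINGLE_WORDS) -> list:
    """Partition text into overlapping k-word phrases, normalised to lowercase words."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return [" ".join(words[i:i + k]) for i in range(len(words) - k + 1)]


def fingerprint(phrase: str) -> str:
    """Hash of one phrase; only the hash needs to be stored or shipped to a scanner."""
    return hashlib.sha256(phrase.encode("utf-8")).hexdigest()[:16]


def is_common_phrase(phrase: str) -> bool:
    return SEARCH_HITS.get(phrase, 0) >= COMMON_HIT_THRESHOLD


def build_fingerprints(sensitive_docs, public_docs, prune: bool = True) -> dict:
    """Map fingerprint -> phrase for the sensitive phrases worth protecting.
    prune=False is the traditional scheme: fingerprint every phrase."""
    public = {fingerprint(s) for d in public_docs for s in shingles(d)}
    fps = {}
    for doc in sensitive_docs:
        for phrase in shingles(doc):
            fp = fingerprint(phrase)
            if prune and (fp in public or is_common_phrase(phrase)):
                continue
            fps[fp] = phrase
    return fps


def scan_outgoing(doc: str, fps: dict) -> list:
    """Sensitive phrases found in an outgoing document (sorted for stable output)."""
    return sorted({fps[fingerprint(s)] for s in shingles(doc) if fingerprint(s) in fps})


# Constructed corpus: one confidential memo and one public web page.
SENSITIVE_DOCS = [
    "Project Falcon: the acquisition target is Northwind Traders at 42 dollars "
    "per share. Our company values integrity and teamwork. Please do not hesitate "
    "to contact me.",
]
PUBLIC_DOCS = [
    "Our company values integrity and teamwork, and we are committed to our customers.",
]

# Constructed outgoing messages: one real leak, two harmless ones that reuse
# public boilerplate and a common closing phrase respectively.
LEAK = "FYI the acquisition target is Northwind Traders, price 42."
BENIGN_PUBLIC = "Our company values integrity and teamwork."
BENIGN_COMMON = "Please do not hesitate to contact me with questions."

PRUNED = build_fingerprints(SENSITIVE_DOCS, PUBLIC_DOCS)
NAIVE = build_fingerprints(SENSITIVE_DOCS, PUBLIC_DOCS, prune=False)

if __name__ == "__main__":
    for name, doc in (("leak", LEAK), ("public boilerplate", BENIGN_PUBLIC), ("common phrase", BENIGN_COMMON)):
        print(f"{name}: pruned={scan_outgoing(doc, PRUNED)} naive={scan_outgoing(doc, NAIVE)}")
```

With pruning, the leaked acquisition details still produce three fingerprint hits, while the two harmless messages produce none; the unpruned fingerprint set flags both of them, which is exactly the false-positive class the abstract targets. Pruning also shrinks the fingerprint set, so each outgoing phrase is checked against fewer hashes.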
MELISSA: Towards Automated Detection of Undesirable User Actions in Critical Infrastructures
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.10 (https://doi.org/10.1109/EC2ND.2011.10)
Dina Hadziosmanovic, D. Bolzoni, P. Hartel, S. Etalle
Abstract: We address the detection of process-related threats in control systems used in critical infrastructures. Process-related threats take place when an attacker gains user access rights and performs actions which look legitimate but which are intended to disrupt the industrial process. We use logs to detect anomalous patterns of user actions on a process control application. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
Citations: 23
On Botnets That Use DNS for Command and Control
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.16 (https://doi.org/10.1109/EC2ND.2011.16)
Christian J. Dietrich, C. Rossow, F. Freiling, H. Bos, M. Steen, N. Pohlmann
Abstract: We discovered and reverse engineered Feederbot, a botnet that uses DNS as the carrier for its command and control. Using k-Means clustering and a Euclidean-distance-based classifier, we correctly classified more than 14 million DNS transactions of 42,143 malware samples with respect to DNS C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.
Citations: 141
A Rose by Any Other Name or an Insane Root? Adventures in Name Resolution
2011 Seventh European Conference on Computer Network Defense. Pub Date: 2011-09-06. DOI: 10.1109/EC2ND.2011.17 (https://doi.org/10.1109/EC2ND.2011.17)
H. Vijayakumar, Joshua Schiffman, T. Jaeger
Abstract: Namespaces are fundamental to computing systems. Each namespace maps the names that clients use to retrieve resources to the actual resources themselves. However, the indirection that namespaces provide introduces avenues of attack through the name resolution process. Adversaries can trick programs into accessing unintended resources by changing the binding between names and resources and by using names whose target resources are ambiguous. In this paper, we explore whether a unified system approach may be found to prevent many name resolution attacks. For this, we examine attacks on various namespaces and use these to derive invariants to defend against these attacks. Four prior techniques are identified that enforce aspects of name resolution, so we explore how these techniques address the proposed invariants. We find that each of these techniques is incomplete in itself, but a combination could provide effective enforcement of the invariants.

We implement a prototype system that can implement these techniques for the Linux file system namespace, and show that invariant rules specific to each individual program system call can be enforced with a small overhead (less than 3%), indicating that fine-grained name resolution enforcement may be practical.
Citations: 2