Authors: Chia-Mei Chen, G. Lai, P. Young
Venue: 2016 11th Asia Joint Conference on Information Security (AsiaJCIS), published August 2016
DOI: 10.1109/AsiaJCIS.2016.18 (https://doi.org/10.1109/AsiaJCIS.2016.18)
Indexed by: Semantic Scholar (6 citations recorded; not open access)
Defense Joint Attacks Based on Stochastic Discrete Sequence Anomaly Detection
To evade detection, attackers may use a botnet, a set of compromised machines, to attempt to gain access to a target; after performing the instructed attack, the bot machines report their results to the command and control server. Because the machines that scan or attempt to log in to the target may be caught and blocked by the defenses deployed in the network, the attacker then uses a separate, still-clean zombie machine to log in to the target with the access information the botnet collected. This attack sequence is called a "Scouts-and-Commander" joint attack: the scouts take charge of scanning and probing the target for vulnerabilities, and the commander launches the precise strike using the correct login information the scouts supplied. Since the detection system sees the commander's login as a normal, successful access, such a collaborative attack is hard to identify. To recognize the attack sequence, this study correlates network information with system logs to reconstruct the sequence and identifies the potential scouts and commanders at an early stage, before real damage has been done. A hidden Markov model, commonly used to describe sequential data, is adopted to forecast possible joint attacks and prevent real damage. The experimental results show that the proposed defense mechanism identifies joint attacks efficiently at an early stage and prevents further damage in the network.
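The abstract describes two steps: correlating per-target log events into a discrete sequence, then decoding that sequence with a hidden Markov model whose hidden states are the roles (benign, scout, commander). The block below is an added illustration of that idea, not the paper's code; the event alphabet, the HMM start, transition and emission probabilities, the role names and the sample log events are all constructed assumptions for the example, and the model parameters are hand-set rather than learned.

```python
"""Toy Scouts-and-Commander detector: per-target event sequence + Viterbi decoding.

Added example, not the paper's implementation. Every constant below is an
assumption chosen for illustration; a real deployment would estimate the HMM
parameters from labelled traffic and logs.
"""
import math
from collections import defaultdict

STATES = ("benign", "scout", "commander")
# Hand-set (assumed) HMM parameters. Scouts mostly scan and fail logins; a
# commander is a source that succeeds on its first contact with the target.
START = {"benign": 0.90, "scout": 0.08, "commander": 0.02}
TRANS = {
    "benign":    {"benign": 0.85, "scout": 0.14, "commander": 0.01},
    "scout":     {"benign": 0.10, "scout": 0.70, "commander": 0.20},
    "commander": {"benign": 0.50, "scout": 0.20, "commander": 0.30},
}
EMIT = {
    "benign":    {"scan": 0.05, "fail": 0.15, "ok_new": 0.20, "ok_known": 0.60},
    "scout":     {"scan": 0.50, "fail": 0.45, "ok_new": 0.03, "ok_known": 0.02},
    "commander": {"scan": 0.02, "fail": 0.03, "ok_new": 0.90, "ok_known": 0.05},
}

# Constructed sample events: (timestamp, source_ip, target_host, event_kind).
# Three bots scan and brute-force srv1, then an untouched host logs in cleanly.
# srv2 receives a single first-time successful login with no prior probing.
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "srv1", "scan"),
    (101, "10.0.0.6", "srv1", "scan"),
    (105, "10.0.0.5", "srv1", "login_fail"),
    (106, "10.0.0.6", "srv1", "login_fail"),
    (107, "10.0.0.7", "srv1", "login_fail"),
    (109, "10.0.0.6", "srv1", "login_fail"),
    (140, "10.0.0.9", "srv1", "login_ok"),    # clean host, never seen before
    (200, "10.0.0.20", "srv2", "login_ok"),   # benign first login, no probing
]


def to_observations(events):
    """Correlate events per target (time order) into (source, symbol) pairs.

    A successful login becomes 'ok_new' when that source had no earlier event
    against the target, which is the commander's signature: a fresh machine
    arriving with valid credentials. Otherwise it is 'ok_known'.
    """
    by_target = defaultdict(list)
    for ev in sorted(events):
        by_target[ev[2]].append(ev)
    sequences = {}
    for target, evs in by_target.items():
        seen, symbols = set(), []
        for _ts, src, _tgt, kind in evs:
            if kind == "scan":
                sym = "scan"
            elif kind == "login_fail":
                sym = "fail"
            elif kind == "login_ok":
                sym = "ok_known" if src in seen else "ok_new"
            else:
                raise ValueError(f"unknown event kind: {kind}")
            seen.add(src)
            symbols.append((src, sym))
        sequences[target] = symbols
    return sequences


def viterbi(symbols):
    """Most likely hidden-state path for a symbol sequence (log-space Viterbi)."""
    scores = [{s: math.log(START[s]) + math.log(EMIT[s][symbols[0]]) for s in STATES}]
    back = [{}]
    for sym in symbols[1:]:
        cur, bp = {}, {}
        for s in STATES:
            prev, best = max(((p, scores[-1][p] + math.log(TRANS[p][s])) for p in STATES),
                             key=lambda x: x[1])
            cur[s] = best + math.log(EMIT[s][sym])
            bp[s] = prev
        scores.append(cur)
        back.append(bp)
    path = [max(STATES, key=lambda s: scores[-1][s])]
    for bp in reversed(back[1:]):
        path.append(bp[path[-1]])
    return list(reversed(path))


def detect(events):
    """Return {target: {"scouts": set, "commander": src}} for targets whose
    decoded role sequence contains a commander; quiet targets are omitted."""
    findings = {}
    for target, seq in to_observations(events).items():
        roles = viterbi([sym for _, sym in seq])
        scouts = {src for (src, _), role in zip(seq, roles) if role == "scout"}
        commanders = [src for (src, _), role in zip(seq, roles) if role == "commander"]
        if commanders:
            findings[target] = {"scouts": scouts, "commander": commanders[-1]}
    return findings


if __name__ == "__main__":
    for target, f in detect(SAMPLE_EVENTS).items():
        print(f"{target}: scouts={sorted(f['scouts'])} commander={f['commander']}")
```

The value of the HMM here is context: the same 'ok_new' symbol is decoded as benign on srv2, where nothing preceded it, but as a commander on srv1, where six scouting events make the scout-to-commander transition the likeliest explanation. Blocking the commander's source and the scout set at that point is the early intervention the abstract describes.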