The document summarizes a novel exploit traffic traceback method based on session relationship. It proposes constructing a session relationship model using the correlation of sessions during different stages of exploitation. It then builds a session diagram based on historical traffic and traverses the diagram to find traffic matching the relationship model. Compared to prior methods, it detects early and late traffic simultaneously and is independent of encryption methods, increasing detection rates by 50%.
Intrusion detection system based on web usage miningIJCSEA Journal
This artical present a system developed to find cyber threats automatically based on web usage mining
methods in application layer. This system is an off-line intrusion detection system which includes different
part to detect attacks and as a result helps find different kinds of attacks with different dispersals. In this
study web server access logs used as the input data and after pre-processing, scanners and all identified
attacks will be detected. As the next step, vectors feature from web access logs and parameters sent by
HTTP will derived by three different means and at the end by employment of two clustering algorithms
based on K-Means, anomaly behaviour of data are detached. Tentative results derived from this system
represent that used methods are more applicable than similar systems because this system covers different
kinds of attacks and mostly increase the accuracy and decrease false alarms.
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIOSR Journals
To improve network security different steps has been taken as size and importance of the network has
increases day by day. Then chances of a network attacks increases Network is mainly attacked by some
intrusions that are identified by network intrusion detection system. These intrusions are mainly present in data
packets and each packet has to scan for its detection. This paper works to develop a intrusion detection system
which utilizes the identity and signature of the intrusion for identifying different kinds of intrusions. As network
intrusion detection system need to be efficient enough that chance of false alarm generation should be less,
which means identifying as a intrusion but actually it is not an intrusion. Result obtained after analyzing this
system is quite good enough that nearly 90% of true alarms are generated. It detect intrusion for various
services like Dos, SSH, etc by neural network
Performance evaluation of botnet detection using machine learning techniquesIJECEIAES
Cybersecurity is seriously threatened by Botnets, which are controlled networks of compromised computers. The evolving techniques used by botnet operators make it difficult for traditional methods of botnet identification to stay up. Machine learning has become increasingly effective in recent years as a means of identifying and reducing these hazards. The CTU-13 dataset, a frequently used dataset in the field of cybersecurity, is used in this study to offer a machine learning-based method for botnet detection. The suggested methodology makes use of the CTU-13, which is made up of actual network traffic data that was recorded in a network environment that had been attacked by a botnet. The dataset is used to train a variety of machine learning algorithms to categorize network traffic as botnet-related/benign, including decision tree, regression model, naïve Bayes, and neural network model. We employ a number of criteria, such as accuracy, precision, and sensitivity, to measure how well each model performs in categorizing both known and unidentified botnet traffic patterns. Results from experiments show how well the machine learning based approach detects botnet with accuracy. It is potential for use in actual world is demonstrated by the suggested system’s high detection rates and low false positive rates.
Iaetsd a survey on detecting denial-of-service attacksIaetsd Iaetsd
The document describes a system for detecting denial-of-service (DoS) attacks using multivariate correlation analysis (MCA). The system analyzes network traffic characteristics by studying geometric correlations between traffic features. It employs anomaly-based detection to recognize known and unknown attacks by learning patterns of legitimate network traffic. The system first generates traffic records from basic features, then applies MCA using a triangle area approach to determine correlations between features. It generates normal traffic profiles during training and compares individual traffic records to profiles during testing to detect attacks. The system detects attacks at the individual sample level for more accurate classification compared to group-based detection mechanisms.
The International Journal of Engineering and Science (The IJES)theijes
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
Secure intrusion detection and countermeasure selection in virtual system usi...eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
A fast static analysis approach to detect exploit code inside network flowsUltraUploader
This document proposes a static analysis approach to detect exploit code within network flows. It aims to distinguish between data and executable code by looking for evidence of meaningful data and control flow patterns within binary code fragments recovered through disassembly, without knowing the exact location of the code. The approach is evaluated on real network trace data and is shown to detect a variety of exploit code, including polymorphic and metamorphic variants. It also automatically generates precise signatures to complement signature-based detection systems.
DDoS Attack Detection on Internet o Things using Unsupervised Algorithmsijfls
The increase in the deployment of IoT networks has improved productivity of humans and organisations. However, IoT networks are increasingly becoming platforms for launching DDoS attacks due to inherent weaker security and resource-constrained nature of IoT devices. This paper focusses on detecting DDoS attack in IoT networks by classifying incoming network packets on the transport layer as either “Suspicious” or “Benign” using unsupervised machine learning algorithms. In this work, two deep learning algorithms and two clustering algorithms were independently trained for mitigating DDoS attacks. We lay emphasis on exploitation based DDOS attacks which include TCP SYN-Flood attacks and UDP-Lag attacks. We use Mirai, BASHLITE and CICDDoS2019 dataset in training the algorithms during the experimentation phase. The accuracy score and normalized-mutual-information score are used to quantify the classification performance of the four algorithms. Our results show that the autoencoder performed overall best with the highest accuracy across all the datasets.
Intrusion detection system based on web usage miningIJCSEA Journal
This artical present a system developed to find cyber threats automatically based on web usage mining
methods in application layer. This system is an off-line intrusion detection system which includes different
part to detect attacks and as a result helps find different kinds of attacks with different dispersals. In this
study web server access logs used as the input data and after pre-processing, scanners and all identified
attacks will be detected. As the next step, vectors feature from web access logs and parameters sent by
HTTP will derived by three different means and at the end by employment of two clustering algorithms
based on K-Means, anomaly behaviour of data are detached. Tentative results derived from this system
represent that used methods are more applicable than similar systems because this system covers different
kinds of attacks and mostly increase the accuracy and decrease false alarms.
Intrusion Detection Systems By Anamoly-Based Using Neural NetworkIOSR Journals
To improve network security different steps has been taken as size and importance of the network has
increases day by day. Then chances of a network attacks increases Network is mainly attacked by some
intrusions that are identified by network intrusion detection system. These intrusions are mainly present in data
packets and each packet has to scan for its detection. This paper works to develop a intrusion detection system
which utilizes the identity and signature of the intrusion for identifying different kinds of intrusions. As network
intrusion detection system need to be efficient enough that chance of false alarm generation should be less,
which means identifying as a intrusion but actually it is not an intrusion. Result obtained after analyzing this
system is quite good enough that nearly 90% of true alarms are generated. It detect intrusion for various
services like Dos, SSH, etc by neural network
Performance evaluation of botnet detection using machine learning techniquesIJECEIAES
Cybersecurity is seriously threatened by Botnets, which are controlled networks of compromised computers. The evolving techniques used by botnet operators make it difficult for traditional methods of botnet identification to stay up. Machine learning has become increasingly effective in recent years as a means of identifying and reducing these hazards. The CTU-13 dataset, a frequently used dataset in the field of cybersecurity, is used in this study to offer a machine learning-based method for botnet detection. The suggested methodology makes use of the CTU-13, which is made up of actual network traffic data that was recorded in a network environment that had been attacked by a botnet. The dataset is used to train a variety of machine learning algorithms to categorize network traffic as botnet-related/benign, including decision tree, regression model, naïve Bayes, and neural network model. We employ a number of criteria, such as accuracy, precision, and sensitivity, to measure how well each model performs in categorizing both known and unidentified botnet traffic patterns. Results from experiments show how well the machine learning based approach detects botnet with accuracy. It is potential for use in actual world is demonstrated by the suggested system’s high detection rates and low false positive rates.
Iaetsd a survey on detecting denial-of-service attacksIaetsd Iaetsd
The document describes a system for detecting denial-of-service (DoS) attacks using multivariate correlation analysis (MCA). The system analyzes network traffic characteristics by studying geometric correlations between traffic features. It employs anomaly-based detection to recognize known and unknown attacks by learning patterns of legitimate network traffic. The system first generates traffic records from basic features, then applies MCA using a triangle area approach to determine correlations between features. It generates normal traffic profiles during training and compares individual traffic records to profiles during testing to detect attacks. The system detects attacks at the individual sample level for more accurate classification compared to group-based detection mechanisms.
The International Journal of Engineering and Science (The IJES)theijes
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
Secure intrusion detection and countermeasure selection in virtual system usi...eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
A fast static analysis approach to detect exploit code inside network flowsUltraUploader
This document proposes a static analysis approach to detect exploit code within network flows. It aims to distinguish between data and executable code by looking for evidence of meaningful data and control flow patterns within binary code fragments recovered through disassembly, without knowing the exact location of the code. The approach is evaluated on real network trace data and is shown to detect a variety of exploit code, including polymorphic and metamorphic variants. It also automatically generates precise signatures to complement signature-based detection systems.
DDoS Attack Detection on Internet o Things using Unsupervised Algorithmsijfls
The increase in the deployment of IoT networks has improved productivity of humans and organisations. However, IoT networks are increasingly becoming platforms for launching DDoS attacks due to inherent weaker security and resource-constrained nature of IoT devices. This paper focusses on detecting DDoS attack in IoT networks by classifying incoming network packets on the transport layer as either “Suspicious” or “Benign” using unsupervised machine learning algorithms. In this work, two deep learning algorithms and two clustering algorithms were independently trained for mitigating DDoS attacks. We lay emphasis on exploitation based DDOS attacks which include TCP SYN-Flood attacks and UDP-Lag attacks. We use Mirai, BASHLITE and CICDDoS2019 dataset in training the algorithms during the experimentation phase. The accuracy score and normalized-mutual-information score are used to quantify the classification performance of the four algorithms. Our results show that the autoencoder performed overall best with the highest accuracy across all the datasets.
DDOS ATTACK DETECTION ON INTERNET OF THINGS USING UNSUPERVISED ALGORITHMSijfls
The increase in the deployment of IoT networks has improved productivity of humans and organisations.
However, IoT networks are increasingly becoming platforms for launching DDoS attacks due to inherent
weaker security and resource-constrained nature of IoT devices. This paper focusses on detecting DDoS
attack in IoT networks by classifying incoming network packets on the transport layer as either
“Suspicious” or “Benign” using unsupervised machine learning algorithms. In this work, two deep
learning algorithms and two clustering algorithms were independently trained for mitigating DDoS
attacks. We lay emphasis on exploitation based DDOS attacks which include TCP SYN-Flood attacks and
UDP-Lag attacks. We use Mirai, BASHLITE and CICDDoS2019 dataset in training the algorithms during
the experimentation phase. The accuracy score and normalized-mutual-information score are used to
quantify the classification performance of the four algorithms. Our results show that the autoencoder
performed overall best with the highest accuracy across all the datasets.
FORTIFICATION OF HYBRID INTRUSION DETECTION SYSTEM USING VARIANTS OF NEURAL ...IJNSA Journal
Intrusion Detection Systems (IDS) form a key part of system defence, where it identifies abnormal
activities happening in a computer system. In recent years different soft computing based techniques have
been proposed for the development of IDS. On the other hand, intrusion detection is not yet a perfect
technology. This has provided an opportunity for data mining to make quite a lot of important
contributions in the field of intrusion detection. In this paper we have proposed a new hybrid technique
by utilizing data mining techniques such as fuzzy C means clustering, Fuzzy neural network / Neurofuzzy and radial basis function(RBF) SVM for fortification of the intrusion detection system. The
proposed technique has five major steps in which, first step is to perform the relevance analysis, and then
input data is clustered using Fuzzy C-means clustering. After that, neuro-fuzzy is trained, such that each
of the data point is trained with the corresponding neuro-fuzzy classifier associated with the cluster.
Subsequently, a vector for SVM classification is formed and in the last step, classification using RBF-
SVM is performed to detect intrusion has happened or not. Data set used is the KDD cup 1999 dataset
and we have used precision, recall, F-measure and accuracy as the evaluation metrics parameters. Our
technique could achieve better accuracy for all types of intrusions. The results of proposed technique are
compared with the other existing techniques. These comparisons proved the effectiveness of our
technique.
Abstraction based intrusion detection in distributed environmentsUltraUploader
This document proposes a hierarchical model to support attack specification and event abstraction in distributed intrusion detection systems. The model involves three concepts: system views provide abstract interfaces of information; signatures specify distributed attacks and events to monitor defined on system views; and view definitions derive information from signature matches and present it through system views. This allows generic signatures to accommodate unknown variants of known attacks and updates abstraction without changing specifications or signatures. The paper then presents a decentralized method for component systems to cooperatively detect distributed attacks by decomposing signatures into detection tasks and having components perform tasks according to dependencies.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE...IJNSA Journal
This document proposes a hybrid architecture for a distributed intrusion detection system using multiple agents. The key aspects of the architecture include:
- Using multiple independent tracker agents that monitor hosts and generate reports sent to monitors and storage.
- Monitors analyze activity and compare to signatures to detect known attacks, or send data to anomaly detectors.
- Anomaly and misuse detectors use classification and pattern matching to detect known and unknown attacks.
- An inference module coordinates entities across hosts to classify new attacks using a knowledge base and signature generator.
- A countermeasure module alerts administrators and can take actions like dropping packets in response to detected attacks.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE...IJNSA Journal
In order to the rapid growth of the network application, new kinds of network attacks are emerging endlessly. So it is critical to protect the networks from attackers and the Intrusion detection technology becomes popular. Therefore, it is necessary that this security concern must be articulate right from the beginning of the network design and deployment. The intrusion detection technology is the process of identifying network activity that can lead to a compromise of security policy. Lot of work has been done in detection of intruders. But the solutions are not satisfactory. In this paper, we propose a novel Distributed Intrusion Detection System using Multi Agent In order to decrease false alarms and manage misuse and anomaly detects.
A Lightweight Method for Detecting Cyber Attacks in High-traffic Large Networ...IJCNCJournal
Protecting information systems is a difficult and long-term task. The size and traffic intensity of computer networks are diverse and no one protection solution is universal for all cases. A certain solution protects well in the campus network, but it is unlikely to protect well in the service provider's network. A key component of a cyber defence system is a network attack detector. This component needs to be designed to have a good way to scale detection capabilities with network size and traffic intensity beyond the size and intensity of a campus network. From this point of view, this paper aims to build a network attack detection method suitable for the scale of large and high-traffic networks based on machine learning models using clustering techniques and our proposed detection technique. The detection technique is different from outlier detection commonly used in clustering-based anomaly detection applications. The method was evaluated in cases using different feature extraction methods and different clustering algorithms. Experimental results on the NSL-KDD data set are positive with a detection accuracy of over 97%.
A LIGHTWEIGHT METHOD FOR DETECTING CYBER ATTACKS IN HIGH-TRAFFIC LARGE NETWOR...IJCNCJournal
The document proposes a lightweight method for detecting cyberattacks in high-traffic large networks based on clustering techniques. The method clusters network traffic data using algorithms like K-means and DBSCAN. It extracts features from the data using methods like Risk-based Acquisition and Attribute Ratio before clustering. The clusters are then analyzed to detect anomalous clusters that may indicate attacks. This detection technique can scale to large, high-traffic networks by processing data in batches and distributing the workload of analyzing clusters across multiple parallel processes. The method was evaluated on the NSL-KDD dataset and achieved over 97% detection accuracy.
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysisijceronline
This document summarizes a research paper that proposes a new method for identifying denial of service (DoS) attacks using multivariate correlation analysis (MCA). The method involves three main steps: 1) generating basic features from network traffic, 2) using MCA to extract correlations between features and generate triangle area maps, and 3) using an anomaly-based detection mechanism to distinguish attacks from normal traffic based on differences from pre-generated normal profiles. The researchers evaluate their method on the KDD Cup 99 dataset and achieve moderate detection performance. However, they identify issues related to differences in feature scales that reduce detection of some attacks. They propose using statistical normalization to address this.
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...IJNSA Journal
This paper proposes a fault tolerant distributed intrusion detection system architecture that uses mobile agents. The architecture includes a mobile agent platform (MAP) that provides an execution environment for mobile agents (MAs) to run specialized monitoring tasks. When the main IDS server goes down, the MAP on backup client hosts can collectively take over server responsibilities according to priority. MAs dispatch from the MAP to detect intrusions by invoking filter, correlator and interpreter agents. The paper outlines this architecture and discusses directions for implementing an IDS using the MAP, MAs, detection engines and XML data storage. This approach aims to improve scalability, platform independence and reliability over other IDS models.
IRJET - A Secure Approach for Intruder Detection using BacktrackingIRJET Journal
This document summarizes a research paper that proposes a secure approach for intruder detection using backtracking. The approach detects intruders by analyzing network traffic and matching it to known attack patterns. If an abnormal behavior or attack is identified, an alert is sent to the administrator. When messages are sent between nodes, the receiver uses backtracking to check the transaction history and identify any differences in node keys that could indicate an intruder. This helps track down the intruder by analyzing previous transactions in the network.
AN IMPLEMENTATION OF INTRUSION DETECTION SYSTEM USING GENETIC ALGORITHMIJNSA Journal
Nowadays it is very important to maintain a high level security to ensure safe and trusted communication of information between various organizations. But secured data communication over internet and any other network is always under threat of intrusions and misuses. So Intrusion Detection Systems have
become a needful component in terms of computer and network security. There are various approaches being utilized in intrusion detections, but unfortunately any of the systems so far is not completely flawless. So, the quest of betterment continues. In this progression, here we present an Intrusion
Detection System (IDS), by applying genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for GA are discussed in details and implemented. This approach uses evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99
benchmark dataset and obtained reasonable detection rate.
Distributed Denial of Service (DDoS) attack is the most severe cyber-attack that
affects the availability of critical applications. The attackers identify the weakness in
the machines and compromise them to involve in the flooding attack. During the
DDOS attack generation, they also gain access to secret information. These
computers are then used to wage a DDoS Attack in host’s computer. Through many
security measures have been taken in order to stop DDOS Attack to be protect our
data, the attackers have developed new techniques and attack methodology. Hence it
is very important that instead of reacting to new attacks, it is necessary to build a
complete DDoS solution that will defend all types of DDoS attacks. So, the
researchers must understand the cyber space and methods utilized to block the DDoS
attacks. The proposed system provides a unique method to detect DDoS attack using
Splunk. We propose two methods for prevention of DDoS attack. One is using
Randomly generated Captchas and other one is using Linux bash script to prevent
DDoS attack by automatically blocking IP of the client, who is sending multiple
request at a time.
USE OF MARKOV CHAIN FOR EARLY DETECTING DDOS ATTACKSIJNSA Journal
DDoS has a variety of types of mixed attacks. Botnet attackers can chain different types of DDoS attacks to confuse cybersecurity defenders. In this article, the attack type can be represented as the state of the model. Considering the attack type, we use this model to calculate the final attack probability. The final attack probability is then converted into one prediction vector, and the incoming attacks can be detected early before IDS issues an alert. The experiment results have shown that the prediction model that can make multi-vector DDoS detection and analysis easier.
Malicious activities (malcodes) are self replicating
malware and a major security threat in a network environment.
Timely detection and system alert flags are very essential to
prevent rapid malcodes spreading in the network. The difficulty
in detecting malcodes is that they evolve over time. Despite the fact
that signature-based tools, are generally used to secure systems,
signature-based malcode detectors neglect to recognize muddled
and beforehand concealed malcode executables. Automatic signature
generation systems has likewise been use to address the issue
of malcodes, yet there are many works required for good detection.
Base on the behavior way of malcodes, a behavior approach is
required for such detection. Specifically, we require a dynamic
investigation and behavior Rule Base system that distinguishes
malcodes without erroneously block legitimate traffic or increase
false alarms. This paper proposed and discussed the approach
using Machine learning and Indicators of Compromise (IOC) to
analyze intrusion in a network, to identify the cause of the attack
and to provide future detection. This paper proposed the use of
behaviour malware analysis framework to analyze intrusion data,
apply clustering algorithm on the analyzed data and generate IOC
from the clustered data for IOCRule, which will be implemented
into Snort Intrusion Detection System (IDS) for malicious code
detection.
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationCSCJournals
This document discusses integrating attack graphs with intrusion detection systems to help identify complex multi-stage attacks. It proposes an architecture where an intrusion detection system detects alerts and stores them in a database. A vulnerability scanner identifies vulnerabilities, and an attack graph generator uses the alerts and vulnerabilities to generate and update an attack graph. A tool then analyzes the alerts and attack graph to highlight detected intrusions on the graph. The goal is to help administrators better understand the progression of attacks by visualizing how alerts may be related across different stages of an attack. As a proof of concept, the paper implements this using SNORT for intrusion detection, NESSUS for vulnerability scanning, and MULVAL for attack graph generation.
COPYRIGHTThis thesis is copyright materials protected under the .docxvoversbyobersby
COPYRIGHT
This thesis is copyright materials protected under the Berne Convection, the copyright Act 1999 and other international and national enactments in that behalf, on intellectual property. It may not be reproduced by any means in full or in part except for short extracts in fair dealing so for research or private study, critical scholarly review or discourse with acknowledgment, with written permission of the Dean School of Graduate Studies on behalf of both the author and XXX XXX University.ABSTRACT
With Fast growing internet world the risk of intrusion has also increased, as a result Intrusion Detection System (IDS) is the admired key research field. IDS are used to identify any suspicious activity or patterns in the network or machine, which endeavors the security features or compromise the machine. IDS majorly use all the features of the data. It is a keen observation that all the features are not of equal relevance for the detection of attacks. Moreover every feature does not contribute in enhancing the system performance significantly. The main aim of the work done is to develop an efficient denial of service network intrusion classification model. The specific objectives included: to analyse existing literature in intrusion detection systems; what are the techniques used to model IDS, types of network attacks, performance of various machine learning tools, how are network intrusion detection systems assessed; to find out top network traffic attributes that can be used to model denial of service intrusion detection; to develop a machine learning model for detection of denial of service network intrusion.Methods: The research design was experimental and data was collected by simulation using NSL-KDD dataset. By implementing Correlation Feature Selection (CFS) mechanism using three search algorithms, a smallest set of features is selected with all the features that are selected very frequently. Findings: The smallest subset of features chosen is the most nominal among all the feature subset found. Further, the performances using Artificial neural networks(ANN), decision trees, Support Vector Machines (SVM) and K-Nearest Neighbour (KNN) classifiers is compared for 7 subsets found by filter model and 41 attributes. Results: The outcome indicates a remarkable improvement in the performance metrics used for comparison of the two classifiers. The results show that using 17/18 selected features improves DOS types classification accuracies as compared to using the 41 features in the NSL-KDD dataset. It was further observed that using an ensemble of three classifiers with decision fusion performs better as compared to using a single classifier for DOS type’s classification. Among machine learning tools experimented, ANN achieved best classification accuracies followed by SVM and DT. KNN registered the lowest classification accuracies. Application: The proposed work with such an improved detection rate and lesser classification time and lar.
A Survey on Hidden Markov Model (HMM) Based Intention Prediction Techniques IJERA Editor
The extensive use of virtualization in implementing cloud infrastructure brings unrivaled security concerns for
cloud tenants or customers and introduces an additional layer that itself must be completely configured and
secured. Intruders can exploit the large amount of cloud resources for their attacks.
This paper discusses two approaches In the first three features namely ongoing attacks, autonomic prevention
actions, and risk measure are Integrated to our Autonomic Cloud Intrusion Detection Framework (ACIDF) as
most of the current security technologies do not provide the essential security features for cloud systems such as
early warnings about future ongoing attacks, autonomic prevention actions, and risk measure. The early
warnings are signaled through a new finite State Hidden Markov prediction model that captures the interaction
between the attackers and cloud assets. The risk assessment model measures the potential impact of a threat on
assets given its occurrence probability. The estimated risk of each security alert is updated dynamically as the
alert is correlated to prior ones. This enables the adaptive risk metric to evaluate the cloud’s overall security
state. The prediction system raises early warnings about potential attacks to the autonomic component,
controller. Thus, the controller can take proactive corrective actions before the attacks pose a serious security
risk to the system.
In another Attack Sequence Detection (ASD) approach as Tasks from different users may be performed on the
same machine. Therefore, one primary security concern is whether user data is secure in cloud. On the other
hand, hacker may facilitate cloud computing to launch larger range of attack, such as a request of port scan in
cloud with multiple virtual machines executing such malicious action. In addition, hacker may perform a
sequence of attacks in order to compromise his target system in cloud, for example, evading an easy-to-exploit
machine in a cloud and then using the previous compromised to attack the target. Such attack plan may be
stealthy or inside the computing environment, so intrusion detection system or firewall has difficulty to identify
it.
A Survey on Hidden Markov Model (HMM) Based Intention Prediction TechniquesIJERA Editor
This document summarizes a research paper on using hidden Markov models to predict security threats and attacks in cloud computing systems. It discusses two approaches: 1) Integrating ongoing attack detection, automatic prevention actions, and risk measurement into an autonomic cloud intrusion detection framework using a hidden Markov prediction model. 2) Using hidden Markov models to detect sequences of anomalous behaviors in system logs that may indicate an attack plan over a period of time. The document provides background on hidden Markov models and how they can be applied to modeling threat sequences and states in a cloud system to provide early warnings of potential attacks.
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEEMEMTECHSTUDENTPROJECTS
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
Home security is of paramount importance in today's world, where we rely more on technology, home
security is crucial. Using technology to make homes safer and easier to control from anywhere is
important. Home security is important for the occupant’s safety. In this paper, we came up with a low cost,
AI based model home security system. The system has a user-friendly interface, allowing users to start
model training and face detection with simple keyboard commands. Our goal is to introduce an innovative
home security system using facial recognition technology. Unlike traditional systems, this system trains
and saves images of friends and family members. The system scans this folder to recognize familiar faces
and provides real-time monitoring. If an unfamiliar face is detected, it promptly sends an email alert,
ensuring a proactive response to potential security threats.
In the era of data-driven warfare, the integration of big data and machine learning (ML) techniques has
become paramount for enhancing defence capabilities. This research report delves into the applications of
big data and ML in the defence sector, exploring their potential to revolutionize intelligence gathering,
strategic decision-making, and operational efficiency. By leveraging vast amounts of data and advanced
algorithms, these technologies offer unprecedented opportunities for threat detection, predictive analysis,
and optimized resource allocation. However, their adoption also raises critical concerns regarding data
privacy, ethical implications, and the potential for misuse. This report aims to provide a comprehensive
understanding of the current state of big data and ML in defence, while examining the challenges and
ethical considerations that must be addressed to ensure responsible and effective implementation.
More Related Content
Similar to A Novel Exploit Traffic Traceback Method Based on Session Relationship
DDOS ATTACK DETECTION ON INTERNET OF THINGS USING UNSUPERVISED ALGORITHMSijfls
The increase in the deployment of IoT networks has improved productivity of humans and organisations.
However, IoT networks are increasingly becoming platforms for launching DDoS attacks due to inherent
weaker security and resource-constrained nature of IoT devices. This paper focusses on detecting DDoS
attack in IoT networks by classifying incoming network packets on the transport layer as either
“Suspicious” or “Benign” using unsupervised machine learning algorithms. In this work, two deep
learning algorithms and two clustering algorithms were independently trained for mitigating DDoS
attacks. We lay emphasis on exploitation based DDOS attacks which include TCP SYN-Flood attacks and
UDP-Lag attacks. We use Mirai, BASHLITE and CICDDoS2019 dataset in training the algorithms during
the experimentation phase. The accuracy score and normalized-mutual-information score are used to
quantify the classification performance of the four algorithms. Our results show that the autoencoder
performed overall best with the highest accuracy across all the datasets.
FORTIFICATION OF HYBRID INTRUSION DETECTION SYSTEM USING VARIANTS OF NEURAL ...IJNSA Journal
Intrusion Detection Systems (IDS) form a key part of system defence, where it identifies abnormal
activities happening in a computer system. In recent years different soft computing based techniques have
been proposed for the development of IDS. On the other hand, intrusion detection is not yet a perfect
technology. This has provided an opportunity for data mining to make quite a lot of important
contributions in the field of intrusion detection. In this paper we have proposed a new hybrid technique
by utilizing data mining techniques such as fuzzy C means clustering, Fuzzy neural network / Neurofuzzy and radial basis function(RBF) SVM for fortification of the intrusion detection system. The
proposed technique has five major steps in which, first step is to perform the relevance analysis, and then
input data is clustered using Fuzzy C-means clustering. After that, neuro-fuzzy is trained, such that each
of the data point is trained with the corresponding neuro-fuzzy classifier associated with the cluster.
Subsequently, a vector for SVM classification is formed and in the last step, classification using RBF-
SVM is performed to detect intrusion has happened or not. Data set used is the KDD cup 1999 dataset
and we have used precision, recall, F-measure and accuracy as the evaluation metrics parameters. Our
technique could achieve better accuracy for all types of intrusions. The results of proposed technique are
compared with the other existing techniques. These comparisons proved the effectiveness of our
technique.
Abstraction based intrusion detection in distributed environmentsUltraUploader
This document proposes a hierarchical model to support attack specification and event abstraction in distributed intrusion detection systems. The model involves three concepts: system views provide abstract interfaces of information; signatures specify distributed attacks and events to monitor defined on system views; and view definitions derive information from signature matches and present it through system views. This allows generic signatures to accommodate unknown variants of known attacks and updates abstraction without changing specifications or signatures. The paper then presents a decentralized method for component systems to cooperatively detect distributed attacks by decomposing signatures into detection tasks and having components perform tasks according to dependencies.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE...IJNSA Journal
This document proposes a hybrid architecture for a distributed intrusion detection system using multiple agents. The key aspects of the architecture include:
- Using multiple independent tracker agents that monitor hosts and generate reports sent to monitors and storage.
- Monitors analyze activity and compare to signatures to detect known attacks, or send data to anomaly detectors.
- Anomaly and misuse detectors use classification and pattern matching to detect known and unknown attacks.
- An inference module coordinates entities across hosts to classify new attacks using a knowledge base and signature generator.
- A countermeasure module alerts administrators and can take actions like dropping packets in response to detected attacks.
HYBRID ARCHITECTURE FOR DISTRIBUTED INTRUSION DETECTION SYSTEM IN WIRELESS NE...IJNSA Journal
In order to the rapid growth of the network application, new kinds of network attacks are emerging endlessly. So it is critical to protect the networks from attackers and the Intrusion detection technology becomes popular. Therefore, it is necessary that this security concern must be articulate right from the beginning of the network design and deployment. The intrusion detection technology is the process of identifying network activity that can lead to a compromise of security policy. Lot of work has been done in detection of intruders. But the solutions are not satisfactory. In this paper, we propose a novel Distributed Intrusion Detection System using Multi Agent In order to decrease false alarms and manage misuse and anomaly detects.
A Lightweight Method for Detecting Cyber Attacks in High-traffic Large Networ...IJCNCJournal
Protecting information systems is a difficult and long-term task. The size and traffic intensity of computer networks are diverse and no one protection solution is universal for all cases. A certain solution protects well in the campus network, but it is unlikely to protect well in the service provider's network. A key component of a cyber defence system is a network attack detector. This component needs to be designed to have a good way to scale detection capabilities with network size and traffic intensity beyond the size and intensity of a campus network. From this point of view, this paper aims to build a network attack detection method suitable for the scale of large and high-traffic networks based on machine learning models using clustering techniques and our proposed detection technique. The detection technique is different from outlier detection commonly used in clustering-based anomaly detection applications. The method was evaluated in cases using different feature extraction methods and different clustering algorithms. Experimental results on the NSL-KDD data set are positive with a detection accuracy of over 97%.
A LIGHTWEIGHT METHOD FOR DETECTING CYBER ATTACKS IN HIGH-TRAFFIC LARGE NETWOR...IJCNCJournal
The document proposes a lightweight method for detecting cyberattacks in high-traffic large networks based on clustering techniques. The method clusters network traffic data using algorithms like K-means and DBSCAN. It extracts features from the data using methods like Risk-based Acquisition and Attribute Ratio before clustering. The clusters are then analyzed to detect anomalous clusters that may indicate attacks. This detection technique can scale to large, high-traffic networks by processing data in batches and distributing the workload of analyzing clusters across multiple parallel processes. The method was evaluated on the NSL-KDD dataset and achieved over 97% detection accuracy.
A New Way of Identifying DOS Attack Using Multivariate Correlation Analysisijceronline
This document summarizes a research paper that proposes a new method for identifying denial of service (DoS) attacks using multivariate correlation analysis (MCA). The method involves three main steps: 1) generating basic features from network traffic, 2) using MCA to extract correlations between features and generate triangle area maps, and 3) using an anomaly-based detection mechanism to distinguish attacks from normal traffic based on differences from pre-generated normal profiles. The researchers evaluate their method on the KDD Cup 99 dataset and achieve moderate detection performance. However, they identify issues related to differences in feature scales that reduce detection of some attacks. They propose using statistical normalization to address this.
Architecture for Intrusion Detection System with Fault Tolerance Using Mobile...IJNSA Journal
This paper proposes a fault tolerant distributed intrusion detection system architecture that uses mobile agents. The architecture includes a mobile agent platform (MAP) that provides an execution environment for mobile agents (MAs) to run specialized monitoring tasks. When the main IDS server goes down, the MAP on backup client hosts can collectively take over server responsibilities according to priority. MAs dispatch from the MAP to detect intrusions by invoking filter, correlator and interpreter agents. The paper outlines this architecture and discusses directions for implementing an IDS using the MAP, MAs, detection engines and XML data storage. This approach aims to improve scalability, platform independence and reliability over other IDS models.
IRJET - A Secure Approach for Intruder Detection using BacktrackingIRJET Journal
This document summarizes a research paper that proposes a secure approach for intruder detection using backtracking. The approach detects intruders by analyzing network traffic and matching it to known attack patterns. If an abnormal behavior or attack is identified, an alert is sent to the administrator. When messages are sent between nodes, the receiver uses backtracking to check the transaction history and identify any differences in node keys that could indicate an intruder. This helps track down the intruder by analyzing previous transactions in the network.
AN IMPLEMENTATION OF INTRUSION DETECTION SYSTEM USING GENETIC ALGORITHMIJNSA Journal
Nowadays it is very important to maintain a high level security to ensure safe and trusted communication of information between various organizations. But secured data communication over internet and any other network is always under threat of intrusions and misuses. So Intrusion Detection Systems have
become a needful component in terms of computer and network security. There are various approaches being utilized in intrusion detections, but unfortunately any of the systems so far is not completely flawless. So, the quest of betterment continues. In this progression, here we present an Intrusion
Detection System (IDS), by applying genetic algorithm (GA) to efficiently detect various types of network intrusions. Parameters and evolution processes for GA are discussed in details and implemented. This approach uses evolution theory to information evolution in order to filter the traffic data and thus reduce the complexity. To implement and measure the performance of our system we used the KDD99
benchmark dataset and obtained reasonable detection rate.
Distributed Denial of Service (DDoS) attack is the most severe cyber-attack that
affects the availability of critical applications. The attackers identify the weakness in
the machines and compromise them to involve in the flooding attack. During the
DDOS attack generation, they also gain access to secret information. These
computers are then used to wage a DDoS Attack in host’s computer. Through many
security measures have been taken in order to stop DDOS Attack to be protect our
data, the attackers have developed new techniques and attack methodology. Hence it
is very important that instead of reacting to new attacks, it is necessary to build a
complete DDoS solution that will defend all types of DDoS attacks. So, the
researchers must understand the cyber space and methods utilized to block the DDoS
attacks. The proposed system provides a unique method to detect DDoS attack using
Splunk. We propose two methods for prevention of DDoS attack. One is using
Randomly generated Captchas and other one is using Linux bash script to prevent
DDoS attack by automatically blocking IP of the client, who is sending multiple
request at a time.
USE OF MARKOV CHAIN FOR EARLY DETECTING DDOS ATTACKSIJNSA Journal
DDoS has a variety of types of mixed attacks. Botnet attackers can chain different types of DDoS attacks to confuse cybersecurity defenders. In this article, the attack type can be represented as the state of the model. Considering the attack type, we use this model to calculate the final attack probability. The final attack probability is then converted into one prediction vector, and the incoming attacks can be detected early before IDS issues an alert. The experiment results have shown that the prediction model that can make multi-vector DDoS detection and analysis easier.
Malicious activities (malcodes) are self replicating
malware and a major security threat in a network environment.
Timely detection and system alert flags are very essential to
prevent rapid malcodes spreading in the network. The difficulty
in detecting malcodes is that they evolve over time. Despite the fact
that signature-based tools, are generally used to secure systems,
signature-based malcode detectors neglect to recognize muddled
and beforehand concealed malcode executables. Automatic signature
generation systems has likewise been use to address the issue
of malcodes, yet there are many works required for good detection.
Base on the behavior way of malcodes, a behavior approach is
required for such detection. Specifically, we require a dynamic
investigation and behavior Rule Base system that distinguishes
malcodes without erroneously block legitimate traffic or increase
false alarms. This paper proposed and discussed the approach
using Machine learning and Indicators of Compromise (IOC) to
analyze intrusion in a network, to identify the cause of the attack
and to provide future detection. This paper proposed the use of
behaviour malware analysis framework to analyze intrusion data,
apply clustering algorithm on the analyzed data and generate IOC
from the clustered data for IOCRule, which will be implemented
into Snort Intrusion Detection System (IDS) for malicious code
detection.
Application of Attack Graphs in Intrusion Detection Systems: An ImplementationCSCJournals
This document discusses integrating attack graphs with intrusion detection systems to help identify complex multi-stage attacks. It proposes an architecture where an intrusion detection system detects alerts and stores them in a database. A vulnerability scanner identifies vulnerabilities, and an attack graph generator uses the alerts and vulnerabilities to generate and update an attack graph. A tool then analyzes the alerts and attack graph to highlight detected intrusions on the graph. The goal is to help administrators better understand the progression of attacks by visualizing how alerts may be related across different stages of an attack. As a proof of concept, the paper implements this using SNORT for intrusion detection, NESSUS for vulnerability scanning, and MULVAL for attack graph generation.
COPYRIGHTThis thesis is copyright materials protected under the .docxvoversbyobersby
COPYRIGHT
This thesis is copyright materials protected under the Berne Convection, the copyright Act 1999 and other international and national enactments in that behalf, on intellectual property. It may not be reproduced by any means in full or in part except for short extracts in fair dealing so for research or private study, critical scholarly review or discourse with acknowledgment, with written permission of the Dean School of Graduate Studies on behalf of both the author and XXX XXX University.ABSTRACT
With Fast growing internet world the risk of intrusion has also increased, as a result Intrusion Detection System (IDS) is the admired key research field. IDS are used to identify any suspicious activity or patterns in the network or machine, which endeavors the security features or compromise the machine. IDS majorly use all the features of the data. It is a keen observation that all the features are not of equal relevance for the detection of attacks. Moreover every feature does not contribute in enhancing the system performance significantly. The main aim of the work done is to develop an efficient denial of service network intrusion classification model. The specific objectives included: to analyse existing literature in intrusion detection systems; what are the techniques used to model IDS, types of network attacks, performance of various machine learning tools, how are network intrusion detection systems assessed; to find out top network traffic attributes that can be used to model denial of service intrusion detection; to develop a machine learning model for detection of denial of service network intrusion.Methods: The research design was experimental and data was collected by simulation using NSL-KDD dataset. By implementing Correlation Feature Selection (CFS) mechanism using three search algorithms, a smallest set of features is selected with all the features that are selected very frequently. Findings: The smallest subset of features chosen is the most nominal among all the feature subset found. Further, the performances using Artificial neural networks(ANN), decision trees, Support Vector Machines (SVM) and K-Nearest Neighbour (KNN) classifiers is compared for 7 subsets found by filter model and 41 attributes. Results: The outcome indicates a remarkable improvement in the performance metrics used for comparison of the two classifiers. The results show that using 17/18 selected features improves DOS types classification accuracies as compared to using the 41 features in the NSL-KDD dataset. It was further observed that using an ensemble of three classifiers with decision fusion performs better as compared to using a single classifier for DOS type’s classification. Among machine learning tools experimented, ANN achieved best classification accuracies followed by SVM and DT. KNN registered the lowest classification accuracies. Application: The proposed work with such an improved detection rate and lesser classification time and lar.
A Survey on Hidden Markov Model (HMM) Based Intention Prediction Techniques IJERA Editor
The extensive use of virtualization in implementing cloud infrastructure brings unrivaled security concerns for
cloud tenants or customers and introduces an additional layer that itself must be completely configured and
secured. Intruders can exploit the large amount of cloud resources for their attacks.
This paper discusses two approaches In the first three features namely ongoing attacks, autonomic prevention
actions, and risk measure are Integrated to our Autonomic Cloud Intrusion Detection Framework (ACIDF) as
most of the current security technologies do not provide the essential security features for cloud systems such as
early warnings about future ongoing attacks, autonomic prevention actions, and risk measure. The early
warnings are signaled through a new finite State Hidden Markov prediction model that captures the interaction
between the attackers and cloud assets. The risk assessment model measures the potential impact of a threat on
assets given its occurrence probability. The estimated risk of each security alert is updated dynamically as the
alert is correlated to prior ones. This enables the adaptive risk metric to evaluate the cloud’s overall security
state. The prediction system raises early warnings about potential attacks to the autonomic component,
controller. Thus, the controller can take proactive corrective actions before the attacks pose a serious security
risk to the system.
In another Attack Sequence Detection (ASD) approach as Tasks from different users may be performed on the
same machine. Therefore, one primary security concern is whether user data is secure in cloud. On the other
hand, hacker may facilitate cloud computing to launch larger range of attack, such as a request of port scan in
cloud with multiple virtual machines executing such malicious action. In addition, hacker may perform a
sequence of attacks in order to compromise his target system in cloud, for example, evading an easy-to-exploit
machine in a cloud and then using the previous compromised to attack the target. Such attack plan may be
stealthy or inside the computing environment, so intrusion detection system or firewall has difficulty to identify
it.
A Survey on Hidden Markov Model (HMM) Based Intention Prediction TechniquesIJERA Editor
This document summarizes a research paper on using hidden Markov models to predict security threats and attacks in cloud computing systems. It discusses two approaches: 1) Integrating ongoing attack detection, automatic prevention actions, and risk measurement into an autonomic cloud intrusion detection framework using a hidden Markov prediction model. 2) Using hidden Markov models to detect sequences of anomalous behaviors in system logs that may indicate an attack plan over a period of time. The document provides background on hidden Markov models and how they can be applied to modeling threat sequences and states in a cloud system to provide early warnings of potential attacks.
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
IEEE 2014 DOTNET PARALLEL DISTRIBUTED PROJECTS A system-for-denial-of-service...IEEEMEMTECHSTUDENTPROJECTS
To Get any Project for CSE, IT ECE, EEE Contact Me @ 09666155510, 09849539085 or mail us - ieeefinalsemprojects@gmail.com-Visit Our Website: www.finalyearprojects.org
Similar to A Novel Exploit Traffic Traceback Method Based on Session Relationship (20)
Home security is of paramount importance in today's world, where we rely more on technology, home
security is crucial. Using technology to make homes safer and easier to control from anywhere is
important. Home security is important for the occupant’s safety. In this paper, we came up with a low cost,
AI based model home security system. The system has a user-friendly interface, allowing users to start
model training and face detection with simple keyboard commands. Our goal is to introduce an innovative
home security system using facial recognition technology. Unlike traditional systems, this system trains
and saves images of friends and family members. The system scans this folder to recognize familiar faces
and provides real-time monitoring. If an unfamiliar face is detected, it promptly sends an email alert,
ensuring a proactive response to potential security threats.
In the era of data-driven warfare, the integration of big data and machine learning (ML) techniques has
become paramount for enhancing defence capabilities. This research report delves into the applications of
big data and ML in the defence sector, exploring their potential to revolutionize intelligence gathering,
strategic decision-making, and operational efficiency. By leveraging vast amounts of data and advanced
algorithms, these technologies offer unprecedented opportunities for threat detection, predictive analysis,
and optimized resource allocation. However, their adoption also raises critical concerns regarding data
privacy, ethical implications, and the potential for misuse. This report aims to provide a comprehensive
understanding of the current state of big data and ML in defence, while examining the challenges and
ethical considerations that must be addressed to ensure responsible and effective implementation.
Cloud Computing, being one of the most recent innovative developments of the IT world, has been
instrumental not just to the success of SMEs but, through their productivity and innovative contribution to
the economy, has even made a remarkable contribution to the economic growth of the United States. To
this end, the study focuses on how cloud computing technology has impacted economic growth through
SMEs in the United States. Relevant literature connected to the variables of interest in this study was
reviewed, and secondary data was generated and utilized in the analysis section of this paper. The findings
of this paper revealed that there have been meaningful contributions that the usage of virtualization has
made in the commercial dealings of small firms in the United States, and this has also been reflected in the
economic growth of the country. This paper further revealed that as important as cloud-based software is,
some SMEs are still skeptical about how it can help improve their business and increase their bottom line
and hence have failed to adopt it. Apart from the SMEs, some notable large firms in different industries,
including information and educational services, have adopted cloud computing technology and hence
contributed to the economic growth of the United States. Lastly, findings from our inferential statistics
revealed that no discernible change has occurred in innovation between small and big businesses in the
adoption of cloud computing. Both categories of businesses adopt cloud computing in the same way, and
their contribution to the American economy has no significant difference in the usage of virtualization.
Energy-constrained Wireless Sensor Networks (WSNs) have garnered significant research interest in
recent years. Multiple-Input Multiple-Output (MIMO), or Cooperative MIMO, represents a specialized
application of MIMO technology within WSNs. This approach operates effectively, especially in
challenging and resource-constrained environments. By facilitating collaboration among sensor nodes,
Cooperative MIMO enhances reliability, coverage, and energy efficiency in WSN deployments.
Consequently, MIMO finds application in diverse WSN scenarios, spanning environmental monitoring,
industrial automation, and healthcare applications.
The AIRCC's International Journal of Computer Science and Information Technology (IJCSIT) is devoted to fields of Computer Science and Information Systems. The IJCSIT is a open access peer-reviewed scientific journal published in electronic form as well as print form. The mission of this journal is to publish original contributions in its field in order to propagate knowledge amongst its readers and to be a reference publication. IJCSIT publishes original research papers and review papers, as well as auxiliary material such as: research papers, case studies, technical reports etc.
With growing, Car parking increases with the number of car users. With the increased use of smartphones
and their applications, users prefer mobile phone-based solutions. This paper proposes the Smart Parking
Management System (SPMS) that depends on Arduino parts, Android applications, and based on IoT. This
gave the client the ability to check available parking spaces and reserve a parking spot. IR sensors are
utilized to know if a car park space is allowed. Its area data are transmitted using the WI-FI module to the
server and are recovered by the mobile application which offers many options attractively and with no cost
to users and lets the user check reservation details. With IoT technology, the smart parking system can be
connected wirelessly to easily track available locations.
Welcome to AIRCC's International Journal of Computer Science and Information Technology (IJCSIT), your gateway to the latest advancements in the dynamic fields of Computer Science and Information Systems.
Computer-Assisted Language Learning (CALL) are computer-based tutoring systems that deal with
linguistic skills. Adding intelligence in such systems is mainly based on using Natural Language
Processing (NLP) tools to diagnose student errors, especially in language grammar. However, most such
systems do not consider the modeling of student competence in linguistic skills, especially for the Arabic
language. In this paper, we will deal with basic grammar concepts of the Arabic language taught for the
fourth grade of the elementary school in Egypt. This is through Arabic Grammar Trainer (AGTrainer)
which is an Intelligent CALL. The implemented system (AGTrainer) trains the students through different
questions that deal with the different concepts and have different difficulty levels. Constraint-based student
modeling (CBSM) technique is used as a short-term student model. CBSM is used to define in small grain
level the different grammar skills through the defined skill structures. The main contribution of this paper
is the hierarchal representation of the system's basic grammar skills as domain knowledge. That
representation is used as a mechanism for efficiently checking constraints to model the student knowledge
and diagnose the student errors and identify their cause. In addition, satisfying constraints and the number
of trails the student takes for answering each question and fuzzy logic decision system are used to
determine the student learning level for each lesson as a long-term model. The results of the evaluation
showed the system's effectiveness in learning in addition to the satisfaction of students and teachers with its
features and abilities.
In the realm of computer security, the importance of efficient and reliable user authentication methods has
become increasingly critical. This paper examines the potential of mouse movement dynamics as a
consistent metric for continuous authentication. By analysing user mouse movement patterns in two
contrasting gaming scenarios, "Team Fortress" and "Poly Bridge," we investigate the distinctive
behavioral patterns inherent in high-intensity and low-intensity UI interactions. The study extends beyond
conventional methodologies by employing a range of machine learning models. These models are carefully
selected to assess their effectiveness in capturing and interpreting the subtleties of user behavior as
reflected in their mouse movements. This multifaceted approach allows for a more nuanced and
comprehensive understanding of user interaction patterns. Our findings reveal that mouse movement
dynamics can serve as a reliable indicator for continuous user authentication. The diverse machine
learning models employed in this study demonstrate competent performance in user verification, marking
an improvement over previous methods used in this field. This research contributes to the ongoing efforts to
enhance computer security and highlights the potential of leveraging user behavior, specifically mouse
dynamics, in developing robust authentication systems.
The AIRCC's International Journal of Computer Science and Information Technology (IJCSIT) is devoted to fields of Computer Science and Information Systems. The IJCSIT is a open access peer-reviewed scientific journal published in electronic form as well as print form. The mission of this journal is to publish original contributions in its field in order to propagate knowledge amongst its readers and to be a reference publication.
Image segmentation and classification tasks in computer vision have proven to be highly effective using neural networks, specifically Convolutional Neural Networks (CNNs). These tasks have numerous
practical applications, such as in medical imaging, autonomous driving, and surveillance. CNNs are capable
of learning complex features directly from images and achieving outstanding performance across several
datasets. In this work, we have utilized three different datasets to investigate the efficacy of various preprocessing and classification techniques in accurssedately segmenting and classifying different structures
within the MRI and natural images. We have utilized both sample gradient and Canny Edge Detection
methods for pre-processing, and K-means clustering have been applied to segment the images. Image
augmentation improves the size and diversity of datasets for training the models for image classification
The AIRCC's International Journal of Computer Science and Information Technology (IJCSIT) is devoted to fields of Computer Science and Information Systems. The IJCSIT is a open access peer-reviewed scientific journal published in electronic form as well as print form. The mission of this journal is to publish original contributions in its field in order to propagate knowledge amongst its readers and to be a reference publication.
This research aims to further understanding in the field of continuous authentication using behavioural
biometrics. We are contributing a novel dataset that encompasses the gesture data of 15 users playing
Minecraft with a Samsung Tablet, each for a duration of 15 minutes. Utilizing this dataset, we employed
machine learning (ML) binary classifiers, being Random Forest (RF), K-Nearest Neighbors (KNN), and
Support Vector Classifier (SVC), to determine the authenticity of specific user actions. Our most robust
model was SVC, which achieved an average accuracy of approximately 90%, demonstrating that touch
dynamics can effectively distinguish users. However, further studies are needed to make it viable option
for authentication systems. You can access our dataset at the following
link:https://github.com/AuthenTech2023/authentech-repo
This paper discusses the capabilities and limitations of GPT-3 (0), a state-of-the-art language model, in the
context of text understanding. We begin by describing the architecture and training process of GPT-3, and
provide an overview of its impressive performance across a wide range of natural language processing
tasks, such as language translation, question-answering, and text completion. Throughout this research
project, a summarizing tool was also created to help us retrieve content from any types of document,
specifically IELTS (0) Reading Test data in this project. We also aimed to improve the accuracy of the
summarizing, as well as question-answering capabilities of GPT-3 (0) via long text
In the realm of computer security, the importance of efficient and reliable user authentication methods has
become increasingly critical. This paper examines the potential of mouse movement dynamics as a
consistent metric for continuous authentication. By analysing user mouse movement patterns in two
contrasting gaming scenarios, "Team Fortress" and "Poly Bridge," we investigate the distinctive
behavioral patterns inherent in high-intensity and low-intensity UI interactions. The study extends beyond
conventional methodologies by employing a range of machine learning models. These models are carefully
selected to assess their effectiveness in capturing and interpreting the subtleties of user behavior as
reflected in their mouse movements. This multifaceted approach allows for a more nuanced and
comprehensive understanding of user interaction patterns. Our findings reveal that mouse movement
dynamics can serve as a reliable indicator for continuous user authentication. The diverse machine
learning models employed in this study demonstrate competent performance in user verification, marking
an improvement over previous methods used in this field. This research contributes to the ongoing efforts to
enhance computer security and highlights the potential of leveraging user behavior, specifically mouse
dynamics, in developing robust authentication systems.
Image segmentation and classification tasks in computer vision have proven to be highly effective using neural networks, specifically Convolutional Neural Networks (CNNs). These tasks have numerous
practical applications, such as in medical imaging, autonomous driving, and surveillance. CNNs are capable
of learning complex features directly from images and achieving outstanding performance across several
datasets. In this work, we have utilized three different datasets to investigate the efficacy of various preprocessing and classification techniques in accurssedately segmenting and classifying different structures
within the MRI and natural images. We have utilized both sample gradient and Canny Edge Detection
methods for pre-processing, and K-means clustering have been applied to segment the images. Image
augmentation improves the size and diversity of datasets for training the models for image classification.
This work highlights transfer learning’s effectiveness in image classification using CNNs and VGG 16 that
provides insights into the selection of pre-trained models and hyper parameters for optimal performance.
We have proposed a comprehensive approach for image segmentation and classification, incorporating preprocessing techniques, the K-means algorithm for segmentation, and employing deep learning models such
as CNN and VGG 16 for classification.
- The document presents 6 different models for defining foot size in Tunisia: 2 statistical models, 2 neural network models using unsupervised learning, and 2 models combining neural networks and fuzzy logic.
- The statistical models (SM and SHM) are based on applying statistical equations to morphological foot data.
- The neural network models (MSK and MHSK) use self-organizing Kohonen maps to cluster foot data and model full and half sizes.
- The fuzzy neural network models (MSFK and MHSFK) incorporate fuzzy logic into the neural network learning process to better account for uncertainty in foot sizes.
The security of Electric Vehicle (EV) charging has gained momentum after the increase in the EV adoption
in the past few years. Mobile applications have been integrated into EV charging systems that mainly use a
cloud-based platform to host their services and data. Like many complex systems, cloud systems are
susceptible to cyberattacks if proper measures are not taken by the organization to secure them. In this
paper, we explore the security of key components in the EV charging infrastructure, including the mobile
application and its cloud service. We conducted an experiment that initiated a Man in the Middle attack
between an EV app and its cloud services. Our results showed that it is possible to launch attacks against
the connected infrastructure by taking advantage of vulnerabilities that may have substantial economic and
operational ramifications on the EV charging ecosystem. We conclude by providing mitigation suggestions
and future research directions.
The AIRCC's International Journal of Computer Science and Information Technology (IJCSIT) is devoted to fields of Computer Science and Information Systems. The IJCSIT is a open access peer-reviewed scientific journal published in electronic form as well as print form. The mission of this journal is to publish original contributions in its field in order to propagate knowledge amongst its readers and to be a reference publication.
The AIRCC's International Journal of Computer Science and Information Technology (IJCSIT) is devoted to fields of Computer Science and Information Systems. The IJCSIT is a open access peer-reviewed scientific journal published in electronic form as well as print form. The mission of this journal is to publish original contributions in its field in order to propagate knowledge amongst its readers and to be a reference publication.
A high-Speed Communication System is based on the Design of a Bi-NoC Router, ...DharmaBanothu
The Network on Chip (NoC) has emerged as an effective
solution for intercommunication infrastructure within System on
Chip (SoC) designs, overcoming the limitations of traditional
methods that face significant bottlenecks. However, the complexity
of NoC design presents numerous challenges related to
performance metrics such as scalability, latency, power
consumption, and signal integrity. This project addresses the
issues within the router's memory unit and proposes an enhanced
memory structure. To achieve efficient data transfer, FIFO buffers
are implemented in distributed RAM and virtual channels for
FPGA-based NoC. The project introduces advanced FIFO-based
memory units within the NoC router, assessing their performance
in a Bi-directional NoC (Bi-NoC) configuration. The primary
objective is to reduce the router's workload while enhancing the
FIFO internal structure. To further improve data transfer speed,
a Bi-NoC with a self-configurable intercommunication channel is
suggested. Simulation and synthesis results demonstrate
guaranteed throughput, predictable latency, and equitable
network access, showing significant improvement over previous
designs
Determination of Equivalent Circuit parameters and performance characteristic...pvpriya2
Includes the testing of induction motor to draw the circle diagram of induction motor with step wise procedure and calculation for the same. Also explains the working and application of Induction generator
Open Channel Flow: fluid flow with a free surfaceIndrajeet sahu
Open Channel Flow: This topic focuses on fluid flow with a free surface, such as in rivers, canals, and drainage ditches. Key concepts include the classification of flow types (steady vs. unsteady, uniform vs. non-uniform), hydraulic radius, flow resistance, Manning's equation, critical flow conditions, and energy and momentum principles. It also covers flow measurement techniques, gradually varied flow analysis, and the design of open channels. Understanding these principles is vital for effective water resource management and engineering applications.
Accident detection system project report.pdfKamal Acharya
The Rapid growth of technology and infrastructure has made our lives easier. The
advent of technology has also increased the traffic hazards and the road accidents take place
frequently which causes huge loss of life and property because of the poor emergency facilities.
Many lives could have been saved if emergency service could get accident information and
reach in time. Our project will provide an optimum solution to this draw back. A piezo electric
sensor can be used as a crash or rollover detector of the vehicle during and after a crash. With
signals from a piezo electric sensor, a severe accident can be recognized. According to this
project when a vehicle meets with an accident immediately piezo electric sensor will detect the
signal or if a car rolls over. Then with the help of GSM module and GPS module, the location
will be sent to the emergency contact. Then after conforming the location necessary action will
be taken. If the person meets with a small accident or if there is no serious threat to anyone’s
life, then the alert message can be terminated by the driver by a switch provided in order to
avoid wasting the valuable time of the medical rescue team.
Levelised Cost of Hydrogen (LCOH) Calculator ManualMassimo Talia
The aim of this manual is to explain the
methodology behind the Levelized Cost of
Hydrogen (LCOH) calculator. Moreover, this
manual also demonstrates how the calculator
can be used for estimating the expenses associated with hydrogen production in Europe
using low-temperature electrolysis considering different sources of electricity
Digital Twins Computer Networking Paper Presentation.pptxaryanpankaj78
A Digital Twin in computer networking is a virtual representation of a physical network, used to simulate, analyze, and optimize network performance and reliability. It leverages real-time data to enhance network management, predict issues, and improve decision-making processes.
Applications of artificial Intelligence in Mechanical Engineering.pdfAtif Razi
Historically, mechanical engineering has relied heavily on human expertise and empirical methods to solve complex problems. With the introduction of computer-aided design (CAD) and finite element analysis (FEA), the field took its first steps towards digitization. These tools allowed engineers to simulate and analyze mechanical systems with greater accuracy and efficiency. However, the sheer volume of data generated by modern engineering systems and the increasing complexity of these systems have necessitated more advanced analytical tools, paving the way for AI.
AI offers the capability to process vast amounts of data, identify patterns, and make predictions with a level of speed and accuracy unattainable by traditional methods. This has profound implications for mechanical engineering, enabling more efficient design processes, predictive maintenance strategies, and optimized manufacturing operations. AI-driven tools can learn from historical data, adapt to new information, and continuously improve their performance, making them invaluable in tackling the multifaceted challenges of modern mechanical engineering.
Build the Next Generation of Apps with the Einstein 1 Platform.
Rejoignez Philippe Ozil pour une session de workshops qui vous guidera à travers les détails de la plateforme Einstein 1, l'importance des données pour la création d'applications d'intelligence artificielle et les différents outils et technologies que Salesforce propose pour vous apporter tous les bénéfices de l'IA.
Sri Guru Hargobind Ji - Bandi Chor Guru.pdfBalvir Singh
Sri Guru Hargobind Ji (19 June 1595 - 3 March 1644) is revered as the Sixth Nanak.
• On 25 May 1606 Guru Arjan nominated his son Sri Hargobind Ji as his successor. Shortly
afterwards, Guru Arjan was arrested, tortured and killed by order of the Mogul Emperor
Jahangir.
• Guru Hargobind's succession ceremony took place on 24 June 1606. He was barely
eleven years old when he became 6th Guru.
• As ordered by Guru Arjan Dev Ji, he put on two swords, one indicated his spiritual
authority (PIRI) and the other, his temporal authority (MIRI). He thus for the first time
initiated military tradition in the Sikh faith to resist religious persecution, protect
people’s freedom and independence to practice religion by choice. He transformed
Sikhs to be Saints and Soldier.
• He had a long tenure as Guru, lasting 37 years, 9 months and 3 days
A Novel Exploit Traffic Traceback Method Based on Session Relationship
1. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
DOI: 10.5121/ijcsit.2023.15301 1
A NOVEL EXPLOIT TRAFFIC TRACEBACK METHOD
BASED ON SESSION RELATIONSHIP
Yajing Liu, Ruijie Cai *, Xiaokang Yin and Shengli Liu
State Key Laboratory of Mathematical Engineering and Advanced Computing,
Zhengzhou 450001, China.
ABSTRACT
Vulnerability exploitation is the key to obtaining the control authority of the system, posing a significant
threat to network security. Therefore, it is necessary to discover exploitation from traffic. The current
methods usually only target a single stage with an incomplete causal relationship and depend on the
payload content, causing attacker easily avoids detection by encrypting traffic and other means. We
propose a traffic traceback method of vulnerability exploitation to solve the above problems based on
session relation. First, we construct the session relationship model using the session correlation of
different stages during the exploit. Second, we build a session diagram based on historical traffic. Finally,
we traverse the session diagram to find the traffic conforming to the session relationship model. Compared
with Blatta, a method detecting early exploit traffic with RNN, the detection rate of our method is increased
by 50%, independent of traffic encryption methods.
KEYWORDS
Exploit, Malicious Traffic Detection, Session Relationship, Traffic Analysis
1. INTRODUCTION
As software features continue to grow, so do the size of code and the number of security holes.
Attackers can use vulnerabilities to steal information, upgrade permissions, or even directly
control the operating system, posing a serious threat to network security. Therefore, it is
necessary to propose an exploit detection method.
To discover exploit behaviour, researchers proposed a series of detection methods for exploits[1]-
[12]. At present, there are two types of detection technologies for exploits: host-based detection
method and traffic-based detection method. Host-based detection methods often require detection
tools to be deployed on the host system and require high system permissions. The traffic-based
detection method is characterized by a large amount of data, rich information, and ease of
operation. It can be deployed in offline mode through port mirroring and only requires traffic
analysis. Therefore, this paper focuses on traffic-based detection methods. As early as 2007,
Polychronakis et al. [8] proposed a heuristic Detection method by using a complete processor
simulator to detect polymorphic shellcode in Network Intrusion Detection System (NIDS). But
unknown shellcode cannot be detected. Borders et al. [9] proposed Spector, a traffic load analysis
engine, which uses symbolic execution technology to extract meaningful API calls in shellcode
and generate the underlying disassembly code. In 2019, Kanemoto et al. [10] proposed an attack
detection method based on code simulation technology, combined with IDS rules to detect
whether remote shellcode attacks are successful. In 2020, Pratomo et al. [11] proposed Blatta, a
method of detecting early exploit traffic by using a cyclic neural network. The main idea is to
detect the first 400 bytes of the application layer and identify exploit traffic according to
2. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
2
shellcodecharacteristic bytes. In addition, Pratomo et al. [12] proposed a low-rate attack detection
method based on fine-grained network intelligence analysis, which detects attacks through
unsupervised learning of application layer information. However, the above traffic-based exploit
detection technologies are mostly based on the idea of load characteristic pattern matching.
shellcode characteristic code in traffic is used to detect exploits, which can be easily avoided and
cannot detect encrypted traffic.
In 2022, Trofti et al. proposed a traffic detection method for vulnerability exploitation tools. This
approach treats a network flow as a weighted directed interaction between a pair of nodes and
proposes a simple method that can be used to use connectivity graph features in unsupervised
anomaly detection algorithms. However, this method can only detect the traffic in the late stage
of vulnerability exploitation, and cannot construct a complete causal relationship.
To solve the above problems, we present a novel exploit traffic traceback method. First, we
construct the session relationship model using the session correlation in different stages of
vulnerability exploitation. Second, we build a session graph based on historical traffic. Finally,
we traverse the session graph to find the traffic that fits the session relationship model. The main
contributions are as follows:
(1) We propose a detection model based on session relationship, which can detect the whole
process of vulnerability exploitation traffic when the target's IP address is known;
(2) We propose SRG-ETDetector, a traffic traceback method based on the session
relationship. Unlike the existing methods, SRG-ETDetector is according to the idea of
causal association, which can not only detect the early and late traffic of vulnerability
exploitation simultaneously but also has nothing to do with the traffic encryption method.
(3)We simulate ten vulnerability exploitation, and the result shows that the detection rate of
our method is increased by 50% compared with Blatta, using a recurrent neural network to
detect early attack traffic, and the detection results are independent of the specific cause of
the exploited vulnerability and the traffic encryption method.
We organize the rest of this paper as follows. Section 2 introduces the definitions and categories
of vulnerability exploitation, shellcode, and their relationship. We propose a novel exploit traffic
detection method SRG-ETDetector in Section 3. In Section 4, we evaluate the performance of
ETDetecor in detecting vulnerability exploitation traffic compared with the state-of-the-art work.
It concludes in Section 5.
2. BACKGROUND
We first introduce the concepts related to vulnerability exploitation and classify common
vulnerability exploitation behaviour, and point out that our research objective is code execution
vulnerability exploitation. Secondly, shellcode-related concepts are introduced and classified
according to function. Finally, we introduce the concepts related to reverse shell and classify
reverse shell methods.
2.1. Vulnerability Exploitation Definition and Classification
Vulnerability exploitation is the behaviour that an attacker can access or destroy system data
under unauthorized circumstances by taking advantage of the lack of consideration in the design
of computer protocols, software, or hardware, or the flaws in the system security policy. As we
3. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
3
all know, attackers usually exploit the vulnerability to obtain the target device system control
rights or to destroy the target device system availability. Specifically, it can be divided into the
following five types.
(1) Code execution vulnerability exploitation. A code execution attack means that the attacker
uses the vulnerability of the application program to execute the code that implements
malicious functions by constructing special command strings.
(2) Authentication bypass vulnerability exploitation. An authentication bypass attack means
that the attacker uses the vulnerabilities in the login and identity authentication process of
the system to avoid the system authentication process, and logs on to the system as a legal
user without authentication information such as account and password.
(3) Privilege escalation vulnerability exploitation. A privilege escalation attack means that the
attacker uses the vulnerability to bypass the system Settings, perform file operations, and
set system information and other operations with higher privileges.
(4) Data leakage vulnerability exploitation. Data leakage attack refers to the attacker using
system vulnerabilities to view, copy, steal, modify, and other illegal operations on legal
user data without permission.
(5) Denial of service vulnerability exploitation. Unlike the above four attacks, denial of
service attacks do not aim to gain system permissions, but to prevent or weaken the
authorized use of the network, system, or application by exhausting system resources such
as CPU, memory, bandwidth, or disk space.
From the perspective of attack chain [14], the correlation of the above five types of vulnerability
exploitation behaviours is shown in Figure 1 Illustration of the five vulnerability exploitation
associations. As can be seen from Figure 2, a code execution attack is the most important
prerequisite and necessary attack path of the other four attack behaviours, so it is the most
important to study the vulnerability exploitation traffic detection method for the purpose of a
code execution attack. Therefore, this paper focuses on code execution vulnerability exploitation
as the research object.
Figure 1. Illustration of the five vulnerability exploitation associations
2.2. Shellcode Definition and Classification
Shellcode refers to a code fragment with certain functions used in the code execution
vulnerabilities exploitation [15], which can achieve various functions according to the needs of
attackers, including modifying system Settings, starting shell interface, establishing remote
sessions, etc.
4. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
4
Shellcode has diversified as the battle between attack and defence escalates. Cheng et al. [16] In
terms of function, the shellcode is divided into four types: Execute Command (EC), Bind Shell
(BS), Reverse Shell (RS), and Executable Download and Execute (ED).
Due to Intranet isolation and other reasons, the reverse shell is widely used in actual exploit
scenarios [17]. Therefore, we mainly analyse the malicious behaviour generated after the loading
of the Reverse Shell (RS) class shellcode, namely, reverse shell.
2.3. Reverse Shell Definition And Classification
Stipovic et al. [18] defined a reverse shell as a piece of malicious code, whose function is to
establish a TCP connection from the controlled end to the control terminal and download the
payload to achieve permission upgrade.
There are many ways to implement reverse shell attacks in real applications, but their essence is
inseparable from network communication. Based on the types of communication protocols,
reverse shells can be divided into UDP-based reverse shells, ICMP-based reverse shells,
TCPbased reverse shells, and HTTP/HTTPS-based reverse shells. Since the network intrusion
detection system (NIDS) usually intercepts UDP and ICMP packets, the reverse shell based on
HTTP/HTTPS is mostly non-real-time interaction, so the reverse shell based on TCP is more
widely used in actual attack scenarios [19]. Therefore, this paper studies the reverse shell based
on the TCP protocol.
According to whether the content of the traffic load is visible, reverse shells based on TCP
protocol are divided into the encrypted shell and non-encrypted shell. According to the type of
shell returned, it can be divided into system shell, and other advanced shells, such as Meterpreter
[20]. Therefore, according to the different types of traffic encryption and the types of shell
returned, reverse shells based on TCP protocol can be subdivided into four categories, namely
non-encryption system shells, encryption system shells, non-encryption advanced shells, and
encryption advanced shells.
3. METHOD
This chapter proposes a vulnerability exploitation detection model based on traffic behaviour.
Firstly, the whole process of vulnerability exploitation was divided into stages according to the
relevant actors of the attack payload, and the possible malicious behaviours and their
corresponding traffic communication behaviour characteristics in each stage were analysed.
Secondly, the malicious behaviour correlation between adjacent stages and the corresponding
traffic session correlation characteristics were analysed. Then, based on the above characteristics,
a vulnerability exploitation detection model based on traffic behaviour analysis was proposed.
The model consists of two parts. The first part is responsible for locating the target IP address,
and the second part detects the whole process traffic of vulnerability exploitation based on
individual session characteristics and session relationships. Finally, we analyse the practical
application of the model.
3.1. Vulnerability Exploitation Behaviours Analysis
In this section, according to the attack steps, we divide the whole exploit process into payload
generation phase, payload delivery phase and payload execution phase, and analyse the behaviour
of each phase respectively.
5. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
5
3.1.1. Behaviours Analysis During Payload Generation
Generating the payload is the first step in any exploit. In this phase, the actor is the attacker, and
the included attack steps are shown in Figure 2. Firstly, the attacker collects vulnerability related
information of the target device through vulnerability scanning and other methods, writes
shellcode according to the vulnerability type and trigger principle, and writes code segments that
need to be executed through the vulnerability exploitation according to the attack purpose, and
combines them into the attack payload, namely payload. The payload is then encoded, encrypted,
and so on. Typically, generating payloads is a local activity, meaning that there is no interaction
between the attacker and the target device that is reflected in the traffic. Although the attacker has
the action of scanning the target device for vulnerabilities in this stage, usually, this stage belongs
to the period when the attacker unilaterally collects target intelligence, and does not involve the
interaction behaviours directly related to vulnerability exploitation. Since the payload generation
phase and the latter two phases are not necessarily tightly coupled in time, only the payload
delivery phase and payload execution phase are considered for the time being when detecting the
vulnerability exploitation traffic.
Figure 2. Illustration of attacker’s behaviours during payload generation
3.1.2. Behaviours Analysis During Payload Delivery
Once the payload is generated, we move on to the payload delivery phase. In this stage, the actor
is also the attacker. The main goal of the attacker is to send the payload to the target device,
which is mainly achieved by two ways.
(1) Passive delivery, mainly represented by social engineering, which is characterized by
various forms of carriers and strong stealth, but the attack effect depends on the target
user's artificial choice and has uncertainty.
(2) Active delivery: the attacker has mastered the port opening status of the target device, then
he actively establishes a session, and sends payload-bearing packets to the target device.
In this paper, we ignore the impact of social engineering, and focus on the case where the
attacker actively accesses the port to deliver the attack payload. Its behaviour is shown in Figure
3.
6. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
6
Figure 3. Illustration of attacker’s behaviours during payload delivery
Firstly, the attacker will obtain the port opening information of the target device through port
scanning and other means to prepare for the later establishment of network session connection.
After gathering enough intelligence, the attacker sends packets containing shellcode and exploit
code to the target device in turn. It is important to note that the shellcode and the attack code are
not necessarily sent together.
Taking the SMB remote code execution vulnerability CVE-2017-7494 as an example, there is a
sequence in which packets are sent.
Firstly, the attacker always initiated TCP connection actively, accessed the 445 port of the target
device, determined the version number of SMB protocol, and then anonymously logged in.
Through path traversal and other methods, the physical path of the shared directory of Samba
server was exploded, and whether the dynamic link library file containing malicious code could
be written was explored. Finally, the SMB protocol vulnerability function is_known_pipename()
does not check the special characters in the name of the anonymous pipe to load the dynamic link
library file using the name, so as to run malicious code to achieve the purpose of the attack. And
the packet containing malicious code may not be delivered in one time. Generally, for exploit
tools such as Metasploit, there are three types of attack payloads: single, stager, and stage,
depending on how they are delivered and run. The single is transmitted to the target device at one
time and can run independently. stager, on the other hand, is a transporter and is only responsible
for establishing a new connection between the target device and the attacker so that subsequent
attack payloads, called stages, can be delivered to the target device. The Stage is the actual
malicious code used to accomplish the purpose of the attack. The advantage of this method is that
it allows the attacker to use a smaller attack payload to load the actual malicious code, and makes
the communication mechanism and the final execution phase independent of each other, so there
is no need to copy the code, which can avoid the detection of anti-virus software on the target
device and improve the probability of successful execution of malicious code.
In terms of traffic, this phase may involve multiple sessions. First, the initial session is initiated
by the attacker to deliver shellcode and the first part of the attack payload to the target device.
After the vulnerability is successfully triggered by the shellcode, the first part of the attack
7. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
7
payload is run, usually by creating a new session with the goal of transmitting further attack
payloads.
3.1.3. Behaviours Analysis During Payload Execution
After the payload is delivered to the target device, the payload execution phase begins. The main
purpose of the attacker in this phase is to wait for the execution result of the attack code, and the
main body of the behaviour is converted from the attacker to the target device. The flow of its
behaviour is shown in Figure 4.
Figure 4. Illustration of target’s behaviours during payload delivery
This phase is the most important step of vulnerability exploitation and determines whether a
vulnerability exploitation is successful or not. In the payload delivery phase, after the attacker
initiates the first connection to the target device and sends the first attack payload, the target
device receives the packet containing shellcode and parses its contents. If the vulnerability is
successfully triggered, the malicious code following the shellcode is executed. For code
execution exploits, the first piece of malicious code after the shellcode usually establishes a new
connection between the target device and the attacker. In the Intranet environment, the new
connection is usually made by the way of the target device connecting back, which is easy to
break through the firewall and other protection products. In the case of segmented attack
payloads, the malicious code sent along with the shellcode is called a stager, or transporter, and is
responsible for connecting back to the attacker, establishing a new connection, and delivering the
actual code for the attack, the stage, to the target device. When the last stage is run on the target
device, the execution result is returned to the attacker, which represents the successful
completion of the exploit. Combined with the analysis of the attacker's behaviours in the delivery
phase of payload in Section 3.1.2, it is not difficult to see that the delivery phase and the
execution phase of payload are only different in the behaviour subject and have a certain
temporal relationship. However, the behaviour of the attacker transmitting the payload in
segments and the behaviour of the target device running the payload are tightly coupled, and the
two phases occur alternately until the last part of the malicious code is executed. Therefore, it is
also tightly coupled on traffic sessions.
In terms of traffic, similar to the payload delivery phase, this phase may also involve more than
one session. First, the initial session is initiated by the attacker to deliver shellcode and the first
part of the attack payload to the target device. After the vulnerability is successfully triggered by
the shellcode, the first part of the attack payload is run, usually by creating a new session with the
8. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
8
goal of transmitting further attack payloads. The specific characteristics of the different sessions
in this phase and their relationship analysis are given in Section 3.2.
3.2. Session Relationship Analysis of Vulnerability Exploitation
According to the two conditions "whether the final instructions are executed on the target
machine immediately after the vulnerability is triggered" ("final instructions" refers to a series of
operations performed by the attacker to achieve persistence in subsequent stages, such as
downloading trojans, backdoors to the target machine, etc.) and "whether the target needs to
communicate with other terminals besides the attacker ", The session relationship of the last two
attack stages of vulnerability exploitation is roughly divided into four categories, and "execute
download Trojan command" is taken as an example to illustrate, where the attacker is A, the
target device is B, and other devices are C.
Considering the reverse shell type shellcode, which is mainly studied in this paper, the possible
session combinations for vulnerability exploitation are shown in Table 1.
For the first and fourth cases, since only one session is involved and multiple phases are included
in the session, whether the session is suspicious traffic can be determined by analysing the data
flow direction segmentation, packet length segmentation, etc.
However, in the case of multiple sessions, it is necessary to locate the traffic sessions in the
whole process of vulnerability exploitation through the characteristics of session node
association, session establishment time sequence, session establishment direction, session data
flow direction, packet direction sequence, packet payload length and size distribution, etc. The
comparison table contains 12 session relationships in the case of multiple sessions.
Table 1. 12 possible session combinations for vulnerability exploitation
Index
Session
number
Session
relationship
Session 1 function Session 2
function
Session 3
function
Reverse
shell
1 1 A-B
Send & execute
payload - - √
2 2 A-B, B-A Send payload
Execute
payload - ×
3 2 A-B, B-C Send payload
Execute
payload - ×
4 1 A-B
Send & execute
payload,
reverse shell
- - √,A-B
5 2 A-B, B-A
Send payload,
reverse shell
Execute
payload - √,A-B
6 2 A-B, B-C
Send payload,
reverse shell
Execute
payload - √,A-B
7 2 A-B, B-A Send payload
Reverse shell
& execute
payload
- √,B-A
8 2 A-B, B-C Send payload
Reverse shell
& execute
payload
- √,B-C
9. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
9
9 3
A-B, B-A, B-
A Send payload Reverse shell
Execute
payload √,B-A
10 3
A-B, B-A, B-
C Send payload Reverse shell
Execute
payload √,B-A
11 3
A-B, B-C, B-
A Send payload Reverse shell
Execute
payload √,B-C
12 3
A-B, B-C, B-
D Send payload Reverse shell
Execute
payload √,B-C
3.3. An Exploit Traffic Detection Model Based on Session Relationship
According to the content of Section 3.1 and 3.2, combined with the idea of "abductive causation
by effect", we propose a novel exploit traffic detection model based on traffic behaviour analysis.
Define that in time T, the set of all IP addresses appearing is I, and the set of all ports is P. The
session relation is constructed as a graph 𝐺 = (𝑉, 𝐸, 𝐹), where V is the node set and the elements
in the node set 𝑣𝑖 = (𝑖𝑝_𝑖, 𝑝𝑜𝑟𝑡_𝑖, 𝑓𝑙𝑎𝑔), 𝑖𝑝_𝑖 ∈ 𝐼, 𝑝𝑜𝑟𝑡_𝑖 ∈ 𝑃, 𝑓𝑙𝑎𝑔 ∈ {1,0}. The 𝑓𝑙𝑎𝑔 is the flag
bit; the default value is 0. If in the preliminary detection, node vi is the controlled target device,
that is, the target machine, then the flag bit 𝑓𝑙𝑎𝑔 = 1. E is the edge set, and the elements in the
edge set 𝑒 = (𝑣𝑖, 𝑣𝑗). F is the session feature set, and the elements in the session feature set 𝑓𝑖 =
(𝑖, 𝑑𝑖𝑟, 𝑝_𝑛𝑢𝑚, 𝑝_𝑑𝑖𝑟_𝑙𝑖𝑠𝑡, 𝑝_𝑏𝑦𝑡𝑒𝑠_𝑟𝑎𝑡𝑒, 𝑝_𝑙𝑒𝑛_𝑙𝑖𝑠𝑡), where 𝑖 is the session sequence number,𝑖𝑟
is the session setup direction, 𝑝_𝑛𝑢𝑚 is the number of data packets, and 𝑓𝑖 is the number of data
packets. 𝑝_𝑑𝑖𝑟_𝑙𝑖𝑠𝑡 represents the packet direction sequence, 𝑝_𝑏𝑦𝑡𝑒𝑠_𝑟𝑎𝑡𝑒 represents the
upload/download ratio, and 𝑝_𝑙𝑒𝑛_𝑙𝑖𝑠𝑡 represents the packet length sequence.
The detection model is shown in Figure 5. Firstly, the traffic passing through the port in time T is
captured, and then the traffic is cut and stored in the form of sessions to filter out empty ACK
packets. Finally, the infected target device is located by detecting malicious traffic sessions
during the execution of payload. Then, the timestamp of the first SYN packet of the malicious
traffic session "triple handshake" during the payload execution phase is extracted, and the
historical traffic before this time is backtracked. According to the session relationship described
in Section 3.2, the traffic sessions in the whole process of vulnerability exploitation are located
through the characteristics such as the association of session nodes, the time sequence of session
establishment, the direction of session establishment, the direction of session data flow, the
sequence of packet direction, and the distribution of packet payload length and size, and the
integrated alarm information is output.
Different from the existing detection methods, the detection model proposed in this paper is
based on the idea of "causal association", and takes the result of vulnerability exploitation as the
breakthrough point. It can not only detect the malicious traffic generated in the late stage of
vulnerability exploitation, but also detect the traffic in the whole process of vulnerability
exploitation according to the session relationship. Since the detection basis of this model is the
session relationship characteristics of different stages of attack, as long as the specific analysis of
each stage of attack behaviour is carried out, the session relationship is summarized, and on this
basis the current session relationship graph model is extended, theoretically any kind of
multistage attack traffic can be detected.
In practical applications, considering that one of the main purposes of code execution
vulnerability exploitation is to obtain system control rights, and due to the restrictions of security
devices such as firewalls, reverse shell has become a common control means for attackers, so
detecting reverse shell traffic can be used as an entry point to locate target machines. Namely, the
first part can be implemented by the reverse shell traffic detection method. The second part
10. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
10
includes session classification, session relation graph construction and suspicious session
localization. The session classification is carried out according to the segmentation of the session
data stream, which can be realized by combining the sequence segmentation algorithm with the
clustering algorithm. Session relationship graph construction and suspicious session localization
can be implemented by graph models.
Figure 5. Vulnerability exploitation traffic detection model based on traffic behaviour
3.4. Framework of SRG-ETDetection
We propose a code execution vulnerability exploitation detection method based on session
relations, SRG-ETDetetcion, and the overall framework is shown in Figure 6, which includes
four modules including data preprocessing, reverse shell detection, session classification, and
vulnerability exploitation traffic detection. This section describes the functions and
implementation details of each module in detail.
11. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
11
Figure 6. The framework of SRG-ETDection
(1) Data preprocessing module
The specific workflow of this module is shown in Figure 24. Firstly, the collected raw traffic was
parsed by the traffic processing tool SplitCap.exe, and the TCP data bidirectional flow was
merged into a complete communication session according to the five-tuple < source IP, source
port, destination IP, destination port, protocol >. Then, the first SYN packet and other packets
whose payload length is greater than 0 in the TCP connection establishment phase are filtered
out, and the information of each packet such as quintuple, timestamp and payload length is
extracted. On this basis, the packet interval sequence, packet length sequence and packet
direction sequence of each session are obtained, and the related work is implemented by
Algorithm 1. See Table 2 for the pseudocode of Algorithm 1.
Table 2. Data preprocessing module Algorithm 1 pseudocode
Algorithm 1:
Input: session_j
Output: delt_j, len_j, dir_j for packet_i;
packet_i in session_j; i++:
if packet_i.TCP.SYN=0 & packet_i.TCP.len=0:
pass;
else:
delt_j.append(packet_i_delt);
len_j.append(packet_i_len);
dir_j.append(packet_i_dir).
(2) Reverse shell detection module
The purpose of detecting reverse shell traffic is to confirm the target device, so it is independent
of the specific method of detecting reverse shells. Due to the detection effect, deployment
method, detection efficiency and other reasons, we choose Metasploit reverse shell traffic
detection method proposed in literature [13] to realize reverse shell traffic detection, and then
locate the target device.
12. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
12
(3) Vulnerability exploitation traffic detection module
The module includes session classification sub-module, feature extraction sub-module, and
anomaly detection sub-module.
Among them, the session classification sub-module is responsible for dividing the sessions into
three categories: normal traffic, suspicious single session and suspicious multiple session
according to the data flow and packet length segmentation, which are stored in different folders
respectively. It is convenient for subsequent feature extraction and anomaly detection. The key of
the session classification sub-module is to segment the data packets in the session according to
the arrival time, that is, to segment the time series of the session data packets, which is realized
by Algorithm 2, and the relevant pseudocode is shown in Table 3.
Table 3. Session classification module Algorithm 2 pseudocode
Algorithm 2:
Input: time serie T,max_error
Output: Seg_TS
For i=1; i<length(T);i++:
Seg_TS=concat(Seg_TS, create_seg-moment(T[i:i+1])); For i=1;
i<length(Seg_TS);i++:
Merge_cost(i)=calculate_error([merge(Seg_TS(i). Seg_TS(i+1))])
While(min(merge_cost)<max_error):
index=min(merge_cost);
Seg_TS(index)=merge(Seg_TS(index),Seg_TS(index+1)); delete(Seg_TS(index+1));
Merge_cost(index-1)=calculate_error(merge(Seg_TS(index-1),Seg_TS(index)));
Merge_cost(index)=calculate_error(merge(Seg_TS(index),Seg_TS(index+1))).
The feature extraction sub-module extracts session features and builds a session relationship
graph, which is stored in matrix form for anomaly detection.
The anomaly detection sub-module is responsible for traversing the session relationship graph
constructed by the feature extraction module. According to the 12 session combination situations
summarized in Section 3.2, it traces back the traffic at the early stage of vulnerability
exploitation, integrates all the current suspicious session information, and uses the bi-selecting K-
means algorithm to hierarchical process the traffic and visualize the attack process. To visually
show the traffic behaviour characteristics of the whole process of vulnerability exploitation.
4. EXPERIMENTS AND RESULTS
This chapter first introduces the general framework of our method and describes the functions
and implementation details of all modules in detail. Then, we simulated ten vulnerability
exploitation experiments. Compared with Blatta, a method based on a recurrent neural network to
detect early exploit traffic. Results show that the detection rate of the proposed method is greatly
improved, and the detection effect is not affected by the specific causes of vulnerabilities
exploited and traffic encryption methods.
4.1. Data Set
Since the vulnerability exploitation traffic in the public data set usually only consists of shellcode
delivery phase sessions, and the detection of our method relies on shellcode execution results,
13. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
13
namely reverse shell session detection, it cannot be verified by exploit traffic in the public data
set.
Therefore, in the end, we selected the traffic generated by the artificial reverse shell experiments
to train the decision tree model and conducted ten code execution loophole exploit reverse shell
experiments using the Metasploit penetration test framework. We collect the traffic generated in
the process for tests and select the laboratory exit traffic as the background traffic. See Table 4
for related vulnerability numbers and reverse shell methods. Among them, the traffic data using
the Meterpreter module in Metasploit has a unique encapsulation format, which cannot directly
obtain meaningful information in the payload content. Therefore, in the verification experiment,
regardless of whether the traffic uses SSH and other encryption protocols, the traffic is
considered encrypted traffic.
Table 4. Description of experimental data set
index scenario Network behaviours Traffic type and quantity
1
Normal users
surfing the
Internet
Browse the web
SSH login
Transfer file
Remote desktop
Background traffic
(38512)
2
Unencrypted
reverse shell
Metasploit modules unencrypted
system shell
Unencrypted reverse
shell traffic (77)
3
Encrypted
reverse shell
Metasploit module encryption
system shell, Meterpreter
advanced shell
Encrypted reverse shell
traffic (39)
4.2. Comparison Method
The questions answered in this section are:
RQ1: Can SRG-ETDetector detect both the shellcode delivery phase and shellcode exploitation
phase traffic?
RQ2: Are the results of SRG-ETDetector interpretable?
In order to answer RQ1, experiment 1 is conducted in this paper. Firstly, the attacker is simulated
to exploit the vulnerability ten times of code execution and reverse the malicious behaviour of the
shell. Then, the traffic is collected and mixed with the normal Internet access traffic of users in
the data set in Section 4.1. When selecting the comparison method, considering that the detection
objective of this paper is to discover code execution vulnerability exploitation behaviour through
traffic, among the existing detection methods described in the introduction, the ones that are
closest to the detection objective of this paper are literature [11], and literature [11] is also the
most recent. Therefore, the detection results of code execution vulnerability exploit traffic were
compared with the results of the literature [11].
In order to answer RQ2, experiment 2 is conducted in this paper. Based on the bi-selecting
Kmeans algorithm, hierarchical analysis is carried out on exploit using two-stage traffic, and
visual processing is carried out on exploit using two-stage session traffic respectively, so as to
14. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
14
visually show the behaviour characteristics of traffic transmission in the process of code
execution vulnerability exploit, so as to prove the interpretability of test results.
4.3. Evaluation Criteria
In this section, the detection rate of encrypted traffic, non-encrypted traffic, and all vulnerability
exploitation traffic is used to evaluate the performance of our method. The higher the detection
rate, the lower the probability of code execution vulnerability exploitation behaviour escaping
detection, that is, the better the detection method effect.
Within the defined time 𝑇, the total number of occurrences of code execution vulnerability
exploitation behaviour is 𝑁, where the number of occurrences under traffic encryption condition
is denoted as 𝑁_𝑐𝑟𝑦𝑝𝑡𝑒𝑑, and the number of occurrences without encryption is denoted as
𝑁_𝑛𝑜𝑛𝑐𝑟𝑦𝑝𝑡𝑒𝑑. The number of code execution vulnerability exploitation behaviours detected is
𝑀, where the number of encrypted traffic is denoted as 𝑀_𝑐𝑟𝑦𝑝𝑡𝑒𝑑 and the number of
nonencrypted traffic is denoted as 𝑀_𝑛𝑜𝑛𝑐𝑟𝑦𝑝𝑡𝑒𝑑. The three detection rates are defined as
follows.
4.4. Results Analysis
4.4.1. Comparison of Detection Results of Ten Code Execution Vulnerabilities Exploitation
Reverse Shell Traffic
Experiments 1 is to compare the effect of code execution vulnerabilities detection in ten actual
application scenarios. The vulnerability types used in the experiment include remote command
execution vulnerability and buffer overflow vulnerability and the reverse shell includes both
encrypted and non-encrypted types. To verify the detection effect of the method in this paper on
encrypted traffic, four kinds of reverse shell encrypted traffic are included in the experiment. The
implementation methods include encrypting "one-sentence reverse shell" traffic through
OpenSSL, encrypting traffic through SSL and RC4-related modules in Metasploit, and the traffic
of the Meterpreter session shell is also invisible in plain text. In different periods of the day, the
target machine that normally communicates with the network is used for code execution
vulnerabilities to make it reverse shell. At the same time, Wireshark is run to collect all the traffic
passing through the target machine during the experiment for detection, as shown in Table 4. To
exclude the influence of the target operating system type on the detection effect, the two target
operating systems used in the experiment were Windows XP and Kali 2017. Finally, the results
of the detection of code execution vulnerabilities using reverse shell traffic are shown in Table 5.
15. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
15
Table 5. Comparison of detection results of ten vulnerability exploitation attacks
index
Vulnerability types and CVE number, and
the specific ways to get a reverse
shell
encrypted
Whether the exploit traffic is
detected
Blatta[11]
SRG-
ETDetetcor
1
Remote code execution vulnerability,
CVE-2021-22205, Bash × √ √
2
Buffer overflow vulnerability, MS17010,
Python × √ √
3
Remote code execution vulnerability,
CVE-2020-17530,
Perl+OpenSSL
√ √ √
4
Remote code execution vulnerability,
CVE-2019-15107,
linux/x64/shell/reverse_tcp
× √ √
5
Buffer overflow vulnerability, MS17-010,
windows/shell_reverse_tcp × √ √
6
Buffer overflow vulnerability, CVE-2017-
7494,
python/shell_reverse_tcp_ssl
√ × √
7
Remote code execution vulnerability,
CVE-2019-0708,
windows/Meterpreter/reverse_tcp
√ × √
8
Buffer overflow vulnerability, CVE-2017-
7494,
linux/x64/Meterpreter/reverse_tcp
√ × √
9
Remote code execution vulnerability,
CVE-2019-0708,
windows/Meterpreter/reverse_http
√ × ×
10
Remote code execution vulnerability,
CVE-2019-0708,
windows/Meterpreter/reverse_tcp_rc4
√ × √
The experimental results show that only 5 exploits of code execution were detected in literature
[11], while the method in this paper detected 9 exploits, and rate_total increased by 40%. For the
four exploits under the condition that the traffic is not encrypted, the corresponding traffic can be
detected in literature [11] and the method in this paper, and there is no significant difference in
the rate_noncryped index. However, for the 6 times of code execution vulnerability exploitation
under traffic encryption conditions, only 1 time was detected in literature [11], while the method
in this paper detected 5 times, and rate_crypted increased by about 66.7%. This is because the
method in literature [11] detects based on traffic load. In the case of unencrypted traffic, plaintext
features of shellcode in the load can be extracted; however, in the case of encrypted traffic, the
content of the payload is invisible, and effective information cannot be extracted effectively, so
encrypted traffic cannot be detected. However, the method in this paper extracts traffic behaviour
characteristics independent of load content. Even under the condition of traffic encryption, as
long as the TCP protocol is used, the traffic communication behaviour characteristics conform to
the law, and it can be effectively detected.
16. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
16
According to Table 5, the ninth vulnerability exploitation was not detected by either method.
Through the analysis, the time code execution exploit reverse module is Windows/Meterpreter
shell attack/reverse_http. The basic function implemented by this module is similar to the
Windows/Meterpreter/reverse_tcp module, that is, the Windows target machine returns the
Meterpreter session shell, but the former implements communication based on TCP protocol,
while the latter implements communication based on HTTP protocol. In terms of traffic, the
former is a TCP long connection initiated by the target machine. The latter is multiple HTTP
short connections initiated by the target machine. The reverse shell detection method adopted in
literature [13] is suitable for reverse shell traffic at the transport layer based on TCP protocol.
Reverse shell traffic based on HTTP protocol communication is fundamentally different from it
in session, so it cannot be used to detect it. Since the ultimate purpose of detecting reverse shell
traffic in this paper is to locate the target machine, there is no restriction on the specific methods
to achieve reverse shell traffic detection. Therefore, for the reverse shell traffic implemented by
HTTP/HTTPS protocol, supplementary experiments were carried out by combining with some
existing vulnerabilities and using tool traffic detection methods. The results show that as long as
the reverse shell traffic can be detected and the target machine can detect the whole process of
vulnerability exploitation traffic according to the session relationship, there is no significant
impact on the detection results. Therefore, in practical applications, accurate positioning of the
target machine can be realized in combination with the detection methods of reverse shell against
other protocols, to realize the detection of vulnerability exploitation traffic.
4.4.2. The Vulnerability Exploits the Traffic Stratification Results
Experiment 2 is to stratify the detected code execution vulnerability exploitation traffic using the
bisecting K-means algorithm and visualize the code execution vulnerability exploitation traffic,
thus further proving the interpretability of the classifier. The preset number of clusters in the
biselecting K-means algorithm is set to 4, and the two-phase traffic of buffer overflow
vulnerability CVE-2017-7494 reverse shell is stratified, and the results are shown in Figure 7 and
Figure 8 respectively.
Figure 7 shows the traffic stratification results of the shellcode delivery phase. In the shellcode
delivery phase, the main purpose of the attacker is to transmit the shellcode to the target. The data
packets sent by the attacker are mostly concentrated in the early stage of the session, the packet
length is large, and the data flows to the target. Correspond to the blue, green, and purple clusters
in Figure 7. At this time, the target passively receives the shellcode, so there are only response
packets. Response packet payloads are typically shorter compared to shellcode, corresponding to
the yellow clusters in Figure 7.
17. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
17
Figure 7. The traffic stratification results in the shellcode delivery phase
Figure 8 shows the hierarchical result of reverse shell traffic for the python/shell_reverse_tcp_ssl
module. During the shellcode execution phase, the target returns the encryption shell. In the
session establishment phase, the data packets of both sides interact frequently, and the length of
the data packets is symmetric because the encryption protocol is negotiated. This process is very
transient and corresponds to the yellow cluster in Figure 8. After the reverse shell is successful,
the attacker usually executes the command to obtain the target information, and the overall data
flow to the attack side. Usually, the packets carrying commands are short in length and relatively
scattered. However, the target machine needs to return the corresponding execution results
according to different commands, so the length of the data packets carrying the execution results
is different, corresponding to the green cluster, blue cluster, and purple cluster above the X-axis
in Figure 8.
Figure 8. The traffic stratification results in the shellcode execution phase
5. CONCLUSIONS
This paper proposes SRG-ETDetector, an exploit traffic detection method based on session
relationship graph analysis. Compared with the existing exploit traffic detection methods based
18. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
18
on pattern matching of the payload, SRG-ETDetector can accurately detect the exploit session
according to the effect of shellcode execution, independent of the specific cause of vulnerability
and traffic encryption methods. It is a pity that our method is currently applicable to detecting
code execution vulnerability exploits with traffic for the whole phase. We plan to analyse other
exploit behaviours to expand the application scope of our method and realize real-time detection
in the future.
ACKNOWLEDGEMENTS
The authors would like to thank everyone, just everyone!
REFERENCES
[1] D. Kong, D. Tian, Q. Pan, P. Liu, and D. Wu, “Semantic aware attribution analysis of remote
exploits,” Security and Communication Networks, vol. 6, no. 7, pp. 818–832, 2012.
[2] J. Wu, A. Arrott, and F. C. Colon Osorio, “Protection against remote code execution exploits of
popular applications in windows,” 2014 9th International Conference on Malicious and Unwanted
Software: The Americas (MALWARE), 2014.
[3] P. Parrend, J. Navarro, F. Guigou, A. Deruyver, and P. Collet, “Foundations and applications of
Artificial Intelligence for Zero-day and multi-step attack detection,” EURASIP Journal on
Information Security, vol. 2018, no. 1, 2018.
[4] Homoliak, M. Teknös, M. Ochoa, D. Breitenbacher, S. Hosseini, and P. Hanacek, “Improving
network intrusion detection classifiers by non-payload-based exploit-independent obfuscations: An
adversarial approach,” ICST Transactions on Security and Safety, vol. 5, no. 17, p. 156245, 2019.
[5] L. Chen, S. Sultana, and R. Sahita, “HeNet: A deep learning approach on Intel® processor trace for
effective exploit detection,” 2018 IEEE Security and Privacy Workshops (SPW), 2018.
[6] S. Biswas, M. M. H. K. Sajal, T. Afrin, T. Bhuiyan & M. M. Hassan1, (2018) "A study on remote
code execution vulnerability in web applications", International Conference on Cyber Security and
Computer Science (ICONCS’18), 2018.
[7] F. M. Mokbal, W. Dan, A. Imran, L. Jiuchuan, F. Akhtar, and W. Xiaoxi, “MLPXSS: An integrated
XSS-Based Attack Detection Scheme in web applications using multilayer perceptron technique,”
IEEE Access, vol. 7, pp. 100567–100580, 2019.
[8] M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos, “Network-level polymorphic shellcode
detection using emulation,” Journal in Computer Virology, vol. 2, no. 4, pp. 257–274, 2006.
[9] K. Borders, A. Prakash, and M. Zielinski, “Spector: Automatically analyzing Shell Code,”
TwentyThird Annual Computer Security Applications Conference (ACSAC 2007), 2007.
[10] Y. Kanemoto, K. Aoki, M. Iwamura, J. Miyoshi, D. Kotani, H. Takakura, and Y. Okabe, “Detecting
successful attacks from ids alerts based on emulation of Remote Shellcodes,” 2019 IEEE 43rd
Annual Computer Software and Applications Conference (COMPSAC), 2019.
[11] B. A. Pratomo, P. Burnap, and G. Theodorakopoulos, “Blatta: Early exploit detection on network
traffic with recurrent neural networks,” Security and Communication Networks, vol. 2020, pp. 1–
15, 2020.
[12] B. Pratomo, “Low-rate attack detection with intelligent fine-grained network analysis,” dissertation,
2020.
[13] P. Irofti, A. Patrascu, and A. I. Hiji, “Unsupervised abnormal traffic detection through topological
flow analysis,” 2022 14th International Conference on Communications (COMM), 2022.
[14] T. Yadav and A. M. Rao, “Technical aspects of cyber kill chain,” Communications in Computer and
Information Science, pp. 438–452, 2015.
[15] J. C. Foster, M. Price, and S. McClure, Sockets, Shellcode, porting & coding: Reverse
engineering exploits and tool coding for security professionals. Rockland: Syngress Pub., 2005.
[16] T.-H. Cheng, Y.-D. Lin, Y.-C. Lai, and P.-C. Lin, “Evasion techniques: Sneaking through your
intrusion detection/prevention systems,” IEEE Communications Surveys & Tutorials, vol. 14,
no. 4, pp. 1011–1020, 2012.
19. International Journal of Computer Science & Information Technology (IJCSIT) Vol 15, No 3, June 2023
19
[17] H. A. Noman, Q. Al-Maatouk, and S. A. Noman, “Design and implementation of a security analysis
tool that detects and eliminates code caves in windows applications,” 2021 International Conference
on Data Analytics for Business and Industry (ICDABI), 2021.
[18] I. Stipovic , “Antiforensic techniques deployed by custom developed malware in evading anti-virus
detection,” https://arxiv.org/abs/1906.10625, 2019.
[19] C. Leka, C. Ntantogian, S. Karagiannis, E. Magkos, and V. S. Verykios, “A comparative analysis of
VirusTotal and desktop antivirus detection capabilities,” 2022 13th International Conference on
Information, Intelligence, Systems & Applications (IISA), 2022.
[20] M. Denis, C. Zena, and T. Hayajneh, “Penetration testing: Concepts, attack methods, and defense
strategies,” 2016 IEEE Long Island Systems, Applications and Technology Conference (LISAT),
2016.
AUTHORS
Yajing Liu (1998-), female, master candidate, Cyberspace Security Academy, Information
Engineering University. The research fields include malicious traffic detection and machine
learning.
Ruijie Cai (1990-), male, master, lecturer of Cyberspace Security Academy, Information
Engineering University. The research fields include network security, binary code analysis,
and vulnerability mining.
Xiaokang Yin (1993-), male, Ph.D., Cyberspace Security Academy, Information
Engineering University. The research fields include network security, binary code analysis,
and machine learning.
Shengli Liu (1973-), male, Ph.D., professor and doctoral supervisor of Cyberspace Security
Academy, Information Engineering University. The research fields include network attack
detection and network infrastructure security.