This document describes a PhD thesis that focuses on developing host-based and network-based anomaly detectors for HTTP attacks. Specifically, it presents three contributions: (1) McPAD, a multiple classifier system for network-based payload anomaly detection; (2) HMMPayl, which uses hidden Markov models for payload analysis; and (3) HMM-Web, which analyzes request URIs for host-based anomaly detection. The thesis evaluates the performance of these approaches on detection rate, false positive rate, and area under the ROC curve.
Early Detection of Malicious Flux Networks via Large Scale Passive DNS Traffi... (Paladion Networks)
FluxBuster is a system for the early detection of malicious flux networks through large-scale passive DNS traffic analysis. It works by (1) aggregating DNS messages from sensors to obtain mappings of domains to IP addresses, (2) prefiltering domains unlikely to be flux, (3) clustering related domains based on resolved IP overlaps, and (4) training a supervised classifier on labeled clusters to identify new flux and non-flux clusters. Evaluation showed it can detect previously unknown flux networks days or weeks before appearing in blacklists, with a low false positive rate.
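The clustering step (3) can be illustrated with a small sketch, assuming a simple Jaccard-overlap criterion and greedy single-linkage grouping; FluxBuster's actual algorithm, features, and thresholds differ.

```python
def jaccard(a, b):
    """Jaccard similarity between two sets of resolved IPs."""
    return len(a & b) / len(a | b)

def cluster_domains(mappings, threshold=0.5):
    """Greedily group domains whose resolved-IP sets overlap enough
    with some domain already in a cluster (single linkage)."""
    clusters = []
    for domain, ips in mappings.items():
        placed = False
        for cluster in clusters:
            if any(jaccard(ips, mappings[d]) >= threshold for d in cluster):
                cluster.append(domain)
                placed = True
                break
        if not placed:
            clusters.append([domain])
    return clusters

# toy domain -> resolved-IP mappings (invented for illustration)
mappings = {
    "a.example": {"1.1.1.1", "2.2.2.2", "3.3.3.3"},
    "b.example": {"2.2.2.2", "3.3.3.3", "4.4.4.4"},
    "c.example": {"9.9.9.9"},
}
print(cluster_domains(mappings))  # → [['a.example', 'b.example'], ['c.example']]
```

Labeled clusters of this kind would then feed the supervised classifier in step (4).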
(130511) #fitalk network forensics and its role and scope (INSIGHT FORENSIC)
This document discusses network forensics and packet analysis. It provides an introduction to network forensics methodology and considerations for network-based digital evidence. This includes challenges like volatility, scattering of evidence across multiple sources, and encryption. The document also discusses the scope and role of network forensics, including standards for evidence acquisition, storage, analysis, and forensic readiness. Finally, it provides tips and examples for using Wireshark to analyze network traffic and identify abnormal packets through built-in features and example packet capture files.
Henrik Strøm - IPv6 from the attacker's perspective (IKT-Norge)
Henrik Strøm discusses IPv6 security from an attacker's perspective. He outlines 6 points on how attackers can exploit IPv6 vulnerabilities, including using IPv6 to bypass IPv4 access controls when on a local network, spoofing router advertisements to hijack traffic, using tunneling to enable inbound and outbound connectivity, and launching denial of service attacks. He recommends network administrators decide how to implement IPv6 security, monitor for IPv6 traffic, harden clients and servers, and filter all types of IPv6 tunneling. Further reading suggests there is still significant work needed on IPv6 firewalling and many IPv4 issues have been transferred to IPv6.
Eric Vyncke - Layer-2 security, ipv6 norway (IKT-Norge)
The document discusses IPv6 first hop security features like DHCP snooping and dynamic ARP inspection for IPv6. It provides an overview of the security issues with IPv6 neighbor discovery such as router advertisements being sent without authentication, allowing for man-in-the-middle attacks and denial of service. It then describes various IPv6 first hop security features that can help mitigate these issues, such as RA guard, DHCP guard, and IPv6 neighbor discovery inspection.
This document provides information about a presentation on network packet analysis and file carving techniques. The presenter is introduced as a security researcher and systems administrator with experience in networking and security consulting. An overview of the presentation outlines the assumed knowledge, tools that will be used including Wireshark and Network Miner, and the methodology of pattern matching, identifying conversations, exporting data, and drawing conclusions. Additional resources on sample packet captures and further reading are also referenced.
[CB18] Discover traces of attackers from the remains of disposable attack inf... (CODE BLUE)
To detect malicious activities, we often rely on blacklists. Blacklists are useful, but the malicious domain names they contain become static threat intelligence the moment we receive them, while the actual behavior of those domains depends on the adversary. Advanced cyber adversaries often change their attack infrastructure quickly to avoid tracking; in extreme cases, a malicious domain name expires soon after it appears on a blacklist.
Previous studies have focused on the classification problem for unidentified domain names: once an unidentified domain name proves to be malicious, operators simply add it to their blacklists and wait for updates.
We have already presented our research on “Detection index learning based on cyber threat intelligence and its application” and continue to focus on the effective use of known threat intelligence. In this presentation, we present an extended framework for examining indicators through the Domain Name System (DNS), both actively and passively. In short, for malicious domain names taken from blacklists, we query the domain names directly (Active DNS) while also learning their resolution history, covering both long-lived and disposable domains (Passive DNS). We then form an assessment: for example, we may conclude that one malicious domain name will remain in use, while another will disappear soon, in which case we recommend preparing for the next wave of malicious activity. Based on this extended framework, we implemented an indicator diagnosis system, and we will present several case studies of its diagnosis results.
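The active/passive combination described above might be sketched as follows; the function name, the verdict categories, and the 30-day threshold are invented for illustration and are not from the talk.

```python
from datetime import date

def diagnose(still_resolves, first_seen, last_seen):
    """Combine an Active DNS probe result (does it still resolve?) with
    Passive DNS history (how long was it observed?) into a verdict."""
    lifetime = (last_seen - first_seen).days
    if still_resolves:
        if lifetime > 30:
            return "long-lived, still active: keep blocking"
        return "young but active: monitor closely"
    return "disposable: expect replacement infrastructure"

# hypothetical observations for two blacklisted domains
print(diagnose(True, date(2018, 1, 1), date(2018, 6, 1)))
print(diagnose(False, date(2018, 5, 1), date(2018, 5, 3)))
```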
This document discusses security considerations for IPv6. It notes that a default IPv6 subnet has 2^64 addresses, making brute-force network scanning impractical. ICMPv6 rate-limits ping responses, hindering reconnaissance. IPv6 uses multicast in place of IPv4 broadcast, preventing broadcast amplification attacks. Privacy extensions for IPv6 addresses inhibit device tracking but complicate internal network management. Overall, the best practices for securing IPv4 against worms, sniffing, and other attacks also apply to IPv6.
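The scale of a single /64 can be checked with Python's `ipaddress` module; the probe rate below is an arbitrary assumption, just to put the number in perspective.

```python
import ipaddress

# A standard /64 IPv6 subnet holds 2**64 addresses.
subnet = ipaddress.ip_network("2001:db8::/64")
print(subnet.num_addresses)               # 18446744073709551616

# At a (hypothetical) one million probes per second, a full sweep of one
# subnet would still take hundreds of thousands of years.
years = subnet.num_addresses / 1_000_000 / (3600 * 24 * 365)
print(round(years))
```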
HSB - Secure DNS en BGP ontwikkelingen - Benno Overeinder (Splend)
Reliable DNS and BGP4 play an important role in the secure handling of Internet traffic. Secure versions of both have been developed at several renowned organizations (Netherlabs, SIDN Labs, and NLnet Labs) and are still being improved daily. This presentation reviews the most important of these developments.
Advanced Persistent Threat (APT) attacks are highly organised and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns.
This document provides an overview of network sniffing and packet analysis using Wireshark. It discusses why sniffing is useful for understanding network activity, troubleshooting issues, and performing computer forensics. The document outlines the basic techniques of sniffing, introduces Wireshark and its features, analyzes common network protocols, and walks through example case studies where sniffing can be applied. It emphasizes that patience is a prerequisite and encourages interactive discussion.
Open source network forensics and advanced pcap analysis (GTKlondike)
Speaker: GTKlondike
There is a lot of information freely available on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well-defined limit to how in-depth the topic is covered. This intermediate-level talk aims to bridge the gap between a basic understanding of protocol analyzers (e.g., Wireshark and tcpdump) and practical real-world usage. Topics covered include network file carving, statistical flow analysis, GeoIP, exfiltration, the limitations of Wireshark, and other network-based attacks. It is assumed the audience has a working knowledge of protocol analysis tools (e.g., Wireshark and tcpdump), the OSI and TCP/IP models, and major protocols (e.g., DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP).
Bio
GTKlondike is a local hacker and independent security researcher with a passion for network security, both attack and defense. He has several years of experience working as a network infrastructure and security consultant, mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
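The network file carving mentioned in the talk abstract boils down to scanning reassembled byte streams for file signatures ("magic numbers"), which tools like NetworkMiner do at scale. A toy sketch, with an illustrative signature table and helper name:

```python
# A few well-known file signatures (magic numbers).
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
}

def carve_offsets(stream):
    """Return sorted (offset, filetype) pairs for every signature hit
    found in a reassembled byte stream."""
    hits = []
    for magic, ftype in MAGICS.items():
        start = 0
        while (pos := stream.find(magic, start)) != -1:
            hits.append((pos, ftype))
            start = pos + 1
    return sorted(hits)

data = b"junk%PDF-1.4...more junk...\x89PNG\r\n\x1a\ntrailing"
print(carve_offsets(data))  # → [(4, 'pdf'), (27, 'png')]
```

A real carver would then slice from each offset to the file's end marker (or a length field) and export the result, as Wireshark's "Export Objects" and NetworkMiner do.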
The automatic detection of applications associated with network traffic is an essential step for network security and traffic engineering. Unfortunately, simple port-based classification methods are not always efficient and systematic analysis of packet payloads is too slow. Most recent research proposals use flow statistics to classify traffic flows once they are finished, which limits their applicability for online classification. In this paper, we evaluate the feasibility of application identification at the beginning of a TCP connection. Based on an analysis of packet traces collected on eight different networks, we find that it is possible to distinguish the behavior of an application from the observation of the size and the direction of the first few packets of the TCP connection. We apply three techniques to cluster TCP connections: K-Means, Gaussian Mixture Model and spectral clustering. Resulting clusters are used together with assignment and labeling heuristics to design classifiers. We evaluate these classifiers on different packet traces. Our results show that the first four packets of a TCP connection are sufficient to classify known applications with an accuracy over 90% and to identify new applications as unknown with a probability of 60%.
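The approach can be sketched with a tiny hand-rolled K-Means over vectors of the first four packet sizes, signed by direction (client-to-server positive, server-to-client negative). The data and the naive first/last-point initialization are illustrative; the paper's feature details and clustering setup differ.

```python
def kmeans(points, k, iters=10):
    """Minimal K-Means: naive seeding from the first and last points
    (assumes they lie in different clusters), then Lloyd iterations."""
    centroids = [points[0], points[-1]] if k == 2 else points[:k]
    groups = []
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            i = min(range(k),
                    key=lambda c: sum((a - b) ** 2 for a, b in zip(p, centroids[c])))
            groups[i].append(p)
        centroids = [
            tuple(sum(col) / len(g) for col in zip(*g)) if g else centroids[i]
            for i, g in enumerate(groups)
        ]
    return centroids, groups

# synthetic first-4-packet size vectors for two hypothetical applications:
# an HTTP-like app (small request, large responses) and an SSH-like app
flows = [(200, -1460, -1460, 100), (210, -1400, -1460, 90),
         (-40, 48, -48, 64), (-40, 52, -52, 60)]
centroids, groups = kmeans(flows, 2)
print(groups)
```

In the paper, such clusters are then labeled from known traffic and used to classify new connections after only four packets.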
This document provides an agenda for a two-day course on network monitoring and forensics. Day one will cover network forensics, including an introduction to forensic data types like PCAP (full packet capture) and flow data. It will discuss what these data types look like, how to interpret them, and how to obtain them. Day two will recap PCAP and flow data, then cover working with logs and alerts, including how to consolidate these sources and use SIEM tools. It will conclude by discussing how to implement a network monitoring solution. The goal is to provide students with an understanding of network forensic data gathering and concepts needed for network forensics investigations.
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security (APNIC)
APNIC Senior Network Analyst/Technical Trainer Warren Finch presents on packet analysis for network security at the MMIX Peering Forum and MMNOG 2020 in Yangon, Myanmar, from 13 to 17 January 2020.
This is a brief overview of vulnerability assessment and penetration testing in information technology security. The focus is on the issues that commonly arise within a network's security, and on how an IT professional can identify or notice attack activity from hackers or unknown individuals posing as clients.
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5 (sixdub)
This document discusses how threat actors can abuse third-party services like social media, cloud storage, and communication platforms to establish command and control (C2) infrastructure and exfiltrate data. It provides examples of real-world adversary campaigns that have leveraged services like Twitter, GitHub, Yahoo Mail, Dropbox, Google Forms, and others. The document argues that detecting such abuse is challenging as it can mimic normal user behavior, but outlines approaches like analyzing network flows, process correlations, and anomalies to help identify compromised systems communicating with third parties for malicious purposes. Detecting these threats requires collecting and correlating diverse endpoint and network data sources.
Gabriel Paues - IPv6 address planning + making the case for WHY (IKT-Norge)
The document discusses planning for IPv6 addressing and deployment. It provides tips and examples for allocating IPv6 addresses within a /48 assignment in a hierarchical manner, using /64 subnets throughout to simplify administration and to support techniques that rely on a consistent subnet size, and for enabling IPv6 gradually on servers without initially exposing them through IPv6 DNS records. It also addresses common objections to IPv6 deployment and provides strategies for getting started.
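The /48-into-/64 plan is easy to sketch with Python's `ipaddress` module; the specific /48 below is illustrative (2001:db8::/32 is the documentation prefix).

```python
import ipaddress
import itertools

# A hypothetical /48 assignment, carved into per-site /64 subnets as the
# presentation recommends.
block = ipaddress.ip_network("2001:db8:abcd::/48")
print(2 ** (64 - 48))  # 65536 /64 subnets fit in one /48

# Enumerate the first few /64s; a real plan would assign meaning to the
# 16-bit subnet field (e.g., per site, per VLAN).
for net in itertools.islice(block.subnets(new_prefix=64), 3):
    print(net)
```

Keeping every subnet at /64, even point-to-point links in many designs, preserves SLAAC compatibility and keeps the addressing plan uniform.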
Reverse Engineering Malware: A look inside Operation Tovar (Lancope, Inc.)
Join us as we step through the reverse engineering of CryptoLocker, identifying important functionality and weaknesses. We'll demonstrate how we were able to use this information to help protect our customers months ago, the weaknesses that the Department of Justice took advantage of, and how you can do the same for other types of malware down the line.
The document proposes cryptographic schemes for searching encrypted data that allow an untrusted server to perform searches without compromising data confidentiality. The schemes are provably secure and efficient, requiring a number of cipher operations linear in the document length, and introduce minimal overhead, making them practical to use. The techniques support controlled searching, hidden queries, and query isolation, while providing provable secrecy and correctness of search results.
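A drastically simplified illustration of the general idea, not the paper's actual scheme: the client indexes documents under keyed-hash tokens, so the server can match a search "trapdoor" without ever learning the keywords. All names and the key here are invented.

```python
import hmac
import hashlib

KEY = b"client-secret-key"  # held by the client only

def trapdoor(word):
    """Deterministic keyed token for a keyword (PRF under the client key)."""
    return hmac.new(KEY, word.encode(), hashlib.sha256).digest()

def build_index(docs):
    """Client-side: map opaque keyword tokens to document ids."""
    index = {}
    for doc_id, text in docs.items():
        for word in set(text.split()):
            index.setdefault(trapdoor(word), []).append(doc_id)
    return index

def server_search(index, token):
    """Server-side: sees only opaque tokens, never plaintext keywords."""
    return index.get(token, [])

docs = {"d1": "attack traffic capture", "d2": "normal traffic"}
index = build_index(docs)
print(sorted(server_search(index, trapdoor("traffic"))))  # → ['d1', 'd2']
print(server_search(index, trapdoor("attack")))           # → ['d1']
```

Unlike this sketch, the paper's constructions also hide search patterns and tie each search to a per-query capability, which is what "controlled searching" and "query isolation" refer to.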
There are a number of different kinds of tools for collecting information about the thoughts and beliefs that different groups have about your organization.
Passive ip traceback disclosing the locations of ip spoofers from path backsc... (Shakas Technologies)
It has long been known that attackers may use forged source IP addresses to conceal their real locations. To capture spoofers, a number of IP traceback mechanisms have been proposed. However, due to deployment challenges, no IP traceback solution has been widely adopted, at least at the Internet level.
An investigation of the Chinese Great Cannon, with background on the Great Firewall as an introduction. It covers the denial-of-service attack against GitHub repositories that hosted information on how to circumvent the Great Firewall.
Passive ip traceback disclosing the locations of ip spoofers from path backsc... (Pvrtechnologies Nellore)
Passive IP traceback (PIT) is a novel solution that can identify the locations of IP spoofers without deploying additional mechanisms. PIT analyzes Internet Control Message Protocol (ICMP) error messages, called path backscatter, that are generated and sent by routers when they fail to forward spoofing packets due to reasons like exceeding time-to-live (TTL). By tracking path backscatter messages based on topology and routing information, PIT can disclose locations closer to the spoofers. The paper demonstrates PIT's processes and effectiveness, and applies it to a path backscatter dataset to find spoofers in specific autonomous systems. PIT provides a useful mechanism to trace spoofers before an Internet-level traceback system is deployed.
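PIT's core observation can be caricatured in a few lines: each path-backscatter message names a router on the path from the spoofer, so the AS producing the most backscatter for a given spoofed source is likely closest to the spoofer. The router-to-AS table and message format here are invented for illustration.

```python
# Hypothetical router-to-AS lookup (PIT derives this from topology and
# routing data).
ROUTER_AS = {"198.51.100.1": 64501, "203.0.113.9": 64502}

def locate_spoofer(backscatter_msgs):
    """Count which ASes originate path backscatter for a spoofed source;
    return the AS seen most often, as a coarse location estimate."""
    counts = {}
    for msg in backscatter_msgs:
        asn = ROUTER_AS.get(msg["router"])
        if asn is not None:
            counts[asn] = counts.get(asn, 0) + 1
    return max(counts, key=counts.get)

# synthetic ICMP time-exceeded backscatter for one spoofed source address
msgs = [
    {"router": "198.51.100.1", "spoofed_src": "192.0.2.1"},
    {"router": "198.51.100.1", "spoofed_src": "192.0.2.1"},
    {"router": "203.0.113.9", "spoofed_src": "192.0.2.1"},
]
print(locate_spoofer(msgs))  # → 64501
```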
ICANN 50: Name Collision Occurrence Management Framework (ICANN)
The document discusses name collision occurrence management and ICANN's proposed framework. It provides background on name collisions and the development process. It summarizes the JAS report, SSAC advice, and ICANN's proposed requirements for registries. The proposal incorporates inputs from various parties and aligns with most SSAC recommendations. It proposes continuous controlled interruption rather than rolling interruptions. The next step is for the NGPC to consider ICANN's proposal.
Ariu - Workshop on Applications of Pattern Analysis (Pluribus One)
1) Traditionally, IDS have used signatures to detect known attacks but cannot find new attacks. Anomaly detection uses a statistical model of normal patterns and flags deviations, enabling detection of zero-day attacks.
2) Previous work analyzing the byte distribution in HTTP payloads had limitations due to high-dimensional feature spaces and coarse payload representations.
3) The document proposes HMMPayl, which applies HMM to HTTP payload analysis for anomaly detection, achieving increased classification accuracy over previous solutions and enabling use of multiple classifier systems and reduced computational costs.
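The scoring idea can be sketched with a toy two-state HMM evaluated by the scaled forward algorithm over sliding byte windows. The parameters below are hand-set purely for illustration (one state loosely "prefers" printable ASCII); HMMPayl instead trains its models on attack-free traffic and combines several of them.

```python
import math

N = 2                           # hidden states
PI = [0.6, 0.4]                 # initial state distribution
A = [[0.9, 0.1], [0.2, 0.8]]    # state transition matrix

def emis(state, byte):
    """Hand-set emission model: state 0 favors printable ASCII (95 bytes),
    state 1 favors the remaining 161 byte values."""
    if 32 <= byte < 127:
        return (0.8 if state == 0 else 0.2) / 95
    return (0.2 if state == 0 else 0.8) / 161

def log_likelihood(window):
    """Scaled forward algorithm: log P(window | model)."""
    alpha = [PI[s] * emis(s, window[0]) for s in range(N)]
    norm = sum(alpha)
    ll = math.log(norm)
    alpha = [a / norm for a in alpha]
    for byte in window[1:]:
        alpha = [sum(alpha[p] * A[p][s] for p in range(N)) * emis(s, byte)
                 for s in range(N)]
        norm = sum(alpha)
        ll += math.log(norm)
        alpha = [a / norm for a in alpha]
    return ll

def score(payload, k=8):
    """Average window log-likelihood; low scores flag anomalous payloads."""
    windows = [payload[i:i + k] for i in range(len(payload) - k + 1)]
    return sum(log_likelihood(w) for w in windows) / len(windows)

print(score(b"GET /index.html HTTP/1.1"))
print(score(bytes(range(128, 152))))  # binary-heavy payload scores lower
```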
The document summarizes the author's PhD thesis on detecting web-based attacks. It outlines the research, which includes contributions to client-side and server-side web security. For client-side security, the thesis presents Flux Buster, a framework for passive detection of malicious fast-flux service networks through analysis of recursive DNS traces. For server-side security, it introduces Web Guardian, a framework for detecting attacks against web applications using hidden Markov models. The document also reviews current Internet threats, including vulnerabilities in the World Wide Web, the Common Gateway Interface, and both client-side and server-side web security.
HMM-Web: a framework for the detection of attacks against Web applications (Pluribus One)
Nowadays, the web-based architecture is the most frequently used for a wide range of Internet services, as it allows easy access to and management of information and software on remote machines. The input of web applications is made up of queries, i.e. sequences of attribute=value pairs. A wide range of attacks exploits web application vulnerabilities, typically derived from input validation flaws. In this work we propose a new formulation of query analysis through Hidden Markov Models (HMM) and show that HMMs are effective in detecting a wide range of both known and unknown attacks on web applications. In addition, unlike previous works, we explicitly address the problem of noise (i.e., attacks) in the training set. Finally, we show that performance can be increased when a sequence of symbols is modelled by an ensemble of HMMs. Experimental results on real-world data show the effectiveness of the proposed system in terms of very high detection rates and low false alarm rates.
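The input representation can be sketched as follows, assuming a coarse letter/digit/other alphabet, which is only one of many possible symbol mappings and not necessarily the one used by HMM-Web.

```python
from urllib.parse import parse_qsl

def symbolize(value):
    """Map each character of a query value to a coarse symbol:
    'a' for letters, 'd' for digits, 'x' for anything else."""
    return "".join(
        "a" if ch.isalpha() else "d" if ch.isdigit() else "x"
        for ch in value
    )

def query_to_sequences(query):
    """Decompose a query string into (attribute, symbol-sequence) pairs,
    the per-attribute sequences an HMM can then model."""
    return [(attr, symbolize(val)) for attr, val in parse_qsl(query)]

print(query_to_sequences("id=42&name=alice"))
# → [('id', 'dd'), ('name', 'aaaaa')]

# an SQL-injection-style value produces a very different symbol pattern
print(query_to_sequences("id=42%27%20OR%201=1"))
```

A model trained on legitimate values of `id` would assign the injected value's symbol sequence a low likelihood, which is the anomaly signal.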
HSB - Secure DNS en BGP ontwikkelingen - Benno OvereinderSplend
Betrouwbaar DNS en BGP4 spelen een belangrijke rol bij het veilig afhandelen van Internet verkeer. Bij diverse gerenommeerde instanties (Netherlabs, SIDN Labs en NLnet Labs) zijn veilige versies hiervan ontwikkeld, welke nog dagelijks worden verbeterd. In deze presentatie worden de belangrijkste ontwikkelingen tegen het licht gehouden.
Advanced Persistent Threat (APT) attacks are highly organised and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns.
This document provides an overview of network sniffing and packet analysis using Wireshark. It discusses why sniffing is useful for understanding network activity, troubleshooting issues, and performing computer forensics. The document outlines topics like the basic techniques of sniffing, an introduction to Wireshark and its features, analyzing common network protocols, and examples of case studies sniffing could be used for. It emphasizes that patience is a prerequisite and encourages interactive discussion.
Open source network forensics and advanced pcap analysisGTKlondike
Speaker: GTKlondike
There is a lot of information freely available out on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well defined limit on how in depth the topic is covered. This intermediate level talk aims to bridge the gap between a basic understanding of protocol analyzers (I.e. Wireshark and TCPdump), and practical real world usage. Things that will be covered include: network file carving, statistical flow analysis, GeoIP, exfiltration, limitations of Wireshark, and other network based attacks. It is assumed the audience has working knowledge of protocol analysis tools (I.e. Wireshark and TCPdump), OSI and TCP/IP model, and major protocols (I.e. DNS, HTTP(s), TCP, UDP, DHCP, ARP, IP, etc.).
Bio
GTKlondike is a local hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years experience working as an network infrastructure and security consultant mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
The automatic detection of applications associated with network traffic is an essential step for network security and traffic engineering. Unfortunately, simple port-based classification methods are not always efficient and systematic analysis of packet payloads is too slow. Most recent research proposals use flow statistics to classify traffic flows once they are finished, which limit their applicability for online classification. In this paper, we evaluate the feasibility of application identification at the beginning of a TCP connection. Based on an analysis of packet traces collected on eight different networks, we find that it is possible to distinguish the behavior of an application from the observation of the size and the direction of the first few packets of the TCP connection. We apply three techniques to cluster TCP connections: K-Means, Gaussian Mixture Model and spectral clustering. Resulting clusters are used together with assignment and labeling heuristics to design classifiers. We evaluate these classifiers on different packet traces. Our results show that the first four packets of a TCP connection are sufficient to classify known applications with an accuracy over 90% and to identify new applications as unknown with a probability of 60%.
This document provides an agenda for a two-day course on network monitoring and forensics. Day one will cover network forensics, including an introduction to forensic data types like PCAP (full packet capture) and flow data. It will discuss what these data types look like, how to interpret them, and how to obtain them. Day two will recap PCAP and flow data, then cover working with logs and alerts, including how to consolidate these sources and use SIEM tools. It will conclude by discussing how to implement a network monitoring solution. The goal is to provide students with an understanding of network forensic data gathering and concepts needed for network forensics investigations.
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
APNIC Senior Network Analyst/Technical Trainer Warren Finch presents on packet analysis for network security at the MMIX Peering Forum and MMNOG 2020 in Yangon, Myanmar, from 13 to 17 January 2020.
This is a Brief overview of what Vulnerability and Penetration Testing are in the Information Technology Security. The focus is on the issues that always arise within a Security Network. How you as an IT can identify or notice activity of any the Attacks from Hackers or unknown Individual that are a Client.
Abusing "Accepted Risk" With 3rd Party C2 - HackMiamiCon5sixdub
This document discusses how threat actors can abuse third-party services like social media, cloud storage, and communication platforms to establish command and control (C2) infrastructure and exfiltrate data. It provides examples of real-world adversary campaigns that have leveraged services like Twitter, GitHub, Yahoo Mail, Dropbox, Google Forms, and others. The document argues that detecting such abuse is challenging as it can mimic normal user behavior, but outlines approaches like analyzing network flows, process correlations, and anomalies to help identify compromised systems communicating with third parties for malicious purposes. Detecting these threats requires collecting and correlating diverse endpoint and network data sources.
Gabriel Paues - IPv6 address planning + making the case for WHYIKT-Norge
The document discusses planning for IPv6 addressing and deployment, providing tips and examples for allocating IPv6 addresses within a /48 assignment in a hierarchical manner using subnets of /64 to simplify administration and support techniques that rely on a consistent subnet size, as well as enabling IPv6 services gradually on servers without initially exposing them to IPv6 DNS records. It also addresses common objections to IPv6 deployment and provides strategies for getting started with IPv6.
Reverse Engineering Malware: A look inside Operation TovarLancope, Inc.
Join us as we step through the reverse engineering of CryptoLocker, identifying important functionality and weaknesses. We'll demonstrate how we were able to use this information to help protect our customers months ago, the weaknesses that the Department of Justice took advantage of, and how you can do the same for other types of malware down the line.
This summary provides the key details from the document in 3 sentences:
The document proposes cryptographic schemes for searching encrypted data that allow an untrusted server to perform searches without revealing data confidentiality. The schemes are provably secure, efficient requiring a linear number of cipher operations proportional to document length, and introduce minimal overhead making them practical to use. The techniques support controlled searching, hidden queries, and query isolation while providing provable secrecy and correctness of search results.
There are a number of different kinds of tools for collecting information about the thoughts and beliefs that different groups have about your organization.
Passive ip traceback disclosing the locations of ip spoofers from path backscShakas Technologies
It is long known attackers may use forged source IP address to conceal their real locations. To capture the spoofers, a number of IP traceback mechanisms have been proposed. However, due to the challenges of deployment, there has been not a widely adopted IP traceback solution, at least at the Internet level.
Investigation about the Chinese Great Cannon and information about Great Firewall as introduction.
Deny of Service attack to Github repositories.
This repositories contain information about how can broke the Great Firewall
Passive ip traceback disclosing the locations of ip spoofers from path backsc...Pvrtechnologies Nellore
Passive IP traceback (PIT) is a novel solution that can identify the locations of IP spoofers without deploying additional mechanisms. PIT analyzes Internet Control Message Protocol (ICMP) error messages, called path backscatter, that are generated and sent by routers when they fail to forward spoofing packets due to reasons like exceeding time-to-live (TTL). By tracking path backscatter messages based on topology and routing information, PIT can disclose locations closer to the spoofers. The paper demonstrates PIT's processes and effectiveness, and applies it to a path backscatter dataset to find spoofers in specific autonomous systems. PIT provides a useful mechanism to trace spoofers before an Internet-level traceback system is deployed.
ICANN 50: Name Collision Occurrence Management Framework - ICANN
The document discusses name collision occurrence management and ICANN's proposed framework. It provides background on name collisions and the development process. It summarizes the JAS report, SSAC advice, and ICANN's proposed requirements for registries. The proposal incorporates inputs from various parties and aligns with most SSAC recommendations. It proposes continuous controlled interruption rather than rolling interruptions. The next step is for the NGPC to consider ICANN's proposal.
Ariu - Workshop on Applications of Pattern Analysis - Pluribus One
1) Traditionally, IDS have used signatures to detect known attacks but cannot find new attacks. Anomaly detection uses a statistical model of normal patterns and flags deviations, enabling detection of zero-day attacks.
2) Previous work analyzing the byte distribution in HTTP payloads had limitations due to high-dimensional feature spaces and coarse payload representations.
3) The document proposes HMMPayl, which applies HMM to HTTP payload analysis for anomaly detection, achieving increased classification accuracy over previous solutions and enabling use of multiple classifier systems and reduced computational costs.
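The core of HMM-based payload analysis is scoring a byte sequence by its likelihood under a model trained on normal traffic. A minimal sketch of the scaled forward algorithm follows (toy parameters, not HMMPayl's actual models; a real deployment would use 256 emission symbols, one per byte value):

```python
import numpy as np

def forward_loglik(obs, pi, A, B):
    """Log-likelihood of an observation sequence under an HMM
    (pi: initial probs, A: state transitions, B: emission probs),
    computed with the scaled forward algorithm to avoid underflow."""
    alpha = pi * B[:, obs[0]]
    loglik = np.log(alpha.sum())
    alpha = alpha / alpha.sum()
    for o in obs[1:]:
        alpha = (alpha @ A) * B[:, o]
        s = alpha.sum()
        loglik += np.log(s)
        alpha = alpha / s
    return float(loglik)
```

Payloads whose log-likelihood falls below a threshold learned on normal traffic would be flagged as anomalous.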
The document summarizes the author's PhD thesis on detecting web-based attacks. It outlines the research, which includes contributions to client-side and server-side web security. For client-side security, the thesis presents FluxBuster, a framework for passive detection of malicious fast-flux service networks through analysis of recursive DNS traces. For server-side security, it introduces Web Guardian, a framework for detecting attacks against web applications using hidden Markov models. The document also reviews current Internet threats, including vulnerabilities in the World Wide Web and the Common Gateway Interface, covering both client-side and server-side web security.
HMM-Web: a framework for the detection of attacks against Web applications - Pluribus One
Nowadays, the web-based architecture is the most frequently used for a wide range of Internet services, as it allows users to easily access and manage information and software on remote machines. The input of web applications is made up of queries, i.e., sequences of attribute=value pairs. A wide range of attacks exploits web application vulnerabilities, typically derived from input validation flaws. In this work we propose a new formulation of query analysis through Hidden Markov Models (HMM) and show that HMMs are effective in detecting a wide range of both known and unknown attacks on web applications. In addition, unlike previous works, we explicitly address the problem of noise (i.e., attacks) in the training set. Finally, we show that performance can be increased when a sequence of symbols is modelled by an ensemble of HMMs. Experimental results on real-world data show the effectiveness of the proposed system in terms of very high detection rates and low false alarm rates.
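A minimal sketch of the input representation (assuming standard URL query syntax; the actual HMM-Web tokenization may differ): each attribute's value becomes a sequence of symbols to be scored by a per-attribute HMM.

```python
from urllib.parse import urlsplit, parse_qsl

def query_symbols(url: str):
    """Split a request URL into per-attribute symbol sequences:
    one list of characters per attribute value."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(attr, list(value)) for attr, value in pairs]
```

An injected payload in a value (e.g., SQL metacharacters in a numeric `id`) yields a symbol sequence with very low likelihood under the model trained on legitimate values for that attribute.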
Design of robust classifiers for adversarial environments - Systems, Man, and... - Pluribus One
This document summarizes a presentation on designing robust classifiers for adversarial environments given at the 2011 IEEE International Conference on Systems, Man, and Cybernetics. The presentation introduces an approach to model potential attacks at test time using a probabilistic model of the data distribution under attack. This model is then used to design classifiers that are more robust to attacks. Experimental results on biometric identity verification and spam filtering show that the proposed approach can increase classifier security against attacks while maintaining accuracy.
This document discusses adaptive biometric systems based on template update paradigms. It provides background on biometric systems and the problems of intra-class variations affecting template representativeness over time. Standard solutions like using multiple templates or modalities are noted. The goal of the PhD study is to formulate the taxonomy of current template update methods, analyze their pros and cons, and propose novel solutions. Specifically, it will experimentally analyze and compare the performance of self-update and co-update methods in controlled and uncontrolled environments. Initial results show co-update more effectively lowers equal error rates than self-update when capturing variations from unlabeled samples in uncontrolled conditions.
Secure Kernel Machines against Evasion Attacks - Pluribus One
This document summarizes research on developing more secure machine learning classifiers. It discusses how gradient-based and surrogate model approaches can be used to evade existing classifiers. The researchers then propose several techniques for building more robust classifiers, including using infinity-norm regularization, cost-sensitive learning, and modifying kernel parameters. Experiments on handwritten digit and spam filtering datasets show the proposed approaches improve security against evasion attacks compared to standard support vector machines.
Sparse Support Faces - Battista Biggio - Int'l Conf. Biometrics, ICB 2015, Ph... - Pluribus One
Many modern face verification algorithms use a small set of reference templates to save memory and computational resources. However, both the reference templates and the combination of the corresponding matching scores are heuristically chosen. In this paper, we propose a well-principled approach, named sparse support faces, that can outperform state-of-the-art methods both in terms of recognition accuracy and number of required face templates, by jointly learning an optimal combination of matching scores and the corresponding subset of face templates. For each client, our method learns a support vector machine using the given matching algorithm as the kernel function, and determines a set of reference templates, that we call support faces, corresponding to its support vectors. It then drastically reduces the number of templates, without affecting recognition accuracy, by learning a set of virtual faces as well-principled transformations of the initial support faces. The use of a very small set of support face templates makes the decisions of our approach also easily interpretable for designers and end users of the face verification system.
Battista Biggio @ MCS 2015, June 29 - July 1, Guenzburg, Germany: "1.5-class ... - Pluribus One
Pattern classifiers have been widely used in adversarial settings like spam and malware detection, although they have not been originally designed to cope with intelligent attackers that manipulate data at test time to evade detection.
While a number of adversary-aware learning algorithms have been proposed, they are computationally demanding and aim to counter specific kinds of adversarial data manipulation.
In this work, we overcome these limitations by proposing a multiple classifier system capable of improving security against evasion attacks at test time by learning a decision function that more tightly encloses the legitimate samples in feature space, without significantly compromising accuracy in the absence of attack. Since we combine a set of one-class and two-class classifiers to this end, we name our approach one-and-a-half-class (1.5C) classification. Our proposal is general and it can be used to improve the security of any classifier against evasion attacks at test time, as shown by the reported experiments on spam and malware detection.
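The 1.5C combination can be caricatured in a few lines (a toy sketch using a centroid-and-radius stand-in for the one-class component, not the paper's actual classifiers): a sample is accepted as legitimate only when both components agree, so samples far from the legitimate data are rejected even if the two-class classifier would accept them.

```python
import numpy as np

def fit_one_class(X_legit):
    """One-class stand-in: centroid and radius enclosing the
    legitimate training samples."""
    centroid = X_legit.mean(axis=0)
    radius = np.linalg.norm(X_legit - centroid, axis=1).max()
    return centroid, radius

def predict_15c(x, two_class_score, centroid, radius):
    """Accept as legitimate only if the two-class classifier accepts
    the sample AND it lies inside the enclosing legitimate region."""
    inside = np.linalg.norm(x - centroid) <= radius
    return bool(two_class_score(x) > 0) and bool(inside)
```

This is why the enclosure helps against evasion: an attacker who crosses the two-class boundary must also land inside the region occupied by real legitimate samples.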
Ariu - Workshop on Multiple Classifier Systems - 2011 - Pluribus One
The document proposes a modular architecture for analyzing HTTP payloads using multiple classifiers to detect anomalies and intrusions. It trains ensembles of hidden Markov models on different lines of HTTP payloads like the request line, host, and user agent. The HMM outputs are then used as features for a one-class classifier to classify the full payload. The approach is evaluated on real traffic datasets and shown to outperform similar systems with high detection rates and fast computation.
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D... - Pluribus One
This document discusses the security of feature selection algorithms against training data poisoning attacks. It presents a framework to evaluate this, including models of the attacker's goal, knowledge, and capabilities. Experiments show that LASSO feature selection is vulnerable to poisoning attacks, which can significantly affect the selected features. The research aims to better understand these risks and develop more secure feature selection methods.
Machine Learning under Attack: Vulnerability Exploitation and Security Measures - Pluribus One
This document summarizes research on machine learning security and adversarial attacks. It describes how machine learning systems are increasingly being used for consumer applications, but this opens them up to new security risks from skilled attackers. The document outlines different types of adversarial attacks against machine learning, including evasion attacks that aim to evade detection and poisoning attacks that aim to compromise a system's availability. It also discusses approaches for systematically evaluating the security of pattern classification systems against bounded adversaries.
This document provides an introduction to hidden Markov models (HMMs). It explains what HMMs are, where they are used, and why they are useful. Key aspects of HMMs covered include the Markov chain process, notation used in HMMs, an example of applying an HMM to temperature data, and the three main problems HMMs are used to solve: scoring observation sequences, finding optimal state sequences, and training a model. The document also outlines the forward, backward, and other algorithms used to efficiently solve these three problems.
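As an example of the second problem (finding the optimal state sequence), here is a compact Viterbi implementation in log space, using a toy two-state model in the spirit of the temperature example (hidden states 0 = hot, 1 = cold; observations 0/1/2 = small/medium/large):

```python
import numpy as np

def viterbi(obs, pi, A, B):
    """Most likely hidden-state sequence for `obs` (HMM problem two),
    computed in log space to avoid underflow."""
    logA, logB = np.log(A), np.log(B)
    delta = np.log(pi) + logB[:, obs[0]]
    backpointers = []
    for o in obs[1:]:
        scores = delta[:, None] + logA          # scores[i, j]: state i -> j
        backpointers.append(scores.argmax(axis=0))
        delta = scores.max(axis=0) + logB[:, o]
    path = [int(delta.argmax())]                # best final state
    for bp in reversed(backpointers):           # trace back the best path
        path.append(int(bp[path[-1]]))
    return path[::-1]
```

The forward algorithm (problem one) has the same structure with sums in place of maxima; Baum-Welch (problem three) iterates forward-backward passes to re-estimate pi, A, and B.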
This document provides an overview of a distributed sniffing and scanning project. It discusses:
1) Collecting network information from multiple points using sniffers and scanners placed on different machines.
2) Analyzing the collected information both centrally on a server and distributed across communicating machines.
3) Using the information to detect irregular network activity and vulnerabilities, and inform network administrators.
The document considers advantages and disadvantages of centralized and distributed approaches. It also outlines the general architecture of the project, which involves Java clients and servers to distribute commands to sniffing and scanning tools, and analysis of the collected data.
Routers play an important role in cyber forensics investigations. During an investigation, an analyst should gather evidence from routers to help determine the source of an attack. This includes examining router logs, configurations, and volatile memory to find artifacts left by attackers. Log files may contain source IP addresses and protocols used. Configurations should be collected but not reset to avoid destroying evidence. Commands like "show access list" and "show users" can provide clues about hacker activity on the router. Properly documenting the chain of custody of all router evidence is crucial for the investigation.
For your final step, you will synthesize the previous steps and la... - ShainaBoling829
For your final step, you will synthesize the previous steps and labs to summarize the major findings from this project.
Specifically, you will prepare a technical report that summarizes your findings including:
1. Provide a table of common ports for protocols we studied. Discuss how security devices can be used within a larger network to control subnets and devices within those subnets.
2. Discuss the network diagnostic tools you used in this lab. Summarize their functionality and describe specifically how you used each tool. Discuss the results you used to assist in both the discovery phase and protocol analysis of the sites you analyzed. Which tools impressed you the most and would be most useful for an analyst to employ in their daily activities? What other functionality do you think would be useful to cyber operations analysts?
3. Research and discuss the ethical use of these tools. For example, if you discover a serious vulnerability, what should you do? What communications should you have with site owners prior to conducting vulnerability scans?
The report should include a title page, table of contents, list of tables and figures (as applicable), content organized into sections. Be sure to properly cite your sources throughout, and include a list of references, formatted in accordance with APA style.
Final Technical Report
31 January 2022
Llyjerylmye Amos
COP 620 Project 1 Final Technical Report
Well-known ports range from 0 to 1023 and are assigned by the Internet Assigned Numbers Authority
(IANA) based on the default services associated with those ports. Administrators may
obfuscate services running on well-known ports by configuring them to run on unused
ephemeral ports instead. However, the default configuration of well-known ports allows tech-savvy personnel
and software vendors to speak a common language when configuring networking devices, information
systems (ISs), and software applications. Within this lesson, 22-SSH, 23-Telnet, 25-SMTP, 53-DNS, 80-
HTTP, 110-POP3, and 443-HTTPS were the common ports and protocols reviewed (Table 1).
Port Protocol
22 SSH
23 Telnet
25 SMTP
53 DNS
80 HTTP
110 POP3
443 HTTPS
Table 1. Common ports studied.
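The IANA ranges discussed above can be captured in a small lookup (an illustrative sketch, not part of the original report):

```python
# IANA port ranges: well-known 0-1023, registered 1024-49151,
# dynamic/ephemeral 49152-65535.
COMMON_PORTS = {22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
                80: "HTTP", 110: "POP3", 443: "HTTPS"}

def port_range(port: int) -> str:
    """Classify a TCP/UDP port number into its IANA range."""
    if not 0 <= port <= 65535:
        raise ValueError("not a valid TCP/UDP port")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/ephemeral"
```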
Firewalls are the most common network security devices installed on information systems (IS).
According to Cisco (n.d.), "a firewall is a network security device that monitors incoming and outgoing
network traffic and decides whether to allow or block specific traffic based on a defined set of security
rules". Security rules may be applied to specific ISs (host-based firewalls) or to the entire network
(network-based firewalls), for example to scan emails and hard drives for malware or to allow traffic only
on certain sections of the subnet. Firewalls are also categorized into specific types such as proxy firewalls,
stateful inspection firewalls, unified threat management firewalls, next-generation firewalls (NGFW), ...
This document discusses various tools that can be used for network troubleshooting. It describes command line tools like ping and traceroute that provide basic network reachability information. It also discusses using the command line or web interfaces of network devices to check metrics like packet counts, errors, and CPU utilization. Protocol analyzers like Wireshark are mentioned as tools to analyze packets and protocols. SNMP tools that monitor network elements using SNMP are also discussed. Specialized tools like NetFlow that provide traffic statistics are covered. The document provides a high-level overview of different classes of tools available for network troubleshooting.
The document discusses distributed tracing at Pinterest. It provides an overview of distributed tracing, describes the motivation and architecture of Pinterest's tracing system called PinTrace, and discusses challenges faced and lessons learned. PinTrace collects trace data from services using instrumentation and sends it to a collector via a Kafka pipeline. This allows PinTrace to provide insights into request flows and performance bottlenecks across Pinterest's microservices. Key challenges included ensuring data quality, scaling the infrastructure, and user education on tracing.
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too... - RootedCON
The document discusses advanced persistent threats (APTs) and methods for fighting them using open source tools. It describes the characteristics of APTs and provides examples like the GhostNet and Aurora attacks. It also analyzes the Trojan.Hydraq used in Aurora. The key to fighting APTs is centralizing and correlating security data. Effective countermeasures include log monitoring, integrity monitoring, IDS/IPS, and analyzing suspicious network traffic and files to build a behavior matrix.
This document discusses network flow analysis of traffic data from the Internet2 Abilene network. It provides an overview of Netflow data collection and analysis techniques, along with some preliminary results. Future work is proposed to further examine the dynamics, structure, and anomalies within the large-scale network flow data.
This project aims to analyze and emulate anomaly detection techniques for low-rate TCP denial of service attacks using the DETERLab testbed. The researchers plan to design an extensive anomaly checkpoint detection methodology. They propose a modified likelihood ratio algorithm to detect changes in network traffic statistics. The algorithm will be tested on legitimate and attack traffic in DETERLab while analyzing detection statistics and congestion windows. Results will help evaluate the ability to rapidly detect attacks while limiting false alarms.
Network intrusion detection uses deep learning to analyze network traffic logs and detect anomalous activity that could indicate hackers. The logs are preprocessed and fed into a neural network to be analyzed in batches on a GPU cluster. The trained model can then detect intrusions in new incoming log data from multiple sources in real-time and help network administrators find malicious traffic on the network.
This document discusses passive network monitoring methodology. It describes passive monitoring as a non-intrusive approach that measures real-time network traffic without increasing traffic loads. Passive monitoring provides high security, detailed monitoring of all network activity, and cannot be detected by other network tools. The document outlines useful features of passive monitoring for various users and applications including bandwidth monitoring, troubleshooting, security monitoring, and protocol analysis.
The document discusses APIs required for fault localization and root cause analysis (RCA) in network functions virtualization (NFV) environments. It describes a fault localization system that uses various APIs to obtain information sources like events, alarms, logs and configurations, and perform analysis using system models. Example use cases are provided to illustrate how the fault localization system and required APIs could work to identify the root cause of issues like a physical switch being down.
This slide deck covers Networking Fundamentals, Various Penetration testing standards, OWASP TOP 10 Vulnerabilities of Web Application and the Lab Setup required for Penetration testing.
This document discusses using data mining techniques to classify and detect internet worms. It proposes a model that preprocesses network packet data to extract features, then uses three data mining algorithms (Random Forest, Decision Tree, Bayesian Network) to classify the data as normal, worm, or other network attacks. The model detected internet worms with over 99% accuracy and less than a 1% false alarm rate on test data, with the tree-based classifiers outperforming the Bayesian Network. Overall, the document evaluates using machine learning for network-based internet worm detection.
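One plausible preprocessing feature for such a pipeline is payload byte entropy (an illustrative choice; the paper's exact feature set may differ), since worm and exploit payloads often show entropy profiles unlike normal traffic:

```python
import math
from collections import Counter

def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of a payload in bits per byte (0 to 8)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())
```

Features like this, together with port and flag counts, would form the vectors fed to the Random Forest, Decision Tree, and Bayesian Network classifiers.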
Internet Worm Classification and Detection using Data Mining Techniques - iosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
Network Security: Experiment of Network Health Analysis At An ISP - CSCJournals
This paper presents the findings of an analysis performed at an internet service provider. Based on NetFlow data collected and analyzed using nfdump, it helped assess how healthy the network of an Internet Service Provider (ISP) is. The findings have been instrumental in reflections about reshaping the network architecture, and they have also demonstrated the need for a consistent monitoring system.
Next-gen Network Telemetry is Within Your Packets: In-band OAM - Frank Brockners
While troubleshooting or planning, did you ever wish to get full insight into which paths *all* your packets take in your network, or were you ever asked to prove that your traffic really follows the path you specified by service chaining or traffic engineering? We approach this problem by adding meta-data to *all* packets - "In-band OAM for IPv6" and "path/service-chain verification" are the associated technologies. In-band OAM adds forwarding path information and other information/stats to every data packet - as opposed to relying on probe packets, which is the traditional method that tools like ping or traceroute use. In-band OAM information can either be accessed directly on the router or be available via Netflow. The presentation introduces in-band OAM as a technology and discusses a series of use-cases and deployment scenarios, ranging from proving that all packets traverse a specific path and troubleshooting forwarding issues in networks which use ECMP, over simple approaches to deriving the network traffic matrix, or trend analysis on network parameters such as delay or packet loss, to using iOAM as a tool to optimize forwarding in your network. The technology discussion is complemented by references to demos (using Cisco IOS, FD.io/VPP, OpenDaylight Controller, etc.) which showcase this new technology at work.
AppSec 2013 - Krehel, Ondrej - Forensic Investigations of Web Exploitations - drewz lin
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
Distributed tracing allows requests to be tracked across multiple services in a distributed system. The Jaeger distributed tracing system was used with the HOTROD sample application to visualize and analyze the request flow. Key aspects like latency bottlenecks and non-parallel processing were identified. Traditional logs lack the request context provided by distributed tracing.
Wild Patterns: A Half-day Tutorial on Adversarial Machine Learning - 2019 Int... - Pluribus One
Slides of the tutorial held by Battista Biggio, University of Cagliari and Pluribus One Srl, during "2019 International Summer School on Machine Learning and Security (MLS)"
WILD PATTERNS - Introduction to Adversarial Machine Learning - ITASEC 2019 - Pluribus One
1) Adversarial machine learning studies machine learning systems that operate in adversarial settings such as spam filtering, where the data source is non-neutral and can deliberately attempt to reduce classifier performance.
2) Deep learning models were found to be susceptible to adversarial examples, which are imperceptibly perturbed inputs that cause models to make incorrect predictions.
3) Studies have shown that adversarial examples generated in a digital environment can still fool models when inputs are acquired through a physical system like a camera, indicating these attacks pose a real-world threat.
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub... - Pluribus One
This document discusses research into generating adversarial examples to attack the vision system of the iCub humanoid robot. The researchers were able to craft perturbed images that were misclassified by the robot despite being visually indistinguishable from the originals. They developed gradient-based optimization attacks to target specific misclassifications or induce any misclassification. Potential countermeasures include rejecting inputs that fall in the "blind spots" far from the training data. However, deep learning features are unstable, with small pixel changes mapping to large changes in the deep space. Future work aims to address this instability issue.
Battista Biggio, Invited Keynote @ AISec 2014 - On Learning and Recognition o... - Pluribus One
Learning and recognition of secure patterns is a well-known problem in nature. Mimicry and camouflage are widely-spread techniques in the arms race between predators and prey. All of the information acquired by our senses is therefore not necessarily secure or reliable. In machine learning and pattern recognition systems, we have started investigating these issues only recently, with the goal of learning to discriminate between secure and hostile patterns. This phenomenon has been especially observed in the context of adversarial settings like biometric recognition, malware detection and spam filtering, in which data can be adversely manipulated by humans to undermine the outcomes of an automatic analysis. As current pattern recognition methods are not natively designed to deal with the intrinsic, adversarial nature of these problems, they exhibit specific vulnerabilities that an adversary may exploit either to mislead learning or to avoid detection. Identifying these vulnerabilities and analyzing the impact of the corresponding attacks on pattern classifiers is one of the main open issues in the novel research field of adversarial machine learning.
In the first part of this talk, I introduce a general framework that encompasses and unifies previous work in the field, allowing one to systematically evaluate classifier security against different, potential attacks. As an example of application of this framework, in the second part of the talk, I discuss evasion attacks, where malicious samples are manipulated at test time to avoid detection. I then show how carefully-designed poisoning attacks can mislead learning of support vector machines by manipulating a small fraction of their training data, and how to poison adaptive biometric verification systems to compromise the biometric templates (face images) of the enrolled clients. Finally, I briefly discuss our ongoing work on attacks against clustering algorithms, and sketch some possible future research directions.
Clustering algorithms have become a popular tool in computer security to analyze the behavior of malware variants, identify novel malware families, and generate signatures for antivirus systems.
However, the suitability of clustering algorithms for security-sensitive settings has been recently questioned by showing that they can be significantly compromised if an attacker can exercise some control over the input data.
In this paper, we revisit this problem by focusing on behavioral malware clustering approaches, and investigate whether and to what extent an attacker may be able to subvert these approaches through a careful injection of samples with poisoning behavior.
To this end, we present a case study on Malheur, an open-source tool for behavioral malware clustering. Our experiments not only demonstrate that this tool is vulnerable to poisoning attacks, but also that it can be significantly compromised even if the attacker can only inject a very small percentage of attacks into the input data. As a remedy, we discuss possible countermeasures and highlight the need for more secure clustering algorithms.
Battista Biggio @ S+SSPR2014, Joensuu, Finland -- Poisoning Complete-Linkage ... - Pluribus One
The document discusses poisoning attacks against complete-linkage hierarchical clustering. It introduces hierarchical clustering and describes how attackers can add poisoned samples to compromise the clustering output. The paper evaluates different attack strategies on real and artificial datasets, finding that even random attacks can be effective at poisoning the clusters, while extensions of greedy approaches generally perform best. Future work to develop defenses for clustering algorithms against adversarial inputs is discussed.
Battista Biggio @ AISec 2013 - Is Data Clustering in Adversarial Settings Sec... - Pluribus One
Clustering algorithms have been increasingly adopted in security applications to spot dangerous or illicit activities.
However, they have not been originally devised to deal with deliberate attack attempts that may aim to subvert the clustering process itself. Whether clustering can be safely adopted in such settings remains thus questionable.
In this work we propose a general framework that allows one to identify potential attacks against clustering algorithms, and to evaluate their impact, by making specific assumptions on the adversary's goal, knowledge of the attacked system, and capabilities of manipulating the input data. We show that an attacker may significantly poison the whole clustering process by adding a relatively small percentage of attack samples to the input data, and that some attack samples may be obfuscated to be hidden within some existing clusters.
We present a case study on single-linkage hierarchical clustering, and report experiments on clustering of malware samples and handwritten digits.
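The bridging effect behind such poisoning can be demonstrated on a toy 1-D single-linkage clusterer (an illustrative sketch, not the evaluated system): a few well-placed attack samples merge two otherwise well-separated clusters.

```python
def single_linkage_1d(points, threshold):
    """Single-linkage clustering of 1-D points: any gap wider than
    `threshold` separates two clusters."""
    pts = sorted(points)
    clusters = [[pts[0]]]
    for p in pts[1:]:
        if p - clusters[-1][-1] <= threshold:
            clusters[-1].append(p)   # linked to its nearest neighbor
        else:
            clusters.append([p])     # gap too wide: start a new cluster
    return clusters
```

Because single linkage merges clusters through their closest members, a chain of bridge samples across the gap is enough to collapse the clustering, which is exactly the attack surface studied in the paper.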
Battista Biggio @ ECML PKDD 2013 - Evasion attacks against machine learning a... - Pluribus One
This document summarizes research on evasion attacks against machine learning systems at test time. The researchers propose a framework for evaluating the security of machine learning algorithms against evasion attacks. They model the adversary's goal, knowledge, capabilities, and attack strategy as an optimization problem. Using this framework, they evaluate gradient-descent evasion attacks against systems like spam filters and malware detectors. They show that machine learning classifiers can be vulnerable, even when the adversary has limited knowledge. The researchers explore techniques like bounding the adversary and adding a "mimicry" component to attacks to improve evasion effectiveness.
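The gradient-descent idea reduces to a simple loop in the linear case (a toy sketch, not the paper's full attack, which also handles nonlinear classifiers and adds a mimicry term): move the sample against the gradient of the discriminant function until it crosses the boundary.

```python
import numpy as np

def evade_linear(x, w, b, step=0.1, max_iter=1000):
    """Gradient-descent evasion against a linear classifier
    f(x) = w.x + b (f > 0 means 'malicious'): follow -grad f
    until the sample is classified as benign."""
    x = x.astype(float).copy()
    direction = w / np.linalg.norm(w)   # gradient of f w.r.t. x is w
    for _ in range(max_iter):
        if w @ x + b <= 0:              # crossed the boundary: done
            break
        x -= step * direction
    return x
```

Real attacks additionally bound the perturbation so the evading sample remains a functional attack (e.g., valid malware or readable spam).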
Battista Biggio @ ICML2012: "Poisoning attacks against support vector machines" - Pluribus One
This document discusses poisoning attacks against support vector machines. The goal of poisoning attacks is to mislead machine learning systems by injecting malicious data points into the training set. The paper proposes an approach to maximize classification error on a validation set by calculating the gradient of the hinge loss with respect to the poisoned point. Experiments on MNIST data show that a single poisoned point can significantly increase error rates. The authors note that real attacks may be less effective and discuss how to improve SVM robustness to poisoning attacks.
This PhD thesis by Zahid Akhtar examines the security of multimodal biometric systems against spoof attacks. It aims to evaluate the robustness of these systems to real spoof attacks, validate assumptions about the "worst-case" spoofing scenario, and develop methods to assess security without fabricating fake traits. Experiments are conducted on systems using face and fingerprint biometrics under various spoof attacks, and results show multimodal systems can be compromised by attacking a single trait, while the worst-case scenario does not always reflect real attacks.
Robustness of multimodal biometric verification systems under realistic spoof... - Pluribus One
The document presents research on evaluating the robustness of multi-modal biometric verification systems against spoofing attacks. It discusses experiments conducted using fake fingerprints and faces to spoof a system using fingerprint and face matchers. The results show that the common assumption that fake scores follow a worst-case distribution may not always hold, and score fusion rules designed under this assumption could paradoxically reduce a system's robustness against realistic spoofing attacks. More accurate modeling of fake score distributions is needed.
Support Vector Machines Under Adversarial Label Noise (ACML 2011) - Battista ...Pluribus One
The document summarizes research on making support vector machines (SVMs) more robust to adversarial label noise. It discusses how adversaries can intentionally flip labels in training data to undermine SVMs. The researchers propose a label noise robust SVM that learns from an expected kernel matrix to be less sensitive to label flips. Experiments on several datasets show their approach maintains higher accuracy than standard SVMs when the training data contains adversarial or random label noise. In conclusions, they discuss further investigating the properties and parameter selection for their kernel correction method.
Understanding the risk factors of learning in adversarial environmentsPluribus One
This document summarizes research on developing a theoretical foundation for robust machine learning classifiers that can provide assurances against adversarial manipulation. It proposes measuring a classifier's robustness based on how much its decision boundary rotates under small perturbations to the training data (contamination). For linear classifiers, robustness can be quantified as the expected angular change between the classifier's weight vectors trained on clean vs. contaminated data. This provides an intuitive way to compare learning algorithms and inform the development of more robust algorithms.
The document summarizes a multi-clue approach for detecting photo-based face spoofing attacks in face recognition systems. It fuses analysis of both static visual characteristics and video clues, such as motion and eye blinking. For static analysis, it extracts several visual representations from frames to compute scores. Video analysis examines motion and blinks. The scores are fused using different combination methods depending on the level of detected motion. Experimental results on a standard spoofing database show the fused approach is more effective and robust than static analysis alone, especially for higher quality spoofing attacks.
Ariu - Workshop on Artificial Intelligence and Security - 2011Pluribus One
This document discusses applying machine learning to computer forensics. It provides a brief history of computer security and computer forensics research. It then discusses how machine learning can be useful for computer forensics given the complexity of digital investigations and large amounts of data. The document acknowledges limitations of current computer forensics machine learning research and provides guidelines for improving tools by incorporating an investigator's knowledge and prioritizing results.
Ariu - Workshop on Applications of Pattern Analysis 2010 - PosterPluribus One
This document summarizes an application of Hidden Markov Models (HMMs) to analyze HTTP payloads:
1. An HMM is used to associate a probability to each sequence of bytes in an HTTP payload and obtain an overall probability for the payload.
2. Real HTTP payload data collected from various sources on the internet is used to train the HMM.
3. The trained HMM can then be used to detect anomalies in new HTTP payloads by flagging payloads with significantly different probabilities as potential attacks or malware.
Ariu - Workshop on Multiple Classifier Systems 2011Pluribus One
The document proposes a modular architecture for analyzing HTTP payloads using multiple classifiers to detect anomalies and intrusions. It trains ensembles of hidden Markov models on different lines of HTTP payloads like the request line, host, and user agent. The HMM outputs are then used as features for a one-class classifier to classify the full payload. The approach is evaluated on real traffic datasets and shown to outperform similar systems with high detection rates while being computationally efficient.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Securing your Kubernetes cluster_ a step-by-step guide to success !
Ariu - Ph.D. Defense Slides
1. DRIEI PhD Program in Electronic and Computer Engineering
PhD School in Information Engineering
Host and Network based Anomaly Detectors for HTTP Attacks
By Davide Ariu
Advisor: Prof. Giorgio Giacinto
Pattern Recognition and Applications Group
Department of Electrical and Electronic Engineering
University of Cagliari, Italy
2. Outline
• Web Applications
– Motivations
– Overview
• Intrusion Detection Systems
– Network vs. Host‐based IDS
– Signature‐based IDS
– Anomaly‐based IDS
• Network Based IDS: Payload Analysis
– State of the Art
– Contribution #1: McPAD
– Contribution #2: HMMPayl
• Host Based IDS: Request URI Analysis
– Contribution #3: HMM-Web
• Conclusions
March 5, 2010 Host and Network based Anomaly Detectors for HTTP Attacks ‐ Davide Ariu
3. Web Applications Security
Motivations
• More than 200,000,000 sites (January 2010)¹
– A lot of sensitive data sent every day over the network
• Cybercriminals are interested in sensitive data:
– E.g. Credit Card Numbers
– E.g. Bank Account Credentials
– E.g. Identity thefts. The full identity of a European citizen might be quite interesting for a terrorist, given the free circulation within European Union Countries.
• Vulnerabilities of Web Applications
– More than 50% of the vulnerabilities discovered during the first half of 2009 affected Web Applications²
1 Source: Netcraft.com
2 Source: X‐Force Mid‐year report 2009
4. Web Applications
Overview
HTTP Request (the HTTP Payload):
GET /pra/index.php?lang=eng HTTP/1.1   (Request URI)
Host: prag.diee.unica.it               (Headers)
User-Agent: Mozilla/5.0
Connection: keep-alive
Accept-Encoding: gzip,deflate
5. Intrusion Detection Systems
Network vs Host‐based IDS
• Based on the source of the data being audited, IDS can be classified into:
• Network‐based IDS
– Monitor the network activity
– A single IDS can monitor an entire network
• Host‐based IDS
– Analyze the activity of a specific Host
6. Intrusion Detection Systems
Signature‐based IDS
• Signature (or misuse) based systems
– Each attack is described by one or more signatures
• E.g. A certain sequence of bytes is found within a payload
• E.g. An application receives a certain input value
• Troubles:
– Signatures can be extracted only from known attacks
• Vulnerable to zero‐day (i.e., never seen before) attacks
– A signature is ineffective against variants of the same attack (polymorphism)
– It is difficult to keep up with the large number of attacks that appear every day
7. Intrusion Detection Systems
Anomaly‐based IDS
• Anomaly‐based IDS rely on a model of the normal behavior of the resource to be protected
• The normal behavior of a resource is "a set of characteristics that are observed during its normal operation".
• Advantages:
– Both known and unknown attacks can be detected
• Anomaly‐based IDS can cope with zero‐day attacks
8. Intrusion Detection Systems
Performance Evaluation
• IDS are usually evaluated in terms of:
– Detection Rate (or True Positive Rate)
• The percentage of attacks detected
– False Positive (or Alarm) Rate
• The percentage of legitimate patterns wrongly classified as attacks
– Area Under the ROC Curve
• It allows evaluating the IDS over all the possible operating points
• We considered a Partial AUC (AUCp) obtained with a maximum false positive rate of 0.1
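The Partial AUC can be computed from detector scores with a simple trapezoidal integration. The sketch below is illustrative, not taken from the thesis: function names and the toy scores are mine, and it assumes higher anomaly scores indicate attacks.

```python
import numpy as np

def roc_points(scores_normal, scores_attack):
    """Sweep a threshold over all observed scores and collect (FPR, DR) pairs."""
    points = [(0.0, 0.0), (1.0, 1.0)]
    for t in np.concatenate([scores_normal, scores_attack]):
        fpr = np.mean(scores_normal >= t)  # legitimate patterns flagged as attacks
        dr = np.mean(scores_attack >= t)   # attacks correctly detected
        points.append((float(fpr), float(dr)))
    # For equal FPR keep the best DR, then sort by FPR
    best = {}
    for f, d in points:
        best[f] = max(best.get(f, 0.0), d)
    return sorted(best.items())

def partial_auc(scores_normal, scores_attack, max_fpr=0.1):
    """Area under the ROC curve restricted to FPR <= max_fpr (AUCp)."""
    pts = roc_points(scores_normal, scores_attack)
    fprs = [p[0] for p in pts]
    drs = [p[1] for p in pts]
    grid = np.linspace(0.0, max_fpr, 101)   # evaluate DR on a fine FPR grid
    dr_grid = np.interp(grid, fprs, drs)
    # Trapezoidal rule over the restricted FPR range
    return float(sum((dr_grid[i] + dr_grid[i - 1]) / 2 * (grid[i] - grid[i - 1])
                     for i in range(1, len(grid))))

# Toy scores: a detector that separates attacks from normal traffic perfectly
normal = np.array([0.10, 0.15, 0.20, 0.25, 0.30])
attack = np.array([0.80, 0.85, 0.90])
print(partial_auc(normal, attack))  # ~0.1: AUCp of a perfect detector equals max_fpr
```

With this normalization, a perfect detector scores AUCp equal to max_fpr (here 0.1), which is why the thesis reports AUCp values on that scale.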
10. Network Based IDS
Payload Analysis
11. Payload Analysis
Rationale
• The assumption behind IDS based on payload statistics is that normal and attack payloads have different distributions of bytes.
• Attacks can be detected if they make the payload statistics deviate from those of the normal traffic.
12. Payload Analysis
Motivations
A normal payload:
GET /pra/ita/home.php HTTP/1.1
Host: prag.diee.unica.it
Connection: Keep-alive
Accept: text/*, text/html
Accept-Encoding: compress, gzip
Accept-Language: it, en-gb
Long Request Buffer Overflow attack:
HEAD / aaaaaaa…aaaaaaaaaaaa
URL Decoding Error attack:
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
Host: www
Connection: close
13. Payload Analysis
Motivations
14. State of the Art: PAYL¹
• PAYL is based on n‐gram analysis, a technique originally proposed to solve text classification problems²:
– A sliding window of width n runs over the payload
– The occurrences of the n‐grams are counted and their relative frequencies are calculated
– Example, n=1: a window of width 1 slides over the byte sequence 4 3 3 1 3 4 2 3 3 4 (1-grams)
– Example, n=2: a window of width 2 slides over the same sequence (2-grams)
1 Wang et al., "Anomalous Payload‐based Network Intrusion Detection", RAID Int. Symposium, 2004.
2 Damashek, "Gauging similarity with n‐Grams: Language‐independent Categorization of Text", Science, 1995.
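The sliding-window counting described above can be sketched as follows; this is a minimal illustration (the function name is mine, not from PAYL):

```python
from collections import Counter

def ngram_frequencies(payload: bytes, n: int):
    """Slide a window of width n over the payload, count each n-gram,
    and normalise the counts into relative frequencies."""
    counts = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    total = sum(counts.values())
    return {gram: count / total for gram, count in counts.items()}

# n=1 models single-byte statistics; n=2 starts to capture payload structure
freqs = ngram_frequencies(b"GET /pra/index.php?lang=eng HTTP/1.1", 2)
```

The resulting dictionary is the (sparse) feature vector: with byte-valued symbols it lives in a space of size 256^n, which is why n is limited in practice.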
15. State of the Art: PAYL
• PAYL is quite effective but:
– A value of n=1 doesn't take into account the structure of the payload
• It might be quite simple for an attacker to mimic the distribution of 1‐grams¹
• It is difficult to detect attacks that only slightly modify the statistics of the payload
– To model the structure of the payload a value of n>=2 must be considered
• Since the payload is represented in a feature space of size 256^n, a value of n bigger than 2 can't be used
1 Fogla et al., "Polymorphic Blending Attack", USENIX Security Symposium, 2006.
16. Original Contribution n°1
McPAD¹
Multiple Classifiers Payload Anomaly Detector
1 R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, W. Lee. McPAD: A Multiple classifier system for accurate payload‐based anomaly detection. Computer Networks, 2009. Special Issue on Traffic Classification and Its Applications to Modern Networks.
17. McPAD
Multiple Classifiers Payload Anomaly Detector
• IDEA: The n‐gram analysis can be approximated using n‐1 classifiers, each one of which works in a feature space of size 256²
• We calculate the relative frequencies of pairs of bytes from 0 to ν positions away from each other (2‐ν‐gram analysis)
• Example: ν = 2 (equivalent to a 4‐gram, since n = ν+2): the 2-0-gram, 2-1-gram, and 2-2-gram windows slide over the byte sequence 4 3 3 1 3 4 2 3 3 4
• This yields ν+1 feature spaces; a clustering algorithm is applied to each of them to reduce the number of features
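A minimal sketch of the 2‐ν‐gram feature extraction (function name and sample payload are illustrative, not from McPAD): each value of the gap ν yields one 256²-dimensional feature space, counting pairs of bytes with ν bytes between them.

```python
from collections import Counter

def two_nu_gram_frequencies(payload: bytes, nu: int):
    """Relative frequencies of byte pairs with exactly nu bytes between them
    (nu = 0 reduces to the ordinary 2-gram)."""
    gap = nu + 1
    counts = Counter((payload[i], payload[i + gap])
                     for i in range(len(payload) - gap))
    total = sum(counts.values())
    return {pair: count / total for pair, count in counts.items()}

# nu = 0..2 gives the three feature spaces that together approximate a 4-gram
payload = b"GET /pra/index.php?lang=eng HTTP/1.1"
feature_spaces = [two_nu_gram_frequencies(payload, nu) for nu in range(3)]
```

Each feature space feeds one of the one-class SVMs whose outputs the MCS combines.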
18. McPAD
Scheme
[Scheme: PAYLOAD → Feature Extraction and Reduction → SVM 1, SVM 2, …, SVM k → MCS → label]
19. McPAD
Experimental Setup
• Legitimate traffic
– 7 days of HTTP requests toward the web server of the College of Computing at Georgia Tech (GT)
– 5 days of HTTP requests from the DARPA dataset
• Attacks
– 66 Generic HTTP Attacks (Shellcode, DoS, Information Leakage, etc.)
– 11 Shell‐code Attacks
– 96 polymorphic attacks generated with CLET
– 6339 Polymorphic Blending Attacks (PBA¹)
1 Fogla et al., "Polymorphic Blending Attack", USENIX Security Symposium, 2006.
20. McPAD
Experimental Results
Very low false positive rate
[ROC curves (Detection Rate vs. False Positive Rate): PAYL (1-gram) vs. McPAD]
21. McPAD
Experimental Results: MCS Benefits
The AUCp increases with the number of classifiers
[Plots: AUCp vs. Number of Models, for Shell‐code Attacks and Generic Attacks]
22. McPAD
Experimental Results: Increased Bayesian DR
[ROC curves (Detection Rate vs. False Positive Rate): PAYL (1-gram) vs. McPAD]
• Axelsson provided a definition of the Bayesian Detection Rate¹:
P(I|A) = (2·10⁻⁵ · P(A|I)) / (2·10⁻⁵ · P(A|I) + 0.99998 · P(A|¬I))
where P(A|¬I) is the False Positive rate.
1 Axelsson S., "The base‐rate fallacy and the difficulty of Intrusion Detection", ACM TISSEC, 2000.
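Plugging numbers into Axelsson's formula shows why the false positive rate dominates. A sketch (the function name is mine), using the intrusion base rate P(I) = 2·10⁻⁵ from the slide:

```python
def bayesian_detection_rate(dr, fpr, base_rate=2e-5):
    """Axelsson's Bayesian detection rate P(I|A): the probability that an
    alarm actually corresponds to an intrusion, given the intrusion base
    rate.  dr = P(A|I), fpr = P(A|not I)."""
    return (base_rate * dr) / (base_rate * dr + (1.0 - base_rate) * fpr)

# Even a perfect detector is swamped by a 1% false positive rate ...
print(bayesian_detection_rate(dr=1.0, fpr=0.01))   # ~0.002: 998 of 1000 alarms are false
# ... while a very low false positive rate makes alarms meaningful
print(bayesian_detection_rate(dr=1.0, fpr=1e-5))   # ~0.67
```

This is why the very low false positive rate of McPAD translates into a much higher Bayesian Detection Rate than PAYL's.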
23. McPAD
Weakness
• The 2‐ν‐gram analysis only allows for an approximate representation of n‐grams.
Question
– Is there any algorithm that has the same expressive power as the n‐gram analysis but doesn't suffer from the same limitations in terms of computational cost?
Answer
– Yes, we can use Hidden Markov Models
24. Original Contribution n°2
HMMPayl¹
Hidden Markov Models for the Analysis of the HTTP Payload
1 D. Ariu, G. Giacinto, R. Tronci. HMMPayl: an Intrusion Detection System based on Hidden Markov Models. Submitted to Computers and Security, Elsevier, 2010.
25. HMMPayl
Hidden Markov Models for Payload Analysis
• IDEA: We can consider an n‐gram as a sequence and model it using an HMM.
• Using the HMM we can associate a probability to each sequence extracted from the payload.
• Starting from the probabilities associated to all the sequences extracted from the payload, we can obtain an overall probability for it.
26. HMMPayl
A simple example
• E.g. Given a toy payload (with a window width = 5):
2 1 2 0 0 1 2 1 0 2
Sequence 1: 2 1 2 0 0 → 0.62
Sequence 2: 1 2 0 0 1 → 0.65
Sequence 3: 2 0 0 1 2 → 0.67
Sequence 4: 0 0 1 2 1 → 0.70
Sequence 5: 0 1 2 1 0 → 0.68
Sequence 6: 1 2 1 0 2 → 0.64
Probability of the payload (average of the sequence probabilities assigned by the HMM) = 0.66
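The windowing and averaging in the toy example can be sketched as below. The per-sequence scorer is a stand-in for the trained HMM (in HMMPayl the probability of each sequence would come from the model itself); the toy scores are the ones on the slide.

```python
def windows(payload, width):
    """All subsequences obtained by sliding a window of `width` over the payload."""
    return [tuple(payload[i:i + width]) for i in range(len(payload) - width + 1)]

def payload_probability(payload, width, score_sequence):
    """Average the per-sequence probabilities into one score for the payload."""
    seqs = windows(payload, width)
    return sum(score_sequence(s) for s in seqs) / len(seqs)

# Toy payload and per-sequence probabilities from the slide
# (the dict lookup stands in for the trained HMM)
toy_payload = [2, 1, 2, 0, 0, 1, 2, 1, 0, 2]
toy_scores = {(2, 1, 2, 0, 0): 0.62, (1, 2, 0, 0, 1): 0.65, (2, 0, 0, 1, 2): 0.67,
              (0, 0, 1, 2, 1): 0.70, (0, 1, 2, 1, 0): 0.68, (1, 2, 1, 0, 2): 0.64}
print(round(payload_probability(toy_payload, 5, toy_scores.get), 2))  # 0.66
```

A payload whose overall probability deviates strongly from the values seen in training is flagged as anomalous.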
27. HMMPayl
Scheme
28. HMMPayl
Experimental Setup
• Legitimate traffic
– 7 days of HTTP requests toward the web server of the College of Computing at Georgia Tech (GT)
– 6 days of HTTP requests toward the web server of our department (DIEE)
– 5 days of HTTP requests from the DARPA dataset
• Attacks
– 66 Generic HTTP Attacks (Shellcode, DoS, Information Leakage, etc.)
– 11 Shell‐code Attacks
– 96 polymorphic attacks generated with CLET
– 38 Cross Site Scripting (XSS) and SQL‐Injection Attacks
29. HMMPayl
Experimental Results
AUCp increased with respect to McPAD
[Plot: AUCp on Generic Attacks]
30. HMMPayl
Experimental Results: Classifiers (Ideal) Selection¹
1 R. Tronci, G. Giacinto, F. Roli, "Dynamic score selection for fusion of multiple biometric matchers", ICIAP 2007.
31. HMMPayl
Experimental Results: Sequences Sampling
32. Host Based IDS
Analysis of the Request‐URI
33. Original Contribution n°3
HMM‐Web¹
Hidden Markov Models for Web Applications Protection
1 I. Corona, D. Ariu, G. Giacinto. HMM‐Web: A framework for the detection of attacks against web applications. IEEE International Conference on Communications, Dresden, 2009.
34. Analysis of the Request URI
Motivations
• Through the Request URI, input arguments can be provided to the Web Application
– Input arguments are provided as attribute‐value pairs
• Normal requests should be generated by clicking somewhere in a web page
– The position of the attributes in the request depends on the hyperlink
• An attribute cannot receive arbitrary values
– A model of the values that an attribute can receive is necessary
– It is important to distinguish between alphabetic characters, digits, and meta‐characters.
35. HMM‐Web
Scheme
GET /search.php?cat=32&key=hmm HTTP/1.1
[Scheme: HMM‐Web dispatches each request to the model of the module it addresses (index.php, search.php, list.php, …)]
36. HMM‐Web
Scheme
GET /search.php?cat=32&key=hmm HTTP/1.1
The request is dispatched to the models of the addressed module (here search.php, among index.php, list.php, …), where three HMM ensembles analyze it:
• an HMM Ensemble for the sequence of attributes: cat-key
• an HMM Ensemble for the value of the cat attribute: 3-2
• an HMM Ensemble for the value of the key attribute: h-m-m
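The decomposition above (addressed module, sequence of attributes, one character sequence per attribute value) can be sketched as follows. Function names are illustrative, not from HMM-Web, and the coarse character coding merely reflects the alphabetic/digit/meta-character distinction from the motivations slide:

```python
from urllib.parse import urlsplit, parse_qsl

def decompose_request_uri(uri):
    """Split a Request URI into the addressed module, the sequence of attribute
    names, and one character sequence per attribute value; each of these parts
    is analyzed by a dedicated HMM ensemble."""
    parts = urlsplit(uri)
    module = parts.path.rsplit("/", 1)[-1]
    pairs = parse_qsl(parts.query)
    attributes = [name for name, _ in pairs]
    values = {name: list(value) for name, value in pairs}
    return module, attributes, values

def code_char(c):
    """Coarse coding of value characters: Alphabetic, Digit, or Meta-character."""
    if c.isalpha():
        return "A"
    if c.isdigit():
        return "D"
    return "M"

module, attrs, values = decompose_request_uri("/search.php?cat=32&key=hmm")
print(module, attrs)                          # search.php ['cat', 'key']
print([code_char(c) for c in values["cat"]])  # ['D', 'D']
```

Coding characters by class rather than by exact value lets the per-attribute models generalize over legitimate values while still exposing meta-characters typical of injection attacks.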
37. Experimental Results
Effectiveness of the attributes' codification
The curve on the right has been obtained using the codification proposed by Kruegel et al. in "A multimodel approach to the detection of web‐based attacks", Computer Networks, 2005.
38. Conclusions ‐ 1
• With this research we addressed the problem of protecting web applications
• We proposed Network‐based IDS that offer protection against a wide range of attacks
• We proposed an IDS (McPAD) that achieves both high classification accuracy and robustness against evasion attempts
• We proposed an IDS (HMMPayl) that realizes a very accurate model of the payload, outperforming previously proposed approaches
39. Conclusions ‐ 2
• We have shown that Multiple Classifiers are useful to increase both the classification accuracy and the robustness against evasion attempts
• We also proposed a Host‐Based solution (HMM-Web) to model the input provided to web applications.