approachstealthy

ISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4988DEFENDINGSTEALTHYMODEATTACKBYLIVEDETECTIONANDADOPTABLELEARNINGTECHNIQUEMr.
N.
Aravindhu,G.
Vaishnavi,D.
MaheswariSenoirAssistantProfessor,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaStudent,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaStudent,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaABSTRACT:Thisworkemployeescompletestoppingofthebotnetattackmadebybotmaster.
TheattackismadebypassingthecodewordcommentsbyDNSbasedstealthymodecommandandcontrolchannelfromonesystemtoanothersystemtohijacktheserver.
Usuallywecanabletoidentifytheattackonlyaftertheattackhasbeenmadebythebotmaster.
ButbyusingBotnetTrackingTool(BTT)wecankeeptrackofthecodewordbeingused.
TheattackispreventedbymakinguseoftheBotnetTrackingTool(BTT).
Wecontinuouslymonitortheattackmadebythebotmasterandthebots.
Theattackisconcurrentlycheckedinthedatabaseforthepre-definedcodewordandiftheattackhasbeenfounditwouldbestoppedfromfurtherattack.
Ifsupposethenewcodewordisfoundduringtheattackthatcodewordwouldbestoredinthedatabasefutureuseandthenisolatesthem.
Itdoesnotallowuntilaproperauthorizationismadeandclarifiesthemnotasbotmaster.
Keywords:Networksecurity,codewords,DNSsecurity,botnetdetection,botnettrackingtool(BTT),commandandcontrol.
1.
INTRODUCTIONNetworksecuritystartswithauthentication,usuallywithausernameandapassword.
Thisrequiresonedetailauthenticationtheusernameandthepassword—thisisalsocalledasone-factorauthentication.
Withthetwo-factorauthentication-theuserhasused(e.
g.
asecuritytokenordongle,anATMcardoramobilephone);andwith3-factorauthenticationtheuseralsousedfingerprintorretinalscan.
Whenitisauthenticating,afirewallenforcesaccesspoliciessuchastheserviceswhichareallowsthenetworkuserstoaccessthenetwork.
Theeffectivenessofpreventingtheunauthorizedaccess,thiscomponentmayfailtocheckpotentiallyharmfulcontentsuchascomputerwormsorTrojansbeingtransmittedoverthenetwork.
Anti-virussoftwareoranintrusionpreventionsystem(IPS)helpdetectandinhibittheactionofsuchmalware.
Ananomaly-basedintrusiondetectionsystemmayalsomonitorthenetworkandtrafficfornetworkmaybeloggedforauditpurposesandforlaterhigh-levelanalysis.
Communicationbetweentwohostsusinganetworkmaybeencryptedtomaintainprivacy[1].
Ageneralconceptincludingasspecialcasesuchattributesasreliability,availability,safety,integrity,maintainability,etcSecuritybringsinconcernsforconfidentiality,inadditiontoavailabilityandintegrityBasicdefinitionsaregivenfirstTheyarethencommentedupon,andsupplementedbyadditionaldefinitions,whichaddressthethreatstodependabilityandsecurity(faults,errors,failures),theirattributes,andthemeansfortheirachievement(faultprevention,faulttolerance,faultremoval,faultforecasting)Theaimistoexplicateasetofgeneralconcepts,ofrelevanceacrossawiderangeofsituationsand,therefore,helpingcommunicationandcooperationamonganumberofscientificandtechnicalcommunities,includingonesthatareconcentratingonparticulartypesofsystem,ofsystemfailures,orofcausesofsystemfailures[3].
Thetermbotisshortforrobot.
Criminalsdistributemalicioussoftware(alsoknownasmalware)thatcanturnyourcomputerintoabot(alsoknownasazombie).
Whenthisoccurs,yourcomputercanperformautomatedtasksovertheInternet,withoutyouknowingit.
Criminalstypicallyusebotstoinfectlargenumbersofcomputers.
Thesecomputersformanetwork,orabotnet.
Criminalsusebotnetstosendoutspamemailmessages,spreadISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4989viruses,attackcomputersandservers,andcommitotherkindsofcrimeandfraud.
Ifyourcomputerbecomespartofabotnet,yourcomputermightslowdownandyoumightinadvertentlybehelpingcriminals.
2.
RELATEDWORK2.
1FINDINGMALICIOUSDOMAINSUSINGPASSIVEDNSANALYSISInthispaper,weintroduceEXPOSURE,asystemthatemployslarge-scale,passiveDNSanalysistechniquestodetectdomainsthatareinvolvedinmaliciousactivity.
Weuse15featuresthatweextractfromtheDNStrafficthatallowustocharacterizedifferentpropertiesofDNSnamesandthewaysthattheyarequeried.
Ourexperimentswithalarge,real-worlddatasetconsistingof100billionDNSrequests,andareal-lifedeploymentfortwoweeksinanISPshowthatourapproachisscalableandthatweareabletoautomaticallyidentifyunknownmaliciousdomainsthataremisusedinavarietyofmaliciousactivity(suchasforbotnetcommandandcontrol,spamming,andphishing)[4].
2.
2DETECTIONOFDNSANOMALIESUSINGFLOWDATAANALYSISThispaperdescribesalgorithmsusedtomonitoranddetectcertaintypesofattackstotheDNSinfrastructureusingflowdata.
Ourmethodologyisbasedonalgorithmsthatdonotrelyonknownsignatureattackvectors.
Theeffectivenessofoursolutionisillustratedwithrealandsimulatedtrafficexamples.
Inoneexample,wewereabletodetectatunnelingattackwellbeforetheappearanceofpublicreportsofit[5].
3.
EXISTINGSYSTEMInitiallyanattackbythebotmasterismadeandtheaftertheattacktheyhaveidentifiedthatanattackhasbeenmade.
Theyhavecheckedexperimentalevaluationmakesuseofatwo-month-long4.
6-GBcampusnetworkdatasetand1milliondomainnamesobtainedfromalexa.
com.
TheyhaveconcludedthattheDNS-basedstealthycommandand-controlchannel(inparticular,thecodewordmode)canbeverypowerfulforattackers,showingtheneedforfurtherresearchbydefendersinthisdirection.
ThestatisticalanalysisofDNSpayloadasacountermeasurehaspracticallimitationsinhibitingitslargescaledeployment.
inthisdirection.
ThestatisticalanalysisofDNSpayloadasacountermeasurehaspracticallimitationsinhibitingitslargescaledeployment.
Theyhavebeenabletoidentifyitonlyaftertheattackhasbeenmade.
.
Botnetcommand-and-control(C&C)channelusedbybotsandbotmastertocommunicatewitheachother,e.
g.
,forbotstoreceiveattackcommandsandmodifyfrombotmaster,astolendata.
AC&Cchannelforabotnetneedstobereliableone.
ManybotmasterusedtheInternetRelayChatprotocol(IRC)orHTTPserverstosendinformation.
Botnetoperatorscontinuouslyexplorenewstealthycommunicationmechanismstoevadedetection.
HTTP-basedcommandandcontrolisdifficulttodistinguishthelegitimatewebtraffic.
WedonotallowbotstosubmitDNSqueriestoeradicatedetection.
WeonlyallowbotstoeitherpiggybacktheirquerieswithlegitimateDNSqueriesfromtthehost,orfollowaquerydistribution.
OurimplementationusesthePythonModularDNSServer(pymds)andadesignedplug-intorespondtoDNSrequests.
PyMDSimplementsthefullDNSprotocolwhileallowingtheusertoimplementaprogrammaticanddynamicbackendtocreatetheDNSrecordsreturned.
Insteadofreturningrecordsfromastaticfile,PyMDSallowedforthedecodingofcodewordsandthegenerationofappropriateresponses.
Toevaluatethepiggybackquerystrategy,ourdatasetisatwo-month-longnetworktraceobtainedfromauniversityandcollectedwiththeIPAudittool.
Astaticapproachistohaveabotmastercreateanorderedlistofdomainnamesandpackthelistinmalwarecodeforbottolookup,whichissametotheuseofaone-timepasswordpadforauthentication.
Botnetshavebeentousesubdirectoriesfordirectcommunication,However,foraDNS-tunneling-basedchannel,subdirectoryapproachdoesnotapply,asthebotmasterdoesnotrunawebserverandtheISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4990communicationisbasedsolelyondomainnamesystems.
Consideringthatbotnetsoftenusethird-leveldomainsinsteadofsubdirectories,Dagonproposedtousetheratiobetweensecond-leveldomains(SLDs)andthird-leveldomains(3LDs)toidentifybotnettraffic.
DNS-basedstealthymessagingsystemsthatrequiresdeeppacketinspectionandstatisticalanalysis.
Deeppacketinspectionexaminespacketpayloadbeyondthepacketheader.
Specifically,wequantitativelyanalyzetheprobabilitydistributionsof(bot's)DNS-packetcontent.
.
.
3.
1DRAWBACKSINEXISTINGSYSTEMAbletoidentifyabotmasteronlyafteranattackhasbeenmade.
Itcannotpreventorpredictanattacksotheycan'tprotectit.
DidnotcheckitinLive.
BotMastercannotbecaughtredhanded.
4.
PROPOSEDSYSTEMItusesstochasticimplementationofmarkovschainlinkanalysisalgorithmtocorrelatewithhistoryindatabase.
Thismethodisusedtostorethenewattackwhichisdetectedlivelyduringprocessintothedatabase.
AdiscreteMarkovchainmodelcanbedefinedbythetuple.
Scorrespondstothestatespace,Aisamatrixrepresentingtransitionprobabilitiesfromonestatetoanother.
λistheinitialprobabilitydistributionofthestatesinS.
ThefundamentalpropertyofMarkovmodelisthedependencyonthepreviousstate.
Ifthevectors[t]denotestheprobabilityvectorforallthestatesattime't',then:Ifthereare'n'statesinourMarkovchain,thenthematrixoftransitionprobabilitiesAisofsizenxn.
Markovchainscanbeappliedtoweblinksequencemodeling.
Inthisformulation,aMarkovstatecancorrespondtoanyofthefollowing:URI/URLHTTPrequestAction(suchasadatabaseupdate,orsendingemail)ThematrixAcanbeestimatedusingmanymethods.
Withoutlossofgenerality,themaximumlikelihoodprincipleisappliedinthispapertoestimateAandλ.
EachofthematrixA[s,s']canbeestimatedasfollows:C(s,s')isthecountofthenumberoftimess'followssinthetrainingdata.
AlthoughMarkovchainshavebeentraditionallyusedtocharacterizeasymptoticpropertiesofrandomvariables,weutilizethetransitionmatrixtoestimateshort-termlinkpredictions.
AnelementofthematrixA,sayA[s,s']canbeinterpretedastheprobabilityoftransitioningfromstatestos'inonestep.
SimilarlyanelementofA*Awilldenotetheprobabilityoftransitioningfromonestatetoanotherintwosteps,andsoon.
Giventhe"linkhistory"oftheuserL(t-k),L(t-k+1).
.
.
.
L(t-1),wecanrepresenteachlinkasavectorwithaprobability1atthatstateforthattime(denotedbyi(t-k),i(t-k+1).
.
.
i(t-1)).
TheMarkovChainmodelsestimationoftheprobabilityofbeinginastateattime't'isshowninequation4.
TheMarkovianassumptioncanbevariedinavarietyofways.
Inourproblemoflinkprediction,wehavetheuser'shistoryavailable;however,aprobabilityISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4991distributioncanbecreatedaboutwhichofthepreviouslinksare"goodpredictors"ofthenextlink.
ThereforeweproposevaianctsoftheMarkovprocesstoaccommodateweightingofmorethanonehistorystate.
Inthefollowingequations,wecanseetheateachofthepreviouslinksareusedtopredictthefuturelinksandcombinedinavarietyofways.
ItisworthnotingthatratherthancomputeA*Aandhigherpowersofthetransitionmatrix,theseaybedirectlyestimatedusingthetrainingdata.
Inpractice,thestateprobablilityvectors(t)canbenormalizedandthresholdedinordertoselectalistof"probablelinks/stated"thatheuserwillchoose.
4.
1BOTNETTRACKINGTOOLBotnettrackingtoolisimpliedtodetectthebotnetattacklivelyinthenetwork.
Thistoolisusedtoreviewtheprocesswhichisgoingon.
Inthisthedetectionofanyattackwillbedetected.
Itusesmachineadoptablelearningtechniqueforpreventionofforthcomingattacks.
Thismethodisusedtosaycompletelyabouttheattackwhichischeckedwiththedatabasethatitisanattackornot.
Ifitisanattackthenitwillbestoppedfromfurtherprocess.
Ifitisfoundthatitisnotanattackthenitallowsittodotheprocess.
Someofthemostsuccessfuldeeplearningmethodsinvolveartificialneuralnetworks.
DeepLearningNeuralNetworksdatebackatleasttothe1980NeocognitronbyKunihikoFukushima.
Itisinspiredbythe1959biologicalmodelproposedbyNobellaureateDavidH.
Hubel&TorstenWiesel,whofoundtwotypesofcellsinthevisualprimarycortex:simplecellsandcomplexcells.
Manyartificialneuralnetworkscanbeviewedascascadingmodelsofcelltypesinspiredbythesebiologicalobservations.
Withtheadventoftheback-propagationalgorithm,manyresearcherstriedtotrainsuperviseddeepartificialneuralnetworksfromscratch,initiallywithlittlesuccess.
SeppHochreiter'sdiplomathesisof1991formallyidentifiedthereasonforthisfailureinthe"vanishinggradientproblem,"whichnotonlyaffectmany-layeredfeedforwardnetworks,butalsorecurrentneuralnetworks.
Thelatteraretrainedbyunfoldingtheintoverydeepfeedforwardnetworks,whereanewlayeriscreatedforeachtimestepofaninputsequenceprocessedbythenetwork.
Aserrorspropagatefromlayertolayer,theyshrinkexponentiallywiththenumberoflayers.
Toovercomethisproblem,severalmethodswereproposed.
OneisJurgenSchmidhuber'smulti-levelhierarchyofnetworks(1992)pre-trainedonelevelatatimethroughunsupervisedlearning,fine-tunedthroughbackpropagation.
Hereeachlevellearnsacompressedrepresentationoftheobservationsthatisfedtothenextlevel.
Anothermethodisthelongshorttermmemory(LSTM)networkof1997byHochreiter&Schmidhuber.
In2009,deepmultidimensionalLSTMnetworksdemonstratedthepowerofdeeplearningwithmanynonlinearlayers,bywinningthreeICDAR2009competitionsinconnectedhandwritingrecognition,withoutanypriorknowledgeaboutthethreedifferentlanguagestobelearned.
Whathasattractedthemostinterestinneuralnetworksisthepossibilityoflearning.
Givenaspecifictasktosolve,andaclassoffunctionsF,learningmeansusingasetofobservationstofindwhichsolvesthetaskinsomeoptimalsense.
TheentailsdefiningacostfunctionC:F->IRsuchthat,fortheoptimalsolution,-i.
e.
,noISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4992solutionhasacostlessthanthecostoftheoptimalsolution(seeMathematicaloptimization).
ThecostfunctionCisanimportantconceptinlearning,asitisameasureofhowfarawayaparticularsolutionisfromanoptimalsolutiontotheproblemtobesolved.
Learningalgorithmsearchthroughthesolutionspacetofindafunctionthathasthecost.
smallestpossible.
4.
2ADVANTAGESOFPROPOSEDSYSTEMAbletoidentifybotmasterbeforeanattackismade.
CanbeinLiveNetwork.
Trackingtoolcanidentifiesthewholechainofnetworkinvolvedinattack.
Toolcreatedwhichwillisolatethebotmasterandwouldnotbeallowedtobeexecutedatanytime.
5.
CONCLUSIONBotnettrackingtoolexperimentedbygivingattackingcodewordedmessagesthroughthebotsnetworksothatserverwilllivelydetectthestatusofthesystemsthatareincommunicationandthosesystemsalsowillbeundersurveillance.
Databasehistorywillbecomparedwiththecodedmessagessoastopreventanyattackingkeywordssenttoanysecureddatabase.
Itdynamicallyupdatesthecurrentattacktakesplacebylearningthenewtechniqueapplied.
5.
ACKNOWLEDGMENTSOurthankstotheexpertswhohavecontributedtowardsdevelopmentofthetemplate.
REFERENCES[1]http://en.
wikipedia.
org/wiki/Network_securityDing,W.
andMarchionini,G.
1997AStudyonVideoBrowsingStrategies.
TechnicalReport.
UniversityofMarylandatCollegePark.
[2]http://dl.
acm.
org/citation.
cfmid=1026492Tavel,P.
2007ModelingandSimulationDesign.
AKPetersLtd.
[3]http://65.
54.
113.
26/Publication/1436760Forman,G.
2003.
Anextensiveempiricalstudyoffeatureselectionmetricsfortextclassification.
J.
Mach.
Learn.
Res.
3(Mar.
2003),1289-1305.
[4]L.
Bilge,E.
Kirda,C.
Kruegel,andM.
Balduzzi,"Exposure:FindingMaliciousDomainsUsingPassiveDNSAnalysis,"Proc.
18thAnn.
NetworkandDistributedSystemSecuritySymp.
(NDSS),Feb.
2011.
[5]A.
Karasaridis,K.
S.
Meier-Hellstern,andD.
A.
Hoeflin,"DetectionofDNSAnomaliesUsingFlowDataAnalysis,"Proc.
IEEEGlobeCom,2006.
[6]C.
J.
Dietrich,C.
Rossow,F.
C.
Freiling,H.
Bos,M.
vanSteen,andN.
Pohlmann,"OnBotnetsthatUseDNSforCommandandControl,"Proc.
EuropeanConf.
ComputerNetworkDefense,Sept.
2011.
[7]E.
Kartaltepe,J.
Morales,S.
Xu,andR.
Sandhu,"SocialNetwork-BasedBotnetCommand-and-Control:EmergingThreatsandCountermeasures,"Proc.
EighthInt'lConf.
AppliedCryptographyandNetworkSecurity(ACNS).
[8]S.
Yadav,A.
K.
K.
Reddy,A.
N.
Reddy,andS.
Ranjan,"DetectingAlgorithmicallyGeneratedMaliciousDomainNames,"Proc.
10thAnn.
Conf.
InternetMeasurement(IMC'10).
[9]P.
Butler,K.
Xu,andD.
Yao,"QuantitativelyAnalyzingStealthyCommunicationChannels,"Proc.
NinthInt'lConf.
AppliedCryptographyandNetworkSecurity(ACNS'11).
[10]G.
Ollmann,"BotnetCommunicationTopologies:UnderstandingtheIntricaciesofBotnetCommand-andControl,"https://www.
damballa.
com/downloads/r_pubs/WP_BotnetCommunications_Primer.
pdf,2013.
[11]S.
Yadav,A.
K.
K.
Reddy,A.
N.
Reddy,andS.
Ranjan,"DetectingAlgorithmicallyGeneratedMaliciousDomainNames,"Proc.
10thAnn.
Conf.
InternetMeasurement(IMC'10),pp.
48-61,2010.
[12]http://www.
microsoft.
com/security/resources/botnet-whatis.
aspx