
stealthy  Date: 2021-01-12
ISSN (Print): 2319-5940 ISSN (Online): 2278-1021
International Journal of Advanced Research in Computer and Communication Engineering
Vol. 3, Issue 1, January 2014
Copyright to IJARCCE www.ijarcce.com 4988

DEFENDING STEALTHY MODE ATTACK BY LIVE DETECTION AND ADOPTABLE LEARNING TECHNIQUE

Mr. N. Aravindhu, G. Vaishnavi, D. Maheswari
Senior Assistant Professor, CSE, Christ College of Engineering & Technology, Puducherry, India
Student, CSE, Christ College of Engineering & Technology, Puducherry, India
Student, CSE, Christ College of Engineering & Technology, Puducherry, India

ABSTRACT: This work aims at completely stopping the botnet attack made by a botmaster. The attack is made by passing codeword comments over a DNS-based stealthy-mode command and control channel from one system to another in order to hijack the server. Usually we are able to identify the attack only after it has been made by the botmaster. By using the Botnet Tracking Tool (BTT), however, we can keep track of the codeword being used. The attack is prevented by making use of the Botnet Tracking Tool (BTT). We continuously monitor the attack made by the botmaster and the bots. The attack is concurrently checked against the database for the pre-defined codeword, and if the attack is found it is stopped from proceeding further. If a new codeword is found during the attack, that codeword is stored in the database for future use and the tool then isolates them. It does not allow them until a proper authorization is made that clarifies they are not a botmaster.

Keywords: Network security, codewords, DNS security, botnet detection, botnet tracking tool (BTT), command and control.
1. INTRODUCTION

Network security starts with authentication, usually with a username and a password. This requires one detail for authentication, the username and the password; this is also called one-factor authentication. With two-factor authentication, something the user has is also used (e.g. a security token or dongle, an ATM card or a mobile phone); and with three-factor authentication, the user's fingerprint or retinal scan is also used. Once the user is authenticated, a firewall enforces access policies such as which services the network users are allowed to access. Though effective in preventing unauthorized access, this component may fail to check potentially harmful content such as computer worms or Trojans being transmitted over the network. Anti-virus software or an intrusion prevention system (IPS) helps detect and inhibit the action of such malware. An anomaly-based intrusion detection system may also monitor the network, and traffic may be logged for audit purposes and for later high-level analysis. Communication between two hosts using a network may be encrypted to maintain privacy [1].

A general concept including as special case such attributes as reliability, availability, safety, integrity, maintainability, etc. Security brings in concerns for confidentiality, in addition to availability and integrity. Basic definitions are given first. They are then commented upon, and supplemented by additional definitions, which address the threats to dependability and security (faults, errors, failures), their attributes, and the means for their achievement (fault prevention, fault tolerance, fault removal, fault forecasting). The aim is to explicate a set of general concepts, of relevance across a wide range of situations and, therefore, helping communication and cooperation among a number of scientific and technical communities, including ones that are concentrating on particular types of system, of system failures, or of causes of system failures [3].

The term bot is short for robot. Criminals distribute malicious software (also known as malware) that can turn your computer into a bot (also known as a zombie). When this occurs, your computer can perform automated tasks over the Internet, without you knowing it. Criminals typically use bots to infect large numbers of computers. These computers form a network, or a botnet. Criminals use botnets to send out spam email messages, spread viruses, attack computers and servers, and commit other kinds of crime and fraud. If your computer becomes part of a botnet, your computer might slow down and you might inadvertently be helping criminals.

2. RELATED WORK

2.1 FINDING MALICIOUS DOMAINS USING PASSIVE DNS ANALYSIS

In this paper, we introduce EXPOSURE, a system that employs large-scale, passive DNS analysis techniques to detect domains that are involved in malicious activity. We use 15 features that we extract from the DNS traffic that allow us to characterize different properties of DNS names and the ways that they are queried. Our experiments with a large, real-world data set consisting of 100 billion DNS requests, and a real-life deployment for two weeks in an ISP show that our approach is scalable and that we are able to automatically identify unknown malicious domains that are misused in a variety of malicious activity (such as for botnet command and control, spamming, and phishing) [4].

2.2 DETECTION OF DNS ANOMALIES USING FLOW DATA ANALYSIS

This paper describes algorithms used to monitor and detect certain types of attacks to the DNS infrastructure using flow data. Our methodology is based on algorithms that do not rely on known signature attack vectors. The effectiveness of our solution is illustrated with real and simulated traffic examples. In one example, we were able to detect a tunneling attack well before the appearance of public reports of it [5].

3. EXISTING SYSTEM

Initially an attack by the botmaster is made, and only after the attack have they identified that an attack has been made. Their experimental evaluation makes use of a two-month-long 4.6-GB campus network data set and 1 million domain names obtained from alexa.com. They have concluded that the DNS-based stealthy command-and-control channel (in particular, the codeword mode) can be very powerful for attackers, showing the need for further research by defenders in this direction. The statistical analysis of DNS payload as a countermeasure has practical limitations inhibiting its large-scale deployment. They have been able to identify it only after the attack has been made.

A botnet command-and-control (C&C) channel is used by bots and the botmaster to communicate with each other, e.g., for bots to receive attack commands and modifications from the botmaster, and for stolen data. A C&C channel for a botnet needs to be reliable. Many botmasters have used the Internet Relay Chat protocol (IRC) or HTTP servers to send information. Botnet operators continuously explore new stealthy communication mechanisms to evade detection. HTTP-based command and control is difficult to distinguish from legitimate web traffic.

We do not allow bots to submit DNS queries to eradicate detection. We only allow bots to either piggyback their queries with legitimate DNS queries from the host, or follow a query distribution. Our implementation uses the Python Modular DNS Server (pymds) and a designed plug-in to respond to DNS requests. PyMDS implements the full DNS protocol while allowing the user to implement a programmatic and dynamic backend to create the DNS records returned. Instead of returning records from a static file, PyMDS allowed for the decoding of codewords and the generation of appropriate responses. To evaluate the piggyback query strategy, our data set is a two-month-long network trace obtained from a university and collected with the IPAudit tool.

A static approach is to have a botmaster create an ordered list of domain names and pack the list in malware code for the bot to look up, which is similar to the use of a one-time password pad for authentication. Botnets have used subdirectories for direct communication. However, for a DNS-tunneling-based channel, the subdirectory approach does not apply, as the botmaster does not run a web server and the communication is based solely on domain name systems. Considering that botnets often use third-level domains instead of subdirectories, Dagon proposed to use the ratio between second-level domains (SLDs) and third-level domains (3LDs) to identify botnet traffic.

DNS-based stealthy messaging systems that requires deep packet inspection and statistical analysis. Deep packet inspection examines packet payload beyond the packet header. Specifically, we quantitatively analyze the probability distributions of (bot's) DNS-packet content.

3.1 DRAWBACKS IN EXISTING SYSTEM

Able to identify a botmaster only after an attack has been made.
It cannot prevent or predict an attack, so they can't protect it.
Did not check it live.
Botmaster cannot be caught red-handed.

4. PROPOSED SYSTEM

It uses a stochastic implementation of the Markov chain link analysis algorithm to correlate with the history in the database. This method is used to store a new attack, detected live during processing, into the database.

A discrete Markov chain model can be defined by the tuple. S corresponds to the state space, A is a matrix representing transition probabilities from one state to another. λ is the initial probability distribution of the states in S. The fundamental property of the Markov model is the dependency on the previous state. If the vector s[t] denotes the probability vector for all the states at time 't', then:

If there are 'n' states in our Markov chain, then the matrix of transition probabilities A is of size n x n. Markov chains can be applied to web link sequence modeling. In this formulation, a Markov state can correspond to any of the following:

URI/URL
HTTP request
Action (such as a database update, or sending email)

The matrix A can be estimated using many methods. Without loss of generality, the maximum likelihood principle is applied in this paper to estimate A and λ. Each element of the matrix A[s,s'] can be estimated as follows:

C(s,s') is the count of the number of times s' follows s in the training data. Although Markov chains have been traditionally used to characterize asymptotic properties of random variables, we utilize the transition matrix to estimate short-term link predictions. An element of the matrix A, say A[s,s'], can be interpreted as the probability of transitioning from state s to s' in one step. Similarly an element of A*A will denote the probability of transitioning from one state to another in two steps, and so on. Given the "link history" of the user L(t-k), L(t-k+1), ..., L(t-1), we can represent each link as a vector with a probability 1 at that state for that time (denoted by i(t-k), i(t-k+1), ..., i(t-1)). The Markov chain model's estimation of the probability of being in a state at time 't' is shown in equation 4.

The Markovian assumption can be varied in a variety of ways. In our problem of link prediction, we have the user's history available; however, a probability distribution can be created about which of the previous links are "good predictors" of the next link. Therefore we propose variants of the Markov process to accommodate weighting of more than one history state. In the following equations, we can see that each of the previous links is used to predict the future links, and that they are combined in a variety of ways. It is worth noting that rather than compute A*A and higher powers of the transition matrix, these may be directly estimated using the training data. In practice, the state probability vector s(t) can be normalized and thresholded in order to select a list of "probable links/states" that the user will choose.
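
The estimation and prediction steps described in this section, as an added example that is not code from the paper. The paper's equations did not survive on this page, so the standard forms are assumed here: A[s][s'] = C(s,s') divided by the sum of C(s,·), one step as a vector-matrix product, and the weighted-history variant as the sum over k of w_k · i(t-k) · A^k; the state names, weights and threshold are constructed.

```python
from collections import Counter, defaultdict

# Constructed training histories (not data from the paper): each list is one
# session's ordered states, of the kinds the text lists (requests, actions).
HISTORY = [
    ["login", "search", "view", "db_update"],
    ["login", "view", "db_update", "send_email"],
    ["login", "search", "view", "send_email"],
    ["search", "view", "db_update"],
]

def estimate(sequences):
    """Maximum-likelihood estimates of lambda and A (assumed standard forms)."""
    counts = defaultdict(Counter)                  # counts[s][s2] = C(s, s2)
    for seq in sequences:
        for s, s2 in zip(seq, seq[1:]):
            counts[s][s2] += 1
    states = sorted({s for seq in sequences for s in seq})
    first = Counter(seq[0] for seq in sequences)
    lam = {s: first[s] / len(sequences) for s in states}   # initial distribution
    A = {}
    for s in states:
        row_total = sum(counts[s].values())        # 0 for states never left
        A[s] = {s2: counts[s][s2] / row_total if row_total else 0.0
                for s2 in states}
    return lam, A

def step(vec, A):
    """One Markov step: the row vector vec multiplied by A."""
    return {s2: sum(vec[s] * A[s][s2] for s in A) for s2 in A}

def predict(history, A, weights, threshold=0.2):
    """Weight the last len(weights) history states, then normalise and
    threshold to list the probable next states with their probabilities."""
    total = dict.fromkeys(A, 0.0)
    for k, w in enumerate(weights[:len(history)], start=1):
        vec = {s: float(s == history[-k]) for s in A}      # indicator i(t-k)
        for _ in range(k):                                 # i(t-k) * A^k
            vec = step(vec, A)
        for s in A:
            total[s] += w * vec[s]
    norm = sum(total.values())
    if norm == 0:                                  # no observed successors
        return []
    ranked = sorted(((p / norm, s) for s, p in total.items()), reverse=True)
    return [(s, round(p, 3)) for p, s in ranked if p >= threshold]

LAM, A = estimate(HISTORY)
```

A state that is never followed by another in the training data gets an all-zero row, so a history ending there yields an empty prediction list rather than a division error.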

4.1 BOTNET TRACKING TOOL

The botnet tracking tool is used to detect the botnet attack live in the network. This tool is used to review the process which is going on. In this way any attack will be detected. It uses a machine adoptable learning technique for prevention of forthcoming attacks. This method is used to describe the attack completely; it is checked against the database to determine whether it is an attack or not. If it is an attack then it will be stopped from further processing. If it is found that it is not an attack then it is allowed to carry out the process.

Some of the most successful deep learning methods involve artificial neural networks. Deep Learning Neural Networks date back at least to the 1980 Neocognitron by Kunihiko Fukushima. It is inspired by the 1959 biological model proposed by Nobel laureates David H. Hubel & Torsten Wiesel, who found two types of cells in the visual primary cortex: simple cells and complex cells. Many artificial neural networks can be viewed as cascading models of cell types inspired by these biological observations.

With the advent of the back-propagation algorithm, many researchers tried to train supervised deep artificial neural networks from scratch, initially with little success. Sepp Hochreiter's diploma thesis of 1991 formally identified the reason for this failure in the "vanishing gradient problem," which not only affects many-layered feedforward networks, but also recurrent neural networks. The latter are trained by unfolding them into very deep feedforward networks, where a new layer is created for each time step of an input sequence processed by the network. As errors propagate from layer to layer, they shrink exponentially with the number of layers.

To overcome this problem, several methods were proposed. One is Jurgen Schmidhuber's multi-level hierarchy of networks (1992), pre-trained one level at a time through unsupervised learning and fine-tuned through backpropagation. Here each level learns a compressed representation of the observations that is fed to the next level. Another method is the long short term memory (LSTM) network of 1997 by Hochreiter & Schmidhuber. In 2009, deep multidimensional LSTM networks demonstrated the power of deep learning with many nonlinear layers, by winning three ICDAR 2009 competitions in connected handwriting recognition, without any prior knowledge about the three different languages to be learned.

What has attracted the most interest in neural networks is the possibility of learning. Given a specific task to solve, and a class of functions F, learning means using a set of observations to find which solves the task in some optimal sense. This entails defining a cost function C: F -> ℝ such that, for the optimal solution, - i.e., no solution has a cost less than the cost of the optimal solution (see Mathematical optimization). The cost function C is an important concept in learning, as it is a measure of how far away a particular solution is from an optimal solution to the problem to be solved. Learning algorithms search through the solution space to find a function that has the smallest possible cost.

4.2 ADVANTAGES OF PROPOSED SYSTEM

Able to identify the botmaster before an attack is made.
Can be in a live network.
The tracking tool can identify the whole chain of the network involved in the attack.
A tool is created which will isolate the botmaster, who would not be allowed to execute at any time.

5. CONCLUSION

The botnet tracking tool was experimented with by sending attacking codeworded messages through the bot network, so that the server detects live the status of the systems that are in communication, and those systems are also kept under surveillance. The database history is compared with the coded messages so as to prevent any attacking keywords being sent to any secured database. It dynamically updates itself with the attack currently taking place by learning the new technique applied.

5. ACKNOWLEDGMENTS

Our thanks to the experts who have contributed towards development of the template.

REFERENCES

[1] http://en.wikipedia.org/wiki/Network_security Ding, W. and Marchionini, G. 1997 A Study on Video Browsing Strategies. Technical Report. University of Maryland at College Park.
[2] http://dl.acm.org/citation.cfmid=1026492 Tavel, P. 2007 Modeling and Simulation Design. AK Peters Ltd.
[3] http://65.54.113.26/Publication/1436760 Forman, G. 2003. An extensive empirical study of feature selection metrics for text classification. J. Mach. Learn. Res. 3 (Mar. 2003), 1289-1305.
[4] L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi, "Exposure: Finding Malicious Domains Using Passive DNS Analysis," Proc. 18th Ann. Network and Distributed System Security Symp. (NDSS), Feb. 2011.
[5] A. Karasaridis, K.S. Meier-Hellstern, and D.A. Hoeflin, "Detection of DNS Anomalies Using Flow Data Analysis," Proc. IEEE GlobeCom, 2006.
[6] C.J. Dietrich, C. Rossow, F.C. Freiling, H. Bos, M. van Steen, and N. Pohlmann, "On Botnets that Use DNS for Command and Control," Proc. European Conf. Computer Network Defense, Sept. 2011.
[7] E. Kartaltepe, J. Morales, S. Xu, and R. Sandhu, "Social Network-Based Botnet Command-and-Control: Emerging Threats and Countermeasures," Proc. Eighth Int'l Conf. Applied Cryptography and Network Security (ACNS).
[8] S. Yadav, A.K.K. Reddy, A.N. Reddy, and S. Ranjan, "Detecting Algorithmically Generated Malicious Domain Names," Proc. 10th Ann. Conf. Internet Measurement (IMC '10).
[9] P. Butler, K. Xu, and D. Yao, "Quantitatively Analyzing Stealthy Communication Channels," Proc. Ninth Int'l Conf. Applied Cryptography and Network Security (ACNS '11).
[10] G. Ollmann, "Botnet Communication Topologies: Understanding the Intricacies of Botnet Command-and-Control," https://www.damballa.com/downloads/r_pubs/WP_BotnetCommunications_Primer.pdf, 2013.
[11] S. Yadav, A.K.K. Reddy, A.N. Reddy, and S. Ranjan, "Detecting Algorithmically Generated Malicious Domain Names," Proc. 10th Ann. Conf. Internet Measurement (IMC '10), pp. 48-61, 2010.
[12] http://www.microsoft.com/security/resources/botnet-whatis.aspx
