approachstealthy
stealthy 时间:2021-01-12 阅读:(
)
ISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4988DEFENDINGSTEALTHYMODEATTACKBYLIVEDETECTIONANDADOPTABLELEARNINGTECHNIQUEMr.
N.
Aravindhu,G.
Vaishnavi,D.
MaheswariSenoirAssistantProfessor,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaStudent,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaStudent,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaABSTRACT:Thisworkemployeescompletestoppingofthebotnetattackmadebybotmaster.
TheattackismadebypassingthecodewordcommentsbyDNSbasedstealthymodecommandandcontrolchannelfromonesystemtoanothersystemtohijacktheserver.
Usuallywecanabletoidentifytheattackonlyaftertheattackhasbeenmadebythebotmaster.
ButbyusingBotnetTrackingTool(BTT)wecankeeptrackofthecodewordbeingused.
TheattackispreventedbymakinguseoftheBotnetTrackingTool(BTT).
Wecontinuouslymonitortheattackmadebythebotmasterandthebots.
Theattackisconcurrentlycheckedinthedatabaseforthepre-definedcodewordandiftheattackhasbeenfounditwouldbestoppedfromfurtherattack.
Ifsupposethenewcodewordisfoundduringtheattackthatcodewordwouldbestoredinthedatabasefutureuseandthenisolatesthem.
Itdoesnotallowuntilaproperauthorizationismadeandclarifiesthemnotasbotmaster.
Keywords:Networksecurity,codewords,DNSsecurity,botnetdetection,botnettrackingtool(BTT),commandandcontrol.
1.
INTRODUCTIONNetworksecuritystartswithauthentication,usuallywithausernameandapassword.
Thisrequiresonedetailauthenticationtheusernameandthepassword—thisisalsocalledasone-factorauthentication.
Withthetwo-factorauthentication-theuserhasused(e.
g.
asecuritytokenordongle,anATMcardoramobilephone);andwith3-factorauthenticationtheuseralsousedfingerprintorretinalscan.
Whenitisauthenticating,afirewallenforcesaccesspoliciessuchastheserviceswhichareallowsthenetworkuserstoaccessthenetwork.
Theeffectivenessofpreventingtheunauthorizedaccess,thiscomponentmayfailtocheckpotentiallyharmfulcontentsuchascomputerwormsorTrojansbeingtransmittedoverthenetwork.
Anti-virussoftwareoranintrusionpreventionsystem(IPS)helpdetectandinhibittheactionofsuchmalware.
Ananomaly-basedintrusiondetectionsystemmayalsomonitorthenetworkandtrafficfornetworkmaybeloggedforauditpurposesandforlaterhigh-levelanalysis.
Communicationbetweentwohostsusinganetworkmaybeencryptedtomaintainprivacy[1].
Ageneralconceptincludingasspecialcasesuchattributesasreliability,availability,safety,integrity,maintainability,etcSecuritybringsinconcernsforconfidentiality,inadditiontoavailabilityandintegrityBasicdefinitionsaregivenfirstTheyarethencommentedupon,andsupplementedbyadditionaldefinitions,whichaddressthethreatstodependabilityandsecurity(faults,errors,failures),theirattributes,andthemeansfortheirachievement(faultprevention,faulttolerance,faultremoval,faultforecasting)Theaimistoexplicateasetofgeneralconcepts,ofrelevanceacrossawiderangeofsituationsand,therefore,helpingcommunicationandcooperationamonganumberofscientificandtechnicalcommunities,includingonesthatareconcentratingonparticulartypesofsystem,ofsystemfailures,orofcausesofsystemfailures[3].
Thetermbotisshortforrobot.
Criminalsdistributemalicioussoftware(alsoknownasmalware)thatcanturnyourcomputerintoabot(alsoknownasazombie).
Whenthisoccurs,yourcomputercanperformautomatedtasksovertheInternet,withoutyouknowingit.
Criminalstypicallyusebotstoinfectlargenumbersofcomputers.
Thesecomputersformanetwork,orabotnet.
Criminalsusebotnetstosendoutspamemailmessages,spreadISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4989viruses,attackcomputersandservers,andcommitotherkindsofcrimeandfraud.
Ifyourcomputerbecomespartofabotnet,yourcomputermightslowdownandyoumightinadvertentlybehelpingcriminals.
2.
RELATEDWORK2.
1FINDINGMALICIOUSDOMAINSUSINGPASSIVEDNSANALYSISInthispaper,weintroduceEXPOSURE,asystemthatemployslarge-scale,passiveDNSanalysistechniquestodetectdomainsthatareinvolvedinmaliciousactivity.
Weuse15featuresthatweextractfromtheDNStrafficthatallowustocharacterizedifferentpropertiesofDNSnamesandthewaysthattheyarequeried.
Ourexperimentswithalarge,real-worlddatasetconsistingof100billionDNSrequests,andareal-lifedeploymentfortwoweeksinanISPshowthatourapproachisscalableandthatweareabletoautomaticallyidentifyunknownmaliciousdomainsthataremisusedinavarietyofmaliciousactivity(suchasforbotnetcommandandcontrol,spamming,andphishing)[4].
2.
2DETECTIONOFDNSANOMALIESUSINGFLOWDATAANALYSISThispaperdescribesalgorithmsusedtomonitoranddetectcertaintypesofattackstotheDNSinfrastructureusingflowdata.
Ourmethodologyisbasedonalgorithmsthatdonotrelyonknownsignatureattackvectors.
Theeffectivenessofoursolutionisillustratedwithrealandsimulatedtrafficexamples.
Inoneexample,wewereabletodetectatunnelingattackwellbeforetheappearanceofpublicreportsofit[5].
3.
EXISTINGSYSTEMInitiallyanattackbythebotmasterismadeandtheaftertheattacktheyhaveidentifiedthatanattackhasbeenmade.
Theyhavecheckedexperimentalevaluationmakesuseofatwo-month-long4.
6-GBcampusnetworkdatasetand1milliondomainnamesobtainedfromalexa.
com.
TheyhaveconcludedthattheDNS-basedstealthycommandand-controlchannel(inparticular,thecodewordmode)canbeverypowerfulforattackers,showingtheneedforfurtherresearchbydefendersinthisdirection.
ThestatisticalanalysisofDNSpayloadasacountermeasurehaspracticallimitationsinhibitingitslargescaledeployment.
inthisdirection.
ThestatisticalanalysisofDNSpayloadasacountermeasurehaspracticallimitationsinhibitingitslargescaledeployment.
Theyhavebeenabletoidentifyitonlyaftertheattackhasbeenmade.
.
Botnetcommand-and-control(C&C)channelusedbybotsandbotmastertocommunicatewitheachother,e.
g.
,forbotstoreceiveattackcommandsandmodifyfrombotmaster,astolendata.
AC&Cchannelforabotnetneedstobereliableone.
ManybotmasterusedtheInternetRelayChatprotocol(IRC)orHTTPserverstosendinformation.
Botnetoperatorscontinuouslyexplorenewstealthycommunicationmechanismstoevadedetection.
HTTP-basedcommandandcontrolisdifficulttodistinguishthelegitimatewebtraffic.
WedonotallowbotstosubmitDNSqueriestoeradicatedetection.
WeonlyallowbotstoeitherpiggybacktheirquerieswithlegitimateDNSqueriesfromtthehost,orfollowaquerydistribution.
OurimplementationusesthePythonModularDNSServer(pymds)andadesignedplug-intorespondtoDNSrequests.
PyMDSimplementsthefullDNSprotocolwhileallowingtheusertoimplementaprogrammaticanddynamicbackendtocreatetheDNSrecordsreturned.
Insteadofreturningrecordsfromastaticfile,PyMDSallowedforthedecodingofcodewordsandthegenerationofappropriateresponses.
Toevaluatethepiggybackquerystrategy,ourdatasetisatwo-month-longnetworktraceobtainedfromauniversityandcollectedwiththeIPAudittool.
Astaticapproachistohaveabotmastercreateanorderedlistofdomainnamesandpackthelistinmalwarecodeforbottolookup,whichissametotheuseofaone-timepasswordpadforauthentication.
Botnetshavebeentousesubdirectoriesfordirectcommunication,However,foraDNS-tunneling-basedchannel,subdirectoryapproachdoesnotapply,asthebotmasterdoesnotrunawebserverandtheISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4990communicationisbasedsolelyondomainnamesystems.
Consideringthatbotnetsoftenusethird-leveldomainsinsteadofsubdirectories,Dagonproposedtousetheratiobetweensecond-leveldomains(SLDs)andthird-leveldomains(3LDs)toidentifybotnettraffic.
DNS-basedstealthymessagingsystemsthatrequiresdeeppacketinspectionandstatisticalanalysis.
Deeppacketinspectionexaminespacketpayloadbeyondthepacketheader.
Specifically,wequantitativelyanalyzetheprobabilitydistributionsof(bot's)DNS-packetcontent.
.
.
3.
1DRAWBACKSINEXISTINGSYSTEMAbletoidentifyabotmasteronlyafteranattackhasbeenmade.
Itcannotpreventorpredictanattacksotheycan'tprotectit.
DidnotcheckitinLive.
BotMastercannotbecaughtredhanded.
4.
PROPOSEDSYSTEMItusesstochasticimplementationofmarkovschainlinkanalysisalgorithmtocorrelatewithhistoryindatabase.
Thismethodisusedtostorethenewattackwhichisdetectedlivelyduringprocessintothedatabase.
AdiscreteMarkovchainmodelcanbedefinedbythetuple.
Scorrespondstothestatespace,Aisamatrixrepresentingtransitionprobabilitiesfromonestatetoanother.
λistheinitialprobabilitydistributionofthestatesinS.
ThefundamentalpropertyofMarkovmodelisthedependencyonthepreviousstate.
Ifthevectors[t]denotestheprobabilityvectorforallthestatesattime't',then:Ifthereare'n'statesinourMarkovchain,thenthematrixoftransitionprobabilitiesAisofsizenxn.
Markovchainscanbeappliedtoweblinksequencemodeling.
Inthisformulation,aMarkovstatecancorrespondtoanyofthefollowing:URI/URLHTTPrequestAction(suchasadatabaseupdate,orsendingemail)ThematrixAcanbeestimatedusingmanymethods.
Withoutlossofgenerality,themaximumlikelihoodprincipleisappliedinthispapertoestimateAandλ.
EachofthematrixA[s,s']canbeestimatedasfollows:C(s,s')isthecountofthenumberoftimess'followssinthetrainingdata.
AlthoughMarkovchainshavebeentraditionallyusedtocharacterizeasymptoticpropertiesofrandomvariables,weutilizethetransitionmatrixtoestimateshort-termlinkpredictions.
AnelementofthematrixA,sayA[s,s']canbeinterpretedastheprobabilityoftransitioningfromstatestos'inonestep.
SimilarlyanelementofA*Awilldenotetheprobabilityoftransitioningfromonestatetoanotherintwosteps,andsoon.
Giventhe"linkhistory"oftheuserL(t-k),L(t-k+1).
.
.
.
L(t-1),wecanrepresenteachlinkasavectorwithaprobability1atthatstateforthattime(denotedbyi(t-k),i(t-k+1).
.
.
i(t-1)).
TheMarkovChainmodelsestimationoftheprobabilityofbeinginastateattime't'isshowninequation4.
TheMarkovianassumptioncanbevariedinavarietyofways.
Inourproblemoflinkprediction,wehavetheuser'shistoryavailable;however,aprobabilityISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4991distributioncanbecreatedaboutwhichofthepreviouslinksare"goodpredictors"ofthenextlink.
ThereforeweproposevaianctsoftheMarkovprocesstoaccommodateweightingofmorethanonehistorystate.
Inthefollowingequations,wecanseetheateachofthepreviouslinksareusedtopredictthefuturelinksandcombinedinavarietyofways.
ItisworthnotingthatratherthancomputeA*Aandhigherpowersofthetransitionmatrix,theseaybedirectlyestimatedusingthetrainingdata.
Inpractice,thestateprobablilityvectors(t)canbenormalizedandthresholdedinordertoselectalistof"probablelinks/stated"thatheuserwillchoose.
4.
1BOTNETTRACKINGTOOLBotnettrackingtoolisimpliedtodetectthebotnetattacklivelyinthenetwork.
Thistoolisusedtoreviewtheprocesswhichisgoingon.
Inthisthedetectionofanyattackwillbedetected.
Itusesmachineadoptablelearningtechniqueforpreventionofforthcomingattacks.
Thismethodisusedtosaycompletelyabouttheattackwhichischeckedwiththedatabasethatitisanattackornot.
Ifitisanattackthenitwillbestoppedfromfurtherprocess.
Ifitisfoundthatitisnotanattackthenitallowsittodotheprocess.
Someofthemostsuccessfuldeeplearningmethodsinvolveartificialneuralnetworks.
DeepLearningNeuralNetworksdatebackatleasttothe1980NeocognitronbyKunihikoFukushima.
Itisinspiredbythe1959biologicalmodelproposedbyNobellaureateDavidH.
Hubel&TorstenWiesel,whofoundtwotypesofcellsinthevisualprimarycortex:simplecellsandcomplexcells.
Manyartificialneuralnetworkscanbeviewedascascadingmodelsofcelltypesinspiredbythesebiologicalobservations.
Withtheadventoftheback-propagationalgorithm,manyresearcherstriedtotrainsuperviseddeepartificialneuralnetworksfromscratch,initiallywithlittlesuccess.
SeppHochreiter'sdiplomathesisof1991formallyidentifiedthereasonforthisfailureinthe"vanishinggradientproblem,"whichnotonlyaffectmany-layeredfeedforwardnetworks,butalsorecurrentneuralnetworks.
Thelatteraretrainedbyunfoldingtheintoverydeepfeedforwardnetworks,whereanewlayeriscreatedforeachtimestepofaninputsequenceprocessedbythenetwork.
Aserrorspropagatefromlayertolayer,theyshrinkexponentiallywiththenumberoflayers.
Toovercomethisproblem,severalmethodswereproposed.
OneisJurgenSchmidhuber'smulti-levelhierarchyofnetworks(1992)pre-trainedonelevelatatimethroughunsupervisedlearning,fine-tunedthroughbackpropagation.
Hereeachlevellearnsacompressedrepresentationoftheobservationsthatisfedtothenextlevel.
Anothermethodisthelongshorttermmemory(LSTM)networkof1997byHochreiter&Schmidhuber.
In2009,deepmultidimensionalLSTMnetworksdemonstratedthepowerofdeeplearningwithmanynonlinearlayers,bywinningthreeICDAR2009competitionsinconnectedhandwritingrecognition,withoutanypriorknowledgeaboutthethreedifferentlanguagestobelearned.
Whathasattractedthemostinterestinneuralnetworksisthepossibilityoflearning.
Givenaspecifictasktosolve,andaclassoffunctionsF,learningmeansusingasetofobservationstofindwhichsolvesthetaskinsomeoptimalsense.
TheentailsdefiningacostfunctionC:F->IRsuchthat,fortheoptimalsolution,-i.
e.
,noISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4992solutionhasacostlessthanthecostoftheoptimalsolution(seeMathematicaloptimization).
ThecostfunctionCisanimportantconceptinlearning,asitisameasureofhowfarawayaparticularsolutionisfromanoptimalsolutiontotheproblemtobesolved.
Learningalgorithmsearchthroughthesolutionspacetofindafunctionthathasthecost.
smallestpossible.
4.
2ADVANTAGESOFPROPOSEDSYSTEMAbletoidentifybotmasterbeforeanattackismade.
CanbeinLiveNetwork.
Trackingtoolcanidentifiesthewholechainofnetworkinvolvedinattack.
Toolcreatedwhichwillisolatethebotmasterandwouldnotbeallowedtobeexecutedatanytime.
5.
CONCLUSIONBotnettrackingtoolexperimentedbygivingattackingcodewordedmessagesthroughthebotsnetworksothatserverwilllivelydetectthestatusofthesystemsthatareincommunicationandthosesystemsalsowillbeundersurveillance.
Databasehistorywillbecomparedwiththecodedmessagessoastopreventanyattackingkeywordssenttoanysecureddatabase.
Itdynamicallyupdatesthecurrentattacktakesplacebylearningthenewtechniqueapplied.
5.
ACKNOWLEDGMENTSOurthankstotheexpertswhohavecontributedtowardsdevelopmentofthetemplate.
REFERENCES[1]http://en.
wikipedia.
org/wiki/Network_securityDing,W.
andMarchionini,G.
1997AStudyonVideoBrowsingStrategies.
TechnicalReport.
UniversityofMarylandatCollegePark.
[2]http://dl.
acm.
org/citation.
cfmid=1026492Tavel,P.
2007ModelingandSimulationDesign.
AKPetersLtd.
[3]http://65.
54.
113.
26/Publication/1436760Forman,G.
2003.
Anextensiveempiricalstudyoffeatureselectionmetricsfortextclassification.
J.
Mach.
Learn.
Res.
3(Mar.
2003),1289-1305.
[4]L.
Bilge,E.
Kirda,C.
Kruegel,andM.
Balduzzi,"Exposure:FindingMaliciousDomainsUsingPassiveDNSAnalysis,"Proc.
18thAnn.
NetworkandDistributedSystemSecuritySymp.
(NDSS),Feb.
2011.
[5]A.
Karasaridis,K.
S.
Meier-Hellstern,andD.
A.
Hoeflin,"DetectionofDNSAnomaliesUsingFlowDataAnalysis,"Proc.
IEEEGlobeCom,2006.
[6]C.
J.
Dietrich,C.
Rossow,F.
C.
Freiling,H.
Bos,M.
vanSteen,andN.
Pohlmann,"OnBotnetsthatUseDNSforCommandandControl,"Proc.
EuropeanConf.
ComputerNetworkDefense,Sept.
2011.
[7]E.
Kartaltepe,J.
Morales,S.
Xu,andR.
Sandhu,"SocialNetwork-BasedBotnetCommand-and-Control:EmergingThreatsandCountermeasures,"Proc.
EighthInt'lConf.
AppliedCryptographyandNetworkSecurity(ACNS).
[8]S.
Yadav,A.
K.
K.
Reddy,A.
N.
Reddy,andS.
Ranjan,"DetectingAlgorithmicallyGeneratedMaliciousDomainNames,"Proc.
10thAnn.
Conf.
InternetMeasurement(IMC'10).
[9]P.
Butler,K.
Xu,andD.
Yao,"QuantitativelyAnalyzingStealthyCommunicationChannels,"Proc.
NinthInt'lConf.
AppliedCryptographyandNetworkSecurity(ACNS'11).
[10]G.
Ollmann,"BotnetCommunicationTopologies:UnderstandingtheIntricaciesofBotnetCommand-andControl,"https://www.
damballa.
com/downloads/r_pubs/WP_BotnetCommunications_Primer.
pdf,2013.
[11]S.
Yadav,A.
K.
K.
Reddy,A.
N.
Reddy,andS.
Ranjan,"DetectingAlgorithmicallyGeneratedMaliciousDomainNames,"Proc.
10thAnn.
Conf.
InternetMeasurement(IMC'10),pp.
48-61,2010.
[12]http://www.
microsoft.
com/security/resources/botnet-whatis.
aspx
Digital-vm是一家成立于2019年的国外主机商,商家提供VPS和独立服务器租用业务,其中VPS基于KVM架构,提供1-10Gbps带宽,数据中心可选包括美国洛杉矶、日本、新加坡、挪威、西班牙、丹麦、荷兰、英国等8个地区机房;除了VPS主机外,商家还提供日本、新加坡独立服务器,同样可选1-10Gbps带宽,最低每月仅80美元起。下面列出两款独立服务器配置信息。配置一 $80/月CPU:E3-...
搬瓦工今天正式对外开卖荷兰阿姆斯特丹机房走联通AS9929高端线路的VPS,官方标注为“NL - China Unicom Amsterdam(ENUL_9)”,三网都走联通高端网络,即使是在欧洲,国内访问也就是飞快。搬瓦工的依旧是10Gbps带宽,可以在美国cn2 gia、日本软银与荷兰AS9929之间免费切换。官方网站:https://bwh81.net优惠码:BWH3HYATVBJW,节约6...
Digital-VM商家的暑期活动促销,这个商家提供有多个数据中心独立服务器、VPS主机产品。最低配置月付80美元,支持带宽、流量和IP的自定义配置。Digital-VM,是2019年新成立的商家,主要从事日本东京、新加坡、美国洛杉矶、荷兰阿姆斯特丹、西班牙马德里、挪威奥斯陆、丹麦哥本哈根数据中心的KVM架构VPS产品销售,分为大硬盘型(1Gbps带宽端口、分配较大的硬盘)和大带宽型(10Gbps...
stealthy为你推荐
虚拟主机价格谁知道虚拟主机的价格?免费虚拟主机空间请问哪里有:免费一级域名申请,免费虚拟主机,免费空间虚拟空间哪个好虚拟主机哪家的最好?网站空间商网站空间商的选择??虚拟主机管理系统虚拟主机管理系统那一家好?下载虚拟主机虚拟机怎么使用和下载虚拟主机试用30天虚拟主机返佣是怎么回事?中文域名中文域名的概念?花生壳域名用花生壳可申请免费域名吗?域名信息查询有哪些官网可查询 域名信息比较全?
中国互联网域名注册 动态域名解析 香港vps99idc 全球付 免费ftp空间 100m空间 老左正传 空间合租 太原网通测速平台 东莞服务器 个人免费主页 环聊 域名与空间 东莞idc 下载速度测试 广州虚拟主机 百度云空间 闪讯网 hdroad 七十九刀 更多