approachstealthy

stealthy  时间:2021-01-12  阅读:()
ISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4988DEFENDINGSTEALTHYMODEATTACKBYLIVEDETECTIONANDADOPTABLELEARNINGTECHNIQUEMr.
N.
Aravindhu,G.
Vaishnavi,D.
MaheswariSenoirAssistantProfessor,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaStudent,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaStudent,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaABSTRACT:Thisworkemployeescompletestoppingofthebotnetattackmadebybotmaster.
TheattackismadebypassingthecodewordcommentsbyDNSbasedstealthymodecommandandcontrolchannelfromonesystemtoanothersystemtohijacktheserver.
Usuallywecanabletoidentifytheattackonlyaftertheattackhasbeenmadebythebotmaster.
ButbyusingBotnetTrackingTool(BTT)wecankeeptrackofthecodewordbeingused.
TheattackispreventedbymakinguseoftheBotnetTrackingTool(BTT).
Wecontinuouslymonitortheattackmadebythebotmasterandthebots.
Theattackisconcurrentlycheckedinthedatabaseforthepre-definedcodewordandiftheattackhasbeenfounditwouldbestoppedfromfurtherattack.
Ifsupposethenewcodewordisfoundduringtheattackthatcodewordwouldbestoredinthedatabasefutureuseandthenisolatesthem.
Itdoesnotallowuntilaproperauthorizationismadeandclarifiesthemnotasbotmaster.
Keywords:Networksecurity,codewords,DNSsecurity,botnetdetection,botnettrackingtool(BTT),commandandcontrol.
1.
INTRODUCTIONNetworksecuritystartswithauthentication,usuallywithausernameandapassword.
Thisrequiresonedetailauthenticationtheusernameandthepassword—thisisalsocalledasone-factorauthentication.
Withthetwo-factorauthentication-theuserhasused(e.
g.
asecuritytokenordongle,anATMcardoramobilephone);andwith3-factorauthenticationtheuseralsousedfingerprintorretinalscan.
Whenitisauthenticating,afirewallenforcesaccesspoliciessuchastheserviceswhichareallowsthenetworkuserstoaccessthenetwork.
Theeffectivenessofpreventingtheunauthorizedaccess,thiscomponentmayfailtocheckpotentiallyharmfulcontentsuchascomputerwormsorTrojansbeingtransmittedoverthenetwork.
Anti-virussoftwareoranintrusionpreventionsystem(IPS)helpdetectandinhibittheactionofsuchmalware.
Ananomaly-basedintrusiondetectionsystemmayalsomonitorthenetworkandtrafficfornetworkmaybeloggedforauditpurposesandforlaterhigh-levelanalysis.
Communicationbetweentwohostsusinganetworkmaybeencryptedtomaintainprivacy[1].
Ageneralconceptincludingasspecialcasesuchattributesasreliability,availability,safety,integrity,maintainability,etcSecuritybringsinconcernsforconfidentiality,inadditiontoavailabilityandintegrityBasicdefinitionsaregivenfirstTheyarethencommentedupon,andsupplementedbyadditionaldefinitions,whichaddressthethreatstodependabilityandsecurity(faults,errors,failures),theirattributes,andthemeansfortheirachievement(faultprevention,faulttolerance,faultremoval,faultforecasting)Theaimistoexplicateasetofgeneralconcepts,ofrelevanceacrossawiderangeofsituationsand,therefore,helpingcommunicationandcooperationamonganumberofscientificandtechnicalcommunities,includingonesthatareconcentratingonparticulartypesofsystem,ofsystemfailures,orofcausesofsystemfailures[3].
Thetermbotisshortforrobot.
Criminalsdistributemalicioussoftware(alsoknownasmalware)thatcanturnyourcomputerintoabot(alsoknownasazombie).
Whenthisoccurs,yourcomputercanperformautomatedtasksovertheInternet,withoutyouknowingit.
Criminalstypicallyusebotstoinfectlargenumbersofcomputers.
Thesecomputersformanetwork,orabotnet.
Criminalsusebotnetstosendoutspamemailmessages,spreadISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4989viruses,attackcomputersandservers,andcommitotherkindsofcrimeandfraud.
Ifyourcomputerbecomespartofabotnet,yourcomputermightslowdownandyoumightinadvertentlybehelpingcriminals.
2.
RELATEDWORK2.
1FINDINGMALICIOUSDOMAINSUSINGPASSIVEDNSANALYSISInthispaper,weintroduceEXPOSURE,asystemthatemployslarge-scale,passiveDNSanalysistechniquestodetectdomainsthatareinvolvedinmaliciousactivity.
Weuse15featuresthatweextractfromtheDNStrafficthatallowustocharacterizedifferentpropertiesofDNSnamesandthewaysthattheyarequeried.
Ourexperimentswithalarge,real-worlddatasetconsistingof100billionDNSrequests,andareal-lifedeploymentfortwoweeksinanISPshowthatourapproachisscalableandthatweareabletoautomaticallyidentifyunknownmaliciousdomainsthataremisusedinavarietyofmaliciousactivity(suchasforbotnetcommandandcontrol,spamming,andphishing)[4].
2.
2DETECTIONOFDNSANOMALIESUSINGFLOWDATAANALYSISThispaperdescribesalgorithmsusedtomonitoranddetectcertaintypesofattackstotheDNSinfrastructureusingflowdata.
Ourmethodologyisbasedonalgorithmsthatdonotrelyonknownsignatureattackvectors.
Theeffectivenessofoursolutionisillustratedwithrealandsimulatedtrafficexamples.
Inoneexample,wewereabletodetectatunnelingattackwellbeforetheappearanceofpublicreportsofit[5].
3.
EXISTINGSYSTEMInitiallyanattackbythebotmasterismadeandtheaftertheattacktheyhaveidentifiedthatanattackhasbeenmade.
Theyhavecheckedexperimentalevaluationmakesuseofatwo-month-long4.
6-GBcampusnetworkdatasetand1milliondomainnamesobtainedfromalexa.
com.
TheyhaveconcludedthattheDNS-basedstealthycommandand-controlchannel(inparticular,thecodewordmode)canbeverypowerfulforattackers,showingtheneedforfurtherresearchbydefendersinthisdirection.
ThestatisticalanalysisofDNSpayloadasacountermeasurehaspracticallimitationsinhibitingitslargescaledeployment.
inthisdirection.
ThestatisticalanalysisofDNSpayloadasacountermeasurehaspracticallimitationsinhibitingitslargescaledeployment.
Theyhavebeenabletoidentifyitonlyaftertheattackhasbeenmade.
.
Botnetcommand-and-control(C&C)channelusedbybotsandbotmastertocommunicatewitheachother,e.
g.
,forbotstoreceiveattackcommandsandmodifyfrombotmaster,astolendata.
AC&Cchannelforabotnetneedstobereliableone.
ManybotmasterusedtheInternetRelayChatprotocol(IRC)orHTTPserverstosendinformation.
Botnetoperatorscontinuouslyexplorenewstealthycommunicationmechanismstoevadedetection.
HTTP-basedcommandandcontrolisdifficulttodistinguishthelegitimatewebtraffic.
WedonotallowbotstosubmitDNSqueriestoeradicatedetection.
WeonlyallowbotstoeitherpiggybacktheirquerieswithlegitimateDNSqueriesfromtthehost,orfollowaquerydistribution.
OurimplementationusesthePythonModularDNSServer(pymds)andadesignedplug-intorespondtoDNSrequests.
PyMDSimplementsthefullDNSprotocolwhileallowingtheusertoimplementaprogrammaticanddynamicbackendtocreatetheDNSrecordsreturned.
Insteadofreturningrecordsfromastaticfile,PyMDSallowedforthedecodingofcodewordsandthegenerationofappropriateresponses.
Toevaluatethepiggybackquerystrategy,ourdatasetisatwo-month-longnetworktraceobtainedfromauniversityandcollectedwiththeIPAudittool.
Astaticapproachistohaveabotmastercreateanorderedlistofdomainnamesandpackthelistinmalwarecodeforbottolookup,whichissametotheuseofaone-timepasswordpadforauthentication.
Botnetshavebeentousesubdirectoriesfordirectcommunication,However,foraDNS-tunneling-basedchannel,subdirectoryapproachdoesnotapply,asthebotmasterdoesnotrunawebserverandtheISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4990communicationisbasedsolelyondomainnamesystems.
Consideringthatbotnetsoftenusethird-leveldomainsinsteadofsubdirectories,Dagonproposedtousetheratiobetweensecond-leveldomains(SLDs)andthird-leveldomains(3LDs)toidentifybotnettraffic.
DNS-basedstealthymessagingsystemsthatrequiresdeeppacketinspectionandstatisticalanalysis.
Deeppacketinspectionexaminespacketpayloadbeyondthepacketheader.
Specifically,wequantitativelyanalyzetheprobabilitydistributionsof(bot's)DNS-packetcontent.
.
.
3.
1DRAWBACKSINEXISTINGSYSTEMAbletoidentifyabotmasteronlyafteranattackhasbeenmade.
Itcannotpreventorpredictanattacksotheycan'tprotectit.
DidnotcheckitinLive.
BotMastercannotbecaughtredhanded.
4.
PROPOSEDSYSTEMItusesstochasticimplementationofmarkovschainlinkanalysisalgorithmtocorrelatewithhistoryindatabase.
Thismethodisusedtostorethenewattackwhichisdetectedlivelyduringprocessintothedatabase.
AdiscreteMarkovchainmodelcanbedefinedbythetuple.
Scorrespondstothestatespace,Aisamatrixrepresentingtransitionprobabilitiesfromonestatetoanother.
λistheinitialprobabilitydistributionofthestatesinS.
ThefundamentalpropertyofMarkovmodelisthedependencyonthepreviousstate.
Ifthevectors[t]denotestheprobabilityvectorforallthestatesattime't',then:Ifthereare'n'statesinourMarkovchain,thenthematrixoftransitionprobabilitiesAisofsizenxn.
Markovchainscanbeappliedtoweblinksequencemodeling.
Inthisformulation,aMarkovstatecancorrespondtoanyofthefollowing:URI/URLHTTPrequestAction(suchasadatabaseupdate,orsendingemail)ThematrixAcanbeestimatedusingmanymethods.
Withoutlossofgenerality,themaximumlikelihoodprincipleisappliedinthispapertoestimateAandλ.
EachofthematrixA[s,s']canbeestimatedasfollows:C(s,s')isthecountofthenumberoftimess'followssinthetrainingdata.
AlthoughMarkovchainshavebeentraditionallyusedtocharacterizeasymptoticpropertiesofrandomvariables,weutilizethetransitionmatrixtoestimateshort-termlinkpredictions.
AnelementofthematrixA,sayA[s,s']canbeinterpretedastheprobabilityoftransitioningfromstatestos'inonestep.
SimilarlyanelementofA*Awilldenotetheprobabilityoftransitioningfromonestatetoanotherintwosteps,andsoon.
Giventhe"linkhistory"oftheuserL(t-k),L(t-k+1).
.
.
.
L(t-1),wecanrepresenteachlinkasavectorwithaprobability1atthatstateforthattime(denotedbyi(t-k),i(t-k+1).
.
.
i(t-1)).
TheMarkovChainmodelsestimationoftheprobabilityofbeinginastateattime't'isshowninequation4.
TheMarkovianassumptioncanbevariedinavarietyofways.
Inourproblemoflinkprediction,wehavetheuser'shistoryavailable;however,aprobabilityISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4991distributioncanbecreatedaboutwhichofthepreviouslinksare"goodpredictors"ofthenextlink.
ThereforeweproposevaianctsoftheMarkovprocesstoaccommodateweightingofmorethanonehistorystate.
Inthefollowingequations,wecanseetheateachofthepreviouslinksareusedtopredictthefuturelinksandcombinedinavarietyofways.
ItisworthnotingthatratherthancomputeA*Aandhigherpowersofthetransitionmatrix,theseaybedirectlyestimatedusingthetrainingdata.
Inpractice,thestateprobablilityvectors(t)canbenormalizedandthresholdedinordertoselectalistof"probablelinks/stated"thatheuserwillchoose.
4.
1BOTNETTRACKINGTOOLBotnettrackingtoolisimpliedtodetectthebotnetattacklivelyinthenetwork.
Thistoolisusedtoreviewtheprocesswhichisgoingon.
Inthisthedetectionofanyattackwillbedetected.
Itusesmachineadoptablelearningtechniqueforpreventionofforthcomingattacks.
Thismethodisusedtosaycompletelyabouttheattackwhichischeckedwiththedatabasethatitisanattackornot.
Ifitisanattackthenitwillbestoppedfromfurtherprocess.
Ifitisfoundthatitisnotanattackthenitallowsittodotheprocess.
Someofthemostsuccessfuldeeplearningmethodsinvolveartificialneuralnetworks.
DeepLearningNeuralNetworksdatebackatleasttothe1980NeocognitronbyKunihikoFukushima.
Itisinspiredbythe1959biologicalmodelproposedbyNobellaureateDavidH.
Hubel&TorstenWiesel,whofoundtwotypesofcellsinthevisualprimarycortex:simplecellsandcomplexcells.
Manyartificialneuralnetworkscanbeviewedascascadingmodelsofcelltypesinspiredbythesebiologicalobservations.
Withtheadventoftheback-propagationalgorithm,manyresearcherstriedtotrainsuperviseddeepartificialneuralnetworksfromscratch,initiallywithlittlesuccess.
SeppHochreiter'sdiplomathesisof1991formallyidentifiedthereasonforthisfailureinthe"vanishinggradientproblem,"whichnotonlyaffectmany-layeredfeedforwardnetworks,butalsorecurrentneuralnetworks.
Thelatteraretrainedbyunfoldingtheintoverydeepfeedforwardnetworks,whereanewlayeriscreatedforeachtimestepofaninputsequenceprocessedbythenetwork.
Aserrorspropagatefromlayertolayer,theyshrinkexponentiallywiththenumberoflayers.
Toovercomethisproblem,severalmethodswereproposed.
OneisJurgenSchmidhuber'smulti-levelhierarchyofnetworks(1992)pre-trainedonelevelatatimethroughunsupervisedlearning,fine-tunedthroughbackpropagation.
Hereeachlevellearnsacompressedrepresentationoftheobservationsthatisfedtothenextlevel.
Anothermethodisthelongshorttermmemory(LSTM)networkof1997byHochreiter&Schmidhuber.
In2009,deepmultidimensionalLSTMnetworksdemonstratedthepowerofdeeplearningwithmanynonlinearlayers,bywinningthreeICDAR2009competitionsinconnectedhandwritingrecognition,withoutanypriorknowledgeaboutthethreedifferentlanguagestobelearned.
Whathasattractedthemostinterestinneuralnetworksisthepossibilityoflearning.
Givenaspecifictasktosolve,andaclassoffunctionsF,learningmeansusingasetofobservationstofindwhichsolvesthetaskinsomeoptimalsense.
TheentailsdefiningacostfunctionC:F->IRsuchthat,fortheoptimalsolution,-i.
e.
,noISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4992solutionhasacostlessthanthecostoftheoptimalsolution(seeMathematicaloptimization).
ThecostfunctionCisanimportantconceptinlearning,asitisameasureofhowfarawayaparticularsolutionisfromanoptimalsolutiontotheproblemtobesolved.
Learningalgorithmsearchthroughthesolutionspacetofindafunctionthathasthecost.
smallestpossible.
4.
2ADVANTAGESOFPROPOSEDSYSTEMAbletoidentifybotmasterbeforeanattackismade.
CanbeinLiveNetwork.
Trackingtoolcanidentifiesthewholechainofnetworkinvolvedinattack.
Toolcreatedwhichwillisolatethebotmasterandwouldnotbeallowedtobeexecutedatanytime.
5.
CONCLUSIONBotnettrackingtoolexperimentedbygivingattackingcodewordedmessagesthroughthebotsnetworksothatserverwilllivelydetectthestatusofthesystemsthatareincommunicationandthosesystemsalsowillbeundersurveillance.
Databasehistorywillbecomparedwiththecodedmessagessoastopreventanyattackingkeywordssenttoanysecureddatabase.
Itdynamicallyupdatesthecurrentattacktakesplacebylearningthenewtechniqueapplied.
5.
ACKNOWLEDGMENTSOurthankstotheexpertswhohavecontributedtowardsdevelopmentofthetemplate.
REFERENCES[1]http://en.
wikipedia.
org/wiki/Network_securityDing,W.
andMarchionini,G.
1997AStudyonVideoBrowsingStrategies.
TechnicalReport.
UniversityofMarylandatCollegePark.
[2]http://dl.
acm.
org/citation.
cfmid=1026492Tavel,P.
2007ModelingandSimulationDesign.
AKPetersLtd.
[3]http://65.
54.
113.
26/Publication/1436760Forman,G.
2003.
Anextensiveempiricalstudyoffeatureselectionmetricsfortextclassification.
J.
Mach.
Learn.
Res.
3(Mar.
2003),1289-1305.
[4]L.
Bilge,E.
Kirda,C.
Kruegel,andM.
Balduzzi,"Exposure:FindingMaliciousDomainsUsingPassiveDNSAnalysis,"Proc.
18thAnn.
NetworkandDistributedSystemSecuritySymp.
(NDSS),Feb.
2011.
[5]A.
Karasaridis,K.
S.
Meier-Hellstern,andD.
A.
Hoeflin,"DetectionofDNSAnomaliesUsingFlowDataAnalysis,"Proc.
IEEEGlobeCom,2006.
[6]C.
J.
Dietrich,C.
Rossow,F.
C.
Freiling,H.
Bos,M.
vanSteen,andN.
Pohlmann,"OnBotnetsthatUseDNSforCommandandControl,"Proc.
EuropeanConf.
ComputerNetworkDefense,Sept.
2011.
[7]E.
Kartaltepe,J.
Morales,S.
Xu,andR.
Sandhu,"SocialNetwork-BasedBotnetCommand-and-Control:EmergingThreatsandCountermeasures,"Proc.
EighthInt'lConf.
AppliedCryptographyandNetworkSecurity(ACNS).
[8]S.
Yadav,A.
K.
K.
Reddy,A.
N.
Reddy,andS.
Ranjan,"DetectingAlgorithmicallyGeneratedMaliciousDomainNames,"Proc.
10thAnn.
Conf.
InternetMeasurement(IMC'10).
[9]P.
Butler,K.
Xu,andD.
Yao,"QuantitativelyAnalyzingStealthyCommunicationChannels,"Proc.
NinthInt'lConf.
AppliedCryptographyandNetworkSecurity(ACNS'11).
[10]G.
Ollmann,"BotnetCommunicationTopologies:UnderstandingtheIntricaciesofBotnetCommand-andControl,"https://www.
damballa.
com/downloads/r_pubs/WP_BotnetCommunications_Primer.
pdf,2013.
[11]S.
Yadav,A.
K.
K.
Reddy,A.
N.
Reddy,andS.
Ranjan,"DetectingAlgorithmicallyGeneratedMaliciousDomainNames,"Proc.
10thAnn.
Conf.
InternetMeasurement(IMC'10),pp.
48-61,2010.
[12]http://www.
microsoft.
com/security/resources/botnet-whatis.
aspx

atcloud:480G超高防御VPS低至$4/月,美国/新加坡等6机房,512m内存/1核/500g硬盘/不限流量

atcloud主要提供常规cloud(VPS)和storage(大硬盘存储)系列VPS,其数据中心分布在美国(俄勒冈、弗吉尼亚)、加拿大、英国、法国、德国、新加坡,所有VPS默认提供480Gbps的超高DDoS防御+不限流量,杜绝DDoS攻击骚扰,比较适合海外建站等相关业务。ATCLOUD.NET是一家成立于2020年的海外主机商,主要提供KVM架构的VPS产品、LXC容器化产品、权威DNS智能解...

NameCheap黑色星期五和网络礼拜一

如果我们较早关注NameCheap商家的朋友应该记得前几年商家黑色星期五和网络星期一的时候大促采用的闪购活动,每一个小时轮番变化一次促销活动而且限量的。那时候会导致拥挤官网打不开迟缓的问题。从去年开始,包括今年,NameCheap商家比较直接的告诉你黑色星期五和网络星期一为期6天的活动。没有给你限量的活动,只有限时六天,这个是到11月29日。如果我们有需要新注册、转入域名的可以参加,优惠力度还是比...

什么是BGP国际线路及BGP线路有哪些优势

我们在选择虚拟主机和云服务器的时候,是不是经常有看到有的线路是BGP线路,比如前几天有看到服务商有国际BGP线路和国内BGP线路。这个BGP线路和其他服务线路有什么不同呢?所谓的BGP线路机房,就是在不同的运营商之间通过技术手段时间各个网络的兼容速度最佳,但是IP地址还是一个。正常情况下,我们看到的某个服务商提供的IP地址,在电信和联通移动速度是不同的,有的电信速度不错,有的是移动速度好。但是如果...

stealthy为你推荐
独立ip空间如何给网站申请独立的IP空间免费虚拟主机空间免费的虚拟主机空间有没有虚拟主机推荐有哪些好的虚拟主机推荐免费虚拟主机申请谁有1年免费的虚拟主机申请地址吖?vps试用免费vps申请哪里有,免费vps试用的也可以?代理主机什么叫做代理服务器?有什么用途?美国vps租用VPS服务器租用哪里的好?台湾vps台湾服务器租用托管那里好台湾主机台湾的第一台电脑虚拟主机评测网怎么选一台好的虚拟主机
cn域名 过期域名 cybermonday 唯品秀 vultr美国与日本 12306抢票攻略 directadmin parseerror 2017年万圣节 一元域名 godaddy域名证书 秒杀预告 双11秒杀 稳定免费空间 鲁诺 最漂亮的qq空间 根服务器 沈阳主机托管 英国伦敦 日本代理ip 更多