approachstealthy

stealthy  时间:2021-01-12  阅读:()
ISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4988DEFENDINGSTEALTHYMODEATTACKBYLIVEDETECTIONANDADOPTABLELEARNINGTECHNIQUEMr.
N.
Aravindhu,G.
Vaishnavi,D.
MaheswariSenoirAssistantProfessor,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaStudent,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaStudent,CSE,ChristcollegeofEngineering&Technology,Puducherry,IndiaABSTRACT:Thisworkemployeescompletestoppingofthebotnetattackmadebybotmaster.
TheattackismadebypassingthecodewordcommentsbyDNSbasedstealthymodecommandandcontrolchannelfromonesystemtoanothersystemtohijacktheserver.
Usuallywecanabletoidentifytheattackonlyaftertheattackhasbeenmadebythebotmaster.
ButbyusingBotnetTrackingTool(BTT)wecankeeptrackofthecodewordbeingused.
TheattackispreventedbymakinguseoftheBotnetTrackingTool(BTT).
Wecontinuouslymonitortheattackmadebythebotmasterandthebots.
Theattackisconcurrentlycheckedinthedatabaseforthepre-definedcodewordandiftheattackhasbeenfounditwouldbestoppedfromfurtherattack.
Ifsupposethenewcodewordisfoundduringtheattackthatcodewordwouldbestoredinthedatabasefutureuseandthenisolatesthem.
Itdoesnotallowuntilaproperauthorizationismadeandclarifiesthemnotasbotmaster.
Keywords:Networksecurity,codewords,DNSsecurity,botnetdetection,botnettrackingtool(BTT),commandandcontrol.
1.
INTRODUCTIONNetworksecuritystartswithauthentication,usuallywithausernameandapassword.
Thisrequiresonedetailauthenticationtheusernameandthepassword—thisisalsocalledasone-factorauthentication.
Withthetwo-factorauthentication-theuserhasused(e.
g.
asecuritytokenordongle,anATMcardoramobilephone);andwith3-factorauthenticationtheuseralsousedfingerprintorretinalscan.
Whenitisauthenticating,afirewallenforcesaccesspoliciessuchastheserviceswhichareallowsthenetworkuserstoaccessthenetwork.
Theeffectivenessofpreventingtheunauthorizedaccess,thiscomponentmayfailtocheckpotentiallyharmfulcontentsuchascomputerwormsorTrojansbeingtransmittedoverthenetwork.
Anti-virussoftwareoranintrusionpreventionsystem(IPS)helpdetectandinhibittheactionofsuchmalware.
Ananomaly-basedintrusiondetectionsystemmayalsomonitorthenetworkandtrafficfornetworkmaybeloggedforauditpurposesandforlaterhigh-levelanalysis.
Communicationbetweentwohostsusinganetworkmaybeencryptedtomaintainprivacy[1].
Ageneralconceptincludingasspecialcasesuchattributesasreliability,availability,safety,integrity,maintainability,etcSecuritybringsinconcernsforconfidentiality,inadditiontoavailabilityandintegrityBasicdefinitionsaregivenfirstTheyarethencommentedupon,andsupplementedbyadditionaldefinitions,whichaddressthethreatstodependabilityandsecurity(faults,errors,failures),theirattributes,andthemeansfortheirachievement(faultprevention,faulttolerance,faultremoval,faultforecasting)Theaimistoexplicateasetofgeneralconcepts,ofrelevanceacrossawiderangeofsituationsand,therefore,helpingcommunicationandcooperationamonganumberofscientificandtechnicalcommunities,includingonesthatareconcentratingonparticulartypesofsystem,ofsystemfailures,orofcausesofsystemfailures[3].
Thetermbotisshortforrobot.
Criminalsdistributemalicioussoftware(alsoknownasmalware)thatcanturnyourcomputerintoabot(alsoknownasazombie).
Whenthisoccurs,yourcomputercanperformautomatedtasksovertheInternet,withoutyouknowingit.
Criminalstypicallyusebotstoinfectlargenumbersofcomputers.
Thesecomputersformanetwork,orabotnet.
Criminalsusebotnetstosendoutspamemailmessages,spreadISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4989viruses,attackcomputersandservers,andcommitotherkindsofcrimeandfraud.
Ifyourcomputerbecomespartofabotnet,yourcomputermightslowdownandyoumightinadvertentlybehelpingcriminals.
2.
RELATEDWORK2.
1FINDINGMALICIOUSDOMAINSUSINGPASSIVEDNSANALYSISInthispaper,weintroduceEXPOSURE,asystemthatemployslarge-scale,passiveDNSanalysistechniquestodetectdomainsthatareinvolvedinmaliciousactivity.
Weuse15featuresthatweextractfromtheDNStrafficthatallowustocharacterizedifferentpropertiesofDNSnamesandthewaysthattheyarequeried.
Ourexperimentswithalarge,real-worlddatasetconsistingof100billionDNSrequests,andareal-lifedeploymentfortwoweeksinanISPshowthatourapproachisscalableandthatweareabletoautomaticallyidentifyunknownmaliciousdomainsthataremisusedinavarietyofmaliciousactivity(suchasforbotnetcommandandcontrol,spamming,andphishing)[4].
2.
2DETECTIONOFDNSANOMALIESUSINGFLOWDATAANALYSISThispaperdescribesalgorithmsusedtomonitoranddetectcertaintypesofattackstotheDNSinfrastructureusingflowdata.
Ourmethodologyisbasedonalgorithmsthatdonotrelyonknownsignatureattackvectors.
Theeffectivenessofoursolutionisillustratedwithrealandsimulatedtrafficexamples.
Inoneexample,wewereabletodetectatunnelingattackwellbeforetheappearanceofpublicreportsofit[5].
3.
EXISTINGSYSTEMInitiallyanattackbythebotmasterismadeandtheaftertheattacktheyhaveidentifiedthatanattackhasbeenmade.
Theyhavecheckedexperimentalevaluationmakesuseofatwo-month-long4.
6-GBcampusnetworkdatasetand1milliondomainnamesobtainedfromalexa.
com.
TheyhaveconcludedthattheDNS-basedstealthycommandand-controlchannel(inparticular,thecodewordmode)canbeverypowerfulforattackers,showingtheneedforfurtherresearchbydefendersinthisdirection.
ThestatisticalanalysisofDNSpayloadasacountermeasurehaspracticallimitationsinhibitingitslargescaledeployment.
inthisdirection.
ThestatisticalanalysisofDNSpayloadasacountermeasurehaspracticallimitationsinhibitingitslargescaledeployment.
Theyhavebeenabletoidentifyitonlyaftertheattackhasbeenmade.
.
Botnetcommand-and-control(C&C)channelusedbybotsandbotmastertocommunicatewitheachother,e.
g.
,forbotstoreceiveattackcommandsandmodifyfrombotmaster,astolendata.
AC&Cchannelforabotnetneedstobereliableone.
ManybotmasterusedtheInternetRelayChatprotocol(IRC)orHTTPserverstosendinformation.
Botnetoperatorscontinuouslyexplorenewstealthycommunicationmechanismstoevadedetection.
HTTP-basedcommandandcontrolisdifficulttodistinguishthelegitimatewebtraffic.
WedonotallowbotstosubmitDNSqueriestoeradicatedetection.
WeonlyallowbotstoeitherpiggybacktheirquerieswithlegitimateDNSqueriesfromtthehost,orfollowaquerydistribution.
OurimplementationusesthePythonModularDNSServer(pymds)andadesignedplug-intorespondtoDNSrequests.
PyMDSimplementsthefullDNSprotocolwhileallowingtheusertoimplementaprogrammaticanddynamicbackendtocreatetheDNSrecordsreturned.
Insteadofreturningrecordsfromastaticfile,PyMDSallowedforthedecodingofcodewordsandthegenerationofappropriateresponses.
Toevaluatethepiggybackquerystrategy,ourdatasetisatwo-month-longnetworktraceobtainedfromauniversityandcollectedwiththeIPAudittool.
Astaticapproachistohaveabotmastercreateanorderedlistofdomainnamesandpackthelistinmalwarecodeforbottolookup,whichissametotheuseofaone-timepasswordpadforauthentication.
Botnetshavebeentousesubdirectoriesfordirectcommunication,However,foraDNS-tunneling-basedchannel,subdirectoryapproachdoesnotapply,asthebotmasterdoesnotrunawebserverandtheISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4990communicationisbasedsolelyondomainnamesystems.
Consideringthatbotnetsoftenusethird-leveldomainsinsteadofsubdirectories,Dagonproposedtousetheratiobetweensecond-leveldomains(SLDs)andthird-leveldomains(3LDs)toidentifybotnettraffic.
DNS-basedstealthymessagingsystemsthatrequiresdeeppacketinspectionandstatisticalanalysis.
Deeppacketinspectionexaminespacketpayloadbeyondthepacketheader.
Specifically,wequantitativelyanalyzetheprobabilitydistributionsof(bot's)DNS-packetcontent.
.
.
3.
1DRAWBACKSINEXISTINGSYSTEMAbletoidentifyabotmasteronlyafteranattackhasbeenmade.
Itcannotpreventorpredictanattacksotheycan'tprotectit.
DidnotcheckitinLive.
BotMastercannotbecaughtredhanded.
4.
PROPOSEDSYSTEMItusesstochasticimplementationofmarkovschainlinkanalysisalgorithmtocorrelatewithhistoryindatabase.
Thismethodisusedtostorethenewattackwhichisdetectedlivelyduringprocessintothedatabase.
AdiscreteMarkovchainmodelcanbedefinedbythetuple.
Scorrespondstothestatespace,Aisamatrixrepresentingtransitionprobabilitiesfromonestatetoanother.
λistheinitialprobabilitydistributionofthestatesinS.
ThefundamentalpropertyofMarkovmodelisthedependencyonthepreviousstate.
Ifthevectors[t]denotestheprobabilityvectorforallthestatesattime't',then:Ifthereare'n'statesinourMarkovchain,thenthematrixoftransitionprobabilitiesAisofsizenxn.
Markovchainscanbeappliedtoweblinksequencemodeling.
Inthisformulation,aMarkovstatecancorrespondtoanyofthefollowing:URI/URLHTTPrequestAction(suchasadatabaseupdate,orsendingemail)ThematrixAcanbeestimatedusingmanymethods.
Withoutlossofgenerality,themaximumlikelihoodprincipleisappliedinthispapertoestimateAandλ.
EachofthematrixA[s,s']canbeestimatedasfollows:C(s,s')isthecountofthenumberoftimess'followssinthetrainingdata.
AlthoughMarkovchainshavebeentraditionallyusedtocharacterizeasymptoticpropertiesofrandomvariables,weutilizethetransitionmatrixtoestimateshort-termlinkpredictions.
AnelementofthematrixA,sayA[s,s']canbeinterpretedastheprobabilityoftransitioningfromstatestos'inonestep.
SimilarlyanelementofA*Awilldenotetheprobabilityoftransitioningfromonestatetoanotherintwosteps,andsoon.
Giventhe"linkhistory"oftheuserL(t-k),L(t-k+1).
.
.
.
L(t-1),wecanrepresenteachlinkasavectorwithaprobability1atthatstateforthattime(denotedbyi(t-k),i(t-k+1).
.
.
i(t-1)).
TheMarkovChainmodelsestimationoftheprobabilityofbeinginastateattime't'isshowninequation4.
TheMarkovianassumptioncanbevariedinavarietyofways.
Inourproblemoflinkprediction,wehavetheuser'shistoryavailable;however,aprobabilityISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4991distributioncanbecreatedaboutwhichofthepreviouslinksare"goodpredictors"ofthenextlink.
ThereforeweproposevaianctsoftheMarkovprocesstoaccommodateweightingofmorethanonehistorystate.
Inthefollowingequations,wecanseetheateachofthepreviouslinksareusedtopredictthefuturelinksandcombinedinavarietyofways.
ItisworthnotingthatratherthancomputeA*Aandhigherpowersofthetransitionmatrix,theseaybedirectlyestimatedusingthetrainingdata.
Inpractice,thestateprobablilityvectors(t)canbenormalizedandthresholdedinordertoselectalistof"probablelinks/stated"thatheuserwillchoose.
4.
1BOTNETTRACKINGTOOLBotnettrackingtoolisimpliedtodetectthebotnetattacklivelyinthenetwork.
Thistoolisusedtoreviewtheprocesswhichisgoingon.
Inthisthedetectionofanyattackwillbedetected.
Itusesmachineadoptablelearningtechniqueforpreventionofforthcomingattacks.
Thismethodisusedtosaycompletelyabouttheattackwhichischeckedwiththedatabasethatitisanattackornot.
Ifitisanattackthenitwillbestoppedfromfurtherprocess.
Ifitisfoundthatitisnotanattackthenitallowsittodotheprocess.
Someofthemostsuccessfuldeeplearningmethodsinvolveartificialneuralnetworks.
DeepLearningNeuralNetworksdatebackatleasttothe1980NeocognitronbyKunihikoFukushima.
Itisinspiredbythe1959biologicalmodelproposedbyNobellaureateDavidH.
Hubel&TorstenWiesel,whofoundtwotypesofcellsinthevisualprimarycortex:simplecellsandcomplexcells.
Manyartificialneuralnetworkscanbeviewedascascadingmodelsofcelltypesinspiredbythesebiologicalobservations.
Withtheadventoftheback-propagationalgorithm,manyresearcherstriedtotrainsuperviseddeepartificialneuralnetworksfromscratch,initiallywithlittlesuccess.
SeppHochreiter'sdiplomathesisof1991formallyidentifiedthereasonforthisfailureinthe"vanishinggradientproblem,"whichnotonlyaffectmany-layeredfeedforwardnetworks,butalsorecurrentneuralnetworks.
Thelatteraretrainedbyunfoldingtheintoverydeepfeedforwardnetworks,whereanewlayeriscreatedforeachtimestepofaninputsequenceprocessedbythenetwork.
Aserrorspropagatefromlayertolayer,theyshrinkexponentiallywiththenumberoflayers.
Toovercomethisproblem,severalmethodswereproposed.
OneisJurgenSchmidhuber'smulti-levelhierarchyofnetworks(1992)pre-trainedonelevelatatimethroughunsupervisedlearning,fine-tunedthroughbackpropagation.
Hereeachlevellearnsacompressedrepresentationoftheobservationsthatisfedtothenextlevel.
Anothermethodisthelongshorttermmemory(LSTM)networkof1997byHochreiter&Schmidhuber.
In2009,deepmultidimensionalLSTMnetworksdemonstratedthepowerofdeeplearningwithmanynonlinearlayers,bywinningthreeICDAR2009competitionsinconnectedhandwritingrecognition,withoutanypriorknowledgeaboutthethreedifferentlanguagestobelearned.
Whathasattractedthemostinterestinneuralnetworksisthepossibilityoflearning.
Givenaspecifictasktosolve,andaclassoffunctionsF,learningmeansusingasetofobservationstofindwhichsolvesthetaskinsomeoptimalsense.
TheentailsdefiningacostfunctionC:F->IRsuchthat,fortheoptimalsolution,-i.
e.
,noISSN(Print):2319-5940ISSN(Online):2278-1021InternationalJournalofAdvancedResearchinComputerandCommunicationEngineeringVol.
3,Issue1,January2014CopyrighttoIJARCCEwww.
ijarcce.
com4992solutionhasacostlessthanthecostoftheoptimalsolution(seeMathematicaloptimization).
ThecostfunctionCisanimportantconceptinlearning,asitisameasureofhowfarawayaparticularsolutionisfromanoptimalsolutiontotheproblemtobesolved.
Learningalgorithmsearchthroughthesolutionspacetofindafunctionthathasthecost.
smallestpossible.
4.
2ADVANTAGESOFPROPOSEDSYSTEMAbletoidentifybotmasterbeforeanattackismade.
CanbeinLiveNetwork.
Trackingtoolcanidentifiesthewholechainofnetworkinvolvedinattack.
Toolcreatedwhichwillisolatethebotmasterandwouldnotbeallowedtobeexecutedatanytime.
5.
CONCLUSIONBotnettrackingtoolexperimentedbygivingattackingcodewordedmessagesthroughthebotsnetworksothatserverwilllivelydetectthestatusofthesystemsthatareincommunicationandthosesystemsalsowillbeundersurveillance.
Databasehistorywillbecomparedwiththecodedmessagessoastopreventanyattackingkeywordssenttoanysecureddatabase.
Itdynamicallyupdatesthecurrentattacktakesplacebylearningthenewtechniqueapplied.
5.
ACKNOWLEDGMENTSOurthankstotheexpertswhohavecontributedtowardsdevelopmentofthetemplate.
REFERENCES[1]http://en.
wikipedia.
org/wiki/Network_securityDing,W.
andMarchionini,G.
1997AStudyonVideoBrowsingStrategies.
TechnicalReport.
UniversityofMarylandatCollegePark.
[2]http://dl.
acm.
org/citation.
cfmid=1026492Tavel,P.
2007ModelingandSimulationDesign.
AKPetersLtd.
[3]http://65.
54.
113.
26/Publication/1436760Forman,G.
2003.
Anextensiveempiricalstudyoffeatureselectionmetricsfortextclassification.
J.
Mach.
Learn.
Res.
3(Mar.
2003),1289-1305.
[4]L.
Bilge,E.
Kirda,C.
Kruegel,andM.
Balduzzi,"Exposure:FindingMaliciousDomainsUsingPassiveDNSAnalysis,"Proc.
18thAnn.
NetworkandDistributedSystemSecuritySymp.
(NDSS),Feb.
2011.
[5]A.
Karasaridis,K.
S.
Meier-Hellstern,andD.
A.
Hoeflin,"DetectionofDNSAnomaliesUsingFlowDataAnalysis,"Proc.
IEEEGlobeCom,2006.
[6]C.
J.
Dietrich,C.
Rossow,F.
C.
Freiling,H.
Bos,M.
vanSteen,andN.
Pohlmann,"OnBotnetsthatUseDNSforCommandandControl,"Proc.
EuropeanConf.
ComputerNetworkDefense,Sept.
2011.
[7]E.
Kartaltepe,J.
Morales,S.
Xu,andR.
Sandhu,"SocialNetwork-BasedBotnetCommand-and-Control:EmergingThreatsandCountermeasures,"Proc.
EighthInt'lConf.
AppliedCryptographyandNetworkSecurity(ACNS).
[8]S.
Yadav,A.
K.
K.
Reddy,A.
N.
Reddy,andS.
Ranjan,"DetectingAlgorithmicallyGeneratedMaliciousDomainNames,"Proc.
10thAnn.
Conf.
InternetMeasurement(IMC'10).
[9]P.
Butler,K.
Xu,andD.
Yao,"QuantitativelyAnalyzingStealthyCommunicationChannels,"Proc.
NinthInt'lConf.
AppliedCryptographyandNetworkSecurity(ACNS'11).
[10]G.
Ollmann,"BotnetCommunicationTopologies:UnderstandingtheIntricaciesofBotnetCommand-andControl,"https://www.
damballa.
com/downloads/r_pubs/WP_BotnetCommunications_Primer.
pdf,2013.
[11]S.
Yadav,A.
K.
K.
Reddy,A.
N.
Reddy,andS.
Ranjan,"DetectingAlgorithmicallyGeneratedMaliciousDomainNames,"Proc.
10thAnn.
Conf.
InternetMeasurement(IMC'10),pp.
48-61,2010.
[12]http://www.
microsoft.
com/security/resources/botnet-whatis.
aspx

DMIT:香港国际线路vps,1.5GB内存/20GB SSD空间/4TB流量/1Gbps/KVM,$9.81/月

DMIT怎么样?DMIT是一家美国主机商,主要提供KVM VPS、独立服务器等,主要提供香港CN2、洛杉矶CN2 GIA等KVM VPS,稳定性、网络都很不错。支持中文客服,可Paypal、支付宝付款。2020年推出的香港国际线路的KVM VPS,大带宽,适合中转落地使用。现在有永久9折优惠码:July-4-Lite-10OFF,季付及以上还有折扣,非 中国路由优化;AS4134,AS4837 均...

创梦云 香港沙田、长沙联通2核1G仅需29元一个月 挂机宝7元一个月

商家介绍:创梦云是来自国内的主机销售商,成立于2018年4月30日,创梦云前期主要从事免备案虚拟主机产品销售,现在将提供5元挂机宝、特惠挂机宝、香港云服务器、美国云服务器、低价挂机宝等产品销售。主打高性价比高稳定性挂机宝、香港云服务器、美国云服务器、香港虚拟主机、美国虚拟主机。官方网站:http://cmy0.vnetdns.com本次促销产品:地区CPU内存硬盘带宽价格购买地址香港特价云服务器1...

DMIT:新推出美国cn2 gia线路高性能 AMD EPYC/不限流量VPS(Premium Unmetered)$179.99/月起

DMIT,最近动作频繁,前几天刚刚上架了日本lite版VPS,正在酝酿上线日本高级网络VPS,又差不多在同一时间推出了美国cn2 gia线路不限流量的美国云服务器,不过价格太过昂贵。丐版只有30M带宽,月付179.99 美元 !!目前美国云服务器已经有个4个套餐,分别是,Premium(cn2 gia线路)、Lite(普通直连)、Premium Secure(带高防的cn2 gia线路),Prem...

stealthy为你推荐
域名注册公司公司域名注册在哪个网站上注册好全能虚拟主机旗舰型全能主机500m(x500.特惠虚拟主机)要什么数据库已备案域名查询怎样知道一个网站是不是真的已经备案?vpsvps和服务器哪个比较划算免费国内空间想做一个网站想找个免费的空间最好是国外的,国内的太多都是骗人的或者不稳定的。谢谢!免费网站空间哪里有永久免费的网站空间?100m网站空间50M的网页内容买100M的网站空间够用了没?香港虚拟主机想买一个香港虚拟主机,大家推荐一下吧独立ip虚拟主机独立ip的虚拟主机和vps的区别和优势??虚拟主机控制面板如何利用虚拟主机控制面板对网站进行管理
vps主机 动态域名 光棍节日志 2017年黑色星期五 lighttpd 国内加速器 一元域名 赞助 33456 新睿云 smtp虚拟服务器 中国电信测速网站 杭州电信 上海联通 腾讯云平台 月付空间 瓦工工资 装修瓦工招聘 sockscap教程 万网主机代理 更多