A worm is usually used to spread exploit code to attack hosts on the Internet rapidly. Many worms use encryption techniques to hide themselves from the intrusion detection system (IDS), which dramatically weakens network defense infrastructures. Traditional IDSs use shellcode signatures to detect worms, and so are not able to detect encrypted polymorphic worms. To defend against polymorphic worms, we need to study how polymorphic code could mutate itself to hide from current detection mechanisms. In this paper, we use an encryption mechanism and a polymorphic decoder to test whether well-known IDS systems, such as Snort, a signature-based IDS, could detect our penetration testing tool or not. We propose a scheme to mutate the shellcode of a worm so that it could still execute normally on the destination while evading IDSs such as STRIDE or APE. Finally, we use the Sasser and Blaster worms as examples, inject them into normal traffic in our experimental network, and compare the performance of our penetration testing tool against other IDSs, such as Snort and STRIDE. According to the emulation results, our tool could successfully deliver the exploit code to the end host while evading the IDS in more than 90% of cases.
Our previously described framework for an artificial immune server protects servers on the Internet against cyber attacks. The prototype of this artificial immune server adaptively acquired immunity against cyber attacks that exploit server vulnerabilities. This study describes our implementation of mechanisms of protection against denial of service (DoS) attacks and their incorporation into the prototype system. Performance tests showed that, once the prototype system had learned a certain DoS attack, it was able to cause DoS due to false detections. To reduce these false detections, we examined detection performance using simulated machine learning techniques. Random forest and extra trees classifiers were able to achieve almost the highest true negative rate, reconciling a higher true positive rate with a faster learning speed. These findings indicate that these classifiers are suitable for mission-critical servers where high availability, including a high true negative rate and fast learning speed, is required.
This paper focuses on an artificial immunity-enhancing module designed to counter Internet-based cyberattacks on high-availability servers. The module consists of innate and adaptive immune functions. The innate immune function detects known and unknown cyberattacks, whereas the adaptive immune function uses a random forest classifier to learn the cyberattacks detected by the innate immune function. This paper proposes a new innate immune function that detects two DoS attacks not detected by our previous innate immune function. In addition, a mechanism to maintain learning data is added to the adaptive immune function. The performance of the module was evaluated using four types of attack. Its overall detection accuracy was found to be 87.3%, corresponding to true positive and true negative rates of 78.95% and 95.70%, respectively. Investigation of its detection accuracy for the four types of attack showed that a single type of attack degraded the overall detection accuracy. The overheads of the innate and adaptive immune functions were 6% and 4%, respectively, and were little affected by the number of trees in the random forest classifier. The amount of learning data required by the adaptive immune function to maintain its high detection accuracy against cyberattacks was approximately 900 samples.
Network security research focused content is a buffer *** is a technology used by hackers *** paper, based on buffer overflow, gives the design and implementation of a backdoor implanted through a remote overflow *** this paper introduces the detailed steps to construct shellcode, as well as the specific implementation of the ***, and gives recommendations for preventing remote overflows.
Macro-based malware attacks are on the rise in recent cyber-attacks, using malicious code written in Visual Basic that can be used to target computers and achieve various exploitations. Macro malware can be obfuscated using various tools and easily evades antivirus software. To detect this macro malware, several machine learning methods have been proposed, but with inadequate datasets of both benign and malicious macro code that are not reproducible and were evaluated on unbalanced datasets. In this paper, the use of a word embedding technique such as Word2Vec for code analysis is proposed to analyze and process macro code written in Visual Basic, in order to understand and detect the attack vector before the documents are opened. The proposed word embedding technique, called Obfuscated-Word2vec, detects obfuscated keywords and obfuscated function names in the macro code and classifies them as obfuscated or benign function calls; these are later used as feature vectors to train models that extract the most relevant features from macro code and help the classifiers detect more accurately whether a sample is a downloader, dropper malware, shellcode, a PowerShell exploit, etc. Experimental results show that the proposed method is reproducible and could detect completely new macro malware by analyzing the macro code with the help of a random forest classifier, with 82.65 percent accuracy.