Publication


Featured research published by Bong-Nam Noh.


international conference on the digital society | 2009

Detecting P2P Botnets Using a Multi-phased Flow Model

Sang-Kyun Noh; Joo-Hyung Oh; Jae-Seo Lee; Bong-Nam Noh; Hyun-Cheol Jeong

In this paper, we propose a useful method for modeling multi-phased flows of P2P botnet traffic. Botnets are becoming more sophisticated and more dangerous each day, and attackers use the P2P protocol to avoid centralized botnet topologies. We focus on the feature that a peer bot generates multiple traffic to communicate with a large number of remote peers. In this case, phased botnet flows have similar patterns, which occur at irregular intervals. We compress duplicated flows via flow grouping and construct a transition model of the clustered flows using a probability-based matrix. A flow state is decided by features consisting of protocol, port, and traffic. Our model involves transition information about the state values. Finally, we use the likelihood ratio for detection. In the experimental evaluation, we show the efficiency of our proposed system with the SpamThru, Storm, and Nugache botnets.


international conference on communications | 2009

Analysis of HTTP2P botnet: case study waledac

Dae-il Jang; Minsoo Kim; Hyun-chul Jung; Bong-Nam Noh

Malicious botnets are evolving very quickly and using many ways to evade detection systems. The change of protocol is the most important part of malicious botnets' evolution and evasion techniques. The initial malicious botnets used the IRC protocol for communication between the command and control server and the zombie system. After that, they used the firewall-friendly HTTP protocol and the P2P protocol to escape a client/server architecture. Because many researchers studied malicious HTTP or P2P botnets for detection, malicious botnets began to use a distorted communication method called HTTP2P. In this paper, we study the malicious HTTP2P botnet and aim to help malicious HTTP2P botnet detection by analyzing the Waledac botnet.


international conference on malicious and unwanted software | 2011

Android platform based linux kernel rootkit

Dong-Hoon You; Bong-Nam Noh

Android with the Linux kernel is on its way to becoming a standard platform for various smart devices. Therefore, Android platform based Linux kernel rootkits will be a major security threat to smart phones, tablet PCs, smart TVs and so on. Although there is an urgent need for a remedy for this threat, no solution or even a suitable study has been announced. In this paper, we are going to depict some rootkits which exploit the Android kernel by taking advantage of LKM (loadable kernel module) and /dev/kmem device access technology, and discuss the danger the rootkit attack would bring.


international conference on computational science and its applications | 2004

A Fuzzy Expert System for Network Forensics

Jung-Sun Kim; Min-Soo Kim; Bong-Nam Noh

The field of digital forensic science emerged as a response to the growth of computer crime. Digital forensics is the art of discovering and retrieving information about a crime in such a way as to make digital evidence admissible in court. In particular, network forensics is digital forensic science in networked environments. The more network traffic there is, the harder network analysis becomes. Therefore, we need an effective and automated analysis system for network forensics. In this paper, we develop a fuzzy logic based expert system for network forensics that can analyze computer crimes in networked environments and make digital evidence automatically. This system can provide analyzed information for forensic experts and reduce the time and cost of forensic analysis.


sensor networks ubiquitous and trustworthy computing | 2006

Design and Implementation of Context-Awareness Simulation Toolkit for Context learning

InSu Kim; HeeMan Park; Bong-Nam Noh; YoungLok Lee; SeungYong Lee; HyungHyo Lee

The study deals with the most important elements of ubiquitous computing, that is, the toolkit to acquire, express and safely use the context information. To do so, we introduce CAST (context-awareness simulation toolkit) and show how it works. CAST generates users and devices in a virtual home domain, designates their relation and creates virtual context information. The created context information is reused at the request of an application and put into use for context learning. In particular, we have given consideration to security in the process of context creation and its consumption. That is, we applied SPKI/SDSI to test if the created context information was valid information and if the application that called for the context had legitimate authority to do so. CAST not only captures virtual context information, but it also guarantees the safe sharing of the context information requested by the application.


information reuse and integration | 2006

A Similarity based Technique for Detecting Malicious Executable files for Computer Forensics

Jun-Hyung Park; Minsoo Kim; Bong-Nam Noh; James B. D. Joshi

With the rapidly increasing complexity of computer systems and the sophistication of hacking tools and techniques, there is a crucial need for computer forensic analysis techniques. Very few techniques exist to support forensic analysis of unknown executable files. The existing techniques primarily inspect executable files to detect known signatures or are based on metadata information. A key goal of such forensic investigation is to identify malicious executable files that hackers might have installed in a targeted system. Finding such malware in a compromised system is difficult because it is hard to identify the purpose of the fragments of executable files. In this paper, we present a similarity-based technique that analyzes targeted executable files to identify malware present in a compromised system. The technique involves assigning a similarity value to the fragments of executable files present in a compromised hard disk against a set of source files. We present some results based on the comparison of assembly instruction sequences of well-known hacking tools with those of various executable files, and suggest various ways to reduce the false positives.


international conference on future generation communication and networking | 2007

Experiments and Countermeasures of Security Vulnerabilities on Next Generation Network

Jeong-Wook Kim; Hyug-Hyun Cho; Gil-Jong Mun; Jae-Hyun Seo; Bong-Nam Noh; Yong-Min Kim

IPv6 is the next generation protocol designed by the IETF to replace the current version of the Internet protocol, IPv4. It is difficult to translate immediately from IPv4 to IPv6 because of financial and technical problems, so a mixed IPv4/IPv6 network is expected to be formed. IPv6 is more secure than IPv4, but IPv6 still has many security vulnerabilities, not only the same ones as on IPv4 but also new ones. This paper describes the security vulnerabilities on IPv6 and IPv4/IPv6 networks that are differences and new features in comparison to IPv4, and some possible solutions for security vulnerabilities on IPv6 and mixed IPv4/IPv6 networks. Finally, this paper describes scenarios of security vulnerabilities involving the routing header and fragment header of IPv6 and source spoofing on DSTM, as well as the results of experiments on firewall evasion, DoS on a native IPv6 network and DoS on DSTM.


workshop on information security applications | 2006

SQL injection attack detection: profiling of web application parameter using the sequence pairwise alignment

Jae-Chul Park; Bong-Nam Noh

Web applications employing database-driven content have become widely deployed on the Internet, and organizations use them to provide a broad range of services to people. Along with their growing deployment, there has been a surge in attacks that target these applications. One type of attack in particular, SQL injection, is especially harmful. SQL injections can give attackers direct access to the database underlying an application and allow them to leak confidential or even sensitive information. SQL injection is able to evade or detour an IDS or firewall in various ways. Hence, detection systems based on regular expressions or predefined signatures cannot prevent SQL injection effectively. We present a detection mode for SQL injection using pairwise sequence alignment of amino acid code formulated from web application parameter database sent via web server. An experiment shows that our method detects SQL injection and, moreover, previously unknown attacks as well as variations of known attacks.


international symposium on computer and information sciences | 2003

A New Role-Based Delegation Model Using Sub-role Hierarchies

HyungHyo Lee; YoungRok Lee; Bong-Nam Noh

Delegation in computer systems plays an important role in relieving security officers’ management efforts, especially in a large-scale, highly decentralized environment. By distributing management authorities to a number of delegatees, scalable and manageable security management functionality can be achieved. Recently, a number of studies have been proposed to incorporate the delegation concept into the Role-Based Access Control (RBAC) model, which is becoming a promising model for enterprise environments with various organization structures. In this paper, we propose a new role-based delegation model using sub-role hierarchies supporting restricted inheritance functionality, in which a security administrator can easily control permission inheritance behavior using sub-roles. Also, we describe how role-based user-to-user and role-to-role delegations are accomplished in the proposed model and analyze our delegation model against various delegation characteristics.


embedded and ubiquitous computing | 2005

The design and implementation of secure event manager using SPKI/SDSI certificate

YoungLok Lee; HyungHyo Lee; SeungYong Lee; HeeMan Park; Bong-Nam Noh

In the ubiquitous computing environment, new service components should be able to connect to networks at any time, and clients also should be able to use them immediately even without extra settings. Jini is one of the widely used middlewares today. Although event management is an essential component of ubiquitous middlewares, Jini is distributed without an event management service. Accordingly, we design and implement the event manager based on Jini and suggest three methods in which only the right event consumer can listen to the event using Access-Control Lists and SPKI/SDSI certificates. In the proposed method, our event manager controls the access of events by putting a trust checking engine on Jini.

Collaboration

Top Co-Authors

YoungLok Lee, Chonnam National University

Yong-Min Kim, Chonnam National University

Hyung-Hyo Lee, Chonnam National University

Min-Soo Kim, Daegu Gyeongbuk Institute of Science and Technology

HeeMan Park, Chonnam National University

Minsoo Kim, Korea Research Institute of Bioscience and Biotechnology

Jae-Hyun Seo, Mokpo National University

SeungYong Lee, Chonnam National University

DongKook Kim, Chonnam National University