Ivan Homoliak
Brno University of Technology
Publication
Featured research published by Ivan Homoliak.
International Journal of Engineering and Technology | 2013
Maros Barabas; Ivan Homoliak; Michal Drozd; Petr Hanacek
In this paper we introduce the second generation of the experimental detection framework of the AIPS system, which is used for experimentation with detection models and their combinations. Our research aims mainly at the detection of attacks that abuse buffer overflow vulnerabilities, but the final goal is to extend the detection techniques to cover various types of vulnerabilities. This article describes the concept of the detection framework and an updated set of network metrics, provides a design of the model architecture, and shows experimental results with a draft of the framework on a set of laboratory-simulated attacks. Index Terms—Artificial intelligence, behavioral signatures, metrics, network security, security, security design. 112 metrics divided into five categories according to their nature. These metrics are used to describe properties of a detected attack based not on the fingerprint of a common signature, but on its behavior. During the experiments we found several limitations of the original idea, and some parts of the architecture were changed. We extended the metric dataset to 169 metrics containing approximately 4000 parameters and changed the categories to reflect the nature of the new dataset. The main goals of this research are (a) to design the architecture of a detection framework that will enhance the overall network security level with the ability to learn new attack behaviors without human intervention by using expert knowledge from Honeypot (or similar) systems; (b) to find the most suitable set of metrics that will successfully describe the behavior of attacks in network traffic and will significantly raise the detection rate and lower the false positive rate. In this article we introduce the second generation of the experimental detection framework of the AIPS system, which is used for experimentation with detection models and their combinations.
The fundamental principle of the detection is based on evaluation of metrics set, which describes the behavior of attack. These metrics are formally specified and extraction of them can be generally realized for each data flow. We could interpret the specification of metrics set as formally extended protocol NetFlow (9), which describes more than statistical properties of network
International Carnahan Conference on Security Technology | 2016
Tomas Smetka; Ivan Homoliak; Petr Hanacek
The aim of the paper is to show a different point of view on the problem of cryptanalysis of symmetric encryption algorithms. Our approach, unlike the existing methods, lies in the use of the power of evolutionary principles, which are applied in our cryptanalytic system by leveraging genetic programming (GP) in order to perform a known plaintext attack (KPA). Our expected result is to find a program (i.e. function) that models the behavior of the symmetric encryption algorithm DES instantiated by a specific key. If such a program existed, then it would be possible to decipher new messages that have been encrypted by an unknown secret key. GP is employed as the basis of this work. GP is an evolutionary algorithm-based methodology inspired by biological evolution which is capable of creating computer programs solving a corresponding problem. The symbolic regression (SR) method is employed as the application of GP to a practical problem. The SR method builds functions from a predefined set of terminal blocks in the process of the GP evolution, and these functions approximate a list of input value pairs. The evolution of GP is controlled by a fitness function which evaluates the goal of a corresponding problem. The Hamming distance, a difference between a current individual value and a reference one, is chosen as the fitness function for our cryptanalysis problem. The results of our experiments did not confirm the initial expectation. The number of encryption rounds did not influence the quality of the best individual; however, its quality was influenced by the cardinality of the training set. The elimination of the initial and final permutations had no influence on the quality of the results in the process of evolution. These results showed that our KPA GP solution is not capable of revealing the internal structure of the DES algorithm's behavior.
Proceedings of the 2017 International Conference on Computer Science and Artificial Intelligence | 2017
Lukáš Hellebrandt; Ondřej Hujňák; Petr Hanacek; Ivan Homoliak
In this paper, we discuss privacy issues in modern networks for the Internet of Things. We focus on anonymization of both devices and users in the context of both IP and non-IP networks. We take a closer look at two current non-IP technologies -- LoRaWAN and ZigBee. Those represent two distinct groups of Internet of Things (IoT) networks -- Low Power WANs covering large areas and providing connectivity as a service, and Wireless PANs following the traditional scheme with a local network interconnecting IoT devices. For both IP and non-IP networks we analyze possible approaches to preserve the privacy of connected devices and identify open problems for future investigation. We propose strategies for ensuring privacy for IoT devices in IP, LPWAN and PAN networks based on their specific features and analyze possible problems of the suggested strategies.
Workshop on Information Security Applications | 2016
Ivan Homoliak; Ladislav Sulak; Petr Hanacek
Buffer overflow (BO) attacks are one of the most dangerous threats in the area of network security. Methods for detection of BO attacks basically use two approaches: signature matching against packets’ payload versus analysis of packets’ headers with behavioral analysis of the connection’s flow. The second approach is intended for detection of BO attacks regardless of the packets’ content, which can be ciphered. In this paper, we propose a technique based on Network Behavioral Anomaly Detection (NBAD) aimed at connectionless network traffic. A similar approach has already been used in related works, but focused on connection-oriented traffic. Not all principles of connection-oriented NBAD can be applied in connectionless anomaly detection. A set of features describing the behavior of connectionless BO attacks is designed, and a tool is implemented for their offline extraction from network traffic dumps. Next, we describe experiments performed in a virtual network environment utilizing exploitation of SIP and TFTP network services, and further data mining experiments employing supervised machine learning (ML) and a Naive Bayes classifier. The exploitation of services is performed using network traffic modifications with the intention of simulating real network conditions. The experimental results show the proposed approach is capable of distinguishing BO attacks from regular network traffic with high precision and class recall.
International Conference on Security and Privacy in Communication Systems | 2016
Ivan Homoliak; Martin Teknos; Maros Barabas; Petr Hanacek
The impact of a successfully performed intrusion can be very crucial. There exists a lot of space which needs research in order to improve detection capabilities of various types of intrusions. Therefore, many researchers and developers are encouraged to design new methods and approaches for detection of known and unknown (zero-day) network attacks. These facts are the most important reasons why Anomaly Detection Systems (ADS) intended for intrusion detection arose. Network ADS (further ADS) approaches attack detection by utilizing packets’ headers and communication behavior, not the content of the packets. Thus, basic principles of ADS open possibilities of an attacker to evade ADS detection by obfuscation techniques.
International Conference for Internet Technology and Secured Transactions | 2014
Ivan Homoliak; Daniel Ovsonka; Matej Gregr; Petr Hanacek
This paper examines the detection properties of obfuscated network buffer overflow attacks by selected IDS and NBA. The obfuscation was performed by tunneling the malicious traffic in HTTP and HTTPS protocols with the intention of simulating the usual legitimate characteristics of HTTP traffic flow. The buffer overflow vulnerabilities of four services were used: Samba, BadBlue, Apache, DCOM RPC. Exploitation was performed in a virtual network environment by using scenarios simulating real traffic conditions, and legitimate traffic simulations were performed as well. Captured data were examined by SNORT and by ASNM network features of the AIPS representing statistically and behaviorally based NBA. The achieved results show the transparency of obfuscated attacks for SNORT detection and low detection performance of the AIPS trained by direct attacks and legitimate traffic only, in contrast with high classification accuracy of the AIPS trained with an inclusion of obfuscated attacks. Data mining analysis was performed by using both bi-nominal and poly-nominal classifications, resulting in better performance of poly-nominal classification. In summary, we emphasize the necessity of training the statistically and behaviorally based NBAs with divergent obfuscation techniques to strengthen their detection capabilities.
Emerging Trends in ICT Security | 2014
Ivan Homoliak; Maros Barabas; Petr Chmelar; Michal Drozd; Petr Hanacek
In this chapter we propose a method for the extraction of data from network flow and a contextual separation of partial connections, using a set of network metrics that create a signature defining the connection behavior. We begin with defining the input dataset of captured communication and the process of extracting metrics from separated connections. Then we define the set of metrics included in the final behavioral signature. The second part of the chapter describes experiments performed with a state-of-the-art set of network metrics, with comparison to our proposed experimental set. The chapter concludes with the results of our experiments.
International Carnahan Conference on Security Technology | 2013
Matej Kacic; Petr Hanacek; Martin Henzl; Ivan Homoliak
Nowadays wireless networks are becoming important in personal and public communication. Most of them are secured by 802.11i standard with strong AES cipher - WPA2. In many cases an attacker has the ability to listen to all encrypted network traffic, which may become a potential intrusion. Each client in wireless network is vulnerable to a variety of threats and attacks. Many attacks, especially in corporate networks, are realized from internal environment. Identity theft is another serious problem of wireless networks. We present a concept of reputation system based on user behavior. Our goal is to precisely identify every entity in wireless network, and then determine malicious behavior of these entities.
International Carnahan Conference on Security Technology | 2014
Ivan Homoliak; Daniel Ovsonka; Karel Koranda; Petr Hanacek
Journal of Computers | 2017
Ivan Homoliak; Dominik Breitenbacher; Petr Hanacek