Mikhail Zolotukhin
Information Technology University
Publication
Featured research published by Mikhail Zolotukhin.
IEEE International Conference on Dependable, Autonomic and Secure Computing | 2014
Mikhail Zolotukhin; Timo Hämäläinen; Tero Kokkonen; Jarmo Siltanen
Attacks against web servers and web-based applications remain a serious global network security threat. Attackers are able to compromise web services, collect confidential information from web databases, interrupt or completely paralyze web servers. In this study, we consider the analysis of HTTP logs for the detection of network intrusions. First, a training set of HTTP requests which does not contain any attacks is analyzed. When all relevant information has been extracted from the logs, several clustering and anomaly detection algorithms are employed to describe the model of normal user behavior. This model is then used to detect network attacks as deviations from the norms in an online mode. The simulation results presented show that, compared to other data mining algorithms, the method results in a higher accuracy rate.
Consumer Communications and Networking Conference | 2014
Mikhail Zolotukhin; Timo Hämäläinen
Today, rapid growth in the amount of malicious software is causing a serious global security threat. Unfortunately, widespread signature-based malware detection mechanisms are not able to deal with constantly appearing new types of malware and variants of existing ones, until an instance of this malware has damaged several computers or networks. In this research, we apply an anomaly detection approach which can cope with the problem of new malware detection. First, executable files are analyzed in order to extract operation code sequences and then n-gram models are employed to discover essential features from these sequences. A clustering algorithm based on the iterative usage of support vector machines and support vector data descriptions is applied to analyze feature vectors obtained and to build a benign software behavior model. Finally, this model is used to detect malicious executables within new files. The scheme proposed allows one to detect malware unseen previously. The simulation results presented show that the method results in a higher accuracy rate than that of the existing analogues.
International Conference on Telecommunications | 2016
Mikhail Zolotukhin; Timo Hämäläinen; Tero Kokkonen; Jarmo Siltanen
Nowadays, zero-day Denial-of-Service (DoS) attacks have become frighteningly common in high-speed networks due to a constantly increasing number of vulnerabilities. Moreover, these attacks have become more sophisticated and, therefore, they are hard to detect before they damage several networks and hosts. For these reasons, real-time monitoring, processing and network anomaly detection must be among the key features of a modern DoS prevention system. In this paper, we present a method which allows us to timely detect various denial-of-service attacks against a computer or a network system. We focus on detection of application-layer DoS attacks that utilize encrypted protocols by applying an anomaly-detection-based approach to statistics extracted from network packets. Since network traffic decryption can violate ethical norms and regulations on privacy, the detection scheme proposed analyzes network traffic without its decryption. The scheme includes the analysis of conversations between a web server and its clients, the construction of a model of normal user behavior by dividing these conversations into clusters and the examination of the distribution of these conversations among the resulting clusters with the help of the stacked auto-encoder, which belongs to a class of deep learning algorithms. Conversations of clients that deviate from those normal patterns are classified as anomalous. The proposed technique is tested on the data obtained with the help of a realistic cyber environment.
International Conference on Wireless Communications and Mobile Computing | 2012
Mikhail Zolotukhin; Timo Hämäläinen; Antti Juvonen
In this research, online detection of anomalous HTTP requests is carried out with Growing Hierarchical Self-Organizing Maps (GHSOMs). By applying an n-gram model to HTTP requests from network logs, feature matrices are formed. GHSOMs are then used to analyze these matrices and detect anomalous requests among new requests received by the webserver. The system proposed is self-adaptive and allows detection of online malicious attacks in the case of continuously updated web-applications. The method is tested with network logs, which include normal and intrusive requests. Almost all anomalous requests from these logs are detected while keeping the false positive rate at a very low level.
Network Operations and Management Symposium | 2016
Alexander Sayenko; Mikhail Zolotukhin; Timo Hämäläinen
Low power nodes have been a hot topic in research, standardization, and industry communities, which is typically considered under an umbrella term called heterogeneous networking. In this paper, we look at the problem of optimal deployment of low power nodes that could be either small cells connected via the wired backhaul or relays that utilize the same spectrum and the wireless access technology to get connected to the core network. We present that even though both relay and small cell nodes should be located somewhere at the cell edge, their optimal coordinates are not the same since relays have a limitation that comes from a link between a relay and the master base station.
International Conference on Communications | 2015
Di Zhang; Zheng Chang; Mikhail Zolotukhin; Timo Hämäläinen
In this paper, resource allocation for energy efficiency in heterogeneous Software Defined Network (SDN) with multiple network service providers (NSPs) is studied. The considered problem is modeled as a reverse combinatorial auction game, which takes different quality of service (QoS) requirements into account. The heterogeneous network selection associated with power allocation problem is optimized by maximizing the energy efficiency of data transmission. By exploiting the properties of fractional programming, the resulting non-convex Winner Determination Problem (WDP) is transformed into an equivalent subtractive convex optimization problem. The proposed reverse combinatorial auction game is proved to be strategy-proof with low computing complexity. Simulation results illustrate that with SDN controller, the proposed iterative ascending price algorithm converges in a small number of iterations and demonstrates the trade-off between energy efficiency and heterogeneous QoS requirement, especially ensures high fairness among different network service providers.
Global Communications Conference | 2013
Mikhail Zolotukhin; Timo Hämäläinen
In the modern world, a rapid growth of malicious software production has become one of the most significant threats to network security. Unfortunately, widespread signature-based anti-malware strategies can neither help to detect malware unseen previously nor deal with code obfuscation techniques employed by malware designers. In our study, the problem of malware detection and classification is solved by applying a data-mining-based approach that relies on supervised machine learning. Executable files are presented in the form of byte and opcode sequences and n-gram models are employed to extract essential features from these sequences. Feature vectors obtained are classified with the help of support vector classifiers integrated with a genetic algorithm used to select the most essential features, and a game-theory approach is applied to combine the classifiers together. The proposed algorithm, ZSGSVM, is tested by using a set of byte and opcode sequences obtained from a set containing executable files of benign software and malware. As a result, almost all malicious files are detected while the number of false alarms remains very low.
New Technologies, Mobility and Security | 2012
Oleksandr Puchko; Mikhail Zolotukhin; Thomas Hohne; Thomas Malcolm Chapman; Vesa Hytonen
High Speed Single Frequency Network (HS-SFN) is one of the possible multi-cell transmission schemes for High-Speed Downlink Packet Access (HSDPA). This technique helps user equipments (UEs) in the softer handover area by combining signals from two neighbouring cells and also by reducing intercell interference. However, combining of two signals does not always have positive impact due to uncorrelated fast fading. This problem can be solved if the transmitted signals from the cells are adjusted such that the signals would arrive in phase. In this article the impact on HS-SFN is shown when phase adjustments are applied.
International Conference on Telecommunications | 2017
Alexander Sayenko; Mikhail Zolotukhin; Timo Hämäläinen
Recent development of wireless communication systems and standards is characterized by constant increase of allocated spectrum resources. Since lower frequency ranges cannot provide sufficient amount of bandwidth, new bands are allocated at higher frequencies, for which operators might resort to deploy more base stations to ensure the same coverage. Connecting increased number of base stations to the backhaul network with wired connections becomes a non-trivial task and requires more capital investments. To overcome this challenge, it is possible to consider relaying technologies. However, as the operating frequency range increases, so the relay communication range shrinks, which in turn calls for multi-hop relays.
Conference on Smart Spaces | 2015
Tero Kokkonen; Timo Hämäläinen; Marko Silokunnas; Jarmo Siltanen; Mikhail Zolotukhin; Mikko Neijonen
Because of the severe global security threat of malware, vulnerabilities and attacks against networked systems, cyber-security research, training and exercises are required for achieving cyber resilience of organizations. In particular, the requirement for organizing cyber security exercises has become more and more relevant for companies and government agencies. Cyber security research, training and exercises require a closed Internet-like environment and generated Internet traffic. JAMK University of Applied Sciences has built a closed Internet-like network called Realistic Global Cyber Environment (RGCE). The traffic generation software for the RGCE is introduced in this paper. This paper describes different approaches and use cases for Internet traffic generation. Specific software for traffic generation is created, for which no existing traffic generation solutions were suitable.