Napoleon Paxton
United States Naval Research Laboratory
Publication
Featured research published by Napoleon Paxton.
information reuse and integration | 2007
Napoleon Paxton; Gail Joon Ahn; Bill Chu
Since nearly the beginning of the Internet, malware has been a significant deterrent to productivity for end-users, both personal and business related. A particular malware, known as a bot, can create networks of compromised machines called botnets, which are some of the most threatening adversaries over the Internet due in large part to the difficulty of identifying botnet traffic patterns. We have witnessed that existing signature-based detection and protection methods are ineffective, when used alone, in dealing with new unknown bots. In this paper, we introduce a risk-aware network-centric management framework to detect and prevent targeted botnet attacks as well as propagation attempts within the network. As the first step in that direction we focus on learning more information about the bots by identifying malicious characteristics through the network traffic. Once we have their characteristics we then decide whether or not those characteristics present a significant risk to the network that is being protected by our architecture. Using risk as a factor in the decision process helps identify the bots more systematically. We present two scenarios that describe the risk-aware process and show that our framework shows great promise.
computer software and applications conference | 2011
Napoleon Paxton; Gail Joon Ahn; Mohamed Shehab
Botnets continue to be a critical tool for hackers in exploiting vulnerabilities of systems and destructing computer networks. Botnet monitoring is a method used to study and identify malicious capabilities of a botnet, but current botnet monitoring projects mainly identify the magnitude of the botnet problem and tend to overlook some fundamental problems, such as the diversified sources of the attacks. Most malicious botnets have the ability to be rented out to a broad range of potential customers, allowing each customer to launch different attacks from the other. Consequently, under the control of multiple botmasters, various attacks and transactions at different times attempt to damage networked infrastructures. In this paper we propose a multi-layered analysis system called Master Blaster which identifies the communication characteristics of a botmaster in botnet transactions and correlates those characteristics with evolutionary changes within botnet communication channels. Our results show the level of involvement of the monitored botmasters within a botnet as well as their general motives. Our system clearly indicates that the investigation of each botmaster and analysis of botmaster interactions are essential to cope with net-centric attacks caused by botnets.
Cyber Warfare | 2015
Napoleon Paxton; Stephen Russell; Ira S. Moskowitz; Paul Hyden
There has been a significant amount of research dedicated to identifying community structures within graphs. Most of these studies have focused on partitioning techniques and the resultant quality of discovered groupings (communities) without regard for the intent of the analysis being conducted (analysis-intent). In many cases, a given network community can be composed of significantly different elements depending upon the context in which a partitioning technique is used or applied. Moreover, the number of communities within a network will vary greatly depending on the analysis-intent and thus the discretion quality and performance of algorithms will similarly vary. In this survey we review several algorithms from the literature developed to discover community structure within networks. We review these approaches from two analysis perspectives: role/process focused (category-based methods) and topological structure or connection focused (event-based methods). We discuss the strengths and weaknesses of each algorithm and provide suggestions on the algorithms’ use depending on analysis context.
hawaii international conference on system sciences | 2015
Napoleon Paxton; Dae Il Jang; Stephen Russell; Gail Joon Ahn; Ira S. Moskowitz; Paul Hyden
Increasing situational awareness and investigating the cause of a software-induced cyber attack continues to be one of the most difficult yet important endeavors faced by network security professionals. Traditionally, these forensic pursuits are carried out by manually analyzing the malicious software agents at the heart of the incident, and then observing their interactions in a controlled environment. Both these steps are time consuming and difficult to maintain due to the ever changing nature of malicious software. In this paper we introduce a network science based framework which conducts incident analysis on a dataset by constructing and analyzing relational communities. Construction of these communities is based on the connections of topological features formed when actors communicate with each other. We evaluate our framework using a network trace of the Black Energy malware network, captured by our honey net. We have found that our approach is accurate, efficient, and could prove as a viable alternative to the current status quo.
Archive | 2007
Napoleon Paxton; Gail Joon Ahn; Richard Kelly; Kevin Pearson; Bei-tseng Chu
3rd International Conference on Information Warfare and Security, ICIW 2008 | 2008
Gail Joon Ahn; Napoleon Paxton; Kevin Pearson
collaborative computing | 2014
Napoleon Paxton; Joseph Mathews
collaborative computing | 2014
Napoleon Paxton; Dae Il Jang; Ira S. Moskowitz; Gail Joon Ahn; Stephen Russell
Archive | 2014
Napoleon Paxton; Ira S. Moskowitz; Stephen Russell; Paul Hyden
Archive | 2014
Paul Hyden; Stephen Russell; David Jakubek; Napoleon Paxton; Ira S. Moskowitz