Prabaharan Poornachandran
Amrita Vishwa Vidyapeetham
Publication
Featured research published by Prabaharan Poornachandran.
advances in computing and communications | 2015
Saranya Chandran; P. Hrudya; Prabaharan Poornachandran
Among the cyber attacks that have occurred, the most drastic are advanced persistent threats (APTs). APTs differ from other attacks in that they have multiple phases, are often silent for long periods of time, and are launched by adamant, well-funded opponents. These targeted attacks mainly concentrate on government agencies and on organizations in industry, such as those involved in international trade and holding sensitive data. APTs escape detection by antivirus solutions, intrusion detection and intrusion prevention systems, and firewalls. In this paper we propose a classification model with 99.8% accuracy for the detection of APTs.
international conference on high performance computing and simulation | 2015
Michael Darling; Greg Heileman; Gilad Gressel; Aravind Ashok; Prabaharan Poornachandran
Given the continuous growth of malicious activities on the internet, there is a need for intelligent systems to identify malicious web pages. It has been shown that URL analysis is an effective tool for detecting phishing, malware, and other attacks. Previous studies have performed URL classification using a combination of lexical features, network traffic, hosting information, and other strategies. These approaches require time-intensive lookups which introduce significant delay in real-time systems. In this paper, we describe a lightweight approach for classifying malicious web pages using URL lexical analysis alone. Our goal is to explore the upper-bound of the classification accuracy of a purely lexical approach. We also aim to develop a scalable approach which could be used in a real-time system. We develop a classification system based on lexical analysis of URLs. It correctly classifies URLs of malicious web pages with 99.1% accuracy, a 0.4% false positive rate, an F1-Score of 98.7, and 0.62 milliseconds on average. Our method also outperforms similar approaches when classifying out-of-sample data.
Advances in intelligent systems and computing | 2017
Surendran K; O. P. Harilal; P. Hrudya; Prabaharan Poornachandran; N. K. Suchetha
Author profiling is an active research area in the field of data mining. Rather than concentrating only on syntactic and stylometric features, this paper describes more relevant features which will profile authors more accurately. Readability metrics, vocabulary richness, and emotional status are the features taken into consideration. Age and gender are detected as the metrics for author profiling. Stylometry is defined using a deep learning algorithm. This approach has attained an accuracy of 97.7% for gender and 90.1% for age prediction.
advances in computing and communications | 2017
R. Vinayakumar; K. P. Soman; Prabaharan Poornachandran
The family of recurrent neural network (RNN) mechanisms is widely used for various tasks in natural language processing, speech recognition, image processing and many other fields, because they are established as a powerful mechanism for capturing dynamic temporal behaviors in large-scale sequence data of arbitrary length. This paper attempts to assess the effectiveness of various RNN mechanisms on traffic classification, specifically for the Secure Shell (SSH) protocol, by modeling the feature sets of statistical flows as time-series obtained from various public and private traces. These traces are from NIMS (Network Information Management and Security Group), DARPA (Defense Advanced Research Projects Agency) 1999 Week1, DARPA 1999 Week3, MAWI (Measurement and Analysis on the WIDE Internet), and NLANR (National Laboratory for Applied Network Research) Active Measurement Project (AMP). Various configurations of network topologies, network parameters and network structures are used for the family of RNN architectures to identify an optimal architecture. The experiments are run up to 1000 epochs with learning rate in the range [0.01-05] on both the binary and multiclass classification settings. RNN mechanisms have performed well in comparison to the other classical machine learning algorithms. Moreover, the long short-term memory (LSTM) mechanism, a modified RNN, achieved the highest accuracy in cross-validation and testing of the binary and multi-class classification cases. The underlying reason is that RNN mechanisms have the capability to capture dynamic temporal dependencies by storing information and updating it when necessary across time-steps.
advances in computing and communications | 2017
R. Vinayakumar; K. P. Soman; Prabaharan Poornachandran
Recently, convolutional neural network (CNN) architectures in deep learning have achieved significant results in the field of computer vision. To transfer this performance to the task of intrusion detection (ID) in cyber security, this paper models network traffic as time-series, particularly transmission control protocol / internet protocol (TCP/IP) packets in a predefined time range, with supervised learning methods such as multi-layer perceptron (MLP), CNN, CNN-recurrent neural network (CNN-RNN), CNN-long short-term memory (CNN-LSTM) and CNN-gated recurrent unit (CNN-GRU), using millions of known good and bad network connections. To measure the efficacy of these approaches, we evaluate them on the most important synthetic ID data sets, such as KDDCup 99. To select the optimal network architecture, a comprehensive analysis of various MLP, CNN, CNN-RNN, CNN-LSTM and CNN-GRU models with their topologies, network parameters and network structures is used. The models in each experiment are run up to 1000 epochs with learning rate in the range [0.01-05]. CNN and its variant architectures have performed significantly well in comparison to the classical machine learning classifiers. This is mainly because CNNs have the capability to extract high-level feature representations that represent the abstract form of low-level feature sets of network traffic connections.
advances in computing and communications | 2017
R. Vinayakumar; K. P. Soman; Prabaharan Poornachandran
A network intrusion detection system (NIDS) is a tool used to detect and classify network breaches dynamically in information and communication technologies (ICT) systems in both academia and industry. Adapting new and existing machine learning classifiers to NIDS has been a significant area in security research, because improvements in detection rate and accuracy are important given the large volume of security audit data, including the diverse and dynamic characteristics of attacks. This paper evaluates the effectiveness of various shallow and deep networks for NIDS. The shallow and deep networks are trained and evaluated on the KDDCup ‘99’ and NSL-KDD data sets in both binary and multi-class classification settings. The deep networks performed well in comparison to the shallow networks in most of the experiment configurations. The main reason for this might be that a deep network passes information through several layers to learn the underlying hidden patterns of normal and attack network connection records, and finally aggregates the learned features of each layer together to effectively distinguish normal connection records from the various attacks. Additionally, deep networks have performed well not only in detecting and classifying known attacks but also unknown attacks. To achieve an acceptable detection rate, we used various configurations of network settings and their parameters in deep networks. All the various configurations of deep network are run up to 1000 epochs in training with a learning rate in the range [0.01-0.5] to effectively capture the time-varying patterns of normal connections and various attacks.
Archive | 2017
Prabaharan Poornachandran; N. Balagopal; Soumajit Pal; Aravind Ashok; Prem Sankar; Manu R. Krishnan
From search engines to e-commerce websites and online video channels to smartphone applications, most internet applications use advertising as one of their primary sources of revenue generation. Malvertising is the act of distributing malicious software to users via advertisements on websites. The major causes of malvertising are the presence of hundreds of third-party advertising solutions and the improper verification of ads at the publisher’s site. Moreover, smartly tailored advertisements are placed which exploit a browser’s bugs and vulnerabilities to infect users with malicious software. In this paper, we highlight loopholes in the currently applied advertising policies and the vulnerabilities that are exploited to attack customers by serving malicious ads on user applications. The major contribution of the authors is a framework developed to identify malicious advertisements at the publishers’ end. It is based on two types of analysis. The first type involves static analysis of the advertisement’s source code. The other type is behavioral analysis of the advertisements, done in a secure sandboxed environment to detect any malicious activity. We extracted a total of 9 features from 15,000 advertisements and classified them using a trained one-class SVM classifier. Our results show that 53 % of the suspicious ads contain dubious iFrames, while 69 % of them perform redirections, followed by drive-by download (18 %), with very low false positive and false negative rates.
Advances in intelligent systems and computing | 2017
A. U. Prem Sankar; Prabaharan Poornachandran; Aravind Ashok; R. K. Manu; P. Hrudya
BGP (Border Gateway Protocol) is one of the core internet backbone protocols, which was designed to address large-scale routing among ASes (Autonomous Systems) in order to ensure reachability among them. However, an attacker can inject update messages into the BGP communication from the peering BGP routers, and that routing information will be propagated across the global BGP routers. This could cause disruptions in the normal routing behavior. Specially crafted BGP messages can reroute the traffic path from a source ASN to a specific destination ASN via another path; this attack is termed AS Path Hijacking. This research work is focused on the detection of suspicious deviation in the AS path between source and destination ASNs, by analyzing the BGP update messages that are collected by passive peering to the BGP routers. The research mainly focuses on identifying AS Path Hijacking by quantifying: (1) how far the deviation occurred for a given AS path and (2) how credible the deviated AS path is. We propose a novel approach to calculate the deviation by employing a weighted edit distance algorithm. A probability score using n-gram frequency is used to determine the credibility of the path. Both scores are correlated to determine whether a given AS path is suspicious or not. The experimental results show that our approach is capable of identifying AS path hijacks with low false positives.
Archive | 2016
Prabaharan Poornachandran; M. Nithun; Soumajit Pal; Aravind Ashok; Aravind C Ajayan
Web 2.0 has given a new dimension to the Internet, bringing in the “social web” where personal data of a user resides in a public space. Personal Knowledge Management (PKM) by websites like Facebook, LinkedIn, and Twitter has given rise to the need for proper security. All these websites and other online accounts manage authentication of users with simple text-based passwords. Password reuse behavior can compromise connected user accounts if any of the companies’ data is breached. The main idea of this paper is to demonstrate that password reuse behavior makes one’s accounts vulnerable and that these accounts are prone to attack/hack. In this study, we collected username and password dumps of 15 different websites from public forums like pastebin.com. We used 62,000 and 3000 login credentials from the Twitter and Thai4promotion websites, respectively, for our research. Our experiments revealed extensive password reuse behavior across sites like Twitter, Facebook, Gmail, etc. About 35 % of the accounts we experimented with were vulnerable to this phenomenon. A survey conducted targeting online users showed us that around 59 % out of 79 % regular internet users still reuse passwords for multiple accounts.
international symposium on women in computing and informatics | 2015
S. Sachin Kumar; Neethu Mohan; Prabaharan Poornachandran; K. P. Soman
Proper machine condition monitoring is crucial for any industrial and mechanical system. The efficiency of mechanical systems greatly relies on rotating components like the shaft, bearing and rotor. This paper focuses on detecting different faults in roller bearings by casting the problem as a machine learning based pattern classification problem. The different bearing fault conditions considered are: bearing in good condition, bearing with inner race fault, bearing with outer race fault, and bearing with inner and outer race fault. Earlier, the statistical features of the vibration signals were used for the classification task. In this paper, the cyclostationary behavior of the vibration signals is exploited for the purpose. In the feature space, the vibration signals are represented by cyclostationary feature vectors extracted from them. The features thus extracted were trained and tested using pattern classification algorithms like decision tree J48, Sequential Minimum Optimization (SMO) and Regularized Least Square (RLS) based classification, and a comparison of the accuracy of each method in detecting faults is provided.