Selvakumar Manickam
Universiti Sains Malaysia
Publication
Featured researches published by Selvakumar Manickam.
International Journal of Computer Applications | 2012
Esraa Alomari; Selvakumar Manickam; B. B. Gupta; Shankar Karuppayah; Rafeef Alfaris
Botnets are prevailing mechanisms for the facilitation of the distributed denial of service (DDoS) attacks on computer networks or applications. Currently, Botnet-based DDoS attacks on the application layer are the latest and most problematic trends in network security threats. Botnet-based DDoS attacks on the application layer limit resources, curtail revenue, and yield customer dissatisfaction, among others. DDoS attacks are among the most difficult problems to resolve online, especially when the target is the Web server. In this paper, we present a comprehensive study to show the danger of Botnet-based DDoS attacks on the application layer, especially on the Web server, and the increased incidents of such attacks that have evidently increased recently. Botnet-based DDoS attack incidents and revenue losses of famous companies and government websites are also described. This provides better understanding of the problem, current solution space, and future research scope to defend against such attacks efficiently.
International Journal of Medical Informatics | 2002
Syed Sibte Raza Abidi; Selvakumar Manickam
Case-based reasoning (CBR)-driven medical diagnostic systems demand a critical mass of up-to-date diagnostic-quality cases that depict the problem-solving methodology of medical experts. In practical terms, procurement of CBR-compliant cases is quite challenging, as this requires medical experts to map their experiential knowledge to an unfamiliar computational formalism. In this paper, we propose a novel medical knowledge acquisition approach that leverages routinely generated electronic medical records (EMRs) as an alternate source for CBR-compliant cases. We present a methodology to autonomously transform XML-based EMR to specialized CBR-compliant cases for CBR-driven medical diagnostic systems. Our multi-stage methodology features: (a) collection of heterogeneous EMR from Internet-accessible EMR repositories via intelligent agents, (b) automated transformation of both the structure and content of generic EMR to specialized CBR-compliant cases, and (c) inductive estimation of the weight of each case-defining attribute. The computational implementation of our methodology is presented as case acquisition and transcription info-structure (CATI).
computer based medical systems | 2002
Syed Zahid Hassan Zaidi; Syed Sibte Raza Abidi; Selvakumar Manickam
This paper presents a case for an intelligent agent-based framework for knowledge discovery in a distributed healthcare environment comprising multiple heterogeneous healthcare data repositories. Data-mediated knowledge discovery, especially from multiple heterogeneous data resources, is a tedious process and imposes significant operational constraints on end-users. We demonstrate that autonomous, reactive and proactive intelligent agents provide an opportunity to generate end-user-oriented, packaged, value-added decision-support/strategic planning services for healthcare professionals and managers. We propose the use of intelligent agents to implement a distributed agent-based data mining information structure that provides a suite of healthcare-oriented decision-support/strategic planning services.
european symposium on computer modeling and simulation | 2009
Doris Wong Hooi Ten; Selvakumar Manickam; Sureswaran Ramadass; Hussein Al Bazar
Visualization tools have emerged as a critical component, especially in medical, education, engineering, military and environmental management. These fields have applied visualization techniques to improve decision making and organization management performance. In recent times, with the advent of the Internet and the explosive growth of networking infrastructure on a global scale, there is demand for an intuitive and wholesome approach to visualize the network traffic. Complexity of network architecture and insufficient vendor support are the major issues that are always faced by a user in solving a network monitoring problem. A network engineer needs to start on network monitoring by integrating conventional network monitoring tools with an innovative visualization tool, which can present the network activities in a way that is easily understood by a user. Currently, there are numerous data visualization tools in network monitoring, namely Network Analysis Visualization, Spinning Cube of Potential Doom (SCPD), Visual Information Security Utility for Administration Live (VISUAL), SeeNet, Cichlid, CyberNet and others. These tools provide useful information about network activities, which is important for monitoring purposes. Our work entails the development of an advanced visualization framework to intelligently visualize high volume, real-time network traffic data.
IETE Technical Review | 2016
Redhwan M. A. Saad; Mohammed Anbar; Selvakumar Manickam; Esraa Alomari
IPv6 was designed to solve the issue of adopting IPv4 addresses by presenting a large number of address spaces. Currently, many networking devices consider IPv6 as a supportive IPv6-enabled device that includes routers, notebooks, personal computers, and mobile phones. Security has increasingly become a significant issue in exploiting networks and obtaining the benefits of IPv6. One of the important protocols in IPv6 implementation that is used for neighbor and router discovery is ICMPv6. However, this protocol can be used by attackers to deny network services through ICMPv6 DDoS flooding attacks that decrease the network performance. To solve this problem, this study proposes an intelligent ICMPv6 DDoS flooding-attack detection framework using back-propagation neural network (v6IIDS) in IPv6 networks. This study also explores and analyzes the detection accuracy of the proposed v6IIDS framework. The effectiveness of the v6IIDS framework is demonstrated by using real data-sets obtained from an NAv6 laboratory. The data-set traffic is based on a test-bed environment created on the basis of certain parameters used as inputs to generate a new data-set. The results prove that the proposed framework is capable of detecting ICMPv6 DDoS flood attacks with a detection accuracy rate of 98.3%.
international conference on advanced communication technology | 2014
Esraa Alomari; Selvakumar Manickam; B. B. Gupta; Parminder Singh; Mohammed Anbar
Botnet is one of the most widespread and serious malware which occur frequently in today's cyber attacks. A botnet is a group of Internet-connected computer programs communicating with other similar programs in order to perform various attacks. HTTP-based botnet is the most dangerous botnet among all the different botnets available today. In botnet detection, in particular, behavioural-based approaches suffer from the unavailability of benchmark datasets, and this leads to a lack of precise results evaluation of botnet detection systems, comparison, and deployment, which originates from the deficiency of adequate datasets. Most of the datasets in the botnet field are from local environments and cannot be used on a large scale due to privacy problems, do not reflect common trends, and also lack some statistical features. To the best of our knowledge, there is not any benchmark dataset available which is infected by HTTP-based botnet (HBB) for performing Distributed Denial of Service (DDoS) attacks against Web servers by using the HTTP-GET flooding method. In addition, there is no Web access log infected by botnet available for researchers. Therefore, in this paper, a complete test-bed will be illustrated in order to implement a real time HTTP-based botnet for performing a variety of DDoS attacks against Web servers by using the HTTP-GET flooding method. In addition to this, Web access logs with HTTP bot traces are also generated. These real time datasets and Web access logs can be useful to study the behaviour of HTTP-based botnet as well as to evaluate different solutions proposed to detect HTTP-based botnet by various researchers.
IETE Technical Review | 2014
Leau Yu Beng; Sureswaran Ramadass; Selvakumar Manickam; Tan Soo Fun
In recent years, network intrusion attempts have been on the rise. Malicious attempts, including hacking, botnets, and worms, are used to intrude and compromise the organizations' networks, affecting their confidentiality, integrity and availability of resources. In order to detect these malicious activities, intrusion detection systems (IDSs) have been widely deployed in corporate networks. IDS sends alerts to security personnel in case of anomalous activities in the network. Unfortunately, one of the IDSs' drawbacks is that they produce a large number of false positives and non-relevant positive alerts that could overwhelm the security personnel. Existing efforts to address this are done via identification of the similarities and causality relationships between alerts, grouping them into different clusters and prioritizing them after conducting the assessment on them. In this paper, we present commonly used alert correlation approaches and highlight the advantages and disadvantages from various perspectives. Existing alert correlation models are critically reviewed and compared in this paper. Subsequently, we emphasize four main considerations in alert correlation design, which are: attack scenario either single packet or multi-stage attack, its architecture either centralized or distributed, performance assessment on accuracy of alert detection, and its processing time and the data to be used for testing.
international conference on computer communications | 2014
Parminder Singh; Selvakumar Manickam; Shafiq Ul Rehman
Cloud computing is the next revolution in the Information and Communication Technology arena. It is a model in which computing is delivered as a commoditized service similar to electricity, water and telecommunication. Cloud computing provides software, platform, infrastructure and other hybrid models which are delivered as subscription-based services in which customers pay based on usage. Nevertheless, security is one of the main factors that inhibit the proliferation of cloud computing. Economic Denial of Sustainability (EDoS) is a new breed of security and economical threats to the cloud computing. Unlike the traditional Distributed Denial of Service (DDoS) which brings down a particular service by exhausting the resources of the server in traditional setup, EDoS takes advantage of the elasticity of the cloud service. This causes the resources to dynamically scale to meet the demand (as a result of EDoS attack) resulting in a hefty bill for the customer. In this survey, we review various EDoS mitigation techniques that have been introduced in recent years.
International Journal of Computer Applications | 2012
Karim Al-Saedi; Sureswaran Ramadass; Ammar Almomani; Selvakumar Manickam; Wafaa A. H. Ali Alsalihy
techniques and approaches are used to address the threats that are faced by computer networks today. Some of these reactive approaches involve Intrusion Detection System (IDS), malware data mining and network monitoring. Numerous false positive alerts are generated by the IDS, contributing negatively to system complexity and performance. In this paper, we present a new framework called collection mechanism and reduction of IDS alert framework (CMRAF) to remove duplicate IDS alerts and reduce the amount of false alerts. CMRAF is based on two models. The first model develops a mechanism to save IDS alerts, extract the standard features as intrusion detection message exchange format, and save them in a DB file (CSV type). The second model consists of three phases. The first phase removes redundant alerts, the second phase reduces false alerts based on threshold time value, and the last phase reduces false alerts based on rules with threshold common vulnerabilities and exposure value. We applied CMRAF on two environments: the Darpa 1999 and the NAv6 network center data sets. The result obtained from the experiment on the Darpa 1999 data set recorded a 92% alert reduction rate, whereas that on the NAv6 data set recorded an 84% alert reduction rate. From the results, CMRAF was able to scale back a massive quantity of redundant alerts and effectively reduce false alerts.
communications and networking symposium | 2016
Steffen Haas; Shankar Karuppayah; Selvakumar Manickam; Max Mühlhäuser; Mathias Fischer
P2P botnets represent another escalation level in the race of arms between criminals and the research community. By utilizing a distributed P2P architecture they are resilient against random failures and attacks and overcome the limitations of a central command and control server. For this reason, it is important to monitor them to gather information for potential takedown attempts. In this paper, we introduce our high-frequency crawling tool Strobo-Crawler that can carry out a fine-grained node enumeration. Furthermore, we propose mechanisms to derive accurate snapshots of the botnet graph on the basis of restricted monitoring data. We applied Strobo-Crawler in a two week crawling campaign in the P2P botnets Sality and ZeroAccess and describe the results along with a careful evaluation of our graph reconstruction. Furthermore, we provide a thorough analysis of the resulting botnet graphs and also provide these graphs to the public. Our results indicate that they are highly resilient against node churn, but also against targeted attacks. Bots are highly interconnected and the graphs are characterized by a high clustering coefficient, high density, and low diameter.