
Publication


Featured research published by Shankar Karuppayah.


ACM Computing Surveys | 2015

Taxonomy and Survey of Collaborative Intrusion Detection

Emmanouil Vasilomanolakis; Shankar Karuppayah; Max Mühlhäuser; Mathias Fischer

The dependency of our society on networked computers has become frightening: In the economy, all-digital networks have turned from facilitators to drivers; as cyber-physical systems are coming of age, computer networks are now becoming the central nervous systems of our physical world—even of highly critical infrastructures such as the power grid. At the same time, the 24/7 availability and correct functioning of networked computers has become much more threatened: The number of sophisticated and highly tailored attacks on IT systems has significantly increased. Intrusion Detection Systems (IDSs) are a key component of the corresponding defense measures; they have been extensively studied and utilized in the past. Since conventional IDSs are not scalable to big company networks and beyond, nor to massively parallel attacks, Collaborative IDSs (CIDSs) have emerged. They consist of several monitoring components that collect and exchange data. Depending on the specific CIDS architecture, central or distributed analysis components mine the gathered data to identify attacks. Resulting alerts are correlated among multiple monitors in order to create a holistic view of the network monitored. This article first determines relevant requirements for CIDSs; it then differentiates distinct building blocks as a basis for introducing a CIDS design space and for discussing it with respect to requirements. Based on this design space, attacks that evade CIDSs and attacks on the availability of the CIDSs themselves are discussed. The entire framework of requirements, building blocks, and attacks as introduced is then used for a comprehensive analysis of the state of the art in collaborative intrusion detection, including a detailed survey and comparison of specific CIDS approaches.


International Journal of Computer Applications | 2012

Botnet-based Distributed Denial of Service (DDoS) Attacks on Web Servers: Classification and Art

Esraa Alomari; Selvakumar Manickam; B. B. Gupta; Shankar Karuppayah; Rafeef Alfaris

Botnets are prevailing mechanisms for the facilitation of distributed denial of service (DDoS) attacks on computer networks or applications. Currently, Botnet-based DDoS attacks on the application layer are the latest and most problematic trends in network security threats. Botnet-based DDoS attacks on the application layer limit resources, curtail revenue, and yield customer dissatisfaction, among others. DDoS attacks are among the most difficult problems to resolve online, especially when the target is the Web server. In this paper, we present a comprehensive study to show the danger of Botnet-based DDoS attacks on the application layer, especially on the Web server, and the incidents of such attacks that have evidently increased recently. Botnet-based DDoS attack incidents and revenue losses of famous companies and government websites are also described. This provides a better understanding of the problem, the current solution space, and the future research scope to defend against such attacks efficiently.


Security of Information and Networks | 2015

A honeypot-driven cyber incident monitor: lessons learned and steps ahead

Emmanouil Vasilomanolakis; Shankar Karuppayah; Panayotis Kikiras; Max Mühlhäuser

In recent years, the amount and the sophistication of cyber attacks have increased significantly. This creates a plethora of challenges from a security perspective. First, for the efficient monitoring of a network, the generated alerts need to be presented and summarized in a meaningful manner. Second, additional analytics are required to identify sophisticated and correlated attacks. In particular, the detection of correlated attacks requires collaboration between different monitoring points. Cyber incident monitors are platforms utilized for supporting the tasks of network administrators and provide an initial step towards coping with the aforementioned challenges. In this paper, we present our cyber incident monitor TraCINg. TraCINg obtains alert data from honeypot sensors distributed all over the world. The main contribution of this paper is a thoughtful discussion of the lessons learned, both from a design rationale perspective as well as from the analysis of data gathered during a five-month deployment period. Furthermore, we show that even with a relatively small number of deployed sensors, it is possible to detect correlated attacks that target multiple sensors.


International Conference on Communications | 2014

On advanced monitoring in resilient and unstructured P2P botnets

Shankar Karuppayah; Mathias Fischer; Christian Rossow; Max Mühlhäuser

Botnets are a serious threat to Internet-based services and end users. The recent paradigm shift from centralized to more sophisticated Peer-to-Peer (P2P)-based botnets introduces new challenges for security researchers. Centralized botnets can be easily monitored and, once their command and control server is identified, easily be taken down. However, P2P-based botnets are much more resilient against such attempts. To make matters worse, botnets like P2P Zeus include additional countermeasures to make monitoring and crawling more difficult for the defenders. In this paper, we discuss in detail the problems of P2P botnet monitoring. As our main contribution, we introduce the Less Invasive Crawling Algorithm (LICA) for efficiently crawling unstructured P2P botnets while utilizing only local information. We compare the performance of LICA with other known crawling methods such as Depth-first and Breadth-first search. This is achieved by simulating these methods not only on a real-world botnet dataset, but also on an unstructured P2P file sharing network dataset. Our analysis results indicate that LICA significantly outperforms the other known crawling methods.


International Conference on Distributed Computing Systems | 2015

Zeus Milker: Circumventing the P2P Zeus Neighbor List Restriction Mechanism

Shankar Karuppayah; Stefanie Roos; Christian Rossow; Max Mühlhäuser; Mathias Fischer

The emerging trend of highly resilient P2P botnets poses a huge security threat to our modern society. Carefully designed countermeasures as applied in sophisticated P2P botnets such as P2P Zeus impede botnet monitoring and successive takedown. These countermeasures reduce the accuracy of the monitored data, such that an exact reconstruction of the botnet's topology is hard to obtain efficiently. However, an accurate topology snapshot, revealing particularly the identities of all bots, is crucial to execute effective botnet takedown operations. With the goal of obtaining the required snapshot in an efficient manner, we provide a detailed description and analysis of the P2P Zeus neighbor list restriction mechanism. As our main contribution, we propose ZeusMilker, a mechanism for circumventing the existing anti-monitoring countermeasures of P2P Zeus. In contrast to existing approaches, our mechanism deterministically reveals the complete neighbor lists of bots and hence can efficiently provide a reliable topology snapshot of P2P Zeus. We evaluated ZeusMilker on a real-world dataset and found that it outperforms state-of-the-art techniques for botnet monitoring with regard to the number of queries needed to retrieve a bot's complete neighbor list. Furthermore, ZeusMilker is provably optimal in retrieving the complete neighbor list, requiring at most 2n queries for an n-element list. Moreover, we also evaluated how the performance of ZeusMilker is impacted by various protocol changes designed to undermine its provable performance bounds.


Security and Privacy in Smartphones and Mobile Devices | 2013

This network is infected: HosTaGe - a low-interaction honeypot for mobile devices

Emmanouil Vasilomanolakis; Shankar Karuppayah; Mathias Fischer; Max Mühlhäuser; Mihai Plasoianu; Lars Pandikow; Wulf Pfeiffer

In recent years, the number of sophisticated cyber attacks has increased rapidly. At the same time, people tend to utilize wireless networks of unknown trustworthiness in their daily life. They connect to these networks, e.g., at airports, without knowledge of whether they are safe or infected with actively propagating malware. In traditional networks, malicious behavior can be detected via Intrusion Detection Systems (IDSs). However, IDSs cannot be applied easily to mobile environments and to resource-constrained devices. Another common defense mechanism is honeypots, i.e., systems that pretend to be an attractive target to attract malware and attackers. As a honeypot has no productive use, each attempt to access it can be interpreted as an attack. Hence, they can provide an early indication of malicious network environments. Since low-interaction honeypots do not have high CPU or memory requirements, they are suitable for resource-constrained devices like smartphones or tablets. In this paper, we present the idea of Honeypot-To-Go. We envision portable honeypots on mobile devices that aim at the fast detection of malicious networks and thus boost the security awareness of users. Moreover, to demonstrate the feasibility of this proposal we present our prototype HosTaGe, a low-interaction honeypot implemented for the Android OS. We present some initial results regarding the performance of this application as well as its ability to detect attacks in a realistic environment. To the best of our knowledge, HosTaGe is the first implementation of a generic low-interaction honeypot for mobile devices.


Security of Information and Networks | 2014

HosTaGe: a Mobile Honeypot for Collaborative Defense

Emmanouil Vasilomanolakis; Shankar Karuppayah; Max Mühlhäuser; Mathias Fischer

The continuous growth of the number of cyber attacks along with the massive increase of mobile devices creates a highly heterogeneous landscape in terms of security challenges. We argue that in order for security researchers to cope with both the massive amount and the complexity of attacks, a more proactive approach has to be taken into account. In addition, distributed attacks that are carried out by interconnected attackers require a collaborative defense. Diverging from traditional security defenses, honeypots are systems whose value lies in being attacked and compromised. In this paper, we extend the idea of HosTaGe, i.e., a low-interaction honeypot for mobile devices. Our system is specifically designed in a user-centric manner and runs out-of-the-box on the Android operating system. We present the design rationale and discuss the different attack surfaces that HosTaGe is able to handle. The main contribution of this paper is the introduction of the collaborative capabilities of HosTaGe.


Communications and Networking Symposium | 2015

Hide and seek: Detecting sensors in P2P botnets

Leon Böck; Shankar Karuppayah; Tim Grube; Max Mühlhäuser; Mathias Fischer

Many cyber-crimes, such as Denial of Service (DoS) attacks and banking fraud, originate from botnets. To prevent botnets from being taken down easily, botmasters have adopted peer-to-peer (P2P) mechanisms to prevent any single point of failure. However, sensor nodes that are often used for both monitoring and executing sinkholing attacks are threatening such botnets. In this paper, we introduce a novel mechanism to detect sensor nodes in P2P botnets using the clustering coefficient as a metric. We evaluated our mechanism on the real-world botnet Sality over the course of a week and were able to detect an average of 25 sensors per day with a false positive rate of 20%.


Communications and Networking Symposium | 2016

On the resilience of P2P-based botnet graphs

Steffen Haas; Shankar Karuppayah; Selvakumar Manickam; Max Mühlhäuser; Mathias Fischer

P2P botnets represent another escalation level in the arms race between criminals and the research community. By utilizing a distributed P2P architecture they are resilient against random failures and attacks and overcome the limitations of a central command and control server. For this reason, it is important to monitor them to gather information for potential takedown attempts. In this paper, we introduce our high-frequency crawling tool Strobo-Crawler that can carry out a fine-grained node enumeration. Furthermore, we propose mechanisms to derive accurate snapshots of the botnet graph on the basis of restricted monitoring data. We applied Strobo-Crawler in a two-week crawling campaign in the P2P botnets Sality and ZeroAccess and describe the results along with a careful evaluation of our graph reconstruction. Furthermore, we provide a thorough analysis of the resulting botnet graphs and also provide these graphs to the public. Our results indicate that they are highly resilient against node churn, but also against targeted attacks. Bots are highly interconnected and the graphs are characterized by a high clustering coefficient, high density, and low diameter.


International Conference on Communications | 2016

BoobyTrap: On autonomously detecting and characterizing crawlers in P2P botnets

Shankar Karuppayah; Emmanouil Vasilomanolakis; Steffen Haas; Max Mühlhäuser; Mathias Fischer

The ever-growing number of cyber attacks from botnets has made them one of the biggest threats on the Internet. Thus, it is crucial to study and analyze botnets in order to take them down. For this, extensive monitoring is a prerequisite for preparing a botnet takedown, e.g., via a sinkholing attack. However, every new monitoring mechanism developed for botnets is usually tackled by the botmasters by introducing novel anti-monitoring countermeasures. In this paper, we anticipate these countermeasures by proposing a set of lightweight techniques for detecting the presence of crawlers in P2P botnets, called BoobyTrap. For that, we exploit botnet-specific protocol and design constraints. We evaluate the performance of our BoobyTrap mechanism on two real-world botnets: Sality and ZeroAccess. Our results indicate that we can distinguish many crawlers from benign bots. In fact, we discovered close to 10 crawler nodes within our observation period in the Sality botnet and around 120 in the ZeroAccess botnet. In addition, we also describe the observable characteristics of the detected crawlers and suggest crawler improvements for enabling monitoring in the presence of the BoobyTrap mechanism.

Collaboration

Top co-authors of Shankar Karuppayah:

Max Mühlhäuser, Technische Universität Darmstadt
Mathias Fischer, International Computer Science Institute
Emmanouil Vasilomanolakis, Technische Universität Darmstadt
Leon Böck, Technische Universität Darmstadt
Tim Grube, Technische Universität Darmstadt
Aun Yichiet, Universiti Sains Malaysia