Sherif Saad

Botnet detection based on traffic behavior analysis and flow intervals

Botnets represent one of the most serious cybersecurity threats faced by organizations today. Botnets have been used as the main vector in carrying many cyber crimes reported in the recent news. While a significant amount of research has been accomplished on botnet analysis and detection, several challenges remain unaddressed, such as the ability to design detectors which can cope with new forms of botnets. In this paper, we propose a new approach to detect botnet activity based on traffic behavior analysis by classifying network traffic behavior using machine learning. Traffic behavior analysis methods do not depend on the packets payload, which means that they can work with encrypted network communication protocols. Network traffic information can usually be easily retrieved from various network devices without affecting significantly network performance or service availability. We study the feasibility of detecting botnet activity without having seen a complete network flow by classifying behavior based on time intervals. Using existing datasets, we show experimentally that it is possible to identify the presence of existing and unknown botnets activity with high accuracy even with very small time windows.

Detecting P2P botnets through network behavior analysis and machine learning

Botnets have become one of the major threats on the Internet for serving as a vector for carrying attacks against organizations and committing cybercrimes. They are used to generate spam, carry out DDOS attacks and click-fraud, and steal sensitive information. In this paper, we propose a new approach for characterizing and detecting botnets using network traffic behaviors. Our approach focuses on detecting the bots before they launch their attack. We focus in this paper on detecting P2P bots, which represent the newest and most challenging types of botnets currently available. We study the ability of five different commonly used machine learning techniques to meet online botnet detection requirements, namely adaptability, novelty detection, and early detection. The results of our experimental evaluation based on existing datasets show that it is possible to detect effectively botnets during the botnet Command-and- Control (C&C) phase and before they launch their attacks using traffic behaviors only. However, none of the studied techniques can address all the above requirements at once.

Authorship verification for short messages using stylometry

Authorship verification can be checked using stylometric techniques through the analysis of linguistic styles and writing characteristics of the authors. Stylometry is a behavioral feature that a person exhibits during writing and can be extracted and used potentially to check the identity of the author of online documents. Although stylometric techniques can achieve high accuracy rates for long documents, it is still challenging to identify an author for short documents, in particular when dealing with large authors populations. These hurdles must be addressed for stylometry to be usable in checking authorship of online messages such as emails, text messages, or twitter feeds. In this paper, we pose some steps toward achieving that goal by proposing a supervised learning technique combined with n-gram analysis for authorship verification in short texts. Experimental evaluation based on the Enron email dataset involving 87 authors yields very promising results consisting of an Equal Error Rate (EER) of 14.35% for message blocks of 500 characters.

Peer to Peer Botnet Detection Based on Flow Intervals

Botnets are becoming the predominant threat on the Internet today and is the primary vector for carrying out attacks against organizations and individuals. Botnets have been used in a variety of cybercrime, from click-fraud to DDOS attacks to the generation of spam. In this paper we propose an approach to detect botnet activity by classifying network traffic behavior using machine learning classification techniques. We study the feasibility of detecting botnet activity without having seen a complete network flow by classifying behavior based on time intervals and we examine the performance of two popular classification techniques with respect to this data. Using existing datasets, we show experimentally that it is possible to identify the presence of botnet activity with high accuracy even with very small time windows, though there are some limitations to the approach based on the selection of attributes.

Method ontology for intelligent network forensics analysis

Network forensics is an after the fact process to investigate malicious activities conducted over computer networks by gathering useful intelligence. Recently, several machine learning techniques have been proposed to automate and develop intelligent network forensics systems. An intelligent network forensics system that reconstructs intrusion scenarios and makes attack attributions requires knowledge about intrusions signatures, evidences, impacts, and objectives. In addition, problem solving knowledge that describes how the system can use domain knowledge to analyze malicious activities is essential for the design of intelligent network forensics systems. In this paper we adapt recent researches in semantic-web, information architecture, and ontology engineering to design a method ontology for network forensics analysis. The proposed ontology represents both network forensics domain knowledge and problem solving knowledge. It can be used as a knowledge-base for developing sophisticated intelligent network forensics systems to support complex chain of reasoning. We use a real life network intrusion scenario to show how our ontology can be integrated and used in intelligent network forensics systems.

Extracting attack scenarios using intrusion semantics

Building the attack scenario is the first step to understand an attack and extract useful attack intelligence. Existing attack scenario reconstruction approaches, however, suffer from several limitations that weaken the elicitation of the attack scenarios and decrease the quality of the generated attack scenarios. In this paper, we discuss the limitations of the existing attack scenario reconstruction approaches and propose a novel hybrid approach using semantic analysis and intrusion ontology. Our approach can reconstruct known and unknown attack scenarios and correlate alerts generated in multi-sensor IDS environment. Our experimental results show the potential of our approach and its advantages over previous approaches.

Semantic aware attack scenarios reconstruction

Abstract Intrusion analysis is a resource intensive, complex and expensive process for any organization. The reconstruction of the attack scenario is an important aspect of such endeavor. We tackle in this paper several challenges overlooked by existing attack scenarios reconstruction techniques that undermine their performances. These include the ability to identify and extract novel attack patterns and the correlation of heterogeneous multisensor alerts. We propose a novel attack scenario reconstruction approach that analyzes both implicit and explicit relationships between intrusion alerts using semantic analysis and a new intrusion ontology. The proposed approach can reconstruct known and unknown attack scenarios and correlate alerts generated in multi-sensor IDS environment. Moreover, our approach can handle for the first time both novel attacks and false negative alerts generated by Intrusion Detection Systems (IDSs). Our experimental results show the potential of our approach and its advantages over previous approaches.

Detection of Online Fake News Using N-Gram Analysis and Machine Learning Techniques

Fake news is a phenomenon which is having a significant impact on our social life, in particular in the political world. Fake news detection is an emerging research area which is gaining interest but involved some challenges due to the limited amount of resources (i.e., datasets, published literature) available. We propose in this paper, a fake news detection model that use n-gram analysis and machine learning techniques. We investigate and compare two different features extraction techniques and six different machine classification techniques. Experimental evaluation yields the best performance using Term Frequency-Inverted Document Frequency (TF-IDF) as feature extraction technique, and Linear Support Vector Machine (LSVM) as a classifier, with an accuracy of 92%.

A semantic analysis approach to manage IDS alerts flooding

In this paper we propose a new approach to manage alerts flooding in IDSs. The proposed approach uses semantic analysis and ontology engineering techniques to combine and fuse two or more raw IDS alerts into one summarized hybrid/meta-alert. Our approach applies a new method based on measuring the semantic similarity between IDS alerts attributes to identify the alerts that are suitable for aggregation and summarization. In contrast to previous works our approach ensures that the aggregated alerts will not lose any valuable information existing in the raw alerts set. The experimental results show that our approach is effective and efficient in fusing massive number of alerts compared to previous works in the area.

Verifying Online User Identity using Stylometric Analysis for Short Messages

Stylometry consists of the analysis of linguistic styles and writing characteristics of the authors for identification, characterization, or verification purposes. In this paper, we investigate authorship verification for the purpose of user authentication process. In this setting, authentication consists of comparing sample writing of an individual against the model or profile associated with the identity claimed by that individual at login time (i.e. 1-to-1 identity matching). In addition, the authentication process must be done in a short period of time, which means analyzing short messages. Although a significant amount of literature has been produced showing high accuracy rates for long documents, it is still challenging to identify accurately authors of short unstructured documents, in particular when dealing with large authors populations. In this paper, we pose some steps toward achieving that goal by proposing a supervised learning technique combined with n-grams analysis for authorship verification for short texts. We introduce a new n-gram metric and study several sizes of n-grams using a relatively large dataset. The experimental evaluation shows increased effectiveness of our approach compared to the existing approaches published in the literature.