Publication


Featured research published by Sureswaran Ramadass.


International Conference on Emerging Security Information, Systems and Technologies | 2009

A Survey of Botnet and Botnet Detection

Maryam Feily; Alireza Shahrestani; Sureswaran Ramadass

Among the various forms of malware, botnets are emerging as the most serious threat against cyber-security as they provide a distributed platform for several illegal activities such as launching distributed denial of service attacks against critical targets, malware dissemination, phishing, and click fraud. The defining characteristic of botnets is the use of command and control channels through which they can be updated and directed. Recently, botnet detection has been an interesting research topic related to cyber-threat and cyber-crime prevention. This paper is a survey of botnets and botnet detection. The survey clarifies the botnet phenomenon and discusses botnet detection techniques. This survey classifies botnet detection techniques into four classes: signature-based, anomaly-based, DNS-based, and mining-based. It summarizes botnet detection techniques in each class and provides a brief comparison of botnet detection techniques.


IETE Technical Review | 2013

Survey of Internet Protocol Version 6 Link Local Communication Security Vulnerability and Mitigation Methods

Supriyanto; Iznan H. Hasbullah; Raja Kumar Murugesan; Sureswaran Ramadass

IPv6 is a network layer protocol of the OSI reference model. IPv6 uses the Neighbor Discovery Protocol (NDP), which works on the link local scope of an IPv6 network. NDP covers host initialization and address auto configuration, which is one of IPv6's advantages, and other important functionalities. IPv6 mandates support for Internet Protocol Security (IPSec) for end-to-end communication security. However, this security protocol does not cover the link local communication that uses NDP. It is important to consider the link local security issues, as the Internet, being an open network, is vulnerable to exploitation by attackers from both outside and inside the network. In addition, most of the security mechanisms typically block external threats but are relatively vulnerable to threats originating from the internal network. Thus, understanding the threats and vulnerabilities in the local network is very important. This paper surveys the local network security phenomenon and the current defense methods for mitigating IPv6 link local network security vulnerabilities.


International Conference on Computer Technology and Development | 2009

Architecture for Applying Data Mining and Visualization on Network Flow for Botnet Traffic Detection

Alireza Shahrestani; Maryam Feily; Rodina Ahmad; Sureswaran Ramadass

The botnet is one of the most recent tools used in cyber-crime, including Distributed Denial of Service attacks, phishing, spamming, and spying on remote computers. These days, governments, businesses, and individuals are facing catastrophic damage caused by hackers using malicious botnets. It is a major challenge for the cyber-security research community to combat the emerging threat of botnets. Current network intrusion detection methods based on anomaly detection approaches suffer from a fairly high error rate and low performance. The proposed flow based botnet detection system tackles these issues by combining data mining and visualization. The anomalous data is passed to several trust models, and the flows are re-evaluated to obtain their trustfulness, which is then aggregated to detect malicious traffic via visualization. The visualized information will be analyzed by human intellectual and conceptual ability to gain useful knowledge about botnet activities for further precaution and validation.


European Symposium on Computer Modeling and Simulation | 2009

Study on Advanced Visualization Tools In Network Monitoring Platform

Doris Wong Hooi Ten; Selvakumar Manickam; Sureswaran Ramadass; Hussein Al Bazar

Visualization tools have emerged as a critical component, especially in medical, education, engineering, military and environmental management. These fields have applied visualization techniques to improve decision making and organization management performance. In recent times, the advent of the Internet and the explosive growth of networking infrastructure on a global scale demand an intuitive and wholesome approach to visualizing network traffic. Complexity of network architecture and insufficient vendor support are the major issues that are always faced by a user in solving a network monitoring problem. A network engineer needs to start on network monitoring by integrating conventional network monitoring tools with an innovative visualization tool, which can present the network activities in a way that is easily understood by a user. Currently, there are numerous data visualization tools in network monitoring, namely Network Analysis Visualization, Spinning Cube of Potential Doom (SCPD), Visual Information Security Utility for Administration Live (VISUAL), SeeNet, Cichlid, CyberNet and others. These tools provide useful information about network activities, which is important for monitoring purposes. Our work entails the development of an advanced visualization framework to intelligently visualize high volume, real-time network traffic data.


Broadband Communications, Networks and Systems | 2009

False positive reduction in intrusion detection system: A survey

Omar Amer Abouabdalla; Homam El-Taj; Ahmed M. Manasrah; Sureswaran Ramadass

Since the first intrusion detection system and up to this moment, all IDSs have generated thousands and thousands of alerts, and most of these alerts are false alerts, which led researchers to develop ideas to reduce the rate of the alerts, or at least of the false alerts among them. One of the ideas was to create correlation methods which cover the problem of dealing with the huge amount of both real alerts and false alerts. The techniques used in this area aim to help the analyst to analyze these alerts and to distinguish between alerts generated by real attacks and those generated by legal traffic. This paper will highlight the false positive reduction techniques surrounding this area.


IEEE Symposium on Industrial Electronics and Applications | 2009

Improving the performance of IPv6 packet transmission over LAN

Raja Kumar Murugesan; Sureswaran Ramadass; Rahmat Budiarto

IPv6 has extended features with a host of advantages when compared to IPv4, which could be capitalized on to meet today's communication needs. Apart from its advantages, the IPv6 header size has increased to twice the size of a typical IPv4 header, resulting in increased overhead. IPv6 includes IPSec, which adds further overhead and reduces network performance. The increased header size and IPSec in IPv6 would increase bandwidth utilization, increase latency and reduce throughput for IPv6 traffic. Devising appropriate methods to offset this increased overhead will significantly improve the performance of IPv6 packet transmission, depending on the traffic being transferred. Based on our ongoing research, we present a customized IPv6 header for packet transmission over a LAN. The customized IPv6 header reduces the size of the IPv6 packet header. The reduction in header size will significantly improve the performance of the small sized IPv6 packets that are dominantly present over a LAN, in terms of bandwidth savings, better response time and increased throughput.


IETE Technical Review | 2014

A Survey of Intrusion Alert Correlation and Its Design Considerations

Leau Yu Beng; Sureswaran Ramadass; Selvakumar Manickam; Tan Soo Fun

In recent years, network intrusion attempts have been on the rise. Malicious attempts, including hacking, botnets, and worms, are used to intrude into and compromise organizations' networks, affecting the confidentiality, integrity and availability of their resources. In order to detect these malicious activities, intrusion detection systems (IDSs) have been widely deployed in corporate networks. An IDS sends alerts to security personnel in case of anomalous activities in the network. Unfortunately, one of the IDSs' drawbacks is that they produce a large number of false positive and non-relevant positive alerts that could overwhelm the security personnel. Existing efforts to address this are done via identification of the similarities and causality relationships between alerts, grouping them into different clusters and prioritizing them after conducting an assessment of them. In this paper, we present commonly used alert correlation approaches and highlight their advantages and disadvantages from various perspectives. Existing alert correlation models are critically reviewed and compared in this paper. Subsequently, we emphasize four main considerations in alert correlation design, which are: attack scenario either single packet or multi-stage attack, its architecture either centralized or distributed, performance assessment on accuracy of alert detection, and its processing time and the data to be used for testing.


IEEE International Conference on Computer Applications and Industrial Electronics | 2011

Malaysian Internet Surfing Addiction (MISA): Factors affecting the Internet use and its consequences

Choo Siow Ling; Sureswaran Ramadass; Altyeb Altaher; Navaneethan C. Arjuman

Internet addiction has emerged as a serious mental health issue in the recent decade. In recent times, Internet addiction has become a global concern to human society. As the electronic world has become more and more common to the young, younger generations are alleged to be susceptible to the risk of Internet addiction. This research outlines a method to examine the level of addiction to Internet surfing among Malaysians. The purpose of our study is to identify Internet use among Malaysians and the relation of excessive use to the addictive level. We propose and devise an online survey to study Internet use among the younger generations. The questionnaire consists of five subsections: the relevant demographic questions, the diagnosis of the Internet addiction level, related questions on Internet surfing behavior, the reasons for excessive Internet usage, and the consequences of the addictive behavior. Participants of the online survey were selected randomly from Malaysia, ranging in age from 7 years old to 30 years old. We found that the Internet use of the younger generations was susceptible to Internet addiction. The findings reflect that younger generations are vulnerable to the fantasized world.


International Conference on Emerging Security Information, Systems and Technologies | 2010

Discovery of Invariant Bot Behavior through Visual Network Monitoring System

Alireza Shahrestani; Maryam Feily; Rodina Ahmad; Sureswaran Ramadass

Botnets are emerging as the most significant threat facing online ecosystems and computing assets due to their enormous volume and sheer power. It is a major challenge for the cyber-security research community to combat the emerging threat of botnets. Most useful approaches for botnet traffic detection are based on passive network traffic monitoring and analysis. Nevertheless, typical network traffic generates a huge amount of data for analysis. In addition, the poor user interfaces of the existing tools lead to insufficient utilization of the captured data, and do not consider utilization of human intellectual capability. The proposed visual network monitoring system tackles these issues by adopting proper visualization techniques. The proposed visualization techniques enhance the visibility of network traffic related to invariant bot behaviors, and provide notification of bot existence without distracting the user with huge volumes of data. The visual illustration of typical bot behavior improves the botnet traffic detection process by engaging human perception capabilities. This approach assists security personnel with a visual security tool to mitigate botnet threats by discovering invariant botnet behaviors during the benign state of a botnet in small to medium size networks. Moreover, the user friendly interface of this system is interactive, flexible, and easy to use.


Archive | 2011

Performance Study of Fluid Content Distribution Model for Peer-to-Peer Overlay Networks

Salah Noori Saleh; Maryam Feily; Sureswaran Ramadass; Ayman Hannan

Recently, overlay networks have been used to serve high-concurrency applications ranging from live streaming to reliable delivery of popular content. Compared to traditional communication mechanisms, overlay networks offer an enhanced alternative for content delivery in terms of flexibility, scalability, and ease of deployment. The content distribution process in overlay networks is facilitated by leveraging the uploading capacity of the receiving nodes. Content distribution in overlay networks is generally based on the Chunk and Fluid models. The Fluid model provides continuous transfer of the content from the source to multiple receivers. However, deploying the Fluid model in heterogeneous peer-to-peer overlay networks requires special consideration due to the incorporation of tightly coupled connections between adjacent peers. The aim of this paper is to study the performance of different Fluid content distribution models for peer-to-peer overlay networks. This paper investigates three different classes of Fluid content distribution models: Fluid model with scheduling, backpressure and encoding. Moreover, the performance of the Fluid model with backpressure and with encoding has been evaluated and compared based on download time as a critical performance metric in peer-to-peer overlay networks. The performance tests have been carried out by real implementation tests over "PlanetLab".

Collaboration

Top Co-Authors

Altyeb Altaher, Universiti Sains Malaysia

Tat-Chee Wan, Universiti Sains Malaysia

Maryam Feily, Universiti Sains Malaysia

Kok-Soon Chai, Universiti Sains Malaysia

Mohammed Anbar, Universiti Sains Malaysia