Yukiko Sawaya
Telcordia Technologies
Publication
Featured research published by Yukiko Sawaya.
Symposium on Applications and the Internet | 2011
Yukiko Sawaya; Ayumu Kubota; Yutaka Miyake
Flow-based attacker detection is a common way to detect malicious hosts at a router on a high-traffic network with fewer computing resources. The most challenging aspect is to detect attackers that traverse well-known ports such as TCP ports 21, 25, 80, 443, etc. Although various methods have been studied, they cannot accurately detect such attackers. We propose a new flow-based attacker detection method that achieves a high detection rate using traffic flow statistics obtained by NetFlow, sFlow, etc. The proposed method focuses on the characteristics of attackers who send flows to both the object port and a generally closed port in the global network. Our method accurately identifies hosts sending flows to the object port as attackers, without any deep packet inspection. We evaluated our method using actually collected NetFlow data. The results show that it detects 90.0% of attackers, with few misidentifications of legitimate hosts.
2012 International Conference on Computing, Networking and Communications (ICNC) | 2012
Ravichander Vaidyanathan; Abhrajit Ghosh; Yukiko Sawaya; Ayumu Kubota
Spoofed IP traffic (traffic containing packets with incorrect source IP addresses) is often used by Internet-based attackers for anonymity. This method reduces the risk of trace-back and avoids attack detection by traffic-based sensors. In general, attackers may use randomly or selectively chosen IP address space to serve as source IP addresses on attack packets. The IP address allocation process creates room for bogons as well as other prefix space that is either unallocated or semi-dark, i.e. allocated but not in operational use. In this paper, we detail novel techniques to construct filters that cover unallocated and semi-dark space. We then evaluate the use of such IP source prefix filters using efficient filtering techniques on an enterprise network and the correlations of such source IP addresses with malicious traffic or bad actors. Our initial results indicate that there is a high degree of correlation between dark or semi-dark source IP prefix space and malicious traffic. As such, it may be feasible for network operators to deploy effective filters based on dark or semi-dark source IP prefix space that block malicious traffic with a low degree of false positives. Further, the presence of such traffic can serve as an early warning of DoS or other attacks.
China Communications | 2013
Abhrajit Ghosh; Yitzchak M. Gottlieb; Aditya Naidu; Akshay Vashist; Alexander Poylisher; Ayumu Kubota; Yukiko Sawaya; Akira Yamada
In this paper, we present Real-Time Flow Filter (RTFF), a system that adopts a middle ground between coarse-grained volume anomaly detection and deep packet inspection. RTFF was designed with the goal of scaling to high-volume data feeds that are common in large Tier-1 ISP networks and providing rich, timely information on observed attacks. It is a software solution that is designed to run on off-the-shelf hardware platforms and incorporates a scalable data processing architecture along with lightweight analysis algorithms that make it suitable for deployment in large networks. RTFF also makes use of state-of-the-art machine learning algorithms to construct attack models that can be used to detect as well as predict attacks.
Trust, Security and Privacy in Computing and Communications | 2017
Tran Phuong Thao; Akira Yamada; Kosuke Murakami; Jumpei Urakawa; Yukiko Sawaya; Ayumu Kubota
Detection of drive-by download attacks has gained focus in security research since the attack has turned into the most popular and serious threat to web infrastructure. The attack exploits vulnerabilities in web browsers and their extensions to download malicious software unnoticed. Often, the victim is sent through a long chain of redirection operations in order to take down the offending pages. Concretely, the attack is triggered when a user visits a benign webpage that has been compromised by the attacker (called the landing page) and has had malicious code inserted into it. The user is then automatically redirected to an actual page that installs malware on the user's computer (called the distribution page) without his/her consent or knowledge. While there is a large body of work targeting detection of drive-by download attacks, little attention has been paid to redirection, which is a crucial characteristic of the attack. In this paper, for the first time, we propose an approach to the classification of landing and distribution domains, which are important components forming the head and tail of a redirection chain in the attack. The methodology in our approach is to use machine learning for text mining on the registered information of the domains, called whois. We intensively implemented our approach with six popular supervised learning algorithms, compared the results, and concluded that Linear-based Support Vector Machine and CART algorithm-based Decision Tree are the best models for our dataset, giving respectively 98.55% and 99.28% accuracy, 97.78% and 98.95% F1 score, and 98.35% and 99.45% average precision.
Archive | 2011
Ravichander Vaidyanathan; Abhrajit Ghosh; Aditya Naidu; Akira Yamada; Ayumu Kubota; Yukiko Sawaya; Yutaka Miyake
Human Factors in Computing Systems | 2017
Yukiko Sawaya; Mahmood Sharif; Nicolas Christin; Ayumu Kubota; Akihiro Nakarai; Akira Yamada
Archive | 2012
Akshay Vashist; Yitzchak M. Gottlieb; Abhrajit Ghosh; Yukiko Sawaya; Ayumu Kubota
Security and Artificial Intelligence | 2012
Yukiko Sawaya; Ayumu Kubota; Akira Yamada
Proceedings of the IEICE Engineering Sciences Society/NOLTA Society Conference | 2015
Yukiko Sawaya; Akira Yamada; Akihiro Nakarai; Takashi Matsunaka; Jumpei Urakawa; Ayumu Kubota
Archive | 2013
Ravichander Vaidyanathan; Abhrajit Ghosh; Akira Yamada; Yukiko Sawaya; Ayumu Kubota