The experts below are selected from a list of 1131 experts worldwide ranked by the ideXlab platform

Satinder Singh - One of the best experts on this subject based on the ideXlab platform.

  • A Stackelberg Game Model for Botnet Data Exfiltration
    Decision and Game Theory for Security, 2017
    Co-Authors: Thanh H Nguyen, Michael P Wellman, Satinder Singh
    Abstract:

    Cyber-criminals can distribute malware to control computers on a networked system and leverage these compromised computers to perform their malicious activities inside the network. Botnet-detection mechanisms, based on a detailed analysis of network traffic characteristics, provide a basis for defense against botnet attacks. We formulate the botnet defense problem as a zero-sum Stackelberg security game, allocating detection resources to deter botnet attacks taking into account the strategic response of cyber-criminals. We model two different botnet data-exfiltration scenarios, representing exfiltration on single or multiple paths. Based on the game model, we propose algorithms to compute an optimal detection resource allocation strategy with respect to these formulations. Our algorithms employ the double-oracle method to deal with the exponential action spaces for attacker and defender. Furthermore, we provide greedy heuristics to approximately compute an equilibrium of these botnet defense games. Finally, we conduct experiments based on both synthetic and real-world network topologies to demonstrate advantages of our game-theoretic solution compared to previously proposed defense policies.

  • GameSec - A Stackelberg Game Model for Botnet Data Exfiltration
    Lecture Notes in Computer Science, 2017
    Co-Authors: Thanh H Nguyen, Michael P Wellman, Satinder Singh

Asaf Shabtai - One of the best experts on this subject based on the ideXlab platform.

  • Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol
    Computers & Security, 2019
    Co-Authors: Asaf Nadler, Avi Aminov, Asaf Shabtai
    Abstract:

    In the presence of security countermeasures, malware designed for data exfiltration must use a covert channel to achieve its goal. The Domain Name System (DNS) protocol is a covert channel commonly used by malware developers today for this purpose. Although the detection of covert channels using the DNS has been studied for the past decade, prior research has largely dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection should not be minimized, an entire class of low throughput DNS exfiltration malware has been overlooked. In this study, we propose a method for detecting both tunneling and low throughput data exfiltration over the DNS. After determining that previously detected malware used Internet domains that were registered for a cyber-campaign rather than compromising existing legitimate domains, we focus on detecting and denying requests to these domains as an effective data leakage shutdown. Therefore, our proposed solution handles streaming DNS traffic in order to detect and automatically deny requests to domains that are used for data exchange. The initial data collection phase collects DNS logs per domain in a manner that permits scanning for long periods of time, and is thus capable of dealing with "low and slow" attacks. In the second phase features are extracted based on the querying behavior of each domain, and in the last phase an anomaly detection model is used to classify domains based on their use for data exfiltration. With regard to detection, DNS requests to domains that were classified as being used for data exfiltration will be denied indefinitely. Our method was evaluated on a large-scale recursive DNS server's logs with a peak of 47 million requests per hour. Within these DNS logs, we injected data exfiltration traffic from DNS tunneling tools as well as two real-life malware: FrameworkPOS, previously used for the theft of 56M credit cards from Home Depot in 2014, and Backdoor.Win32.Denis, which was active in the Cobalt Kitty APT in 2016. Even when restricting our method to an extremely low false positive rate (i.e., one in fifty thousand domains), it detected all of the above. In addition, the logs are used to compare our system with two recently published methods that focus on detecting DNS tunneling in order to stress the novelty of detecting low throughput exfiltration malware.

  • Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol
    arXiv: Cryptography and Security, 2017
    Co-Authors: Asaf Nadler, Avi Aminov, Asaf Shabtai
    Abstract:

    In the presence of security countermeasures, malware designed for data exfiltration must use a covert channel to achieve its goal. Among existing covert channels stands the domain name system (DNS) protocol. Although the detection of covert channels over the DNS has been thoroughly studied in the last decade, previous research dealt with a specific subclass of covert channels, namely DNS tunneling. While the importance of tunneling detection is not undermined, an entire class of low throughput DNS exfiltration malware remained overlooked. The goal of this study is to propose a method for detecting both tunneling and low-throughput data exfiltration over the DNS. Towards this end, we propose a solution composed of a supervised feature selection method, and an interchangeable and adjustable anomaly detection model trained on legitimate traffic. In the first step, a one-class classifier is applied for detecting domain-specific traffic that does not conform with the normal behavior. Then, in the second step, in order to reduce the false positive rate resulting from the attempt to detect the low-throughput data exfiltration, we apply a rule-based filter that filters data exchange over DNS used by legitimate services. Our solution was evaluated on medium-scale recursive DNS server logs, and involved more than 75,000 legitimate uses and almost 2,000 attacks. Evaluation results show that while DNS tunneling is covered with at least 99% recall rate and less than 0.01% false positive rate, the detection of low throughput exfiltration is more difficult. While not preventing it completely, our solution limits malware attempting to avoid detection to at most 1 kb/h of payload under the limitations of the DNS syntax (equivalent to five credit card details, or ten user credentials per hour), which reduces the effectiveness of the attack.

Thanh H Nguyen - One of the best experts on this subject based on the ideXlab platform.

  • A Stackelberg Game Model for Botnet Data Exfiltration
    Decision and Game Theory for Security, 2017
    Co-Authors: Thanh H Nguyen, Michael P Wellman, Satinder Singh

  • GameSec - A Stackelberg Game Model for Botnet Data Exfiltration
    Lecture Notes in Computer Science, 2017
    Co-Authors: Thanh H Nguyen, Michael P Wellman, Satinder Singh

Weijie Wang - One of the best experts on this subject based on the ideXlab platform.

  • A Visual Analytics Approach to Detecting Server Redirections and Data Exfiltration
    Intelligence and Security Informatics, 2015
    Co-Authors: Weijie Wang, Baijian Yang, Victor Yingjie Chen
    Abstract:

    How to better find potential cyberattacks is a challenging question for security researchers and practitioners. In recent years, visualization has been applied in the field of analyzing cybersecurity issues, but most work has not been able to provide better than non-visualization based techniques. In this paper, we innovatively designed a visual analytics system to allow analysts to overview network traffic and identify such suspicious activities as server redirection attack and data exfiltration. Because of the nature of the problem, the overview design must be scalable, accurate, and fast. Through aggregating traffic data along the two dimensions of duration and payload, the system reveals key network traffic characteristics for the analyst to identify security events. The system is evaluated with the test data sets from VAST 2013 mini-challenge 3. The results are very encouraging and shed a more positive light on applying visual analytics in information security.

  • A visual analytics based approach on identifying server redirections and Data Exfiltration
    2015
    Co-Authors: Weijie Wang, Baijian Yang, Yingjie Chen
    Abstract:

    How to better find potential cyber attacks is the billion question facing security researchers and practitioners. In recent years, visualization has been applied in the field of information technology, but most work has not been able to provide better than non-visualization based techniques. In this work, we innovatively designed a graphic based system overview that can make suspicious activities related to server redirection attack and data exfiltration easier to identify. Due to the nature of the problem, the overview design must be scalable, accurate, and fast. This demands that the system visualize data that can reveal security events rather than simply plotting the raw data. The approach adopted in this work is to visualize aggregated traffic characteristics. The system is evaluated with the test data sets from VAST 2013 mini-challenge 3. The results are very encouraging and shed a more positive light on applying visual analytics in information security.

  • ISI - A visual analytics approach to detecting server redirections and Data Exfiltration
    2015 IEEE International Conference on Intelligence and Security Informatics (ISI), 2015
    Co-Authors: Weijie Wang, Baijian Yang, Victor Yingjie Chen

Asaf Nadler - One of the best experts on this subject based on the ideXlab platform.

  • Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol
    Computers & Security, 2019
    Co-Authors: Asaf Nadler, Avi Aminov, Asaf Shabtai

  • Detection of Malicious and Low Throughput Data Exfiltration Over the DNS Protocol
    arXiv: Cryptography and Security, 2017
    Co-Authors: Asaf Nadler, Avi Aminov, Asaf Shabtai