Low Interaction Honeypot

The Experts below are selected from a list of 243 Experts worldwide ranked by ideXlab platform

Paul Jenkins - One of the best experts on this subject based on the ideXlab platform.

  • Honeypots that bite back: a fuzzy technique for identifying and inhibiting fingerprinting attacks on Low Interaction Honeypots
    IEEE International Conference on Fuzzy Systems, 2018
    Co-Authors: Nitin Naik, Paul Jenkins, Roger Cooke, Longzhi Yang
    Abstract:

    The development of a robust strategy for network security is reliant upon a combination of in-house expertise and for completeness attack vectors used by attackers. A Honeypot is one of the most popular mechanisms used to gather information about attacks and attackers. However, Low-Interaction Honeypots only emulate an operating system and services, and are more prone to a fingerprinting attack, resulting in severe consequences such as revealing the identity of the Honeypot and thus ending the usefulness of the Honeypot forever, or worse, enabling it to be converted into a bot used to attack others. A number of tools and techniques are available both to fingerprint Low-Interaction Honeypots and to defend against such fingerprinting; however, there is an absence of fingerprinting techniques to identify the characteristics and behaviours that indicate fingerprinting is occurring. Therefore, this paper proposes a fuzzy technique to correlate the attack actions and predict the probability that an attack is a fingerprinting attack on the Honeypot. Initially, an experimental assessment of the fingerprinting attack on the Low-Interaction Honeypot is performed, and a fingerprinting detection mechanism is proposed that includes the underlying principles of popular fingerprinting attack tools. This implementation is based on a popular and commercially available Low-Interaction Honeypot for Windows - KFSensor. However, the proposed fuzzy technique is a general technique and can be used with any Low-Interaction Honeypot to aid in the identification of the fingerprinting attack whilst it is occurring; thus protecting the Honeypot from the fingerprinting attack and extending its life.

  • A fuzzy approach for detecting and defending against spoofing attacks on Low Interaction Honeypots
    International Conference on Information Fusion, 2018
    Co-Authors: Nitin Naik, Paul Jenkins
    Abstract:

    Honeypots are a well-recognised entrapment mechanism for baiting attackers in the field of network security. They gather real-time and valuable information from the attacker regarding their attack processes, which is not possible by other security means. Despite this invaluable contribution of the Honeypot in moulding a cohesive security policy, the Honeypot is normally designed with fewer resources, as security personnel do not consider it as part of the operational network. Consequently, such limited capability or Low-Interaction Honeypots are vulnerable to common security attacks. A spoofing attack is one such attack that can be carried out on these Low-Interaction Honeypots making them ineffectual. Unfortunately, these Low-Interaction Honeypots have very limited or no capability to detect and defend against this type of attack due to their inadequate ability to respond, versus a more complex Honeypot with greater deceptive capabilities. Therefore, this paper proposes a resource-optimised fuzzy approach for detecting and defending against a spoofing attack on a Low-Interaction Honeypot. Primarily, it proposes a detection mechanism for the spoofing attack based on the analysis of experimental data gathered from the Honeypot and its internal network. Subsequently, the paper proposes a fuzzy approach for predicting and alerting, in a timely manner, the spoofing attack on Low-Interaction Honeypots to prevent the attack. Finally, experimental simulation is utilised to demonstrate that any Low-Interaction Honeypot can be made a spoofing attack-aware Honeypot by employing the proposed fuzzy approach.

  • FUZZ-IEEE - Honeypots That Bite Back: A Fuzzy Technique for Identifying and Inhibiting Fingerprinting Attacks on Low Interaction Honeypots
    2018 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), 2018
    Co-Authors: Nitin Naik, Paul Jenkins, Roger Cooke, Longzhi Yang
    Abstract:

    The development of a robust strategy for network security is reliant upon a combination of in-house expertise and for completeness attack vectors used by attackers. A Honeypot is one of the most popular mechanisms used to gather information about attacks and attackers. However, Low-Interaction Honeypots only emulate an operating system and services, and are more prone to a fingerprinting attack, resulting in severe consequences such as revealing the identity of the Honeypot and thus ending the usefulness of the Honeypot forever, or worse, enabling it to be converted into a bot used to attack others. A number of tools and techniques are available both to fingerprint Low-Interaction Honeypots and to defend against such fingerprinting; however, there is an absence of fingerprinting techniques to identify the characteristics and behaviours that indicate fingerprinting is occurring. Therefore, this paper proposes a fuzzy technique to correlate the attack actions and predict the probability that an attack is a fingerprinting attack on the Honeypot. Initially, an experimental assessment of the fingerprinting attack on the Low-Interaction Honeypot is performed, and a fingerprinting detection mechanism is proposed that includes the underlying principles of popular fingerprinting attack tools. This implementation is based on a popular and commercially available Low-Interaction Honeypot for Windows - KFSensor. However, the proposed fuzzy technique is a general technique and can be used with any Low-Interaction Honeypot to aid in the identification of the fingerprinting attack whilst it is occurring; thus protecting the Honeypot from the fingerprinting attack and extending its life.

  • FUSION - A Fuzzy Approach for Detecting and Defending Against Spoofing Attacks on Low Interaction Honeypots
    2018 21st International Conference on Information Fusion (FUSION), 2018
    Co-Authors: Nitin Naik, Paul Jenkins
    Abstract:

    Honeypots are a well-recognised entrapment mechanism for baiting attackers in the field of network security. They gather real-time and valuable information from the attacker regarding their attack processes, which is not possible by other security means. Despite this invaluable contribution of the Honeypot in moulding a cohesive security policy, the Honeypot is normally designed with fewer resources, as security personnel do not consider it as part of the operational network. Consequently, such limited capability or Low-Interaction Honeypots are vulnerable to common security attacks. A spoofing attack is one such attack that can be carried out on these Low-Interaction Honeypots making them ineffectual. Unfortunately, these Low-Interaction Honeypots have very limited or no capability to detect and defend against this type of attack due to their inadequate ability to respond, versus a more complex Honeypot with greater deceptive capabilities. Therefore, this paper proposes a resource-optimised fuzzy approach for detecting and defending against a spoofing attack on a Low-Interaction Honeypot. Primarily, it proposes a detection mechanism for the spoofing attack based on the analysis of experimental data gathered from the Honeypot and its internal network. Subsequently, the paper proposes a fuzzy approach for predicting and alerting, in a timely manner, the spoofing attack on Low-Interaction Honeypots to prevent the attack. Finally, experimental simulation is utilised to demonstrate that any Low-Interaction Honeypot can be made a spoofing attack-aware Honeypot by employing the proposed fuzzy approach.

Nitin Naik - One of the best experts on this subject based on the ideXlab platform.

  • Honeypots that bite back: a fuzzy technique for identifying and inhibiting fingerprinting attacks on Low Interaction Honeypots
    IEEE International Conference on Fuzzy Systems, 2018
    Co-Authors: Nitin Naik, Paul Jenkins, Roger Cooke, Longzhi Yang
    Abstract:

    The development of a robust strategy for network security is reliant upon a combination of in-house expertise and for completeness attack vectors used by attackers. A Honeypot is one of the most popular mechanisms used to gather information about attacks and attackers. However, Low-Interaction Honeypots only emulate an operating system and services, and are more prone to a fingerprinting attack, resulting in severe consequences such as revealing the identity of the Honeypot and thus ending the usefulness of the Honeypot forever, or worse, enabling it to be converted into a bot used to attack others. A number of tools and techniques are available both to fingerprint Low-Interaction Honeypots and to defend against such fingerprinting; however, there is an absence of fingerprinting techniques to identify the characteristics and behaviours that indicate fingerprinting is occurring. Therefore, this paper proposes a fuzzy technique to correlate the attack actions and predict the probability that an attack is a fingerprinting attack on the Honeypot. Initially, an experimental assessment of the fingerprinting attack on the Low-Interaction Honeypot is performed, and a fingerprinting detection mechanism is proposed that includes the underlying principles of popular fingerprinting attack tools. This implementation is based on a popular and commercially available Low-Interaction Honeypot for Windows - KFSensor. However, the proposed fuzzy technique is a general technique and can be used with any Low-Interaction Honeypot to aid in the identification of the fingerprinting attack whilst it is occurring; thus protecting the Honeypot from the fingerprinting attack and extending its life.

  • A fuzzy approach for detecting and defending against spoofing attacks on Low Interaction Honeypots
    International Conference on Information Fusion, 2018
    Co-Authors: Nitin Naik, Paul Jenkins
    Abstract:

    Honeypots are a well-recognised entrapment mechanism for baiting attackers in the field of network security. They gather real-time and valuable information from the attacker regarding their attack processes, which is not possible by other security means. Despite this invaluable contribution of the Honeypot in moulding a cohesive security policy, the Honeypot is normally designed with fewer resources, as security personnel do not consider it as part of the operational network. Consequently, such limited capability or Low-Interaction Honeypots are vulnerable to common security attacks. A spoofing attack is one such attack that can be carried out on these Low-Interaction Honeypots making them ineffectual. Unfortunately, these Low-Interaction Honeypots have very limited or no capability to detect and defend against this type of attack due to their inadequate ability to respond, versus a more complex Honeypot with greater deceptive capabilities. Therefore, this paper proposes a resource-optimised fuzzy approach for detecting and defending against a spoofing attack on a Low-Interaction Honeypot. Primarily, it proposes a detection mechanism for the spoofing attack based on the analysis of experimental data gathered from the Honeypot and its internal network. Subsequently, the paper proposes a fuzzy approach for predicting and alerting, in a timely manner, the spoofing attack on Low-Interaction Honeypots to prevent the attack. Finally, experimental simulation is utilised to demonstrate that any Low-Interaction Honeypot can be made a spoofing attack-aware Honeypot by employing the proposed fuzzy approach.

  • FUZZ-IEEE - Honeypots That Bite Back: A Fuzzy Technique for Identifying and Inhibiting Fingerprinting Attacks on Low Interaction Honeypots
    2018 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), 2018
    Co-Authors: Nitin Naik, Paul Jenkins, Roger Cooke, Longzhi Yang
    Abstract:

    The development of a robust strategy for network security is reliant upon a combination of in-house expertise and for completeness attack vectors used by attackers. A Honeypot is one of the most popular mechanisms used to gather information about attacks and attackers. However, Low-Interaction Honeypots only emulate an operating system and services, and are more prone to a fingerprinting attack, resulting in severe consequences such as revealing the identity of the Honeypot and thus ending the usefulness of the Honeypot forever, or worse, enabling it to be converted into a bot used to attack others. A number of tools and techniques are available both to fingerprint Low-Interaction Honeypots and to defend against such fingerprinting; however, there is an absence of fingerprinting techniques to identify the characteristics and behaviours that indicate fingerprinting is occurring. Therefore, this paper proposes a fuzzy technique to correlate the attack actions and predict the probability that an attack is a fingerprinting attack on the Honeypot. Initially, an experimental assessment of the fingerprinting attack on the Low-Interaction Honeypot is performed, and a fingerprinting detection mechanism is proposed that includes the underlying principles of popular fingerprinting attack tools. This implementation is based on a popular and commercially available Low-Interaction Honeypot for Windows - KFSensor. However, the proposed fuzzy technique is a general technique and can be used with any Low-Interaction Honeypot to aid in the identification of the fingerprinting attack whilst it is occurring; thus protecting the Honeypot from the fingerprinting attack and extending its life.

  • FUSION - A Fuzzy Approach for Detecting and Defending Against Spoofing Attacks on Low Interaction Honeypots
    2018 21st International Conference on Information Fusion (FUSION), 2018
    Co-Authors: Nitin Naik, Paul Jenkins
    Abstract:

    Honeypots are a well-recognised entrapment mechanism for baiting attackers in the field of network security. They gather real-time and valuable information from the attacker regarding their attack processes, which is not possible by other security means. Despite this invaluable contribution of the Honeypot in moulding a cohesive security policy, the Honeypot is normally designed with fewer resources, as security personnel do not consider it as part of the operational network. Consequently, such limited capability or Low-Interaction Honeypots are vulnerable to common security attacks. A spoofing attack is one such attack that can be carried out on these Low-Interaction Honeypots making them ineffectual. Unfortunately, these Low-Interaction Honeypots have very limited or no capability to detect and defend against this type of attack due to their inadequate ability to respond, versus a more complex Honeypot with greater deceptive capabilities. Therefore, this paper proposes a resource-optimised fuzzy approach for detecting and defending against a spoofing attack on a Low-Interaction Honeypot. Primarily, it proposes a detection mechanism for the spoofing attack based on the analysis of experimental data gathered from the Honeypot and its internal network. Subsequently, the paper proposes a fuzzy approach for predicting and alerting, in a timely manner, the spoofing attack on Low-Interaction Honeypots to prevent the attack. Finally, experimental simulation is utilised to demonstrate that any Low-Interaction Honeypot can be made a spoofing attack-aware Honeypot by employing the proposed fuzzy approach.

Z. Zhan - One of the best experts on this subject based on the ideXlab platform.

  • Characterizing Honeypot-Captured Cyber Attacks: Statistical Framework and Case Study
    arXiv: Cryptography and Security, 2016
    Co-Authors: Z. Zhan
    Abstract:

    Rigorously characterizing the statistical properties of cyber attacks is an important problem. In this paper, we propose the first statistical framework for rigorously analyzing Honeypot-captured cyber attack data. The framework is built on the novel concept of stochastic cyber attack process, a new kind of mathematical objects for describing cyber attacks. To demonstrate use of the framework, we apply it to analyze a Low-Interaction Honeypot dataset, while noting that the framework can be equally applied to analyze high-Interaction Honeypot data that contains richer information about the attacks. The case study finds, for the first time, that Long-Range Dependence (LRD) is exhibited by Honeypot-captured cyber attacks. The case study confirms that by exploiting the statistical properties (LRD in this case), it is feasible to predict cyber attacks (at least in terms of attack rate) with good accuracy. This kind of prediction capability would provide sufficient early-warning time for defenders to adjust their defense configurations or resource allocations. The idea of "gray-box" (rather than "black-box") prediction is central to the utility of the statistical framework, and represents a significant step towards ultimately understanding (the degree of) the predictability of cyber attacks.

  • Characterizing Honeypot-Captured Cyber Attacks: Statistical Framework and Case Study
    2016
    Co-Authors: Z. Zhan
    Abstract:

    Rigorously characterizing the statistical properties of cyber attacks is an important problem. In this paper, we propose the first statistical framework for rigorously analyzing Honeypot-captured cyber attack data. The framework is built on the novel concept of stochastic cyber attack process, a new kind of mathematical objects for describing cyber attacks. To demonstrate use of the framework, we apply it to analyze a Low-Interaction Honeypot dataset, while noting that the framework can be equally applied to analyze high-Interaction Honeypot data that contains richer information about the attacks. The case study finds, for the first time, that Long-Range Dependence (LRD) is exhibited by Honeypot-captured cyber attacks. The case study confirms that by exploiting the statistical properties (LRD in this case), it is feasible to predict cyber attacks (at least in terms of attack rate) with good accuracy. This kind of prediction capability would provide sufficient early-warning time for defenders to adjust their defense configurations or resource allocations. The idea of “gray-box” (rather than “black-box”) prediction is central to the utility of the statistical framework, and represents a significant step towards ultimately understanding (the degree of) the predictability of cyber attacks. Index Terms: Cyber security, cyber attacks, stochastic cyber attack process, statistical properties, long-range dependence (LRD), cyber attack prediction

  • Characterizing Honeypot-captured cyber attacks: Statistical framework and case study
    IEEE Transactions on Information Forensics and Security, 2013
    Co-Authors: Z. Zhan, M Xu, S. Xu
    Abstract:

    Rigorously characterizing the statistical properties of cyber attacks is an important problem. In this paper, we propose the first statistical framework for rigorously analyzing Honeypot-captured cyber attack data. The framework is built on the novel concept of stochastic cyber attack process, a new kind of mathematical objects for describing cyber attacks. To demonstrate use of the framework, we apply it to analyze a Low-Interaction Honeypot dataset, while noting that the framework can be equally applied to analyze high-Interaction Honeypot data that contains richer information about the attacks. The case study finds, for the first time, that long-range dependence (LRD) is exhibited by Honeypot-captured cyber attacks. The case study confirms that by exploiting the statistical properties (LRD in this case), it is feasible to predict cyber attacks (at least in terms of attack rate) with good accuracy. This kind of prediction capability would provide sufficient early-warning time for defenders to adjust their defense configurations or resource allocations. The idea of “gray-box” (rather than “black-box”) prediction is central to the utility of the statistical framework, and represents a significant step towards ultimately understanding (the degree of) the predictability of cyber attacks.

S. Xu - One of the best experts on this subject based on the ideXlab platform.

  • Characterizing Honeypot-captured cyber attacks: Statistical framework and case study
    IEEE Transactions on Information Forensics and Security, 2013
    Co-Authors: Z. Zhan, M Xu, S. Xu
    Abstract:

    Rigorously characterizing the statistical properties of cyber attacks is an important problem. In this paper, we propose the first statistical framework for rigorously analyzing Honeypot-captured cyber attack data. The framework is built on the novel concept of stochastic cyber attack process, a new kind of mathematical objects for describing cyber attacks. To demonstrate use of the framework, we apply it to analyze a Low-Interaction Honeypot dataset, while noting that the framework can be equally applied to analyze high-Interaction Honeypot data that contains richer information about the attacks. The case study finds, for the first time, that long-range dependence (LRD) is exhibited by Honeypot-captured cyber attacks. The case study confirms that by exploiting the statistical properties (LRD in this case), it is feasible to predict cyber attacks (at least in terms of attack rate) with good accuracy. This kind of prediction capability would provide sufficient early-warning time for defenders to adjust their defense configurations or resource allocations. The idea of “gray-box” (rather than “black-box”) prediction is central to the utility of the statistical framework, and represents a significant step towards ultimately understanding (the degree of) the predictability of cyber attacks.

Jacob Zimmermann - One of the best experts on this subject based on the ideXlab platform.

  • Characterization of Attackers' Activities in Honeypot Traffic Using Principal Component Analysis
    2008 IFIP International Conference on Network and Parallel Computing, 2010
    Co-Authors: Saleh I. Almotairi, Andrew Clark, George M. Mohay, Jacob Zimmermann
    Abstract:

    Monitoring Internet traffic is critical in order to acquire a good understanding of threats and in designing efficient security systems. While Honeypots are flexible security tools for gathering intelligence of Internet attacks, traffic collected by Honeypots is of high dimensionality that makes it difficult to characterize. In this paper, we propose the use of principal component analysis, a multivariate analysis technique, for characterizing Honeypot traffic and separating latent groups of activities. In addition, we show the usefulness of principal component plots in visualizing the interrelationships between the detected groups of activities and in finding outliers. This work is demonstrated through the use of Low Interaction Honeypot traffic data from the Leurré.com project, a world wide deployment of Low Interaction Honeypots.

  • A technique for detecting new attacks in Low-Interaction Honeypot traffic
    2009
    Co-Authors: Saleh I. Almotairi, Andrew Clark, George M. Mohay, Jacob Zimmermann
    Abstract:

    Honeypots are flexible security tools for gathering artefacts associated with a variety of Internet attack activities. While existing work on Honeypot traffic analysis focuses mainly on identifying existing attacks, this paper describes a technique for detecting new attacks based on principal component analysis. The proposed technique requires no prior knowledge of attack types and has low computational requirements that make it suitable for online detection systems. Our method of detecting new attacks is based on measuring changes in the residual space using square prediction error (SPE) statistics. When attack vectors are projected onto the residual space, attacks that are not presented by the main hyperspace will create new directions with high SPE values. We demonstrate the usefulness of our technique by using real traffic data from the Leurre.com project, a world-wide deployment of Low-Interaction Honeypots, where several examples of new traffic detected by the system are illustrated.

  • Characterization of attackers' activities in Honeypot traffic using principal component analysis
    2008
    Co-Authors: Saleh I. Almotairi, Andrew Clark, George M. Mohay, Jacob Zimmermann
    Abstract:

    Monitoring Internet traffic is critical in order to acquire a good understanding of threats and in designing efficient security systems. While Honeypots are flexible security tools for gathering intelligence of Internet attacks, traffic collected by Honeypots is of high dimensionality that makes it difficult to characterize. In this paper, we propose the use of principal component analysis, a multivariate analysis technique, for characterizing Honeypot traffic and separating latent groups of activities. In addition, we show the usefulness of principal component plots in visualizing the interrelationships between the detected groups of activities and in finding outliers. This work is demonstrated through the use of Low Interaction Honeypot traffic data from the Leurre.com project, a world wide deployment of Low Interaction Honeypots.

  • NPC Workshops - Characterization of Attackers' Activities in Honeypot Traffic Using Principal Component Analysis
    2008 IFIP International Conference on Network and Parallel Computing, 2008
    Co-Authors: Saleh I. Almotairi, Andrew Clark, George M. Mohay, Jacob Zimmermann
    Abstract:

    Monitoring Internet traffic is critical in order to acquire a good understanding of threats and in designing efficient security systems. While Honeypots are flexible security tools for gathering intelligence of Internet attacks, traffic collected by Honeypots is of high dimensionality that makes it difficult to characterize. In this paper, we propose the use of principal component analysis, a multivariate analysis technique, for characterizing Honeypot traffic and separating latent groups of activities. In addition, we show the usefulness of principal component plots in visualizing the interrelationships between the detected groups of activities and in finding outliers. This work is demonstrated through the use of Low Interaction Honeypot traffic data from the Leurre.com project, a world wide deployment of Low Interaction Honeypots.