DOCSLIB.ORG

Laying the IT Security Foundation

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Laying the IT Security Foundation Key Steps to Preventing Cyber Attacks Government systems are getting hit on a daily basis by new and ingenious external attacks. Federal, state and municipal agencies, plus government contractors, must find a way to adjust to this evolving threat landscape to prevent these threats from wreaking havoc. It is imperative that government organizations get back to the basics of security and lay a strong security foundation to weather these attacks by proactively addressing their root causes. February 2010 WP-EN-02-04-10 Laying the IT Security Foundation: Key Steps to Preventing Cyber Attacks Disengaging from the Arms Race The numbers are in, and it’s clear to most that tacks (48 percent) and software vulnerabilities (26 they don’t bode well for those within government percent). Another survey of federal IT profession- IT security. The latest statistics show that on als conducted by CDW Government in November the Internet, a new Web site is compromised by 2009 showed that more than half of agencies are host malware every five seconds. Cybercriminals experiencing cyber security incidents on a daily or and cyberterrorists are amassing large fortunes weekly basis. through the sale and trade of information from each of these exploits, only to reinvest more and This relentless barrage of attacks infiltrates sys- more resources into developing even more sophis- tems in a cloaked manner to fool detection mech- ticated attacks as time goes by. Their attacks are anisms. Plus, attackers are constantly changing highly polymorphic, and they are obfuscated. They them to evade signature-based protections, such don’t just attack vulnerabilities in applications, but as antivirus. Not only are they sophisticated, but also fundamental flaws in the way agencies protect these pieces of malware are flooding the playing their machines. These attacks are coming at a diz- field. The idea is to keep security professionals zying speed, especially as foreign states employ a guessing, to keep them engaging with old attack loose-knit network of hackers, however informal- approaches while the new ones sneak in the back ly, to extend their long arm of intelligence into as door. And for the most part, security teams are un- many American government systems as possible. able to keep up with the barrage of new threats with a set of old tools and a limited budget. It’s no wonder, then, that the National Association of State Chief Information Officers (NASCIO) voted The problem is that government security profes- IT security as a top 10 strategic priority for 2010 sionals are stuck in a rut. We’re involved in an arms and security enhancement tools in the top five hot- race with the bad guys that can only benefit them. test product categories for 2010. Meanwhile, half Rather than addressing the fundamentals that allow of agency CISOs at the federal level worried that, an attack to occur in the first place, we’re address- even though their organizations may be making ing each individual attack as it crops up through a progress in security practices, they are still “not detect-and-block schema. Every time we get that getting ahead of attackers,” according to a survey rock to the top of the hill, it just rolls back down. conducted by ISC2 in April 2009. Tops on their list It’s time to take a new approach. It’s time to get of most pressing problems today are external at- some bulldozers and flatten the hill. 1 Laying the IT Security Foundation: Key Steps to Preventing Cyber Attacks Addressing Security’s Biggest Problem The attacks are largely successful because vulner- on machines across the federal government. abilities and mis-configurations exist within appli- Since 2009, federal agencies have been required cations and throughout the government IT frame- to adhere to FDCC on their workstations and lap- work. If those vulnerabilities didn’t exist, the vast tops as part of greater Federal Information Security majority of attacks wouldn’t succeed no matter how Management Act (FISMA) compliance. According plentiful they were. In fact, more than 90 percent to Karen Evens, the then-administrator for OMB’s of attacks exploit a vulnerability for which a patch Office of E-Government and Information Technol- already exists. ogy, who wrote the first memo outlining FDCC in 2007, the idea for establishing this baseline was “to Think about it. If you had a door with a broken lock improve system performance, decrease operating that was being taken advantage of by burglars, you costs and ensure public confidence in the confi- wouldn’t start by spending your money on expen- dentiality, integrity and availability of government sive closed-circuit cameras, on booby traps within information.” the home or on chaining your big-screen TV to the wall. No, you’d address the root cause of the break- One of the pilot adopters of this FDCC approach ins and fix the lock first. was the U.S. Air Force, which managed to not only improve security by reducing its patch cycles from Many within government are starting to buy into seven weeks to three days, but it has also achieved such an approach. According to the ISC2 survey, cost savings as the number of help-desk calls of all the cyber security programs they’re tasked “have dropped drastically because there are fewer to participate in, the Federal Desktop Core Con- one-off configurations and mysterious problems to figuration (FDCC) is one that federal CISOs feel address,” reported FedTech Magazine. is making the most progress — likely because the FDCC offers such a good security ROI. The example provided by FDCC has a lot of benefit as a case study in endpoint configuration, not just The idea behind FDCC is simple: With the help of at the federal government, but also at state and Microsoft and the National Institute for Science and municipal levels because, at the end of the day, se- Technology (NIST), the Office of Management and cure configuration is the very bedrock of any secu- Budget (OMB) developed a standard configuration rity program. It always has been and will continue setup for managed endpoints using Windows XP to be so in the future — one only need look at the and Windows Vista so that the tenets of security — current threat environment to understand why. such as the rule of least privilege — are followed 2 Laying the IT Security Foundation: Key Steps to Preventing Cyber Attacks Adjusting to the Evolving may not have ever been intended for outside con- Threat Landscape nectivity. Many of these back-end systems contain valuable citizen, operational and financial data, as As much heat as Microsoft receives from the secu- well as national security secrets. The combination rity research community, the company has actually of these factors has been like the lining up of cher- made a lot of progress over the last several years ries in a Vegas slot machine for the state and non- in building defenses within Windows. In that time state hackers. And there’s no end in sight. we’ve seen the advent of the built-in firewall, user access control and improvements in the data ex- Many of these Web-based programs utilize SQL ecution system. The protections were not perfect, Server as the back-end technology that holds all but enough roadblocks were thrown up to make of the content seen by users as they browse a site. hackers look for easier prey. When they shifted The drastic spike in 2009 of SQL injection attacks their crosshairs to the application layer, what they — the insertion of specially crafted queries to break found was a target-rich environment that was not the technology to reveal sensitive information and only more vulnerable to attacks, but also more allow attackers to install malware or redirect them profitable to attack. to malware-laden Web sites — comes by way of insecure coding practices by developers rushing to And just as improvements in the operating system meet this need for Web application expansion. (OS) were gaining steam, there was a convergence in user behavior that made Web-based applica- And these Web-based attacks aren’t all we have tions extremely appealing to attackers. Known as to worry about, either. State and non-state actors the Web 2.0 movement in common parlance, this have also turned their attention to Microsoft Office confluence of action saw organizations double, and browser-related weaknesses that hadn’t been triple and even quadruple their number of custom previously exploited because the OS used to be so applications. easy to attack. They’re also more closely scruti- nizing opportunities in countless other applications This Web 2.0 revolution has seen the rise in Web- from vendors such as Cisco, Apple and Adobe. based collaborative tools, mash-ups, social media, They’re even attacking firmware on hardware such enriched instant messaging and user-contributed as printers. The attack surface has clearly expand- content online. Not only have many of these ap- ed dramatically. plications been built hastily with minimal regard for security to take advantage of quickly chang- Not only are Web-based applications riddled with ing market conditions, but they’ve been tunneled vulnerabilities, but many users exacerbate the through the network firewall to provide Web-based problem by surfing the Web and running docu- access directly into back-end systems that may or 3 Laying the IT Security Foundation: Key Steps to Preventing Cyber Attacks ments on old, insecure versions of browsers and easily avoided a spread in infection had they im- productivity applications. Attackers not only find proved their password policies to protect fileshares.
Recommended publications
  • Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic,
  • Botection: Bot Detection by Building Markov Chain Models of Bots Network Behavior Bushra A

    Botection: Bot Detection by Building Markov Chain Models of Bots Network Behavior Bushra A

    BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior Bushra A. Alahmadi Enrico Mariconti Riccardo Spolaor University of Oxford, UK University College London, UK University of Oxford, UK [email protected] [email protected] [email protected] Gianluca Stringhini Ivan Martinovic Boston University, USA University of Oxford, UK [email protected] [email protected] ABSTRACT through DDoS (e.g. DDoS on Estonia [22]), email spam (e.g. Geodo), Botnets continue to be a threat to organizations, thus various ma- ClickFraud (e.g. ClickBot), and spreading malware (e.g. Zeus). 10,263 chine learning-based botnet detectors have been proposed. How- malware botnet controllers (C&C) were blocked by Spamhaus Mal- ever, the capability of such systems in detecting new or unseen ware Labs in 2018 alone, an 8% increase from the number of botnet 1 botnets is crucial to ensure its robustness against the rapid evo- C&Cs seen in 2017. Cybercriminals are actively monetizing bot- lution of botnets. Moreover, it prolongs the effectiveness of the nets to launch attacks, which are evolving significantly and require system in detecting bots, avoiding frequent and time-consuming more effective detection mechanisms capable of detecting those classifier re-training. We present BOTection, a privacy-preserving which are new or unseen. bot detection system that models the bot network flow behavior Botnets rely heavily on network communications to infect new as a Markov Chain. The Markov Chains state transitions capture victims (propagation), to communicate with the C&C server, or the bots’ network behavior using high-level flow features as states, to perform their operational task (e.g.
  • Fortinet's March Threatscape Report Shows Domination of Ransomware and Troublesome Zero-Day

    Fortinet's March Threatscape Report Shows Domination of Ransomware and Troublesome Zero-Day

    Fortinet's March Threatscape Report Shows Domination of Ransomware and Troublesome Zero-Day Rise of Ransomware Is Primarily Driven by Bredolab and Pushdo Botnets SUNNYVALE, CA, Apr 01, 2010 (MARKETWIRE via COMTEX News Network) -- Fortinet(R) (NASDAQ: FTNT) -- a leading network security provider and worldwide leader of unified threat management (UTM) solutions -- today announced its March 2010 Threatscape report showed domination of ransomware threats with nine of the detections in the malware top ten list resulting in either scareware or ransomware infesting the victim's PC. Fortinet observed the primary drivers behind these threats to be two of the most notorious botnet "loaders" -- Bredolab and Pushdo. Another important finding is the aggressive entrance of a new zero-day threat in FortiGuard's top ten attack list, MS.IE.Userdata.Behavior.Code.Execution, which accounted for 25 percent of the detected activity last month. Key threat activities for the month of March include: -- SMS-based Ransomware High Activity: A new ransomware threat -- W32/DigiPog.EP -- appeared in Fortinet's top ten malware list. DigiPog is an SMS blocker using Russian language, locking out a system and aggressively killing off popular applications like Internet Explorer and Firefox until an appropriate code is entered into a field provided to the user. To obtain the code, a user must send an SMS message to the provided number, receiving a code in return. Upon execution, DigiPog registers the user's MAC address with its server. It is the first time that SMS-based ransomware enters Fortinet's top ten list, showing that the rise of ransomware is well on its way.
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals

    2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals

    THREAT REPORT 2015 AT A GLANCE 2015 HIGHLIGHTS A few of the major events in 2015 concerning security issues. 08 07/15: Hacking Team 07/15: Bugs prompt 02/15: Europol joint breached, data Ford, Range Rover, 08/15: Google patches op takes down Ramnit released online Prius, Chrysler recalls Android Stagefright botnet flaw 09/15: XcodeGhost 07/15: Android 07/15: FBI Darkode tainted apps prompts Stagefright flaw 08/15: Amazon, ENFORCEMENT bazaar shutdown ATTACKS AppStore cleanup VULNERABILITY reported SECURITYPRODUCT Chrome drop Flash ads TOP MALWARE BREACHING THE MEET THE DUKES FAMILIES WALLED GARDEN The Dukes are a well- 12 18 resourced, highly 20 Njw0rm was the most In late 2015, the Apple App prominent new malware family in 2015. Store saw a string of incidents where dedicated and organized developers had used compromised tools cyberespionage group believed to be to unwittingly create apps with malicious working for the Russian Federation since behavior. The apps were able to bypass at least 2008 to collect intelligence in Njw0rm Apple’s review procedures to gain entry support of foreign and security policy decision-making. Angler into the store, and from there into an ordinary user’s iOS device. Gamarue THE CHAIN OF THE CHAIN OF Dorkbot COMPROMISE COMPROMISE: 23 The Stages 28 The Chain of Compromise Nuclear is a user-centric model that illustrates Kilim how cyber attacks combine different Ippedo techniques and resources to compromise Dridex devices and networks. It is defined by 4 main phases: Inception, Intrusion, WormLink Infection, and Invasion. INCEPTION Redirectors wreak havoc on US, Europe (p.28) INTRUSION AnglerEK dominates Flash (p.29) INFECTION The rise of rypto-ransomware (p.31) THREATS BY REGION Europe was particularly affected by the Angler exploit kit.
  • Power-Law Properties in Indonesia Internet Traffic. Why Do We Care About It

    Power-Law Properties in Indonesia Internet Traffic. Why Do We Care About It

    by Bisyron Wahyudi Muhammad Salahuddien Amount of malicious traffic circulating on the Internet is increasing significantly. Increasing complexity and rapid change in hosts and networks technology suggests that there will be new vulnerabilities. Attackers have interest in identifying networks and hosts to expose vulnerabilities : . Network scans . Worms . Trojans . Botnet Complicated methods of attacks make difficult to identify the real attacks : It is not simple as filtering out the traffic from some sources Security is implemented like an “add on” module for the Internet. Understanding nature behavior of malicious sources and targeted ports is important to minimize the damage by build strong specific security rules and counter measures Help the cyber security policy-making process, and to raise public awareness Questions : . Do malicious sources generate the attacks uniformly ? . Is there any pattern specific i.e. recurrence event ? . Is there any correlation between the number of some attacks over specific time ? Many systems and phenomena (events) are distributed according to a “power law” When one quantity (say y) depends on another (say x) raised to some power, we say that y is described by a power law A power law applies to a system when: . large is rare and . small is common Collection of System logs from Networked Intrusion Detection System (IDS) The NIDS contains 11 sensors installed in different core networks in Indonesian ISP (NAP) Period : January, 2012 - September, 2012 . Available fields : ▪ Event Message, Timestamp, Dest. IP, Source IP, Attacks Classification, Priority, Protocol, Dest. Port/ICMP code, Source Port/ICMP type, Sensors ID Two quantities x and y are related by a power law if y is proportional to x(-c) for a constant c y = .x(-c) If x and y are related by a power law, then the graph of log(y) versus log(x) is a straight line log(y) = -c.log(x) + log() The slope of the log-log plot is the power exponent c Destination Port Distribution .
  • PC Anti-Virus Protection 2011

    PC Anti-Virus Protection 2011

    PC Anti-Virus Protection 2011 12 POPULAR ANTI-VIRUS PROGRAMS COMPARED FOR EFFECTIVENESS Dennis Technology Labs, 03/08/2010 www.DennisTechnologyLabs.com This test aims to compare the effectiveness of the most recent releases of popular anti-virus software1. The products include those from Kaspersky, McAfee, Microsoft, Norton (Symantec) and Trend Micro, as well as free versions from Avast, AVG and Avira. Other products include those from BitDefender, ESET, G-Data and K7. The tests were conducted between 07/07/2010 and 22/07/2010 using the most up to date versions of the software available. A total of 12 products were exposed to genuine internet threats that real customers could have encountered during the test period. Crucially, this exposure was carried out in a realistic way, reflecting a customer’s experience as closely as possible. For example, each test system visited real, infected websites that significant numbers of internet users were encountering at the time of the test. These results reflect what would have happened if those users were using one of the seven products tested. EXECUTIVE SUMMARY Q Products that block attacks early tended to protect the system more fully The nature of web-based attacks means that the longer malware has access to a system, the more chances it has of downloading and installing further threats. Products that blocked the malicious and infected websites from the start reduced the risk of compromise by secondary and further downloads. Q 100 per cent protection is rare This test recorded an average protection rate of 87.5 per cent. New threats appear online frequently and it is inevitable that there will be times when specific security products are unable to protect from some of these threats.
  • Transition Analysis of Cyber Attacks Based on Long-Term Observation—

    Transition Analysis of Cyber Attacks Based on Long-Term Observation—

    2-3 nicterReport —TransitionAnalysisofCyberAttacksBasedon Long-termObservation— NAKAZATO Junji and OHTAKA Kazuhiro In this report, we provide a statistical data concerning cyber attacks and malwares based on a long-term network monitoring on the nicter. Especially, we show a continuous observation report of Conficker, which is a pandemic malware since November 2008. In addition, we report a transition analysis of the scale of botnet activities. Keywords Incident analysis, Darknet, Network monitoring, Malware analysis 1 Introduction leverages the traffic as detected by the four black hole sensors placed on different network We have been monitoring the IP address environments as shown by Fig. 1. space that is reachable and unused on the ● Sensor I : Structure where live nets and Internet (i.e. darknets) on a large-scale to darknets coexist in a class B understand the overall impact inflicted by network infectious activities including malware. This ● Sensor II : Structure where only darknets report analyzes the darknet traffic that has exist in a class B network been monitored and accumulated over six ● Sensor III : Structure where a /24 subnet years by an incident analysis center named in a class B network is a dark- *1 the nicter[1][2] to provide changing trends of net cyber attacks and fluctuation of attacker host ● Sensor IV : Structure where live nets and activities as obtained by long-term monitor- darknets coexist in a class B ing. In particular, we focus on Conficker, a network worm that has triggered large-scale infections The traffic obtained by these four sensors since November 2008, and report its impact on is analyzed by different analysis engines[3][4] the Internet and its current activities.
  • Symantec Intelligence Report: June 2011

    Symantec Intelligence Report: June 2011

    Symantec Intelligence Symantec Intelligence Report: June 2011 Three-quarters of spam send from botnets in June, and three months on, Rustock botnet remains dormant as Cutwail becomes most active; Pharmaceutical spam in decline as new Wiki- pharmacy brand emerges Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011. Report highlights Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011): page 11 Phishing – One in 330.6 emails identified as phishing (a decrease of 0.05 percentage points since May 2011): page 14 Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011): page 15 Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011): page 17 35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011): page 17 20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011): page 17 Review of Spam-sending botnets in June 2011: page 3 Clicking to Watch Videos Leads to Pharmacy Spam: page 6 Wiki for Everything, Even for Spam: page 7 Phishers Return for Tax Returns: page 8 Fake Donations Continue to Haunt Japan: page 9 Spam Subject Line Analysis: page 12 Best Practices for Enterprises and Users: page 19 Introduction from the editor Since the shutdown of the Rustock botnet in March1, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.
  • Effective Malicious Features Extraction and Classification for Incident Handling Systems

    Effective Malicious Features Extraction and Classification for Incident Handling Systems

    EFFECTIVE MALICIOUS FEATURES EXTRACTION AND CLASSIFICATION FOR INCIDENT HANDLING SYSTEMS CHO CHO SAN UNIVERSITY OF COMPUTER STUDIES, YANGON OCTOBER, 2019 Effective Malicious Features Extraction and Classification for Incident Handling Systems Cho Cho San University of Computer Studies, Yangon A thesis submitted to the University of Computer Studies, Yangon in partial fulfillment of the requirements for the degree of Doctor of Philosophy October, 2019 Statement of Originality I hereby certify that the work embodied in this thesis is the result of original research and has not been submitted for a higher degree to any other University or Institution. …..…………………………… .…………........………………………… Date Cho Cho San ACKNOWLEDGEMENTS First of all, I would like to thank Hist Excellency, the Minister for the Ministry of Education, for providing full facilities support during the Ph.D. course at the University of Computer Studies, Yangon. Secondly, my profound gratitude goes to Dr. Mie Mie Thet Thwin, Rector of the University of Computer Studies, Yangon, for allowing me to develop this research and giving me general guidance during the period of my study. I would like to express my greatest pleasure and the deepest appreciation to my supervisor, Dr. Mie Mie Su Thwin, Professor, the University of Computer Studies, Yangon, for her excellent guidance, caring, patient supervision, and providing me with excellent ideas throughout the study of this thesis. I would also like to extend my special appreciation to Dr. Khine Moe Nwe, Professor and Course-coordinator of the Ph.D. 9th Batch, the University of Computer Studies, Yangon, for her useful comments, advice, and insight which are invaluable through the process of researching and writing this dissertation.
  • Chapter 3: Viruses, Worms, and Blended Threats

    Chapter 3: Viruses, Worms, and Blended Threats

    Chapter 3 Chapter 3: Viruses, Worms, and Blended Threats.........................................................................46 Evolution of Viruses and Countermeasures...................................................................................46 The Early Days of Viruses.................................................................................................47 Beyond Annoyance: The Proliferation of Destructive Viruses .........................................48 Wiping Out Hard Drives—CIH Virus ...................................................................48 Virus Programming for the Masses 1: Macro Viruses...........................................48 Virus Programming for the Masses 2: Virus Generators.......................................50 Evolving Threats, Evolving Countermeasures ..................................................................51 Detecting Viruses...................................................................................................51 Radical Evolution—Polymorphic and Metamorphic Viruses ...............................53 Detecting Complex Viruses ...................................................................................55 State of Virus Detection.........................................................................................55 Trends in Virus Evolution..................................................................................................56 Worms and Vulnerabilities ............................................................................................................57
  • An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers

    An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers

    applied sciences Article An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers Riaz Ullah Khan 1,* , Xiaosong Zhang 1, Rajesh Kumar 1 , Abubakar Sharif 1, Noorbakhsh Amiri Golilarz 1 and Mamoun Alazab 2 1 Center of Cyber Security, School of Computer Science & Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China; [email protected] (X.Z.); [email protected] (R.K.); [email protected] (A.S.); [email protected] (N.A.G.) 2 College of Engineering, IT and Environment, Charles Darwin University, Casuarina 0810, Australia; [email protected] * Correspondence: [email protected]; Tel.: +86-155-2076-3595 Received: 19 March 2019; Accepted: 24 April 2019; Published: 11 June 2019 Abstract: In recent years, the botnets have been the most common threats to network security since it exploits multiple malicious codes like a worm, Trojans, Rootkit, etc. The botnets have been used to carry phishing links, to perform attacks and provide malicious services on the internet. It is challenging to identify Peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets because P2P traffic has typical features of the centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features.
  • A Highly Immersive Approach to Teaching Reverse Engineering Golden G

    A Highly Immersive Approach to Teaching Reverse Engineering Golden G

    A Highly Immersive Approach to Teaching Reverse Engineering Golden G. Richard III Department of Computer Science University of New Orleans New Orleans, LA 70148 Email: [email protected] Abstract most operating systems courses, but for reverse engi- neering, the devil really is in the details. For example, While short training courses in reverse engineering are to understand an offensive technique like Shadow frequently offered at meetings like Blackhat and Walker [13], which relies on de-synchronization of the through training organizations such as SANS, there are data and instruction TLBs in Intel’s split-TLB design virtually no reverse engineering courses offered in aca- to hide code and data, it’s not enough to have seen a demia. This paper discusses possible reasons for this Powerpoint slide depicting the abstract functionality of situation, emphasizes the importance of teaching re- a TLB—that’s a good start, but both more details and verse engineering (and applied computer security edu- hands-on experience are needed. Furthermore, assem- cation in general), and presents the overall design of a bler language courses, if they exist at all as independ- semester-long course in reverse engineering malware, ent courses in a modern computing curriculum, tend to recently offered by the author at the University of New be much weaker than in the past, often emphasizing the Orleans. use of High Level Assembler (HLA) [4] and develop- 1 Introduction ment of toy applications. In many curricula, the as- sembler language course of old has been folded into the Reverse engineering of software involves detailed undergraduate architecture class.