DOCSLIB.ORG

Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

THE NATIONAL ACADEMIES PRESS This PDF is available at http://nap.edu/12651 SHARE Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities DETAILS 390 pages | 6x9 | PAPERBACK ISBN 978-0-309-13850-5 | DOI 10.17226/12651 AUTHORS BUY THIS BOOK William A. Owens, Kenneth W. Dam, and Herbert S. Lin, editors; Committee on Offensive Information Warfare; National Research Council FIND RELATED TITLES Visit the National Academies Press at NAP.edu and login or register to get: – Access to free PDF downloads of thousands of scientific reports – 10% off the price of print titles – Email or social media notifications of new titles related to your interests – Special offers and discounts Distribution, posting, or copying of this PDF is strictly prohibited without written permission of the National Academies Press. (Request Permission) Unless otherwise indicated, all materials in this PDF are copyrighted by the National Academy of Sciences. Copyright © National Academy of Sciences. All rights reserved. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of CYBerattacK CapaBILITIes William A. Owens, Kenneth W. Dam, and Herbert S. Lin, Editors Committee on Offensive Information Warfare Computer Science and Telecommunications Board Division on Engineering and Physical Sciences Copyright National Academy of Sciences. All rights reserved. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities THE NATIONAL ACADEMIES PRESS 500 Fifth Street, N.W. Washington, DC 20001 NOTICE: The project that is the subject of this report was approved by the Gov- erning Board of the National Research Council, whose members are drawn from the councils of the National Academy of Sciences, the National Academy of Engi- neering, and the Institute of Medicine. The members of the committee responsible for the report were chosen for their special competences and with regard for appropriate balance. Support for this project was provided by the MacArthur Foundation under award number 04-80965-000-GSS, the Microsoft Corporation under an unnumbered award, and the NRC Presidents’ Committee under an unnumbered award. Any opinions, findings, conclusions, or recommendations expressed in this pub- lication are those of the authors and do not necessarily reflect the views of the organizations that provided support for the project. International Standard Book Number-13: 978-0-309-13850-5 International Standard Book Number-10: 0-309-13850-7 Library of Congress Control Number: 2009930416 Additional copies of this report are available from: The National Academies Press 500 Fifth Street, N.W., Lockbox 285 Washington, DC 20055 (800) 624-6242 (202) 334-3313 (in the Washington metropolitan area) Internet: http://www.nap.edu Copyright 2009 by the National Academy of Sciences. All rights reserved. Printed in the United States of America Copyright National Academy of Sciences. All rights reserved. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities The National Academy of Sciences is a private, nonprofit, self-perpetuating society of distinguished scholars engaged in scientific and engineering research, dedicated to the furtherance of science and technology and to their use for the general welfare. Upon the authority of the charter granted to it by the Congress in 1863, the Academy has a mandate that requires it to advise the federal govern- ment on scientific and technical matters. Dr. Ralph J. Cicerone is president of the National Academy of Sciences. The National Academy of Engineering was established in 1964, under the char- ter of the National Academy of Sciences, as a parallel organization of outstand- ing engineers. It is autonomous in its administration and in the selection of its members, sharing with the National Academy of Sciences the responsibility for advising the federal government. The National Academy of Engineering also sponsors engineering programs aimed at meeting national needs, encourages education and research, and recognizes the superior achievements of engineers. Dr. Charles M. Vest is president of the National Academy of Engineering. The Institute of Medicine was established in 1970 by the National Academy of Sciences to secure the services of eminent members of appropriate professions in the examination of policy matters pertaining to the health of the public. The Institute acts under the responsibility given to the National Academy of Sciences by its congressional charter to be an adviser to the federal government and, upon its own initiative, to identify issues of medical care, research, and education. Dr. Harvey V. Fineberg is president of the Institute of Medicine. The National Research Council was organized by the National Academy of Sciences in 1916 to associate the broad community of science and technology with the Academy’s purposes of furthering knowledge and advising the federal government. Functioning in accordance with general policies determined by the Academy, the Council has become the principal operating agency of both the National Academy of Sciences and the National Academy of Engineering in pro- viding services to the government, the public, and the scientific and engineering communities. The Council is administered jointly by both Academies and the Institute of Medicine. Dr. Ralph J. Cicerone and Dr. Charles M. Vest are chair and vice chair, respectively, of the National Research Council. www.national-academies.org Copyright National Academy of Sciences. All rights reserved. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Copyright National Academy of Sciences. All rights reserved. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Committee on OFFENSIVE INFORMATION WARFARE WILLIAM A. OWENS, AEA Holdings, Inc., Co-chair KENNETH W. DAM, University of Chicago, Co-chair THOMAS A. BERSON, Anagram Laboratories GERHARD CASPER, Stanford University DAVID D. CLARK, Massachusetts Institute of Technology RICHARD L. GARWIN, IBM Fellow Emeritus JACK L. GOLDSMITH III, Harvard Law School CARL G. O’BERRY, The Boeing Company JEROME H. SALTZER, Massachusetts Institute of Technology (retired) MARK SEIDEN, MSB Associates SARAH SEWALL, Harvard University WALTER B. SLOCOMBE, Caplin & Drysdale WILLIAM O. STUDEMAN, U.S. Navy (retired) MICHAEL A. VATIS, Steptoe & Johnson LLP Staff HERBERT S. LIN, Study Director KRISTEN BATCH, Associate Staff Officer (through August 2008) TED SCHMITT, Consultant JANICE SABUDA, Senior Project Assistant (through March 2008) ERIC WHITAKER, Senior Project Assistant Copyright National Academy of Sciences. All rights reserved. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD JOSEPH F. TRAUB, Columbia University, Chair PRITHVIRAJ BANERJEE, Hewlett Packard Company FREDERICK R. CHANG, University of Texas, Austin WILLIAM DALLY, Stanford University MARK E. DEAN, IBM Almaden Research Center DEBORAH L. ESTRIN, University of California, Los Angeles KEVIN C. KAHN, Intel Corporation JAMES KAJIYA, Microsoft Corporation RANDY H. KATZ, University of California, Berkeley JOHN E. KELLY III, IBM Research SARA KIESLER, Carnegie Mellon University JON KLEINBERG, Cornell University PETER LEE, Carnegie Mellon University TERESA H. MENG, Stanford University WILLIAM H. PRESS, University of Texas, Austin PRABHAKAR RAGHAVAN, Yahoo! Research DAVID E. SHAW, D.E. Shaw Research ALFRED Z. SPECTOR, Google, Inc. ROBERT F. SPROULL, Sun Microsystems, Inc. PETER SZOLOVITS, Massachusetts Institute of Technology ANDREW J. VITERBI, Viterbi Group, LLC PETER WEINBERGER, Google, Inc. JON EISENBERG, Director RENEE HAWKINS, Financial and Administrative Manager HERBERT S. LIN, Chief Scientist, CSTB LYNETTE I. MILLETT, Senior Program Officer NANCY GILLIS, Program Officer Enita A. williams, Associate Program Officer MORGAN R. MOTTO, Program Associate Shenae Bradley, Senior Program Assistant ERIC WHITAKER, Senior Program Assistant For more information on CSTB, see its website at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, N.W., Wash- ington, DC 20001, call (202) 334-2605, or e-mail CSTB at [email protected]. i Copyright National Academy of Sciences. All rights reserved. Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities Preface Given the reality of a densely interconnected information society, much has been written about the possibility that adversaries of the United States such as terrorists or hostile nations might conduct very damag- ing cyberattacks against critical sectors of the U.S. economy and critical national infrastructure that depend on reliably functioning, secure com- puter systems and networks. For some years, the topic of cybersecurity has been an important part of the report portfolio of the National Research Council,1 and a great deal of national attention has been given, in public, to the problem of how to protect U.S. information technology systems and networks against such attacks—that is, how to defend these systems and networks in both military and non-military contexts.2 But, perhaps reflect- ing the common wisdom of the time, these efforts have focused almost exclusively on the cyberdefense side of the equation. The possibility that the United
Recommended publications
  • Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress

    Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic,
  • July 2009 1663 Los Alamos Science and Technology Magazine July 2009 the Complicated Network of Transmission a Very Chilly –300°F, to Become Superconducting

    July 2009 1663 Los Alamos Science and Technology Magazine July 2009 the Complicated Network of Transmission a Very Chilly –300°F, to Become Superconducting

    loslos alamos alamos science science and and technology technology magazine magazine JUJULYLY 20 20 09 09 Wired for the Future Cyber Wars Have SQUIDs, Will Travel 1663 A Trip to Nuclear North Korea About Our Name: during World War ii, all that the 1663outside world knew of los alamos and its top-secret table of contents laboratory was the mailing address—P. o. Box 1663, santa Fe, new mexico. that box number, still part of our address, symbolizes our historic role in the nation’s from terry wallace service. PrINcIPaL aSSocIatE DIrEctor For ScIENcE, tEchNoLogy, aND ENgINEErINg located on the high mesas of northern new mexico, los alamos national laboratory was founded in 1943 to build the first atomic bomb. it remains a premier scientific laboratory, dedicated to national security in its broadest the Scientist Envoy INSIDE FroNt coVEr sense. the laboratory is operated by los alamos national security, llc, for the department of energy’s national nuclear security administration. features About the Cover: artist’s conception of a hacker’s “trojan horse,” in cyberspace. los alamos fights an mosArchive unending battle against trojan horses, worms, and la other forms of malicious software but is spearheading LosA research to play offense rather than defense in the Wired for the Future 2 During the Manhattan Project, Enrico Fermi, Nobel Laureate and leader of SUPErcoNDUctINg WIrES MIght traNSForM ENErgy DIStrIBUtIoN ongoing cyber wars. F-Division, meets with San Ildefonso Pueblo’s Maria Martinez, famous worldwide for her extraordinary black pottery. from terry wallace cyber Wars The Scientist Envoy 6 thE UNENDINg BATTLE For coNtroL Since the middle of the His direct experience with both plutonium metallurgy nineteenth century and the and international diplomacy have allowed him to days of Mendeleev, Darwin, communicate with the North’s weapons scientists, Pasteur, and Maxwell, obtain accurate information about the country’s scientists have helped to plutonium capabilities, and report his findings to the have SQUIDs, Will travel 12 better society.
  • A Double Horizon Defense Design for Robust Regulation of Malicious Traffic

    A Double Horizon Defense Design for Robust Regulation of Malicious Traffic

    University of Pennsylvania ScholarlyCommons Departmental Papers (ESE) Department of Electrical & Systems Engineering August 2006 A Double Horizon Defense Design for Robust Regulation of Malicious Traffic Ying Xu University of Pennsylvania, [email protected] Roch A. Guérin University of Pennsylvania, [email protected] Follow this and additional works at: https://repository.upenn.edu/ese_papers Recommended Citation Ying Xu and Roch A. Guérin, "A Double Horizon Defense Design for Robust Regulation of Malicious Traffic", . August 2006. Copyright 2006 IEEE. In Proceedings of the Second IEEE Communications Society/CreateNet International Conference on Security and Privacy in Communication Networks (SecureComm 2006). This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of the University of Pennsylvania's products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to [email protected]. By choosing to view this document, you agree to all provisions of the copyright laws protecting it. This paper is posted at ScholarlyCommons. https://repository.upenn.edu/ese_papers/190 For more information, please contact [email protected]. A Double Horizon Defense Design for Robust Regulation of Malicious Traffic Abstract Deploying defense mechanisms in routers holds promises for protecting infrastructure resources such as link bandwidth or router buffers against network Denial-of-Service (DoS) attacks. However, in spite of their efficacy against bruteforce flooding attacks, existing outer-basedr defenses often perform poorly when confronted to more sophisticated attack strategies.
  • Effective Malicious Features Extraction and Classification for Incident Handling Systems

    Effective Malicious Features Extraction and Classification for Incident Handling Systems

    EFFECTIVE MALICIOUS FEATURES EXTRACTION AND CLASSIFICATION FOR INCIDENT HANDLING SYSTEMS CHO CHO SAN UNIVERSITY OF COMPUTER STUDIES, YANGON OCTOBER, 2019 Effective Malicious Features Extraction and Classification for Incident Handling Systems Cho Cho San University of Computer Studies, Yangon A thesis submitted to the University of Computer Studies, Yangon in partial fulfillment of the requirements for the degree of Doctor of Philosophy October, 2019 Statement of Originality I hereby certify that the work embodied in this thesis is the result of original research and has not been submitted for a higher degree to any other University or Institution. …..…………………………… .…………........………………………… Date Cho Cho San ACKNOWLEDGEMENTS First of all, I would like to thank Hist Excellency, the Minister for the Ministry of Education, for providing full facilities support during the Ph.D. course at the University of Computer Studies, Yangon. Secondly, my profound gratitude goes to Dr. Mie Mie Thet Thwin, Rector of the University of Computer Studies, Yangon, for allowing me to develop this research and giving me general guidance during the period of my study. I would like to express my greatest pleasure and the deepest appreciation to my supervisor, Dr. Mie Mie Su Thwin, Professor, the University of Computer Studies, Yangon, for her excellent guidance, caring, patient supervision, and providing me with excellent ideas throughout the study of this thesis. I would also like to extend my special appreciation to Dr. Khine Moe Nwe, Professor and Course-coordinator of the Ph.D. 9th Batch, the University of Computer Studies, Yangon, for her useful comments, advice, and insight which are invaluable through the process of researching and writing this dissertation.
  • Chapter 3: Viruses, Worms, and Blended Threats

    Chapter 3: Viruses, Worms, and Blended Threats

    Chapter 3 Chapter 3: Viruses, Worms, and Blended Threats.........................................................................46 Evolution of Viruses and Countermeasures...................................................................................46 The Early Days of Viruses.................................................................................................47 Beyond Annoyance: The Proliferation of Destructive Viruses .........................................48 Wiping Out Hard Drives—CIH Virus ...................................................................48 Virus Programming for the Masses 1: Macro Viruses...........................................48 Virus Programming for the Masses 2: Virus Generators.......................................50 Evolving Threats, Evolving Countermeasures ..................................................................51 Detecting Viruses...................................................................................................51 Radical Evolution—Polymorphic and Metamorphic Viruses ...............................53 Detecting Complex Viruses ...................................................................................55 State of Virus Detection.........................................................................................55 Trends in Virus Evolution..................................................................................................56 Worms and Vulnerabilities ............................................................................................................57
  • A Highly Immersive Approach to Teaching Reverse Engineering Golden G

    A Highly Immersive Approach to Teaching Reverse Engineering Golden G

    A Highly Immersive Approach to Teaching Reverse Engineering Golden G. Richard III Department of Computer Science University of New Orleans New Orleans, LA 70148 Email: [email protected] Abstract most operating systems courses, but for reverse engi- neering, the devil really is in the details. For example, While short training courses in reverse engineering are to understand an offensive technique like Shadow frequently offered at meetings like Blackhat and Walker [13], which relies on de-synchronization of the through training organizations such as SANS, there are data and instruction TLBs in Intel’s split-TLB design virtually no reverse engineering courses offered in aca- to hide code and data, it’s not enough to have seen a demia. This paper discusses possible reasons for this Powerpoint slide depicting the abstract functionality of situation, emphasizes the importance of teaching re- a TLB—that’s a good start, but both more details and verse engineering (and applied computer security edu- hands-on experience are needed. Furthermore, assem- cation in general), and presents the overall design of a bler language courses, if they exist at all as independ- semester-long course in reverse engineering malware, ent courses in a modern computing curriculum, tend to recently offered by the author at the University of New be much weaker than in the past, often emphasizing the Orleans. use of High Level Assembler (HLA) [4] and develop- 1 Introduction ment of toy applications. In many curricula, the as- sembler language course of old has been folded into the Reverse engineering of software involves detailed undergraduate architecture class.
  • Nusikaltimai Elektroninėje Erdvėje Ir Jų Tyrimo Metodikos Nikolaj Goranin Dalius Mažeika

    Nusikaltimai Elektroninėje Erdvėje Ir Jų Tyrimo Metodikos Nikolaj Goranin Dalius Mažeika

    Nikolaj Goranin Dalius Mažeika NUSIKALTIMAI elektroninėje erDvėje ir jų tyriMo MetoDikos Nikolaj Goranin Dalius Mažeika NUSIKALTIMAI ELEKTRONINĖJE ERDVĖJE IR JŲ TYRIMO METODIKOS MOKOMOJI KNYGA Projektas „Aukštojo mokslo I ir II pakopų informatikos ir informatikos inžinerijos krypčių studijų programų atnaujinimas bei naujų sukūrimas ir įgyvendinimas (AMIPA)“, kodas VP1–2.2–ŠMM–09–V–01–003, finansuojamas iš Europos socialinio fondo ir Lietuvos valstybės biudžeto lėšų. Recenzavo: prof. dr. V. Jusas doc. dr. K. Driaunys © N. Goranin, D. Mažeika, 2011 © KTU Informatikos fakultetas, 2011 © VGTU Fundamentaliųjų mokslų fakultetas, 2011 © UAB TEV, 2011 ISBN 978-609-433-055-1 TURINYS ĮVADAS ........................................................................................................................7 1. NUSIKALTIMAI ELEKTRONINĖJE ERDVĖJE ...................................................9 1.1. Nusikaltimų elektroninėje erdvėje apibrėžimas ir jų tipai ................................9 1.2. Informacinis karas ...........................................................................................11 1.3. Savikontrolės klausimai ..................................................................................14 2. NEE TEISINIAI ASPEKTAI ..................................................................................15 2.1. Teisinė nusikaltimų elektroninėje erdvėje samprata .......................................15 2.2. Elektroninių nusikaltimų kategorijos ..............................................................17 2.3. Tarptautiniai
  • Malware Primer Malware Primer

    Malware Primer Malware Primer

    Malware Primer Malware Primer Table of Contents Introduction Introduction ...........................................................................................................................................................................2 In The Art of War, Sun Tzu wrote, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” This certainly applies Chapter 1: A Brief History of Malware—Its Evolution and Impact ..............................3 to cyberwarfare. This primer will help you get to know cybercriminals by providing you with a solid foundation in one of their principle weapons: Chapter 2: Malware Types and Classifications ....................................................................................8 malware. Chapter 3: How Malware Works—Malicious Strategies and Tactics ........................11 Our objective here is to provide a baseline of knowledge about the different types of malware, what malware is capable of, and how it’s distributed. Chapter 4: Polymorphic Malware—Real Life Transformers .............................................14 Because effectively protecting your network, users, data, and company from Chapter 5: Keyloggers and Other Password Snatching Malware ...............................16 malware-based attacks requires an understanding of the various ways that the enemy is coming at you. Chapter 6: Account and Identity Theft Malware ...........................................................................19 Keep in mind, however, that we’re only able here
  • CS 3700 Networks and Distributed Systems

    CS 3700 Networks and Distributed Systems

    CS 3700 Networks and Distributed Systems Lecture 20: Malware/Botnets Slides stolen from Vern Paxson (ICSI) and Stefan Savage (UCSD) Motivation 2 Internet currently used for important services ! Financial transactions, medical records Increasingly used for critical services ! 911, surgical operations, water/electrical system control, remote controlled drones, etc. Networks more open than ever before ! Global, ubiquitous Internet, wireless Malicious Users 3 Miscreants, e.g. LulzSec ! In it for thrills, street cred, or just to learn ! Defacing web pages, spreading viruses, etc. Hacktivists, e.g. Anonymous ! Online political protests ! Stealing and revealing classified information Organized Crime ! Profit driven, online criminals ! Well organized, divisions of labor, highly motivated Network Security Problems 4 Host Compromise ! Attacker gains control of a host ! Can then be used to try and compromise others Denial-of-Service ! Attacker prevents legitimate users from gaining service Attack can be both ! E.g., host compromise that provides resources for denial-of- service Definitions 5 Virus ! Program that attaches itself to another program Worm ! Replicates itself over the network ! Usually relies on remote exploit (e.g. buffer overflow) Rootkit ! Program that infects the operating system (or even lower) ! Used for privilege elevation, and to hide files/processes Trojan horse ! Program that opens “back doors” on an infected host ! Gives the attacker remote access to machines Botnet ! A large group of Trojaned machines, controlled
  • Leading International University Squashes Threats from Modern Malware with Palo Alto Networks

    Leading International University Squashes Threats from Modern Malware with Palo Alto Networks

    PALO ALTO NETWORKS: Customer Profile Leading International University Squashes Threats from Modern Malware with Palo Alto Networks “Palo Alto Networks gives us true insight into what’s really going on in our network to ensure that risky traffic and activity is blocked. The control, visibility and threat prevention capabilities of the PA-4000 Series are unmatched. The cost was right and the ORGANIZATION: benefits quickly justified the cost.” University of Groningen – Mente Heemstra, Network Specialist, University of Groningen INDUSTRY: Education BACKGROUND CHALLENGE: Founded in 1614, the University of Groningen enjoys an international reputation Gain visibility into network to improve as one of the oldest and leading educational and research universities in Europe. security and control while maintaining a Located in the north of the Netherlands, the university offers degree programs policy of application access for all users. at Bachelor’s, Master’s and Ph.D. levels in virtually every field, many of them SOLUTION: completely taught in English. Research and knowledge, combined with an Replace legacy firewalls and Intrusion interdisciplinary approach, form the basis of the school’s programs. Research and Prevention System (IPS) managing traffic education at the University of Groningen is internationally oriented, as students between the university and its Internet from every continent prepare themselves for international career paths. Groningen Service Provider with Palo Alto Networks PA Series next-generation firewall with is an ideal, safe city with a flourishing student life. IPS for granular visibility of threats and better control of suspect Internet FILE SHARING AND MALWARE ON CAMPUS applications. Approximately 28,000 students study at the acclaimed University of Groningen.
  • Mining Web User Behaviors to Detect Application Layer Ddos Attacks

    Mining Web User Behaviors to Detect Application Layer Ddos Attacks

    JOURNAL OF SOFTWARE, VOL. 9, NO. 4, APRIL 2014 985 Mining Web User Behaviors to Detect Application Layer DDoS Attacks Chuibi Huang1 1Department of Automation, USTC Key laboratory of network communication system and control Hefei, China Email: [email protected] Jinlin Wang1, 2, Gang Wu1, Jun Chen2 2Institute of Acoustics, Chinese Academy of Sciences National Network New Media Engineering Research Center Beijing, China Email: {wangjl, chenj}@dsp.ac.cn Abstract— Distributed Denial of Service (DDoS) attacks than TCP or UDP-based attacks, requiring fewer network have caused continuous critical threats to the Internet connections to achieve their malicious purposes. The services. DDoS attacks are generally conducted at the MyDoom worm and the CyberSlam are all instances of network layer. Many DDoS attack detection methods are this type attack [2, 3]. focused on the IP and TCP layers. However, they are not suitable for detecting the application layer DDoS attacks. In The challenges of detecting the app-DDoS attacks can this paper, we propose a scheme based on web user be summarized as the following aspects: browsing behaviors to detect the application layer DDoS • The app-DDoS attacks make use of higher layer attacks (app-DDoS). A clustering method is applied to protocols such as HTTP to pass through most of extract the access features of the web objects. Based on the the current anomaly detection systems designed access features, an extended hidden semi-Markov model is for low layers. proposed to describe the browsing behaviors of web user. • Along with flooding, App-DDoS traces the The deviation from the entropy of the training data set average request rate of the legitimate user and uses fitting to the hidden semi-Markov model can be considered as the abnormality of the observed data set.
  • AUGUST 2005 43 Your Defense Is Offensive STEVE MANZUIK EDITOR ;Login: Is the Official WORKPLACE Rik Farrow Magazine of the Rik@Usenix.Org USENIX Association

    AUGUST 2005 43 Your Defense Is Offensive STEVE MANZUIK EDITOR ;Login: Is the Official WORKPLACE Rik Farrow Magazine of the [email protected] USENIX Association

    A UGUST 2005 VOLUME 30 NUMBER 4 THE USENIX MAGAZINE OPINION Musings RIK FARROWS Conference Password Sniffing ABE SINGER SYSADMIN The Inevitability of Xen JON CROWCROFT, KEIR FRASER, STEVEN HAND, IAN PRATT, AND ANDREW WARFIELD Secure Automated File Transfer MARK MCCULLOUGH SAN vs. NAS for Oracle: A Tale of Two Protocols ADAM LEVIN Practical Perl ADAM TUROFF ISPadmin ROBERT HASKINS L AW Primer on Cybercrime Laws DANI EL L. APPELMAN SECURITY Forensics for System Administrators SEAN PEISERT Your Defense Is Offensive STEVE MANZUIK WORKPLACE Marketing after the Bubble EMILY W. SALUS AND PETER H. SALUS BOOK REVIEWS Book Reviews RIK FAROWS USENIX NOTES SAGE Update DAVID PARTER ...and much more CONFERENCES 2005 USENIX Annual Technical Conference 2nd Symposium on Networked Systems Design and Implementation (NSDI ’05) 6th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 2004) The Advanced Computing Systems Association Upcoming Events INTERNET MEASUREMENT CONFERENCE 2005 4TH USENIX CONFERENCE ON FILE AND (IMC ’05) STORAGE TECHNOLOGIES (FAST ’05) Sponsored by ACM SIGCOMM in cooperation with USENIX Sponsored by USENIX in cooperation with ACM SIGOPS, IEEE Mass Storage Systems Technical Committee (MSSTC), OCTOBER 19–21, 2005, NEW ORLEANS, LA, USA and IEEE TCOS http://www.usenix.org/imc05 DECEMBER 14–16, 2005, SAN FRANCISCO, CA, USA http://www.usenix.org/fast05 ACM/IFIP/USENIX 6TH INTERNATIONAL MIDDLEWARE CONFERENCE 3RD SYMPOSIUM ON NETWORKED SYSTEMS NOVEMBER 28–DECEMBER 2, 2005, GRENOBLE, FRANCE DESIGN AND IMPLEMENTATION (NSDI ’06) http://middleware05.objectweb.org