Notification:
We are currently experiencing intermittent issues impacting performance. We apologize for the inconvenience.
By Topic

Computer Network Defense (EC2ND), 2010 European Conference on

Date 28-29 Oct. 2010

Filter Results

Displaying Results 1 - 17 of 17
  • [Front cover]

    Publication Year: 2010 , Page(s): C1
    Save to Project icon | Request Permissions | PDF file iconPDF (2447 KB)  
    Freely Available from IEEE
  • [Title page i]

    Publication Year: 2010 , Page(s): i
    Save to Project icon | Request Permissions | PDF file iconPDF (27 KB)  
    Freely Available from IEEE
  • [Title page iii]

    Publication Year: 2010 , Page(s): iii
    Save to Project icon | Request Permissions | PDF file iconPDF (157 KB)  
    Freely Available from IEEE
  • [Copyright notice]

    Publication Year: 2010 , Page(s): iv
    Save to Project icon | Request Permissions | PDF file iconPDF (168 KB)  
    Freely Available from IEEE
  • Table of contents

    Publication Year: 2010 , Page(s): v - vi
    Save to Project icon | Request Permissions | PDF file iconPDF (152 KB)  
    Freely Available from IEEE
  • Message from the Program Chair

    Publication Year: 2010 , Page(s): vii
    Save to Project icon | Request Permissions | PDF file iconPDF (104 KB) |  | HTML iconHTML  
    Freely Available from IEEE
  • Organizing Committee

    Publication Year: 2010 , Page(s): viii - ix
    Save to Project icon | Request Permissions | PDF file iconPDF (81 KB)  
    Freely Available from IEEE
  • Embedded Malware - An Analysis of the Chuck Norris Botnet

    Publication Year: 2010 , Page(s): 3 - 10
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1174 KB) |  | HTML iconHTML  

    This paper describes a new botnet that we have discovered at the beginning of December 2009. Our Net Flow-based network monitoring system reported an increasing amount of Telnet scanning probes. Tracing back to a source we have identified world wide infected DSL modems and home routers. Nowadays, various vendors use Linux in this kind of devices. A further investigation has shown that most of deployed SoHo (small office/home office) devices use default passwords or an unpatched vulnerable firmware. Some devices allow a remote access via Telnet, SSH or a web interface. Linux malware exploiting weak passwords allows fast propagation and a virtually unlimited potential for malicious activities. In comparison to a traditional desktop oriented malware, end users have almost no chance to discover a bot infection. We call the botnet after Chuck Norris because an early version included the string [R]anger Killato : in nome di Chuck Norris! View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Experiences and Observations from the NoAH Infrastructure

    Publication Year: 2010 , Page(s): 11 - 18
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (1859 KB) |  | HTML iconHTML  

    Monitoring large chunks of unused IP address space yields interesting observations and useful results. However, the volume and diversity of the collected data makes the extraction of information a challenging task. Additionally, the maintenance of the monitoring infrastructure is another demanding and time-consuming effort. To overcome these problems, we present several visualization techniques that enable users to observe what happens in their unused address space over arbitrary time periods and provide the necessary tools for administrators to monitor their infrastructure. Our approach, which is based on open-source standard technologies, transforms the raw information at the network level and provides a customized and Web-accessible view. In this paper, we present the design, implementation and early experiences of the visualization techniques and tools deployed for the NoAH project, a large-scale honey pot-based infrastructure. Additionally, we provide a traffic analysis of data collected over a six month period of our infrastructure's operation. During the data collection period, we observed that the number of attackers continually increased as did the volume of traffic they generated. Furthermore, interesting patterns for specific types of traffic have been identified, such as the diurnal cycle of the traffic targeting TCP port 445 (Windows Directory Services), the port that receives the largest volume of attack traffic. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • iLeak: A Lightweight System for Detecting Inadvertent Information Leaks

    Publication Year: 2010 , Page(s): 21 - 28
    Cited by:  Papers (1)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (214 KB) |  | HTML iconHTML  

    Data loss incidents, where data of sensitive nature are exposed to the public, have become too frequent and have caused damages of millions of dollars to companies and other organizations. Repeatedly, information leaks occur over the Internet, and half of the time they are accidental, caused by user negligence, misconfiguration of software, or inadequate understanding of an application's functionality. This paper presents iLeak, a lightweight, modular system for detecting inadvertent information leaks. Unlike previous solutions, iLeak builds on components already present in modern computers. In particular, we employ system tracing facilities and data indexing services, and combine them in a novel way to detect data leaks. Our design consists of three components: uaudits are responsible for capturing the information that exits the system, while Inspectors use the indexing service to identify if the transmitted data belong to files that contain potentially sensitive information. The Trail Gateway handles the communication and synchronization of uaudits and Inspectors. We implemented iLeak on Mac OS X using DTrace and the Spotlight indexing service. Finally, we show that iLeak is indeed lightweight, since it only incurs 4% overhead on protected applications. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • HTTPreject: Handling Overload Situations without Losing the Contact to the User

    Publication Year: 2010 , Page(s): 29 - 34
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (166 KB) |  | HTML iconHTML  

    The web is a crucial source of information nowadays. At the same time, web applications become more and more complex. Therefore, a spontaneous increase in the number of visitors, e.g., based on news reports or events, easily brings a web server in an overload situation. In contrast to the classical model of distributed denial of service (DDoS) attacks, such a so-called flash effect situation is not triggered by a bulk of bots just aiming at hurting the system but by humans with a high interest in the content of the web site itself. While the bots do not stop their attack until told so by their operator, the user try repeatedly to access the site without knowing that the repeated reloads effectively increase the web server's overload. Classical approaches try to distinguish between real user and harmful requests, which is not applicable in this scenario. Simply restricting the number of connections leads to very technical error messages displayed by the users' client software if at all. Therefore, we propose a mean to efficiently block connection attempts and to keep the user informed at the same time. A small subset of HTTP and TCP is state lessly implemented to display simple busy messages or relevant news updates to the end user with only few resources. In this paper we present the protocol subset used and discuss the compatibility problems on the protocol and client software level. Furthermore, we show the results of performance experiments using a prototype implementation. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • An Evolutionary Computing Approach for Hunting Buffer Overflow Vulnerabilities: A Case of Aiming in Dim Light

    Publication Year: 2010 , Page(s): 37 - 45
    Cited by:  Papers (3)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (278 KB) |  | HTML iconHTML  

    We propose an approach in the form of a light weight smart fuzzer to generate string based inputs to detect buffer overflow vulnerability in C code. The approach is based on an evolutionary algorithm which is a combination of genetic algorithm and evolutionary strategies. In this preliminary work we focus on the problem that there are constraints on string inputs that must be satisfied in order to reach the vulnerable statement in the code and we have very little or no knowledge about them. Unlike other similar approaches, our approach is able to generate such inputs without knowing these constraints explicitly. It learns these constraints automatically while generating inputs dynamically by executing the vulnerable program. We provide few empirical results on a benchmarking dataset-Verisec suite of programs. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • USB Device Drivers: A Stepping Stone into Your Kernel

    Publication Year: 2010 , Page(s): 46 - 52
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (157 KB) |  | HTML iconHTML  

    The widely-used Universal Serial Bus (USB) exposes a physical attack vector which has received comparatively little attention in the past. While most research on device driver vulnerabilities concentrated on wireless protocols, we show that USB device drivers provide the same potential for vulnerabilities but offer a larger attack surface resulting from the universal nature of the USB protocol. To demonstrate the effectiveness of fuzzing USB device drivers, we present our prototypical implementation of a mutation-based, man-in-the-middle USB fuzzing framework based on an emulated environment. We practically applied our framework to fuzz the communication between an Apple iPod device and a WindowsXP system. This way, we found several potential vulnerabilities. This supports our claim that the USB architecture exposes real attack vectors and should be considered when assessing the physical security of computer systems in the future. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Response Initiation in Distributed Intrusion Response Systems for Tactical MANETs

    Publication Year: 2010 , Page(s): 55 - 62
    Cited by:  Papers (2)
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (262 KB) |  | HTML iconHTML  

    Even though Intrusion Detection Systems (IDS) are in wide-spread use, the question of how to efficiently initiate responses to detected attacks has been discussed far less often, especially in highly dynamic scenarios such as tactical MANETs. Despite being flexible and robust in their ability to self-organize, these MANETS are distinctly more susceptible to attacks than their wired counterparts. Especially in military settings such as the interconnection of infantrymen or autonomous robots, remote initiation of countermeasures is critical since local administrative personnel may not be available. In this contribution we present an architecture for response initiation that is specifically tailored to the requirements intrinsic to mobile ad hoc networks in these settings. First we introduce IRMEF (Intrusion Response Message Exchange Format) as a means of specifying and parameterizing responses remotely which is an extension of the IDMEF RFC, an experimental yet well-established and recommended IETF draft for formatting event messages. Response initiation messages are dispatched from a central location via a secure, reliable, and robust communication infrastructure based on SNMPv3. An Authenticated Flooding service ensures that messages are delivered to their destination even while the network is under attack. Locally installed responder components are responsible for the application of the response measure. These mechanisms are designed and implemented explicitly with the limitations in mind which are imposed by the MANET operating environment: For example, resource constraints are taken into account by avoiding bandwidth intensive message formats, and the use of an intelligent flooding mechanism ensures resiliency under routing attacks. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Empirical Evaluation of the Internet Analysis System for Application in the Field of Anomaly Detection

    Publication Year: 2010 , Page(s): 63 - 70
    Save to Project icon | Request Permissions | Click to expandQuick Abstract | PDF file iconPDF (345 KB) |  | HTML iconHTML  

    Anomaly detection in computer networks is an actively researched topic in the field of intrusion detection. The Internet Analysis System (IAS) is a software framework which provides passive probes and centralized backend services to collect purely statistical network data in distributed computer networks. This paper presents an empirical evaluation of the IAS data format for detecting anomalies, caused by attack traffic. This process involved the generation of labeled evaluation data based on the 1999 DARPA Intrusion Detection Evaluation data sets and two different supervised machine learning approaches for the assessment. The results of this evaluation conclude, that the IAS is not a convenient data source for advanced anomaly detection in the scope of our research. View full abstract»

    Full text access may be available. Click article title to sign in or learn about subscription options.
  • Author index

    Publication Year: 2010 , Page(s): 71
    Save to Project icon | Request Permissions | PDF file iconPDF (84 KB)  
    Freely Available from IEEE
  • [Publisher's information]

    Publication Year: 2010 , Page(s): 72
    Save to Project icon | Request Permissions | PDF file iconPDF (141 KB) |  | HTML iconHTML  
    Freely Available from IEEE