2011 Seventh European Conference on Computer Network Defense (EC2ND)

Date 6-7 Sept. 2011

  • [Front cover]

    Page(s): C4
  • [Title page i]

    Page(s): i
  • [Title page iii]

    Page(s): iii
  • [Copyright notice]

    Page(s): iv
  • Table of contents

    Page(s): v - vi
  • Preface

    Page(s): vii
  • Conference Committees

    Page(s): viii - ix
  • External Reviewers

    Page(s): x
  • Sponsors

    Page(s): xi
  • A Rose by Any Other Name or an Insane Root? Adventures in Name Resolution

    Page(s): 1 - 8

    Namespaces are fundamental to computing systems. Each namespace maps the names that clients use to retrieve resources to the actual resources themselves. However, the indirection that namespaces provide introduces avenues of attack through the name resolution process. Adversaries can trick programs into accessing unintended resources by changing the binding between names and resources and by using names whose target resources are ambiguous. In this paper, we explore whether a unified system approach may be found to prevent many name resolution attacks. For this, we examine attacks on various namespaces and use these to derive invariants to defend against these attacks. Four prior techniques are identified that enforce aspects of name resolution, so we explore how these techniques address the proposed invariants. We find that each of these techniques is incomplete in itself, but a combination could provide effective enforcement of the invariants. We implement a prototype system that can implement these techniques for the Linux file system namespace, and show that invariant rules specific to each individual program system call can be enforced with a small overhead (less than 3%), indicating that fine-grained name resolution enforcement may be practical.
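
As an added example (not the paper's prototype), here is one of the invariants the abstract alludes to, enforced inside the program rather than system-wide: a privileged service that serves files from a directory must not let the name it was given resolve through a symbolic link, because an attacker who controls that directory can rebind a harmless name to a sensitive file between the program's check and its use. The naive version follows the link; the hardened version walks the path with openat() semantics (`dir_fd`) and `O_NOFOLLOW`, then checks the object it actually opened. The directory layout, file names and contents are constructed for the demo, which runs on Linux.

```python
import errno
import os
import shutil
import stat
import tempfile


def safe_open_no_symlink(base_dir: str, rel_path: str, flags: int = os.O_RDONLY) -> int:
    """Resolve rel_path under base_dir one component at a time, each step
    relative to the directory fd already held (openat semantics) and with
    O_NOFOLLOW, so the binding from name to object is checked at the moment
    it is used. Invariants enforced: no component is a symbolic link, and the
    path cannot escape base_dir through '..'. Returns an open fd."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"refusing to resolve {rel_path!r} under {base_dir!r}")
    dir_fd = os.open(base_dir, os.O_RDONLY | os.O_DIRECTORY)  # base_dir is trusted
    try:
        for comp in parts[:-1]:
            try:
                nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError as e:
                if e.errno == errno.ELOOP:  # the kernel refused to follow a symlink
                    raise PermissionError(f"symlink component {comp!r} rejected") from e
                raise
            os.close(dir_fd)
            dir_fd = nxt
        try:
            return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
        except OSError as e:
            if e.errno == errno.ELOOP:
                raise PermissionError(f"symlink {parts[-1]!r} rejected") from e
            raise
    finally:
        os.close(dir_fd)


def naive_read(base_dir: str, rel_path: str) -> bytes:
    """The vulnerable pattern: open() follows whatever the name points at now."""
    with open(os.path.join(base_dir, rel_path), "rb") as f:
        return f.read()


def safe_read(base_dir: str, rel_path: str) -> bytes:
    fd = safe_open_no_symlink(base_dir, rel_path)
    st = os.fstat(fd)  # inspect the object we hold, not a separate stat() of the name
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise PermissionError("not a regular file")
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: <root>/secret.txt outside the served directory, and
    <root>/served/link.html, an attacker-planted symlink pointing at it."""
    root = tempfile.mkdtemp(prefix="nameres-")
    try:
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("TOP SECRET")
        served = os.path.join(root, "served")
        os.mkdir(served)
        with open(os.path.join(served, "index.html"), "w") as f:
            f.write("hello")
        os.symlink(secret, os.path.join(served, "link.html"))

        results = {"naive": naive_read(served, "link.html").decode()}
        try:
            safe_read(served, "link.html")
            results["safe"] = "opened"
        except PermissionError:
            results["safe"] = "blocked"
        results["legit"] = safe_read(served, "index.html").decode()
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The check is on the file descriptor the program will actually read from, never on a separate stat() of the path, because a path-based check leaves a window in which the attacker can swap the binding. Doing this per program is exactly the case-by-case effort the abstract's system-wide approach aims to replace.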
  • On Botnets That Use DNS for Command and Control

    Page(s): 9 - 16

    We discovered and reverse engineered Feederbot, a botnet that uses DNS as carrier for its command and control. Using k-Means clustering and a Euclidean Distance based classifier, we correctly classified more than 14m DNS transactions of 42,143 malware samples concerning DNS-C&C usage, revealing another bot family with DNS C&C. In addition, we correctly detected DNS C&C in mixed office workstation network traffic.
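
A minimal version of the distance-based classification step, as an added example (the feature set, the sample transactions and the nearest-centroid rule are assumptions for illustration, not the paper's k-Means pipeline or Feederbot traffic): each DNS transaction becomes a feature vector, the vectors are min-max scaled, and a new transaction is labelled by the class centroid it is closest to in Euclidean distance.

```python
import math
from collections import Counter

# Constructed DNS transactions, not real Feederbot traffic:
# (query name, record type, size of the answer payload in bytes)
BENIGN = [
    ("www.example.com", "A", 4),
    ("mail.example.org", "A", 4),
    ("cdn.images.example.net", "A", 4),
    ("update.vendor.example", "A", 4),
    ("api.service.example.com", "A", 4),
]
DNS_C2 = [
    ("a9f3k2x7q1.z8w4.c2.example.net", "TXT", 180),
    ("7h2k9s8d6f.k3j4.c2.example.net", "TXT", 210),
    ("q1w2e3r4t5.y6u7.c2.example.net", "TXT", 160),
    ("z9x8c7v6b5.n4m3.c2.example.net", "TXT", 190),
]


def entropy(s: str) -> float:
    """Shannon entropy (bits per character) of a string."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def features(txn) -> list:
    """Assumed feature vector: bots tunnelling data through DNS tend to use
    long, high-entropy, digit-heavy labels and bulky TXT answers."""
    name, rrtype, answer_len = txn
    labels = name.split(".")
    flat = name.replace(".", "")
    return [
        entropy(flat),
        max(len(label) for label in labels),
        sum(ch.isdigit() for ch in flat) / len(flat),
        1.0 if rrtype == "TXT" else 0.0,
        float(answer_len),
    ]


class NearestCentroid:
    """Euclidean nearest-centroid classifier over min-max scaled features."""

    def fit(self, labelled):
        vectors = [features(t) for t, _ in labelled]
        self.lo = [min(col) for col in zip(*vectors)]
        self.hi = [max(col) for col in zip(*vectors)]
        by_class = {}
        for (_, label), x in zip(labelled, vectors):
            by_class.setdefault(label, []).append(self._scale(x))
        self.centroids = {label: [sum(col) / len(vs) for col in zip(*vs)]
                          for label, vs in by_class.items()}
        return self

    def _scale(self, x):
        # Without scaling the answer size (hundreds of bytes) would swamp the
        # other features in the Euclidean distance.
        return [(v - lo) / (hi - lo) if hi > lo else 0.0
                for v, lo, hi in zip(x, self.lo, self.hi)]

    def predict(self, txn) -> str:
        x = self._scale(features(txn))
        return min(self.centroids, key=lambda c: math.dist(x, self.centroids[c]))


MODEL = NearestCentroid().fit([(t, "benign") for t in BENIGN] +
                              [(t, "dns-c2") for t in DNS_C2])

if __name__ == "__main__":
    for txn in [("www.news.example.com", "A", 4),
                ("k4j2h9g8f7.p3o2.c2.example.net", "TXT", 200),
                ("example.com", "TXT", 60)]:
        print(txn[0], "->", MODEL.predict(txn))
```

The third query in the usage block, a legitimate TXT lookup such as an SPF record, sits between the two centroids on several features; that ambiguity is why per-transaction rules alone are weak and why a classifier has to be trained and validated on a large labelled corpus of transactions, as the abstract describes, rather than on a handful of examples like these.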
  • dead.drop: URL-Based Stealthy Messaging

    Page(s): 17 - 24

    In this paper we propose the use of URLs as a covert channel to relay information between two or more parties. We render our technique practical, in terms of bandwidth, by employing URL-shortening services to form URL chains of hidden information. We discuss the security aspects of this technique and present proof-of-concept implementation details along with measurements that prove the feasibility of our approach.
  • Adaptive Detection of Covert Communication in HTTP Requests

    Page(s): 25 - 32

    The infection of computer systems with malicious software is an enduring problem of computer security. Avoiding an infection in the first place is a hard task, as computer systems are often vulnerable to a multitude of attacks. However, to explore and control an infected system, an attacker needs to establish a communication channel with the victim. While such a channel can be easily established to an unprotected end host in the Internet, infiltrating a closed network usually requires passing an application-level gateway -- in most cases a web proxy -- which constitutes an ideal spot for detecting and blocking unusual outbound communication. This paper introduces DUMONT, a system for detecting covert outbound HTTP communication passing through a web proxy. DUMONT learns profiles of normal HTTP requests for each user of the proxy and adapts to individual web surfing characteristics. The profiles are inferred from a diverse set of features, covering the structure and content of outbound data, and allowing for automatically identifying tunnels and covert channels as deviations from normality. While this approach does not generally rule out sophisticated covert communication, it significantly improves on state-of-the-art methods and hardens networks against malware proliferation. This capability is demonstrated in an evaluation with 90 days of web traffic, where DUMONT uncovers the communication of malware, tunnels and backdoors with few false alarms.
  • IRILD: An Information Retrieval Based Method for Information Leak Detection

    Page(s): 33 - 40

    The traditional approach for detecting information leaks is to generate fingerprints of sensitive data, by partitioning and hashing it, and then comparing these fingerprints against outgoing documents. Unfortunately, this approach incurs a high computation cost as every part of a document needs to be checked. As a result, it is not applicable to systems with a large number of documents that need to be protected. Additionally, the approach is prone to false positives if the fingerprints are common phrases. In this paper, we propose an improvement for this approach to offer a much faster processing time with fewer false positives. The core idea of our solution is to eliminate common phrases and non-sensitive phrases from the fingerprinting process. Non-sensitive phrases are identified by looking at available public documents of the organization that we want to protect from information leaks and common phrases are identified with the help of a search engine. In this way, our solution both accelerates leak detection and increases the accuracy of the result. Experiments were conducted on real-world data to prove the efficiency and effectiveness of the proposed solution.
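
To make the two filtering steps concrete, the following added example (not the IRILD implementation) fingerprints a sensitive document with hashed word 3-grams, then drops every fingerprint that also occurs in the organization's public documents or in a stand-in list of common phrases (the paper uses a search engine for that second source; an inline list replaces it here). All documents are constructed, and the hashing scheme, n-gram size and scoring rule are assumptions.

```python
import hashlib
import re

NGRAM = 3  # assumed shingle size (words per fingerprint)


def shingles(text: str, n: int = NGRAM) -> set:
    """Word n-grams of a document, normalised to lower-case alphanumerics."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def fingerprints(text: str) -> set:
    """Hash each shingle so the detector stores digests, not the sensitive text."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in shingles(text)}


# Constructed documents for the demo.
SENSITIVE_DOC = ("Internal memo. Project Nightjar acquisition target is Acme Widgets "
                 "at an offer price of 42 million. This document is confidential. "
                 "All rights reserved Example Corp 2011.")
PUBLIC_DOCS = [  # material the organisation already publishes
    "Example Corp announces record quarter. This document is provided for "
    "information. All rights reserved Example Corp 2011.",
]
COMMON_PHRASES = [  # stand-in for phrases a search engine would report as common
    "This document is intended for the recipient. All rights reserved. "
    "Please do not reply to this message.",
]


def build_fingerprints(sensitive: str, public_docs: list, common_docs: list):
    """Return (naive, filtered). The filtered set removes every fingerprint
    that also appears in public or common text, which is the paper's core idea:
    fewer fingerprints to match, and boilerplate can no longer trigger an alert."""
    naive = fingerprints(sensitive)
    stoplist = set().union(*(fingerprints(d) for d in public_docs + common_docs))
    return naive, naive - stoplist


def leak_score(outgoing: str, fps: set) -> int:
    """Number of sensitive fingerprints present in an outgoing document."""
    return len(fingerprints(outgoing) & fps)


NAIVE_FPS, FILTERED_FPS = build_fingerprints(SENSITIVE_DOC, PUBLIC_DOCS, COMMON_PHRASES)

BENIGN_OUTGOING = ("Monthly newsletter for customers. This document is public. "
                   "All rights reserved Example Corp 2011.")
LEAKING_OUTGOING = ("FYI the acquisition target is Acme Widgets, offer price of "
                    "42 million, keep quiet.")

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_OUTGOING), ("leaking", LEAKING_OUTGOING)]:
        print(label, "naive:", leak_score(doc, NAIVE_FPS),
              "filtered:", leak_score(doc, FILTERED_FPS))
```

The newsletter shares only copyright boilerplate with the memo, so the naive fingerprint set raises a false alarm on it while the filtered set stays silent; the message that quotes the deal terms scores the same under both, because none of its shared phrases are public or common. In a deployment the stoplist must be rebuilt whenever the public corpus changes, otherwise a newly published phrase keeps generating alerts.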
  • MELISSA: Towards Automated Detection of Undesirable User Actions in Critical Infrastructures

    Page(s): 41 - 48

    We address the detection of process-related threats in control systems used in critical infrastructures. Process-related threats take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the industrial process. We use logs to detect anomalous patterns of user actions on a process control application. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.
  • Remote Control of Smart Meters: Friend or Foe?

    Page(s): 49 - 56

    The traditional electrical grid is transitioning into the smart grid. New equipment is being installed to simplify the process of monitoring and managing the grid, making the system more transparent to use but also introducing new security problems. Smart meters are replacing the traditional electrical utility meters, offering new functionalities such as remote reading, automatic error reporting, and the possibility for remote shutoff. This last feature is studied in this paper through two scenarios where the effects are outlined, both on a theoretical level and through a simulation. In the first scenario, the frequency property of the grid is the target to possibly cause a blackout. In the second scenario, the voltage is driven out of bounds by the adversary.
  • The Anti-Social Behavior of Spam

    Page(s): 57

    Spam mitigation strategies that aim at detecting spam on the network level should classify email senders based on their sending behavior rather than the content of what they send. To achieve this goal, we have performed a social network analysis on a network of email communications. Such a network captures the social communication patterns of email senders and receivers. Our social network analysis on email traffic has revealed that structural properties of networks of email communications differ from other types of interaction and social networks such as online social networks, the web, Internet AS topology, and phone call graphs. The difference is caused by the extensive amount of unsolicited email traffic, which therefore can be used to discriminate spam senders from legitimate users. Deployment of such a social network-based spam detection strategy on a small network device makes it possible to stop spam closer to its source and without inspecting email contents. In this presentation, we will look at the anti-social behavior of spam and how it can be used for detection of spam senders.
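
The abstract does not say which structural properties it relies on, so the following added example (not the authors' analysis) takes one plausible property as an assumption: legitimate senders' edges are largely reciprocated, whereas a spam source has a large out-degree, almost no in-degree and no reciprocated edges. It builds the sender graph from a constructed message log and classifies senders on those values alone, without looking at any message content.

```python
from collections import defaultdict

# Constructed message log (sender, recipient), one entry per delivered message.
MESSAGES = [
    ("alice@corp.example", "bob@corp.example"),
    ("bob@corp.example", "alice@corp.example"),
    ("alice@corp.example", "carol@corp.example"),
    ("carol@corp.example", "alice@corp.example"),
    ("bob@corp.example", "carol@corp.example"),
    ("dave@corp.example", "erin@corp.example"),
    ("erin@corp.example", "dave@corp.example"),
    ("promo@bulk.example", "alice@corp.example"),
    ("promo@bulk.example", "bob@corp.example"),
    ("promo@bulk.example", "carol@corp.example"),
    ("promo@bulk.example", "dave@corp.example"),
    ("promo@bulk.example", "erin@corp.example"),
]


def build_graph(messages):
    """Directed graph of who mailed whom; an edge exists once regardless of volume."""
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    for sender, recipient in messages:
        out_edges[sender].add(recipient)
        in_edges[recipient].add(sender)
    return out_edges, in_edges


def sender_stats(messages):
    """Per-sender out-degree, in-degree and reciprocity, i.e. the share of a
    sender's recipients who have ever mailed that sender back."""
    out_edges, in_edges = build_graph(messages)
    stats = {}
    for sender, recipients in out_edges.items():
        mutual = sum(1 for r in recipients if sender in out_edges.get(r, set()))
        stats[sender] = {
            "out_degree": len(recipients),
            "in_degree": len(in_edges.get(sender, set())),
            "reciprocity": mutual / len(recipients),
        }
    return stats


def classify_senders(messages, min_out_degree=3, max_reciprocity=0.2):
    """Assumed rule: many distinct recipients and (almost) no reciprocated
    edges marks an anti-social sender. Thresholds are tuned to the toy data."""
    verdicts = {}
    for sender, st in sender_stats(messages).items():
        anti_social = (st["out_degree"] >= min_out_degree
                       and st["reciprocity"] <= max_reciprocity)
        verdicts[sender] = "spam-source" if anti_social else "legitimate"
    return verdicts


if __name__ == "__main__":
    for sender, verdict in classify_senders(MESSAGES).items():
        print(sender, sender_stats(MESSAGES)[sender], verdict)
```

Two caveats a deployment has to handle: the thresholds must come from the observed degree and reciprocity distributions of the protected network, not from a toy log, and legitimate one-way senders (newsletters, alert systems, mailing-list expanders) have the same low reciprocity as spam sources, so they need an allow-list or a second feature before the verdict is acted on.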
  • Location Privacy: User-Centric Threat Analysis

    Page(s): 58

    Information that describes the geographic locations of a person over time is a fairly new class of potentially privacy-harming data. In pace with certain technological advances of the recent years, more and more location data is generated and processed by various systems. Its usage for different location-based services (including the integration into social network services) encounters a steep and still ongoing rise in popularity. Besides communication infrastructure based localization methods that map IP-addresses, GSM-cell identifiers or wireless router MAC-addresses to geographic locations, the main contribution to this development comes from the proliferation of GPS-enabled mobile user devices. The critical point is that plain location data has the potential to both identify a single user and disclose sensitive information about that user's activity at the same time. This makes the robust anonymization of position information a non-trivial task and has created a lively branch in privacy research over the last years.
  • Mitigating Distributed Denial-of-Service Attacks: Application-Defense and Network-Defense Methods

    Page(s): 59

    Summary form only given. Distributed Denial of Service (DDoS) attacks can be so powerful that they can easily deplete the computing resources or bandwidth of the potential targets. Based on the types of the targets, DDoS attacks can be addressed at two levels: application-level and network-level. Taking the network-based applications into consideration, a weak point is that they commonly open some known communication port(s), making themselves targets for denial of service (DoS) attacks. Considering adversaries that can eavesdrop and launch directed DoS attacks to the applications' open ports, solutions based on pseudorandom port-hopping have been suggested [1], [5], where applications defend the attacks to the communication ports by changing them periodically. As port-hopping needs the communicating parties to "hop" in a synchronized manner, these solutions suggest acknowledgment-based protocols between a client-server pair or assume the presence of synchronized clocks. Acknowledgments, if lost, can cause a port to be open for a longer time and thus be vulnerable to DoS attacks; time servers for synchronizing clocks can become targets of DoS attacks themselves. Following this line of research, in [2] we proposed a solution for port-hopping in the presence of clock drifts, which are common in networking. The solution basically consists of two algorithms: HOPERAA and BIGWHEEL. HOPERAA enables each client to interact with the server independently of the other clients; BIGWHEEL enables a server to communicate with multiple clients in a port-hopping manner, without synchronizing with each client individually, which supports multi-party applications as well. Anti-DDoS solutions at the application level, such as port-hopping, are ineffective when the DDoS attacks aim to congest the victim's network. Victims may need help from network-based (i.e. router-level) solutions to solve the problem.

    Among the network-based solutions against DDoS attacks, the network-capability mechanism is a novel approach [6]. A capability is a ticket-like token, checkable by routers, that a server can issue for legitimate traffic. Still, malicious hosts may swamp a server with requests for capability establishment, essentially causing possible Denial-of-Capability (DoC). In [4] we proposed an algorithm to mitigate DoC attacks. With this algorithm, the legitimate hosts can get service with guaranteed probability. The algorithm divides the server's capacity for handling capability requests into quotas. Quotas are allocated based on a sink tree architecture. Randomization and Bloom filters are used as tools against threats (attacking scenarios). Issues of fault-tolerance and the deployment of the proposed approach were also addressed in [4]. The algorithm is not only suitable for solving the DoC problem, but also for general authentication-based solutions against DDoS attacks, since legitimate hosts always need to get the secret for generating authentication tokens before sending data packets to the server. Mitigating DDoS attacks is challenging not only for the targets of the attacks, but also for the network, as a large volume of illegitimate traffic shares the same network resources as legitimate traffic and can furthermore cause congestion phenomena and performance degradation. Considering malicious traffic, we would like ideally to disallow it completely from consuming network resources. To achieve that, the malicious traffic should be controlled as close to the source(s) as possible. It is observed that there is a trade-off between the protection level of the network and the efficiency/overhead of the protecting method. By building on earlier work and improving on distribution-of-control aspects, in [3] we proposed a proactive method, called CluB, to mitigate DDoS attacks. The method balances the effectiveness-overhead trade-off by addressing the issue of granularity of control in the network. CluB can collaborate with different
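
The port-hopping mechanism the summary describes, as an added illustration (it is not HOPERAA, BIGWHEEL, or any code from [2]): server and client derive the current port from a shared secret and a time slot, and the server keeps the ports of the neighbouring slots open as well, so a client whose clock has drifted by less than one slot still lands on an open port without any acknowledgment protocol or time server. The secret, slot length, port range and tolerance window are assumed values for the example.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this illustration.
SLOT_SECONDS = 2.0                    # how long one port stays current
PORT_BASE, PORT_RANGE = 20000, 10000  # hop within 20000..29999
TOLERANCE = 1                         # server also accepts the previous and next slot's port


def slot_of(clock: float) -> int:
    """Index of the hopping slot that a (possibly drifted) clock falls into."""
    return int(clock // SLOT_SECONDS)


def port_for_slot(secret: bytes, slot: int) -> int:
    """Pseudorandom port for a slot. An eavesdropper sees the current port
    but, without the secret, cannot predict the next one."""
    tag = hmac.new(secret, struct.pack(">Q", slot), hashlib.sha256).digest()
    return PORT_BASE + int.from_bytes(tag[:4], "big") % PORT_RANGE


class HoppingServer:
    def __init__(self, secret: bytes):
        self.secret = secret

    def open_ports(self, server_clock: float) -> dict:
        """Ports the server listens on right now, mapped to their slot index.
        A window of 2*TOLERANCE+1 slots tolerates client drift of up to
        TOLERANCE slots in either direction."""
        cur = slot_of(server_clock)
        return {port_for_slot(self.secret, s): s
                for s in range(cur - TOLERANCE, cur + TOLERANCE + 1)}

    def accepts(self, server_clock: float, port: int) -> bool:
        return port in self.open_ports(server_clock)


def client_port(secret: bytes, client_clock: float) -> int:
    """The client hops on its own clock; drift relative to the server is
    absorbed by the server's window, not by synchronising the clocks."""
    return port_for_slot(secret, slot_of(client_clock))


def blind_attacker_hit_probability() -> float:
    """Chance that one packet to a random port in the range hits an open port.
    Widening TOLERANCE to absorb more drift raises this linearly, which is the
    trade-off a drift-aware design has to manage."""
    return (2 * TOLERANCE + 1) / PORT_RANGE


if __name__ == "__main__":
    secret = b"shared-secret"
    server = HoppingServer(secret)
    for drift in (0.0, 1.5, -1.5, 7.0):
        port = client_port(secret, 1000.0 + drift)
        print(f"client drift {drift:+.1f}s -> port {port}: "
              f"{'accepted' if server.accepts(1000.0, port) else 'dropped'}")
    print("blind attacker hit probability per packet:", blind_attacker_hit_probability())
```

With a 7 s drift the client is three slots ahead of the server's window and its packets are dropped; that is the situation a drift-tolerant protocol such as the one in [2] has to detect and correct, since simply widening the window hands the attacker a proportionally better chance of hitting an open port.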
  • CAPTCHuring Automated (Smart)Phone Attacks

    Page(s): 60

    In this work we expand the notion of Phone CAPTCHAs as a countermeasure against DIAL attacks. We explore several axes upon which they can be improved. We also propose their use as defense mechanisms against several recent attacks that target smartphones. Our key contributions are summarized as follows: As shown in our previous work, end telephone devices have little means to defend themselves from a DIAL attack. To mitigate this effect, we implemented a fully functional call center incorporating Phone CAPTCHAs for protecting telephone devices from such attacks. Furthermore, we propose a series of improvements to traditional audio CAPTCHAs to strengthen them against voice recognition attacks; We expand the idea of DIAL attacks and demonstrate that by exploiting a vulnerability in a smartphone, one can leverage cellular networks for flooding a target telephone device with calls; We propose the modification of smartphone operating system API calls to incorporate client-side Phone CAPTCHAs so as to prohibit compromised devices from issuing arbitrary calls; And we conduct a user study that demonstrates the applicability of Phone CAPTCHAs, as first-time, non-native users managed to successfully solve the CAPTCHAs in 71% to 83% of the cases. We consider this to be very satisfactory for the newly introduced CAPTCHAs.
  • Security in Wireless Sensor Networks

    Page(s): 61

    A wireless sensor network is a network of small computers, sensor nodes, that can gather information via their sensors, do computations and communicate wirelessly with other sensor nodes. In general a wireless sensor network is an ad hoc network in which the nodes organize themselves without any preexisting infrastructure. Once in the area, the nodes that survived the deployment procedure communicate with the other nodes that happened to end up in their vicinity, and they set up an infrastructure.
  • Discussion Panel in conjunction with the 7th European Conference on Computer Network Defense (EC2ND 2011): Security Issues in the Smart Grid

    Page(s): 62 - 63

    For EC2ND 2011, a special emphasis was given to the protection against attacks in "special environments," such as the ICT component of the smart grid, or the protection against attacks that could cause a large societal impact. To complement the research papers, a panel was also organized to discuss security issues in the smart grid. The members of the panel represent several of the actors involved in the development and deployment of the smart grid, such as government agencies, companies selling equipment and software, companies producing and distributing electricity, as well as researchers in both computer science and power engineering.
  • Author index

    Page(s): 64
  • [Publisher's information]

    Page(s): 66