6th European Conference - Academic Conferences
David Merritt and Barry Mullins

2. Network infiltration detection

Intrusion detection helps us answer the question: “Is there a malicious intrusion into the network?” Because there are countless manual and automated mechanisms to identify suspicious network behavior, this section discusses only the most common techniques for intrusion detection. This glimpse into intrusion detection serves as a backdrop for the explanation of the synthesis approach, which assumes that network infiltration can be detected somewhat reliably.

A network-based intrusion detection system (NIDS) detects network-oriented attacks and traditionally monitors the access points into a network. If a cyber spy chooses a common network attack method to infiltrate a network, such as a common buffer overflow exploit, then the NIDS will have a high detection success rate (Patcha and Park, 2007: 3448-3470). If there is a novel or sophisticated attack that is difficult to detect, the NIDS relies on its anomaly detection capability. Kuang and Zulkernine (2008: 921-926) have shown that an anomaly-based NIDS employing the Combined Strangeness and Isolation measure K-Nearest Neighbors algorithm can accurately identify novel attacks at a detection rate of 94.6%, where the detection rate is defined as the ratio of correctly classified network intrusion samples to the total number of samples.
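The following is an added illustration, not code from the paper and not the Combined Strangeness and Isolation k-NN algorithm of Kuang and Zulkernine. It shows the mechanics that any distance-based anomaly NIDS rests on: a baseline of normal connection records, a distance score for each new connection against its k nearest baseline neighbours, a threshold learned from the baseline itself, and the detection-rate metric as the paper defines it (correctly classified samples divided by all samples). The feature vectors, the baseline and the labelled evaluation traffic are all constructed; the fifth sample is deliberately an attack hidden inside a normal-looking session, so the example also shows how a miss lowers the detection rate.

```python
"""Distance-based k-NN anomaly scoring for network connection records (added example)."""
import math

# One record per connection: (duration_s, bytes_out, bytes_in, failed_logins).
# Constructed baseline of normal traffic used to fit the detector.
BASELINE = [
    (0.5, 300, 1500, 0), (0.8, 400, 2200, 0), (0.3, 250, 900, 0),
    (1.2, 600, 4000, 0), (0.6, 350, 1800, 0), (0.9, 500, 2600, 0),
    (0.4, 280, 1200, 0), (1.0, 550, 3100, 0),
]

# Constructed evaluation traffic with ground-truth labels.
SAMPLES = [
    ((0.7, 380, 2000, 0), "normal"),
    ((0.5, 320, 1400, 0), "normal"),
    ((0.2, 200, 100, 12), "intrusion"),  # password guessing: many failed logins
    ((0.1, 8000, 50, 0), "intrusion"),   # oversized request, tiny reply
    ((0.7, 390, 2100, 0), "intrusion"),  # attack hidden in a normal-looking session
]


def fit_scaler(rows):
    """Per-column minimum and range from the baseline so byte counts do not
    swamp durations; a constant column (range 0) falls back to range 1."""
    cols = list(zip(*rows))
    mins = [min(c) for c in cols]
    ranges = [(max(c) - mn) or 1.0 for c, mn in zip(cols, mins)]
    return mins, ranges


def scale(row, scaler):
    mins, ranges = scaler
    return [(x - mn) / r for x, mn, r in zip(row, mins, ranges)]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_score(point, reference, k=3):
    """Mean distance to the k nearest reference points; higher = more anomalous."""
    dists = sorted(euclid(point, r) for r in reference)
    return sum(dists[:k]) / k


def learn_threshold(baseline_scaled, k=3):
    """Leave-one-out scoring of the baseline: the most unusual connection that
    is still known to be normal sets the alarm threshold."""
    scores = []
    for i, p in enumerate(baseline_scaled):
        rest = baseline_scaled[:i] + baseline_scaled[i + 1:]
        scores.append(knn_score(p, rest, k))
    return max(scores)


def build_detector(baseline, k=3):
    """Return (classify, threshold); classify maps a raw record to a label."""
    scaler = fit_scaler(baseline)
    ref = [scale(r, scaler) for r in baseline]
    threshold = learn_threshold(ref, k)

    def classify(row):
        score = knn_score(scale(row, scaler), ref, k)
        return "intrusion" if score > threshold else "normal"

    return classify, threshold


def detection_rate(predicted, actual):
    """Paper's definition: correctly classified samples / total samples."""
    correct = sum(p == a for p, a in zip(predicted, actual))
    return correct / len(actual)


def evaluate(baseline=BASELINE, samples=SAMPLES, k=3):
    classify, _ = build_detector(baseline, k)
    predicted = [classify(row) for row, _ in samples]
    actual = [label for _, label in samples]
    return predicted, detection_rate(predicted, actual)


if __name__ == "__main__":
    predicted, rate = evaluate()
    for (row, label), verdict in zip(SAMPLES, predicted):
        print(f"{row!s:26} truth={label:9} verdict={verdict}")
    print(f"detection rate = {rate:.2f}")
```

On this constructed data the two blatant attacks are far from every baseline point and are flagged, while the attack that mimics a normal session scores like normal traffic and is missed, giving a detection rate of 0.8; that miss is exactly the gap the paper's later synthesis step is meant to cover by correlating network evidence with host evidence.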
3. Malware detection

Malware detection helps us answer the question: “Is there something malicious happening on a host?” This section is not an exhaustive survey of all malware detection mechanisms and methods. Rather, it simply makes evident the fact that there are numerous ways to reliably detect most malware on a system. Malware comes in many forms with many names. For simplicity and convenience, we will refer to any unwanted and malicious program or code running on a system as malware. Naturally, detection of unknown malware is the goal, assuming the cyber spy will use sophisticated, novel malicious programs to establish footholds on a computer and within a network.
3.1 Antivirus

Antivirus, or anti-malware, software does not need much explanation as it is a commonly used and moderately understood term. Antivirus products rely primarily on signature-based detection, although most products have integrated at least a rudimentary mechanism for behavioral analysis of executables. The vast majority of known malware is caught by commodity software. As a point of reference, most antivirus products have proven they can detect malware in sample sizes of over one million with accuracy in the upper 90th percentile (Virus Bulletin, 2008).
3.2 Malware analysis

There are historically two methods of analyzing unknown programs, or binaries: static and dynamic (Ding et al, 2009: 72-77). Static analysis starts with the conversion of a program from its binary representation to a more symbolic, human-readable version of assembly code instructions. This disassembly ideally takes into account all possible code execution paths of the unknown program, which provides a reverse engineer with the complete set of program instructions and therefore the inner workings of the unknown program’s code. Analyzing this code to discover a program’s purpose and capabilities makes up the bulk of static analysis. Christodorescu et al (2005: 32-46) and Kruegel, Robertson and Vigna (2004: 91-100) discuss a couple of effective approaches to using this kind of analysis to detect and classify unknown malware.
On the other hand, analyzing the code during execution is called dynamic analysis. Dynamic analysis is effective against binaries that obfuscate themselves or are self-modifying, because the destiny of all programs is to be run on a system, and while the program is running its behavior and subsequent system modifications can be observed. Willems, Holz and Freiling (2007: 32-39) and Bayer et al (2006: 67-77) discuss dynamic analysis techniques that are successful in detecting unknown malware. Also, Rieck et al (2008: 108-125) used a learning-based approach to automatically classify 70% of over 3,000 previously undetected malware binaries.
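The following added example, which is not code from the paper or from any antivirus product, puts sections 3.1 and 3.2 side by side. Two constructed "binaries" are examined: a known sample and a variant of it whose payload has been re-packed with a one-byte XOR key so that its bytes on disk differ. Signature matching on the file bytes (a hash signature and a byte-pattern signature, the antivirus approach) identifies the known sample and a padded copy of it, but not the packed variant. Scoring the sandbox trace each sample produces when run (the dynamic analysis approach) flags both, because the behavior is the same however the bytes are encoded, and a benign installer trace stays below the alarm score. The signature names, the trace lines, the rules and their weights are all constructed for illustration.

```python
"""Signature matching beside behaviour-based detection of a sandbox trace (added example)."""
import hashlib
import re

# --- Constructed samples --------------------------------------------------
KNOWN_SAMPLE = b"MZ\x90\x00" + b"CONNECT evil.example:4444;WRITE HKLM\\Run;" * 2


def xor_pack(data, key=0x5A):
    """Stand-in for a packer: same payload, different bytes on disk."""
    return bytes(b ^ key for b in data)


VARIANT = b"MZ\x90\x00" + xor_pack(KNOWN_SAMPLE[4:])

# --- Signature-based detection (static, on file bytes) --------------------
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A"}
BYTE_SIGNATURES = {b"evil.example:4444": "Trojan.Constructed.gen"}


def signature_scan(data):
    """Exact-hash match first, then byte-pattern match; None if nothing hits."""
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in data:
            return name
    return None


# --- Behaviour-based detection (dynamic, on a sandbox trace) --------------
# Constructed traces, one line per observed system call or network event.
KNOWN_TRACE = r"""
NtCreateFile path=C:\Users\Public\updater.exe access=WRITE
NtSetValueKey key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value=updater
connect host=evil.example port=4444
"""
# The packed variant first makes its own memory executable to unpack itself,
# then behaves identically.
VARIANT_TRACE = "NtProtectVirtualMemory addr=0x401000 size=0x2000 prot=RWX\n" + KNOWN_TRACE
BENIGN_TRACE = r"""
NtCreateFile path=C:\Program Files\Vendor\setup.exe access=WRITE
connect host=update.vendor.example port=443
"""

BEHAVIOUR_RULES = [
    # (description, regex applied to a single trace line, weight)
    ("makes memory writable and executable (unpacking)", r"NtProtectVirtualMemory .*prot=RWX", 2),
    ("registry Run-key persistence", r"NtSetValueKey key=.*\\CurrentVersion\\Run\b", 3),
    ("writes an executable to disk", r"NtCreateFile path=.*\.exe access=WRITE", 2),
    ("outbound connection on a non-web port", r"connect host=\S+ port=(?!80$|443$)\d+", 2),
]
MALICIOUS_SCORE = 5  # constructed alarm threshold


def behaviour_score(trace):
    """Sum the weights of every rule matched by at least one trace line."""
    matched = []
    for desc, pattern, weight in BEHAVIOUR_RULES:
        if any(re.search(pattern, line) for line in trace.splitlines()):
            matched.append((desc, weight))
    return sum(w for _, w in matched), [d for d, _ in matched]


def analyze(sample, trace):
    """Combine both views: a signature hit or a high behaviour score is malicious."""
    sig = signature_scan(sample)
    score, behaviours = behaviour_score(trace)
    return {
        "signature": sig,
        "behaviour_score": score,
        "behaviours": behaviours,
        "verdict": "malicious" if sig or score >= MALICIOUS_SCORE else "clean",
    }


if __name__ == "__main__":
    for label, sample, trace in [("known", KNOWN_SAMPLE, KNOWN_TRACE),
                                 ("packed variant", VARIANT, VARIANT_TRACE),
                                 ("benign installer", b"MZ\x90\x00setup", BENIGN_TRACE)]:
        print(label, analyze(sample, trace))
```

The hash signature is the narrowest check (any single changed byte defeats it), the byte-pattern signature survives trivial padding but not packing, and only the behavioural rules survive the packer; that ordering is why the paper leans on dynamic analysis for the novel malware a cyber spy is assumed to bring.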
4. Data exfiltration detection

Data exfiltration detection helps us answer the question: “Is someone stealing data off the network?” Detecting suspicious and outright malicious events in the realm of data exfiltration is arguably the most difficult but most important to achieve out of the three steps of cyber espionage. Because the existence of a computer network implies the need for data to be accessed both inbound to and