• Title/Summary/Keyword: malicious attacks

Search Result 453, Processing Time 0.023 seconds

WebSHArk 1.0: A Benchmark Collection for Malicious Web Shell Detection

  • Kim, Jinsuk;Yoo, Dong-Hoon;Jang, Heejin;Jeong, Kimoon
    • Journal of Information Processing Systems
    • /
    • v.11 no.2
    • /
    • pp.229-238
    • /
    • 2015
  • Web shells are programs that are written for a specific purpose in Web scripting languages, such as PHP, ASP, ASP.NET, JSP, PERL-CGI, etc. Web shells provide a means to communicate with the server's operating system via the interpreter of the web scripting languages. Hence, web shells can execute OS specific commands over HTTP. Usually, web attacks by malicious users are made by uploading one of these web shells to compromise the target web servers. Though there have been several approaches to detect such malicious web shells, no standard dataset has been built to compare various web shell detection techniques. In this paper, we present a collection of web shell files, WebSHArk 1.0, as a standard dataset for current and future studies in malicious web shell detection. To provide baseline results for future studies and for the improvement of current tools, we also present some benchmark results by scanning the WebSHArk dataset directory with three web shell scanning tools that are publicly available on the Internet. The WebSHArk 1.0 dataset is only available upon request via email to one of the authors, due to security and legal issues.

Identification of Attack Group using Malware and Packer Detection (악성코드 및 패커 탐지를 이용한 공격 그룹 판별)

  • Moon, Heaeun;Sung, Joonyoung;Lee, Hyunsik;Jang, Gyeongik;Kwak, Kiyong;Woo, Sangtae
    • Journal of KIISE
    • /
    • v.45 no.2
    • /
    • pp.106-112
    • /
    • 2018
  • Recently, the number of cyber attacks using malicious code has increased. Various types of malicious code detection techniques have been researched for several years as the damage has increased. In recent years, profiling techniques have been used to identify attack groups. This paper focuses on the identification of attack groups using a detection technique that does not involve malicious code detection. The attacker is identified by using a string or a code signature of the malicious code. In addition, the detection rate is increased by adding a technique to confirm the packing file. We use Yara as a detection technique. We have research about RAT (remote access tool) that is mainly used in attack groups. Further, this paper develops a ruleset using malicious code and packer main feature signatures for RAT which is mainly used by the attack groups. It is possible to detect the attacker by detecting RAT based on the newly created ruleset.

A Malicious Comments Detection Technique on the Internet using Sentiment Analysis and SVM (감성분석과 SVM을 이용한 인터넷 악성댓글 탐지 기법)

  • Hong, Jinju;Kim, Sehan;Park, Jeawon;Choi, Jaehyun
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.20 no.2
    • /
    • pp.260-267
    • /
    • 2016
  • The Internet has brought lots of changes to us sharing information mutually. However, as all social symptom have double-sided character, it has serious social problem. Vicious users have been taking advantage of anonymity on the Internet, stating comments aggressively for defamation, personal attacks, privacy violation and more. Malicious comments on the Internet are creating the biggest problem regarding unlawful acts and insults which occur on the Internet. In order to solve the issues, several studies have been done to efficiently manage the comments. However, there are limitations to recognize modified malicious vocabulary in previous research. So, in this paper, we propose a malicious comments detection technique by improving limitation of previous studies. The experimental result has shown accuracy of 87.8% providing higher accuracy as compared to previous studies done.

A Countermeasure against a Whitelist-based Access Control Bypass Attack Using Dynamic DLL Injection Scheme (동적 DLL 삽입 기술을 이용한 화이트리스트 기반 접근통제 우회공격 대응 방안 연구)

  • Kim, Dae-Youb
    • Journal of IKEEE
    • /
    • v.26 no.3
    • /
    • pp.380-388
    • /
    • 2022
  • The traditional malware detection technologies collect known malicious programs and analyze their characteristics. Then such a detection technology makes a blacklist based on the analyzed malicious characteristics and checks programs in the user's system based on the blacklist to determine whether each program is malware. However, such an approach can detect known malicious programs, but responding to unknown or variant malware is challenging. In addition, since such detection technologies generally monitor all programs in the system in real-time, there is a disadvantage that they can degrade the system performance. In order to solve such problems, various methods have been proposed to analyze major behaviors of malicious programs and to respond to them. The main characteristic of ransomware is to access and encrypt the user's file. So, a new approach is to produce the whitelist of programs installed in the user's system and allow the only programs listed on the whitelist to access the user's files. However, although it applies such an approach, attackers can still perform malicious behavior by performing a DLL(Dynamic-Link Library) injection attack on a regular program registered on the whitelist. This paper proposes a method to respond effectively to attacks using DLL injection.

Efficient Buffer Management Scheme for Mitigating Possibility of DDoS Attack (DDoS 공격 가능성 완화를 위한 효율적인 버퍼 관리 기술)

  • Noh, Hee-Kyeong;Kang, Nam-Hi
    • The Journal of the Institute of Internet, Broadcasting and Communication
    • /
    • v.12 no.2
    • /
    • pp.1-7
    • /
    • 2012
  • DDoS attack is a malicious attempt to exhaust resources of target system and network capacities using lots of distributed zombi systems. DDoS attack introduced in early 2000 has being evolved over time and presented in a various form of attacks. This paper proposes a scheme to detect DDoS attacks and to reduce possibility of such attacks that are especially based on vulnerabilities presented by using control packets of existing network protocols. To cope with DDoS attacks, the proposed scheme utilizes a buffer management techniques commonly used for congestion control in Internet. Our scheme is not intended to detect DDoS attacks perfectly but to minimize possibility of overloading of internal system and to mitigate possibility of attacks by discarding control packets at the time of detecting DDoS attacks. In addition, the detection module of our scheme can adapt dynamically to instantly increasing traffic unlike previously proposed schemes.

LoGos: Internet-Explorer-Based Malicious Webpage Detection

  • Kim, Sungjin;Kim, Sungkyu;Kim, Dohoon
    • ETRI Journal
    • /
    • v.39 no.3
    • /
    • pp.406-416
    • /
    • 2017
  • Malware propagated via the World Wide Web is one of the most dangerous tools in the realm of cyber-attacks. Its methodologies are effective, relatively easy to use, and are developing constantly in an unexpected manner. As a result, rapidly detecting malware propagation websites from a myriad of webpages is a difficult task. In this paper, we present LoGos, an automated high-interaction dynamic analyzer optimized for a browser-based Windows virtual machine environment. LoGos utilizes Internet Explorer injection and API hooks, and scrutinizes malicious behaviors such as new network connections, unused open ports, registry modifications, and file creation. Based on the obtained results, LoGos can determine the maliciousness level. This model forms a very lightweight system. Thus, it is approximately 10 to 18 times faster than systems proposed in previous work. In addition, it provides high detection rates that are equal to those of state-of-the-art tools. LoGos is a closed tool that can detect an extensive array of malicious webpages. We prove the efficiency and effectiveness of the tool by analyzing almost 0.36 M domains and 3.2 M webpages on a daily basis.

Optimal thresholds of algorithm and expansion of Application-layer attack detection block ALAB in ALADDIN (ALADDIN의 어플리케이션 계층 공격 탐지 블록 ALAB 알고리즘의 최적 임계값 도출 및 알고리즘 확장)

  • Yoo, Seung-Yeop;Park, Dong-Gue;Oh, Jin-Tae;Jeon, In-Ho
    • The KIPS Transactions:PartC
    • /
    • v.18C no.3
    • /
    • pp.127-134
    • /
    • 2011
  • Malicious botnet has been used for more malicious activities, such as DDoS attacks, sending spam messages, steal personal information, etc. To prevent this, many studies have been preceded. But malicious botnets have evolved and evaded detection systems. In particular, HTTP GET Request attack that exploits the vulnerability of the application layer is used. ALAB of ALADDIN proposed by ETRI is DDoS attack detection system that HTTP GET, Incomplete GET request flooding attack detection algorithm is applied. In this paper, we extend Incomplete GET detection algorithm of ALAB and derive the optimal configuration parameters to verify the validity of the algorithm ALAB by the study of the normal and attack packets.

Assessment of Dynamic Open-source Cross-site Scripting Filters for Web Application

  • Talib, Nurul Atiqah Abu;Doh, Kyung-Goo
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.15 no.10
    • /
    • pp.3750-3770
    • /
    • 2021
  • This study investigates open-source dynamic XSS filters used as security devices in web applications to account for the effectiveness of filters in protecting against XSS attacks. The experiment involves twelve representative filters, which are examined individually by placing them into the final output function of a custom-built single-input-form web application. To assess the effectiveness of the filters in their tasks of sanitizing XSS payloads and in preserving benign payloads, a black-box testing method is applied using an automated XSS testing framework. The result in working with malicious and benign payloads shows an important trade-off in the filters' tasks. Because the filters that only check for dangerous or safe elements, they seem to neglect to validate their values. As some safe values are mistreated as dangerous elements, their benign payload function is lost in the way. For the filters to be more effective, it is suggested that they should be able to validate the respective values of malicious and benign payloads; thus, minimizing the trade-off. This particular assessment of XSS filters provides important insight regarding the filters that can be used to mitigate threats, including the possible configurations to improve them in handling both malicious and benign payloads.

Bayesian Rules Based Optimal Defense Strategies for Clustered WSNs

  • Zhou, Weiwei;Yu, Bin
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.12 no.12
    • /
    • pp.5819-5840
    • /
    • 2018
  • Considering the topology of hierarchical tree structure, each cluster in WSNs is faced with various attacks launched by malicious nodes, which include network eavesdropping, channel interference and data tampering. The existing intrusion detection algorithm does not take into consideration the resource constraints of cluster heads and sensor nodes. Due to application requirements, sensor nodes in WSNs are deployed with approximately uncorrelated security weights. In our study, a novel and versatile intrusion detection system (IDS) for the optimal defense strategy is primarily introduced. Given the flexibility that wireless communication provides, it is unreasonable to expect malicious nodes will demonstrate a fixed behavior over time. Instead, malicious nodes can dynamically update the attack strategy in response to the IDS in each game stage. Thus, a multi-stage intrusion detection game (MIDG) based on Bayesian rules is proposed. In order to formulate the solution of MIDG, an in-depth analysis on the Bayesian equilibrium is performed iteratively. Depending on the MIDG theoretical analysis, the optimal behaviors of rational attackers and defenders are derived and calculated accurately. The numerical experimental results validate the effectiveness and robustness of the proposed scheme.

Android App Reuse Analysis using the Sequential Hypothesis Testing

  • Ho, Jun-Won
    • International Journal of Internet, Broadcasting and Communication
    • /
    • v.8 no.4
    • /
    • pp.11-18
    • /
    • 2016
  • Due to open source policy, Android systems are exposed to a variety of security problems. In particular, app reuse attacks are detrimental threat to the Android system security. This is because attacker can create core malign components and quickly generate a bunch of malicious apps by reusing these components. Hence, it is very imperative to discern whether Android apps contain reused components. To meet this need, we propose an Android app reuse analysis technique based on the Sequential Hypothesis Testing. This technique quickly makes a decision with a few number of samples whether a set of Android apps is made through app reuse. We performed experimental study with 6 malicious app groups, 1 google and 1 third-party app group such that each group consists of 100 Android apps. Experimental results demonstrate that our proposed analysis technique efficiently judges Android app groups with reused components.