Network infrastructures have played important part in most daily communications for business industries,
social networking, government sectors and etc. Despites the advantages that came from such
functionalities, security threats have become a daily struggle. One major security threat is hacking.
Consequently, security experts and researchers have suggested possible security solutions such as
Firewalls, Intrusion Detection Systems (IDS), Intrusion Detection and Prevention Systems (IDP) and
Honeynet. Yet, none of these solutions have proven their ability to completely address hacking. The reason
behind that, there is a few researches that examine the behavior of hackers. This paper formally and
practically examines in details the behavior of hackers and their targeted environments. Moreover, this
paper formally examines the properties of one essential pre-hacking step called scanning and highlights its
importance in developing hacking strategies. Also, it illustrates the properties of hacking that is common in
most hacking strategies to assist security experts and researchers towards minimizing the risk of hack.
Toward Continuous Cybersecurity with Network Automation
Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic “golden rules” which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. The question for most organizations isn’t if they’re going to be breached, but how quickly they can isolate and mitigate the threat. In this paper, we’ll examine best practices for effective cybersecurity – from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We’ll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we’ll lay a vision for continuous network security, to explore how machine-to-machine automation may deliver an auto-securing and self-healing network.
Go to www.esgjrconsultinginc.com
A Modular Approach To Intrusion Detection in Homogenous Wireless Network
This document discusses a modular approach to intrusion detection in homogeneous wireless networks. It begins by introducing wireless networks and the need for intrusion detection systems (IDS) due to security vulnerabilities. It then discusses different types of IDS, including signature-based detection that identifies known attacks, and anomaly-based detection that identifies deviations from normal behavior but can result in high false positives. The document proposes a modular approach combining advantages of signature-based and anomaly-based detection for high detection rates and low false positives. Requirements for IDS in wireless networks are also outlined.
Intelligent Network Surveillance Technology for APT Attack Detections
Recently, long-term, advanced cyber-attacks targeting a specific enterprise or organization have been occurring again. These attacks occur over a long period and bypass detection by security systems unlike the existing attack pattern. For such reason, they create problems such as delayed real-time response and detection after damages have already been incurred. This paper introduces the design of technology that applies real-time network traffic monitoring to detect unknown functional cyber-attack on the network. Specifically, the algorithm was verified and evaluated in terms of performance in an actual commercial environment. Cyber-attack detection performance is expected to be improved by enhancing the algorithm and processing large volumes of traffic
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...
This document provides an overview of intrusion detection and prevention systems (IDPS). It discusses the types of threats, vulnerabilities, and intrusions that IDPS aim to address. It describes the differences between network-based and host-based IDPS, as well as signature-based and anomaly-based detection methods. The document also outlines some key capabilities of IDPS, such as identifying hosts, operating systems, applications, and network characteristics. It notes limitations of IDPS, including inability to analyze encrypted traffic. Finally, it emphasizes the importance of properly deploying and managing IDPS according to organizational needs and policies as part of a layered defense-in-depth security strategy.
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...
Technical solutions, introduced by policies and implantations are essential requirements of an
information security program. Advanced technologies such as intrusion detection and prevention system (IDPS)
and analysis tools have become prominent in the network environment while they involve with organizations to
enhance the security of their information assets. Scanning and analyzing tools to pinpoint vulnerabilities, holes
in security components, unsecured aspects of the network and deploying of IDPS technology are highlighted.
Wireless Networks Security in Jordan: A Field Study
- The document summarizes a study that evaluated the security of wireless networks in Jordan through a process called "wardriving" where the researchers drove around with wireless network detection tools.
- The results found that the majority (79.52%) of wireless networks tested were unsecured and vulnerable. Most networks used either low levels of encryption (68.67%) or no encryption at all (11.45%).
- Nearly all networks broadcast the default SSID (92.17%), leaving them exposed to potential hackers since changing the SSID is a basic security precaution.
A technical review and comparative analysis of machine learning techniques fo...
Machine learning techniques are being widely used to develop an intrusion detection system (IDS) for detecting and classifying cyber attacks at the network-level and the host-level in a timely and automatic manner. However, Traditional Intrusion Detection Systems (IDS), based on traditional machine learning methods, lacks reliability and accuracy. Instead of the traditional machine learning used in previous researches, we think deep learning has the potential to perform better in extracting features of massive data considering the massive cyber traffic in real life. Generally Mobile Ad Hoc Networks have given the low physical security for mobile devices, because of the properties such as node mobility, lack of centralized management and limited bandwidth. To tackle these security issues, traditional cryptography schemes can-not completely safeguard MANETs in terms of novel threats and vulnerabilities, thus by applying Deep learning methods techniques in IDS are capable of adapting the dynamic environments of MANETs and enables the system to make decisions on intrusion while continuing to learn about their mobile environment. An IDS in MANET is a sensoring mechanism that monitors nodes and network activities in order to detect malicious actions and malicious attempt performed by Intruders. Recently, multiple deep learning approaches have been proposed to enhance the performance of intrusion detection system. In this paper, we made a systematic comparison of three models, Inceprtion architecture convolutional neural network (Inception-CNN), Bidirectional long short-term memory (BLSTM) and deep belief network (DBN) on the deep learning-based intrusion detection systems, using the NSL-KDD dataset containing information about intrusion and regular network connections, the goal is to provide basic guidance on the choice of deep learning models in MANET.
NETWORK INTRUSION DETECTION AND COUNTERMEASURE SELECTION IN VIRTUAL NETWORK (...
Intrusion in a network or a system is a problem today as the trend of successful network attacks continue to
rise. Intruders can explore vulnerabilities of a network system to gain access in order to deploy some virus
or malware such as Denial of Service (DOS) attack. In this work, a frequency-based Intrusion Detection
System (IDS) is proposed to detect DOS attack. The frequency data is extracted from the time-series data
created by the traffic flow using Discrete Fourier Transform (DFT). An algorithm is developed for
anomaly-based intrusion detection with fewer false alarms which further detect known and unknown attack
signature in a network. The frequency of the traffic data of the virus or malware would be inconsistent with
the frequency of the legitimate traffic data. A Centralized Traffic Analyzer Intrusion Detection System
called CTA-IDS is introduced to further detect inside attackers in a network. The strategy is effective in
detecting abnormal content in the traffic data during information passing from one node to another and
also detects known attack signature and unknown attack. This approach is tested by running the artificial
network intrusion data in simulated networks using the Network Simulator2 (NS2) software.
As the Supervisory Control and Data Acquisition (SCADA) system are deployed in infrastructures which are critical to the survival of a nation, they have emerged as a potential terrain for cyber-war, thus attracting the considered attention of ‘nation-states’. The analysis of worms like ‘stuxnet’ ‘flame’ and ‘duqu’ reveals the hand of a ‘nation-state’ in their design and deployment. Hence, the necessity to understand various issues in the defence of SCADA systems arises. The forensics of the SCADA system provide deep insight into the design and deployment of the worm (the malware) once the system is attacked. This is precisely the scope of this essay.
This document discusses intrusion detection techniques for mobile networks. It begins by outlining the vulnerabilities of wireless networks, including the open medium, dynamic topology, lack of centralized monitoring, and cooperative algorithms. It then explains the need for intrusion detection systems, as completely preventing intrusions is unrealistic. The document classifies intrusion detection systems and outlines their requirements, including continuous monitoring, fault tolerance, and adaptability. It concludes by describing the two main techniques of intrusion detection: anomaly detection, which flags deviations from a normal activity profile; and misuse detection, which searches for patterns matching known attacks.
TRUST FACTOR AND FUZZY-FIREFLY INTEGRATED PARTICLE SWARM OPTIMIZATION BASED I...
Mobile Ad hoc Networks (MANET) is one of the rapidly emanating technologies, which has gained attention in a wide range of applications in the fields of military, private sectors, commercials and natural calamities. Securing MANET is a dominant responsibility, and hence, a trust factor and fuzzy based intrusion detection and prevention system is proposed for routing in this paper. Based on the trust values of the nodes, the fuzzy system identifies the intruder, such that the path generated in the MANET is secured. Moreover, an optimization algorithm, entitled Fuzzy integrated Particle Swarm Optimization (FuzzyFPSO), is proposed by the concatenation of the Firefly Algorithm (FA) and Particle Swarm Optimization (PSO) for the optimal path selection in order to provide secure routing. The simulation of the proposed methodology is NS2 simulator and analysis is carried out considering four cases, like without attack, flooding attacks, black hole attack and selective packet drop attack concerning throughput, delay and detection rate. The remarkable evaluation measures of the proposed Fuzzy-FPSO are the maximal throughput of 0.634, minimal delay of 0.044 , maximal detection rate of 0.697 and minimal routing overhead of 0.24550 And the evaluation measure for the case without any attacks are the maximal throughput of 0.762, minimal delay of 0.029 ,maximal detection rate of 0.805 and minimal routing overhead of 0.11511.
This summary cloud security survey from Intel captures key findings from 800 IT managers in the U.S., the U.K., China, and Germany that provide insight into cloud computing security concerns and how those concerns might be alleviated.
This document discusses network intrusion detection systems (NIDS) and their ability to handle high-speed traffic. It introduces NIDS and their role in monitoring network traffic. The document presents an experiment that tests the open-source NIDS Snort under high-volume traffic. The experiment shows that Snort drops more packets as traffic speed and volume increases, demonstrating a weakness of NIDS in high-speed environments. It suggests using a parallel NIDS technique to help NIDS better handle high-speed network traffic and reduce packet dropping.
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS...
With the ever increasing number and diverse type of attacks, including new and previously unseen attacks, the effectiveness of an Intrusion Detection System is very important. Hence there is high demand to reduce the threat level in networks to ensure the data and services offered by them to be more secure. In this paper we developed an effective test suite for improving the efficiency and accuracy of an intrusion detection system using the layered CRFs. We set up different types of checks at multiple levels in each layer. Our framework examines various attributes at every layer in order to effectively identify any breach of security. Once the attack is detected, it is intimated through mobile phone to the system administrator for safeguarding the server system. We established experimentally that the layered CRFs can thus be more effective in detecting intrusions when compared with the other previously known techniques.
Peripheral Review and Analysis of Internet Network Security
This paper is on the exploration of Internet Network security. With the advent of the internet, security became a major concern for computer users, organizations and the Military. The internet structure itself allow for many security threats to occur. Knowing the attack methods, the architecture of the internet when modified can reduce the possible attacks that can be sent across the network. The internet can be secured by the means of VPN, IPSec, Anti‐Malware Software and scanners, Secure Socket Layer, intrusion‐detection, security management, firewalls and cryptography mechanisms. The essence of this research is to forecast the future of internet network security.
This document provides background information on the history and importance of network security. It discusses how the advent of the internet led to security becoming a major concern, as the internet's architecture allowed for many security threats. The document outlines the internet and network security timeline, from the creation of the ARPANET in 1969 to the crimes of Kevin Mitnick in the 1990s that heightened awareness of information security. It also examines the differences between data security and network security, and how a layered security model corresponds to the OSI model layers.
This document discusses enumerating and profiling web services by examining a WSDL file for critical information like service methods, input parameters, and output parameters. Understanding the WSDL structure allows one to build a profile or matrix of the web services. The goal is to understand the process of profiling web services from a WSDL file before defining attack vectors, which will be covered in a subsequent document.
In mobile adhoc networks (MANETs) an efficient and secure key management scheme is extremely crucial. Key management schemes for MANETs are mainly based on identity-based public key cryptography (ID-PKC) or certificate-based public key cryptography, both of which has their inherit problem. The ID-PKC has the key escrow problem and certificate based cryptography have a high computational costs of certificates deployment. In this paper, we present a distributed key management scheme, in which a combination of certificate less public key cryptography (CL-PKC) and threshold cryptography is employed. The scheme proposed in this paper not only achieves several enhanced security attributes for key management in MANET but also eliminates the need for certificate-based public key distribution and the key escrow problem efficiently.
A survey of trends in massive ddos attacks and cloud based mitigations
Distributed Denial of Service (DDoS) attacks today
have been amplified into gigabits volume with
broadband Internet access; at the same time, the us
e of more powerful botnets and common DDoS
mitigation and protection solutions implemented in
small and large organizations’ networks and servers
are no longer effective. Our survey provides an in-
depth study on the current largest DNS reflection a
ttack
with more than 300 Gbps on Spamhaus.org. We have re
viewed and analysed the current most popular
DDoS attack types that are launched by the hacktivi
sts. Lastly, effective cloud-based DDoS mitigation
and
protection techniques proposed by both academic res
earchers and large commercial cloud-based DDoS
service providers are discussed
In this paper, a new steganography algorithm has been suggested to enforce the security of data hiding and to increase the amount of payloads. This algorithm is based on four safety layers; the first safety layer has been initiated through compression and an encryption of a confidential message using a set partition in hierarchical trees (SPIHT) and advanced encryption standard (AES) mechanisms respectively. An irregular image segmentation algorithm (IIS) on a cover-image (Ic) has been constructed successfully in
the second safety layer, and it is based on the adaptive reallocation segments' edges (ARSE) by applying an
adaptive finite-element method (AFEM) to find the numerical solution of the proposed partial differential equation (PDE). An intelligent computing technique using a hybrid adaptive neural network with a modified ant colony optimizer (ANN_MACO) has been proposed in the third safety layer to construct a
learning system. This system accepts entry using support vector machine (SVM) to generate input patterns as features of byte attributes and produces new features to modify a cover-image. The significant innovation of the proposed novel steganography algorithm is applied efficiently on the forth
safety layer which is more robust for hiding a large amount of confidential message reach to six bits per pixel (bpp) into color images. The new approach of hiding algorithm works against statistical and visual attacks with high imperceptible of hiding data into stego-images (Is). The experimental results are
discussed and compared with the previous steganography algorithms; it demonstrates that the proposed algorithm has a significant improvement on the effect of the security level of steganography by making an arduous task of retrieving embedded confidential message from color images.
1. Cyber Ethics and Cyber Crime
2. Security in Social Media & Risk of Child Internet
3. Social media in Schools and photo privacy
4. Risk of OSNs and Security, Privacy of Facebook
5. Risk and Security of Social Networking site Facebook and Twitter
6. Risk analysis of Government and Online Transaction
Evaluation of enhanced security solutions inIJNSA Journal
Traditionally, 802.11-based networks that relied on wired equivalent protocol (WEP) were especially
vulnerable to packet sniffing. Today, wireless networks are more prolific, and the monitoring devices used
to find them are mobile and easy to access. Securing wireless networks can be difficult because these
networks consist of radio transmitters and receivers, and anybody can listen, capture data and attempt to
compromise it. In recent years, a range of technologies and mechanisms have helped makes networking
more secure. This paper holistically evaluated various enhanced protocols proposed to solve WEP related
authentication, confidentiality and integrity problems. It discovered that strength of each solution depends
on how well the encryption, authentication and integrity techniques work. The work suggested using a
Defence-in-Depth Strategy and integration of biometric solution in 802.11i. Comprehensive in-depth
comparative analysis of each of the security mechanisms is driven by review of related work in WLAN
security solutions.
Mobile Ad hoc Networks (MANETs) are wireless networks consisted of mobile free nodes that can move anywhere at any time without the need to any fixed infrastructure or any centralized administration. In this category of networks existing nodes must rely on each other to play the role of routers or switches instead of using central ones. The self-organized nature of such environments made MANETs vulnerable against many security threats. As a result, providing security requirements in MANETs is one of the most interesting challenges in such a network. In this group of networks, the use of cryptographic solutions is one of the most interesting security issues. The importance of this scientific area in MANETs is more drastic by considering that mentioned schemes must be lightweight enough to be appropriate for resource constrained platforms in such environment. This paper has tried to represent the position of cryptographic issues in MANETs. Moreover, security issues in mobile Ad hoc networks beside of different classes of public key cryptosystems have been introduced.
Network security is a dynamic art, with dangers appearing as fast as black hats can exploit vulnerabilities. While there are basic “golden rules” which can make life difficult for the bad guys, it remains a challenge to keep networks secure. John Chambers, Executive Chairman of Cisco, famously said “there are two types of companies: those that have been hacked, and those who don’t know they have been hacked”. The question for most organizations isn’t if they’re going to be breached, but how quickly they can isolate and mitigate the threat. In this paper, we’ll examine best practices for effective cybersecurity – from both a proactive (access hardening) and reactive (threat isolation and mitigation) perspective. We’ll address how network automation can help minimize cyberattacks by closing vulnerability gaps and how it can improve incident response times in the event of a cyberthreat. Finally, we’ll lay a vision for continuous network security, to explore how machine-to-machine automation may deliver an auto-securing and self-healing network.
Go to www.esgjrconsultinginc.com
A Modular Approach To Intrusion Detection in Homogenous Wireless NetworkIOSR Journals
This document discusses a modular approach to intrusion detection in homogeneous wireless networks. It begins by introducing wireless networks and the need for intrusion detection systems (IDS) due to security vulnerabilities. It then discusses different types of IDS, including signature-based detection that identifies known attacks, and anomaly-based detection that identifies deviations from normal behavior but can result in high false positives. The document proposes a modular approach combining advantages of signature-based and anomaly-based detection for high detection rates and low false positives. Requirements for IDS in wireless networks are also outlined.
Intelligent Network Surveillance Technology for APT Attack DetectionsAM Publications,India
Recently, long-term, advanced cyber-attacks targeting a specific enterprise or organization have been occurring again. These attacks occur over a long period and bypass detection by security systems unlike the existing attack pattern. For such reason, they create problems such as delayed real-time response and detection after damages have already been incurred. This paper introduces the design of technology that applies real-time network traffic monitoring to detect unknown functional cyber-attack on the network. Specifically, the algorithm was verified and evaluated in terms of performance in an actual commercial environment. Cyber-attack detection performance is expected to be improved by enhancing the algorithm and processing large volumes of traffic
An Overview of Intrusion Detection and Prevention Systems (IDPS) and security...Ahmad Sharifi
This document provides an overview of intrusion detection and prevention systems (IDPS). It discusses the types of threats, vulnerabilities, and intrusions that IDPS aim to address. It describes the differences between network-based and host-based IDPS, as well as signature-based and anomaly-based detection methods. The document also outlines some key capabilities of IDPS, such as identifying hosts, operating systems, applications, and network characteristics. It notes limitations of IDPS, including inability to analyze encrypted traffic. Finally, it emphasizes the importance of properly deploying and managing IDPS according to organizational needs and policies as part of a layered defense-in-depth security strategy.
An Overview of Intrusion Detection and Prevention Systems (IDPS) and Security...IOSR Journals
Technical solutions, introduced by policies and implantations are essential requirements of an
information security program. Advanced technologies such as intrusion detection and prevention system (IDPS)
and analysis tools have become prominent in the network environment while they involve with organizations to
enhance the security of their information assets. Scanning and analyzing tools to pinpoint vulnerabilities, holes
in security components, unsecured aspects of the network and deploying of IDPS technology are highlighted.
Wireless Networks Security in Jordan: A Field StudyIJNSA Journal
- The document summarizes a study that evaluated the security of wireless networks in Jordan through a process called "wardriving" where the researchers drove around with wireless network detection tools.
- The results found that the majority (79.52%) of wireless networks tested were unsecured and vulnerable. Most networks used either low levels of encryption (68.67%) or no encryption at all (11.45%).
- Nearly all networks broadcast the default SSID (92.17%), leaving them exposed to potential hackers since changing the SSID is a basic security precaution.
A technical review and comparative analysis of machine learning techniques fo...IJECEIAES
Machine learning techniques are being widely used to develop an intrusion detection system (IDS) for detecting and classifying cyber attacks at the network-level and the host-level in a timely and automatic manner. However, Traditional Intrusion Detection Systems (IDS), based on traditional machine learning methods, lacks reliability and accuracy. Instead of the traditional machine learning used in previous researches, we think deep learning has the potential to perform better in extracting features of massive data considering the massive cyber traffic in real life. Generally Mobile Ad Hoc Networks have given the low physical security for mobile devices, because of the properties such as node mobility, lack of centralized management and limited bandwidth. To tackle these security issues, traditional cryptography schemes can-not completely safeguard MANETs in terms of novel threats and vulnerabilities, thus by applying Deep learning methods techniques in IDS are capable of adapting the dynamic environments of MANETs and enables the system to make decisions on intrusion while continuing to learn about their mobile environment. An IDS in MANET is a sensoring mechanism that monitors nodes and network activities in order to detect malicious actions and malicious attempt performed by Intruders. Recently, multiple deep learning approaches have been proposed to enhance the performance of intrusion detection system. In this paper, we made a systematic comparison of three models, Inceprtion architecture convolutional neural network (Inception-CNN), Bidirectional long short-term memory (BLSTM) and deep belief network (DBN) on the deep learning-based intrusion detection systems, using the NSL-KDD dataset containing information about intrusion and regular network connections, the goal is to provide basic guidance on the choice of deep learning models in MANET.
NETWORK INTRUSION DETECTION AND COUNTERMEASURE SELECTION IN VIRTUAL NETWORK (...ijsptm
Intrusion in a network or a system is a problem today as the trend of successful network attacks continue to
rise. Intruders can explore vulnerabilities of a network system to gain access in order to deploy some virus
or malware such as Denial of Service (DOS) attack. In this work, a frequency-based Intrusion Detection
System (IDS) is proposed to detect DOS attack. The frequency data is extracted from the time-series data
created by the traffic flow using Discrete Fourier Transform (DFT). An algorithm is developed for
anomaly-based intrusion detection with fewer false alarms which further detect known and unknown attack
signature in a network. The frequency of the traffic data of the virus or malware would be inconsistent with
the frequency of the legitimate traffic data. A Centralized Traffic Analyzer Intrusion Detection System
called CTA-IDS is introduced to further detect inside attackers in a network. The strategy is effective in
detecting abnormal content in the traffic data during information passing from one node to another and
also detects known attack signature and unknown attack. This approach is tested by running the artificial
network intrusion data in simulated networks using the Network Simulator2 (NS2) software.
As the Supervisory Control and Data Acquisition (SCADA) system are deployed in infrastructures which are critical to the survival of a nation, they have emerged as a potential terrain for cyber-war, thus attracting the considered attention of ‘nation-states’. The analysis of worms like ‘stuxnet’ ‘flame’ and ‘duqu’ reveals the hand of a ‘nation-state’ in their design and deployment. Hence, the necessity to understand various issues in the defence of SCADA systems arises. The forensics of the SCADA system provide deep insight into the design and deployment of the worm (the malware) once the system is attacked. This is precisely the scope of this essay.
Intrusion Detection Techniques In Mobile NetworksIOSR Journals
This document discusses intrusion detection techniques for mobile networks. It begins by outlining the vulnerabilities of wireless networks, including the open medium, dynamic topology, lack of centralized monitoring, and cooperative algorithms. It then explains the need for intrusion detection systems, as completely preventing intrusions is unrealistic. The document classifies intrusion detection systems and outlines their requirements, including continuous monitoring, fault tolerance, and adaptability. It concludes by describing the two main techniques of intrusion detection: anomaly detection, which flags deviations from a normal activity profile; and misuse detection, which searches for patterns matching known attacks.
TRUST FACTOR AND FUZZY-FIREFLY INTEGRATED PARTICLE SWARM OPTIMIZATION BASED I...IJCNCJournal
Mobile Ad hoc Networks (MANET) is one of the rapidly emanating technologies, which has gained attention in a wide range of applications in the fields of military, private sectors, commercials and natural calamities. Securing MANET is a dominant responsibility, and hence, a trust factor and fuzzy based intrusion detection and prevention system is proposed for routing in this paper. Based on the trust values of the nodes, the fuzzy system identifies the intruder, such that the path generated in the MANET is secured. Moreover, an optimization algorithm, entitled Fuzzy integrated Particle Swarm Optimization (FuzzyFPSO), is proposed by the concatenation of the Firefly Algorithm (FA) and Particle Swarm Optimization (PSO) for the optimal path selection in order to provide secure routing. The simulation of the proposed methodology is NS2 simulator and analysis is carried out considering four cases, like without attack, flooding attacks, black hole attack and selective packet drop attack concerning throughput, delay and detection rate. The remarkable evaluation measures of the proposed Fuzzy-FPSO are the maximal throughput of 0.634, minimal delay of 0.044 , maximal detection rate of 0.697 and minimal routing overhead of 0.24550 And the evaluation measure for the case without any attacks are the maximal throughput of 0.762, minimal delay of 0.029 ,maximal detection rate of 0.805 and minimal routing overhead of 0.11511.
This summary cloud security survey from Intel captures key findings from 800 IT managers in the U.S., the U.K., China, and Germany that provide insight into cloud computing security concerns and how those concerns might be alleviated.
This document discusses network intrusion detection systems (NIDS) and their ability to handle high-speed traffic. It introduces NIDS and their role in monitoring network traffic. The document presents an experiment that tests the open-source NIDS Snort under high-volume traffic. The experiment shows that Snort drops more packets as traffic speed and volume increases, demonstrating a weakness of NIDS in high-speed environments. It suggests using a parallel NIDS technique to help NIDS better handle high-speed network traffic and reduce packet dropping.
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS...IJNSA Journal
With the ever increasing number and diverse type of attacks, including new and previously unseen attacks, the effectiveness of an Intrusion Detection System is very important. Hence there is high demand to reduce the threat level in networks to ensure the data and services offered by them to be more secure. In this paper we developed an effective test suite for improving the efficiency and accuracy of an intrusion detection system using the layered CRFs. We set up different types of checks at multiple levels in each layer. Our framework examines various attributes at every layer in order to effectively identify any breach of security. Once the attack is detected, it is intimated through mobile phone to the system administrator for safeguarding the server system. We established experimentally that the layered CRFs can thus be more effective in detecting intrusions when compared with the other previously known techniques.
Peripheral Review and Analysis of Internet Network SecurityIJRES Journal
This paper is on the exploration of Internet Network security. With the advent of the internet, security became a major concern for computer users, organizations and the Military. The internet structure itself allow for many security threats to occur. Knowing the attack methods, the architecture of the internet when modified can reduce the possible attacks that can be sent across the network. The internet can be secured by the means of VPN, IPSec, Anti‐Malware Software and scanners, Secure Socket Layer, intrusion‐detection, security management, firewalls and cryptography mechanisms. The essence of this research is to forecast the future of internet network security.
This document provides background information on the history and importance of network security. It discusses how the advent of the internet led to security becoming a major concern, as the internet's architecture allowed for many security threats. The document outlines the internet and network security timeline, from the creation of the ARPANET in 1969 to the crimes of Kevin Mitnick in the 1990s that heightened awareness of information security. It also examines the differences between data security and network security, and how a layered security model corresponds to the OSI model layers.
This document discusses enumerating and profiling web services by examining a WSDL file for critical information like service methods, input parameters, and output parameters. Understanding the WSDL structure allows one to build a profile or matrix of the web services. The goal is to understand the process of profiling web services from a WSDL file before defining attack vectors, which will be covered in a subsequent document.
Certificate less key management scheme inIJNSA Journal
In mobile adhoc networks (MANETs) an efficient and secure key management scheme is extremely crucial. Key management schemes for MANETs are mainly based on identity-based public key cryptography (ID-PKC) or certificate-based public key cryptography, both of which has their inherit problem. The ID-PKC has the key escrow problem and certificate based cryptography have a high computational costs of certificates deployment. In this paper, we present a distributed key management scheme, in which a combination of certificate less public key cryptography (CL-PKC) and threshold cryptography is employed. The scheme proposed in this paper not only achieves several enhanced security attributes for key management in MANET but also eliminates the need for certificate-based public key distribution and the key escrow problem efficiently.
A survey of trends in massive ddos attacks and cloud based mitigationsIJNSA Journal
Distributed Denial of Service (DDoS) attacks today
have been amplified into gigabits volume with
broadband Internet access; at the same time, the us
e of more powerful botnets and common DDoS
mitigation and protection solutions implemented in
small and large organizations’ networks and servers
are no longer effective. Our survey provides an in-
depth study on the current largest DNS reflection a
ttack
with more than 300 Gbps on Spamhaus.org. We have re
viewed and analysed the current most popular
DDoS attack types that are launched by the hacktivi
sts. Lastly, effective cloud-based DDoS mitigation
and
protection techniques proposed by both academic res
earchers and large commercial cloud-based DDoS
service providers are discussed
In this paper, a new steganography algorithm has been suggested to enforce the security of data hiding and to increase the amount of payloads. This algorithm is based on four safety layers; the first safety layer has been initiated through compression and an encryption of a confidential message using a set partition in hierarchical trees (SPIHT) and advanced encryption standard (AES) mechanisms respectively. An irregular image segmentation algorithm (IIS) on a cover-image (Ic) has been constructed successfully in
the second safety layer, and it is based on the adaptive reallocation segments' edges (ARSE) by applying an
adaptive finite-element method (AFEM) to find the numerical solution of the proposed partial differential equation (PDE). An intelligent computing technique using a hybrid adaptive neural network with a modified ant colony optimizer (ANN_MACO) has been proposed in the third safety layer to construct a
learning system. This system accepts entry using support vector machine (SVM) to generate input patterns as features of byte attributes and produces new features to modify a cover-image. The significant innovation of the proposed novel steganography algorithm is applied efficiently on the forth
safety layer which is more robust for hiding a large amount of confidential message reach to six bits per pixel (bpp) into color images. The new approach of hiding algorithm works against statistical and visual attacks with high imperceptible of hiding data into stego-images (Is). The experimental results are
discussed and compared with the previous steganography algorithms; it demonstrates that the proposed algorithm has a significant improvement on the effect of the security level of steganography by making an arduous task of retrieving embedded confidential message from color images.
The broadcast nature of radio medium in GSM networks makes them more vulnerable to various attacks.
Any attacker can have complete control over the communication channel, listen to phone calls, read email,
and spy on whatever data has been sent via GSM mobile communication system. This paper introduces a
middleware security system that aims to protect the GSM communication channel and minimize the
computational overheads of the provided authentication and cryptographic schemes of the network The
proposed scheme supports an end-to-end secured communication between the GSM mobile devices and the
GSM base stations; insure compatibility between wireless GSM devices (telephones, PDAs, etc.), and easy
to install without any modification of the current systems
Ciphering algorithms play a main role in information security systems. Therefore in this paper we are
considering the important performance of these algorithms like CPU time consumption, memory usage and
battery usage. This research tries to demonstrate a fair comparison between the most common algorithms
and with a novel method called Secured Watermark System (SWS) in data encryption field according to
CPU time, packet size and power consumption. It provides a comparison the most known algorithms used
in encryption: AES (Rijndael), DES, Blowfish, and Secured Watermark System (SWS).
For comparing these algorithms with each other variations of data block sizes, and a variation of
encryption-decryption speeds where used in this research.
In addition a comparison with different platforms such as Windows 8, Windows XP and Linux has been
conducted. Finally the results of the experimentation demonstrate the performance and efficiency of the
compared encryption algorithms with different parameters.
This paper presents a brief study of recent advances in wireless network security issues. The paper makes a number of contributions to the wireless networking field. First, it studies the 4G mail threats and risk and their design decisions. Second, the security of 4G architecture with next generation network security and 8-security dimensions of 4G network. Third, security issues and possible threats on 4G are discussed. Finally, we proposed four layer security model which manages to ensure more secure packets transmission by taking all the necessary security measures.
This document summarizes research on email security threats like phishing, spam and fraud. It discusses several studies that have proposed techniques to detect phishing emails using methods like blacklist/whitelist filtering, textual and URL analysis, machine learning algorithms and social engineering schemes. One study developed a Link-Guard algorithm that was able to detect 96% of anonymous phishing attacks. Another proposed a proactive approach called Pguard that aims to shut down phishing attacks at their source by warning web hosts. Future work discussed includes improving accuracy rates and automating detection and response mechanisms.
This document discusses using artificial neural networks for network intrusion detection. Specifically, it proposes a hybrid classification model that uses entropy-based feature selection to reduce the dataset, followed by four neural network techniques (RBFN, SOM, SMO, PART) for classification. It provides details on each neural network technique and the overall methodology, which uses 10-fold cross validation to evaluate performance based on standard criteria. The goal is to build an efficient intrusion detection system with low false alarms and high detection rates.
Many of previous research have proven that the usage of rhetorical relations is capable to enhance many applications such as text summarization, question answering and natural language generation. This work proposes an approach that expands the benefit of rhetorical relations to address redundancy problem for cluster-based text summarization of multiple documents. We exploited rhetorical relations exist between sentences to group similar sentences into multiple clusters to identify themes of common information. The candidate summary were extracted from these clusters. Then, cluster-based text summarization is performed using Conditional Markov Random Walk Model to measure the saliency scores of the candidate summary. We evaluated our method by measuring the cohesion and separation of the clusters constructed by exploiting rhetorical relations and ROUGE score of generated summaries. The experimental result shows that our method performed well which shows promising potential of applying rhetorical relation in text clustering which benefits text summarization of multiple documents.
Strong zero knowledge authentication based on the session keys (sask)IJNSA Journal
This document proposes a new authentication protocol called Strong Zero-Knowledge Authentication Based on Session Keys (SASK). The protocol aims to strengthen user authentication and provide a secure communication channel. It uses a two-step authentication process: 1) regenerating a virtual password and ensuring integrity and confidentiality of nonces exchanged via symmetric encryption with a virtual password, and 2) calculating a session key shared between the client and server to encrypt via the session key. This allows strengthening the authentication process, updating it, and providing better cyber defense against various attack types by verifying identity, creating a secure channel, and using unpredictable session keys.
Cryptography and Network Security is a difficult subject to understand, mainly because of the complexity of security protocols and the mathematical rigour required to understand encryption algorithms. Realizing the need for an interactive visualization tool to facilitate the understanding of cryptographic concepts and protocols, several tools had been developed. However, these tools cannot be easily adapted to animate different protocols. The aim of this paper is to propose an interactive visualization tool, called the Cryptographic Protocol Animator (CPAnim). The tool enables a student to specify a protocol and gain knowledge about the impact of its behavior. The protocol is specified by using a scenario-based approach and it is demonstrated as a number of scenes displaying a complete scenario. The effectiveness of this tool was tested using an empirical evaluation method. The results show that this tool was effective in meeting its learning objectives.
Android is an extensively used mobile platform and with evolution it has also witnessed an increased influx of malicious applications in its market place. The availability of multiple sources for downloading applications has also contributed to users falling prey to malicious applications. A major hindrance in blocking the entry of malicious applications into the Android market place is scarcity of effective mechanisms to identify malicious applications. This paper presents AndroInspector, a system for comprehensive analysis of an Android application using both static and dynamic analysis techniques. And roInspector derives, extracts and analyses crucial features of Android applications using static analysis and subsequently classifies the application using machine learning techniques. Dynamic analysis includes automated execution of Android application to identify a set of pre-defined malicious actions performed by application at run-time.
A new image steganography algorithm basedIJNSA Journal
In recent years, the rapid growth of information technology and digital communication has become very
important to secure information transmission between the sender and receiver. Therefore, steganography
introduces strongly to hide information and to communicate a secret data in an appropriate multimedia
carrier, e.g., image, audio and video files. In this paper, a new algorithm for image steganography has
been proposed to hide a large amount of secret data presented by secret color image. This algorithm is
based on different size image segmentations (DSIS) and modified least significant bits (MLSB), where the
DSIS algorithm has been applied to embed a secret image randomly instead of sequentially; this approach
has been applied before embedding process. The number of bit to be replaced at each byte is non uniform,
it bases on byte characteristics by constructing an effective hypothesis. The simulation results justify that
the proposed approach is employed efficiently and satisfied high imperceptible with high payload capacity
reached to four bits per byte.
The Ad Hoc mobile network (MANET) is a wireless network with properties which may constitute
challenges and weaknesses before the security progress in MANET network. It causes weakness in security,
which leads to increased attacks on MANET. In this paper the challenges and attacks likely to threaten
MANET will be investigated. As a corollary, security solutions will be discussed, the relationship between
them will be concluded and architectural security solutions in MANET will beproposed.
A Measurement Study of Open Resolvers and DNS Server VersionYuuki Takano
The document summarizes the results of a study that measured DNS servers on the public Internet. The researchers sent probes to the entire IPv4 address space to discover over 30 million DNS servers. Approximately 25 million of the servers were identified as "open resolvers" that accept recursive queries from any host. Software version information was obtained from over 7 million servers, revealing that BIND is the most common, though many servers have outdated versions. Reverse lookups of server IP addresses showed domain name distributions and identified many open resolvers in domains favored by spammers.
1. The document discusses the topic of ethical hacking and defines it as "methodology adopted by ethical hackers to discover the vulnerabilities existing in information systems’ operating environments."
2. Ethical hackers are independent computer security professionals who break into computer systems to evaluate security without damaging systems or stealing information.
3. The document outlines different types of attacks ethical hackers may perform such as insider attacks, outsider attacks, and social engineering attacks to evaluate a target system's security and vulnerabilities.
The document discusses hybrid covert channels, which are complex to detect. A hybrid covert channel scenario can have multiple trapdoors, or backdoors, existing simultaneously in the same or different layers of a protocol stack. This allows covert communication through different covert channel variants at the same time. The paper aims to understand different covert communication schemes, modeling attack scenarios, and potential covert mediums for detection metrics. It also categorizes covert channels and discusses examples of covert communication through techniques like encoding data in sequence numbers or timing channels.
This document provides an overview of hacking, including its history, definitions, types, famous hackers, reasons for hacking, and advice on security and ethics. Hacking emerged in the 1960s at MIT and refers to attempting to gain unauthorized access to computer systems. It describes hackers as those who exploit weaknesses in computers. Different types of hacking are outlined such as website, network, password, and computer hacking. Advice is given around using strong unique passwords, backing up data, and contacting authorities if hacked. Both advantages like security testing and disadvantages like privacy harm are discussed.
Network Intrusion Detection And Countermeasure Selection In Virtual Network (...ClaraZara1
Intrusion in a network or a system is a problem today as the trend of successful network attacks continue to rise. Intruders can explore vulnerabilities of a network system to gain access in order to deploy some virus or malware such as Denial of Service (DOS) attack. In this work, a frequency-based Intrusion Detection System (IDS) is proposed to detect DOS attack. The frequency data is extracted from the time-series data created by the traffic flow using Discrete Fourier Transform (DFT). An algorithm is developed for anomaly-based intrusion detection with fewer false alarms which further detect known and unknown attack signature in a network. The frequency of the traffic data of the virus or malware would be inconsistent with the frequency of the legitimate traffic data. A Centralized Traffic Analyzer Intrusion Detection System called CTA-IDS is introduced to further detect inside attackers in a network. The strategy is effective in detecting abnormal content in the traffic data during information passing from one node to another and also detects known attack signature and unknown attack. This approach is tested by running the artificial network intrusion data in simulated networks using the Network Simulator2 (NS2) software.
This document discusses securing healthcare networks against cyber attacks. It proposes using intrusion detection systems to continuously monitor networks, firewalls to ensure endpoint devices comply with security policies, and biometrics for identity-based network access control. This would help protect patient privacy by safeguarding electronic health records and enhancing the security of hospital networks. The growing adoption of electronic records and devices in healthcare has increased risks of attacks that could intercept patient data or take over entire hospital networks. Strong network security measures are needed to address these risks.
This document summarizes an article that proposes integrating conditional random fields (CRFs) and a layered approach to improve intrusion detection systems. CRFs can effectively model relationships between different features to increase attack detection accuracy. A layered approach reduces computation time by eliminating communication overhead between layers and using a small set of features in each layer. The proposed system aims to achieve both high attack detection accuracy using CRFs and high efficiency using the layered approach. It presents integrating these two methods for intrusion detection to address issues with limited coverage, high false alarms, and inefficiency in existing systems.
This document discusses the design and implementation of a network security model using routers and firewalls. It begins by outlining the importance of network security and some common vulnerabilities, threats, and attacks against network devices like routers. It then provides details on specific attacks like session hijacking, spoofing, and denial of service attacks. The document also discusses best practices for router and firewall security policies, including access control, authentication, and traffic filtering. The overall aim is to protect networks from vulnerabilities and security weaknesses by implementing preventative measures, securing devices like routers and firewalls, and establishing proper security policies.
INTRUSION DETECTION SYSTEM USING CUSTOMIZED RULES FOR SNORTIJMIT JOURNAL
This document proposes an intrusion detection system using customized rules for the Snort tool to improve security. The system uses Wireshark to scan network traffic for anomalies, Snort to detect attacks using customized rulesets for faster response times, and Wazuh and Splunk to analyze log files. Rules are created using the Snorpy tool and added to Snort to monitor for specific attacks like ICMP ping impersonation and authentication attempts. When attacks are attempted, the system successfully detects them and logs the alerts. The integration of these tools provides low-cost intrusion detection capabilities with automated threat identification and faster response compared to existing Snort configurations.
Cyber Warfare is the current single greatest emerging threat to National Security. Network security has become an essential component of any computer network. As computer networks and systems become ever more fundamental to modern society, concerns about security has become increasingly important. There are a multitude of different applications open source and proprietary available for the protection +-system administrator, to decide on the most suitable format for their purpose requires knowledge of the available safety measures, their features and how they affect the quality of service, as well as the kind of data they will be allowing through un flagged. A majority of methods currently used to ensure the quality of a networks service are signature based. From this information, and details on the specifics of popular applications and their implementation methods, we have carried through the ideas, incorporating our own opinions, to formulate suggestions on how this could be done on a general level. The main objective was to design and develop an Intrusion Detection System. While the minor objectives were to; Design a port scanner to determine potential threats and mitigation techniques to withstand these attacks. Implement the system on a host and Run and test the designed IDS. In this project we set out to develop a Honey Pot IDS System. It would make it easy to listen on a range of ports and emulate a network protocol to track and identify any individuals trying to connect to your system. This IDS will use the following design approaches: Event correlation, Log analysis, Alerting, and policy enforcement. Intrusion Detection Systems (IDSs) attempt to identify unauthorized use, misuse, and abuse of computer systems. In response to the growth in the use and development of IDSs, we have developed a methodology for testing IDSs. The methodology consists of techniques from the field of software testing which we have adapted for the specific purpose of testing IDSs. In this paper, we identify a set of general IDS performance objectives which is the basis for the methodology. We present the details of the methodology, including strategies for test-case selection and specific testing procedures. We include quantitative results from testing experiments on the Network Security Monitor (NSM), an IDS developed at UC Davis. We present an overview of the software platform that we have used to create user-simulation scripts for testing experiments. The platform consists of the UNIX tool expect and enhancements that we have developed, including mechanisms for concurrent scripts and a record-and-replay feature. We also provide background information on intrusions and IDSs to motivate our work.
DEFENSE MECHANISMS FOR COMPUTER-BASED INFORMATION SYSTEMSIJNSA Journal
Nowadays, corporations and a government agencies relay on computer-based information system to
manage their information, this information may be classified, so it will be dangerous if it is disclosed by
unauthorized persons. Therefore, there is urgent need for defense. In this research, defense has been
categorized into four mechanisms technical defense, operation defense, management defense, and physical
defense based on the logic of computer and network security. Also, each mechanism has been investigated
and explained in the term of computer based information systems.
A Proposed Model for Datacenter in -Depth Defense to Enhance Continual SecurityHossam Al-Ansary
This document proposes a model for implementing defense in depth strategies to enhance security for datacenters. It discusses key elements of defense in depth including layered defenses at multiple points to resist different classes of attacks from a variety of potential threats. The document outlines people, technology, and operations aspects of achieving security assurance and maintaining security posture. It proposes designing security mechanisms that achieve integration of continual security improvement and risk localization to resist attacks and ensure business continuity for datacenters.
This document summarizes a research paper on developing a honey pot intrusion detection system. The paper introduces cyber warfare as a growing threat and the need for effective network security. It then describes designing and implementing a honey pot IDS to detect potential threats on a host system by emulating network services and monitoring connections. The IDS would use event correlation, log analysis, alerting and policy enforcement. The document provides background on intrusions, IDS testing methodology, and reasons why only creating secure systems is not enough to prevent all intrusions.
HYBRIDIZED MODEL FOR DATA SECURITY BASED ON SECURITY HASH ANALYSIS (SHA 512) ...IJNSA Journal
High-profile security breaches and attacks on many organization’s database have been on the increase and the consequences of this, are the adverse effect on the organizations in terms of financial loss and reputation. Many of the security breaches has been ascribed to the vulnerability of the organization’s networks, security policy and operations. Additionally, the emerging technology solutions like Internet-ofThings (IoT), Artificial Intelligence, and Cloud Computing, has extremely exposed many of the organizations to different forms of cyber-threats and attacks. Researchers and system designers have made attempts to proffer solution to some of these challenges. However, the efficacy of the techniques remains a great concern due to insufficient control mechanisms. For instance, many of the techniques are majorly based on a single mode encryption techniques which are not too robust to withstand the threats and attacks on organization’s database. To proffer solution to these challenges, the current research designed and integrated a hybridized data security model based on Secured Hash Analysis (SHA 512) and Salting Techniques to enhance the adeptness of the existing techniques. The Hash Analysis algorithm was used to map the data considered to a bit string of a fixed length and salt was added to the password strings essentially to hide its real hash value. The idea of adding salt to the end of the password is basically to complicate the password cracking process. The hybridized model was implemented in Windows environment using python 3.7 IDE platform and tested on a dedicated Local Area Network (LAN) that was exposed to threats from both internal and external sources. The results from the test show that the model performed well in terms of efficiency and robustness to attacks. The performance of the new model recorded a high level of improvement over the existing techniques with a recital of 97.6%.
Enhanced method for intrusion detection over kdd cup 99 datasetijctet
This document discusses an enhanced method for intrusion detection using the KDD Cup 99 dataset. It aims to improve the accuracy of the dataset by analyzing the contribution of different attack classes to metrics like true positive rate and precision. The study examines these evaluation metrics for an intrusion detection system to identify which attack classes most impact recall and precision. The goal is to help improve the quality of the KDD Cup 99 dataset to achieve higher accuracy with lower false positives.
Designing Security Assessment of Client Server System using Attack Tree Modelingijtsrd
Information security has grown as a prominent issue in our digital life. The network security is becoming more significant as the volume of data being exchanged over net increases day by day. Attack trees AT technique play an important role to investigate the threat analysis problem to known cyber attacks for risk assessment. The technique is especially effective in assessing and managing the risks from hostile, intelligent adversaries. It is useful for analyzing threats against assets ranging from information systems to physical infrastructure. By using attack tree modeling analysis an organization can understand the ways in which they will be attacked, determine the likelihood and impact damage of these attacks and decide what action to take where the risks are unacceptable. This paper describes the attack tree model for organization based on Client Server Network. It provides the ways for defending and preventing sensitive information from attackers. Attack tree modeling provides for effective security solutions, cost effective security solutions and defensible risk mitigation decisions. Sandar Pa Pa Thein | Phyu Phyu | Thin Thin Swe "Designing Security Assessment of Client- Server System using Attack Tree Modeling" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3 | Issue-5 , August 2019, URL: https://www.ijtsrd.com/papers/ijtsrd26727.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/26727/designing-security-assessment-of-client--server-system-using-attack-tree-modeling/sandar-pa-pa-thein
This document discusses controls for protecting critical information infrastructure from cyberattacks. It begins by examining vulnerabilities in critical information infrastructure that cyberthreats exploit to launch attacks, such as software vulnerabilities, personnel vulnerabilities, and network protocol vulnerabilities. It then analyzes various cyberthreats like malware, distributed denial of service attacks, cyberwarfare, and social engineering that target these vulnerabilities. The document proposes implementing a system of preventive, detective, and corrective security controls based on general systems theory to address the vulnerabilities. Finally, it presents a model for securing critical information infrastructure that is currently insecure.
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...IJNSA Journal
End users are increasingly vulnerable to attacks directed at web browsers which make the most of popularity of today’s web services. While organizations deploy several layers of security to protect their systems and data against unauthorised access, surveys reveal that a large fraction of end users do not utilize and/or are not familiar with any security tools. End users’ hesitation and unfamiliarity with security products contribute vastly to the number of online DDoS attacks, malware and Spam distribution. This work on progress paper proposes a design focused on the notion of increased participation of internet service providers in protecting end users. The proposed design takes advantage of three different detection tools to identify the maliciousness of a website content and alerts users through utilising Internet Content Adaptation Protocol (ICAP) by an In-Browser cross-platform messaging system. The system also incorporates the users’ online behaviour analysis to minimize the scanning intervals of malicious websites database by client honeypots. Findings from our proof of concept design and other research indicate that such a design can provide a reliable hybrid detection mechanism while introducing low delay time into user browsing experience.
Defense-through-Deception Network Security Model: Securing University Campus ...journalBEEI
Denial of Service (DOS) and (DDOS) Distributed Denial of Service attacks have become a major security threat to university campus network security since most of the students and teachers prepare online services such as enrolment, grading system, library etc. Therefore, the issue of network security has become a priority to university campus network management. Using online services in university network can be easily compromised. However, traditional security mechanisms approach such as Defense-In-Depth (DID) Model is outdated in today’s complex network and DID Model has been used as a primary cybersecurity defense model in the university campus network today. However, university administration should realize that Defense-In-Depth (DID) are playing an increasingly limited role in DOS/DDoS protection and this paper brings this fact to light. This paper presents that the Defense-In-Depth (DID) is not capable of defending complex and volatile DOS/DDOS attacks effectively. The test results were presented in this study in order to support our claim. The researchers established a Defense-In-Depth (DID) Network model at the Central Luzon State University and penetrated the Network System using DOS/DDOS attack to simulate the real network scenario. This paper also presents the new approach Defense-through-Deception network security model that improves the traditional passive protection by applying deception techniques to them that give insights into the limitations posed by the Defense-In-Depth (DID) Model. Furthermore, this model is designed to prevent an attacker who has already entered the network from doing damage.
This document summarizes various soft computing techniques that can be used for intrusion detection, including fuzzy logic, graph-based approaches, and neural networks. Fuzzy logic can be used to classify parameters and detect anomalies by comparing normal and new fuzzy association rule sets. Graph-based approaches model network traffic as graphs of nodes and edges and use clustering algorithms to detect anomalies. Neural networks can be trained on audit log data to recognize normal behavior and detect deviations that may indicate attacks. These soft computing methods aim to improve on signature-based detection by learning patterns of normal network activity and detecting anomalies.
INTERNAL SECURITY ON AN IDS BASED ON AGENTSIJNSA Journal
An Intrusion Detection System (IDS) can monitor different events that may occur in a determined network or host, and which affect any network security service (confidentiality, integrity, availability). Because of this, an IDS must be flexible and it must detect and trace each alert without affecting the system´s performance. On the other hand, agents ina Multi-Agent system have inherent security problems due to their mobility; that’s why we propose some techniques in order to provide internal security for the agents belonging to the system. The deployed IDS works with a multiagent platform and each component inside the infrastructure is verified using security techniques in order to provide integrity. Likewise, the agents can specialize in order to carry out specific jobs, for example monitoring TCP, UDP traffic, etc. The IDS can work without interfering in the system's performance. In this article we present a hierarchical IDS deployment with internal security on a multiagent system, using a platform named BESA with its processes, functions and results.
INTERNAL SECURITY ON AN IDS BASED ON AGENTSIJNSA Journal
This document describes an intrusion detection system (IDS) based on a multi-agent system that provides internal security for agents. The IDS uses different types of agents (collectors, transceivers, itinerants, monitors) organized in a hierarchical structure to monitor network traffic and detect intrusions. The system implements techniques like a matrix of marks and hash functions to verify the identity and integrity of agents and prevent attacks from within the platform. The IDS architecture is presented along with how the agents communicate and coordinate to correlate events, generate new signatures, and ensure internal security without affecting system performance. The document evaluates this agent-based IDS approach for providing security while maintaining flexibility and adaptability.
Toward Continuous Cybersecurity With Network AutomationKen Flott
Network security is a dynamic art, with dangers appearing as
fast as black hats can exploit vulnerabilities. While there are
basic “golden rules” which can make life difficult for the bad
guys, it remains a challenge to keep networks secure. John
Chambers, Executive Chairman of Cisco, famously said “there
are two types of companies: those that have been hacked, and
those who don’t know they have been hacked”. The question
for most organizations isn’t if they’re going to be breached, but
how quickly they can isolate and mitigate the threat.
In this paper, we’ll examine best practices for effective
cybersecurity – from both a proactive (access hardening)
and reactive (threat isolation and mitigation) perspective.
We’ll address how network automation can help minimize
cyberattacks by closing vulnerability gaps and how it can
improve incident response times in the event of a cyberthreat.
Finally, we’ll lay a vision for continuous network security, to
explore how machine-to-machine automation may deliver an
auto-securing and self-healing network.
Network Security Is Important For Protecting Your ComputerAngie Willis
Here is an annotated bibliography on software firewalls:
1. Cheng, Peter C., et al. "Understanding firewall policy rules using graph mining." IEEE/ACM Transactions on Networking 25.6 (2017): 3807-3821.
This article presents a graph-based approach to analyze and understand firewall policy rules. It models firewall rules as a directed graph and applies graph mining techniques like clustering to analyze relationships between rules. This helps identify redundant rules, detect conflicts, and better understand the overall firewall policy. The approach was evaluated on real-world firewall rulesets.
2. Al-Shaer, Ehab S., and Hamed H. Hamed. "Discovery of policy anomalies in distributed
Natural Is The Best: Model-Agnostic Code Simplification for Pre-trained Large...YanKing2
Pre-trained Large Language Models (LLM) have achieved remarkable successes in several domains. However, code-oriented LLMs are often heavy in computational complexity, and quadratically with the length of the input code sequence. Toward simplifying the input program of an LLM, the state-of-the-art approach has the strategies to filter the input code tokens based on the attention scores given by the LLM. The decision to simplify the input program should not rely on the attention patterns of an LLM, as these patterns are influenced by both the model architecture and the pre-training dataset. Since the model and dataset are part of the solution domain, not the problem domain where the input program belongs, the outcome may differ when the model is trained on a different dataset. We propose SlimCode, a model-agnostic code simplification solution for LLMs that depends on the nature of input code tokens. As an empirical study on the LLMs including CodeBERT, CodeT5, and GPT-4 for two main tasks: code search and summarization. We reported that 1) the reduction ratio of code has a linear-like relation with the saving ratio on training time, 2) the impact of categorized tokens on code simplification can vary significantly, 3) the impact of categorized tokens on code simplification is task-specific but model-agnostic, and 4) the above findings hold for the paradigm–prompt engineering and interactive in-context learning and this study can save reduce the cost of invoking GPT-4 by 24%per API query. Importantly, SlimCode simplifies the input code with its greedy strategy and can obtain at most 133 times faster than the state-of-the-art technique with a significant improvement. This paper calls for a new direction on code-based, model-agnostic code simplification solutions to further empower LLMs.
Response & Safe AI at Summer School of AI at IIITHIIIT Hyderabad
Talk covering Guardrails , Jailbreak, What is an alignment problem? RLHF, EU AI Act, Machine & Graph unlearning, Bias, Inconsistency, Probing, Interpretability, Bias
In May 2024, globally renowned natural diamond crafting company Shree Ramkrishna Exports Pvt. Ltd. (SRK) became the first company in the world to achieve GNFZ’s final net zero certification for existing buildings, for its two two flagship crafting facilities SRK House and SRK Empire. Initially targeting 2030 to reach net zero, SRK joined forces with the Global Network for Zero (GNFZ) to accelerate its target to 2024 — a trailblazing achievement toward emissions elimination.
Online music portal management system project report.pdfKamal Acharya
The iMMS is a unique application that is synchronizing both user
experience and copyrights while providing services like online music
management, legal downloads, artists’ management. There are several
other applications available in the market that either provides some
specific services or large scale integrated solutions. Our product differs
from the rest in a way that we give more power to the users remaining
within the copyrights circle.
Best Practices of Clothing Businesses in Talavera, Nueva Ecija, A Foundation ...IJAEMSJORNAL
This study primarily aimed to determine the best practices of clothing businesses to use it as a foundation of strategic business advancements. Moreover, the frequency with which the business's best practices are tracked, which best practices are the most targeted of the apparel firms to be retained, and how does best practices can be used as strategic business advancement. The respondents of the study is the owners of clothing businesses in Talavera, Nueva Ecija. Data were collected and analyzed using a quantitative approach and utilizing a descriptive research design. Unveiling best practices of clothing businesses as a foundation for strategic business advancement through statistical analysis: frequency and percentage, and weighted means analyzing the data in terms of identifying the most to the least important performance indicators of the businesses among all of the variables. Based on the survey conducted on clothing businesses in Talavera, Nueva Ecija, several best practices emerge across different areas of business operations. These practices are categorized into three main sections, section one being the Business Profile and Legal Requirements, followed by the tracking of indicators in terms of Product, Place, Promotion, and Price, and Key Performance Indicators (KPIs) covering finance, marketing, production, technical, and distribution aspects. The research study delved into identifying the core best practices of clothing businesses, serving as a strategic guide for their advancement. Through meticulous analysis, several key findings emerged. Firstly, prioritizing product factors, such as maintaining optimal stock levels and maximizing customer satisfaction, was deemed essential for driving sales and fostering loyalty. Additionally, selecting the right store location was crucial for visibility and accessibility, directly impacting footfall and sales. Vigilance towards competitors and demographic shifts was highlighted as essential for maintaining relevance. Understanding the relationship between marketing spend and customer acquisition proved pivotal for optimizing budgets and achieving a higher ROI. Strategic analysis of profit margins across clothing items emerged as crucial for maximizing profitability and revenue. Creating a positive customer experience, investing in employee training, and implementing effective inventory management practices were also identified as critical success factors. In essence, these findings underscored the holistic approach needed for sustainable growth in the clothing business, emphasizing the importance of product management, marketing strategies, customer experience, and operational efficiency.
Exploring Deep Learning Models for Image Recognition: A Comparative Reviewsipij
Image recognition, which comes under Artificial Intelligence (AI) is a critical aspect of computer vision,
enabling computers or other computing devices to identify and categorize objects within images. Among
numerous fields of life, food processing is an important area, in which image processing plays a vital role,
both for producers and consumers. This study focuses on the binary classification of strawberries, where
images are sorted into one of two categories. We Utilized a dataset of strawberry images for this study; we
aim to determine the effectiveness of different models in identifying whether an image contains
strawberries. This research has practical applications in fields such as agriculture and quality control. We
compared various popular deep learning models, including MobileNetV2, Convolutional Neural Networks
(CNN), and DenseNet121, for binary classification of strawberry images. The accuracy achieved by
MobileNetV2 is 96.7%, CNN is 99.8%, and DenseNet121 is 93.6%. Through rigorous testing and analysis,
our results demonstrate that CNN outperforms the other models in this task. In the future, the deep
learning models can be evaluated on a richer and larger number of images (datasets) for better/improved
results.
20CDE09- INFORMATION DESIGN
UNIT I INCEPTION OF INFORMATION DESIGN
Introduction and Definition
History of Information Design
Need of Information Design
Types of Information Design
Identifying audience
Defining the audience and their needs
Inclusivity and Visual impairment
Case study.
Conservation of Taksar through Economic RegenerationPriyankaKarn3
This was our 9th Sem Design Studio Project, introduced as Conservation of Taksar Bazar, Bhojpur, an ancient city famous for Taksar- Making Coins. Taksar Bazaar has a civilization of Newars shifted from Patan, with huge socio-economic and cultural significance having a settlement of about 300 years. But in the present scenario, Taksar Bazar has lost its charm and importance, due to various reasons like, migration, unemployment, shift of economic activities to Bhojpur and many more. The scenario was so pityful that when we went to make inventories, take survey and study the site, the people and the context, we barely found any youth of our age! Many houses were vacant, the earthquake devasted and ruined heritages.
Conservation of those heritages, ancient marvels,a nd history was in dire need, so we proposed the Conservation of Taksar through economic regeneration because the lack of economy was the main reason for the people to leave the settlement and the reason for the overall declination.
An Internet Protocol address (IP address) is a logical numeric address that is assigned to every single computer, printer, switch, router, tablets, smartphones or any other device that is part of a TCP/IP-based network.
Types of IP address-
Dynamic means "constantly changing “ .dynamic IP addresses aren't more powerful, but they can change.
Static means staying the same. Static. Stand. Stable. Yes, static IP addresses don't change.
Most IP addresses assigned today by Internet Service Providers are dynamic IP addresses. It's more cost effective for the ISP and you.
Software Engineering and Project Management - Introduction to Project ManagementPrakhyath Rai
Introduction to Project Management: Introduction, Project and Importance of Project Management, Contract Management, Activities Covered by Software Project Management, Plans, Methods and Methodologies, some ways of categorizing Software Projects, Stakeholders, Setting Objectives, Business Case, Project Success and Failure, Management and Management Control, Project Management life cycle, Traditional versus Modern Project Management Practices.
Unblocking The Main Thread - Solving ANRs and Frozen FramesSinan KOZAK
In the realm of Android development, the main thread is our stage, but too often, it becomes a battleground where performance issues arise, leading to ANRS, frozen frames, and sluggish Uls. As we strive for excellence in user experience, understanding and optimizing the main thread becomes essential to prevent these common perforrmance bottlenecks. We have strategies and best practices for keeping the main thread uncluttered. We'll examine the root causes of performance issues and techniques for monitoring and improving main thread health as wel as app performance. In this talk, participants will walk away with practical knowledge on enhancing app performance by mastering the main thread. We'll share proven approaches to eliminate real-life ANRS and frozen frames to build apps that deliver butter smooth experience.
Profiling of Cafe Business in Talavera, Nueva Ecija: A Basis for Development ...IJAEMSJORNAL
This study aimed to profile the coffee shops in Talavera, Nueva Ecija, to develop a standardized checklist for aspiring entrepreneurs. The researchers surveyed 10 coffee shop owners in the municipality of Talavera. Through surveys, the researchers delved into the Owner's Demographic, Business details, Financial Requirements, and other requirements needed to consider starting up a coffee shop. Furthermore, through accurate analysis, the data obtained from the coffee shop owners are arranged to derive key insights. By analyzing this data, the study identifies best practices associated with start-up coffee shops’ profitability in Talavera. These findings were translated into a standardized checklist outlining essential procedures including the lists of equipment needed, financial requirements, and the Traditional and Social Media Marketing techniques. This standardized checklist served as a valuable tool for aspiring and existing coffee shop owners in Talavera, streamlining operations, ensuring consistency, and contributing to business success.
Profiling of Cafe Business in Talavera, Nueva Ecija: A Basis for Development ...
Deterring hacking strategies via
1. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
DOI : 10.5121/ijnsa.2015.7401 1
DETERRING HACKING STRATEGIES VIA
TARGETING SCANNING PROPERTIES
Saad Alsunbul1,2
, Phu Dung Le1
and Jefferson Tan1
1
Caulfield School of Information Technology, Monash University, Melbourne,Australia
2
Computer Research Institute, King Abdullaziz for Science and Technology,
Riyadh,Saudi Arabia
ABSTRACT
Network infrastructures have played important part in most daily communications for business industries,
social networking, government sectors and etc. Despites the advantages that came from such
functionalities, security threats have become a daily struggle. One major security threat is hacking.
Consequently, security experts and researchers have suggested possible security solutions such as
Firewalls, Intrusion Detection Systems (IDS), Intrusion Detection and Prevention Systems (IDP) and
Honeynet. Yet, none of these solutions have proven their ability to completely address hacking. The reason
behind that, there is a few researches that examine the behavior of hackers. This paper formally and
practically examines in details the behavior of hackers and their targeted environments. Moreover, this
paper formally examines the properties of one essential pre-hacking step called scanning and highlights its
importance in developing hacking strategies. Also, it illustrates the properties of hacking that is common in
most hacking strategies to assist security experts and researchers towards minimizing the risk of hack.
KEYWORDS
Hacking, network security, security properties, pre-hacking, scanning, necessary information
1. INTRODUCTION
Currently, network infrastructures have played important part in most daily communications for
business industries, social networking, government sectors and etc. It has become a necessity for
most occurring communications in which it incredibly eases exchanging information, storing and
retrieving data. However, such a considerable advantage comes with many security threats. One
major security threat to computer networks is hacking.
Hacking is a descriptive term used to describe the attitude and behaviour of group of people who
are greatly involved in technical activities which, more commonly today than in previous years,
result in gaining unauthorized access on their victims’ infrastructures. Generally, hackers aim to
study all technologies aspects in most infrastructures and explore their vulnerabilities.
Vulnerabilities within infrastructures are mostly derived from vulnerabilities within operating
systems, network technologies, communication protocols, security postures, software errors or
even from the integration between these technologies.
2. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
2
Currently, successful hacking attempts still present. For instance, in 2014, Sony Pictures
Entertainment was struck by hacking attack after releasing a movie called “The interview”. The
attack was intended to literally move data from Sony network and leave no possibility to recover
such lost data. [1]. Also, in 2012, the Saudi Arabia Oil Company (Saudi ARAMCO) was hit by
an external virus named Shamoon, which spread and affected around 30,000 workstations. That
malicious software aims to wipe computers hard drive indiscriminately. Fortunately, The
company stated that the virus did not reach to the production line and they have not clearly
identify the losses [2].
Such incidents have drawn security industry, experts and researchers towards addressing hacking.
There are many security solutions suggested and practically deployed in most network
infrastructures to address hacking in higher scale such as Firewalls, Intrusion Detection Systems
(IDS), Intrusion Detection and Prevention System (IDP), Honeypot and Honeynet. However,
there are still drawbacks associated with these security solutions that have proven their inability
to address such attacks.
There is a noticeable difference between security experts and hackers in the scene of exploring
vulnerabilities in computer systems [3]. For an effective secure defence system, a system designer
must fully understand hackers’ behaviours and propose a defence system that addresses the
common ground between most of hacking techniques. Nevertheless, there is unnoticeable effort
made by security experts and researchers with the aim to study the behavior of hackers.
The difficulty in pursuing this research field is caused by countless factors such as continuous
emerging of new technologies, introducing new vulnerabilities and etc. However, there is
indispensability to examine the behaviour of hackers in a great depth and find the common
starting ground for most hacking strategies. The purpose of this article is to illustrate our finding
of hacking root and common properties that must be satisfied by most hacking strategies that is to
be assisting future security researches towards addressing hacking.
This paper is organized as follows: Section 2 discuses the related work made towards addressing
hacking in large scale and their limitations. Moreover, section 2 highlights the importance of
studying hacking behaviour in order to suggest future security solutions based on our finding in
this article. Section 3 discuses the communication environment in general. Section 4 illustrates
hacking strategies and the necessary information for most hacking strategies. The three essential
pre-hacking steps are examined in section 5. Section 6 discusses the importance of scanning for
obtaining necessary information for hacking strategies. Then, the importance of scanning in
developing hacking strategies is illustrated in section 7. Examining the possibility of deterring
hacking strategies via targeting scanning properties is illustrated in section 7. Section 8 concludes
this paper.
2. RELATED WORK
Most of the current security solutions tend to embrace one option from the general classification
of the current solutions; it is either a passive defence or active defence approach. Passive defence
systems such as Firewalls, Intrusion Detection Systems (IDS) are security approaches that
preclude or minimize all defined or common cyber attacks in the first place when there are
hacking attempts. Despite the fact that most of these systems are essential for many network
3. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
3
infrastructures, there are still limitations present in each of these systems, which will be explained
in detail in the following subsections. However, Active defence systems such as Intrusion
Detection and Prevention (IDP), and Honeypots, are considered more advanced security
approaches that detect common and some new intrusions and actively respond to these attacks.
2.1. Firewalls
The conceptual model of a firewall provides the ability to manage every sub-network separately
and gives every department the capability to manage their own sub-network according to their
policies and requirements [4]. This management feature escalates the importance of firewalls as a
building block of any network design [5]. To make a decision about a packet; the packet must be
examined under a sequence of rules. Then, the firewall generates the decision, which is applied to
the packet [6] [7]. Firewalls as security technology fall into four types based on the filtering
algorithm and the operation layer (IP, Transport or Application layers) and they are: Packet
filtering, Circuit gateway, Application gateway and hybrid firewalls [8].
Despite the fact that firewall is one of the building blocks in any network design, there are
limitations on using them as the one and only line of defence. Depending on the technical
capability of firewall designers, errors might be introduced if a firewall designer is not highly
trained and experienced [5]. The succession of malicious viruses and worms such as Blaster [9]
and Sapphire [10] implies that most of firewall breaches are caused by configuration errors.
Even the modern design of firewalls, which demands the distribution of firewalls within the
organization’s network, it fails because of the complex protection requirements. What makes the
situation even worse is that every host has limited users and all of them are treated as trustworthy
users, the possibility of getting inside attack such as IP network spoofing, packet sniffing and
denial-of-service is still possible [4]. Since those attacking strategies are mostly connected with
human behaviour, the importance of having dynamic security posture have become more
practically than the static security implementation.
2.2. Intrusion Detection Systems (IDS)
The conceptual model of IDS was introduced to be a real-time defence system to detect intruders
inside networks, unauthorized use, abuse and misuse of computer systems [11][12]. Basically, it
has been designed and proposed under the assumption that a normal user’s behaviour is
completely different than an intruder [12]. So, the gap between their behaviours is the key for
spotting an intrusion. IDS has the ability to analyse, detect intrusion, recognize the source of
attack and alleviate the effect of most of unexplored attacks [11].
IDS obtains data from different sources, which constructs a network infrastructure (networks and
hosts), and that differentiation creates a classification for IDS. The classification consists of:
Network-based IDS, Host-based IDS and Hybrid IDS [12].
Nevertheless, Detection technique requires a model of intrusion, which are: Anomaly or misuse
detection techniques. Anomaly detection technique applies the concept of collecting user’s
profiles and defines them as normal behaviours or normal patterns [13]. Then, in real time, IDS
analyses current users’ sessions and maps them with defined normal behaviours to recognize
4. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
4
abnormal activities. The normal behaviour varies depending on the workload and number of
operations and activities operated by users [13][14]. However, the second type is referred as
misuse detection. Basically, it defines the basic techniques used by attackers and models them
into the system under the term “signatures” [12][13]. In that case, the system processes all
streamed audit files searching for these signatures [12][13][14].
Despite the fact that IDS systems are one important security component for most systems and
commonly deployed, there are some drawbacks related to that technology. For example, Anomaly
Intrusion Detection system has large number of false positive alerts. Furthermore, the dynamic
feature which is supposed to detect new forms of attacks, is very difficult in reality. In other
words, it detects only the modelled attacks and disregards any new invented attacks [15][16].
Even that the conceptual model of IDS in detecting modelled attacks seems to be realistic, it is far
from being achieved due to attackers’ abilities to change some information to deceive IDS such
as port number, sequence number or protocol indicator [15]. That trick can pass IDS and provide
the same result without being noticed. Furthermore, false positive alerts can cause overload in the
victim’s network. In reality, a hacker injects the target’s network with common modelled attacks
causing an IDS to generate detection alerts which regularly leads to overload the network. This
attacking strategy is utilized to hide the real breaching path to the systems by shuffling it with the
fake false positive alerts simply to avoid seizing the attention for the real attack [16].
2.3. Intrusion Detection and Prevention System (IDP)
One of the biggest drawbacks of IDS is the non-defendable mechanism in which it recognizes an
attack without any single action in return. IDP shares the same characteristics with IDS but
instead of generating alerts, IDP performs actions against the intrusion. As IDP inherits most of
the design specifications and concepts; consequently, it inherits the drawbacks of the IDS as well.
Moreover, there is an issue arises with IDP especially when it is standard with out-of-thebox
configuration. Precisely, this configuration causes to recognize a large scale of normal activities
as suspicious activities [17]. This issue is defined as false negative rate. Furthermore, it has been
reported that %99 of the reported alerts by IDS/IDP are not related to the security aspects
[17][18].
These limitations within the previous security systems have not reached to the satisfaction level
for the security industry and the need to further researches has become vital. As a result of that, a
Honeypot was introduced.
2.4. Honeypot
The founder of Honeypot, Lance Spitzner [19] defines it as “security resources whose value lies
in being probed, attacked, or compromised”. The fundamental concept of designing Honeypot is
to study hackers’ behaviours and assist the efforts made against hackers besides firewalls, IDS
and IDPs. The basic concept is very simply, a collection of resources that have no reliance on the
main operations of the original network and have no authorization mechanism and these
resources are made to be breached by hackers; thus, their behaviours and techniques are recorded
to gear up against them with proper security postures [20]. If that network does not get hacked, it
has no value for security researchers [19][20].
5. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
5
Primary designed to study hackers’ behaviours and eventually has become a tool for deception or
an active supplement for Intrusion Detection Systems. One use of honeypot system is for
deception; the deception is mainly targeted hackers, luring them to valueless network for their
activities to be observed and recorded and these resources must appear realistic [21][22]. That
valueless information might be a simulation for computers with known vulnerabilities or
operating systems combined with network services with deliberate security holes [21][22]. Then,
it is a Honeypot system responsibility to record a hacker’s behaviour through background
applications, capturing the transferred packets between the hacker and the Honeypot system;
besides analysing and interpretation of the collected data [23]. The other use of honeypot system
and the most common is by engaging it with other security postures. In this situation, Honeypot
acts as a security supplement for IDS contributes to solve the major drawbacks in IDS which are
the false positive and false negative rates. IDS combined with Honeypot may cut the number of
false positive and false negative rates to %10 of the same production of IDS alone [20][23].
Usually setting up a honeypot forces the designer of the system to chose between two different
methodologies, Low interaction and high interaction. Low interaction means that the trap (the
deception) has limited resources due to the simulation process. Specifically, the simulated trap
may have the ability to interact with few numbers of connections at one time compared with the
actual capability of the real system [23]. This issue is one fine indicator for hackers that they have
been deceived. Moreover, honeypot logs are stored locally; thus, escalates the risk of tampering
logs file to serve hackers’ deeds [23]. Likewise for high interaction, a high interaction honeypot
has high cost and complicated configuration process in which if it has not configured probably, it
eventually causes a low efficiency and utilization for the trap [23].
Additionally, most of honeypot is set to work in one segment making it very easy for hackers to
detect them. Actually, the benefit gained from these traps is none. Hackers notice these traps and
avoid presenting their tools and methodologies for breaching which leaves honeypot useless [23].
These traps are given for hackers to play with and show their evil tools and methods for hacking.
In fact, hackers can detect these traps and continue to explore the vulnerabilities for one reason,
launching an attack from honeypot. This reflection attack works for hackers as a barrier saves
them from law enforcements and the third party may take the liability unless certain laws are
presented [22].
Furthermore, these traps have a huge disadvantage, which is the main indicator for the trap itself.
If it allows outbound connections to be made, they face the risk of being used as third party for
another attack. In contrast, blocking outbound connections is very fine indicator for the trap,
which makes it useless in many cases [20]. In addition, it is hard of honeypot to differentiate
between legitimate users and hackers. Actually, it misses any attacks that does not enter the trap
and goes directly to the victim’s system.
2.5. Related work main limitations
Despite the fact that the security solutions discussed above provide some level of security, there
are still limitation in addressing hacking. We Also found that these security solutions tend to
neglect the behaviour of hackers and find similar hacking methodology. We found that hacking
strategies come in different techniques and counting all the techniques is nearly impossible.We
have examined the hacker behaviour based on [24] and found that hacker actually executes some
6. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
6
programs or tools that are classified under three categories. These categories are the prehacking
steps (Footprinting, Scanning and Enumeration). The main purpose of this article is to formally
and practically examine deeply the environment in which hacking takes place and the behaviour
of hackers and find the properties that are shared between most of hacking strategies.
Studying the behavior of hackers provide us with complete understanding of the way they launch
their attacks. “Think like a hacker” is the best way for security experts and researchers in future to
suggested new security solutions and avoid vulnerabilities or at least discover them in the small
time frame before hacker discovers it. Currently, the common security practice is based on
suggesting a new security solution for a specific hacking strategy after vulnerability is being
exploited; then, patched. See next figure for vulnerability lifecycle.
Figure 1: Vulnerability lifecycle for applications [25].
Moreover, hackers’ attitudes, ethical beliefs and cultures towards hacking are important factors
which widen a security experts’ knowledge and create better chances for security experts and
developers to be effective in the defensive line [26]. Furthermore, hackers have proven their
abilities with impressive outcomes via their hacking techniques acquired mostly from their
cultures. In fact, they intensively enrich their culture by exchanging the wealth of practice and
methods, which clearly have demonstrated their effectiveness [27].
Furthermore, There is considerable gap between the way the hackers and computer scientists gain
their skills and techniques creating better chances for hackers to continue and enrich their
cultures. As a result of that, studying hackers’ behaviors is essential to lead to future security
solutions with high resistance and actively effective against most hacking attempts, which is the
main aim for this article.
3. Communication In Network Infrastructures
Before we start examining the behaviour of hackers, the environment where hacking taking place
is important to be inspected.
The design of network infrastructures comes in different topologies and network technologies that
suit needs and requirements of organizations, which might forms complex design of network
infrastructures. Most of network infrastructures contain and not limited to common hardware and
software components that ensure the functionality. However, there are additional components for
7. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
7
functionality and security purposes. The common network infrastructure components are: Hosts,
routers or switches, servers, cables, wireless routers, communication protocols, and network
services. We define the common infrastructure components (INF) as:
Setting up computer network with all services requires some H which stands for Host, where H >
0. Also, directing and managing the communicating with that network require RT or ST, where
RT > 0 and ST > 0; Note that RT stands for routers and ST stands for switches. Nevertheless, S is
a main element in term of functionality in any network which stands for servers; where S > 0.
Also, C is the actually physical connection between all hardware within most computer networks,
which stands for Cables. Moreover, P stands for intercommunication protocols, where P > 0. At
last, SE stands for services provided to users, where SE > 0.
The form of communication that occurs within INF is based on packets. The formation of
transmitted packets may differ based on deployed network protocols. Yet, the structure and
formation of these packets must be predefined. As a consequence, communication protocols were
defined. The main purpose of communication protocols is to facilitate the communication
between participants in which it defines the structure and formation of packet, such as TCP/IP
protocol for Internet.
Usually, packets are sent from source to destination hosts to satisfy an objective of the
communication. The objectives of transmitted packets might vary from a normal request of
webpage, to security breach. Nevertheless, counting all packets’ objectives is close to impossible.
From a security prospective, we categorize packets’ objectives into two main categories, which
are:
• A threat objective.
• None threat objective.
A threat objective appears when a request of the communication from a sender is intended to
breach into computer system of a receiver. Thus, all generated and delivered packets for hacking
purpose fall into the threat objective category. However, transmitted packets that generated for
functionality purposes such as requesting webpage fall into the none threat objective category.
So, the communication between two participants is initiated to satisfy an objective, which is the
objective of the transmitted packets. The communication between two participants appears when
there are packets delivered from the sender to receiver and vice versa. In another words, if one
participant does not send packets to the other participant, the communication in this case does not
appear. Such predefined communication procedure provides tremendous functionalities. Yet, with
great functionalities come communication threats.
8. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
8
3.1. Communication risk
Hacking threats are illustrated in the basic form of the communication, which are in the
transmitted packets. Hacking happens in countless strategies based on deployed technologies in
nominated victims’ infrastructures. Nonetheless, most of hacking strategies heavily rely on
necessary information in which hacking is nearly impossible to be performed without it
(necessary information will be discussed in details in the following section).
The necessary information is obtained from the communication between hackers and their victims
via two main techniques which are: engagement and analysis.
3.1.1. Engagement
The engagement is a sequence of communication between two participants where one participant
sends packets to another participant, and receives responses; see the following figure.
Figure 1: Engagement
It is limited to; a sender sends packets to the receiver, and the receiver responses with packets to
the sender. Thus, when the sender is sending packets to the receiver and the receiver does not
respond, it is not considered engagement. So, the engagement is defined as follows:
Where n and n’, are the maximum number of sent and received packets required for the
communication objective. packet’1
, is the packet generated by the receiver, which is a response to
packet1
.
ENG is main requirement for current deployed technologies, which may become a highly risky
functionality especially for hacking strategies. Eliminating ENG is impossible; however,
controlling ENG between computers systems would eventually limit hacking risk that is
discussed is section 7.
9. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
9
3.1.2. Analysis
Analysis is a process involves extracting information from transmitted packets. The analysis may
include extracting information transmitted through ENG between the hacker and their victim or
between legitimate users. The main purpose of analysis is to obtain the necessary information,
which is discussed in details in section 8.2. Generally, analysis process may vary from a simple to
complex processes depending on the required information for hacking strategy. Due to the
variation of hacking strategies and continuous emerging of new hacking strategies, counting all
analysis processes is impractical. However, this thesis focuses on analysis, as process that assists
hackers to obtain the necessary information. Hence, we define analysis as:
Where EXTRACT_NINF, stands for extracting necessary information from transmitted packets
between a hacker (which is the one who is performing the analysis process), and the victim.
The main requirement for analysis process is to know the structure and format of the transmitted
packets that is defined in section 8.2. There are many protocols that wildly used such as TCP/IP
protocol. Understanding how bits are organized to form packets is essential for any analysis
process that eases extracting necessary information from transmitted packets.
4. Hacking Strategies
Hacking objectives vary because of countless factors such as stealing money, creating political
issues, destroying repetition or just for fun. However, not all hacking attempts are successful in
reaching their objectives and counting all hacking objectives is impractical.
This paper focuses on successful hacking attempts. Therefore, we define a successful hacking
strategy (SHS) as a hacking strategy attempt where it satisfies its objective. SHS is number of
executed operations by hackers where it designed to satisfy its objectives.
SHSo, stands for number of executed successful hacking operations Where I = {1,2,3,4,5...n}.
The following subsection illustrates a case study of common SHS that is remote password
guessing attack on Windows systems. That case study highlights the necessary information of
most remote password guessing attach as for most SHSs.
4.1. Case Study: remote password guessing attack
Windows systems come with built-in security features; however, the main guard of accessing
Windows systems is still passwords. Thus, remote password guessing attack is one of the
common threats to Windows systems [24]. Remote password guessing is wildly used by hackers
10. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
10
due to the simplicity of guessing and overturning authentication credential with high chance of
gaining unauthorized access [24]. Remote password guessing attacks come in many strategies
based on the type and version of the deployed windows systems.
The popular strategy is to target the Window file and print sharing services using Server Message
Block (SMB) protocol [24]. SMB is accessible via ports TCP 445 and 139. Another remote
password guessing attack path is by Microsoft Remote Procedure Call (MSPRC) on port TCP
135. For such attack, the hacker might use automate password guessing command called enum
with a specified target IP. The following is an example for enum command [24]:
Most of SHSs require necessary information in which it is impossible to choose or design suitable
hacking strategies. As the case of password guessing attack the hacker has chosen this SHS based
on the necessary information illustrated in the following section.
4.2. Necessary information
Necessary information is the mean need for any SHSs to take place. This information is essential
for SHSs. The necessary information is listed as: IP address of a victim’s system, operating
system that runs on the victim’s system, opening ports on the victim’s system and running
services on victim’s system. This subsection discusses the importance of necessary information
for SHSs with the use of the case study showed previously.
4.2.1. IP address
Generally, through normal ENG, packets are delivered from one host to another in shortest path
possible to assure packets delivery speed in most communication technologies. With current
technologies development the reliance on the IP address (IP) is important to assure that packets
are delivered to intended recipients.
11. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
11
Consequently, IP address is necessary information for any ENG and SHSs. In the case study of
remote password guessing attack illustrated previously, the IP address (192.168.202.44) was
specified by pre-hacking step called scanning (scanning will be discussed in detail in section 5).
4.2.2. Operating system
The second step after specifying the IP address of the target system is identifying which operating
system (OS) that is deployed in that target system. Operating system holds responsibility of
managing most functionally. Security vulnerabilities vary based on the technical specification of
the deployed operating system. In another words, every operating system has different
vulnerabilities that are associated with it.
Thus, identifying which operating system that manages the target IP is necessary information for
any SHSs. Specifying the type and version of deployed operating system in the victim’s INF is
heavily relied on ANL the ENG between the hacker and victim.
Going back to the case study of remote password guessing attack, we notice that the hacker uses
(enum) command line that is suitable to target Windows system. Specifying the victim’s
operating system is done through scanning as well.
4.2.3. Running services and opening ports
Identifying what services (RS) are and in which ports (OP) they run on the victim’s system is also
necessary information for any SHSs. Services and opening ports from hackers’ prospective are
doors for their delivered packets in which it is impossible for them to enter such system without
identifying possible entrances to their nominated victims’ INFs.
Services are deployed to perform specific tasks in most operating system; thus, these services
may have vulnerabilities that associated with them, or might just give assistance to hackers to
enter the victim’s system. Based on the hacker technical skills and knowledge about deployed
technologies and software, they utilize these services and opening ports to their advantage and in
worst case accomplishing SHSs.
Going back to the case study of the remote password guessing attack, the hacker has effectively
identified the opening ports that are ports 445 and 139, and the running service on theses ports is
SMB through executing scanning operations.
The necessary information might appear basic for some security experts in which it is the
necessary information for most ENG. However, it is impossible for any ENG and SHSs to be
performed without such information. Hence, we define the necessary information (NI) as:
Most of sophisticated hackers perform three pre-hacking steps in order to obtain the NI and
additional information before choose or design hacking strategies. Usually, hacking strategies are
designed to suit victims’ system and finish up with SHSs.
12. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
12
The three pre-hacking steps are: foot printing, scanning and enumeration. Such great deal of NI
and additional information is to be obtained from performing these three steps. However, NI is
obtained from performing scanning alone. This paper focuses on scanning as root of hacking in
which it provides NI for most SHSs. However, following subsections discuss foot printing and
enumeration as well to highlight the importance of scanning between foot printing and
enumeration.
5. Pre-Hacking Steps
Before hackers actually break in, most skilled hackers follow the same methodology. The
methodology consists of three crucial steps which are: footprinting, scanning and enumeration
[24]. These three steps must be performed by most experienced hackers, which give it the phrase
“The root of hacking”; see next figure. The following subsections formally examine every pre
hacking step.
Figure 2: The behaviour of hackers.
5.1. Footprinting
Footprinting is a crafted technique in gathering information [24]. Basically, it is related to
narrowing down the target of interest, investigating every entity related to the victim’s INF. The
hacker at this stage is trying to understand how the victim operates. They investigate the
interrelation between the victim and everything around it without any ENG between the victim
and hacker; In other words, no single packet is sent to the victim. For a successful focussed and
surgical hack, the hacker must harvest the wealth of information about every feature of the
organization's security postures [24].
Footprinting is a process, which involves execution of software operations specifically design to
satisfy footprinting main objectives. Thus, we define footprinting (F) is defined as:
13. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
13
Fo, stands for footprinting operations, where I = {1,2,3,4,5,6…n}. The main aim of F is to end up
with a unique detailed profile (UP) of the target’s Internet, intranet [Info(in)], extranet [Info(ex)],
remote access [Info(ra)], business partners [Info(bp)], deployed protocols [Info(pt)] and general
information about security postures [Info(sp)] [24]. Thus, UP is defined as:
A skilled hacker can narrow their target to specific domain names, IP addresses, routers, subnets
and network blocks; starting from a selected victim and without a single packet being sent [24].
In F step, hackers investigate the interrelation between the victim’s INF and every entity that is
connected to it without sending a single packet to the victim with considerable time and effort
made by hackers. So, we define F property as:
After that, the hacker will proceed to the next step, which is scanning.
5.2. Scanning
By the previous step, the hacker obtains UP about their target. From that point, the hacker starts
sending packets to their victim’s system. Actually, the intention of developing the attack strategy
(scripts and tools) is yet to be determined. In fact, they look for the point of entry to the victim’s
system searching for proper paths to get inside the target’s system [24].
Scanning is the most critical pre-hacking step due the intrusiveness nature and critical
information gained from it. It is a set of executed operations developed specifically to satisfy the
scanning’s main objectives. So, we define scanning as:
So, stands for scanning operations, Where I = {1,2,3,4,5…n}. S rely on the output of F which is
UP, under the assumption that F are executed successfully and data contained in UP is sufficient
enough to start S.
5.2.1. Scanning objectives
S is the most crucial process compared with F and enumeration. At this stage, the hacker searches
for running services and in which ports they run and what the host that runs these services. S
objectives are determining target, operating system, running services and opening ports in the
intended INF. Hence, a successful execution of S operations means that the hacker has obtained
NI. The following subsections examine every objective and use S tools for remote password
guessing attack.
14. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
14
• Determining the target:
Determining the target (DTT) is a number of executed operations that fall within the range of So.
Sophisticated hackers execute these operations to specific target within the intended INF.
Basically, having predefined target eases the enumeration step and developing SHSs. It is one of
the most critical steps since hackers cannot start probing without identifying which system they
target. We define DTT objective as:
Where IDENT_target stands for identification of the target system in the intended INF. Hackers
obtain the IP address of the victims’ INF by ANL the ENG.
Going back to the case study of remote password guessing attack, there are many tools that
identify which system is listening for incoming traffic (which system hacker should target);
however, the most common tool is network ping sweep using nmap command [24]. Nmap
command operates by sending specific type of traffic such as ICMP (internet Control Message
Protocol) to a list of IP addresses or network blocks of the specified victim and analyzing victim’s
replies. In another words, nmap sends ICMP packets to the list of IP addresses or network blocks
and waits for responses. The following example illustrates how nmap identifies the target system
[24].
The first objective of S in determining the IP addresses for the target system is accomplished. Via
one of S tool such as nmap, hacker at this stage has effectively identified the IP address of the
target system (192.168.1.44).
• Determining the operating system:
Every operating system requires technical specifications to execute and run applications on its
environment. Managing applications and services and associating ports to these applications and
services is one of the main functionality of operating systems. Thus, identifying operating (DOS)
system that runs on the target INF is critical part in developing SHSs. We define DOS objective
as:
15. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
15
Where IDENT_OS, stands for identifying the operating system that manages victim’s INF. Going
back to the case study of password guessing attack, there are number of tools that are used to
identify the deployed operating system in the target’s server. Active stack fingerprinting is a
technology that identifies the deployed operating system based on IP stack implementation. Every
operating system interprets RFC guidance differently during implementing their TCP/IP stack
[24]. Thus, by spotting these differences, hacker can identify which the operating system they
deal with by the response type from the target system. One of these tools is nmap. The following
example illustrates how nmap identifies the deployed operating system [24].
TCP Sequence Prediction: Class=random positive increments
Difficulty=26590 (worthy challenge)
Remote operating system guess: Solaris 2.5, 2.51
16. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
16
• Determining the running services:
The following objective of S after DOS is to determine running services (DSR) on the specified
target. The important of DSR is illustrated in identification of the listening ports and applications
that runs on these ports. Such great deal of information can be extracted by sophisticated hackers
from this step. So, we define DSR main objective as:
Where IDENT_APP, stands for identifying the running application and IDENT_SR stands for
identifying the running services on the intended INF. Going back to the case study of password
guessing attack, there is one widely used scanning tool that identifies the running services and
opening ports called netcat [24]. Netcat is a tool designed to perform port scanning on specific
target systems over TCP or UDP protocols. Netcat probes the selected target to determine which
service is in listening state. The following example illustrates how netcat command identifies the
running services and opening ports, which is SMB on port 139 [24].
The above examples of the case study of password guessing attack showed how S operations
provides NI about the nominated victim’s system. A remote password guessing attack is nearly
impossible to be accomplished without NI gained by the previous examples of S objectives. This
paper focuses on worst case in which the hacker has successful executed S and extracted the NI.
Thus, we refer to S as a successful process in which it ends up with NI. We define S objectives
(SOJ) as:
17. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
17
5.2.2. Scanning properties
During S, hackers intensively ENG with their victim by sending and receiving packets.
Moreover, ANL the ENG to obtain NI, such as operating system information, requires broad
knowledge about deployed technologies where was the case of identifying OS type and version in
the previous case study. Thus, we define S properties (Sp) as:
The hacker at this point has defined all the windows and doors that can be routes for launching
attacks. Then, they perform the last step just before launching their attacks, which is enumeration.
The basic building block for most surgical SHSs relies heavily on the wealth of information
gained from S in which it is impossible to develop SHSs without the obtained NI
5.3. Enumeration
At the final stage, the hacker has effectively recognized opening ports and running services
preparing for hack. Before they form their SHS, they intensely probe the spotted services looking
for known weaknesses and discovering new routes [24]. Enumeration (E) is also a number of
executed operations by hackers. However, these operations are more intrusive than Fo and So.
However, the obtained information from enumeration is not critical as information gained from
So.
E is a process that includes active ENG and direct queries to the target’s system, giving it a higher
level of intrusiveness compared with S [24]. This process heavily relies on information gathered
from S. Thus, we define E objective as:
Basically the E objectives are mostly related to the identified applications on the intended INF.
The hacker in E step tries to probe the target to identify the make [Make (y, app, INF)] and model
[Model (y, app, INF)] of the spotted services. At the first glance, the hacker seeks for
misconfiguration of shared resources (for instance, unsecured share systems), user names as an
important factor for dictionary attacks and common security vulnerabilities related to the spotted
services such as remote buffer overflow for a web server [24]. E operations share similar
properties as S, which we define it as:
18. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
18
6. S FOR NI
Developing SHSs require intensive knowledge about victims’ INFs. It does require deep
knowledge about the deployed technologies and security postures in victims’ INFs. Acquiring
knowledge requires successful completion of executed operations by hackers to specifically
extract NI from S and additional information from F and E to assist developing of SHSs.
The main aim of F is to reduce the scope of interest to specific IP addresses and domains.
Moreover, F is aimed to study how the victim operates and interrelation between the victim and
allied organizations. The amount of information gained by the hacker form F encloses
information about internet, intranet, remote access and extranet. Then, the hacker proceeds to
next step, which is S [24].
S is the most critical pre-hacking steps because of the NI obtained from it. The hacker at this
stage tries to identify points of entry of the victim’s INF. Successful execution of sophisticated S
may identify which system is listing for incoming traffic. Although, it can identify the running
services on the specified victim’s system and deployed operating system. Such great deal of
information extracted from successful execution of S which will limit hackers use for specific
tools, scripts and applications to that specific operating system, services, listening system. Then,
the hacker completes gathering additional information by perfuming E [24].
E operations are considered most intrusive compared with S. However, the S is more critical
because of the NI gained from successful execution of So. Information gained from E is mainly to
specify make and model of installed application on the victim’s system. This information won’t
be possible to gain without identifying the listening system, the operating system that runs on
victim’s system and the running services and opening ports.
Hence, S is the most critical pre-hacking step in which it provide NI to be essential factor for any
SHS. This thesis considers the worst case, which assumes that S is executed successfully, and the
NI is gained from execution of S. Thus we define the relation between S and NI as follows:
7. S AND SHS
Based on the information acquired from S, the hacker at this stage develops a suitable SHS to
break into their victim’s system. Counting SHSs is impractical. The sophistication in hacking
techniques and the limitation associated with current security solutions escalate the success rate
for many hacking attempts. However, most of experienced hackers perform S in order to break
into a system.
19. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
19
S is performed to accomplish a great task, acquiring NI about the victims’ systems. Every SHS
requires specific information about how victims operate and what the deployed technologies in
victims’ INF, without this information developing hacking strategies is nearly impossible. So, we
define the relation between NI and SHS as:
Communication between hackers and victims comes in form of packets. Packets are sent to
victims by hackers and vice versa. These packets are impossible to deliver without specifying the
IP address on the victim’s system. Although, data presents in transformed packet are generate by
scripts or tools designed specifically to accomplish specific function on the victim’s system. So,
without knowing the open ports, services running on these ports and operating system,
developing specific tools and script of data forming on the transferred packets is not possible.
Thus, SHS is addressed via deterring S operations. Hence, we define the importance of S to
address SHS as follows:
Nevertheless, it is important to highlight S properties in order to address SHS. So, the following
section discusses S properties, which are ENG and ANL.
8. Deterring Shs Via Targeting S Properties
As it has been discussed previously in this paper, SHS requires NI in which it is impossible for
SHS to be selected or implemented in the first place without it. NI includes known exactly the IP
address of the victim’s system, the deployed operating system in the specified victim, running
services and in which ports they run on the victim’s system. The NI is obtained when the hacker
successful executes S. Thus, the main purpose of S is to end up with NI.
In addition, S requires some technical specification which is not possible to perform S and some
network functionalities without them. These technical specification where illustrated previously
in this paper as communication risk (section 3.1). These technical specifications are defined in
section 5.2 as S properties. These properties are ENG and ANL. The following subsections
discuss ENG and ANL in more details with the use of case study of remote password guessing
attack.
8.1. ENG
ENG is sequence of communication between the hacker and their victim. It occurs when the
hacker is sending threat objective packets to the victim and victim replies back to them with
packets. Packets sent from the hacker are threat objective packets, which leads to NI when the
hacker successful executes S.
20. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
20
In some cases, ENG does not occur between the hacker and their victim such as when the victims
system is switch of or hanged. In this thesis, no ENG means that at least one condition of ENG is
not occurring.
When the hacker is in no ENG condition, it means one of the two following conditions:
• The hacker is sending threat objective packets to the victim. The victim is not replying
back to the hacker.
• The hacker is sending threat objective packets to the victim and packets are dropped or
not delivered during the ENG.
The following figure illustrated the conditions of no ENG.
Figure 3: None ENG.
Hence, we define none ENG as:
In another words, ¬ENG is occurring when the nominated victim does not reply to the hacker.
Through successful execution of S, the replied packets from the victim to hacker hold NI.
Therefore, when hacker does not receive replied packets from the victim, obtaining NI is nearly
impossible. We defined the relation between none ENG and S as follows:
The following subsections illustrate the importance of ENG and ANL with the use of remote
password guessing attack.
21. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
21
8.1.1. ENG for DTT
Going back to the case study of password guessing attack described previously, in the first
objective of S which is DTT, the hacker sends threat objective packets to block of IP addresses to
determine which host is alive. Identifying the exact IP address to target requires from the victim
to reply to the hacker. The following figure illustrates how hackers identify which system to
target.
Figure 5: ENG during DTT.
DTT IP address is essential for most of the communication within INF. It is not possible hosts to
communicate without sending and receiving packets. Thus, as it has been illustrated in the
previous figure the hacker has effectively identified the IP address of the target INF by receiving
a reply from (192.168.1.44).
8.1.2. ¬ ENG for DTT
When ENG is not satisfied, the possibility of identifying the actual IP address of the target system
is impossible. ¬ENG property means that the hacker sends threat objective packets, which is the
case of DTT and receives none replies. The following figure illustrates how the hacker sends
packets to block of IP addresses and receives no reply.
Figure 5: ¬ENG during DTT.
22. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
22
In this case identifying which system to target is not possible, since DTT heavily relies on
receiving replied packets from the victims. Thus the expected output after execution nmap
command line for DTT is:
8.1.3. ENG for DOS
DOS is critical information since SHSs vary based on the type and version of OS that manages
the victim’s system. Remote password guessing attack is commonly associated with Windows
system. The reason behind that is Windows system is still placing reliance on passwords as main
guard to for access. Hence, remote password guessing attack is effective hacking strategies
directed to Windows system. The following figure shows how the hacker ENG with the victim
and successful identified the OS.
Figure 6: ENG for DOS.
As it has been shown in the previous figure, the hacker required ENG property in order to obtain
the type and version of OS. It is impossible to obtain OS type and version without receiving
replied packet with required information to the hacker.
8.1.4. ¬ENG for DOS
Let assume that hacker has effectively DTT of the victim, the following step of S objective is
DOS. ENG property is important through DOS of the target system. It is impossible to DOS
without the presence of ENG between the hacker and their victim. The following figure illustrates
execution of nmap command line for DOS when ENG is not satisfied.
23. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
23
Figure 7: ¬ ENG for DOS.
The expected output of executing nmap without satisfying ENG property would appear to the
hacker as:
8.1.5. ENG for DSR
Information is DSR. DSR is essential as DTT and DOS. Vulnerabilities within INF may appear
from countless factors and running services is one of them. ENG is critical for DSR since it
heavily depend on the replied packets that contain information about running services and
opening ports. The following figure highlights the importance of ENG for DSR of remote
password guessing attack.
Figure 7: ENG for DSR.
24. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
24
8.1.6. ¬ENG for DSR
Let assume that the hacker has effectively DTT and DOS of the target victim. The last step is to
obtain one final NI, which is DSR. The same concept of DTT and DOS of the remote password
guessing attack is applied also on DSR. The following figure illustrate how important is ENG
property for DSR.
Figure 8: ¬ENG for DSR.
The expected output of running netcat command line would appear as:
8.2 ANL
ANL is a process consists of collecting communication traffic, which is in form of packets and
extracts NI information and additional information from these packets. ANL is critical step
formost SHS. The collected packets may be obtained from the ENG between the hacker and their
victim or from ENG between two or more legitimate users. ANL is the second S properties in
which, performing a successful S that assists hackers with NI is impossible to be accomplished
without ANL.
Extracting NI information from transmitted packets requires from hackers to know the protocol
that defines structures and format of bits of packets. There are many protocols that widely used
for communications such TCP/IP protocol or OSI seven layers network protocol. In order for two
computers systems to communicate, the structure (ks) and formation (kf) of bit within packets
must be agreed on or ENG is not possible. Hence, we define ANL requirements (ANLr) as:
25. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
25
Packets structure and format is critical requirement for the ANL process since it is impossible of
hackers to understand the information presents in the transmitted packets, which is applied to the
use of cryptography. So, when ks or kf are not satisfied, that leads to ¬ANL. We define the
relationship between S and ANL as:
The following subsection illustrates the importance of ANL for every S objective.
8.2.1. ANL for DTT
Attack described previously, the hacker sends threat objectives packets to block of IP addresses
and waits for the reply, which identifies the actual IP address of the victim. Identifying the actual
IP address requires that the hacker knows the deployed protocol.
Since the hacker and victim are using TCP/IP protocol, the structure and formation of the packets
are already known for the hacker. ANL the packets to extract IP address in this case is simple
since the source and destination IPs are presented clearly in the transmitted packet, see the
following figure.
Figure 9: ANL for DTT.
8.2.2. ¬ ANL for DTT
Extracting NI from unknown packet format become and complex task for hackers. For nmap
command line as an example the source and destination are presented in most network protocols
that is impossible for packets to be delivered from one host to another. The following figure
illustrates the ENG between the hacker and victim without an agreed network protocol.
26. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
26
Figure 10: ¬ ANL for DTT.
However, the hacker can manually identify the target IP address by analyzing the source IP
address in the sent packet but it will consume considerable time.
8.2.3. ANL for DOS
Extracting information about the deployed operating system in the victim’s INF is more complex
than DTT. This process requires ANL sequences of replied packets from the victim, in which
they may presents a clue about the victims implementation such as interprets RFC guidance for
TCP/IP. The following figure illustrates the importance of ANL for DOS. To simplify the ANL
process we assume that OS information is included in data field of TCP/IP protocol.
Figure 11: ANL for DOS.
8.2.4. ¬ ANL for DOS
ANL the packets to obtain DOS about the victim’s system is complex, however, there are great
deal of tools and scripts that assist hackers. Nevertheless, these tools require predefined and
known protocol such as TCP/IP or OSI network layer protocols. Thus, the expected result of
running nmap command line for the case study may appear as:
27. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
27
Difficulty=26590 (Good luck!)
Remote operating system guess: No exact OS match for host
8.2.5. ANL for DSR
The importance for ANL for DSR is not less than DTT and DOS. DSR is also complex process of
ANL sequence of packets between the hacker and victim. A tool such as netcat ENGs with the
victim and tries all possible ports and services to see which packets they receive from the victim
which is the main indicator of running services and opening ports, see the following figure.
Figure 21: ANL for DSR.
8.2.6. ¬ ANL for DSR
None satisfaction of ANL for DSR makes extracting NI a complex task. The importance of ANL
to DSR is illustrated in the expected output of running netcat command line for the purpose of
obtaining DSR.
28. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
28
8.3 Summary of ENG & ANL
The following table summarizes the pervious techniques and expected results from running some
S tools while ENG and ANL are satisfied and none satisfied to illustrates the importance of these
properties.
Table 1: Satisfying and none satisfying of S properties.
9. Conclusion
SHS is one common threat for most INFs. SHSs differ based on countless factors such as the type
of deployed technologies including hardware and software. However, most of SHSs require
common NI. The possibility of developing SHS without NI is nearly none which includes, the IP
address of the victim INF, the operating system that manages the victim’s INF, the running
services on victim’s INF and the opening ports in the victim’s INF.
29. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
29
NI can be obtained by performing S. S is one of pre-hacking steps performed by most hackers for
one purpose that is acquiring NI. S requires two essential properties in which it impossible to
obtain NI without them. The S properties are: ENG and ANL.
This paper examines the possibility of addressing SHS by designing a secure system that
addresses S properties (ENG, ANL). Target ENG and ANL to deter S which leads to a disclosure
of the NI from being obtained by hackers. Then, the possibility of developing SHS is almost
none.
There are great challenges for security experts and researchers towards addressing hacking
strategies. However, we believe that security solutions should be focused on controlling ENG and
eliminating the possibility to ANL.
References
[1] K. Rawlinson. (2015, 9/1/2015). Available: http://www.bbc.com/news/technology-30744834
[2] Dehlawi, Z.; Abokhodair, N., "Saudi Arabia's response to cyber conflict: A case study of the
Shamoon malware incident," Intelligence and Security Informatics (ISI), 2013 IEEE International
Conference on , pp.73,75, 4-7 June 2013.
[3] S. Bratus, "What Hackers Learn that the Rest of Us Don't: Notes on Hacker Curriculum," Security &
Privacy, IEEE, vol. 5, pp. 72-75, 2007.
[4] C. Payne and T. Markham, "Architecture and applications for a distributed embedded firewall,"
Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual, pp. 329-
336, 2001
[5] A. X. Liu and M. G. Gouda, "Diverse firewall design," Parallel and Distributed Systems, IEEE
Transactions on, vol. 19, pp. 1237-1251, 2008.
[6] A. X. Liu and M. G. Gouda, "Firewall Policy Queries," Parallel and Distributed Systems, IEEE
Transactions on, vol. 20, pp. 766-777, 2009.
[7] Y. Bartal, A. Mayer, K. Nissim, and A. Wool, "Firmato: a novel firewall management toolkit," in
Security and Privacy, 1999. Proceedings of the 1999 IEEE Symposium on, 1999, pp. 17- 31.
[8] F. Avolio, "Firewalls and Internet security, the second hundred (Internet) years," The Internet
Protocol Journal, vol. 2, pp. 24-32, 1999.
[9] C. C. Center, "CERT Advisory CA-2003-20 W32/Blaster Worm," Available At
http://www.cert.org/advisories/CA-2003-20.html, 2003.
[10] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "The spread of the
sapphire/slammer worm, 2003," Available At
:http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html.[11] M. Roesch, "Snort-
lightweight intrusion detection for networks," in Proceedings of LISA '99: 13'th Systems
Administration Conference, 1999, pp. 229-238.
[12] Y. Lin, Y. Zhang, and Y.-j. Ou, "The Design and Implementation of Host-Based Intrusion Detection
System," in Intelligent Information Technology and Security Informatics (IITSI), 2010 Third
International Symposium on, 2010, pp. 595-598.
[13] B. Mukherjee, L. T. Heberlein, and K. N. Levitt, "Network intrusion detection," Network, IEEE, vol.
8, pp. 26-41, 1994.
[14] D. Goldsmith and M. Schiffman, "Firewalking: A traceroute-like analysis of IP packet responses to
determine gateway access control lists," Cambridge Technology Partners, vol. Available At:
http://www.packetfactory.net/firewalk/firewalk- final.html, 1998.
[15] G. A. Marin, "Network security basics," Security & Privacy, IEEE, vol. 3, pp. 68-72, 2005.
30. International Journal of Network Security & Its Applications (IJNSA) Vol.7, No.4, July 2015
30
[16] D. Mutz, G. Vigna, and R. Kemmerer, "An experience developing an IDS stimulator for the black-
box testing of network intrusion detection systems," in Computer Security Applications Conference,
2003. Proceedings. 19th Annual, 2003, pp. 374-383.
[17] M. Sourour, B. Adel, and A. Tarek, "Environmental awareness intrusion detection and prevention
system toward reducing false positives and false negatives," in Computational Intelligence in Cyber
Security, 2009. CICS '09. IEEE Symposium on, 2009, pp. 107-114.
[18] T. Pietraszek and A. Tanner, "Data mining and machine learning—Towards reducing false positives
in intrusion detection," Information Security Technical Report, vol. 10, pp. 169-183, 2005.
[19] L. Spitzner, Honeypots: tracking hackers: Addison-Wesley Professional, 2003.
[20] L. Spitzner, "The Honeynet Project: trapping the hackers," Security & Privacy, IEEE, vol. 1, pp. 15-
23, 2003.
[21] B. Jian, J. Chang-peng, and G. Mo, "Research on network security of defense based on Honeypot," in
Computer Application and System Modeling (ICCASM), 2010 International Conference on, 2010,
pp. V10-299-V10-302.
[22] C. Rong and Y. Geng, "Honeypots in blackhat mode and its implications [computer security]," in
Parallel and Distributed Computing, Applications and Technologies, 2003. PDCAT'2003.
Proceedings of the Fourth International Conference on, 2003, pp. 185-188. [23] L.-j. Zhang,
"Honeypot-based defense system research and design," in Computer Science and Information
Technology, 2009. ICCSIT 2009. 2nd IEEE International Conference on, 2009, pp.466-47.
[24] S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed: Network Security Secrets and Solutions,
Fourth Edition: McGraw-Hill, Inc., 2003.
[25] S. Frei, B. Tellenbach, and B. Plattner, "0-Day Patch Exposing Vendors (In) security Performance,"
BlackHat Europe, Amsterdam, NL, 2008.
[26] T. J. Holt and M. Kilger, "Techcrafters and Makecrafters: A Comparison of Two Populations of
Hackers," in Information Security Threats Data Collection and Sharing, 2008. WISTDCS '08.
WOMBAT Workshop on, 2008, pp. 67-78.
[27] S. Bratus, "Hacker Curriculum : How Hackers Learn Networking," Distributed Systems Online,
IEEE, vol. 8, pp. 2-2, 2007.