Low-level Attacks Research Articles

GoibhniUWE: A Lightweight and Modular Container-Based Cyber Range

Cyberattacks are rapidly evolving both in terms of techniques and frequency, from low-level attacks through to sophisticated Advanced Persistent Threats (APTs). There is a need to consider how testbed environments such as cyber ranges can be readily deployed to improve the examination of attack characteristics, as well as the assessment of defences. Whilst cyber ranges are not new, they can often be computationally expensive, require an extensive setup and configuration, or may not provide full support for areas such as logging or ongoing learning. In this paper, we propose GoibhniUWE, a container-based cyber range that provides a flexible platform for investigating the full lifecycle of a cyberattack. Adopting a modular approach, users can seamlessly switch out existing, containerised vulnerable services and deploying multiple different services at once, allowing for the creation of complex and realistic deployments. The range is fully instrumented with logging capabilities from a variety of sources including Intrusion Detection Systems (IDSs), service logging, and network traffic captures. To demonstrate the effectiveness of our approach, we deploy the GoibhniUWE range under multiple conditions to simulate various vulnerable environments, reporting on and comparing key metrics such as CPU and memory usage. We simulate complex attacks which span multiple services and networks, with logging at multiple levels, modelling an Advanced Persistent Threat (APT) and their associated Tactics, Techniques, and Procedures (TTPs). We find that even under continuous, active, and targeted deployment, GoibhniUWE averaged a CPU usage of less than 50%, in an environment using four single-core processors, and memory usage of less than 4.5 GB.

Big knowledge-based semantic correlation for detecting slow and low-level advanced persistent threats

Targeted cyber attacks, which today are known as Advanced Persistent Threats (APTs), use low and slow patterns to bypass intrusion detection and alert correlation systems. Since most of the attack detection approaches use a short time-window, the slow APTs abuse this weakness to escape from the detection systems. In these situations, the intruders increase the time of attacks and move as slowly as possible by some tricks such as using sleeper and wake up functions and make detection difficult for such detection systems. In addition, low APTs use trusted subjects or agents to conceal any footprint and abnormalities in the victim system by some tricks such as code injection and stealing digital certificates. In this paper, a new solution is proposed for detecting both low and slow APTs. The proposed approach uses low-level interception, knowledge-based system, system ontology, and semantic correlation to detect low-level attacks. Since using semantic-based correlation is not applicable for detecting slow attacks due to its significant processing overhead, we propose a scalable knowledge-based system that uses three different concepts and approaches to reduce the time complexity including (1) flexible sliding window called Vermiform window to analyze and correlate system events instead of using fixed-size time-window, (2) effective inference using a scalable inference engine called SANSA, and (3) data reduction by ontology-based data abstraction. We can detect the slow APTs whose attack duration is about several months. Evaluation of the proposed approach on a dataset containing many APT scenarios shows 84.21% of sensitivity and 82.16% of specificity.

AToM: Active topology monitoring for the bitcoin peer-to-peer network

Over the past decade, the Bitcoin P2P network protocol has become a reference model for all modern cryptocurrencies. While nodes in this network are known, the connections among them are kept hidden, as it is commonly believed that this helps protect from deanonymization and low-level attacks. However, adversaries can bypass this limitation by inferring connections through side channels. At the same time, the lack of topology information hinders the analysis of the network, which is essential to improve efficiency and security. In this paper, we thoroughly review network-level attacks and empirically show that topology obfuscation is not an effective countermeasure. We then argue that the benefits of an open topology potentially outweigh its risks, and propose a protocol to reliably infer and monitor connections among reachable nodes of the Bitcoin network. We formally analyze our protocol and experimentally evaluate its accuracy in both trusted and untrusted settings. Results show our system has a low impact on the network, and has precision and recall are over 90% with up to 20% of malicious nodes in the network.

Digilantism, discrimination, and punitive attitudes: A digital vigilantism model

In this article, I propose and apply a digital vigilantism model to a specific incident that occurred in Mexico, where the death of two innocent people was filmed through Facebook Live. Using a mixed methods approach and content analysis, I analyzed digilante Facebook posts ( N = 942) coding gender, digital vigilantism categories, discriminatory comments, and punitive attitudes aimed at the perpetrators and the inciter of the lynching. The categories include investigating, blaming, or rebuking, while the discriminatory comments include classism, racism, homophobia, and body-shaming. I coded the punitive attitudes distinguishing four categories: non-physical punishment (calling for God’s wrath and the guilty conscience of the targets), legal sanction, death, and other punishment. The findings reveal the key role gender played in digilantism: females tend to conduct more investigations and low level attacks (blaming) than males, but males tend to perpetrate more harsh attacks (rebuking) than females. The most popular punitive attitude is calling for the death of targets, revealing tensions between legal sanctions and digilantes’ desired punishment. This study suggests the presence of different expressions of discrimination and reasons to engage in digilantism, encompassing both legal and illegal behavior deployed in a mainstream social media platform such as Facebook.

A semantic-based correlation approach for detecting hybrid and low-level APTs

Sophisticated and targeted malwares, which today are known as Advanced Persistent Threats (APTs), use multi-step, distributed, hybrid and low-level patterns to leak and exfiltrate information, manipulate data, or prevent progression of a program or mission. Since current intrusion detection systems (IDSs) and alert correlation systems do not correlate low-level operating system events with network events and use alert correlation instead of event correlation, the intruders use low and hybrid events in order to distribute the attack vector, hide malwares behaviors, and therefore make detection difficult for such detection systems. In this paper, a new approach for detecting hybrid and low-level attacks, which are prevalent in APTs, is proposed. The proposed approach uses low-level interception and correlates operating system events with network events based on the semantic relationships that are defined between the entities in system ontology. In this scheme, malicious events, especially the events implicitly violate the security policies, are deduced and detected based on the event relations and defined security policies. Also, the proposed approach can track information flows between the existing subjects using a memory transition/manipulation model to reconstruct distributed attack vectors. Evaluation of the proposed approach on a computer network which contains many APTs scenarios shows the effectiveness of our detection approach.

Secure data processing for IoT middleware systems

Increasingly, more manufacturing companies are equipping their products with smart capabilities which allow them to provide more informed services to customers. Unfortunately, most of these companies lack enough technical capabilities to build scalable platforms to process data collected by the deployed devices. As a result, these device manufacturers rely on IoT middleware companies to provide the needed processing capabilities and scalability. With the proliferation of these middleware services in handling data and the increase in the risk of data leakage and data breaches, we propose an approach that ensures data protection by leveraging trusted hardware-based technology from the recent Software Guard Extension (SGX) provided by Intel. SGX is a new technology that enforces strong isolation by running a process in a secure sandbox called enclave, and it offers remote attestation to ensure computations on an untrusted system are running within an enclave. By deploying SGX in the IoT gateway and the cloud service, we show that our approach prevents attacks on IoT data in transit as well as at rest by using key hashing to enforce message integrity. Our proposed framework ensures the protection of user data on third-party IoT middleware platforms by dividing the IoT data platform into trusted and untrusted modules and ensures the execution of all sensitive data processing in the trusted module which runs inside a hardware protected memory region called as enclave. Our approach enables the user to implement data access policy control within the enclave. Our proposed framework allows the user to verify that the application is running in an authenticated SGX machine and to ensure the application is not modified by a platform owner as a result of the remote attestation mechanism provided by SGX. Meanwhile, our approach defeats low-level attacks and keeps all data securely encrypted without introducing significant overhead.

A Low-Cost Optical Sensor for Secured Antispoof Touchless Palm Print Biometry

Conventional biometric spoof detection sensors suffer from several problems, including complex expensive sensor assembly and design. They are susceptible to environmental perturbation and are not robust against all types of spoof attacks. Further, for a secured biometric sensor, the hierarchy of spoofing attempts (i.e., curious attempts, low-level attack, and high-level attack) needs to be precisely distinguished to perform different actions (e.g., a high-level attack should be handled carefully). In this article, we propose a novel three-level antispoof palm print biometric sensor using low-cost components and simple optical techniques (photography, fringe projection, and biospeckle analysis). At the first level, to eliminate the curious futile users, a 2-D image of the palm print is captured, and feature matching is performed. Next, the most prevalent low-level attacks (photo and layered attacks) are detected using fringe projection profilometry. At the final level, a novel biospeckle index based on a subtraction average technique is introduced to quantify the liveliness map for eliminating the high-level attacks, including fake prints and cadavers. The robustness of the biospeckle analysis against different possibilities to generate false activity (tremor, air flow, and heat flow) has also been verified.

Bullying and peer violence among children and adolescents in residential care settings: A review of the literature

Abstract The present paper offers a review of the phenomena of bullying and peer violence among children and adolescents living in residential care settings (RCS). The review was conducted on four databases (Scopus, Web of Science, PsycINFO and ERIC). Findings of the 31 full-text papers included in the present work showed that bullying and peer violence involve various forms of direct and indirect attacks. While bullying in RCS involves severe and repeated aggressive actions, peer violence seems to be characterized by distinct levels of severity; i.e., low-level attacks are infrequent and isolated, whereas high level attacks may be severe and frequent. Several individual factors, such as age, gender, and length of stay in RCS were found to be associated with both bullying and peer violence. Contextual risk factors such as activities, structure and facility size, along with a residential peer culture characterized by a high level of hierarchy and a poor emotional bond between children and staff, contributed to bullying and peer violence. Furthermore, findings of the studies included in the present review showed that both perpetrators and victims manifest a number of behavioral and psychological problems. Overall, the present study offers a picture of bullying and peer violence among institutionalized children. However, distinct operationalization of constructs among studies, together with the use of different methods and measures, made comparisons among studies difficult. Future research should overcome these limitations in order to promote validity and compatibility of research in this field of study.

Habituation to atrocity: low-level violence against civilians as a predictor of high-level attacks

ABSTRACT‘Habituation to atrocity’ is characterized as an actor’s increased willingness to carry out high-level violence against civilians (VAC) owing to the choice of low-level attacks in an earlier period. We theoretically analyse habituation to atrocity using a rational choice model in which a government, rebel organization or militia group allocates resources to fighting, attacking civilians and identity formation to achieve territorial control. Based upon concepts available in the rational addiction literature, the model generates a demand function for VAC in which substantial additional demand arises owing to the ‘bad habit’ generated by previous atrocities. The model guides our empirical inquiry into VAC for a sample of forty-nine African countries over the period 1997 to 2014. We find that the number of past low-level civilian attacks (even sometimes those involving zero fatalities) significantly affects the number of high-level attacks in the present. We also find that previous low-level civilian attacks sometimes better predict high-level attacks than civil conflict. Our work suggests that regional and global datasets on ‘small’ VAC incidents can serve as valuable early warning indicators of more severe atrocities.

Non-State actors’ pursuit of CBRN weapons: From motivation to potential humanitarian consequences

AbstractThis paper discusses non-State actors’ motivation and capacity to develop and use chemical, biological, radiological or nuclear (CBRN) improvised weapons in attacks, as well as the possible consequences of such use. Six types of groups have been identified as potential CBRN weapons users that may increasingly be able to acquire relevant CBRN weapons-related knowledge, skills and possibly materials. As technical barriers still form a gap between the theoretical possibility and the operational reality, any potential future CBRN attacks would most likely be crude, low-level attacks, including chemical or radiological materials. CBRN attacks carried out by non-State actors in the future are likely to be more disruptive than destructive.

Intrusion Detection System with Multi Layer using Bayesian Networks

the era of network security, intrusion detection system plays a vital to detect real - time intrusions, and to execute work to stop the attack. Being everything shifting to internet, security became the foremost preference. In real world, the minority attacks R2L (Remote-To-User) and U2R (User-To- Root) are more hazardous than Probe and DoS (Denial-Of- Service) majority attacks. Present IDS are not much efficient to detect these low level attacks. Therefore, it is extremely important to improve the detection performance for the R2L and U2R attacks with the majority attacks. In this paper hierarchical layered approach for improving detection rate of minority attacks as well as majority attacks is propound. The propound model used Naive bayes classifier with K2 learning process on reduced NSL KDD dataset for each attack class. In this method every layer is individually trained to detect a single type of attack category and the outcome of one layer is passed into another layer to increase the detection rate and for better categorization of both the majority and minority attacks. Intrusion detection system (IDS), Network security, Feature selection, naive bayes classifier, R2U, U2R, DoS 1. INTRODUCTIONNetwork Security Can be defined as It is the set of guidelines adopted by a Network administrator to prevent the unauthorized access, modification and misuse of the network traffic by attackers.ID (Intrusion Detection) techniques are used to strength security and increase resistance to internal and external attacks. With the Increase in Technology the chance of malware and Intrusions get increase. The firewalls do not provide much security. In order to inspect network traffic many corporation are using proactive and reactive both types of IDS system. The goal of the intrusion detection system is to monitor and control the network traffic to prevent the numerous types of intrusion attempt. When an intrusion detection system is deployed, it provides warning to the users indicating that system is under attack. These warnings can help users to prevent the attack by increasing resistance to attack.

On Protection by Layout Randomization

Layout randomization is a powerful, popular technique for software protection. We present it and study it in programming-language terms. More specifically, we consider layout randomization as part of an implementation for a high-level programming language; the implementation translates this language to a lower-level language in which memory addresses are numbers. We analyze this implementation, by relating low-level attacks against the implementation to contexts in the high-level programming language, and by establishing full abstraction results.

An architecture-independent instruction shuffler to protect against side-channel attacks

Embedded cryptographic systems, such as smart cards, require secure implementations that are robust to a variety of low-level attacks. Side-Channel Attacks (SCA) exploit the information such as power consumption, electromagnetic radiation and acoustic leaking through the device to uncover the secret information. Attackers can mount successful attacks with very modest resources in a short time period. Therefore, many methods have been proposed to increase the security against SCA. Randomizing the execution order of the instructions that are independent, i.e., random shuffling , is one of the most popular among them. Implementing instruction shuffling in software is either implementation specific or has a significant performance or code size overhead. To overcome these problems, we propose in this work a generic custom hardware unit to implement random instruction shuffling as an extension to existing processors. The unit operates between the CPU and the instruction cache (or memory, if no cache exists), without any modification to these components. Both true and pseudo random number generators are used to dynamically and locally provide the shuffling sequence. The unit is mainly designed for in-order processors, since the embedded devices subject to these kind of attacks use simple in-order processors. More advanced processors (e.g., superscalar, VLIW or EPIC processors) are already more resistant to these attacks because of their built-in ILP and wide word size. Our experiments on two different soft in-order processor cores, i.e., OpenRISC and MicroBlaze, implemented on FPGA show that the proposed unit could increase the security drastically with very modest resource overhead. With around 2% area, 1.5% power and no performance overhead, the shuffler increases the effort to mount a successful power analysis attack on AES software implementation over 360 times.

EFICIÊNCIA DE PRODUTOS ALTERNATIVOS NO CONTROLE Zabrotes subfasciatus, E SEUS EFEITOS SOBRE A QUALIDADE DAS SEMENTES DE Phaseolus vulgaris

The largest losses caused by insects to seeds occur generally in the storage period with partial or total destruction. Beans seeds are infested in the field by insects flying in areas nearby crops prior to harvest. Even under initial low level attacks night losses to the lot may occur due to the generations originatede from that initial low attack. Emgopa Ouro beans seeds, harvested in the municipality of Anapolis, Goias, were analysed in the School of Agronomy in Goiania, Goias. Seeds were divided in 5kg portions and subjected to the following treatments: soybean oil (3, 5 and 7 ml/kg of seeds); ground pepper variety (2, 4 and 6 g/kg of seeds); piriphosphomethyl (20ml/t of seeds), and control. Seeds were then packaged in jute fabric bags and stored in non-controlled environment. The experiment was completely randomized with three replications. The variables analyzed were: infestation, germination, and abnormal seedlings. The experiment was carried out for eight months. The statistical analysis led to the conclusion that ground pepper at 4g/kg of seeds level was the most efficient treatment for Zabrotes subfasciatus control in beans stored for eight months.

Raksha

High-level semantic vulnerabilities such as SQL injection and crosssite scripting have surpassed buffer overflows as the most prevalent security exploits. The breadth and diversity of software vulnerabilities demand new security solutions that combine the speed and practicality of hardware approaches with the flexibility and robustness of software systems. This paper proposes Raksha, an architecture for software security based on dynamic information flow tracking (DIFT). Raksha provides three novel features that allow for a flexible hardware/software approach to security. First, it supports flexible and programmable security policies that enable software to direct hardware analysis towards a wide range of high-level and low-level attacks. Second, it supports multiple active security policies that can protect the system against concurrent attacks. Third, it supports low-overhead security handlers that allow software to correct, complement, or extend the hardware-based analysis without the overhead associated with operating system traps. We present an FPGA prototype for Raksha that provides a full featured Linux workstation for security analysis. Using unmodified binaries for real-world applications, we demonstrate that Raksha can detect high-level attacks such as directory traversal, command injection, SQL injection, and cross-site scripting as well as low-level attacks such as buffer overflows. We also show that low overhead exception handling is critical for analyses such as memory corruption protection in order to address false positives that occur due to the diverse code patterns in frequently used software.

Success and Failure in Terrorist Investigations: Research and Lessons from Northern Ireland

Police investigations of terrorist incidents are rarely straightforward. This paper reports the findings of research that looked at low-level paramilitary attacks in Northern Ireland which have taken place during the ceasefire era. Of 500 incidents studied, 28 were followed by the arrest of suspects. The study examines what factors were important for linking later arrests with other features of the incident. These results are discussed in terms of the wider implications for the successful investigation of paramilitary offences and in terms of the specific implications for investigative policing within Northern Ireland.

Techniques and tools for analyzing intrusion alerts

Traditional intrusion detection systems (IDSs) focus on low-level attacks or anomalies, and raise alerts independently, though there may be logical connections between them. In situations where there are intensive attacks, not only will actual alerts be mixed with false alerts, but the amount of alerts will also become unmanageable. As a result, it is difficult for human users or intrusion response systems to understand the alerts and take appropriate actions. This paper presents a sequence of techniques to address this issue. The first technique constructs attack scenarios by correlating alerts on the basis of prerequisites and consequences of attacks. Intuitively, the prerequisite of an attack is the necessary condition for the attack to be successful, while the consequence of an attack is the possible outcome of the attack. Based on the prerequisites and consequences of different types of attacks, the proposed method correlates alerts by (partially) matching the consequences of some prior alerts with the prerequisites of some later ones. Moreover, to handle large collections of alerts, this paper presents a set of interactive analysis utilities aimed at facilitating the investigation of large sets of intrusion alerts. This paper also presents the development of a toolkit named TIAA, which provides system support for interactive intrusion analysis. This paper finally reports the experiments conducted to validate the proposed techniques with the 2000 DARPA intrusion detection scenario-specific datasets, and the data collected at the DEFCON 8 Capture the Flag event.

클러스터링 기법을 이용한 침입 탐지 시스템의 경보 데이터 상관관계 분석

이 논문에서는 침입 탐지 시스템의 탐지 효율을 높이기 위해 데이터 마이닝의 클러스터링 기법을 이용하여 경보 데이터를 그룹화하고 그 결과를 이용하여 경보 데이터의 상관 관계를 분석하는 방법을 제안하였다. 즉 클러스터링 기법을 이용하여 경보데이터를 사용자가 원하는 개수의 그룹으로 분류하고, 생성된 경보 데이터 클러스터 모델을 이용하여 새로운 경보 데이터을 분류할 수 있도록 하였다. 또한, 결과 클러스터의 생성 원인이 되는 이전의 경보의 분포 데이터를 저장 관리하여 클러스터 간의 시퀀스를 생성하였고, 생성된 각각의 클러스터 시퀀스를 통합하여 클러스터들의 시퀀스를 추출하여 발생한 경보 이후의 향후 발생 가능한 경보 타입을 예측하기 위한방법을 제공하였다. 이는 과거에 탐지된 공격의 형태 뿐만 아니라 새로운 혹은 변형된 경보의 분류나 분석에도 이용 가능하다. 또한 생성된 클러스터간의 생성 원인의 분석에 의한 클러스터 간의 순차적인 관계의 추출을 통해 사용자가 공격의 순차적 구조나 탐지된 각 공격 이면에 감추어진 전략을 이해하는데 도움을 주며 현재의 경보 이후에 발생 가능한 경보들을 얘측할 수 있다. In this paper, we propose an approach to correlate alerts using a clustering analysis of data mining techniques in order to support intrusion detection system. Intrusion detection techniques are still far from perfect. Current intrusion detection systems cannot fully detect novel attacks. However, intrucsion detection techniques are still far from perfect. Current intrusion detection systems cannot fully detect novel attacks or variations of known attacks without generating a large amount of false alerts. In addition, all the current intrusion detection systems focus on low-level attacks or anomalies. Consequently, the intrusion detection systems to underatand the intrusion behind the alerts and take appropriate actions. The clustering analysis groups data objects into clusters such that objects belonging to the same cluster are similar, while those belonging to different ones are dissimilar. As using clustering technique, we can analyze alert data efficiently and extract high-level knowledgy about attacks. Namely, it is possible to classify new type of alert as well as existed. And it helps to understand logical steps and strategies behind series of attacks using sequences of clusters, and can potentially be applied to predict attacks in progress.