Protocol-Independent Detection of Dictionary Attacks

Drašar, Martin

doi:10.1007/978-3-642-40552-5_30

Cited by 6 publications

(7 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They have also found flow counts typical for such attacks. Also Drašar [4] has revealed that for automated dictionary attacks low variance in flow count is symptomatical. Based on their observations we have decided to implement four sketch-based methods covering four different aspects of dictionary attacks.…”

Section: Methods Evaluationmentioning

confidence: 99%

“…The same approach was used for the destination network scan detection, whose result can be seen in Figure 1b, and for abnormal number of connections, whose results can be seen in Figure 2a. Anomaly scores for low traffic variance detection were based on a paper by Drašar [4] and set as an inverse of relative difference in flow count.…”

Section: Particular Detection Methodsmentioning

confidence: 99%

See 1 more Smart Citation

Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

Drašar¹,

Jirsík²,

Vizváry³

2014

Monitoring and Securing Virtualized Networks and Services

Self Cite

View full text Add to dashboard Cite

Abstract. The rapid development of network technologies entails an increase in traffic volume and attack count. The associated increase in computational complexity for methods of deep packet inspection has driven the development of behavioral detection methods. These methods distinguish attackers from valid users by measuring how closely their behavior resembles known anomalous behavior. In real-life deployment, an attacker is flagged only on very close resemblance to avoid false positives. However, many attacks can then go undetected. We believe that this problem can be solved by using more detection methods and then correlating their results. These methods can be set to higher sensitivity, and false positives are then reduced by accepting only attacks reported from more sources. To this end we propose a novel sketch-based method that can detect attackers using a correlation of particular anomaly detections. This is in contrast with the current use of sketch-based methods that focuses on the detection of heavy hitters and heavy changes. We illustrate the potential of our method by detecting attacks on RDP and SSH authentication by correlating four methods detecting the following anomalies: source network scan, destination network scan, abnormal connection count, and low traffic variance. We evaluate our method in terms of detection capabilities compared to other deployed detection methods, hardware requirements, and the attacker's ability to evade detection.

show abstract

Section: Methods Evaluationmentioning

confidence: 99%

Section: Particular Detection Methodsmentioning

confidence: 99%

Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

Drašar¹,

Jirsík²,

Vizváry³

2014

Monitoring and Securing Virtualized Networks and Services

Self Cite

View full text Add to dashboard Cite

show abstract

“…We often refer to this kind of traffic as flat traffic, since it features traffic flows in the brute-force phase that are alike in terms of the number of packets and bytes, and duration. Most works in the context of flow-based intrusion detection rely on the identification of this flat traffic to find brute-force attacks [8,9,[25][26][27]. The compromise phase is then typically identified by deviations from the brute-force phase traffic pattern [27].…”

Section: Start Endmentioning

confidence: 99%

“…This causes attacks from countries that are far-away from the observation point-above all in terms of geographical distance-to stay under the radar of Intrusion Detection Systems (IDSs). But even if flat traffic is identified properly, its ''detection for HTTP(S) was found to be ineffective, because valid AJAX updates common on Web 2.0 tend to produce flat traffic pattern'' [8]. This is also confirmed by [24], where it is shown impossible to differentiate traffic of Web crawlers and calendar fetchers from dictionary attack traffic based on packet and byte counters alone.…”

Section: Traffic Characteristicsmentioning

confidence: 99%

“…This papers focuses on the analysis of IPFIX data to detect brute force attacks on Web applications, and in particular investigates whether such analysis can also unveil whether the attack has been successful and the system has been compromised. Existing works have shown that promising detection results can be achieved by analyzing flow data of brute-force attacks [8,9,[25][26][27], although fluctuations in network traffic, such as transmission control protocol (TCP) retransmissions and control information, may result in both false positives and false negatives [14]. To overcome these problems, the novelty proposed by this paper is to analyze flow data that is enhanced with histograms that describe packet payload distributions.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Flow-Based Web Application Brute-Force Attack and Compromise Detection

et al. 2017

View full text Add to dashboard Cite

In the early days of network and service management, researchers paid much attention to the design of management frameworks and protocols. Since then the focus of research has shifted from the development of management technologies towards the analysis of management data. From the five FCAPS areas, security of networks and services has become a key challenge. For example, brute-force attacks against Web applications, and compromises resulting thereof, are widespread. Talks with several Top-10 Web hosting companies in the Netherlands reflect that detection of these attacks is often done based on log file analysis on servers, or by deploying host-based intrusion detection systems (IDSs) and firewalls. However, such host-based solutions have several problems. In this paper we therefore investigate the feasibility of a network-based monitoring approach, which detects brute-force attacks against and compromises of Web applications, even in encrypted environments. Our approach is based on per-connection histograms of packet payload sizes in flow data that are exported using IPFIX. We validate our approach using datasets collected in the production network of a large Web hoster in the Netherlands.

show abstract

Similarity as a central approach to flow‐based anomaly detection

2014

Self Cite

View full text Add to dashboard Cite

SUMMARY Network flow monitoring is currently a common practice in mid‐ and large‐size networks. Methods of flow‐based anomaly detection are subject to ongoing extensive research, because detection methods based on deep packets have reached their limits. However, there is a lack of comprehensive studies mapping the state of the art in this area. For this reason, we have conducted a thorough survey of flow‐based anomaly detection methods published on academic conferences and used by the industry. We have analyzed these methods using the perspective of similarity which is inherent to any anomaly detection method. Based on this analysis, we have proposed a new taxonomy of network anomalies and a similarity‐oriented classification of flow‐based detection methods. We have also identified four issues requiring further research: the lack of flow‐based evaluation datasets, infeasible benchmarking of proposed methods, excessive false positive rate and limited coverage of certain anomaly classes. Copyright © 2014 John Wiley & Sons, Ltd.

show abstract

Protocol-Independent Detection of Dictionary Attacks

Cited by 6 publications

References 5 publications

Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

Enhancing Network Intrusion Detection by Correlation of Modularly Hashed Sketches

Flow-Based Web Application Brute-Force Attack and Compromise Detection

Similarity as a central approach to flow‐based anomaly detection

Contact Info

Product

Resources

About