Search the Community
Showing results for tags 'detection'.
-
https://id-ransomware.malwarehunterteam.com/index.php
-
Intrusion systems have been the subject of considerable research for decades to improve the inconsistencies and inadequacies of existing methods, from basic detectability of an attack to the prevention of computer misuse. It remains a challenge still today to detect and classify known and unknown malicious network activities through identification of intrusive behavioral patterns (anomaly detection) or pattern matching (misuse or signature-based detection). Meanwhile, the number of network attack incidents continues to grow. Protecting a computer network against attacks or cybersecurity threats is imperative, especially for companies that need to protect not only their own business data but also sensitive information of their clients as well as of their employees. It is not hard to see why even just one breach in data security from a single intrusion of a computer network could wreak havoc on the entire organization. Not only would it question the reliability of the networks’ infrastructure, but it could also seriously damage the business’s reputation. An organization’s first defense against breaches is a well-defined corporate policy and management of systems, as well as the involvement of users in protecting the confidentiality, integrity, and availability of all information assets. Security awareness training is a baseline for staff to gain the knowledge necessary to deter computer breaches and viruses, mitigate the risks associated with malicious attacks, and defend against constantly evolving threats. Users’ awareness and strict IT policies and procedures can help defend a company from attacks, but when a malicious intrusion is attempted, technology is what helps systems administrators protect IT assets. When it comes to perimeter data security, traditional defense mechanisms should be in layers: firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be used. Research and new developments in the field of IDPS (Intrusion Detection and Prevention System) prove different approaches to anomaly and misuse detection can work effectively in practical settings, even without the need of human interaction/supervision in the process. Several case studies emphasize that the use of Artificial Neural Networks (ANN) can establish general patterns and identify attack characteristics in situations where rules are not known. A neural network approach can adapt to certain constraints, learn system characteristics, recognize patterns and compare recent user actions to the usual behavior; this allows resolving many issues/problems even without human intervention. The technology promises to detect misuse and improve the recognition of malicious events with more consistency. A neural network is able to detect any instances of possible misuse, allowing system administrators to protect their entire organization through enhanced resilience against threats. This article explores Artificial Intelligence (AI) as a means to solve the difficulties in identifying intrusions of insecure networks, such as the Internet, and discusses the use of artificial neural networks (ANN) for effective intrusion detection to detect patterns that separate attacks from genuine traffic. It will clarify why ANN technology offers a promising future in the identification of instances of misuse against computer systems. Furthermore, the article will also point out the different directions in which research on neural networks concentrate and the developments and expected future in the intrusion detection and prevention (IDPS) field. IDS & IPS Technology: Detection and Prevention Techniques With computer intrusions—the unauthorized access or malicious use of information resources—becoming more common and a growing challenge to overcome, IT professionals have come to rely more on detection and prevention technologies to protect availability of business-critical information resources and to safeguard data confidentiality and integrity. IDS tools sniff network packet traffic in search of interferences from external sources and can spot a hacker attempting to gain entry; they are designed to detect threats, misuse or unauthorized access to a system or network and are able to analyze system events for signs of incidents. Using both hardware and software, IDSs can detect anything that is suspicious either on a network or host; they then create alarms that system administrators can review to spot possible malicious entries. Intrusion detection systems (IDS) can be classified as: Host based or Network based with the former checking individual machines’ logs and the latter analyzing the content of network packets; Online or Offline, capable of flagging a threat in real-time or after the fact to alert of a problem; Misuse-based or Anomaly-based, either specifically checking a deviation from a routine behavior or comparing activities with normal, known attackers’ behavior. While an IDS is designed to detect attacks and alert humans to any malicious events to investigate, an IPS is used to prevent malicious acts or block suspicious traffic on the network. There are four different types of IPS: network-based intrusion prevention system (NIPS) that looks at the protocol activity to spot suspicious traffic; wireless intrusion prevention system (WIPS) that analyzes wireless networking protocols and is so important in the BYOD and mobile-centric world; network behavior analysis (NBA) that can spot attacks that create unusual traffic, such as distributed denial of service (DDoS) attacks, and it can use anomaly-based detection and stateful protocol analysis; and host-based intrusion prevention system (HIPS) that can be installed on single machines and can use signature-based and anomaly-based methods to detect problems. IDS and IPS tools are often used concurrently, as they are not mutually exclusive. Thus IDPS can offer twice the protection. Security technologist and chief technology officer of Co3 Systems Bruce Schneier mentions, “Good security is a combination of protection, detection, and response.” That just happens to be what IDPS does; it is deployed for information gathering, logging, detection and prevention. These tools provide threat identification capabilities, attack anticipation, and more. Having a network-based IDPS (NIDPS) with signature-based and anomaly-based detection capabilities allows inspecting the content of all the traffic that traverses the network. NIDPS are essential network security appliances that help in maintaining the security goals. They are highly used, as Indraneel Mukhopadhyay explains, for “identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators.” The all familiar Snort—an open-source NIDPS—is a highly used free threat intelligence program, created by Martin Roesch in 1998, that is capable of real-time traffic analysis and packet logging; it utilizes a rules-based detection engine to look for anomalous activity. What makes it a popular choice is its easy-to-use rule language. It can protect even the largest enterprise networks. Snort is an IP-centric program; administrators can view system security logs and find any irregularities or issues relating to things such as improper access patterns. Snort is said to be the most widely deployed intrusion prevention system in the world. Deploying IDS and IPS devices requires a specialized skill set to ensure it properly identifies abnormal traffic and alert network administrator as needed. Along with proper configuration to a predefined rule set, provided by the administrator, these devices need to be fine-tuned (as new threats are discovered) in order to weed out false positives and be adjusted to specific network parameters (when the infrastructure has been altered) to maximize accuracy. Once the type of IDPS technology has been selected, it is key to determine how many components (sensors, agents) will need to be deployed to function accurately to capture security issues, process events and alert appropriate personnel of suspicious activities. Direct network monitoring of the IDPS components like inline sensors between the firewall and the Internet border router is essential to achieve detection and prevention of malicious activity, such as denial of service attacks committed by an intruder. IDPS agents installed on endpoints can not only monitor the current network but also can assign appropriate priorities to alerts. Past and Present of IDSs IDPSs are able to monitor the events of interests on the systems and/or networks and are then able to identify possible incidents, log information about them, and attempt to stop common attacks and report them to security administrators. In the past, Intrusion Detection and Prevention (IDPS) has either been signature-based (able to check activity against known attackers’ patterns, the signature), anomaly-based (also referred to as heuristic, that alerts when traffic and activity are not normal), or based on stateful protocol analysis that looks at the “state” in a connection and “remembers” significant events that occur. These methods are effective but do have some downfalls. IDSs are known to have two main problems: the number of alarms generated and the need for tuning. Anomaly-based detection, for example, needs training and if issues arise during the training period a malicious behavior might be “learned” as legitimate by the system; it’s also prone to many false positives. When analysis is based on rules provided by a vendor or an administrator, instead, updates must be frequent to ensure the proper functioning of the system. The number of alarms generated (many being false) can overwhelm system security managers and prevent them from quickly identifying real ones. The continuous tuning of the intrusion to detect the slightest of variances and training required in order to maintain sufficient performance remains an issue. With a growing number of intrusion events, there is the need to use innovative intrusion detection techniques for critical infrastructure network protection. Research has concentrated on Artificial Neural Networks (ANNs) that can provide a more flexible approach to intrusion prevention in terms of learning. As the need for reliable automatic IDPS builds up, for it to gain acceptance as a viable alternative, it needs to function at a sufficient level of accuracy. That is where Neural Networks and Artificial Intelligence can play an effective role in the improvement of ID systems with the ability to learn from previous episodes of intrusion to identify new types of attack with less analyst interaction with the ID itself. In fact, information system experts believe that Artificial Intelligence (AI) can provide significant improvements to IDS/IPS systems, especially in terms of effectiveness and decreased false positive/negative rates, a major issue in intrusion management. Next Generation Intrusion Detection and Prevention (IDPS) Due to a new generation of hackers that are better organized and equipped than in the past, to get past perimeter security, it is clear that a different approach is required, says Joshua Crumbaugh, lead penetration tester at Tangible Security, Inc., NagaSec. As per the DRAFT Special Publication 800-94 Revision 1, Guide to …, the Next-Generation IDPS for host and network-based deployment options will have automated identification, location, isolation, and resolution of threats in real-time. A GCN staff post, “What’s next in cybersecurity automation,” provides insight on the Enterprise Automated Security Environment (EASE) concept for “shared situational awareness in cyber-relevant time” and, with the concerted efforts of government and private sector interests, the concept may foster continuous innovation for cyberspace defense across the board. Other than EASE, the US Government has already evaluated other options to defend against cyber-attacks that mine homeland security. It pursued, for example, as a project to develop a smart network of sensors (named Einstein) to detect cyber-attacks against critical infrastructures. IPS/IDS has changed, as research shows, with AI techniques that have improved IDSs by making them capable of detecting both current and future intrusion attacks while triggering fewer false positives and negatives. New ANNIDS (Neural networks applied to IDS) techniques have been able to improve the way detection systems are trained to recognize patterns, conduct problem solving and fault diagnosis too. In today’s world, there is the need “for building high-speed, reliable, robust and scalable ANN-based network intrusion detection and prevention system that is highly useful for [humankind] and organizations,” Mukhopadhyay says. Neural network based AIs are able to discover emergent collective properties that are too complex to be noticed by either humans or other computer techniques. AI based techniques are used to classify behavior patterns of a user and an intruder in a way that minimizes false alarms from happening, explains Archit Kumar, India, an M.Tech Student, Department of CSE, in a research paper for IJARCSMS. IDS based on ANN uses algorithms that can analyze the captured data and judge whether the data is intrusion or not by means of behavioral analysis of the neural computation during both learning and recall. Although ANNIDS’ main drawbacks are lower detection precision for low-frequent attacks, and weaker detection stability in the beginning, it is a suitable solution for intrusion detection and network security, says Suresh Kashyap, an Indian research scholar at the Dr. C.V. Raman University. He adds that ANNIDS can be trained and tested by customized datasets enabling it to identify known and unknown (new) attacks with increasing accuracy when other methods fail. Current AI techniques for improving automation of the intrusion detection process are not easily deployable in real life, yet many experiments and tests have been carried out with results showing ANNs capable of detecting intrusive activity in a distributed environment to provide local “threat-level” monitoring of computer DDoS attacks before the successful completion of an intrusion. ANN s are great in terms of learning capabilities and effectiveness in capturing anomalies in activities, but also have some significant downfalls, such as, for example, the requirement of high computational resources. Researchers have been working on resolving this issue by trying to find a way to help ANN systems process info faster and effectively. An approach using AI techniques combined with genetic algorithms and fuzzy logic, for instance, proved well suited for detecting malicious behavior in distributed computer systems. Research concentrated also on the possibility to clustered data in subgroups using fuzzy clustering to use then a different ANN on each set. Results are obtained faster and are then aggregated to have a complete picture. Another method explored more recently is deploying new ANN-based intelligent hybrid IDS models for anomaly detection that involve network- and host-based technologies under a single management console. These are also applicable to many environments: from Grid and Cloud Computing to mobile and network computers. In such an architecture, a Distributed Intrusion Detection System (DIDS) that relies on network and host based sensors is apt to increase the efficiency of the system yielding fast results of abnormal data determined by multiple heterogeneous recognition engines and management components to solve security issues. Conclusion Whether it is through a hybrid IDS using honey pot technology and anomaly detection or artificial neural network (ANN) based IDSs techniques, it is essential to detect and prevent attacks immediately as attempted. Information security practitioners suggest organizations are confident that their security control mechanism in place are sufficient enough for the protection of computer data and programs, but apparently, as per the PwC findings from the 2014 US State of Cybercrime Survey, a good majority of them fail to assess for threats or place emphasis on prevention mechanisms. What’s more, they also lack the ability to diagnose and troubleshoot less sophisticated attacks and have yet to consider where IDS/IPS fits in their security plan. Both system solutions work together and form an integral part of a robust network defense solution. As per the annual Worldwide Infrastructure Security Report (WISR) that provides insight into the Global Threat Landscape, organizations will face even more concerns regarding APT, so they ought to step up their network security defenses with near-real-time intrusion detection to defend critical data and applications from today’s sophisticated attacks. The new reality in IT security is that network breaches are inevitable, and the ability to monitor and control access and behavior patterns and misuse relies upon intrusion detection and prevention methods to be more quickly identified and more effectively addressed. An IDS/IPS is a must-have device; an ANN model based on ESNN learning patterns and classifying intrusion data packets is an effective approach. The main advantages of the ANNs over traditional IDSs are their abilities to learn, classify, process information faster, as well as their ability of self-organization. For these reasons, Neural Networks can increase the accuracy and efficiency of IDSs and AI techniques can improve IDS/IPS effectiveness. References Brecht, D. (2010, April 15). Network Intrusion Detection Systems: a 101. Retrieved from What is a Network Intrusion Detection System (NIDS)? Compare Business Products (2014, March 18). Security: IDS vs. IPS Explained. Retrieved from Security: IDS vs. IPS Explained | Reviews, Comparisons and Buyer's Guides GCN. (2014, December 9). What’s next in cybersecurity automation. Retrieved from What’s next in cybersecurity automation -- GCN Infosecurity Magazine. (2011, October 21). Small enterprises are suffering more intrusions, survey finds. Retrieved from Small enterprises are suffering more intrusions, survey finds - Infosecurity Magazine InfoSight Inc. (n.d). Intrusion Detection (IDS) & Intrusion Prevention (IPS). Retrieved from Intrusion Detection (IDS) & Intrusion Prevention (IPS) – InfoSight Inc Kashyap, S. (2013, May). Importance of Intrusion Detection System with its Different approaches. Retrieved from http://www.ijareeie.com/upload/may/24_Importance.pdf Kumar, A. (2014, May). Intrusion detection system using Expert system (AI) and […]. Retrieved from http://www.ijarcsms.com/docs/paper/volume2/issue5/V2I5-0064.pdf Mukhopadhyay, I. (2014). Hardware Realization of Artificial Neural Network Based Intrusion Detection & Prevention System. Retrieved from http://file.scirp.org/Html/3-7800230_50045.htm Onuwa, O. (2014, November 29). Improving Network Attack Alarm System: A Proposed Hybrid Intrusion Detection System Model. Retrieved from http://www.computerscijournal.org/vol7no3/improving-network-attack-alarm-system-a-proposed-hybrid-intrusion-detection-system-model/ Saied, A. (n.d.). Artificial Neural Networks in the detection of known and unknown DDoS attacks: Proof-of-Concept. Retrieved from http://www.inf.kcl.ac.uk/staff/richard/PAAMS-WASMAS_2014.pdf Surana, S. (2014). Intrusion Detection using Fuzzy Clustering and Artificial Neural Network. Retrieved from http://www.wseas.us/e-library/conferences/2014/Gdansk/FUNAI/FUNAI-32.pdf Vieira, K. (2010, August). Intrusion Detection for Grid and Cloud Computing. Retrieved from http://www.inf.ufsc.br/~westphal/idscloud.pdf Wang, L. (n.d.). Artificial Neural Network for Anomaly Intrusion Detection. Retrieved from https://www.cs.auckland.ac.nz/courses/compsci725s2c/archive/termpapers/725wang.pdf Zakaria, O. (n.d.). Identify Features and Parameters to Devise an Accurate Intrusion Detection System Using Artificial Neural Network. Retrieved from http://www.academia.edu/2612588/Identify_Features_and_Parameters_to_Devise_an_Accurate_Intrusion_Detection_System_Using_Artificial_Neural_Network Zamani, M. (2013, December 8). Machine Learning Techniques for Intrusion Detection. Retrieved from http://arxiv.org/pdf/1312.2177.pdf Source
-
Pushers of the Dridex banking malware have gone old-school for some time now, moving the malware through phishing messages executed by macros in Microsoft Office documents. While macros are disabled by default since the release of Office 2007, the malware includes somewhat convincing social engineering that urges the user to enable macros—with directions included—in order to view an important invoice, bill or other sensitive document. The cat and mouse game between attackers and defenders took another turn recently when researchers at Proofpoint discovered that a recent spate of phishing messages contained macros-based attacks that did not execute until the malicious document was closed. The technique, which involves the inclusion of an AutoClose method, which helps the malware sample evade detection. “The user is enticed to enable macros and open the attachment, and when they open it, they see a blank page and, under the hood, nothing bad happens,” said a Proofpoint advisory. “Instead, the malicious action occurs when the document is closed. The macro payload, in this case, listens for a document close event, and when that happens, the macro executes.” The use of this type of VBscript function, Proofpoint said, is effective against sandbox detection capabilities. Malware that delays execution isn’t necessarily a new evasion tactic, but attackers have been getting innovative about side-stepping security protections in place. For example, sandboxes and intrusion detection software became wise to short delays in execution times. By executing only when the document closes, this current string of Dridex seems to have taken the next step. “As sandboxes have adjusted to also ‘wait,’ the ability of the malicious macro to run when the document closes expands the infection window and forces a detection sandbox to monitor longer and possibly miss the infection altogether,” Proofpoint said. “No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely.” Dridex, once it’s implanted on the compromised machine behaves like most banking malware. It waits for the user to visit their online banking account and injects code onto the bank’s site and captures user credentials via an iframe. Dridex and its cousin Cridex are members of the GameOver Zeus family, which is also adept at wire fraud. GoZ uses a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes. Previous Dridex campaigns have spread via Excel documents laced with a malicious macro. Earlier this month, researchers at Trustwave found a spike of phishing messages using XML files as a lure. The XML files were passed off as remittance advice and payment notifications, and prey on security’s trust of text documents to get onto machines. These older Dridex campaigns targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others. Source
-
Kaspersky malware probers have uncovered a new 'operating system'-like platform that was developed and used by the National Security Agency (NSA) in its Equation spying arsenal. The EquationDrug or Equestre platform is used to deploy 116 modules to target computers that can siphon data and spy on victims. "It's important to note that EquationDrug is not just a trojan, but a full espionage platform, which includes a framework for conducting cyberespionage activities by deploying specific modules on the machines of selected victims," Kaspersky researchers say in a report. "Other threat actors known to use such sophisticated platforms include Regin and Epic Turla. "The architecture of the whole framework resembles a mini-operating system with kernel-mode and user-mode components carefully interacting with each other via a custom message-passing interface." The platform is part of the NSA's possibly ongoing campaign to infect hard disk firmware. It replaces the older EquationLaser and is itself superseded by the GrayFish platform. Kaspersky says the newly-identified wares are as "sophisticated as a space station" thanks to the sheer number of included espionage tools. Extra modules can be added through a custom encrypted file system containing dozens of executables that together baffle most security bods. Most of the unique identifiers and codenames tied to modules is encrypted and obfuscated. Some modules capabilities can be determined with unique identification numbers. Others are dependent on other plugins to function. Each plugin has a unique ID and version number that defines a set of functions it can provide. Some of the plugins depend on others and might not work unless dependencies are resolved. Kaspersky bods have found 30 of the 116 modules estimated to exist. "The plugins we discovered probably represent just a fraction of the attackers' potential," the researchers say. Executable timestamps reveal NSA developers likely work hardest on the platform on Tuesdays to Fridays, perhaps having late starts to Monday. Modules detected in the tool include code for: Network traffic interception for stealing or re-routing Reverse DNS resolution (DNS PTR records) Computer management Start/stop processes Load drivers and libraries Manage files and directories System information gathering OS version detection Computer name detection User name detection Locale detection Keyboard layout detection Timezone detection Process list Browsing network resources and enumerating and accessing shares WMI information gathering Collection of cached passwords Enumeration of processes and other system objects Monitoring LIVE user activity in web browsers Low-level NTFS filesystem access based on the popular Sleuthkit framework Monitoring removable storage drives Passive network backdoor (runs Equation shellcode from raw traffic) HDD and SSD firmware manipulation Keylogging and clipboard monitoring Browser history, cached passwords and form auto-fill data collection. Source
-
Shell Scanner v1.o is a PHP shell detection script that will scan a server looking for web shells uploaded by other hackers. After locating the path to the shell you can choose the option to SAVE/DELETE. This is useful if you want to save private shells add a backdoor or remove their shit all together keeping full pwnage of the shelled target. Hidden or suspected Shells will be highlighted in blue Click on shell path and Save/Delete shell. Download : http://pastebin.com/bAN9ndkj
-
CONTENTS I. Worms A. What are Worms ……………………………………………………....... 1 B. Few Popular Worms ………………………………………………….… 2 C. Propagation of Worms ……………………………………………….…. 3 D. Worm Signatures and Detection Strategies …………………………...... 5 II. Metamorphic Worms A. Introduction …………………………………………………………….. 6 B. Polymorphic vs. Metamorphic Worms ……………………………….... 6 C. Challenges faced during Detection …………………………………….. 7 D. Detection Strategies ……………………………………………………. 8 III. Result A. Metamorphic Engines ………………………………………………….. 9 B. Research Answer ……………………………………………………… 14 IV. Conclusion ………………………………………………………………... 15 V. References ………………………………………………………………… 16 Read more: http://dl.packetstormsecurity.net/papers/worms/fia_ppr.pdf
-
- detection
- metamorphic
-
(and 3 more)
Tagged with:
-
Current Release: http://www.rfxn.com/downloads/bfd-current.tar.gz http://www.rfxn.com/appdocs/README.bfd http://www.rfxn.com/appdocs/CHANGELOG.bfd Description BFD is a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format. The regular expressions are parsed against logs using the ‘sed’ tool (stream editor) which allows for excellent performance in all environments. In addition to the benefits of parsing logs in a single stream with sed, BFD also uses a log tracking system so logs are only parsed from the point which they were last read. This greatly assists in extending the performance of BFD even further as we are not constantly reading the same log data. The log tracking system is compatible with syslog/logrotate style log rotations which allows it to detect when rotations have happened and grab log tails from both the new log file and the rotated log file. You can leverage BFD to block attackers using any number of tools such as APF, Shorewall, raw iptables, ip route or execute any custom command. There is also a fully customizable e-mail alerting system with an e-mail template that is well suited for every day use or you can open it up and modify it. The attacker tracking in BFD is handled using simple flat text files that are size-controlled to prevent space constraints over time, ideal for diskless devices. There is also an attack pool where trending data is stored on all hosts that have been blocked including which rule the block was triggered by. In the execution process, there is simply a cron job that executes BFD once every 3 minutes by default. The cronjob can be run more frequently for those that desire it and doing so will not cause any performance issues (no less than once a minute). Although cron execution does not permit BFD to act in real time, the log tracking system ensures it never misses a beat in authentication failures. Further, using cron provides a reliable frame work for consistent execution of BFD in a very simplified fashion across all *nix platforms. https://www.rfxn.com/projects/brute-force-detection/