Realtime C&C Zeus Packet Detection Based on RC4 Decryption of Packet Length Field

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Realtime C&C Zeus Packet Detection Based on RC4 Decryption of Packet Length Field"

Transcription

1 , pp Realtime C&C Zeus Packet Detection Based on RC4 Decryption of Packet Length Field ChulWoo Park 1, HyoSung Park 1, KiChang Kim 1 1 Information and Communication Engineering Dept., Inha University Abstract. Zeus is one of the will-published malwares. It infects PC s via s or vulnerable applications and extracts private information such as user ID, encryption key, etc., causing considerable damages. Zeus, when it was first found in 2006, started as a C&C (Command and Control) style botnet and is now moving to P2P (Peer-to-Peer) style. This paper describes techniques to detect and classify C&C Zeus packets, however the suggested technique should be able to be adapted to P2P Zeus packets also. Keywords: Zeus, Malware, Botnet, C&C, RC4, Report packet 1 Introduction Malware is a short form of Malicious software. Malware is widely spread in the internet and causing various problems such as exposing personal information. Zeus is one of such malwares and is especially notorious for its role in financial exploiting feature. Zeus infects a set of numerous PC s or Bots and connects them into a Botnet. The first Zeus-infected PC s found in 2006 have communicated through C&C server, but now they are evolving into P2P network [1]. This paper analyzes the C&C Zeus source code (Ver ) to identify the characteristics of a Zeus packet. We were able to establish a technique with which we can detect a Zeus packet in real time. 2 Zeus Report Packet Structure C&C Zeus client has to send several types of control packets periodically for the server-bot communication. One of them is called Report packet. Report packet is used to send personal information collected in the client to the server and has the structure shown in Fig. 1 and 2. It consists of Header and Body. Header (Fig. 1) contains the entire packet size, number of items, etc. Body (Fig. 2) contains information specific to each item. Zeus packets are transmitted in encrypted format and Report packet is no exception. We capture Report packet and detect whether it is a Zeus packet or not by examining its body size field and compare it with the entire packet size. If they match, there is a high probability that it is a Zeus packet. However in the presence of encryption how can we know the value of body size field? Our technique matches ISSN: ASTL Copyright 2014 SERSC

2 body size field with the entire packet size without decryption and, thus, can detect Zeus packet even when it is encrypted. Fig. 1. Zeus Report packet header Fig. 2. Zeus Report packet item 3 Zeus Encryption Algorithm C&C Zeus uses two different kinds of encryption algorithm. One is RC4 and the other is Zeus-specific algorithm consisting of visualencrypt and visualdecrypt [2][6]. Fig. 3 and 4 shows encryption and decryption process in Zeus. Fig. 3. Encryption process in Zeus Fig. 4. Decryption process in Zeus visualencrypt and visualdecrypt algorithm both consist of a successive application of XOR operations. The transmitted packets are encrypted and it is hard to find the corresponding RC4 key. In early Zeus version, the stream key was located in certain location of memory [4], but it is no longer true especially in version which we are looking at. However due to the characteristics of XOR operation, we can extract the portion of stream key used for "body size" as in Fig. 5. First starting with the cipher text for "body size" field, we apply "visualdecrypt" algorithm to obtain "New Text". If we had known the "new stream key" for this field, we could obtain "Plain Text" by XORing "New Text" with it. We don't have it. However because of the duality of XOR operation, we can obtain "new stream key" by XORing "New Text" with "Plain Text". Note that we know "Plain Text" since it is the entire packet length and is reported in the IP packet header. 56 Copyright 2014 SERSC

3 Fig. 5. Modified Zeus decryption process 4 Detecting Zeus Report Packet The "item" packet shown in Fig. 2 has Item ID in the first 4 byte. This Item ID has many types [2]. Among them, "SBCID_BOT_ID" (ID 10001) is the mandatory item that should be transmitted first. Therefore we can detect Zeus packet by observing whether it has ID or not at offset 49. In the presence of encryption, since the same client will use the same RC4 key, we can expect the Report packets from the same client will contain the same cipher text at offset 49 if they are SBCID_BOT_ID items. Therefore if a client is transmitting a number of packets that have the same cipher text at offset 49, we can suspect they are SBCID_BOT_ID Report Item packet from the same client [4]. The problem of this approach is that we have to collect a fairly large number of Report packets before we can say the possibility of Zeus infection. Our technique is superior in that even with two Report packets it can predict the presence of Zeus infection. It extracts the 4-byte cipher text at offset 21 in the Header packet and collect all Item packets of this Report packet. The total size becomes the plain text and by XORing these two 4-bytes after proper conversion of them through visualencryption or visualdecryption, we can obtain the "new stream key". If we can find the same "new stream key" for two different Report packets from the same client, we can say with high probability that the client is infected with Zeus. 5 Experimental Results In this section, we show an example that explains the process of producing the "new stream key". Copyright 2014 SERSC 57

4 Fig. 6. Experimental results Fig. 6 shows three different Report packets. The packet lengths are all different: first one has 0x527 bytes, second one 0x15a bytes, and the last one 0x57c bytes. We extract the "body size" field of each packet, apply visualdecrypt and XOR it with the size to obtain the "new stream key". For example, for the first packet, the cipher text for the "body size" is 0x2e22c8c6. After applying visualdecrypt, it becomes 0xe30cea0e. XORing it with the packet size, 0x , we obtain 0xc409ea0e, the "new stream key". Now when we apply the same process for the second and third packets, we obtain the same "new stream key", 0xc409ea0e as shown in Fig. 6. We cannot recover the whole stream key used in encrypting the entire packet. However at least we were able to recover the portion of the stream key that is used to encrypt the "body size" field. Now if two different Report packets from the same client contains cipher text at offset 21 in their Header packets that produce the same "new stream key" when the above procedure is applied, we can be sure with a very high probability that the client is infected with Zeus. 6 Conclusion Since 2006, Zeus is infecting a large number of PC's causing various security problems. Zeus packets are not easy to detect since they are encrypted and show random pattern. This paper presents a technique that can detect Zeus packets with relatively small number of collected packets. The technique is based on the observation that certain field of Zeus packet contains packet size information and that when this field is encrypted we still have the corresponding plain text for it by computing the entire packet length directly. The weakness of RC4 allows us to detect Zeus packets via XORing the cipher and plain text of this field. This paper shows that this technique is effective and can detect Zeus packets even in the presence of encryption. 58 Copyright 2014 SERSC

5 References 1. Binsalleeh, Hamad, et al. On the analysis of the zeus botnet crimeware toolkit. Privacy Security and Trust (PST), 2010 Eighth Annual International Conference on. IEEE, (2010) 2. https://github.com/visgean/zeus Riccardi, Marco, et al. Titans revenge: Detecting Zeus via its own flaws. Computer Networks (2013) 5. Klein, Andreas. "Attacks on the RC4 stream cipher." Designs, Codes and Cryptography (2008) 6. Wyke, James. What is Zeus?. Sophos, May (2011) 7. Steel, Graham. Deduction with XOR constraints in security API modelling. Automated Deduction CADE-20. Springer Berlin Heidelberg, (2005) Copyright 2014 SERSC 59

Traceback Attacks in Cloud Pebbletrace Botnet nd International Conference on Distributed Computing Systems Workshops Wenjie Lin, David Lee

Traceback Attacks in Cloud Pebbletrace Botnet nd International Conference on Distributed Computing Systems Workshops Wenjie Lin, David Lee Traceback Attacks in Cloud Pebbletrace Botnet 2012 32nd International Conference on Distributed Computing Systems Workshops Wenjie Lin, David Lee Outline Introduction Key Identification Botnet attack in

More information

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher

Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher Enhancing Security of Improved RC4 Stream Cipher by Converting into Product Cipher Nishith Sinha Mallika Chawda Kishore Bhamidipati Assistant Professor ABSTRACT RC4 is one of the most widely used stream

More information

The Final Nail in WEP s Coffin

The Final Nail in WEP s Coffin 1/19 The Final Nail in WEP s Coffin Andrea Bittau 1 Mark Handley 1 Joshua Lackey 2 May 24, 2006 1 University College London. 2 Microsoft. Wired Equivalent Privacy 2/19 WEP is the 802.11 standard for encryption.

More information

4MMSR-Network Security Seminar. Peer-to-Peer Botnets: Overview and Case Study

4MMSR-Network Security Seminar. Peer-to-Peer Botnets: Overview and Case Study 4MMSR-Network Security 2011-2012 Seminar Peer-to-Peer Botnets: Overview and Case Study Julian B. Grizzard, Vikram Sharma, Chris Nunnery, and Brent ByungHoon Kang, David Dagon USENIX, 2007 1 Index Introduction

More information

Peer-to-Peer Botnet Detection Using NetFlow. Connor Dillon

Peer-to-Peer Botnet Detection Using NetFlow. Connor Dillon Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large

More information

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P)) CHAPTER 6. SYMMETRIC CIPHERS Multiple encryption is a technique in which an encryption algorithm is used multiple times. In the first instance, plaintext is converted to ciphertext using the encryption

More information

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner Analysis of 802.11 Security or Wired Equivalent Privacy Isn t Nikita Borisov, Ian Goldberg, and David Wagner WEP Protocol Wired Equivalent Privacy Part of the 802.11 Link-layer security protocol Security

More information

AKAMAI THREAT ADVISORY. Satori Mirai Variant Alert

AKAMAI THREAT ADVISORY. Satori Mirai Variant Alert AKAMAI THREAT ADVISORY Satori Mirai Variant Alert Version: V002 Date: December 6, 2017 1.0 / Summary / Akamai, along with industry peers, has identified an updated variant of Mirai (Satori) that has activated

More information

Design and Implementation of Secure OTP Generation for IoT Devices

Design and Implementation of Secure OTP Generation for IoT Devices , pp.75-80 http://dx.doi.org/10.14257/astl.2017.146.15 Design and Implementation of Secure OTP Generation for IoT Devices Young-Sae Kim 1 and Jeong-Nyeo Kim 1 1 Electronics and Telecommunications Research

More information

HAI Network Communication Protocol Description

HAI Network Communication Protocol Description Home Automation, Inc. HAI Network Communication Protocol Description This document contains the intellectual property of Home Automation, Inc. (HAI). HAI authorizes the use of this information for the

More information

Request for Comments: 2420 Category: Standards Track September The PPP Triple-DES Encryption Protocol (3DESE)

Request for Comments: 2420 Category: Standards Track September The PPP Triple-DES Encryption Protocol (3DESE) Network Working Group H. Kummert Request for Comments: 2420 Nentec GmbH Category: Standards Track September 1998 Status of this Memo The PPP Triple-DES Encryption Protocol (3DESE) This document specifies

More information

Secret Key Cryptography

Secret Key Cryptography Secret Key Cryptography 1 Block Cipher Scheme Encrypt Plaintext block of length N Decrypt Secret key Cipher block of length N 2 Generic Block Encryption Convert a plaintext block into an encrypted block:

More information

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers Introduction to Modern Cryptography Lecture 2 Symmetric Encryption: Stream & Block Ciphers Stream Ciphers Start with a secret key ( seed ) Generate a keying stream i-th bit/byte of keying stream is a function

More information

Encrypting the Auto Detected Face Part of Human in a Image Using RC4 and Hiding the Data in Image

Encrypting the Auto Detected Face Part of Human in a Image Using RC4 and Hiding the Data in Image Encrypting the Auto Detected Face Part of Human in a Image Using RC4 and Hiding the Data in Image N.Mahesh Chandra M.Tech Student, Sreenidhi Institute of Science and Technology. Abstract: In this paper,

More information

How to Predict Viruses Under Uncertainty

How to Predict  Viruses Under Uncertainty How to Predict Email Viruses Under Uncertainty InSeon Yoo and Ulrich Ultes-Nitsche Department of Informatics, University of Fribourg, Chemin du Musee 3, Fribourg, CH-1700, Switzerland. phone: +41 (0)26

More information

Activating Intrusion Prevention Service

Activating Intrusion Prevention Service Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers

More information

Findings for

Findings for Findings for 198.51.100.23 Scan started: 2017-07-11 12:30 UTC Scan ended: 2017-07-11 12:39 UTC Overview Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 80/tcp

More information

Network Security Essentials

Network Security Essentials Network Security Essentials Applications and Standards Third Edition William Stallings Chapter 2 Symmetric Encryption and Message Confidentiality Dr. BHARGAVI H. GOSWAMI Department of Computer Science

More information

A New ShiftColumn Transformation: An Enhancement of Rijndael Key Scheduling

A New ShiftColumn Transformation: An Enhancement of Rijndael Key Scheduling A New ShiftColumn Transformation: An Enhancement of Rijndael Key Scheduling Salasiah Sulaiman Zaiton Muda Julia Juremi Ramlan Mahmod Sharifah Md. Yasin Department of Computer Science, Faculty of Computer

More information

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step RC4 RC4 1 RC4 Invented by Ron Rivest o RC is Ron s Code or Rivest Cipher A stream cipher Generate keystream byte at a step o Efficient in software o Simple and elegant o Diffie: RC4 is too good to be true

More information

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016 Abstract The Mirai botnet struck the security industry in three massive attacks that shook traditional DDoS protection paradigms, proving that the Internet of Things (IoT) threat is real and the grounds

More information

Journal of Global Research in Computer Science A UNIFIED BLOCK AND STREAM CIPHER BASED FILE ENCRYPTION

Journal of Global Research in Computer Science A UNIFIED BLOCK AND STREAM CIPHER BASED FILE ENCRYPTION Volume 2, No. 7, July 2011 Journal of Global Research in Computer Science RESEARCH PAPER Available Online at www.jgrcs.info A UNIFIED BLOCK AND STREAM CIPHER BASED FILE ENCRYPTION Manikandan. G *1, Krishnan.G

More information

Security I exercises

Security I exercises Security I exercises Markus Kuhn Lent 2013 Part IB 1 Cryptography 1.1 Some mathematical prerequisites 1.2 Historic ciphers Exercise 1 Decipher the shift cipher text LUXDZNUAMNDODJUDTUZDGYQDLUXDGOJDCKDTKKJDOZ

More information

Most Common Security Threats (cont.)

Most Common Security Threats (cont.) Most Common Security Threats (cont.) Denial of service (DoS) attack Distributed denial of service (DDoS) attack Insider attacks. Any examples? Poorly designed software What is a zero-day vulnerability?

More information

BCA III Network security and Cryptography Examination-2016 Model Paper 1

BCA III Network security and Cryptography Examination-2016 Model Paper 1 Time: 3hrs BCA III Network security and Cryptography Examination-2016 Model Paper 1 M.M:50 The question paper contains 40 multiple choice questions with four choices and student will have to pick the correct

More information

Application of ESA in the CAVE Mode Authentication

Application of ESA in the CAVE Mode Authentication Application of ESA in the Mode Authentication Keonwoo Kim, Dowon Hong, and Kyoil Chung Abstract This paper proposes the authentication method using ESA algorithm instead of using algorithm in the CDMA

More information

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536) Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536) Prepared by Dr. Samia Chelloug E-mail: samia_chelloug@yahoo.fr Content

More information

Block Cipher Modes of Operation

Block Cipher Modes of Operation Block Cipher Modes of Operation Luke Anderson luke@lukeanderson.com.au 24th March 2016 University Of Sydney Overview 1. Crypto-Bulletin 2. Modes Of Operation 2.1 Evaluating Modes 2.2 Electronic Code Book

More information

Detection of DNS Traffic Anomalies in Large Networks

Detection of DNS Traffic Anomalies in Large Networks Detection of Traffic Anomalies in Large Networks Milan Čermák, Pavel Čeleda, Jan Vykopal {cermak celeda vykopal}@ics.muni.cz 20th Eunice Open European Summer School and Conference 2014 1-5 September 2014,

More information

Secret Key Cryptography

Secret Key Cryptography Secret Key Cryptography General Block Encryption: The general way of encrypting a 64-bit block is to take each of the: 2 64 input values and map it to a unique one of the 2 64 output values. This would

More information

Performance Study of COPS over TLS and IPsec Secure Session

Performance Study of COPS over TLS and IPsec Secure Session Performance Study of COPS over TLS and IPsec Secure Session Yijun Zeng and Omar Cherkaoui Université du Québec à Montréal CP. 8888 Suc. A, Montréal yj_zeng@hotmail.com, cherkaoui.omar@uqam.ca Abstract.

More information

Cryptography BITS F463 S.K. Sahay

Cryptography BITS F463 S.K. Sahay Cryptography BITS F463 S.K. Sahay BITS-Pilani, K.K. Birla Goa Campus, Goa S.K. Sahay Cryptography 1 Terminology Cryptography: science of secret writing with the goal of hiding the meaning of a message.

More information

The Linux Kernel Cryptographic API

The Linux Kernel Cryptographic API Published on Linux Journal (http://www.linuxjournal.com) The Linux Kernel Cryptographic API By James Morris Created 2003-04-01 02:00 This article provides a brief overview of the new cryptographic API

More information

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS Mathy Vanhoef and Frank Piessens, KU Leuven USENIX Security 2015 RC4 Intriguingly simple stream cipher WEP WPA-TKIP SSL / TLS PPP/MPPE And

More information

Introduction Skype analysis Enforcing anti-skype policies. Skype uncovered. Security study of Skype. Desclaux Fabrice 1 EADS CCR/STI/C

Introduction Skype analysis Enforcing anti-skype policies. Skype uncovered. Security study of Skype. Desclaux Fabrice 1 EADS CCR/STI/C Security study of Skype 1 1 EADS CCR/STI/C Should we be afraid of Skype? 1 Introduction Should we be afraid of Skype? 2 3 Skype detection Quick overview of Skype Should we be afraid of Skype? End-user

More information

Overview of IEEE b Security

Overview of IEEE b Security Overview of IEEE 802.11b Security Sultan Weatherspoon, Network Communications Group, Intel Corporation Index words: 802.11b, wireless, WLAN, encryption, security ABSTRACT There is much regulatory and standards

More information

FOURIER MASKING ENCRYPTION ALGORITHM FOR POLYALPHABETIC SYMMETRIC KEY CRYPTOGRAPHY

FOURIER MASKING ENCRYPTION ALGORITHM FOR POLYALPHABETIC SYMMETRIC KEY CRYPTOGRAPHY Daffodil International University Institutional Repository DIU Journal of Science and Technology Volume,Issue,January 007 007-0-0 FOURIER MASKING ENCRYPTION ALGORITHM FOR POLYALPHABETIC SYMMETRIC KEY CRYPTOGRAPHY

More information

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING

A GUIDE TO CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING A GUIDE TO 12 CYBERSECURITY METRICS YOUR VENDORS (AND YOU) SHOULD BE WATCHING There is a major difference between perceived and actual security. Perceived security is what you believe to be in place at

More information

Wireless LAN Security. Gabriel Clothier

Wireless LAN Security. Gabriel Clothier Wireless LAN Security Gabriel Clothier Timeline 1997: 802.11 standard released 1999: 802.11b released, WEP proposed [1] 2003: WiFi alliance certifies for WPA 2004: 802.11i released 2005: 802.11w task group

More information

Sankeeth Kumar Chinta.

Sankeeth Kumar Chinta. Sankeeth Kumar Chinta. # 991730264 Sept 18, 2015 Contents 1 Introduction 2 2 History 4 3 Description of Algorithm: 4 3.1 Key Expansion.......................... 5 3.2 Data Encryption.........................

More information

IDS: Signature Detection

IDS: Signature Detection IDS: Signature Detection Idea: What is bad, is known What is not bad, is good Determines whether a sequence of instructions being executed is known to violate the site security policy Signatures: Descriptions

More information

Is Your Wireless Network Being Hacked?

Is Your Wireless Network Being Hacked? The ITB Journal Volume 9 Issue 1 Article 5 2008 Is Your Wireless Network Being Hacked? Paul King Ivan Smyth Anthony Keane Follow this and additional works at: http://arrow.dit.ie/itbj Part of the Computer

More information

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis CS-435 spring semester 2016 Network Technology & Programming Laboratory University of Crete Computer Science Department Stefanos Papadakis & Manolis Spanakis CS-435 Lecture preview 802.11 Security IEEE

More information

ARM European Technical Symposium The security challenges that IoT and Mobile Computing Devices are facing. Pierre Garnier, COO

ARM European Technical Symposium The security challenges that IoT and Mobile Computing Devices are facing. Pierre Garnier, COO ARM European Technical Symposium The security challenges that IoT and Mobile Computing Devices are facing Pierre Garnier, COO 1 INVESTORS INSIDE Secure PRESENTATION ARM European Technical SEPTEMBER Symposium

More information

Double-DES, Triple-DES & Modes of Operation

Double-DES, Triple-DES & Modes of Operation Double-DES, Triple-DES & Modes of Operation Prepared by: Dr. Mohamed Abd-Eldayem Ref.: Cryptography and Network Security by William Stallings & Lecture slides by Lawrie Brown Multiple Encryption & DES

More information

Panda Security 2010 Page 1

Panda Security 2010 Page 1 Panda Security 2010 Page 1 Executive Summary The malware economy is flourishing and affecting both consumers and businesses of all sizes. The reality is that cybercrime is growing exponentially in frequency

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

An Efficient Flow Table Management Scheme for SDNs Based On Flow Forwarding Paths

An Efficient Flow Table Management Scheme for SDNs Based On Flow Forwarding Paths , pp.88-93 http://dx.doi.org/10.14257/astl.2016.135.23 An Efficient Flow Table Management Scheme for SDNs Based On Flow Forwarding Paths Dongryeol Kim, Byoung-Dai Lee Kyonggi university, Department of

More information

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic. 15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS

More information

Unsupervised Clustering of Web Sessions to Detect Malicious and Non-malicious Website Users

Unsupervised Clustering of Web Sessions to Detect Malicious and Non-malicious Website Users Unsupervised Clustering of Web Sessions to Detect Malicious and Non-malicious Website Users ANT 2011 Dusan Stevanovic York University, Toronto, Canada September 19 th, 2011 Outline Denial-of-Service and

More information

A Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua CHEN

A Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua CHEN 2017 International Conference on Computer, Electronics and Communication Engineering (CECE 2017) ISBN: 978-1-60595-476-9 A Power Attack Method Based on Clustering Ruo-nan ZHANG, Qi-ming ZHANG and Ji-hua

More information

Detecting P2P Botnets through Network Behavior Analysis and Machine Learning

Detecting P2P Botnets through Network Behavior Analysis and Machine Learning Detecting P2P Botnets through Network Behavior Analysis and Machine Learning Sherif Saad Email: shsaad@ece.uvic.ca Bassam Sayed Email: bassam@ece.uvic.ca Issa Traore Email: itraore@ece.uvic.ca David Zhao

More information

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse?

More information

This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.

This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. Title Improved Meet-in-the-Middle cryptanalysis of KTANTAN (poster) Author(s) Citation Wei, Lei; Rechberger,

More information

Delegation Scheme based on Proxy Re-encryption in Cloud Environment

Delegation Scheme based on Proxy Re-encryption in Cloud Environment Vol.133 (Information Technology and Computer Science 2016), pp.122-126 http://dx.doi.org/10.14257/astl.2016. Delegation Scheme based on Proxy Re-encryption in Cloud Environment You-Jin Song Department

More information

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals This course contains copyrighted material used by permission of Logical Operations, Inc. Slide 1 Course 01: Security Fundamentals The Information

More information

Partial Image Encryption using RC4 Stream Cipher Approach and Embedded in an Image

Partial Image Encryption using RC4 Stream Cipher Approach and Embedded in an Image 40 Academic Journal of Nawroz University (AJNU) Partial Image Encryption using RC4 Stream Cipher Approach and Embedded in an Image Renas R. Asaad, Saman M. Abdulrahman and Ahmad A. Hani Department of Computer

More information

Botnet Behaviour Analysis using IP Flows

Botnet Behaviour Analysis using IP Flows 2014 28th International Conference on Advanced Information Networking and Applications Workshops Botnet Behaviour Analysis using IP Flows With HTTP filters using classifiers Fariba Haddadi, Jillian Morgan,

More information

Sales Training

Sales Training Sales Training Extensible Content Security 16.03.2010 2009 WatchGuard Technologies Market Opportunity Total Addressable Market, ($M) Total Addressable Market by Segment, ($M) 16,000 14,000 11.2% CAGR 16,000

More information

Block Cipher Operation. CS 6313 Fall ASU

Block Cipher Operation. CS 6313 Fall ASU Chapter 7 Block Cipher Operation 1 Outline q Multiple Encryption and Triple DES q Electronic Codebook q Cipher Block Chaining Mode q Cipher Feedback Mode q Output Feedback Mode q Counter Mode q XTS-AES

More information

Characterisation of the Kelihos.B Botnet

Characterisation of the Kelihos.B Botnet Characterisation of the Kelihos.B Botnet Max Kerkers, José Jair Santanna and Anna Sperotto Design and Analysis of Communication Systems (DACS) University of Twente Enschede, The Netherlands m.kerkers@student.utwente.nl,

More information

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection

White Paper. New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection White Paper New Gateway Anti-Malware Technology Sets the Bar for Web Threat Protection The latest version of the flagship McAfee Gateway Anti-Malware technology adapts to new threats and plans for future

More information

Virtual Dispersive Networking Spread Spectrum IP

Virtual Dispersive Networking Spread Spectrum IP Virtual Dispersive Networking Spread Spectrum IP DSI Proprietary 1 DSI Proprietary 2 Problem Lies Outside of Existing Security: On the Internet Internet Routers Virus Software Phishing Software etc POLICY

More information

Modes of Operation. Raj Jain. Washington University in St. Louis

Modes of Operation. Raj Jain. Washington University in St. Louis Modes of Operation Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at : http://www.cse.wustl.edu/~jain/cse567-06/

More information

International Journal of Computer Science Trends and Technology (IJCST) Volume 5 Issue 4, Jul Aug 2017

International Journal of Computer Science Trends and Technology (IJCST) Volume 5 Issue 4, Jul Aug 2017 RESEARCH ARTICLE OPEN ACCESS Optimizing Fully Homomorphic Encryption Algorithm using Greedy Approach in Cloud Computing Kirandeep Kaur [1], Jyotsna Sengupta [2] Department of Computer Science Punjabi University,

More information

WAP Security. Helsinki University of Technology S Security of Communication Protocols

WAP Security. Helsinki University of Technology S Security of Communication Protocols WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP

More information

CHAPTER 8 SECURING INFORMATION SYSTEMS

CHAPTER 8 SECURING INFORMATION SYSTEMS CHAPTER 8 SECURING INFORMATION SYSTEMS BY: S. SABRAZ NAWAZ SENIOR LECTURER IN MANAGEMENT & IT SEUSL Learning Objectives Why are information systems vulnerable to destruction, error, and abuse? What is

More information

Symantec Ransomware Protection

Symantec Ransomware Protection Symantec Ransomware Protection Protection Against Ransomware Defense in depth across all control points is required to stop ransomware @ Email Symantec Email Security.cloud, Symantec Messaging Gateway

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

Some Thoughts on Time-Memory-Data Tradeoffs

Some Thoughts on Time-Memory-Data Tradeoffs Some Thoughts on Time-Memory-Data Tradeoffs Alex Biryukov Katholieke Universiteit Leuven, Dept. ESAT/SCD-COSIC, Kasteelpark Arenberg 10, B 3001 Heverlee, Belgium Abstract. In this paper we show that Time-Memory

More information

Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks

Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks An abridged version of this paper appears in the Proc. of the Third IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom 2005 Workshops), 8-12 March 2005, Kauai Island,

More information

Covert channels in TCP/IP: attack and defence

Covert channels in TCP/IP: attack and defence Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/{sjm217,

More information

BOTNET DETECTION IN VIRTUAL ENVIRONMENTS USING NETFLOW

BOTNET DETECTION IN VIRTUAL ENVIRONMENTS USING NETFLOW BOTNET DETECTION IN VIRTUAL ENVIRONMENTS USING NETFLOW Mark Graham Adrian Winckles Andrew Moore mark.graham@anglia.ac.uk adrian.winckles@anglia.ac.uk andrew.moore@anglia.ac.uk Department of Computing and

More information

Related-key Attacks on Triple-DES and DESX Variants

Related-key Attacks on Triple-DES and DESX Variants Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my

More information

Partial Caching Scheme for Streaming Multimedia Data in Ad-hoc Network

Partial Caching Scheme for Streaming Multimedia Data in Ad-hoc Network , pp.106-110 http://dx.doi.org/10.14257/astl.2014.51.25 Partial Caching Scheme for Streaming Multimedia Data in Ad-hoc Network Backhyun Kim and Iksoo Kim 1 Faculty of Liberal Education, Incheon National

More information

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,

More information

Artificial Neural Network To Detect Know And Unknown DDOS Attack

Artificial Neural Network To Detect Know And Unknown DDOS Attack IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661,p-ISSN: 2278-8727, Volume 19, Issue 2, Ver. II (Mar.-Apr. 2017), PP 56-61 www.iosrjournals.org Artificial Neural Network To Detect Know

More information

Hybrid Obfuscated Javascript Strength Analysis System for Detection of Malicious Websites

Hybrid Obfuscated Javascript Strength Analysis System for Detection of Malicious Websites Hybrid Obfuscated Javascript Strength Analysis System for Detection of Malicious Websites R. Krishnaveni, C. Chellappan, and R. Dhanalakshmi Department of Computer Science & Engineering, Anna University,

More information

Sophos Central Admin. help

Sophos Central Admin. help help Contents About Sophos Central... 1 Activate Your License...2 Endpoint Protection...3 Dashboard...3 Alerts...4 Root Cause Analysis...9 Logs & Reports... 11 People... 24 Computers...33 Computer Groups...40

More information

Network Intrusion Forensics System based on Collection and Preservation of Attack Evidence

Network Intrusion Forensics System based on Collection and Preservation of Attack Evidence , pp.354-359 http://dx.doi.org/10.14257/astl.2016.139.71 Network Intrusion Forensics System based on Collection and Preservation of Attack Evidence Jong-Hyun Kim, Yangseo Choi, Joo-Young Lee, Sunoh Choi,

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 9 Encryption and Firewalls By Whitman, Mattord & Austin 2008 Course Technology Learning Objectives Describe the role encryption

More information

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and

More information

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK MORE RANDOMNESS OF IMPROVED RC4 (IRC4) THAN ORIGINAL RC4 HEMANTA DEY 1, DR. UTTAM

More information

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security 1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security Dr. L. Christofi 1 0. Overview As the knowledge of computer networking and protocols has become more widespread, so the threat of

More information

arxiv:quant-ph/ v2 2 Apr 2006

arxiv:quant-ph/ v2 2 Apr 2006 QKD Quantum Channel Authentication J.T. Kosloski National Security Agency, 9800 Savage Road, Fort George G. Meade, Maryland 20755 (Dated: February 1, 2008) arxiv:quant-ph/0603101v2 2 Apr 2006 Abstract

More information

Sophos Central Admin. help

Sophos Central Admin. help help Contents About Sophos Central... 1 Activate Your License...2 Overview... 3 Dashboard...3 Alerts...4 Logs & Reports... 10 People... 25 Devices... 34 Global Settings...50 Protect Devices...78 Endpoint

More information

CS 43: Computer Networks Security. Kevin Webb Swarthmore College December 7, 2017

CS 43: Computer Networks Security. Kevin Webb Swarthmore College December 7, 2017 CS 43: Computer Networks Security Kevin Webb Swarthmore College December 7, 2017 Topics Spying on network traffic Classic problem: buffer overflow attack Monetizing botnets Once upon a time The Internet

More information

IP Security. Have a range of application specific security mechanisms

IP Security. Have a range of application specific security mechanisms IP Security IP Security Have a range of application specific security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS However there are security concerns that cut across protocol layers Would like security

More information

Introduction to Security. Computer Networks Term A15

Introduction to Security. Computer Networks Term A15 Introduction to Security Computer Networks Term A15 Intro to Security Outline Network Security Malware Spyware, viruses, worms and trojan horses, botnets Denial of Service and Distributed DOS Attacks Packet

More information

Service Provider View of Cyber Security. July 2017

Service Provider View of Cyber Security. July 2017 Service Provider View of Cyber Security July 2017 Quick Stats Caribbean and LatAm: 3 rd largest population of Internet Users You Are Here Visualization from the Opte Project of the various routes through

More information

CODESSEAL: Compiler/FPGA Approach to Secure Applications

CODESSEAL: Compiler/FPGA Approach to Secure Applications CODESSEAL: Compiler/FPGA Approach to Secure Applications Olga Gelbart 1, Paul Ott 1, Bhagirath Narahari 1, Rahul Simha 1, Alok Choudhary 2, and Joseph Zambreno 2 1 The George Washington University, Washington,

More information

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some 3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some popular block ciphers Triple DES Advanced Encryption

More information

Whitenoise Laboratories Inc.

Whitenoise Laboratories Inc. Whitenoise Laboratories Inc. Software Specifications For Tinnitus Utilizing Whitenoise Substitution Stream Cipher (Revised) Written by Stephen Boren email: sboren@bsbutil.com Andre Brisson email: brisson@bsbutil.com

More information

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Outline More Security Protocols CS 239 Computer Security February 6, 2006 Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication

More information

Cybersecurity: Incident Response Short

Cybersecurity: Incident Response Short Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability

More information

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography Principles of Information Security, Fourth Edition Chapter 8 Cryptography Learning Objectives Upon completion of this material, you should be able to: Chronicle the most significant events and discoveries

More information

Lecture III : Communication Security Mechanisms

Lecture III : Communication Security Mechanisms Lecture III : Communication Security Mechanisms Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Computer Science Department, National Chiao Tung University 2 X.800 : Security

More information

RC4 Stream Cipher with a Random Initial State

RC4 Stream Cipher with a Random Initial State RC4 Stream Cipher with a Random Initial State Maytham M. Hammood, Kenji Yoshigoe and Ali M. Sagheer Abstract Rivest Cipher 4 (RC4) is one of the modern encryption techniques utilized in many real time

More information

Symmetric key cryptography

Symmetric key cryptography The best system is to use a simple, well understood algorithm which relies on the security of a key rather than the algorithm itself. This means if anybody steals a key, you could just roll another and

More information

Bluetooth. March 28, 2005 Patrick Lui

Bluetooth. March 28, 2005 Patrick Lui Bluetooth March 28, 2005 Patrick Lui 0053252 1. Introduction As our everyday lives move closer towards complete digital age, connectivity between devices is an important aspect that has not been emphasized

More information