malicious host
Recently Published Documents


TOTAL DOCUMENTS

27
(FIVE YEARS 1)

H-INDEX

3
(FIVE YEARS 0)

Author(s):  
Yakov V. Bubnov ◽  
Nick N. Ivanov

The problem of malicious host detection in a computer network is reviewed. Activity of computer network hosts is tracked by a noisy detector. The paper suggests a method for detecting malicious hosts using activity time series classification. The approach is based on a hidden Markov chain model that analyses the time series and a consecutive search for the most probable final state of the model. Efficiency of the approach is based on the assumption that advanced persistent threats are localised in time; therefore malicious hosts in a computer network can be detected by virtue of activity comparison with reliable safe hosts.



2020 ◽  
Vol 33 (02) ◽  
Author(s):  
MPJ Santosh Kumar ◽  
Dr. T Anuradha


2020 ◽  
Vol 2020 ◽  
pp. 1-15
Author(s):  
Guangjia Song ◽  
Hui Wang ◽  
Fuquan Liu

SEND uses CGA as its address configuration method. CGA binds the IPv6 address with multiple auxiliary parameters, thereby making the dependency relationship between IPv6 address and host provable, which prevents address embezzlement. Owing to the considerable overhead in CGA parameter verification, the malicious host can use this point to carry out DoS attacks. To prevent DoS, the paper proposes a new duplicate address detection method in an SDN environment called FDAD. Two additional mechanisms are added to the FDAD, namely, query and feedback; messages used by the new mechanisms are also designed. Through these two mechanisms, on the one hand, the host can query the MAC address of the suspect host to the controller. On the other hand, if the CGA parameter verification fails, the controller will use feedback information to suppress malicious host from its source port in order to prevent subsequent attacks. Experiments show that the CPU overhead of FDAD is much lower than the normal CGA when suffering Denial of Service attack. The increased CPU consumption and memory overhead of the controller are also within acceptable range, and the network communication overhead is greatly reduced.



2020 ◽  
Vol 7 (3) ◽  
pp. 591
Author(s):  
Khafidzun Fadli ◽  
Achmad Basuki ◽  
Eko Setiawan

Local Area Network (LAN) security is a serious problem that must be considered. A LAN becomes insecure because firewall technology is not able to protect the hosts (computers) in the LAN from the spread of malware. The spread of malware within a LAN is carried out by hosts in the LAN, which are referred to as malicious hosts. The spread of malware in the LAN can be reduced by identifying malicious hosts. This paper proposes a method of identifying malicious hosts based on ARP request activity using a graph clustering-filtering technique. The graph clustering-filtering technique consists of steps for grouping and filtering nodes and edges based on graph parameters such as edge weight, node out-degree and weighted node out-degree, with the aim of identifying malicious hosts. Based on graph parameters such as node out-degree and weighted node out-degree, the percentage of host activity can be calculated to show how active a host is in broadcasting ARP requests, so that the calculated percentage of host activity can determine which hosts are identified as malicious hosts. Applying the graph clustering-filtering technique to 511 nodes and 4144 edges, obtained by observing and collecting data for 3 hours in a campus LAN, reduces the visualization to only 22 nodes and 328 edges. The calculation based on the percentage of host activity reduces the 22 nodes to 6 nodes that are suspected to be malicious hosts. Overall, graph visualization using the graph clustering-filtering technique together with the percentage of host activity can identify the number of hosts suspected to be malicious hosts.



2019 ◽  
Author(s):  
Vivek Srivastava ◽  
Dr. Ravi Shankar Pandey


Author(s):  
Ryo Nakamura ◽  
Yuji Sekiya ◽  
Daisuke Miyamoto ◽  
Kazuya Okada ◽  
Tomohiro Ishihara


2015 ◽  
Vol 15 (2) ◽  
pp. 381
Author(s):  
Razouki Hassan ◽  
Hair Abdellatif

The mobile agent has been seen as a promising distributed computing technology. The mobility characteristic of a mobile agent makes it travel often in open networks. In this scenario, it is obvious that mobile agents are vulnerable to various security threats. Protecting free-roaming mobile agents from malicious hosts and from other mobile agents has drawn much attention in recent years. The protection of mobile agents is considered one of the greatest challenges of security, because the platform of execution has access to all the components of the mobile agent. In this paper, we present a new architecture paradigm of mobile agents, which allows the separation of the implementation tasks of the agent and its security mechanisms. Our approach is based on using two strategies of adaptation to adapt the mobile agent security at runtime, depending on the sensitivity of the services required to perform the duties of the agent and the degree of confidence of the visited platforms.


