Publication Details

Features for Behavioral Anomaly Detection of Connectionless Network Buffer Overflow Attacks

HOMOLIAK Ivan, ŠULÁK Ladislav and HANÁČEK Petr. Features for Behavioral Anomaly Detection of Connectionless Network Buffer Overflow Attacks. In: Information Security Applications - 17th International Workshop, WISA 2016, Jeju Island, Korea, August 25-27, 2016, Revised Selected Papers. Lecture Notes in Computer Science, vol. 10144. Jeju Island: Springer International Publishing, 2017, pp. 66-78. ISBN 978-3-319-56549-1. ISSN 0302-9743. Available from: https://link.springer.com/chapter/10.1007%2F978-3-319-56549-1_6
Czech title
Anomální Behaviorální Analýza Nespojově Orientovaných Síťových Útoků Prováděných Prostřednictvím Zneužití Zranitelností Přetečení Zásobníku
Type
conference paper
Language
english
Authors
Homoliak Ivan, Ing., Ph.D. (DITS FIT BUT)
Šulák Ladislav, Ing. (FIT BUT)
Hanáček Petr, doc. Dr. Ing. (DITS FIT BUT)
URL
Keywords

Buffer overflow, Connectionless traffic, SIP, TFTP, UDP vulnerabilities, NBAD, Naive Bayes

Abstract

Buffer overflow (BO) attacks are one of the most dangerous threads in the area of network security. Methods for detection of BO attacks basically use two approaches: signature matching against packets' payload versus analysis of packets' headers with the behavioral analysis of the connection's flow. The second approach is intended for detection of BO attacks regardless of packets' content which can be ciphered. In this paper, we propose a technique based on Network Behavioral Anomaly Detection (NBAD) aimed at connectionless network traffic. A similar approach has already been used in related works, but focused on connection-oriented traffic. All principles of connection-oriented NBAD cannot be applied in connectionless anomaly detection. There is designed a set of features describing the behavior of connectionless BO attacks and the tool implemented for their offline extraction from network traffic dumps. Next, we describe experiments performed in the virtual network environment utilizing SIP and TFTP network services exploitation and further data mining experiments employing supervised machine learning (ML) and Naive Bayes classifier. The exploitation of services is performed using network traffic modifications with intention to simulate real network conditions. The experimental results show the proposed approach is capable of distinguishing BO attacks from regular network traffic with high precision and class recall.

Published
2017
Pages
66-78
Journal
Lecture Notes in Computer Science, vol. 10144, no. 1, ISSN 0302-9743
Proceedings
Information Security Applications - 17th International Workshop, WISA 2016, Jeju Island, Korea, August 25-27, 2016, Revised Selected Papers
Series
Lecture Notes in Computer Science
Conference
The 17th World Conference on Information Security Applications, Jeju Island, South Korea, KR
ISBN
978-3-319-56549-1
Publisher
Springer International Publishing
Place
Jeju Island, KR
DOI
UT WoS
000426125100006
EID Scopus
BibTeX
@INPROCEEDINGS{FITPUB10931,
   author = "Ivan Homoliak and Ladislav \v{S}ul\'{a}k and Petr Han\'{a}\v{c}ek",
   title = "Features for Behavioral Anomaly Detection of Connectionless Network Buffer Overflow Attacks",
   pages = "66--78",
   booktitle = "Information Security Applications - 17th International Workshop, WISA 2016, Jeju Island, Korea, August 25-27, 2016, Revised Selected Papers",
   series = "Lecture Notes in Computer Science",
   journal = "Lecture Notes in Computer Science",
   volume = 10144,
   number = 1,
   year = 2017,
   location = "Jeju Island, KR",
   publisher = "Springer International Publishing",
   ISBN = "978-3-319-56549-1",
   ISSN = "0302-9743",
   doi = "10.1007/978-3-319-56549-1\_6",
   language = "english",
   url = "https://www.fit.vut.cz/research/publication/10931"
}
Files
Back to top