Automatic Detection of Internet-based Cyberattacks
Over the last few years, the Internet has been repeatedly used as a medium to launch attacks against computer and communication subsystems. Such attacks, usually called cyber-attacks, may disable a large number of computers, which may in turn paralyze critical infrastructures including telecommunications, provision of electric power, transportation, water supplies, athletic infrastructure, and commerce. Such cyber-attacks propagate rapidly and may have a profound impact.
Our research targets the creation of early warning systems that can detect cyber-attacks quickly and respond to them efficiently. Our recent focus has been on designing, implementing, and deploying early-warning systems that are able to detect computer attacks in their infancy.
Proposal
- E. Markatos et al. "EAR: Early Warning System for the automatic detection of Internet-based Cyberattacks", project proposal submitted to GSRT, Call "Cooperation with R & D Organizations outside Europe, Action 4.3.6.1b, Structural Fund #3, Operational Program Competitiveness", December 2002 (pdf).
Publications
- Spiros Antonatos, Periklis Akritidis, Evangelos P. Markatos and Kostas G. Anagnostakis. Defending against Hitlist Worms using Network Address Space Randomization. In Computer Networks, to appear, 2007 (pdf)
- Spiros Antonatos and Kostas G. Anagnostakis. TAO: Protecting against Hitlist Worms using Transparent Address Obfuscation. In Proceedings of the 10th IFIP Open Conference on Communications and Multimedia Security (CMS'06) (to appear)
- Michalis Polychronakis, Kostas G. Anagnostakis, and Evangelos P. Markatos. Network-level Polymorphic Shellcode Detection using Emulation. In Proceedings of the GI/IEEE SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA). July 2006, Berlin, Germany. (pdf)
- Demetres Antoniades, Manos Athanatos, Antonis Papadogiannakis, Evangelos P. Markatos, Constantine Dovrolis: Available bandwidth measurement as simple as running wget. In Proceedings of the Passive and Active Measurement Conference (PAM2006), March 2006 (pdf)
- Kostas G. Anagnostakis, Stelios Sidiroglou, Periklis Akritidis, Konstantinos Xinidis, Evangelos Markatos, and Angelos D. Keromytis: Detecting Targeted Attacks Using Shadow Honeypots. In the Proceedings of the 14th USENIX Security Symposium. August 2005, Baltimore, MD. (pdf)
- P. Akritidis, Kostas Anagnostakis, and E.P. Markatos: Efficient Content-Based Fingerprinting of Zero-Day Worms. Proceedings of the International Conference on Communications (ICC 2005), Seoul, Korea, 16-20 May 2005 (pdf)
- Kostas Xinidis, Kostas D. Anagnostakis, and Evangelos P. Markatos: Design and Implementation of a High-Performance Network Intrusion Prevention System. In the Proceedings of the 20th IFIP International Information Security Conference (SEC 2005), May 2005 (pdf)
- P. Akritidis, Evangelos P. Markatos, M. Polychronakis, and Kostas D. Anagnostakis: STRIDE: Polymorphic Sled Detection through Instruction Sequence Analysis. In the Proceedings of the 20th IFIP International Information Security Conference (SEC 2005), May 2005 (pdf)
- S. Antonatos, K. G. Anagnostakis, E. P. Markatos. Generating Realistic Workloads for Network Intrusion Detection Systems. Proceedings of the Fourth International Workshop on Software and Performance (WOSP2004), January 2004 (to appear). (pre-final draft pdf | compressed postscript)
Tools
- Cassandra is a utility that takes a trace file as input and reports suspicious packets based on the number of distinct destinations each source contacts.
- Packetgrep is a utility that, given a trace file, a payload hash, and a payload length, reports all packets whose payload matches.
If you would like a copy of the tool, please contact akritid AT ics.forth.gr
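Cassandra's source is not on this page; as an added illustration of the distinct-destination-count heuristic it describes (not the project's own code), the following Python counts the distinct destination addresses per source over constructed trace records and reports the packets of any source at or above a hypothetical threshold.

```python
from collections import defaultdict

# Constructed sample trace records: (timestamp, src_ip, dst_ip, dst_port).
# 10.0.0.5 behaves like a scanning host: every packet goes to a new address.
# 10.0.0.7 is a normal client repeatedly talking to the same two servers.
SAMPLE_TRACE = [
    (0.0, "10.0.0.7", "192.0.2.10", 80),
    (0.1, "10.0.0.5", "198.51.100.1", 445),
    (0.2, "10.0.0.5", "198.51.100.2", 445),
    (0.3, "10.0.0.7", "192.0.2.11", 443),
    (0.4, "10.0.0.5", "198.51.100.3", 445),
    (0.5, "10.0.0.5", "198.51.100.4", 445),
    (0.6, "10.0.0.7", "192.0.2.10", 80),
    (0.7, "10.0.0.5", "198.51.100.5", 445),
]


def distinct_destinations(records):
    """Map each source address to the set of distinct destinations it contacted."""
    seen = defaultdict(set)
    for _ts, src, dst, _port in records:
        seen[src].add(dst)
    return seen


def suspicious_sources(records, threshold):
    """Return {src: count} for sources whose distinct-destination count
    reaches the (hypothetical, site-tuned) threshold."""
    return {src: len(dsts)
            for src, dsts in distinct_destinations(records).items()
            if len(dsts) >= threshold}


def suspicious_packets(records, threshold):
    """Return the trace records sent by suspicious sources, in trace order,
    which is what a reporting tool would print for an analyst."""
    flagged = suspicious_sources(records, threshold)
    return [rec for rec in records if rec[1] in flagged]


if __name__ == "__main__":
    for ts, src, dst, port in suspicious_packets(SAMPLE_TRACE, threshold=4):
        print(f"{ts:5.1f} {src} -> {dst}:{port}")
```

A real trace would be read from pcap and the threshold tuned per network; a fixed threshold of 4 is only for the constructed sample.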
Members
Links
References
- S. Forrest, S. Hofmeyr, and A. Somayaji. Computer immunology. Communications of the ACM, 40(10), pp. 88-96, 1997.
- Carey Nachenberg. Computer virus-antivirus coevolution. Communications of the ACM, 40(1), pp. 47-51, January 1997.
- C. Estan and G. Varghese. New Directions in Traffic Measurement and Accounting. In Proceedings of the ACM SIGCOMM Conference, 2002.
Deliverables
D1.1 - Requirements analysis
D2.1 - System Design
D3.1 - System Implementation
D4.1 - System Deployment and Evaluation
D5.1 - Commercial Viability Study