Your search keyword '"Vuletić, Pavle"' showing total 2 results

1. DNS exfiltration detection in the presence of adversarial attacks and modified exfiltrator behaviour.

Author

Žiža, Kristijan, Tadić, Predrag, and Vuletić, Pavle

Subjects

INTERNET domain naming system, SCIENTIFIC community

Abstract

The Domain Name System (DNS) exfiltration is an activity in which an infected device sends data to the attacker's server by encoding it in DNS request messages. Because of the frequent use of DNS exfiltration for malicious purposes, exfiltration detection gained attention from the research community which proposed several predominantly machine learning-based methods. The majority of previous studies used publicly available DNS exfiltration tools with the default configuration parameters, resulting in datasets created from DNS exfiltration requests that are usually significantly longer, have more DNS name labels, and higher character entropy than average regular DNS requests. This further led to overly optimistic detection rates. In this paper, we have explored some of the strategies an attacker could use to avoid exfiltration detection. First, we have explored the impact of DNS exfiltration tools' parameter variation on the exfiltration detection accuracy. Second, we have modified the DNSExfiltrator tool to produce exfiltration requests which have significantly lower character entropy. This approach proved to be capable of deceiving classifiers based on single DNS request features. Only around 1% of modified DNS requests shorter or equal to 9 bytes, and less than one third of DNS exfiltration requests in the overall population were accurately detected. In addition, we present a methodology and an aggregated feature set (including inter-request timing statistics) which can be used for accurate DNS exfiltration in this kind of adversarial settings. [ABSTRACT FROM AUTHOR]

Published

2023

2. Early web application attack detection using network traffic analysis.

Author

Rajić, Branislav, Stanisavljević, Žarko, and Vuletić, Pavle

Subjects

WEB-based user interfaces, SUPERVISED learning, MACHINE learning, HTTP (Computer network protocol), INTERNET traffic, TRAFFIC monitoring, COMPUTER networks, SCANNING systems

Abstract

The number of deployed web applications and the number of web-based attacks in the last decade are constantly increasing. One group of tools that gained the attention of cyber security specialists are Dynamic Application Security Testing (DAST) tools, which is used to assess the security posture of web applications. DAST tools have similar purpose for web applications as network scanners and mappers have for local networks and computers—to scan web applications, enumerate as much as possible information from them and this way potentially reveal existing vulnerabilities. The tools are not only used by security analysts but also by the attackers in the reconnaissance and enumeration phases of the attack. This paper analyses DAST tools' network behaviour patterns, characteristic features that distinguish them from other traffic and methods to detect their operation using classical supervised machine learning methods. Unlike most of the work related to web application security and web application attack detection, which relies on HTTP logs, the research presented here is based on network traffic traces and flow statistics. This allows malicious scanning detection on the network traffic path even in the case of encrypted web traffic. Experimental results show that an accurate and reliable detection of four analysed DAST tools, ZAP, Nikto, Vega and Arachni, is possible. Flow classification of the existing DAST tools has high precision because DAST tools still do not deploy any mechanisms to hide their operation and mimic web application browsing by human users. Additionally, the paper contains an analysis of fast malicious behaviour detection through an analysis of the detection of malicious behaviour, while the flows are still active. The experimental results show that it is possible to detect malicious behaviour with a relatively high accuracy after only 15 packets in a flow. [ABSTRACT FROM AUTHOR]

Published

2023