Deakin University
Browse

File(s) under permanent embargo

Fool me if you can: mimicking attacks and anti-attacks in cyberspace

Version 2 2024-06-05, 05:25
Version 1 2015-08-28, 13:17
journal contribution
posted on 2024-06-05, 05:25 authored by S Yu, S Guo, I Stojmenovic
Botnets have become major engines for malicious activities in cyberspace nowadays. To sustain their botnets and disguise their malicious actions, botnet owners are mimicking legitimate cyber behavior to fly under the radar. This poses a critical challenge in anomaly detection. In this paper, we use web browsing on popular web sites as an example to tackle this problem. First of all, we establish a semi-Markov model for browsing behavior. Based on this model, we find that it is impossible to detect mimicking attacks based on statistics if the number of active bots of the attacking botnet is sufficiently large (no less than the number of active legitimate users). However, we also find it is hard for botnet owners to satisfy the condition to carry out a mimicking attack most of the time. With this new finding, we conclude that mimicking attacks can be discriminated from genuine flash crowds using second order statistical metrics. We define a new fine correntropy metrics and show its effectiveness compared to others. Our real world data set experiments and simulations confirm our theoretical claims. Furthermore, the findings can be widely applied to similar situations in other research fields.

History

Journal

IEEE Transactions on Computers

Volume

64

Pagination

139-151

Location

Piscataway, N.J.

ISSN

0018-9340

Publication classification

C Journal article, C1 Refereed article in a scholarly journal

Copyright notice

2015, IEEE

Issue

1

Publisher

IEEE