Researchers develop algorithm to rapidly track down malicious cyber content

Mar 17, 2014

Cyber attacks are the primary domestic security threat facing the United States, FBI Director James Comey told the Senate Homeland Security Committee last year. In our brave new world, traditional warfare is now inextricably linked to economic and cyber warfare. In just one example, cyber strikes have the potential to derail a nation's power grid, causing widespread damage, chaos, and loss of life. That's why surveillance programs must keep one step ahead of the perpetrators to secure civilian networks, cyberspace, and infrastructures essential to daily life.

Prof. Yehuda Afek and Shir Landau-Feibish of Tel Aviv University's Blavatnik School of Computer Sciences have joined forces with Prof. Anat Bremler-Barr of the Interdisciplinary Center in Herzliya to develop a technique that combats high-volume attacks by armies of "computer zombies." The researchers have devised an algorithm that identifies malicious content related to distributed denial of service (DDoS) attacks—attacks that direct high volumes of traffic at a single targeted site to shut down websites, banks, companies, and essential government and civil infrastructure functions.

The researchers' "double heavy hitters algorithm," presented last October at the annual Symposium on Architectures for Networking and Communications Systems conference in California and published in IEEE Xplore, is capable of finding even the smallest set of cyber clues or footprints (known as "signatures") required to detect attacks that may currently slip under the radar. Their work is supported by the Israeli Industry, Trade and Labor Ministry's Kabarnit-Cyber Consortium Magnet Program.

Zombies on the march

"Security is like electronic warfare. They get smarter and we have to get smarter with them," says Landau-Feibish. "The only way to identify the signature of the new attackers is to devise new technology that will automatically review huge amounts of data in real time and find common patterns that the human eye would easily miss.

"We are focused on 'zero-day' attacks, attacks about which we have no prior knowledge, perpetrated by huge armies of computer zombies called 'botnets'—computers that have been unknowingly programmed to participate in a larger strike without their owners' knowledge," Landau-Feibish said. "In the past, source verification methods combined with traffic behavioral analysis were enough to identify and distinguish the source of the malicious attack. But now, in the face of huge zombie-armies, these methods are insufficient. A new method is required."

Security companies today painstakingly conduct real-time analysis of web traffic to identify cyber attackers. But since terrorists now hide behind the guise of seemingly legitimate traffic and countless "innocent" computer sources, analysts are forced to change their tactics to become more efficient.

Malicious traffic

In their study, the researchers compared content extracted from normal traffic with content from attack traffic to identify the telltale footprints of attackers. The well-known "heavy hitters" streaming algorithm, which was designed to find frequently occurring numerical values in a data stream, served as the base for the new algorithm, which is able to detect frequently recurring, varying sequences of characters in the traffic.
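To make the idea concrete, here is an added illustration (not the researchers' published algorithm): a single-level Misra-Gries heavy-hitters sketch is run over fixed-length character substrings (k-grams) of attack payloads, and the survivors are then checked against peaceful traffic so that substrings common to both are not reported as signatures. The payloads, the k-gram length and the thresholds are constructed assumptions.

```python
from collections import Counter

# Added illustration, not the researchers' published algorithm: a single-level
# Misra-Gries heavy-hitters sketch over k-grams (fixed-length character
# substrings) of attack payloads, then filtered against peaceful traffic.

def kgrams(payload, k):
    """Every distinct length-k substring of one payload (sliding window)."""
    return {payload[i:i + k] for i in range(len(payload) - k + 1)}

def misra_gries(stream, capacity):
    """Classic heavy-hitters summary with at most `capacity` counters.
    Any key with frequency > n/(capacity+1) survives; counts are lower bounds."""
    counters = {}
    for key in stream:
        if key in counters:
            counters[key] += 1
        elif len(counters) < capacity:
            counters[key] = 1
        else:  # summary full: decrement everything, evict zeros
            for other in list(counters):
                counters[other] -= 1
                if counters[other] == 0:
                    del counters[other]
    return counters

def extract_signatures(attack, normal, k=8, capacity=100,
                       min_attack_share=0.5, max_normal_share=0.05):
    """Return {kgram: share of attack packets containing it} for k-grams that
    are frequent in attack traffic but rare in peaceful traffic."""
    candidates = misra_gries((g for p in attack for g in kgrams(p, k)), capacity)
    # Exact counts only for the few survivors (the usual verification pass);
    # the normal-traffic check is what keeps false positives down.
    normal_counts = Counter(g for p in normal for g in kgrams(p, k))
    sigs = {}
    for g in candidates:
        a = sum(g in p for p in attack) / len(attack)
        n = normal_counts[g] / len(normal)
        if a >= min_attack_share and n <= max_normal_share:
            sigs[g] = a
    return sigs

# Constructed sample payloads (not real captures): the flood shares a fixed
# User-Agent string, everything else looks like ordinary requests.
ATTACK = [f"GET /index.php?id={i} HTTP/1.1\r\nUser-Agent: botXYZ/1.0\r\n"
          for i in range(10, 60)]
NORMAL = [f"GET /index.php?id={i} HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n"
          for i in range(10, 60)]

if __name__ == "__main__":
    for sig, share in sorted(extract_signatures(ATTACK, NORMAL).items()):
        print(repr(sig), f"{share:.0%} of attack packets")
```

Only the k-grams overlapping the flood's User-Agent value survive; the request line and header names, which peaceful traffic shares, are suppressed by the normal-traffic check.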

"A footprint can be so very small—even a single character that is out of place in a certain context," said Landau-Feibish. "Security companies need time to sift through traffic to identify these footprints. In the meantime, the customers' sites are gridlocked. We were able to cut down that time as well as decrease false positives, peaceful traffic misidentified as malicious, and false negatives—malicious traffic originally identified as safe."

The team is currently working on a "triple heavy hitter" algorithm, which will identify combinations of footprints to further improve the identification of DDoS strikes. The researchers are also exploring ways of expanding their methods to identify other types of attacks.
