Cyber-Attack Detection and Defense Based on Spectral Analysis and Community Structure Recognition

  • 王 子夏

Student thesis: Doctoral Thesis


With the ever-growing number of online services nowadays and the proliferation of wireless access services, more and more users are connecting to the Internet. However, the increasing reliance on the Internet and associated network services exposes users to the risk of malicious attacks by third parties intent on causing short-term disruption or more serious long-term damage. Among the various network security concerns, botnets are regarded as one of the leading threats to network security and are used to conduct a wide range of malicious activities, including information theft, phishing, spam mail distribution and Distributed Denial of Service (DDoS) attacks. Of the various forms of botnet, DGA-based botnets, which utilize a Domain Generation Algorithm (DGA) to avoid detection, are one of the most disruptive and difficult to detect. In addition to botnets, attacks on social network sites have also emerged as a major concern in recent years. One of the most common and harmful types of attack is the Sybil attack, in which the attacker creates multiple identities and uses these identities to breach a running system with fake information.

Although botnets and Sybil attacks are both difficult to detect, they leave behind several important clues which can be used to identify their presence. For example, when the communication patterns of a botnet, or the relationships among the Sybil nodes and the honest nodes, are mapped onto a graph, the graph shows a unique characteristic in terms of its community structure. Accordingly, this dissertation proposes a clustering algorithm for detecting the community structure of cyber-attacks.

More specifically, to address the problem of DGA-based botnets, a scheme is proposed for detecting botnet activity by analyzing the query behavior of the DNS traffic. The proposed scheme exploits the fact that hosts compromised by the same DGA-based malware query the same sets of domains in the domain list, and most of these queries fail, since only a very small number of the domains are actually associated with an active C&C. The evaluation results show that the proposed scheme provides an accurate and effective means of detecting both existing and new DGA-based botnet patterns in real-world networks.

To counter the problem of Sybil attacks, the dissertation additionally proposes a defense mechanism based on the characteristic structural properties of honest and Sybil groups. Notably, in contrast to most existing Sybil defense schemes, which require knowledge of at least one honest node in advance, the scheme proposed in this dissertation has the ability to detect Sybil groups in a network without the need for any prior knowledge regarding the honest nodes. The performance of the proposed defense scheme is evaluated using data obtained from a real-world social network (Facebook). The results show that the proposed scheme has the ability to detect Sybil attacks in real social networks with a low false positive ratio.
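The DNS-side signal described in the abstract (hosts infected with the same DGA malware issue overlapping sets of lookups, most of which fail) can be turned into a simple grouping check. The following Python is an added illustration, not the dissertation's algorithm; the resolver log format, the sample records, the Jaccard linkage and the thresholds are all assumptions.

```python
# Added example (not the dissertation's code): cluster hosts by shared NXDOMAIN lookups.
from collections import defaultdict
from itertools import combinations

# Constructed resolver log: "client_ip qname rcode"
SAMPLE_LOG = """\
10.0.0.5 xk3r9qpl.com NXDOMAIN
10.0.0.5 b7gh2zq.net NXDOMAIN
10.0.0.5 mmz81wq.org NXDOMAIN
10.0.0.5 www.example.com NOERROR
10.0.0.7 xk3r9qpl.com NXDOMAIN
10.0.0.7 b7gh2zq.net NXDOMAIN
10.0.0.7 mmz81wq.org NXDOMAIN
10.0.0.7 q2lcx7vn.biz NXDOMAIN
10.0.0.9 www.example.com NOERROR
10.0.0.9 mail.example.org NOERROR
10.0.0.9 typo-exmaple.com NXDOMAIN
10.0.0.12 xk3r9qpl.com NXDOMAIN
10.0.0.12 q2lcx7vn.biz NXDOMAIN
10.0.0.12 cdn.example.net NOERROR
"""

def parse_log(text):
    """Per-host set of failed qnames and total query count."""
    failed, total = defaultdict(set), defaultdict(int)
    for line in filter(None, text.splitlines()):
        host, qname, rcode = line.split()
        total[host] += 1
        if rcode == "NXDOMAIN":
            failed[host].add(qname.lower())
    return failed, total

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def find_suspicious_groups(text, min_fail_ratio=0.5, min_jaccard=0.3):
    """Return groups (size >= 2) of heavy-failing hosts whose failed-lookup sets overlap."""
    failed, total = parse_log(text)
    cands = [h for h in total if len(failed[h]) / total[h] >= min_fail_ratio]
    parent = {h: h for h in cands}            # union-find over candidate hosts
    def find(x):
        return x if parent[x] == x else find(parent[x])
    for a, b in combinations(cands, 2):       # link hosts with similar failure sets
        if jaccard(failed[a], failed[b]) >= min_jaccard:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for h in cands:
        groups[find(h)].add(h)
    # A lone failer is noise (typos); hosts sharing failed domains are the signal.
    return sorted(sorted(g) for g in groups.values() if len(g) >= 2)
```

On the constructed log, the three hosts that share the algorithmically looking failed names end up in one group, while the host with a single typo lookup is left alone.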
Date of Award: 2017 Feb 2
Original language: English
Supervisor: Hui-Tang Lin (Supervisor)
