Fool me if you can: Mimicking attacks and anti-attacks in cyberspace

Shui Yu, Song Guo, Ivan Stojmenovic

Research output: Journal article publication › Journal article › Academic research › peer-review

65 Citations (Scopus)

Abstract

Botnets have become major engines for malicious activities in cyberspace. To sustain their botnets and disguise their malicious actions, botnet owners mimic legitimate cyber behavior to fly under the radar. This poses a critical challenge for anomaly detection. In this paper, we use web browsing on popular web sites as an example to tackle this problem. First, we establish a semi-Markov model for browsing behavior. Based on this model, we find that it is impossible to detect mimicking attacks using statistics if the number of active bots in the attacking botnet is sufficiently large (no less than the number of active legitimate users). However, we also find that it is hard for botnet owners to satisfy this condition for a mimicking attack most of the time. With this new finding, we conclude that mimicking attacks can be discriminated from genuine flash crowds using second-order statistical metrics. We define a new fine correntropy metric and show its effectiveness compared to others. Our real-world data set experiments and simulations confirm our theoretical claims. Furthermore, the findings can be widely applied to similar situations in other research fields.
Original language: English
Article number: 6601602
Pages (from-to): 139-151
Number of pages: 13
Journal: IEEE Transactions on Computers
Volume: 64
Issue number: 1
DOIs
Publication status: Published - 1 Jan 2015
Externally published: Yes

Keywords

  • detection
  • flash crowd attack
  • Mimicking
  • second order metrics

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Software
  • Hardware and Architecture
  • Computational Theory and Mathematics
