Cyber Attacks

Types of cyber threats:

  • Unauthorised Access: An attacker gains unauthorised access to a network or specific systems, often exploiting vulnerabilities in software or weak authentication mechanisms
  • Malware Attacks: Malicious software, such as viruses, worms, Trojans, or ransomware, can infiltrate networks and infect devices to cause harm or steal sensitive information
  • DoS and DDoS Attacks: These attacks overwhelm network resources or services, rendering them unavailable to legitimate users
  • Insider Threats: Malicious or negligent actions by authorized individuals within an organization can lead to network breaches
  • Zero-day attacks: These attacks exploit vulnerabilities that are unknown to the software vendor or the victim

Unauthorised access

Unauthorised access is a type of network intrusion in which an individual or entity gains entry to a computer system, network, or specific resource without being authorised to do so.

Such a breach can lead to data theft, data manipulation, service disruption, and harm to an organisation’s reputation.

Methods of unauthorised access

  • Exploiting Vulnerabilities: Attackers may exploit software or hardware vulnerabilities in the target system. These vulnerabilities could be in the operating system, applications, or network devices.
  • Social Engineering: Social engineering involves manipulating individuals into revealing sensitive information or performing actions that compromise security. This could be through phishing emails, phone calls, or physical impersonation. Some examples can be found at: https://www.tessian.com/blog/examples-of-social-engineering-attacks
  • Default or Weak Credentials: Many devices and systems come with default usernames and passwords that users often fail to change, providing an easy entry point for attackers (https://grahamcluley.com/mirai-botnet-password/).
  • Password Cracking: Attackers recover weak or weakly hashed passwords to gain unauthorised access. It is usually carried out with automated tools or scripts that try many username/password combinations until one succeeds, either online against the login service or offline against a stolen password database. Common methods include brute force, dictionary attacks, hybrid attacks and credential phishing.
  • Insider Threats: Employees or individuals with authorised access to the network may abuse their privileges to gain unauthorised access to resources they are not supposed to access. E.g., a dissatisfied employee decides to use his/her elevated privileges to gain unauthorised access to sensitive data and resources within the organisation.

Detection of unauthorised access

Unauthorised access is prevented by combining controls such as access control policies, two-factor authentication and network segmentation.

Detection relies on network intrusion and anomaly detection, which monitor network traffic for suspicious activity and flag deviations from typical network behaviour (for example, bursts of failed logins from one source, or logins to accounts that never use that service) that can indicate unauthorised access attempts.
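One concrete detection for the password-guessing and credential-stuffing cases above is to count failed logins per source inside a sliding time window and to note whether a burst of failures is followed by a success. The block below is an added example, not part of the original notes: the log lines imitate OpenSSH's sshd messages but are constructed for the example, the year is assumed because syslog timestamps omit it, and the window and threshold values are assumptions to be tuned per environment.

```python
"""Detect password-guessing bursts in sshd-style authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source hammering the host, one legitimate user with a typo.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Mar  3 10:00:02 host sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar  3 10:00:02 host sshd[2103]: Failed password for root from 203.0.113.5 port 40213 ssh2
Mar  3 10:00:03 host sshd[2104]: Failed password for root from 203.0.113.5 port 40214 ssh2
Mar  3 10:00:04 host sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 40215 ssh2
Mar  3 10:00:05 host sshd[2106]: Failed password for invalid user oracle from 203.0.113.5 port 40216 ssh2
Mar  3 10:00:06 host sshd[2107]: Accepted password for backup from 203.0.113.5 port 40217 ssh2
Mar  3 10:00:30 host sshd[2110]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar  3 10:00:41 host sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text, year=2024):
    """Return (timestamp, source_ip, username, failed) tuples; year is assumed (syslog has none)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Failed"))
    return events


def find_bruteforce(events, window_s=60, threshold=5):
    """Sources with >= threshold failures inside any window_s-second window.

    For each flagged source the largest burst is reported, together with how many
    distinct usernames were tried and whether a successful login followed the burst
    (a strong sign that the guessing worked and the account is now compromised).
    """
    by_src = defaultdict(list)
    for ts, src, user, failed in events:
        by_src[src].append((ts, user, failed))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, user) for ts, user, failed in evs if failed]
        best, start = None, 0
        for end in range(len(fails)):            # sliding window over failure timestamps
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        burst_end = fails[end][0]
        alerts[src] = {
            "failures": count,
            "distinct_users": len({u for _, u in fails[start:end + 1]}),
            "success_after_burst": any(ts >= burst_end and not failed for ts, _, failed in evs),
        }
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(src, info)
```

The same loop works unchanged over VPN, RDP or web-application login events once the regex is swapped for that log format; the "success after burst" flag is what turns a noisy brute-force alert into an incident that needs a password reset.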

Malware attacks

Malware, short for “malicious software”, refers to any software intentionally designed to harm, exploit, or compromise computer systems, networks, or user devices. These attacks can have severe consequences, including data breaches, financial losses, and compromised privacy

Analysing memory dumps and binary files on the host (e.g., with signature-based methods) can provide valuable insights into various types of malware

We will focus on types of malicious software that can be detected by inspecting the network traffic they generate

Types of Malware

  • Spyware and keyloggers are designed to monitor user activities by tracking browsing habits, capturing keystrokes, and stealing sensitive information such as passwords and personal data.
    • They generate network traffic to send the stolen information to C&C servers controlled by the attackers. Monitoring network traffic can detect unusual data transmissions or communications with known malicious destinations
  • Worms are self-replicating malware that spread through networks without needing user interaction.
    • They often generate significant network traffic as they scan for and attempt to exploit vulnerabilities in other systems to infect them
  • Trojan Horses (Trojans) masquerade as legitimate software, enticing users to download and install them. Once inside a system, Trojans create backdoors, allowing unauthorised access and control for attackers.
    • This involves establishing communication with a remote server or a C&C server to receive commands or exfiltrate stolen data
  • Ransomware is a particularly destructive type of malware that encrypts the victim’s data, rendering it inaccessible until a ransom is paid to the attackers. It often spreads through phishing emails or malicious downloads
    • Ransomware generates network traffic during the infection process and when communicating with the C&C server (if it uses one). It may also attempt to communicate with remote servers to obtain encryption keys or to exfiltrate sensitive data before encryption
  • Botnets consist of a large number of infected computers (bots) under the control of a single attacker (botmaster)
    • These bots can be remotely commanded to perform various tasks, such as launching distributed denial-of-service (DDoS) attacks, sending spam emails, or spreading malware to other systems

Botnets

  • Botnets are the most relevant type of malware in the context of network intrusion. They are a significant threat on the internet and are used for many malicious activities, as the collective power of multiple bots allows attackers to perform large-scale, coordinated attacks. The life cycle of a botnet can be divided into the following phases:
    • Infection: through email attachments, infected web sites, software vulnerabilities, or weak credentials
    • Command and Control (C&C): after a computer is infected and joins the botnet, it establishes communication with the botmaster’s C&C server
    • Attack Phase: once the botnet is established and under the botmaster’s control, it can be used to carry out various malicious activities, including but not limited to DoS/DDoS attacks, spam and phishing campaigns, brute-force attacks, etc.

Detection of malware and botnets

Monitor and record network traffic during typical operations to understand what is considered normal for your network. This baseline will serve as a reference point for identifying anomalies and potential malware activities

  • Monitor DNS (Domain Name System) traffic for suspicious domain name requests. Some malware uses domain generation algorithms (DGAs) to generate pseudo-random domains for C&C communication
    • DGAs make it difficult for security researchers and defenders to predict and block the domains used for C&C communication by malware
  • Implement behaviour-based analysis to identify anomalies in network traffic. For instance, if a device suddenly starts generating excessive login attempts, it could be indicative of a brute-force attack or a compromised account
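A practical first cut at the DGA detection mentioned above looks at the registered label of each queried name: DGA output tends to be long, high-entropy, short on vowels or heavy on digits, unlike the dictionary-like labels of legitimate domains. The block below is an added example, not part of the original notes; the query names are constructed, the public-suffix list is a tiny stand-in (a real deployment would use the Public Suffix List), and the thresholds are assumptions to be tuned against your own DNS baseline.

```python
"""Heuristic DGA-likeness scoring for DNS query names (added example)."""
import math
from collections import Counter

# Constructed sample; the three random-looking names play the role of DGA output.
SAMPLE_QUERIES = [
    "www.google.com",
    "mail.example.org",
    "stackoverflow.com",
    "cdn.jsdelivr.net",
    "xk3jd9q2lz7vpq.com",
    "qwpzxtkjvnrbglm.net",
    "a8f2b91c3e7d44.info",
    "updates.microsoft.com",
]

# Assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "info", "io", "co.uk"}


def registered_label(name):
    """The label just left of the public suffix, i.e. the part a DGA randomises."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in PUBLIC_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character; random strings of mixed letters/digits score near log2(alphabet)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_features(name):
    label = registered_label(name)
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / len(label),
        "digit_ratio": digits / len(label),
    }


def looks_like_dga(name, min_len=10, min_entropy=3.2,
                   max_vowel_ratio=0.25, min_digit_ratio=0.3):
    """Flag long, high-entropy labels that are either nearly vowel-free or digit-heavy.

    Short labels are ignored: entropy is meaningless for them and most brand names
    are short. The thresholds are assumptions chosen for this sample.
    """
    f = dga_features(name)
    if f["length"] < min_len:
        return False
    unusual_shape = f["vowel_ratio"] <= max_vowel_ratio or f["digit_ratio"] >= min_digit_ratio
    return f["entropy"] >= min_entropy and unusual_shape


def suspicious_queries(names):
    return [n for n in names if looks_like_dga(n)]


if __name__ == "__main__":
    for n in SAMPLE_QUERIES:
        print(f"{n:28} {dga_features(n)['entropy']:.2f} {'DGA?' if looks_like_dga(n) else ''}")
```

In production this scorer is a pre-filter: names it flags should be correlated with NXDOMAIN rates per client (DGA-infected hosts query many non-existent names before they hit the live C&C domain) and checked against an allow-list of CDNs and cloud services, whose hostnames are also high-entropy.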

DoS/DDoS attacks

DoS and DDoS attacks are two types of cyberattacks aimed at disrupting the normal functioning of a target system or network. These attacks overload the target with an excessive amount of traffic, making it difficult or impossible for legitimate users to access the resources or services provided by the target.

A DDoS is a DoS attack launched simultaneously from many connected devices (typically a botnet) to overwhelm a target host or network.

  • DoS attacks can be broadly categorised into two main types based on how they overwhelm the target: bandwidth-based and resource-based

Bandwidth-based (volumetric) DoS attacks

  • Flood attacks (volumetric): attacks built with high rates of ICMP, SYN, HTTP and UDP packets, with the aim of consuming the victim’s network resources.
  • DNS, NTP, SSDP, SNMP, LDAP, NetBIOS and TFTP reflection (volumetric, reflection): DDoS attacks that exploit a specific UDP-based network service to overwhelm the victim with responses to queries the attacker sends to UDP servers (reflectors) using the victim’s spoofed IP address. Because the responses are larger than the queries, the reflectors also amplify the attacker’s bandwidth.
Source: cloudflare.com

Resource-based DoS attacks

Application Layer Attacks: These attacks target vulnerabilities in the application layer of a system. Instead of overwhelming the network with traffic, they exploit the application’s weaknesses to consume server resources or cause it to crash.

  • Slowloris: sends partial HTTP requests to a web server and keeps those connections open for as long as it can, exhausting the server’s connection slots. It uses very little bandwidth, with requests that mimic regular traffic.
  • HTTP POST attacks (cross-site scripting, XSS): the attacker injects malicious scripts into data sent via an HTTP POST request. When the server processes this data and displays it back to other users, the injected script executes in the context of their browsers (e.g., to steal session cookies, hijack the user’s session and take over the account).
  • HTTP POST attacks (SQL injection): the attacker manipulates the data sent via an HTTP POST request to inject SQL code into the backend database query. If the application does not properly validate and sanitise user input before constructing database queries, the injected SQL can lead to unauthorised access, data leakage, or even complete control of the database.
  • HTTP DoS attacks (HTTP flood): legitimate-looking HTTP GET or POST requests are sent at a rate that forces the server to allocate all its resources, overloading it until it becomes unresponsive or crashes.
  • Buffer overflow: the program writes more data into a buffer than its allocated size. When it processes the malicious input, data is written beyond the buffer’s boundary and corrupts adjacent memory, which may include data structures, control-flow pointers, or even executable code.

Note that XSS and SQL injection are injection attacks rather than resource-exhaustion attacks; they appear here because they arrive over the same HTTP POST channel and a crashed handler or a malformed query can still take the service down.

Protocol Exploitation: Exploiting flaws in network protocols to overload the target

  • SYN flood: the attacker sends a large number of SYN packets (the initial synchronisation request) with spoofed source IPs. Since the attacker never completes the handshake, the target is left holding half-open connections waiting for the final ACK, preventing legitimate users from establishing connections.
  • TCP SYN-ACK reflection: the attacker sends SYN packets with a spoofed source IP address (the victim’s) to many systems, which then send SYN-ACK packets to the victim. This causes a flood of traffic, leading to a DoS condition for the victim (source: cloudflare.com).
  • Ping of Death: the attacker sends oversized packets, i.e. fragments that reassemble to more than the maximum IPv4 packet size (65,535 bytes), causing the victim machine to become unresponsive or crash. Modern IP stacks check the reassembled length, so the Ping of Death itself is not a significant threat today.

Detection of DoS/DDoS attacks

  • Monitor your network traffic continuously to identify any sudden spikes or abnormal patterns (volumetric attacks)
  • Track the number of incoming connections per second. A significant increase in connection rates from specific IP addresses or subnets could be an indication of a DoS/DDoS attack
  • Observe the distribution of traffic across various services, ports, and protocols. A sudden shift in traffic patterns can be a sign of a DoS/DDoS attack
  • Inspect the TCP flags in TCP packets to detect SYN floods and other TCP-based DoS attacks (e.g., many SYNs received with few handshakes completed)
  • Analyse the size of individual packets: DDoS attacks, especially those involving amplification techniques, may produce packets significantly larger than normal traffic
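The TCP-flag check above can be made concrete by bucketing packets into time windows per destination and comparing the number of SYNs received with the number of bare ACKs that complete a handshake; a SYN flood shows many SYNs, almost no completions, and (when sources are spoofed) an unusually large number of distinct source addresses. The block below is an added example, not part of the original notes: the packet records are constructed tuples rather than a real capture, and the window size, SYN count and completion-ratio thresholds are assumptions.

```python
"""Per-destination SYN/ACK ratio check for SYN-flood detection (added example)."""
from collections import defaultdict

# TCP flag bits as laid out in the TCP header; only SYN and ACK are used here.
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
SERVER = "192.0.2.10"  # constructed: the server under attack


def build_sample():
    """Constructed capture as (timestamp_s, src_ip, dst_ip, tcp_flags) tuples:
    20 legitimate handshakes spread over 18 s, plus a spoofed SYN flood of
    500 packets arriving between t=10 s and t=14.5 s."""
    pkts = []
    for i in range(20):
        client, t = f"198.51.100.{i + 1}", i * 0.9
        pkts += [
            (t, client, SERVER, SYN),               # client -> server SYN
            (t + 0.01, SERVER, client, SYN | ACK),  # server -> client SYN-ACK
            (t + 0.02, client, SERVER, ACK),        # client -> server ACK: handshake done
        ]
    for i in range(500):
        spoofed, t = f"203.0.113.{i % 200 + 1}", 10.0 + i * 0.009
        pkts.append((t, spoofed, SERVER, SYN))               # SYN from a spoofed source
        pkts.append((t + 0.01, SERVER, spoofed, SYN | ACK))  # reply goes nowhere; no ACK follows
    return sorted(pkts)


def detect_syn_flood(pkts, window_s=10.0, min_syn=100, max_completion=0.5):
    """Return one alert per (window, destination) where at least min_syn SYNs arrived
    and fewer than max_completion of them were followed by a bare ACK.

    Bare ACKs also carry ordinary data acknowledgements, so this slightly overestimates
    completions; tracking per-flow state would be exact but is omitted for brevity.
    """
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "sources": set()})
    for ts, src, dst, flags in pkts:
        key = (int(ts // window_s), dst)
        if flags == SYN:                 # new connection request arriving at dst
            stats[key]["syn"] += 1
            stats[key]["sources"].add(src)
        elif flags == ACK:               # third step of a handshake arriving at dst
            stats[key]["completed"] += 1

    alerts = []
    for (window, dst), s in sorted(stats.items()):
        if s["syn"] < min_syn:
            continue
        ratio = s["completed"] / s["syn"]
        if ratio < max_completion:
            alerts.append({
                "window": window,
                "dst": dst,
                "syn": s["syn"],
                "completed": s["completed"],
                "completion_ratio": round(ratio, 3),
                "distinct_sources": len(s["sources"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_syn_flood(build_sample()):
        print(a)
```

The distinct-source count is the tell-tale for spoofing: 200 different addresses opening connections in a few seconds and none of them finishing the handshake is not what a busy but healthy server sees.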

Trend of DDoS attacks

Insider Cyber Threats

Definition: An insider cyber threat is a security risk to an organisation’s information systems and data posed by individuals who have authorised access to the organisation’s resources.

These individuals can be current or former employees, contractors, partners, or anyone else with legitimate access privileges. The danger arises from the fact that insiders have detailed knowledge of the organisation’s systems and already sit behind its perimeter defences, which can make them more dangerous than external attackers.

Categories of Insider Cyber Threats

  • Malicious Insiders: These are individuals who deliberately and knowingly exploit their access privileges to carry out harmful activities. Their motivations may vary, ranging from financial gain and revenge to ideological reasons. Examples of malicious insider actions include stealing sensitive data, selling proprietary information to competitors, intentionally causing data breaches, or disrupting critical systems.
  • Unintentional Insiders: These individuals inadvertently pose a threat due to carelessness, lack of awareness, or negligence. They might fall victim to phishing attacks, download malware unknowingly, or accidentally disclose sensitive information.

Detection of insider attacks

  • Track and log user actions across the network. This includes monitoring file access, login attempts, data transfers, and changes to sensitive files. Unusual or unauthorised activities could be indicative of an insider threat
  • Utilise anomaly detection methods to identify abnormal behaviour in real-time. These tools can establish a baseline of normal behaviour for each user and raise alerts when deviations occur
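The per-user baseline described above is the same baseline-and-deviation idea the zero-day section later calls anomaly detection, applied to audit data instead of packets. The block below is an added example, not part of the original notes: it builds each user's baseline from the first three weeks of constructed daily summaries (bytes sent out, files accessed, off-hours logins) and raises an alert when a later day deviates by more than an assumed z-score threshold, or when a feature that was constant in the baseline suddenly changes.

```python
"""Per-user behavioural baseline with deviation alerts (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("bytes_out", "files_accessed", "off_hours_logins")


def build_records():
    """Constructed daily summaries as (user, day, bytes_out, files_accessed, off_hours_logins).
    alice is steady throughout; bob is steady until day 28, when he pulls ~900 MB and
    600 files overnight."""
    recs = []
    for day in range(1, 31):
        recs.append(("alice", day, 50_000_000 + (day % 5) * 1_000_000, 40 + day % 3, 0))
        if day == 28:
            recs.append(("bob", day, 900_000_000, 600, 3))
        else:
            recs.append(("bob", day, 20_000_000 + (day % 4) * 500_000, 25 + day % 2, 0))
    return recs


def baselines(records, train_days=21):
    """Per-user (mean, population stdev) of each feature over the training period."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, day, bytes_out, files, off_hours in records:
        if day <= train_days:
            for name, value in zip(FEATURES, (bytes_out, files, off_hours)):
                per_user[user][name].append(value)
    return {u: {f: (mean(v), pstdev(v)) for f, v in feats.items()}
            for u, feats in per_user.items()}


def score(records, base, train_days=21, z_threshold=3.0):
    """Alert on post-training days where any feature exceeds the user's baseline by
    more than z_threshold standard deviations. A feature with zero variance in the
    baseline (e.g. never logged in off-hours) is flagged on any increase at all."""
    alerts = []
    for user, day, bytes_out, files, off_hours in records:
        if day <= train_days or user not in base:
            continue
        reasons = []
        for name, value in zip(FEATURES, (bytes_out, files, off_hours)):
            mu, sigma = base[user][name]
            if sigma == 0:
                if value > mu:
                    reasons.append(f"{name}={value} never seen in baseline (constant {mu:g})")
            elif (value - mu) / sigma > z_threshold:
                reasons.append(f"{name}={value} z={(value - mu) / sigma:.1f}")
        if reasons:
            alerts.append({"user": user, "day": day, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    recs = build_records()
    for alert in score(recs, baselines(recs)):
        print(alert)
```

Only upward deviations are scored because the question is "is this user doing more than usual", and per-user baselines matter: bob's 900 MB day would be unremarkable for a backup operator, which is exactly why a single global threshold produces either noise or misses.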

Zero-day attacks

Definition: Zero-day attacks target vulnerabilities in software, operating systems, or network infrastructure that are unknown to the vendor and unpatched, so no security fix is available when the attack takes place

The term “zero-day” refers to the fact that the vendor has had zero days to develop a fix since the flaw became known: from the moment the vulnerability is discovered, the clock starts ticking for the targeted organisation to find a way to defend against the attack, and with no prior knowledge of the flaw, victims have no time to prepare or protect themselves

Examples of zero-day attacks

  • Stuxnet (discussed earlier) is perhaps one of the most infamous zero-day attacks in history. Stuxnet exploited multiple zero-day vulnerabilities in Windows and Siemens industrial software to propagate and manipulate centrifuges, causing physical damage to Iran’s uranium enrichment facilities.
  • WhatsApp Zero-Day Vulnerability (2019). In 2019, a zero-day vulnerability was discovered in WhatsApp, a popular messaging application owned by Facebook. The vulnerability allowed attackers to install spyware on targeted devices by exploiting a bug in the app’s voice call feature. The spyware could collect sensitive data and even turn on the device’s camera and microphone without the user’s knowledge.

Detection of zero-day attacks

Zero-day attacks are particularly challenging for traditional signature-based security solutions because there are no known patterns or signatures for these exploits. Machine learning, on the other hand, can analyse large amounts of data, detect anomalies, and identify previously unknown attack patterns, making it better suited to zero-day attack detection

  • Anomaly Detection: Machine learning algorithms can be trained on normal network behaviour, allowing them to identify deviations from the expected patterns. When an attack occurs, the behaviour is likely to differ from the norm, triggering an alert

ML-based detection of zero-day attacks

To maximise the benefits of machine learning for zero-day attack detection, it should be part of a comprehensive approach that combines it with multiple other cybersecurity techniques, including:

  • human expertise
  • traditional security measures (e.g., signatures, rules and heuristics)
  • staying up-to-date with the latest security research