Detection of network buffer overflow attacks: A case study

Barabas, Maroš; Homoliak, Ivan; Kacic, Matej; Hanáček, Petr

doi:10.1109/ccst.2013.6922067

Cited by 2 publications

(2 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…ASNM features [10] are network connection features that describe various properties of TCP connections and were designed with the intention to distinguish between legitimate traffic and remote buffer overflow attacks. We studied behavioral characteristics of remote buffer overflow attacks in our previous work [24], and our findings inspired the design of ASNM features. We can interpret ASNM features like an extended protocol NetFlow [18] but describing more than statistical properties of network connections.…”

Section: Asnm Features and Context Analysismentioning

confidence: 99%

ASNM Datasets: A Collection of Network Attacks for Testing of Adversarial Classifiers and Intrusion Detectors

Homoliak¹,

Malinka²,

Hanáček³

2020

IEEE Access

Self Cite

View full text Add to dashboard Cite

In this paper, we present three datasets that have been built from network traffic traces using ASNM (Advanced Security Network Metrics) features, designed in our previous work. The first dataset was built using a state-of-the-art dataset CDX 2009 that was collected during a cyber defense exercise, while the remaining two datasets were collected by us in 2015 and 2018 using publicly available network services containing buffer overflow and other high severity vulnerabilities. These two datasets contain several adversarial obfuscation techniques that were applied onto malicious as well as legitimate traffic samples during "the execution" of their TCP network connections. Adversarial obfuscation techniques were used for evading machine learning-based network intrusion detection classifiers. We show that the performance of such classifiers can be improved when partially augmenting their training data by samples obtained from obfuscation techniques. In detail, we utilized tunneling obfuscation in HTTP(S) protocol and non-payload-based obfuscations modifying various properties of network traffic by, e.g., TCP segmentation, re-transmissions, corrupting and reordering of packets, etc. To the best of our knowledge, this is the first collection of network traffic data that contains adversarial techniques and is intended for non-payload-based network intrusion detection and adversarial classification. Provided datasets enable testing of the evasion resistance of arbitrary machine learning-based classifiers. INDEX TERMS Dataset, network intrusion detection, adversarial classification, evasions, ASNM features, buffer overflow, non-payload-based obfuscations, tunneling obfuscations.

show abstract

Section: Asnm Features and Context Analysismentioning

confidence: 99%

ASNM Datasets: A Collection of Network Attacks for Testing of Adversarial Classifiers and Intrusion Detectors

Homoliak¹,

Malinka²,

Hanáček³

2020

IEEE Access

Self Cite

View full text Add to dashboard Cite

show abstract

“…ASNM features [4] are network connection features that describe various properties of TCP connections and were designed with the intention to distinguish between legitimate traffic and remote buffer overflow attacks. 6 We studied behavioral characteristics of remote buffer overflow attacks in our previous work [17], and our findings inspired the design of ASNM features. We can interpret ASNM features like an extended protocol NetFlow [11] but describing more than statistical properties of network connections.…”

Section: Asnm Features and Context Analysismentioning

confidence: 99%

ASNM Datasets: A Collection of Network Traffic Features for Testing of Adversarial Classifiers and Network Intrusion Detectors

Homoliak,

Hanacek

2019

Preprint

Self Cite

View full text Add to dashboard Cite

In this paper, we present three datasets that have been built from network traffic traces using ASNM features, designed in our previous work. The first dataset was built using a state-of-the-art dataset called CDX 2009, while the remaining two datasets were collected by us in 2015 and 2018, respectively. These two datasets contain several adversarial obfuscation techniques that were applied onto malicious as well as legitimate traffic samples during "the execution" of particular TCP network connections. Adversarial obfuscation techniques were used for evading machine learning-based network intrusion detection classifiers. Further, we showed that the performance of such classifiers can be improved when partially augmenting their training data by samples obtained from obfuscation techniques. In detail, we utilized tunneling obfuscation in HTTP(S) protocol and non-payload-based obfuscations modifying various properties of network traffic by, e.g., TCP segmentation, retransmissions, corrupting and reordering of packets, etc. To the best of our knowledge, this is the first collection of network traffic metadata that contains adversarial techniques and is intended for non-payload-based network intrusion detection and adversarial classification. Provided datasets enable testing of the evasion resistance of arbitrary classifier that is using ASNM features.

show abstract

Detection of network buffer overflow attacks: A case study

Cited by 2 publications

References 3 publications

ASNM Datasets: A Collection of Network Attacks for Testing of Adversarial Classifiers and Intrusion Detectors

ASNM Datasets: A Collection of Network Attacks for Testing of Adversarial Classifiers and Intrusion Detectors

ASNM Datasets: A Collection of Network Traffic Features for Testing of Adversarial Classifiers and Network Intrusion Detectors

Contact Info

Product

Resources

About