Development of a Secure Traffic Analysis System to Trace Malicious Activities on Internal Networks | IEEE Conference Publication | IEEE Xplore

Development of a Secure Traffic Analysis System to Trace Malicious Activities on Internal Networks


Abstract:

In contrast to conventional cyber attacks such as mass infection malware, targeted attacks take a long time to complete their mission. By using a dedicated malware for evading detection at the initial attack, an attacker quietly succeeds in setting up a front-line base in the target organization. Communication between the attacker and the base adopts popular protocols to hide its existence. Because conventional countermeasures deployed on the boundary between the Internet and the internal network will not work adequately, monitoring on the internal network becomes indispensable. In this paper, we propose an integrated sandbox system that deploys a secure and transparent proxy to analyze internal malicious network traffic. The adoption of software defined networking technology makes it possible to redirect any internal traffic from/to a suspicious host to the system for an examination of its insidiousness. When our system finds malicious activity, the traffic is blocked. If the malicious traffic is regarded as mandatory, e.g., for controlled delivery, the system works as a transparent proxy to bypass it. For benign traffic, the system works as a transparent proxy as well. If binary programs are found in traffic, they are automatically extracted and submitted to a malware analysis module of the sandbox. In this way, we can safely identify the intention of the attackers without making them aware of our surveillance.
Date of Conference: 21-25 July 2014
Date Added to IEEE Xplore: 22 September 2014
Electronic ISBN: 978-1-4799-3575-8
Electronic ISSN: 0730-3157
Conference Location: Vasteras, Sweden
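The redirect-then-decide flow described in the abstract (SDN redirects only a suspicious host's traffic to the proxy; the proxy blocks known-malicious flows, relays benign and controlled-delivery flows transparently, and carves executables out of the traffic for the sandbox), as an added example that is not the paper's own code. The host addresses, destination lists and HTTP payloads are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Executable headers the carving step recognises at the start of an HTTP body.
EXEC_MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}


@dataclass
class Flow:
    src: str            # internal host
    dst: str            # remote peer
    payload: bytes = b""


@dataclass
class Verdict:
    action: str                                   # "forward", "block" or "proxy"
    samples: list = field(default_factory=list)   # (kind, sha256) of carved binaries


def carve_binary(payload: bytes):
    """Return (kind, sha256) if the HTTP body starts with an executable header."""
    _, sep, body = payload.partition(b"\r\n\r\n")
    body = body if sep else payload
    for magic, kind in EXEC_MAGIC.items():
        if body.startswith(magic):
            return kind, hashlib.sha256(body).hexdigest()
    return None


def decide(flow: Flow, suspicious: set, malicious_dst: set, controlled_delivery: set) -> Verdict:
    # 1. The SDN controller redirects only traffic from/to hosts flagged as suspicious;
    #    everything else is forwarded untouched and never reaches the proxy.
    if flow.src not in suspicious and flow.dst not in suspicious:
        return Verdict("forward")
    # 2. Any binary seen in the redirected traffic is carved for the sandbox,
    #    whatever the final action turns out to be.
    sample = carve_binary(flow.payload)
    samples = [sample] if sample else []
    # 3. Known-malicious traffic is blocked unless it was deliberately permitted
    #    (controlled delivery), in which case it is relayed like benign traffic.
    if flow.dst in malicious_dst and flow.dst not in controlled_delivery:
        return Verdict("block", samples)
    # 4. Benign or permitted traffic is relayed by the transparent proxy.
    return Verdict("proxy", samples)


# Constructed scenario: 10.0.0.5 is the flagged host, 203.0.113.9 a known C2.
SUSPICIOUS, MALICIOUS = {"10.0.0.5"}, {"203.0.113.9"}
DROPPER = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ\x90\x00fake-pe"
```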

1. Introduction

In recent years, the increasing number of sophisticated and targeted attacks has become a growing concern. In contrast to conventional cyber attacks, these attacks set goals for gaining access to intellectual property, retrieving personally identifiable information, and sometimes destroying information systems. To evade detection of their existence, they take a long time to complete their mission: months or even years in some cases. A typical targeted cyber attack exhibits the following pattern. First, the attackers exhaustively investigate their target organization via social engineering. In order to obtain initial access to the victim's network, the attackers start with a phishing attack against the targeted company. Selected employees of the victim company receive an e-mail disguised as a legitimate e-mail from a trusted source. This e-mail contains illegal content such as malware and/or a link to a Web site that hosts malicious code. If employees open the contents or click the link, thus executing the malware, their host is compromised as a front-line base of the attackers. The attackers initially install a remote administration tool (RAT) on the host to obtain control of it. At the base, the attackers silently monitor the activities of the infected host and listen to the communication of the network, thereby obtaining useful information related to the relationships among employees, the workflow of their business, the services running on other hosts, and the structure of the network. Based on such reconnaissance, they move to VIP victims who have authority to access highly valued assets. Eventually, these assets are sabotaged or stolen.
