Abstract
Cyberspace is a borderless new universe in which all actors, including States, share information and communications technologies that have become indispensable to the modern lifestyle. Since the beginning of the 21st century, the ability to leverage cyberspace has become one of the most important sources of power. Because ICT systems have spread into every aspect of life, the importance of information in political matters has increased enormously. State and non-State actors can use this power to achieve objectives both in cyberspace and in the physical world. Low cost and high potential impact make cyber-power attractive to all actors, and cyber threats have grown exponentially with the proliferation of cyberspace infrastructures. Consequently, cyberspace has become a war-fighting domain with the potential to destroy or disable logical, physical, technical, and virtual infrastructure, thereby damaging critical national capabilities.
This scenario forces all national institutions to review their defense strategies, because of the difficulty of identifying the actors behind a cyber-attack. It therefore becomes necessary to gain a broader view of the problem and to acquire more detailed information that helps identify the sources of cyber-attacks. This new point of view can be achieved by applying the analytical method developed by the authors to the data streams flowing across cyberspace. In this way it is possible to collect, detect, isolate and analyze the behavior of malware acting as cyber weapons, through a honeypot-based system such as the one presented in this paper.
© 2013 IFIP International Federation for Information Processing
Cite this paper
Colombini, C.M., Colella, A., Mattiucci, M., Castiglione, A. (2013). Cyber Threats Monitoring: Experimental Analysis of Malware Behavior in Cyberspace. In: Cuzzocrea, A., Kittl, C., Simos, D.E., Weippl, E., Xu, L. (eds) Security Engineering and Intelligence Informatics. CD-ARES 2013. Lecture Notes in Computer Science, vol 8128. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40588-4_17
DOI: https://doi.org/10.1007/978-3-642-40588-4_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40587-7
Online ISBN: 978-3-642-40588-4
eBook Packages: Computer Science (R0)