Biblio

Web applications, as a conventional platform for sensitive data and important transactions, are of great significance to human society. But with its open source framework, the existing security vulnerabilities can easily be exploited by malicious users, especially when web developers fail to follow the secure practices. Here we present a distributed scanning system, FalconEye, with great precision and high performance, it will help prevent potential threats to Web applications. Besides, our system is also capable of covering basically all the web vulnerabilities registered in the Common Vulnerabilities and Exposures (CVE). The FalconEye system is consists of three modules, an input source module, a scanner module and a support platform module. The input module is used to improve the coverage of target server, and other modules make the system capable of generic vulnerabilities scanning. We then experimentally demonstrate this system in some of the most common vulnerabilities test environment. The results proved that the FalconEye system can be a strong contender among the various detection systems in existence today.

Zero-day polymorphic worms pose a serious threat to the Internet security. With their ability to rapidly propagate, these worms increasingly threaten the Internet hosts and services. Not only can they exploit unknown vulnerabilities but can also change their own representations on each new infection or can encrypt their payloads using a different key per infection. They have many variations in the signatures of the same worm thus, making their fingerprinting very difficult. Therefore, signature-based defenses and traditional security layers miss these stealthy and persistent threats. This paper provides a detailed survey to outline the research efforts in relation to detection of modern zero-day malware in form of zero-day polymorphic worms.

Reduction of Quality (RoQ) attack is a stealthy denial of service attack. It can decrease or inhibit normal TCP flows in network. Victims are hard to perceive it as the final network throughput is decreasing instead of increasing during the attack. Therefore, the attack is strongly hidden and it is difficult to be detected by existing detection systems. Based on the principle of Time-Frequency analysis, we propose a two-stage detection algorithm which combines anomaly detection with misuse detection. In the first stage, we try to detect the potential anomaly by analyzing network traffic through Wavelet multiresolution analysis method. According to different time-domain characteristics, we locate the abrupt change points. In the second stage, we further analyze the local traffic around the abrupt change point. We extract the potential attack characteristics by autocorrelation analysis. By the two-stage detection, we can ultimately confirm whether the network is affected by the attack. Results of simulations and real network experiments demonstrate that our algorithm can detect RoQ attacks, with high accuracy and high efficiency.