Federal State Autonomous Educational Institution of Higher Education
"Samara National Research University named after Academician S.P. Korolev"
The university scholars have suggested a "vaccination" from hacker attacks


Samara University

The proposed algorithm makes it possible to block the spread of the "epidemic" at the first "symptoms" of water-holing

03.04.2018
At the international RusCrypto conference, researchers from Samara University presented a new development: a system for preventing and protecting Internet services against hacker attacks.
Over the past year, staff of the Department of Supercomputers and General Informatics at Samara University conducted the research that resulted in a system for preventing security breaches of Internet services.
A year ago the researchers set up four honeypots with real IP addresses in Samara Region, the Republic of Crimea, Rostov Region and the USA. "Honeypot systems are a technology known since the 1990s. They consist of a set of software that imitates the operation of the ten Internet services most popular with users, on completely empty servers," explains Andrey Sukhov, Professor at the Department of Supercomputers and General Informatics (Samara University).

During the following year, the researchers tracked the different types of attacks on the prepared honeypots (port scans, access attempts against web servers, IP telephony servers, e-mail, database management systems, and attempts to take over the OS), systematized them and, as a result, compiled an IP block list of suspicious addresses for each service. To get onto the IP block list, an address must meet two criteria: it must "register" on at least two honeypots and attack the service three times (three calls or three password-guessing attempts). For example, 1063 IP addresses "turned up" in attacks on the IP telephony service over the year.
To protect Internet services from hackers, the university researchers proposed taking preventive measures based on the following algorithm: distribute the resulting database of attacker addresses with the help of a Software Defined Network (SDN).
"Thanks to the SDN we can "vaccinate" it with the database of suspicious IP addresses we compiled; after that it will be able to analyse the traffic, identify the attack paths from the IP block list and, as a result, block the actions of the attackers," says Evgeniy Sagatov, Associate Professor at the Department of Supercomputers and General Informatics.
Moreover, the algorithm proposed by the researchers allows the databases to be transmitted to upstream providers over secure channels, and security filters against hackers to be set two levels above the provider in the network architecture.
This set of measures will help the network administrator not only to stop a compromised workstation in time, but to prevent the breach attempt itself.
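As an added illustration (not the researchers' code), here is how the two block-list criteria described above could be applied to honeypot event logs. The log format is constructed for the example, and it assumes the three attempts are counted across all honeypots combined; the resulting per-service list is what an SDN controller or upstream filter would consume.

```python
import re
from collections import defaultdict

# Constructed sample honeypot log lines (not from the article): each line
# records one probe or login attempt seen by a honeypot for a given service.
SAMPLE_LOG = """\
2018-03-01T10:00:01 hp=samara svc=sip src=203.0.113.5 msg=REGISTER
2018-03-01T10:00:09 hp=samara svc=sip src=203.0.113.5 msg=REGISTER
2018-03-01T11:02:00 hp=crimea svc=sip src=203.0.113.5 msg=REGISTER
2018-03-01T12:00:00 hp=samara svc=sip src=198.51.100.7 msg=INVITE
2018-03-01T12:00:05 hp=samara svc=sip src=198.51.100.7 msg=INVITE
2018-03-01T12:00:09 hp=samara svc=sip src=198.51.100.7 msg=INVITE
2018-03-02T01:00:00 hp=rostov svc=ssh src=192.0.2.9 msg=login-fail
2018-03-02T01:00:03 hp=usa svc=ssh src=192.0.2.9 msg=login-fail
2018-03-02T02:00:00 hp=rostov svc=ssh src=192.0.2.10 msg=login-fail
2018-03-02T02:00:01 hp=rostov svc=ssh src=192.0.2.10 msg=login-fail
2018-03-02T02:30:00 hp=usa svc=ssh src=192.0.2.10 msg=login-fail
2018-03-02T02:30:02 hp=usa svc=ssh src=192.0.2.10 msg=login-fail
"""

LINE_RE = re.compile(r"hp=(?P<hp>\S+) svc=(?P<svc>\S+) src=(?P<src>\S+)")

def parse_events(log_text):
    """Yield (honeypot, service, source_ip) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("hp"), m.group("svc"), m.group("src")

def build_block_list(events, min_honeypots=2, min_attempts=3):
    """Per service, keep addresses seen on >= min_honeypots honeypots
    with >= min_attempts attempts in total (the article's two criteria)."""
    attempts = defaultdict(int)      # (service, ip) -> attempt count
    seen_on = defaultdict(set)       # (service, ip) -> honeypots that saw it
    for hp, svc, src in events:
        attempts[(svc, src)] += 1
        seen_on[(svc, src)].add(hp)
    block = defaultdict(list)
    for (svc, src), n in attempts.items():
        if n >= min_attempts and len(seen_on[(svc, src)]) >= min_honeypots:
            block[svc].append(src)
    return {svc: sorted(ips) for svc, ips in block.items()}

def is_blocked(block_list, service, src):
    """Lookup a filter would perform before admitting traffic to a service."""
    return src in block_list.get(service, ())

BLOCK_LIST = build_block_list(parse_events(SAMPLE_LOG))
```

In the sample, 198.51.100.7 makes three SIP attempts but is seen by only one honeypot, and 192.0.2.9 is seen by two honeypots but makes only two attempts, so neither is listed.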
"Here an analogy is appropriate: a criminal can be caught because of the traces left at a crime scene, or the crime itself can be prevented," Andrey Sukhov says. "A row of computers on which multiple system applications run in the background is connected to the network of any organisation, and users usually do not pay attention to their operation. An attacker looks for computers on which these system applications are open and tries to attack. He "pierces" the machine, i.e. sends a protocol data unit with a request, and thus finds out whether the computer has the service he needs and whether it is open to any interference. Users do not even notice that their computer has already been hacked and turned into a source of breaches of the next victims and of spam. If certain preventive measures are taken, then it is possible to find out where the attack is coming from and to protect against it."