Hire writer

Logic Bomb as Cyberattack: Algorithm to Detect and Steps to Recover

Pages: 3 (1252 words)

Views: 599

Grade: 5

Download

Abstract:

Cyberattacks are one of the biggest threats to the Computer World. Security researchers and professionals are continuously making various efforts to prevent such attacks. Most of the time these attacks come from outside, but sometimes it can be insider attacks. Insider attacks can be more lethal, as the malicious person will have authorized system access. A logic Bomb is one of such example of an insider attack; a successfully triggered logic bomb can cause system failure, auto-deletion of hard drives, manipulation of data, etc. Logic Bombs are generally hidden or embedded in genuine code where they stay dormant till their conditions are not satisfied, this makes them very hard to detect. This malware is normally programmed by developers of software. Attackers usually exploit the software development lifecycle to insert a logic bomb. Such a type of hidden malicious code in the system software can be a serious threat to their IT infrastructure security. This paper involves the study of a logic bomb attack, its prevention measures, proposed detection algorithm, and steps to recover from it.

Do not use plagiarized sources. Get your custom paper at "Logic Bomb as Cyberattack: Algorithm to Detect and Steps to Recover" Get custom paper

NEW! Smart match with writer

Introduction:

Cyberattacks are performed by both outsider and insider entities. In a comparison of both; insider attacks can be more dangerous as the malicious person will have authorized access to the system and network. One such effective insider attack is the Logic bomb attack.

A logic bomb is a piece of malicious code that lies dormant hidden within legitimate software until a condition is satisfied to trigger its payload. This malware is normally embedded by developers into genuine software. A logic bomb has a flaw that it only works for software for which it has been designed, it doesn’t replicate on other applications. The presence of a Logic bomb in the system poses great risks to their security and integrity.

Richard Clarke (Former White House counterterrorism expert) shares his concerns about the cyber war in his book named “Cyber War: The Next Threat to National Security and What to do about it.” In this book, Clarke mentions that the U.S. is very vulnerable to this type of attack because its infrastructure is much more dependent on computer networks in comparison with other countries. He showed concern that malicious code developers could trigger logic bombs, shutting down the banking and various other systems.

One such cyberattack occurred in South Korea on 2013-3-20 at 14:00:00 local time, a logic bomb in the code erased the hard drives of banks and media companies. It triggered on a specific time and date and started wiping all data from machines. At least two broadcasting companies and three banks were attacked by wiping their hard drives and master boot record. This attack prevented South Koreans from making ATM transactions as the attack put some ATMs out of operation. According to security researchers, the malicious code also included a module to connect remote Linux machines for deleting their master boot record.

A time Bomb is the subclass of a logic bomb. It is programmed to get executed at a specific time and date. It will stay inactive until its specific condition is not met. The execution of a time bomb will result in destructive effects on the system and network. Time bomb like “Friday the 13th” activates on a specified day and date and deletes the files from infected computers.

It is very hard to detect a logic bomb in the testing phase. Functional testing cannot detect such malicious code as a tester are unlikely to supply values which will trigger the bomb. Static analysis tools are unable to detect this bomb as they are aimed at finding programming mistakes like failure to validate a user input or failing to protect against a buffer overflow. Requirements-based testing also fails to detect bombs, as a tester is unlikely to enter the values required to trigger them. It cannot be detected by dynamic tools either, because their execution may not result in runtime errors, which is usually detected by dynamic analysis.

Antivirus based on anomaly detection may not detect logic bombs as it will not cause events which are externally observable such as unusual system calls. Signature detection is also not a full-proof solution, as the malicious code is custom embedded to its host software, and may not have a unique signature.

Prevention against Logic Bomb:

As logic bombs are mostly planted by software developers of the same company or externally hired contractors, the best practices that involve putting procedural and technical controls should be in place. Following are some necessary steps to prevent a logic bomb attack:

  • Conduct a complete background check of developers at the time of joining.
  • Keeping an eye on employees having signs of dissatisfaction, anger, revenge, etc.
  • Provide only the necessary access to developers to avoid any misuse of resources.
  • Implementing the principle of least privilege. It will ensure less possible targets for an attacker.
  • Keep the system up to date. Patching system regularly will make it more difficult for a malicious developer to attack system.
  • Prepare a baseline for the known process and regularly compare it to the current view. This will be useful to find rogue processes.
  • Secure account management and password controls. Ensure different password for each host systems.
  • Monitoring auto-updating software. Use Integrity checker to validate if any software has been modified.
  • Perform regular backups, use endpoint protection and use business email screening functionality for mails.
  • Log all activities of system users and monitor log files for unusual patterns.
  • Separation of development and testing process.
  • Manual inspection of critical program code.

Detection against Logic Bomb:

When a logic bomb is triggered, it can show many destructive symptoms like system failure, file deletion, etc. This proposed theoretical logic bomb detection algorithm works on the host level. It scans the system for common symptoms of the logic bomb attack and then calculates the number of occurrences. If the frequency of symptoms goes beyond its predefined threshold value then according to the algorithm it is a suspected logic bomb attack.

Input:

Let S be the set of logic bomb attack symptoms.

S= {s1, s2, s3…. sn}; For example: s1 = system/software failure and s2 = auto-deletion of file.

Let T be the set of threshold frequency of all symptoms.

T= {t1, t2, t3…. tn}

BEGIN

scan log file for symptoms

calculate frequency of individual symptoms (i.e. s1f, s2f, s3f…. snf)

IF (s1f > t1 OR s2f > t2 OR s3f > t3…. snf > tn) THEN

Print “suspected logic bomb attack”

ELSE

Print “no suspicious activity found”

END IF

END

Recovering from Logic Bomb attack:

I. Quarantine (Isolate) the infected system from the network to prevent more damage. If the network has been attacked then disconnect the whole network or at least part of the network where critical data resides.

II. Look for symptoms and review all relevant log files to find the start of an attack. In this way, you will be able to locate the logic bomb in the infected host system.

III. Collect the evidence for the Investigation of the Incident. This will help to find the attacker behind the logic bomb attack.

IV. Remove the logic bomb from the system in a safe mode. Perform various checks to make sure malware has been removed from the system.

V. Restore the system with your last backup (If available). Make sure that your last backup doesn’t have the same logic bomb.

VI. Plug in the system to the network.

VII. Monitor the system/software for a few months to make sure that everything is working properly.

Conclusion:

This paper discusses in detail logic bomb attacks by disgruntled or greedy developers. It also explains various ways to prevent the system from such an attack. A theoretical algorithm is proposed in this paper to detect such an attack. Finally, steps to recover from such type of attack are explained.

01 August 2022

Found a great essay sample but want a unique one?

Request writing assistance from a top writer in the field! Get your paper
Get to Know The Price Estimate For Your Paper
Topic
Number of pages
Email Invalid email
Write My Paper

You won’t be charged yet!

Related Topics

Social Studies Essays

Mountains Essays

Humanities Essays

Black Hole Essays

Renewable Energy Essays

Related Essays

Significance Of Cyber Security In Modern World Essay
1 Page | 505 Words
The Importance Of Skills And Professionalism In Cyber Security Essay
4 Pages | 1659 Words
Cyberterrorism: Threats, Prevention, And Prosecution Essay
2 Pages | 869 Words
Ways of How Microsoft Deal With Cyber Attack Essay
2 Pages | 917 Words
The Importance Of Proper Cyber Security Essay
4 Pages | 1893 Words
The Analysis Of The Article "I’M Being Followed: How Google - & 104 Other Companies – Are Tracking Me On The Web" By Alexis C. Madrigal Essay
1 Page | 556 Words
The Concept Of “Defense Evasion” And Its Specific Tactical Techniques Essay
1 Page | 524 Words
Overview Of The Malware Treats Of High, Medium And Low Risk Essay
3 Pages | 1180 Words
close
Sorry,

We are glad that you like it, but you cannot copy from our website. Just insert your email and this sample will be sent to you.

Your Email

By clicking “Send”, you agree to our Terms of service and  Privacy statement. We will occasionally send you account related emails.

close thanks-icon
Thanks!

Your essay sample has been sent.

In fact, there is a way to get an original essay! Turn to our writers and order a plagiarism-free paper.

Order now
exit-popup-close
exit-popup-image
Still can’t find what you need?

Order custom paper and save your time
for priority classes!

Order paper now