Data mining for detecting Bitcoin Ponzi schemes

Soon after its introduction in 2009, Bitcoin has been adopted by cyber-criminals, which rely on its pseudonymity to implement virtually untraceable scams. One of the typical scams that operate on Bitcoin are the so-called Ponzi schemes. These are fraudulent investments which repay users with the funds invested by new users that join the scheme, and implode when it is no longer possible to find new investments. Despite being illegal in many countries, Ponzi schemes are now proliferating on Bitcoin, and they keep alluring new victims, who are plundered of millions of dollars. We apply data mining techniques to detect Bitcoin addresses related to Ponzi schemes. Our starting point is a dataset of features of real-world Ponzi schemes, that we construct by analysing, on the Bitcoin blockchain, the transactions used to perform the scams. We use this dataset to experiment with various machine learning algorithms, and we assess their effectiveness through standard validation protocols and performance metrics. The best of the classifiers we have experimented can identify most of the Ponzi schemes in the dataset, with a low number of false positives

Phishing Detection: Analysis of Visual Similarity Based Approaches

Phishing is one of the major problems faced by cyber-world and leads to financial losses for both industries and individuals. Detection of phishing attack with high accuracy has always been a challenging issue. At present, visual similarities based techniques are very useful for detecting phishing websites efficiently. Phishing website looks very similar in appearance to its corresponding legitimate website to deceive users into believing that they are browsing the correct website. Visual similarity based phishing detection techniques utilise the feature set like text content, text format, HTML tags, Cascading Style Sheet (CSS), image, and so forth, to make the decision. These approaches compare the suspicious website with the corresponding legitimate website by using various features and if the similarity is greater than the predefined threshold value then it is declared phishing. This paper presents a comprehensive analysis of phishing attacks, their exploitation, some of the recent visual similarity based approaches for phishing detection, and its comparative study. Our survey provides a better understanding of the problem, current solution space, and scope of future research to deal with phishing attacks efficiently using visual similarity based approaches

Identifying and combating cyber-threats in the field of online banking

This thesis has been carried out in the industrial environment external to the University, as an industrial PhD. The results of this PhD have been tested, validated, and implemented in the production environment of Caixabank and have been used as models for others who have followed the same ideas. The most burning threats against banks throughout the Internet environment are based on software tools developed by criminal groups, applications running on web environment either on the computer of the victim (Malware) or on their mobile device itself through downloading rogue applications (fake app's with Malware APP). Method of the thesis has been used is an approximation of qualitative exploratory research on the problem, the answer to this problem and the use of preventive methods to this problem like used authentication systems. This method is based on samples, events, surveys, laboratory tests, experiments, proof of concept; ultimately actual data that has been able to deduce the thesis proposal, using both laboratory research and grounded theory methods of data pilot experiments conducted in real environments. I've been researching the various aspects related to e-crime following a line of research focusing on intrinsically related topics: - The methods, means and systems of attack: Malware, Malware families of banker Trojans, Malware cases of use, Zeus as case of use. - The fixed platforms, mobile applications and as a means for malware attacks. - forensic methods to analyze the malware and infrastructure attacks. - Continuous improvement of methods of authentication of customers and users as a first line of defense anti- malware. - Using biometrics as innovative factor authentication.The line investigating Malware and attack systems intrinsically is closed related to authentication methods and systems to infect customer (executables, APP's, etc.), because the main purpose of malware is precisely steal data entered in the "logon "authentication system, to operate and thus, fraudulently, steal money from online banking customers. Experiments in the Malware allowed establishing a new method of decryption establishing guidelines to combat its effects describing his fraudulent scheme and operation infection. I propose a general methodology to break the encryption communications malware (keystream), extracting the system used to encrypt such communications and a general approach of the Keystream technique. We show that this methodology can be used to respond to the threat of Zeus and finally provide lessons learned highlighting some general principles of Malware (in general) and in particular proposing Zeus Cronus, an IDS that specifically seeks the Zeus malware, testing it experimentally in a network production and providing an effective skills to combat the Malware are discussed. The thesis is a research interrelated progressive evolution between malware infection systems and authentication methods, reflected in the research work cumulatively, showing an evolution of research output and looking for a progressive improvement of methods authentication and recommendations for prevention and preventing infections, a review of the main app stores for mobile financial services and a proposal to these stores. The most common methods eIDAMS (authentication methods and electronic identification) implemented in Europe and its robustness are analyzed. An analysis of adequacy is presented in terms of efficiency, usability, costs, types of operations and segments including possibilities of use as authentication method with biometrics as innovation.Este trabajo de tesis se ha realizado en el entorno industrial externo a la Universidad como un PhD industrial Los resultados de este PhD han sido testeados, validados, e implementados en el entorno de producción de Caixabank y han sido utilizados como modelos por otras que han seguido las mismas ideas. Las amenazas más candentes contra los bancos en todo el entorno Internet, se basan en herramientas software desarrolladas por los grupos delincuentes, aplicaciones que se ejecutan tanto en entornos web ya sea en el propio ordenador de la víctima (Malware) o en sus dispositivos móviles mediante la descarga de falsas aplicaciones (APP falsa con Malware). Como método se ha utilizado una aproximación de investigación exploratoria cualitativa sobre el problema, la respuesta a este problema y el uso de métodos preventivos a este problema a través de la autenticación. Este método se ha basado en muestras, hechos, encuestas, pruebas de laboratorio, experimentos, pruebas de concepto; en definitiva datos reales de los que se ha podido deducir la tesis propuesta, utilizando tanto investigación de laboratorio como métodos de teoría fundamentada en datos de experimentos pilotos realizados en entornos reales. He estado investigando los diversos aspectos relacionados con e-crime siguiendo una línea de investigación focalizada en temas intrínsecamente relacionadas: - Los métodos, medios y sistemas de ataque: Malware, familias de Malware de troyanos bancarios, casos de usos de Malware, Zeus como caso de uso. - Las plataformas fijas, los móviles y sus aplicaciones como medio para realizar los ataques de Malware. - Métodos forenses para analizar el Malware y su infraestructura de ataque. - Mejora continuada de los métodos de autenticación de los clientes y usuarios como primera barrera de defensa anti- malware. - Uso de la biometría como factor de autenticación innovador. La línea investiga el Malware y sus sistemas de ataque intrínsecamente relacionada con los métodos de autenticación y los sistemas para infectar al cliente (ejecutables, APP's, etc.) porque el objetivo principal del malware es robar precisamente los datos que se introducen en el "logon" del sistema de autenticación para operar de forma fraudulenta y sustraer así el dinero de los clientes de banca electrónica. Los experimentos realizados en el Malware permitieron establecer un método novedoso de descifrado que estableció pautas para combatir sus efectos fraudulentos describiendo su esquema de infección y funcionamiento Propongo una metodología general para romper el cifrado de comunicaciones del malware (keystream) extrayendo el sistema utilizado para cifrar dichas comunicaciones y una generalización de la técnica de Keystream. Se demuestra que esta metodología puede usarse para responder a la amenaza de Zeus y finalmente proveemos lecciones aprendidas resaltando algunos principios generales del Malware (en general) y Zeus en particular proponiendo Cronus, un IDS que persigue específicamente el Malware Zeus, probándolo experimentalmente en una red de producción y se discuten sus habilidades y efectividad. En la tesis hay una evolución investigativa progresiva interrelacionada entre el Malware, sistemas de infección y los métodos de autenticación, que se refleja en los trabajos de investigación de manera acumulativa, mostrando una evolución del output de investigación y buscando una mejora progresiva de los métodos de autenticación y de la prevención y recomendaciones para evitar las infecciones, una revisión de las principales tiendas de Apps para servicios financieros para móviles y una propuesta para estas tiendas. Se analizan los métodos más comunes eIDAMS (Métodos de Autenticación e Identificación electrónica) implementados en Europa y su robustez y presentamos un análisis de adecuación en función de eficiencia, usabilidad, costes, tipos de operación y segmentos incluyendo un análisis de posibilidades con métodos biométricos como innovación.Postprint (published version

Digital fingerprinting for identifying malicious collusive groups on Twitter

Propagation of malicious code on online social networks (OSN) is often a coordinated effort by collusive groups of malicious actors hiding behind multiple online identities (or digital personas). Increased interaction in OSN have made them reliable for the efficient orchestration of cyber-attacks such as phishing click bait and drive-by downloads. URL shortening enables obfuscation of such links to malicious websites and massive interaction with such embedded malicious links in OSN guarantees maximum reach. These malicious links lure users to malicious endpoints where attackers can exploit system vulnerabilities. Identifying the organised groups colluding to spread malware is non-trivial owing to the fluidity and anonymity of criminal digital personas on OSN. This paper proposes a methodology for identifying such organised groups of criminal actors working together to spread malicious links on OSN. Our approach focuses on understanding malicious users as ‘digital criminal personas’ and characteristics of their online existence. We first identify those users engaged in propagating malicious links on OSN platforms, and further develop a methodology to create a digital fingerprint for each malicious OSN account/digital persona. We create similarity clusters of malicious actors based on these unique digital fingerprints to establish ‘collusive’ behaviour. We evaluate the ability of a cluster-based approach on OSN digital fingerprinting to identify collusive behaviour in OSN by estimating within-cluster similarity measures and testing it on a ground truth dataset of five known colluding groups on Twitter. Our results show that our digital fingerprints can identify 90% of cyber-personas engaged in collusive behaviour 75% of collusion in a given sample set

An Ensemble Self-Structuring Neural Network Approach to Solving Classification Problems with Virtual Concept Drift and its Application to Phishing Websites

Classification in data mining is one of the well-known tasks that aim to construct a classification model from a labelled input data set. Most classification models are devoted to a static environment where the complete training data set is presented to the classification algorithm. This data set is assumed to cover all information needed to learn the pertinent concepts (rules and patterns) related to how to classify unseen examples to predefined classes. However, in dynamic (non-stationary) domains, the set of features (input data attributes) may change over time. For instance, some features that are considered significant at time Ti might become useless or irrelevant at time Ti+j. This situation results in a phenomena called Virtual Concept Drift. Yet, the set of features that are dropped at time Ti+j might return to become significant again in the future. Such a situation results in the so-called Cyclical Concept Drift, which is a direct result of the frequently called catastrophic forgetting dilemma. Catastrophic forgetting happens when the learning of new knowledge completely removes the previously learned knowledge. Phishing is a dynamic classification problem where a virtual concept drift might occur. Yet, the virtual concept drift that occurs in phishing might be guided by some malevolent intelligent agent rather than occurring naturally. One reason why phishers keep changing the features combination when creating phishing websites might be that they have the ability to interpret the anti-phishing tool and thus they pick a new set of features that can circumvent it. However, besides the generalisation capability, fault tolerance, and strong ability to learn, a Neural Network (NN) classification model is considered as a black box. Hence, if someone has the skills to hack into the NN based classification model, he might face difficulties to interpret and understand how the NN processes the input data in order to produce the final decision (assign class value). In this thesis, we investigate the problem of virtual concept drift by proposing a framework that can keep pace with the continuous changes in the input features. The proposed framework has been applied to phishing websites classification problem and it shows competitive results with respect to various evaluation measures (Harmonic Mean (F1-score), precision, accuracy, etc.) when compared to several other data mining techniques. The framework creates an ensemble of classifiers (group of classifiers) and it offers a balance between stability (maintaining previously learned knowledge) and plasticity (learning knowledge from the newly offered training data set). Hence, the framework can also handle the cyclical concept drift. The classifiers that constitute the ensemble are created using an improved Self-Structuring Neural Networks algorithm (SSNN). Traditionally, NN modelling techniques rely on trial and error, which is a tedious and time-consuming process. The SSNN simplifies structuring NN classifiers with minimum intervention from the user. The framework evaluates the ensemble whenever a new data set chunk is collected. If the overall accuracy of the combined results from the ensemble drops significantly, a new classifier is created using the SSNN and added to the ensemble. Overall, the experimental results show that the proposed framework affords a balance between stability and plasticity and can effectively handle the virtual concept drift when applied to phishing websites classification problem. Most of the chapters of this thesis have been subject to publicatio

Labeled bipolar argumentation frameworks

An essential part of argumentation-based reasoning is to identify arguments in favor and against a statement or query, select the acceptable ones, and then determine whether or not the original statement should be accepted. We present here an abstract framework that considers two independent forms of argument interaction-support and conflict-and is able to represent distinctive information associated with these arguments. This information can enable additional actions such as: (i) a more in-depth analysis of the relations between the arguments; (ii) a representation of the user's posture to help in focusing the argumentative process, optimizing the values of attributes associated with certain arguments; and (iii) an enhancement of the semantics taking advantage of the availability of richer information about argument acceptability. Thus, the classical semantic definitions are enhanced by analyzing a set of postulates they satisfy. Finally, a polynomial-time algorithm to perform the labeling process is introduced, in which the argument interactions are considered.Fil: Escañuela Gonzalez, Melisa Gisselle. Universidad Nacional de Santiago del Estero; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Tucumán; ArgentinaFil: Budan, Maximiliano Celmo David. Universidad Nacional de Santiago del Estero; Argentina. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Tucumán; ArgentinaFil: Simari, Gerardo. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Bahía Blanca. Instituto de Ciencias e Ingeniería de la Computación. Universidad Nacional del Sur. Departamento de Ciencias e Ingeniería de la Computación. Instituto de Ciencias e Ingeniería de la Computación; ArgentinaFil: Simari, Guillermo Ricardo. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - Bahía Blanca. Instituto de Ciencias e Ingeniería de la Computación. Universidad Nacional del Sur. Departamento de Ciencias e Ingeniería de la Computación. Instituto de Ciencias e Ingeniería de la Computación; Argentin

Measuring for privacy: From tracking to cloaking

We rely on various types of online services to access information for different uses, and often provide sensitive information during the interactions with these services. These online services are of different types; e.g. commercial websites (e.g., banking, education, news, shopping, dating, social media), essential websites (e.g., government). Online services are available through websites as well as mobile apps. The growth of web sites, mobile devices and apps that run on those devices, have resulted in the proliferation of online services. This whole ecosystem of online services had created an environment where everyone using it are being tracked. Several past studies have performed privacy measurements to assess the prevalence of tracking in online services. Most of these studies used institutional (i.e., non-residential) resources for their measurements, and lacked global perspective. Tracking on online services and its impact to privacy may differ at various locations. Therefore, to fill in this gap, we perform a privacy measurement study of popular commercial websites, using residential networks from various locations. Unlike commercial online services, there are different categories (e.g., government, hospital, religion) of essential online services where users do not expect to be tracked. The users of these essential online services often use information of extreme personal and sensitive in nature (e.g., social insurance number, health information, prayer requests/confessions made to a religious minister) when interacting with those services. However, contrary to the expectations of users, these essential services include user tracking capabilities. We built frameworks to perform privacy measurements of these online services (include both web sites and Android apps) that are of different types (i.e., governments, hospitals and religious services in jurisdictions around the world). The instrumented tracking metrics (i.e., stateless, stateful, session replaying) from the privacy measurements of these online services are then analyzed. Malicious sites (e.g., phishing) mimic online services to deceive users, causing them harm. We found 80% of analyzed malicious sites are cloaked, and not blocked by search engine crawlers. Therefore, sensitive information collected from users through these sites is exposed. In addition, underlying Internet-connected infrastructure (e.g., networked devices such as routers, modems) used by online users, can suffer from security issues due to nonuse of TLS or use of weak SSL/TLS certificates. Such security issues (e.g., spying on a CCTV camera) can compromise data integrity, confidentiality and user privacy. Overall, we found tracking on commercial websites differ based on the location of corresponding residential users. We also observed widespread use of tracking by commercial trackers, and session replay services that expose sensitive information from essential online services. Sensitive information are also exposed due to vulnerabilities in online services (e.g., Cross Site Scripting). Furthermore, a significant proportion of malicious sites evade detection by security/search engine crawlers, which may make such sites readily available to users. We also detect weaknesses in the TLS ecosystem of Internet-connected infrastructure that supports running these online services. These observations require more research on privacy of online services, as well as information exposure from malicious online services, to understand the significance of privacy issues, and to adopt appropriate mitigation strategies

Cyber Security and Critical Infrastructures 2nd Volume

The second volume of the book contains the manuscripts that were accepted for publication in the MDPI Special Topic "Cyber Security and Critical Infrastructure" after a rigorous peer-review process. Authors from academia, government and industry contributed their innovative solutions, consistent with the interdisciplinary nature of cybersecurity. The book contains 16 articles, including an editorial that explains the current challenges, innovative solutions and real-world experiences that include critical infrastructure and 15 original papers that present state-of-the-art innovative solutions to attacks on critical systems