Pattern Programmable Kernel Filter for Bot Detection

Bots earn their unique name as they perform a wide variety of automated task. These tasks include stealing sensitive user information. Detection of bots using solutions such as behavioral correlation of flow records, group activity in DNS traffic, observing the periodic repeatability in communication, etc., lead to monitoring the network traffic and then classifying them as Bot or normal traffic. Other solutions for Bot detection include kernel level key stroke verification, system call initialization, IP black listing, etc. In the first two solutions there is no assurance that the packet carrying user information is prevented from being sent to the attacker and the latter suffers from the problem of IP spoofing. This motivated us to think of a solution that would filter out the malicious packets before being put onto the network. To come out with such a solution, a real time bot attack was generated with SpyEye Exploit kit and traffic characteristics were analyzed. The analysis revealed the existence of a unique repeated communication between the Zombie machine and the botmaster. This motivated us to propose, a Pattern Programmable Kernel Filter (PPKF) for filtering out the malicious packets generated by bots. PPKF was developed using the windows filtering platform (WFP) filter engine. PPKF was programmed to filter out the packets with unique pattern which were observed from the bot attack experiments. Further PPKF was found to completely suppress the flow of packets having the programmed uniqueness in them thus preventing the functioning of bots in terms of user information being sent to the Botmaster.Defence Science Journal, 2012, 62(1), pp.174-179, DOI:http://dx.doi.org/10.14429/dsj.62.142

A Typology Of Social Engineering Attacks – An Information Science Perspective

Hackers are increasingly exploiting the social movement on the Internet, which is responsible for domestication of the web and its associated technologies, by using novel methods of online social engineering. However, there is not enough support in the form of published research that can help us gain a holistic understanding of human vulnerabilities that are central to online social engineering attacks. This paper extends prior published classifications and presents a new typology of online social engineering methods that manifest during the various information seeking contexts that users engage while online. Concepts borrowed from the field of information science hel p us to build this typology that groups attack vectors with different human information seeking modes. The typology can be readily used as educational material to improve end user awareness about online social engineering. In addition, the typology can be used as a conceptual starting point for future empirical research on human vulnerabilities in different information seeking contexts which in turn can informsystems designers to design more effective solutions that can help mitigate the effects of such attacks

Secure Android Code Helper (Sach): A Tool For Assisting Secure Android Application Development

Mobile devices now store a lot of sensitive data. With many users adapting to the technical advancement of mobile devices, security of the user\u27s sensitive data becomes imperative. Security vulnerabilities in the mobile apps will lead to leakage of user’s sensitive data. The goal of this research is to propose a tool to help programmers create secure Android applications. The tool will warn developers about specific classes or methods that include security vulnerabilities such as data leakage and access control vulnerabilities. The tool analyzes Android source code using two approaches: 1) Parse the source code and XML to report vulnerabilities based on CERT secure coding rules for Android application development and 2) Run FlowDroid on source code, parse the output of FlowDroid and look for device ID, GPS location data being leaked to a log file or through implicit intent. The results from these approaches are combined into reports that inform developers of security vulnerabilities. The proof of concept of the tool has been implemented and tested. Future work includes completing implementation of the tool and running tests on a large number of source codes to evaluate its effectiveness

Secure Android Code Helper (Sach): A Tool For Assisting Secure Android Application Development

Mobile devices now store a lot of sensitive data. With many users adapting to the technical advancement of mobile devices, security of the user\u27s sensitive data becomes imperative. Security vulnerabilities in the mobile apps will lead to leakage of user’s sensitive data. The goal of this research is to propose a tool to help programmers create secure Android applications. The tool will warn developers about specific classes or methods that include security vulnerabilities such as data leakage and access control vulnerabilities. The tool analyzes Android source code using two approaches: 1) Parse the source code and XML to report vulnerabilities based on CERT secure coding rules for Android application development and 2) Run FlowDroid on source code, parse the output of FlowDroid and look for device ID, GPS location data being leaked to a log file or through implicit intent. The results from these approaches are combined into reports that inform developers of security vulnerabilities. The proof of concept of the tool has been implemented and tested. Future work includes completing implementation of the tool and running tests on a large number of source codes to evaluate its effectiveness

Fireguard - A Secure Browser with Reduced Forensic Footprint

Fireguard is a secure portable browser designed to reduce both data leakage from browser data remnants and cyber attacks from malicious code exploiting vulnerabilites in browser plug-ins, extensions and software updates. A browser can leave data remnants on a host PC hard disk drive, often unbeknown to a user, in the form of cookies, histories, saved passwords, cached web pages and downloaded objects. Forensic analysis, using freely available computer forensic tools, may reveal sensitive and confidential information. A browser’s capability to increase its features through plug-ins and extensions and perform patch management or upgrade to a new release via a software update provides an opportunity for an attacker to embed malicious software and subsequently launch a cyber attack. Fireguard has been implemented using both Mozilla Firefox and the storage and protection capabilities of the Mini-SDV, a secure Portable Execution and Storage Environment (PESE). In this paper the design and development of Fireguard is discussed. The requirement for a secure PESE and the functionality of the Mini-SDV is presented. An overview is given of the motivation for the development of Fireguard. The reasons Firefox was selected and the Firefox structure and security vulnerabilities are summarised. The implementation approach adopted is discussed and the results of an analysis of the Firefox implementation are presented. The Mini-SDV configuration for Fireguard and an outline of the concept of operation is given. The changes made to Firefox to implement Fireguard as a browser that reduces the opportunity for data leakage and cyber attack, and minimises its forensic footprint are discussed. The paper concludes by considering the strengths and limitations of the Fireguard implementation

The approaches to quantify web application security scanners quality: A review

The web application security scanner is a computer program that assessed web application security with penetration testing technique. The benefit of automated web application penetration testing is huge, which web application security scanner not only reduced the time, cost, and resource required for web application penetration testing but also eliminate test engineer reliance on human knowledge. Nevertheless, web application security scanners are possessing weaknesses of low test coverage, and the scanners are generating inaccurate test results. Consequently, experimentations are frequently held to quantitatively quantify web application security scanner's quality to investigate the web application security scanner's strengths and limitations. However, there is a discovery that neither a standard methodology nor criterion is available for quantifying the web application security scanner's quality. Hence, in this paper systematic review is conducted and analysed the methodology and criterion used for quantifying web application security scanners' quality. In this survey, the experiment methodologies and criterions that had been used to quantify web application security scanner's quality is classified and review using the preferred reporting items for systematic reviews and meta-analyses (PRISMA) protocol. The objectives are to provide practitioners with the understanding of methodologies and criterions that available for measuring web application security scanners' test coverage, attack coverage, and vulnerability detection rate, while provides the critical hint for development of the next testing framework, model, methodology, or criterions, to measure web application security scanner quality

Twitter Malware Collection System: An Automated URL Extraction and Examination Platform

As the world becomes more interconnected through various technological services and methods, the threat of malware is increasingly looming overhead. One avenue in particular that is examined in this research is the social networking service Twitter. This research develops the Twitter Malware Collection System (TMCS). This system gathers Uniform Resource Locators (URLs) posted on Twitter and scans them to determine if any are hosting malware. This scanning process is performed by a cluster of Virtual Machines (VMs) running a specified software configuration and the execution prevention system known as ESCAPE, which detects malicious code. When a URL is detected by a TMCS VM instance to be hosting malware, a dump of the web browser is created to determine what kind of malicious activity has taken place and also how this activity was allowed. After collecting over a period of 40 days, and processing a total of 466,237 URLs twice in two different configurations, one consisting of a vulnerable Windows XP SP2 setup and the other consisting of a fully patched and updated Windows Vista setup, a total of 2,989 dumps were created by TMCS based on the results generated by ESCAPE

Improving Desktop System Security Using Compartmentalization

abstract: Compartmentalizing access to content, be it websites accessed in a browser or documents and applications accessed outside the browser, is an established method for protecting information integrity [12, 19, 21, 60]. Compartmentalization solutions change the user experience, introduce performance overhead and provide varying degrees of security. Striking a balance between usability and security is not an easy task. If the usability aspects are neglected or sacrificed in favor of more security, the resulting solution would have a hard time being adopted by end-users. The usability is affected by factors including (1) the generality of the solution in supporting various applications, (2) the type of changes required, (3) the performance overhead introduced by the solution, and (4) how much the user experience is preserved. The security is affected by factors including (1) the attack surface of the compartmentalization mechanism, and (2) the security decisions offloaded to the user. This dissertation evaluates existing solutions based on the above factors and presents two novel compartmentalization solutions that are arguably more practical than their existing counterparts. The first solution, called FlexICon, is an attractive alternative in the design space of compartmentalization solutions on the desktop. FlexICon allows for the creation of a large number of containers with small memory footprint and low disk overhead. This is achieved by using lightweight virtualization based on Linux namespaces. FlexICon uses two mechanisms to reduce user mistakes: 1) a trusted file dialog for selecting files for opening and launching it in the appropriate containers, and 2) a secure URL redirection mechanism that detects the user’s intent and opens the URL in the proper container. FlexICon also provides a language to specify the access constraints that should be enforced by various containers. The second solution called Auto-FBI, deals with web-based attacks by creating multiple instances of the browser and providing mechanisms for switching between the browser instances. The prototype implementation for Firefox and Chrome uses system call interposition to control the browser’s network access. Auto-FBI can be ported to other platforms easily due to simple design and the ubiquity of system call interposition methods on all major desktop platforms.Dissertation/ThesisDoctoral Dissertation Computer Science 201

TOWARDS REDESIGNING WEB BROWSERS WITH SECURITY PRINCIPLES

Ph.DDOCTOR OF PHILOSOPH