501 research outputs found

    A Framework for Hybrid Intrusion Detection Systems

    Web application security is a definite threat to the world’s information technology infrastructure. The Open Web Application Security Project (OWASP) generally defines web application security violations as unauthorized or unintentional exposure, disclosure, or loss of personal information. These breaches occur without the company’s knowledge, and it often takes a while before the web application attack is revealed to the public, specifically because the security violations are fixed. Due to the need to protect their reputation, organizations have begun researching solutions to these problems. The most widely accepted solution is the use of an Intrusion Detection System (IDS). Such systems currently rely on either signatures of the attack used for the data breach or changes in the behavior patterns of the system to identify an intruder. These systems, whether signature-based or anomaly-based, are readily understood by attackers. Issues arise when attacks are not noticed by an existing IDS because the attack does not fit the pre-defined attack signatures the IDS is implemented to discover. Despite current IDS capabilities, little research has identified a method to detect all potential attacks on a system. This thesis intends to address this problem. A particular emphasis will be placed on detecting advanced attacks, such as those that take place at the application layer. These types of attacks are able to bypass existing IDSs, increasing the potential for a web application security breach to occur and go undetected. In particular, the attacks under study are all web application layer attacks. Those included in this thesis are SQL injection, cross-site scripting, directory traversal and remote file inclusion. This work identifies common and existing data breach detection methods as well as the necessary improvements for IDS models. Ultimately, the proposed approach combines an anomaly detection technique measured by cross entropy and a signature-based attack detection framework utilizing a genetic algorithm. The proposed hybrid model for data breach detection benefits organizations by increasing security measures and allowing attacks to be identified in less time and more efficiently.

    SOCIAL NETWORKING FOR BOTNET COMMAND AND CONTROL

    A botnet is a group of compromised computers, often a large group, under the command and control of a malicious user known as a botmaster. Botnets are generally recognized as a serious Internet threat. Botnets can be used for a wide variety of malicious attacks, including spamming, distributed denial of service, and obtaining sensitive information such as authentication credentials or credit card information. This project involves building a botnet centered on Twitter. Our botnet uses individual bots controlled by commands tweeted by the botmaster; the botnet can expand in a viral manner by following affected Twitter users’ friends. This botnet is only intended as a proof of concept, and it does not perform any malicious actions.

    Dynamic Fraud Detection via Sequential Modeling

    The impacts of the information revolution are omnipresent, from life to work. Web services have significantly changed our living styles in daily life, such as Facebook for communication and Wikipedia for knowledge acquisition. Besides, varieties of information systems, such as data management systems and management information systems, make us work more efficiently. However, it is usually a double-edged sword. With the popularity of web services, relevant security issues are arising, such as fake news on Facebook and vandalism on Wikipedia, which definitely impose severe security threats on OSNs and their legitimate participants. Likewise, office automation incurs another challenging security issue, insider threat, which may involve the theft of confidential information, the theft of intellectual property, or the sabotage of computer systems. A recent survey says that 27% of all cyber crime incidents are suspected to be committed by insiders. As a result, how to flag out these malicious web users or insiders is urgent. The fast development of machine learning (ML) techniques offers an unprecedented opportunity to build ML models that can assist humans in automatically detecting the individuals who conduct misbehaviors. However, unlike some static outlier detection scenarios where ML models have achieved promising performance, the malicious behaviors conducted by humans are often dynamic. Such dynamic behaviors lead to various unique challenges of dynamic fraud detection: Unavailability of sufficient labeled data - traditional machine learning approaches usually require a balanced training dataset consisting of normal and abnormal samples. In practice, however, there are far fewer abnormal labeled samples than normal ones. Lack of high quality labels - the labeled training records often have a time gap between the time that fraudulent users commit fraudulent actions and the time that they are suspended by the platforms. Time-evolving nature - users are always changing their behaviors over time. To address the aforementioned challenges, in this dissertation, we conduct a systematic study of dynamic fraud detection, with a focus on: (1) Unavailability of labeled data: we present (a) a few-shot learning framework to handle the extremely imbalanced dataset in which abnormal samples are far fewer than the normal ones and (b) a one-class fraud detection method using a complementary GAN (Generative Adversarial Network) to adaptively generate potential abnormal samples; (2) Lack of high-quality labels: we develop a neural survival analysis model for fraud early detection to deal with the time gap; (3) Time-evolving nature: we propose (a) a hierarchical neural temporal point process model and (b) a dynamic Dirichlet marked Hawkes process model for fraud detection.

    Securing the Next Generation Web

    With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications, and the clients we use to interact with them, remains difficult. To secure web applications we focus on both the client-side and server-side. For the client-side, mainly web browsers, we analyze how new security features might solve a problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, for which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting where there is no access to the source code is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to further improve the coverage and vulnerability detection rate of scanners. In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. AdBlockers and password managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions solely based on the meta-data of downloads over time. We analyze new attack vectors introduced by Google’s new vehicle OS, Android Automotive. This is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.

    All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android

    The security of authentication protocols heavily relies on the confidentiality of credentials (or authenticators) like passwords and session IDs. However, unlike browser-based web applications, for which highly evolved browsers manage the authenticators, Android apps have to construct their own management. We find that most apps simply place their authenticators in persistent storage and entrust the underlying Android OS with mediation. Consequently, these authenticators can be leaked through compromised backup channels. In this work, we conduct the first systematic investigation of this previously overlooked attack vector. We find that nearly all backup apps on Google Play inadvertently expose backup data to any app with internet and SD card permissions. With this exposure, malicious apps can steal other apps' authenticators and obtain complete control over the authenticated sessions. We show that this can be stealthily and efficiently done by building a proof-of-concept app named AuthSniffer. We find that 80 (68.4%) out of the 117 tested top-ranked apps which have implemented authentication schemes are subject to this threat. Our study should raise the awareness of app developers and protocol analysts about this attack vector.

    Cyber Security

    This open access book constitutes the refereed proceedings of the 16th International Annual Conference on Cyber Security, CNCERT 2020, held in Beijing, China, in August 2020. The 17 papers presented were carefully reviewed and selected from 58 submissions. The papers are organized according to the following topical sections: access control; cryptography; denial-of-service attacks; hardware security implementation; intrusion/anomaly detection and malware mitigation; social network security and privacy; systems security.

    An Analysis of Modern Password Manager Security and Usage on Desktop and Mobile Devices

    Security experts recommend password managers to help users generate, store, and enter strong, unique passwords. Prior research confirms that managers do help users move towards these objectives, but it also identified usability and security issues that had the potential to leak user data or prevent users from making full use of their manager. In this dissertation, I set out to measure to what extent modern managers have addressed these security issues on both desktop and mobile environments. Additionally, I have interviewed individuals to understand their password management behavior. I begin my analysis by conducting the first security evaluation of the full password manager lifecycle (generation, storage, and autofill) on desktop devices, including the creation and analysis of a corpus of 147 million generated passwords. My results show that a small percentage of generated passwords are weak against both online and offline attacks, and that attacks against autofill mechanisms are still possible in modern managers. Next, I present a comparative analysis of autofill frameworks on iOS and Android. I find that these frameworks fail to properly verify webpage security and identify a new class of phishing attacks enabled by incorrect handling of autofill within WebView controls hosted in apps. Finally, I interview users of third-party password managers to understand both how and why they use their managers as they do. I find evidence that many users leverage multiple password managers to address issues with existing managers, as well as provide explanations for why password reuse continues even in the presence of a password manager. Based on these results, I conclude with recommendations addressing the attacks and usability issues identified in this work.

    Multimodal Data Fusion and Behavioral Analysis Tooling for Exploring Trust, Trust-propensity, and Phishing Victimization in Online Environments

    Online environments, including email and social media platforms, are continuously threatened by malicious content designed by attackers to install malware on unsuspecting users and/or phish them into revealing sensitive data about themselves. Often slipping past technical mitigations (e.g. spam filters), attacks target the human element and seek to elicit trust as a means of achieving their nefarious ends. Victimized end-users lack the discernment, visual acuity, training, and/or experience to correctly identify the nefarious antecedents of trust that should prompt suspicion. Existing literature has explored trust, trust-propensity, and victimization, but studies lack data capture richness, realism, and/or the ability to investigate active user interactions. This paper defines a data collection and fusion approach alongside new open-sourced behavioral analysis tooling that addresses all three factors to provide researchers with empirical, evidence-based insights into active end-user trust behaviors. The approach is evaluated in terms of comparative analysis, run-time performance, and fused data accuracy.