18 research outputs found

    Detecting Zero-day Polymorphic Worms with Jaccard Similarity Algorithm

    Zero-day polymorphic worms pose a serious threat to the security of mobile systems and Internet infrastructure. In many cases, it is difficult to detect worm attacks at an early stage. There is typically little or no time to develop a well-constructed solution during such a worm outbreak. This is because the worms act only to spread from node to node, and they bring security concerns to everyone using the Internet via any static or mobile node. No system is safe from an aggressive worm crisis. However, many of the characteristics of a worm can be used to defeat it, including its predictable behavior and shared signatures. In this paper, we propose an efficient signature generation method based on string similarity algorithms to generate signatures for zero-day polymorphic worms. Then, these signatures are practically applied to an Intrusion Detection System (IDS) to protect the network from such attacks. The experimental results show the efficiency of the proposed approach compared to other existing mechanisms.

    Malware: A future framework for Device, Network and Service Management

    While worms and their propagation have been a major security threat over the past years, causing major financial losses and downtime for many enterprises connected to the Internet, we will argue in this paper that valuable lessons can be learned from them and that network management, which is the activity supposed to prevent them, can actually benefit from their use. We focus on five lessons learned from current malware that can benefit the network management community. For each topic, we analyse how it has been addressed in standard management frameworks, identify their limits, and describe how current malware already provides efficient solutions to these limits. We illustrate our claim through a case study on a realistic application of worm-based network management, which is currently being developed in our group.

    The malSource dataset: quantifying complexity and code reuse in malware development

    During the last decades, the problem of malicious and unwanted software (malware) has surged in numbers and sophistication. Malware plays a key role in most of today's cyberattacks and has consolidated as a commodity in the underground economy. In this paper, we analyze the evolution of malware from 1975 to date from a software engineering perspective. We analyze the source code of 456 samples from 428 unique families and obtain measures of their size, code quality, and estimates of the development costs (effort, time, and number of people). Our results suggest an exponential increment of nearly one order of magnitude per decade in aspects such as size and estimated effort, with code quality metrics similar to those of benign software. We also study the extent to which code reuse is present in our dataset. We detect a significant number of code clones across malware families and report which features and functionalities are more commonly shared. Overall, our results support claims about the increasing complexity of malware and its production progressively becoming an industry.

    This work was supported in part by the Spanish Government through MINECO grants SMOG-DEV (TIN2016-79095-C2-2-R) and DEDETIS (TIN2015-7013-R), and in part by the Regional Government of Madrid through grants CIBERDINE (S2013/ICE-3095) and N-GREENS (S2013/ICE-2731).

    BotCloud: Detecting botnets using MapReduce


    An Introduction to Malware


    IRC and P2P Botnets for Large-Scale Management

    As the number of devices to be managed keeps growing, scaling the management of networks and services is a real challenge. Such a challenge seems to have been overcome in the past by botnets, which are currently known to be one of the main threats on the Internet because an attacker can control thousands of machines. From a technical point of view, it would be very useful to employ them for network management. This article proposes a new management solution based on botnets and evaluates the associated performance in order to establish a detailed comparison of the different types of botnets usable for management.

    Multi-level Behavioural Analysis of Botnets

    Master's degree in Computer and Telematics Engineering

    Nowadays, computer networks are, more than ever, major targets of security attacks. These attacks have become very complex, with different kinds of motivations. A major part of network attacks is linked to Botnets. Botnets can be described as a group of bots that run malicious software autonomously. They mainly infect personal computers and start performing automatic tasks without the awareness of the users. Computers then become "part" of the Botnet. This dissertation describes and analyses different types of spam Botnets by installing them, capturing the generated traffic and characterizing it, in order to identify differentiating characteristics that can be used to detect their activity. Different levels of analysis are conducted in order to understand all the functioning mechanisms of these types of networks.

    Detecting worm mutations using machine learning

    Worms are malicious programs that spread over the Internet without human intervention. Since worms generally spread faster than humans can respond, the only viable defence is to automate their detection. Network intrusion detection systems typically detect worms by examining packet or flow logs for known signatures. Not only does this approach mean that new worms cannot be detected until the corresponding signatures are created, but also that mutations of known worms will remain undetected because each mutation will usually have a different signature. The intuitive and seemingly most effective solution is to write more generic signatures, but this has been found to increase false alarm rates and is thus impractical. This dissertation investigates the feasibility of using machine learning to automatically detect mutations of known worms. First, it investigates whether Support Vector Machines can detect mutations of known worms. Support Vector Machines have been shown to be well suited to pattern recognition tasks such as text categorisation and hand-written digit recognition. Since detecting worms is effectively a pattern recognition problem, this work investigates how well Support Vector Machines perform at this task. The second part of this dissertation compares Support Vector Machines to other machine learning techniques in detecting worm mutations. Gaussian Processes, unlike Support Vector Machines, automatically return confidence values as part of their result. Since confidence values can be used to reduce false alarm rates, this dissertation determines how Gaussian Processes compare to Support Vector Machines in terms of detection accuracy. For further comparison, this work also compares Support Vector Machines to K-nearest neighbours, known for its simplicity and solid results in other domains. The third part of this dissertation investigates the automatic generation of training data. Classifier accuracy depends on good quality training data: the wider the training data spectrum, the higher the classifier's accuracy. This dissertation describes the design and implementation of a worm mutation generator whose output is fed to the machine learning techniques as training data. This dissertation then evaluates whether the training data can be used to train classifiers of sufficiently high quality to detect worm mutations. The findings of this work demonstrate that Support Vector Machines can be used to detect worm mutations, and that the optimal configuration for detection of worm mutations is to use a linear kernel with unnormalised bi-gram frequency counts. Moreover, the results show that Gaussian Processes and Support Vector Machines exhibit similar accuracy on average in detecting worm mutations, while K-nearest neighbours consistently produces lower quality predictions. The generated worm mutations are shown to be of sufficiently high quality to serve as training data. Combined, the results demonstrate that machine learning is capable of accurately detecting mutations of known worms.