Detection and Analysis of Drive-by Downloads and Malicious Websites

A drive by download is a download that occurs without users action or knowledge. It usually triggers an exploit of vulnerability in a browser to downloads an unknown file. The malicious program in the downloaded file installs itself on the victims machine. Moreover, the downloaded file can be camouflaged as an installer that would further install malicious software. Drive by downloads is a very good example of the exponential increase in malicious activity over the Internet and how it affects the daily use of the web. In this paper, we try to address the problem caused by drive by downloads from different standpoints. We provide in depth understanding of the difficulties in dealing with drive by downloads and suggest appropriate solutions. We propose machine learning and feature selection solutions to remedy the the drive-by download problem. Experimental results reported 98.2% precision, 98.2% F-Measure and 97.2% ROC area

Measuring Youth Program Quality: A Guide to Assessment Tools

Thanks to growing interest in the subject of youth program quality, many tools are now available to help organizations and systems assess and improve quality. Given the size and diversity of the youth-serving sector, it is unrealistic to expect that any one tool or process will fit all programs or circumstances. This report compares the purpose, history, structure, methodology, content and technical properties of nine different program observation tools

A Dynamic Model of Sponsored Search Advertising

Sponsored search advertising is ascendant Jupiter Research reports expenditures rose 28% in 2007 to $8.9B and will continue to rise at a 15landscape. Yet little, if any empirical research focuses upon search engine marketing strategy by integrating the behavior of various agents in sponsored search advertising (i.e., searchers, advertisers, and the search engine platform). The dynamic structural model we propose serves as a foundation to explore these and other sponsored search advertising phenomena. Fitting the model to a proprietary data set provided by an anonymous search engine, we conduct several policy simulations to illustrate the bene ts of our approach. First, we explore how information asymmetries between search engines and advertisers can be exploited to enhance platform revenues. This has consequences for the pricing of market intelligence. Second, we assess the effect of allowing advertisers to bid not only on key words, but also by consumers searching histories and demographics thereby creating a more targeted model of advertising. Third, we explore several different auction pricing mechanisms and assess the role of each on engine and advertiser profits and revenues. Finally, we consider the role of consumer search tools such as sorting on consumer and advertiser behavior and engine revenues. One key finding is that the estimated advertiser value for a click on its sponsored link averages about 24 cents. Given the typical$22 retail price of the software products advertised on the considered search engine, this implies a conversion rate (sales per click) of about 1.1%, well within common estimates of 1-2% (gamedaily.com). Hence our approach appears to yield valid estimates of advertiser click valuations. Another finding is that customers appear to be segmented by their clicking frequency, with frequent clickers placing a greater emphasis on the position of the sponsored advertising link. Estimation of the policy simulations is in progress

Emerging & Unconventional Malware Detection Using a Hybrid Approach

Advancement in computing technologies made malware development easier for malware authors. Unconventional computing paradigms such as cloud computing, the internet of things, In-memory computing, etc. introduced new ways to develop more complex and effective malware. To demonstrate this, we designed and implemented a fileless malware that could infect any device that supports JavaScript and HTML5. In addition, another proof-of-concept is implemented that signifies the security threat of in-memory malware for in-memory data storage and computing platforms. Furthermore, a detailed analysis of unconventional malware has been performed using current state-of-the-art malware analysis and detection techniques. Our analysis shows that, by utilizing the unique characteristics of emerging technologies, malware attacks could easily deceive the anti-malware tools and evade themselves from detection. This clearly demonstrates the need for an innovative and effective detection mechanism. Because of the limitations of existing techniques, we propose a hybrid approach using specification-based and behavioral analysis techniques together as an effective solution against unconventional and emerging malware instances. Our approach begins with the specification development where we present the way of writing it in a succinct manner to describe the expected behavior of the application. Moreover, the behavior monitoring component of our approach makes the detection mechanism effective enough by matching the actual behavior with pre-defined specifications at run-time and alarms the system if any action violates the expected behavior. We demonstrate the effectiveness of the proposed approach by applying it for the detection of in-memory malware that threatens the HazelCast in-memory data grid platform. In our experiments, we evaluated the performance and effectiveness of the approach by considering the possible use cases where in-memory malware could affect the data present in the storage space of HazelCast IMDG

Using Botnet Technologies to Counteract Network Traffic Analysis

Botnets have been problematic for over a decade. They are used to launch malicious activities including DDoS (Distributed-Denial-of-Service), spamming, identity theft, unauthorized bitcoin mining and malware distribution. A recent nation-wide DDoS attacks caused by the Mirai botnet on 10/21/2016 involving 10s of millions of IP addresses took down Twitter, Spotify, Reddit, The New York Times, Pinterest, PayPal and other major websites. In response to take-down campaigns by security personnel, botmasters have developed technologies to evade detection. The most widely used evasion technique is DNS fast-flux, where the botmaster frequently changes the mapping between domain names and IP addresses of the C&C server so that it will be too late or too costly to trace the C&C server locations. Domain names generated with Domain Generation Algorithms (DGAs) are used as the \u27rendezvous\u27 points between botmasters and bots. This work focuses on how to apply botnet technologies (fast-flux and DGA) to counteract network traffic analysis, therefore protecting user privacy. A better understanding of botnet technologies also helps us be pro-active in defending against botnets. First, we proposed two new DGAs using hidden Markov models (HMMs) and Probabilistic Context-Free Grammars (PCFGs) which can evade current detection methods and systems. Also, we developed two HMM-based DGA detection methods that can detect the botnet DGA-generated domain names with/without training sets. This helps security personnel understand the botnet phenomenon and develop pro-active tools to detect botnets. Second, we developed a distributed proxy system using fast-flux to evade national censorship and surveillance. The goal is to help journalists, human right advocates and NGOs in West Africa to have a secure and free Internet. Then we developed a covert data transport protocol to transform arbitrary message into real DNS traffic. We encode the message into benign-looking domain names generated by an HMM, which represents the statistical features of legitimate domain names. This can be used to evade Deep Packet Inspection (DPI) and protect user privacy in a two-way communication. Both applications serve as examples of applying botnet technologies to legitimate use. Finally, we proposed a new protocol obfuscation technique by transforming arbitrary network protocol into another (Network Time Protocol and a video game protocol of Minecraft as examples) in terms of packet syntax and side-channel features (inter-packet delay and packet size). This research uses botnet technologies to help normal users have secure and private communications over the Internet. From our botnet research, we conclude that network traffic is a malleable and artificial construct. Although existing patterns are easy to detect and characterize, they are also subject to modification and mimicry. This means that we can construct transducers to make any communication pattern look like any other communication pattern. This is neither bad nor good for security. It is a fact that we need to accept and use as best we can

Network Traffic Measurements, Applications to Internet Services and Security

The Internet has become along the years a pervasive network interconnecting billions of users and is now playing the role of collector for a multitude of tasks, ranging from professional activities to personal interactions. From a technical standpoint, novel architectures, e.g., cloud-based services and content delivery networks, innovative devices, e.g., smartphones and connected wearables, and security threats, e.g., DDoS attacks, are posing new challenges in understanding network dynamics. In such complex scenario, network measurements play a central role to guide traffic management, improve network design, and evaluate application requirements. In addition, increasing importance is devoted to the quality of experience provided to final users, which requires thorough investigations on both the transport network and the design of Internet services. In this thesis, we stress the importance of users’ centrality by focusing on the traffic they exchange with the network. To do so, we design methodologies complementing passive and active measurements, as well as post-processing techniques belonging to the machine learning and statistics domains. Traffic exchanged by Internet users can be classified in three macro-groups: (i) Outbound, produced by users’ devices and pushed to the network; (ii) unsolicited, part of malicious attacks threatening users’ security; and (iii) inbound, directed to users’ devices and retrieved from remote servers. For each of the above categories, we address specific research topics consisting in the benchmarking of personal cloud storage services, the automatic identification of Internet threats, and the assessment of quality of experience in the Web domain, respectively. Results comprise several contributions in the scope of each research topic. In short, they shed light on (i) the interplay among design choices of cloud storage services, which severely impact the performance provided to end users; (ii) the feasibility of designing a general purpose classifier to detect malicious attacks, without chasing threat specificities; and (iii) the relevance of appropriate means to evaluate the perceived quality of Web pages delivery, strengthening the need of users’ feedbacks for a factual assessment

Intrusion detection using probabilistic graphical models

Modern computer systems are plagued by security vulnerabilities and flaws on many levels. Those vulnerabilities and flaws are discovered and exploited by attackers for their various intrusion purposes, such as eavesdropping, data modification, identity spoofing, password based attack, and denial of service attack, etc. The security of our computer systems and data is always at risk because of the open society of the internet. Due to the rapid growth of the internet applications, intrusion detection and prevention have become increasingly important research topics, in order to protect networking systems, such as the Web servers, database servers, cloud servers and so on, from threats. In this thesis, we attempt to build more efficient Intrusion Detection System through three different approaches, from different perspectives and based on different situations. Firstly, we propose Bayesian Model Averaging of Bayesian Network (BNMA) Classifiers for intrusion detection. In this work, we compare our BNMA classifier with Bayesian Network classifier and Naive Bayes classifier, which were shown be good models for detecting intrusion with reasonable accuracy and efficiency in the literature. From the experiment results, we see that BNMA can be more efficient and reliable than its competitors, i.e., the Bayesian network classifier and Naive Bayesian Network classifier, for all different sizes of training dataset. The advantage of BNMA is more pronounced when the training dataset size is small. Secondly, we introduce the Situational Data Model as a method for collecting dataset to train intrusion detection models. Unlike previously discussed static features as in the KDD CUP 99 data, which were collected without time stamps, Situational Data are collected in chronological sequence. Therefore, they can capture not only the dependency relationships among different features, but also relationships of values collected over time for the same features. The experiment results show that the intrusion detection model trained by Situational Dataset outperforms that trained by action-only sequences. Thirdly, we introduce the Situation Aware with Conditional Random Fields Intrusion Detection System (SA-CRF-IDS). The SA-CRF-IDS is trained by probabilistic graphical model Conditional Random Fields (CRF) over the Situational Dataset. The experiment results show that the CRF outperforms HMM with significantly better detection accuracy, and better ROC curve when we run the experiment on the non-Situational dataset. On the other hand, the two training methods have very similar performance when the Situational Dataset is adopted