User-Behavior Based Detection of Infection Onset
A major vector of computer infection is the exploitation of software or design flaws in networked applications such as the browser. Malicious code can be fetched and executed on a victim's machine without the user's permission, as in drive-by download (DBD) attacks. In this paper, we describe a new tool called DeWare for detecting the onset of infection delivered through vulnerable applications. DeWare explores and enforces causal relationships between computer-related human behaviors and system properties, such as file-system access and process execution. Our tool can be used to provide real-time protection of a personal computer, as well as for diagnosing and evaluating untrusted websites for forensic purposes. Besides the concrete DBD detection solution, we also formally define causal relationships between user actions and system events on a host. Identifying and enforcing correct causal relationships has important applications in realizing advanced and secure operating systems. We perform an extensive experimental evaluation, including a user study with 21 participants, thousands of legitimate websites (for testing false alarms), and 84 malicious websites in the wild. Our results show that DeWare is able to correctly distinguish legitimate download events from unauthorized system events with a low false positive rate (< 1%).
The Security Analysis of Browser Extensions
Many modern browsers allow functionality to be added or modified through extensions. Because of their many capabilities, extensions have become popular among users, and this has brought new attack vectors that threaten users' security. In this thesis we analyse the security architecture of extensions in the most popular web browsers. We examine the structure and security of extensions in Firefox 3.6, Google Chrome 5.0.360 and Internet Explorer 8. The thesis gives an overview of the architectural security of these browsers' extensions and describes possible attack vectors. We explain how the code space and memory of these web browsers are protected and determine which privileges browser extensions hold. We investigate how browsers can be compromised using the current extension architecture and describe the associated risks. To this end, we demonstrate extensions that compromise the browser, showing the shortcomings of the existing architecture. We show various attack vectors and describe the corresponding attack scenarios. The thesis reveals weaknesses in the security architecture of browser extensions. To mitigate them, we propose solutions that improve the security architecture. As a result of this work, browser users can be informed of existing threats and made aware of the importance of security.

In this work, we analyse the security models of browser extensions. We examine the extension models of Mozilla Firefox 3.6, Internet Explorer 8 and Google Chrome 5.0.360. Because browsers provide functionality similar to that of operating systems, we analyse these extension models as we would analyse an operating system. We show that the current security models can be abused with little effort. A browser with a compromised extension may result in the whole computer being compromised. To support our claims, we tested most of the attacks described in this analysis. The source code of these attacks is not included in the thesis. Due to the previously mentioned risks, we want to stress the seriousness of the threat that extensions pose to the security of browsers. The feasibility of creating malware extensions is analysed for each browser individually. Based on the analysis, we propose possible attack vectors for each browser. Finally, we suggest ways to improve the current security models and give advice to users.
Master of sheets: A tale of compromised cloud documents
As of 2014, a fifth of EU citizens relied on cloud accounts to store their documents, according to a Eurostat report. Although useful, cloud documents have downsides. They often accumulate sensitive information over time, including financial information, which makes them attractive targets for cybercriminals. To understand what happens to compromised cloud documents that contain financial information, we set up 100 fake payroll sheets comprising 1000 fake records of fictional individuals. We populated the sheets with traditional bank payment information, cryptocurrency details, and payment URLs. To lure cybercriminals and other visitors into visiting the sheets, we leaked links pointing to the sheets via paste sites. We collected data from the sheets for a month, during which we observed 235 accesses across 98 sheets; two sheets were not opened. We also recorded 38 modifications in 7 sheets. We present detailed measurements and analysis of accesses, modifications, edits, and devices that visited payment URLs in the sheets. Contrary to our expectations, bank payment URLs received many more clicks than cryptocurrency payment URLs, despite the popularity of cryptocurrencies and emerging blockchain technologies. On the other hand, sheets that contained cryptocurrency details recorded more modifications than sheets that contained traditional banking information. In summary, we present a comprehensive picture of what happens to compromised cloud spreadsheets.
A Deep-dive into Cryptojacking Malware: From an Empirical Analysis to a Detection Method for Computationally Weak Devices
Cryptojacking is the act of using a victim's computation power without his or her consent. Unauthorized mining incurs extra electricity consumption and dramatically decreases the victim host's computational efficiency. In this thesis, we perform extensive research on cryptojacking malware from every aspect. First, we present a systematic overview of cryptojacking malware based on information obtained from a combination of academic research papers, two large datasets of cryptojacking samples, and numerous major attack instances. Second, we created a dataset of 6269 websites containing cryptomining scripts in their source code to characterize the in-browser cryptomining ecosystem, differentiating permissioned from permissionless cryptomining samples. Third, we introduce an accurate and efficient IoT cryptojacking detection mechanism based on network traffic features that achieves an accuracy of 99%. Finally, we believe this thesis will greatly expand the scope of research and facilitate other novel solutions in the cryptojacking domain.
Flooding attacks to internet threat monitors (ITM): Modeling and counter measures using botnet and honeypots
The Internet Threat Monitoring (ITM) system is a globally scoped Internet monitoring system whose goal is to measure, detect, characterize, and track threats such as distributed denial of service (DDoS) attacks and worms. To blind monitoring on the Internet, attackers target the ITM system itself. In this paper we address flooding attacks against the ITM system, in which the attacker attempts to exhaust the network's and the ITM's resources, such as network bandwidth, computing power, or operating system data structures, by sending malicious traffic. We propose an information-theoretic framework that models flooding attacks on the ITM using a botnet. Based on this model we generalize the flooding attacks and propose an effective attack detection method using honeypots.
- …