User-Behavior Based Detection of Infection Onset

A major vector of computer infection is through exploiting software or design flaws in networked applications such as the browser. Malicious code can be fetched and executed on a victim’s machine without the user’s permission, as in drive-by download (DBD) attacks. In this paper, we describe a new tool called DeWare for detecting the onset of infection delivered through vulnerable applications. DeWare explores and enforces causal relationships between computer-related human behaviors and system properties, such as file-system access and process execution. Our tool can be used to provide real time protection of a personal computer, as well as for diagnosing and evaluating untrusted websites for forensic purposes. Besides the concrete DBD detection solution, we also formally define causal relationships between user actions and system events on a host. Identifying and enforcing correct causal relationships have important applications in realizing advanced and secure operating systems. We perform extensive experimental evaluation, including a user study with 21 participants, thousands of legitimate websites (for testing false alarms), as well as 84 malicious websites in the wild. Our results show that DeWare is able to correctly distinguish legitimate download events from unauthorized system events with a low false positive rate (< 1%)

The Security Analysis of Browser Extensions

Paljud tänapäevased brauserid võimaldavad funktsionaalsuse lisamist või muutmist laienduste kaudu. Rohkete võimaluste tõttu on laiendused muutunud kasutajate hulgas populaarseks ja see on toonud kaasa uued ründevektorid, mis ohustavad kasutajate turvalisust. Töös analüüsime populaarsemate veebibrauserite laienduste turvaarhitektuuri. Vaatleme Firefox 3.6, Google Chrome 5.0.360 ja Internet Explorer 8 laienduste ehitust ja nende turvalisust. Töö annab ülevaate vastavate brauserite laienduste arhitektuurilisest turvalisusest ja kirjeldab võimalikke ründevektoreid. Selgitame, kuidas on vastavate veebibrauserite koodiruum ja mälu kaitstud ja teeme kindlaks missuguseid õiguseid brauserite laiendused omavad. Uurime, kuidas on praegust laienduste arhitektuuri kasutades võimalik brausereid kompromiteerida ja kirjeldame sellega kaasnevaid riske. Selleks demonstreerime laiendusi, mis kompromiteerivad brauseri, näitamaks olemasoleva arhitektuuri puudujääke. Näitame erinevaid ründevektoreid ja kirjeldame nendele vastavaid ründestsenaariumeid. Töö tulemusena selguvad brauserite laienduste turvaarhitektuuri nõrkused. Nende leevendamiseks pakume välja lahendusi, mis parandavad turvaarhitektuuri. Töö tulemusena on võimalik brauserite kasutajaid informeerida olemasolevatest ohtudest ja teadvustada turvalisuse olulisusest.In this work, we analyse the security models of browser extensions. We view the extension models of Mozilla Firefox 3.6, Internet Explorer 8 and Google Chrome 5.0.360. Because browsers are providing functionalities similar to operating systems, we analyse these extension models as we would analyse an operating system. We show that the current security models can be abused with little effort. A browser with a compromised extension may result in the whole computer being compromised. To support our claims, we tested most of the attacks that are described in this analysis. The source code of these attacks is not included in the thesis. Thus, due to previously mentioned risks, we want to stress the importance of the threat that extensions pose to the security of browsers. The feasibility of creating malware extensions is analysed for each browser individually. Based on the analysis we propose possible attack vectors for each browser. Finally, we suggest ways to improve the current security models and give advice to the users

Master of sheets: A tale of compromised cloud documents

As of 2014, a fifth of EU citizens relied on cloud accounts to store their documents according to a Eurostat report. Although useful, there are downsides to the use of cloud documents. They often accumulate sensitive information over time, including financial information. This makes them attractive targets to cybercriminals. To understand what happens to compromised cloud documents that contain financial information, we set up 100 fake payroll sheets comprising 1000 fake records of fictional individuals. We populated the sheets with traditional bank payment information, cryptocurrency details, and payment URLs. To lure cybercriminals and other visitors into visiting the sheets, we leaked links pointing to the sheets via paste sites. We collected data from the sheets for a month, during which we observed 235 accesses across 98 sheets. Two sheets were not opened. We also recorded 38 modifications in 7 sheets. We present detailed measurements and analysis of accesses, modifications, edits, and devices that visited payment URLs in the sheets. Contrary to our expectations, bank payment URLs received many more clicks than cryptocurrency payment URLs despite the popularity of cryptocurrencies and emerging blockchain technologies. On the other hand, sheets that contained cryptocurrency details recorded more modifications than sheets that contained traditional banking information. In summary, we present a comprehensive picture of what happens to compromised cloud spreadsheets.Accepted manuscrip

A Deep-dive into Cryptojacking Malware: From an Empirical Analysis to a Detection Method for Computationally Weak Devices

Cryptojacking is an act of using a victim\u27s computation power without his/her consent. Unauthorized mining costs extra electricity consumption and decreases the victim host\u27s computational efficiency dramatically. In this thesis, we perform an extensive research on cryptojacking malware from every aspects. First, we present a systematic overview of cryptojacking malware based on the information obtained from the combination of academic research papers, two large cryptojacking datasets of samples, and numerous major attack instances. Second, we created a dataset of 6269 websites containing cryptomining scripts in their source codes to characterize the in-browser cryptomining ecosystem by differentiating permissioned and permissionless cryptomining samples. Third, we introduce an accurate and efficient IoT cryptojacking detection mechanism based on network traffic features that achieves an accuracy of 99%. Finally, we believe this thesis will greatly expand the scope of research and facilitate other novel solutions in the cryptojacking domain

Flooding attacks to internet threat monitors (ITM): Modeling and counter measures using botnet and honeypots

The Internet Threat Monitoring (ITM),is a globally scoped Internet monitoring system whose goal is to measure, detect, characterize, and track threats such as distribute denial of service(DDoS) attacks and worms. To block the monitoring system in the internet the attackers are targeted the ITM system. In this paper we address flooding attack against ITM system in which the attacker attempt to exhaust the network and ITM's resources, such as network bandwidth, computing power, or operating system data structures by sending the malicious traffic. We propose an information-theoretic frame work that models the flooding attacks using Botnet on ITM. Based on this model we generalize the flooding attacks and propose an effective attack detection using Honeypots