230 research outputs found

    An Innovative Signature Detection System for Polymorphic and Monomorphic Internet Worms Detection and Containment

    Most current anti-worm systems and intrusion-detection systems use signature-based technology instead of anomaly-based technology. Signature-based technology can only detect known attacks with identified signatures. Existing anti-worm systems cannot detect unknown Internet scanning worms automatically because these systems do not depend upon worm behaviour but upon the worm’s signature. Most detection algorithms used in current detection systems target only monomorphic worm payloads and offer no defence against polymorphic worms, which change the payload dynamically. Anomaly detection systems can detect unknown worms but usually suffer from a high false alarm rate. Detecting unknown worms is challenging, and the worm defence must be automated because worms spread quickly and can flood the Internet in a short time. This research proposes an accurate, robust and fast technique to detect and contain Internet worms (monomorphic and polymorphic). The detection technique uses specific failure connection statuses on specific protocols such as UDP, TCP, ICMP, TCP slow scanning and stealth scanning as characteristics of the worms, whereas the containment technique utilizes flags and labels of the segment header and the source and destination ports to generate the traffic signature of the worms. Experiments using eight different worms (monomorphic and polymorphic) in a testbed environment were conducted to verify the performance of the proposed technique. The experimental results showed that the proposed technique could detect stealth scanning up to 30 times faster than the technique proposed by another researcher and had no false-positive alarms for all scanning detection cases. The experiments showed the proposed technique was capable of containing the worm because of the traffic signature’s uniqueness.

    Towards secure message systems

    Message systems, which transfer information from sender to recipient via communication networks, are indispensable to our modern society. The enormous user base of message systems and their critical role in information delivery make it the top priority to secure message systems. This dissertation focuses on securing the two most representative and dominant message systems, e-mail and instant messaging (IM), from two complementary aspects: defending against unwanted messages and ensuring reliable delivery of wanted messages.

    To curtail unwanted messages and protect e-mail and instant messaging users, this dissertation proposes two mechanisms, DBSpam and HoneyIM, which can effectively thwart e-mail spam laundering and foil malicious instant message spreading, respectively. DBSpam exploits the distinct characteristics of connection correlation and packet symmetry embedded in the behavior of spam laundering and utilizes a simple statistical method, the Sequential Probability Ratio Test, to detect and break spam laundering activities inside a customer network in a timely manner. The experimental results demonstrate that DBSpam is effective in quickly and accurately capturing and suppressing e-mail spam laundering activities and is capable of coping with high-speed network traffic. HoneyIM leverages the inherent spreading characteristic of IM malware and applies honeypot technology to the detection of malicious instant messages. More specifically, HoneyIM uses decoy accounts in normal users' contact lists as honeypots to capture malicious messages sent by IM malware and suppresses the spread of malicious instant messages by performing network-wide blocking. The efficacy of HoneyIM has been validated through both simulations and real experiments.

    To improve e-mail reliability, that is, to prevent losses of wanted e-mail, this dissertation proposes a collaboration-based autonomous e-mail reputation system called CARE. CARE introduces inter-domain collaboration without a central authority or third party and enables each e-mail service provider to independently build its reputation database, including frequently contacted and unacquainted sending domains, based on the local e-mail history and the information exchanged with other collaborating domains. The effectiveness of CARE in improving e-mail reliability has been validated through a number of experiments, including a comparison of two large e-mail log traces from two universities, a real experiment of DNS snooping on more than 36,000 domains, and extensive simulation experiments in a large-scale environment.

    Data for Cybersecurity Research: Process and ‘Wish List’

    This document identifies data needs of the security research community. It was written in response to a request for a “data wish list”. Because specific data needs will evolve in conjunction with evolving threats and research problems, we augment the wish list with commentary about some of the broader issues for data usage.

    Statistical methods used for intrusion detection

    Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2006. Includes bibliographical references (leaves: 58-64). Text in English; Abstract: Turkish and English. x, 71 leaves.

    Computer networks are being attacked every day. Intrusion detection systems are used to detect and reduce the effects of these attacks. Signature-based intrusion detection systems can only identify known attacks and are ineffective against novel and unknown attacks. Intrusion detection using anomaly detection aims to detect unknown attacks, and there exist algorithms developed for this goal. In this study, the performance of five anomaly detection algorithms and a signature-based intrusion detection system is demonstrated on synthetic and real data sets. A portion of the attacks are detected using Snort and the SPADE algorithm. PHAD and the other algorithms could not detect a considerable portion of the attacks in the tests due to a lack of sufficiently long training data.

    Essays on Flood Disaster Relief Recovery Practices and Policy: Applying the Lens of Service Operations Strategy

    This dissertation uses a service operations lens to investigate flood disasters’ recovery phase, the least-studied area of Humanitarian Operations and Crisis Management (HOCM). Comprising three essays, my dissertation deepens our knowledge of disaster recovery by using two different units of analysis, including province (state) and household levels. In Essay 1, entitled “The Influence of Industrialization and Internet Usage on Per-Capita Income: A Longitudinal Analysis of Flood Events in Thai Provinces,” we introduce a novel approach to research HOCM by using econometric analyses. We use panel data as a tool to guide decision makers in understanding the notion of flood recovery, broadly measured by a province’s per-capita income at any given time. Using panel data from 2006-2012 across 75 Thai provinces, we empirically address the question of how industrialization level and Internet usage affect per-capita income changes during and after a flood incident. Using these results, we then identify groups of provinces that recovered “best” and “worst” in order to further evaluate other identifying factors that contribute to “best-worst” recovery performance. Essay 2, entitled “Antecedents of Financial Recovery Effectiveness from Floods: A Structural Econometric Analysis of Flooding in Thailand,” uses a sample survey of approximately 34,000 households in Thailand with data pre-, during-, and post-flood disaster in 2011. Using a service operations lens, our study aims to identify where and how in the flood cycle various stakeholders—individuals, communities and governments—can act to increase the likelihood of a successful service recovery. More specifically, this research asks what type of strategic actions policy makers can take to better allocate precious resources in all three flood phases to improve the overall recovery effectiveness. 
Essay 3, entitled “The Influence of Water, Sanitation and Hygiene Factors on the Utilization of Healthcare Services During Floods,” proposes a research framework that examines flood-response healthcare service delivery in developing countries. Because resources are scarce, service operations strategies with regard to household water, sanitation, and hygiene (WASH) are critical for improving the post-disaster flood recovery phase. Using field and archival data, we empirically investigate the influence of WASH strategies on households’ decisions and access to healthcare services during floods. Collectively, these essays argue for the importance of a service operations strategy perspective for disasters, providing a research blueprint to improve recovery effectiveness.

    Assessing Behavioral Intention to Use Low Social Presence ICTs for Interpersonal Task Completion Among College Students: With Special Consideration Toward Short Message Service (SMS) Text-Messaging

    This study sought to investigate whether the popularity of Information Communication Technologies (ICTs) would impact the behavioral intention (BI) to use these technologies to aid in interpersonal task completion. Of the ICTs available today, the most popular is text-messaging, especially among a sizable percentage of the college population. Approximately 600 students at a small, private junior college in eastern North Carolina were invited to participate in this study, with a target of 248 responses needed to comprise an adequate sample. A total of 259 usable surveys (n = 259) were received and analyzed. Qualitative data collection instruments consisted of an open-ended questionnaire and other open-ended responses that were solicited throughout the data collection phase. Quantitative data collection instruments consisted of a 22-item Likert-scale survey and a forced-choice ordinal scale instrument that measured computer user self-efficacy (CUSE) and experience using technology (EUT). Situated in the context of academic help-seeking (AHS), vignettes were developed, validated and administered to offer AHS scenarios where a problem was presented and the participants were then asked to reveal which type of ICT he or she would utilize to seek academic help (AH) in that particular situation.

    Three-dimensional security framework for BYOD enabled banking institutions in Nigeria.

    Doctoral Degree. University of KwaZulu-Natal, Durban.

    Bring your own device (BYOD) has become a trend in the present day, giving employees the freedom to bring personal mobile devices to access corporate networks. In Nigeria, most banking institutions are increasingly allowing their employees the flexibility to utilize mobile devices for work-related activities. However, as they do so, the risk of corporate data being exposed to threats increases. Hence, the study considered developing a security framework for mitigating BYOD security challenges. The study was guided by organizational, socio-technical and mobility theories in developing a conceptual framework. The study was conducted in two phases, threat identification and framework evaluation, using a mixed-methods approach. The main research strategies used for the threat identification were a questionnaire and interviews, while closed and open-ended questions were used for the framework evaluation. A sample of 380 banking employees from four banks was involved in the study. In addition, the study conducted in-depth interviews with twelve management officials from the participating banks. As for the framework evaluation, the study sampled twelve respondents to assess the developed security framework for viability as far as mitigating security threats emanating from BYOD in the banking sector is concerned. This sample consisted of eight executive managers of the banks and four academic experts in information security. Quantitative data was analysed using SPSS version 21, while qualitative data was thematically analysed. Findings from the threat identification revealed that banking institutions must develop security systems that not only identify threats associated with the technical, social and mobility domains but also provide adequate mitigation of the threats. For the framework evaluation, the findings revealed that the security framework is appropriate for mitigating BYOD security threats.
    Based on the findings of the study, the developed security framework will help banks in Nigeria to mitigate BYOD security threats. Furthermore, this security framework will contribute towards the generation of new knowledge in the field of information security as far as BYOD is concerned. The study recommends ongoing training for banks’ employees as it relates to mitigation of security threats posed by mobile devices.

    Information Systems Security Countermeasures: An Assessment of Older Workers in Indonesian Small and Medium-Sized Businesses

    Information Systems (IS) misuse can result in cyberattacks such as denial-of-service, phishing, malware, and business email compromise. The study of factors that contribute to the misuse of IS resources is well-documented and empirical research has supported the value of approaches that can be used to deter IS misuse among employees; however, age and cultural nuances exist. Research focusing on older workers and how they can help to deter IS misuse among employees and support cybersecurity countermeasures within developing countries is in its nascent stages. The goal of this study was two-fold. The first goal was to assess what older workers within Indonesian Small to Medium-sized Businesses (SMBs) do to acquire, apply, and share information security countermeasures aimed at mitigating cyberattacks. The second goal was to assess if and how younger workers share information security countermeasures with their older colleagues. Using a qualitative case study approach, semi-structured interviews were conducted with five dyads of older (50-55 years) and younger (25-45 years) workers from five SMBs in Jakarta, Indonesia. A thematic analysis approach was used to analyze the interview data, where each dyad represented a unit of analysis. The data were organized into three main themes including 1) Indonesian government IS policy and oversight, which included one topic (stronger government IS oversight needed); 2) SMB IS practices, which included three topics (SMB management issues, SMB budget constraints, SMB diligent IS practices, and IS insider threat); and 3) SMB worker IS practices, which included three topics (younger worker job performance, IS worker compliance issues, older worker IS practices) and five sub-topics under older worker IS practices (older worker diligent in IS, older worker IS challenged, older worker riskier IS practices, older worker more IS dependent, and older worker more forgetful on IS practices). 
Results indicated that older and younger workers at Indonesian SMBs acquire, apply, and share information security countermeasures in a similar manner: through IS information dissemination from the SMB and through communication from co-workers. Also, while younger workers share IS countermeasures freely with their older co-workers, some have negative perceptions that older co-workers are slower and less proficient in IS. Overall, participants reported positive and cohesive teamwork between older and younger workers at SMBs through strong IS collaboration and transparent information sharing. The contribution of this research is that it provides valuable empirical data on older worker behavior and social dynamics in Indonesian organizations. This was a context-specific study aimed at better understanding the situation of older workers within organizations in the developing country of Indonesia and how knowledge is shared within the organization. This assessment of cybersecurity knowledge acquisition, skill implementation, and knowledge sharing contributes to the development of organization-wide cybersecurity practices that can be used to strengthen Indonesian SMBs and other organizations in developing countries. This study also provides a blueprint for researchers to replicate and extend this line of inquiry. Finally, the results could shed light on how older workers can be a productive part of the solution to information security issues in the workplace.

    Criminal Victimisation in Taiwan: an opportunity perspective

    Environmental criminology concerns the role of opportunities (both people and objects) existing in the environment that make crimes more likely to occur. Research consistently shows that opportunity perspectives (particularly with regard to individuals’ lifestyles and routines) help in explaining the prevalence and concentration of crimes. However, there is a paucity of studies investigating crime patterns from an opportunity perspective both outside Western countries and in relation to cybercrimes. Hence, it is not clear whether non-Western and online contexts exhibit similar patterns of crime as would be predicted by an opportunity perspective. This thesis is concerned with criminal victimisation in Taiwan, a less researched setting in the field of environmental criminology. It covers both offline victimisation (with a focus on burglary) and online victimisation from the aforementioned opportunity perspective. The goal of this thesis is to identify individual- and area-level characteristics that affect the patterns of victimisation in Taiwan. To achieve this, the thesis draws on a range of secondary datasets, including police recorded crime statistics, the Taiwan Area Victimisation Survey, and the Digital Opportunity Survey for Individuals and Households. With the application of quantitative modelling, the thesis suggests that the generalisability of the lifestyle-routine activity approach in explaining crime patterns in Taiwan should be taken with caution. The findings provide partial support for its applicability in relation to burglary and cybercrime in Taiwan. Furthermore, the findings reported here in relation to patterns of repeat and near-repeat victimisation depart from those observed in the Western literature. The thesis concludes by discussing the implications of the findings for academic research and practice in crime prevention.