    Empirical study to fingerprint public malware analysis services

    The evolution of malicious software (malware) analysis tools has provided controlled, isolated, and virtual environments in which to analyze malware samples. Several services on the Internet offer users an automatic system for analyzing malware samples, such as VirusTotal, Jotti, or ClamAV, to name a few. Unfortunately, malware currently incorporates techniques to recognize execution in a virtual or sandbox environment. When an analysis environment is detected, the malware behaves as a benign application or even shows no activity at all. In this work, we present an empirical study and characterization of automatic public malware analysis services. In particular, we consider 26 different services. We also show a set of features that allow these services to be easily fingerprinted as analysis environments. Finally, we propose a method to mitigate fingerprinting.

    Analysis and Concealment of Malware in an Adversarial Environment

    Nowadays, users and devices are rapidly growing in number, and there is a massive migration of data and infrastructure from physical systems to virtual ones. Moreover, people are always connected and deeply dependent on information and communications. Thanks to the massive growth of Internet of Things applications, this phenomenon also affects everyday objects such as home appliances and vehicles. This extensive interconnection implies a significant rate of potential security threats for systems, devices, and virtual identities. For this reason, malware detection and analysis is one of the most critical security topics. The detection strategies in use are well suited to analyzing and responding to potential threats, but they are vulnerable and can be bypassed under specific conditions. In light of this scenario, this thesis highlights the existing detection strategies and how it is possible to deceive them using malicious content concealment strategies, such as code obfuscation and adversarial attacks. Moreover, the ultimate goal is to explore new viable ways to detect and analyze embedded malware and to study the feasibility of generating adversarial attacks. In line with these two goals, in this thesis, I present two research contributions. The first one proposes a new viable way to detect and analyze the malicious contents inside Microsoft Office documents (even when concealed). The second one proposes a study of the feasibility of generating Android malicious applications capable of bypassing a real-world detection system. Firstly, I present Oblivion, a static and dynamic system for large-scale analysis of Office documents with embedded (and most of the time concealed) malicious contents. Oblivion performs instrumentation of the code and executes the Office documents in a virtualized environment to de-obfuscate and reconstruct their behavior. In particular, Oblivion can systematically extract embedded PowerShell and non-PowerShell attacks and reconstruct the employed obfuscation strategies. This research work aims to provide a scalable system that allows analysts to go beyond simple malware detection by performing a real, in-depth inspection of macros. To evaluate the system, a large-scale analysis of more than 40,000 Office documents has been performed. The attained results show that Oblivion can efficiently de-obfuscate malicious macro files by revealing a large corpus of PowerShell and non-PowerShell attacks in a short amount of time. Then, the focus is on presenting an Android adversarial attack framework. This research work aims to understand the feasibility of generating adversarial samples specifically through the injection of Android system API calls only. In particular, the constraints necessary to generate actual adversarial samples are discussed. To evaluate the system, I employ an interpretability technique to assess the impact of specific API calls on the evasion. The vulnerability of the detection system used against mimicry and random noise attacks is also assessed. Finally, a basic implementation to generate concrete and working adversarial samples is proposed. The attained results suggest that injecting system API calls could be a viable strategy for attackers to generate concrete adversarial samples. This thesis aims to improve the security landscape in both the research and industrial world by exploring a hot security topic and proposing two novel research works about embedded malware. The main conclusion of this research experience is that systems and devices can be secured with the most robust security processes. At the same time, it is fundamental to improve user awareness and education in detecting and preventing possible attempts at malicious infection.

    A Comparison of Adult Black and White Male Killers' Behaviors, Their Motives for Murder, and What They Do With Their Victims' Bodies

    Studies involving murder are often focused on one offender group or a specific victim type. Because research on this topic has been so narrowly focused, there is a need to compare the deviant behaviors of two groups of offenders who commit murder. The comparison of adult black male offenders and adult white male offenders, their motivations for murder, and what offenders do with their victims’ bodies is explored in this study. A total of 300 solved homicide cases, consisting primarily of adult male and female victims along with several child murders, was collected. Offender motivations included domestic, robbery, sexual assault and other types of motivations. These events occurred within the United States between 1972 and 2022, and were analyzed based upon 11 different variables, including victim gender and race preference, offender death methods, victim concealment, disposal locations, and whether victims’ bodies remained at the crime scene or were moved to a secondary location for disposal. The results reveal remarkable differences between the two offender groups. Motivations are discussed, along with how white males are “expressive” killers and black males are “instrumental” killers. Victim race and victim disposal locations are the most predictive variables and showed compelling outcomes. White males selected white victims almost exclusively, and often moved their victims’ bodies away from the crime scene. In comparison, black males murdered mostly black victims, but also some white victims, leaving victims of both races primarily at the crime scene.

    The effects of second-generation antipsychotics in borderline personality disorder - a systematic review.

    Borderline personality disorder (BPD) is a convoluted psychiatric disease that requires a considerable amount of health resources to be adequately treated. Previous studies have shown that pharmacotherapy can be advantageous for BPD. Among the drugs tested, second-generation antipsychotics (SGAs) showed a more consistent positive effect in patients with BPD. However, the amount of evidence available at the time was insufficient to justify their recommendation. The aim of this systematic review is to qualitatively assess the currently available randomized controlled trials (RCTs) of SGAs in BPD patients. Database searches were performed using MEDLINE, SCOPUS, ISI Web of Knowledge and PsycInfo. Study selection and data collection were carried out independently by two researchers. Out of 1294 records (without duplicates), nine studies were included in this review. The results confirm the findings of the previous review. Most SGAs show a significant decrease in various BPD symptoms in comparison to placebo. However, there was only one new study compared to the previous review. Current findings suggest SGAs are effective against BPD and can serve as adjuvant therapy. Further RCTs are needed with larger samples and with several intervention arms.

    CCTV as an automated sensor for firearms detection: human-derived performance as a precursor to automatic recognition

    CCTV operators are able to detect firearms via CCTV, but their capacity for surveillance is limited. Thus, it is desirable to automate the monitoring of CCTV cameras for firearms using machine vision techniques. The abilities of CCTV operators to detect concealed and unconcealed firearms in CCTV footage were quantified within a signal detection framework. Additionally, the visual search strategies adopted by the CCTV operators were elicited and their efficacies indexed with respect to signal detection performance, separately for concealed and unconcealed firearms. Future work will automate effective human visual search strategies using image processing algorithms.

    Buying drugs on a Darknet market: A better deal? Studying the online illicit drug market through the analysis of digital, physical and chemical data.

    Darknet markets, also known as cryptomarkets, are websites located on the Darknet and designed to allow the trafficking of illicit products, mainly drugs. This study aims at presenting the added value of combining digital, chemical and physical information to reconstruct sellers' activities. In particular, this research focuses on Evolution, one of the most popular cryptomarkets, active from January 2014 to March 2015. Evolution source code files were analysed using Python scripts based on regular expressions to extract information about listings (i.e., sales proposals) and sellers. The results revealed more than 48,000 listings and around 2700 vendors claiming to send illicit drug products from 70 countries. The most frequent categories of illicit drugs offered by vendors were cannabis-related products (around 25%), followed by ecstasy (MDA, MDMA) and stimulants (cocaine, speed). The cryptomarket was then studied specifically from a Swiss point of view. Illicit drugs were purchased from three sellers located in Switzerland. The purchases were carried out to confront digital information (e.g., the type of drug, the purity, the shipping country and the concealment methods mentioned on listings) with the physical analysis of the shipment packaging and the chemical analysis of the received product (purity, cutting agents, chemical profile based on minor and major alkaloids, chemical class). The results show that digital information, such as concealment methods and shipping country, seems accurate. However, the purity of the illicit drugs is found to differ from the information indicated on their respective listings. Moreover, chemical profiling highlighted links between cocaine sold online and specimens seized in Western Switzerland. This study highlights that (1) the forensic analysis of the received products allows the evaluation of the accuracy of digital data collected on the website, and (2) the information from digital and physical/chemical traces is complementary for evaluating the practices of online selling of illicit drugs on cryptomarkets.

    Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware

    This paper focuses on the anticipatory enhancement of methods for detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks that use malware. In this paper, we first present an idea of the highest-stealth malware, as this is the most complicated scenario for detection because it combines existing anti-forensic techniques with their potential improvements. Second, we present new detection methods that are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windows memory content using a new method of Shannon entropy calculation, methods of digital photogrammetry and the Zipf–Mandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present the idea and architecture of a software tool that uses CUDA-enabled GPU hardware to speed up memory forensics. All three ideas are currently a work in progress. Keywords: rootkit detection, anti-forensics, memory analysis, scattered fragments, anticipatory enhancement, CUDA

    The importance of fraud detection techniques from the Enron case and the T.J. Maxx data breach

    This thesis examines the issue of fraud detection, its causes and its solutions. After describing two fraud cases, the Enron scandal (internal fraud) and the T.J. Maxx data breach (external fraud), it discusses the causes of these two cases using Cressey’s “fraud triangle” theory and Albrecht’s three-stage theory. It then describes various fraud detection techniques for internal and external fraud. Finally, recommendations for improving both internal and external fraud detection systems are explained.

    Enhancement of perceived quality of service for voice over internet protocol systems

    Voice over Internet Protocol (VoIP) applications are becoming more and more popular in the telecommunication market. Packet-switched VoIP systems have many technical advantages over the conventional Public Switched Telephone Network (PSTN), including efficient and flexible use of bandwidth, lower cost and enhanced security. However, due to the IP network's "Best Effort" nature, voice quality is not naturally guaranteed in VoIP services. In fact, most current VoIP services cannot provide as good a voice quality as PSTN. IP network impairments such as packet loss, delay and jitter affect perceived speech quality, as do application layer impairment factors such as codec rate and audio features. Current perceived Quality of Service (QoS) methods are mainly designed to be used in a PSTN/TDM environment and their performance in a VoIP environment is unknown. It is a challenge to measure perceived speech quality correctly in a VoIP system and to enhance user perceived speech quality for VoIP systems. The main goal of this project is to evaluate the accuracy of the existing ITU-T speech quality measurement method (Perceptual Evaluation of Speech Quality, PESQ) in mobile wireless systems in the context of VoIP, and to develop novel and efficient methods to enhance user perceived speech quality for emerging VoIP services, especially in a mobile VoIP environment. The main contributions of the thesis are threefold: (1) A new discovery of PESQ errors in a mobile VoIP environment. A detailed investigation of PESQ performance in a mobile VoIP environment was undertaken and included setting up a PESQ performance evaluation platform and testing over 1800 mobile-to-mobile and mobile-to-PSTN calls over a period of three months. The accuracy issues of the PESQ algorithm were investigated and the main problems causing inaccurate PESQ scores (improper time-alignment in the PESQ algorithm) were discovered. Calibration issues for safe and proper PESQ testing in a mobile environment were also discussed in the thesis. (2) A new, simple-to-use VoIP jitter buffer algorithm. This was developed and implemented in a commercial mobile handset. The algorithm, called "Play Late Algorithm", adaptively alters the playout delay inside a speech talkspurt without introducing unnecessary extra end-to-end delay. It can be used as a front-end to conventional static or adaptive jitter buffer algorithms to provide improved performance. Results show that the proposed algorithm can increase user perceived quality without consuming too much processing power when tested in live wireless VoIP networks. (3) A new QoS enhancement scheme. The new scheme combines the strengths of adaptive codec bit rate (i.e. AMR 8-mode bit rate) and speech priority marking (i.e. giving high priority to the beginning of a voiced segment). The results gathered on a simulation and emulation test platform show that the combined method provides better user perceived speech quality than separate adaptive sender bit rate or packet priority marking methods.