Detecting Targeted Malicious Email Through Mail Client

Sharing and storing of data in the web world is with the help of social networks. Messages are exchanged between hosts using the Simple Mail Transfer Protocol (SMTP). While the email messages are transporting between systems, SMTP communicates delivery parameters using a message envelope separate from the message (header and body) itself. A malicious email message is the one which have been deliberately crafted to cause problems on the server or at the client side. This message may contain a virus. A filtering technique is applied on messaging string contents by applying tokenization and then applying naïve bayesian classifier we classify targeted and non targeted malicious email. A network defender encounters different classes of threat actors with varying intents and capabilities. Conventional computer network attacks exploit network-based listening services such as Web servers. Traditional decision-tree classification algorithms split each node using the best split from all available features. With random forests, each node splits from a randomly selected set of features at that node. It is only focus on mail body not on hyperlinks and attachments. Proposed extension is feature extraction to file attachment metadata. Threat actors might inadvertently leave remnants of infor-mation such as file paths, time zones, or even author names. In addi¬tion, organizations can track features that characterize the types and amounts of email received by a particular email address

A Survey of Email Spam Filtering Methods

E-mail is one of the most secure medium for online communication and transferring data or messages through the web. An overgrowing increase in popularity, the number of unsolicited data has also increased rapidly. To filtering data, different approaches exist which automatically detect and remove these untenable messages. There are several numbers of email spam filtering technique such as Knowledge-based technique, Clustering techniques, Learning based technique, Heuristic processes and so on. This paper illustrates a survey of different existing email spam filtering system regarding Machine Learning Technique (MLT) such as Naive Bayes, SVM, K-Nearest Neighbor, Bayes Additive Regression, KNN Tree, and rules. However, here we present the classification, evaluation and comparison of different email spam filtering system Keywords: e-mail spam, spam filtering methods, machine learning technique, classification, SVM, AN

Guest Editorial Special Issue on: Big Data Analytics in Intelligent Systems

The amount of information that is being created, every day, is quickly growing. As such, it is now more common than ever to deal with extremely large datasets. As systems develop and become more intelligent and adaptive, analysing their behaviour is a challenge. The heterogeneity, volume and speed of data generation are increasing rapidly. This is further exacerbated by the use of wireless networks, sensors, smartphones and the Internet. Such systems are capable of generating a phenomenal amount of information and the need to analyse their behaviour, to detect security anomalies or predict future demands for example, is becoming harder. Furthermore, securing such systems is a challenge. As threats evolve, so should security measures develop and adopt increasingly intelligent security techniques. Adaptive systems must be employed and existing methods built upon to provide well-structured defence in depth. Despite the clear need to develop effective protection methods, the task is a difficult one, as there are significant weaknesses in the existing security currently in place. Consequently, this special issue of the Journal of Computer Sciences and Applications discusses big data analytics in intelligent systems. The specific topics of discussion include the Internet of Things, Web Services, Cloud Computing, Security and Interconnected Systems

Emotional Tendency Analysis of Twitter Data Streams

The web now seems to be an alive and dynamic arena in which billions of people across the globe connect, share, publish, and engage in a broad range of everyday activities. Using social media, individuals may connect and communicate with each other at any time and from any location. More than 500 million individuals across the globe post their thoughts and opinions on the internet every day. There is a huge amount of information created from a variety of social media platforms in a variety of formats and languages throughout the globe. Individuals define emotions as powerful feelings directed toward something or someone as a result of internal or external events that have a personal meaning. Emotional recognition in text has several applications in human-computer interface and natural language processing (NLP). Emotion classification has previously been studied using bag-of words classifiers or deep learning methods on static Twitter data. For real-time textual emotion identification, the proposed model combines a mix of keyword-based and learning-based models, as well as a real-time Emotional Tendency Analysi

Achieving a consensual definition of phishing based on a systematic review of the literature

Background:\ud Phishing is a widely known phenomenon, but currently lacks a commonly accepted definition. As a result, many studies about phishing use their own definition. The lack of a common definition prevents knowledge accumulation and makes analysing studies or aggregating data about phishing a difficult task.\ud Method:\ud To develop a definition, we used existing definitions as input and combined them using crime science theories as the theoretical framework. A systematic review of the literature up to August 2013 was conducted, resulting in 2458 publications mentioning the word phishing. All journal articles, together with both highly cited and recent conference papers were selected, giving a total of 536 peer-reviewed publications (22%) to be manually reviewed. This resulted in 113 distinct definitions to be analysed.\ud Results:\ud An analysis identified key concepts that were found in most definitions and formed the building blocks for a consensual definition. We propose a new definition that is based upon current ones, which defines phishing in a comprehensive way and - in our opinion - addresses all important elements of phishing: 'phishing is a scalable act of deception whereby impersonation is used to obtain information from a target'.\ud Conclusions:\ud A consensual definition allows future research to be aligned and it facilitates the interpretation and comparison of existing research. The findings suggest that the routine activity approach can be applied to the digital world. Finally, the 'scalability' concept of our definition provides a new theoretical notion to digital crime that is independent of the employed channel

E-mail encryption framework for Malaysian public sector

Securing confidential data shared through the electronic mail is depending on the current encryption method deployed by the E-mail service provider as well as the current procedures and regulation of the organization. Hence, the E-mail encryption framework is a fundamental factor in designing a secure E-mail service in the Malaysian Public Sector. Therefore, the purpose of this study is to develop the Email encryption framework for Malaysian Public Sector in order to secure the E-mail system. In this study, the qualitative study has been conducted in order to understand the criteria of the E-mail encryption framework for the Malaysian Public Sector. Thus, the descriptive design is conducted to discover the features E-mail encryption framework for Malaysian Public Sector from the E-mail administrator and related personnel. Therefore, in-depth interview with the semi-structured method of interview is used in this study. The E-mail encryption framework has been proposed which comprising of organizational, operational, technological, legal and ethical components. The proposed framework was evaluated to measure its effectiveness towards an existing e-mail system. Findings on the proposed e-mail encryption framework will benefit the Malaysian Public Sector in providing secure e-mail service thus deciding applicable security control. Finally, this study generally contributes to enhance the current secure e-mail system implementation in Malaysian public sector agencies

Advanced persistent threats

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2015Os sistemas computacionais tornaram-se uma parte importante da nossa sociedade, para além de estarmos intrinsecamente ligados a eles, a maioria da informação que utilizamos no nosso dia-a-dia está no seu formato digital. Ao contrário de um documento físico, um documento digital está exposto a uma maior variedade de ameaças, principalmente se estiver de alguma forma disponível `a Internet. Informação é poder, por isso não é de admirar que alguém, algures esteja a tentar roubá-la, assim, é facto que os adversários já operam neste novo mundo. Ladrões, terroristas e mesmo a máfia começaram a utilizar a internet como um meio para alcançar os seus fins. A cibersegurança tenta proteger a informação e os sistemas contra estes e outros tipos de ameaças, utilizando anti-vírus, firewalls ou detetores de intrusões, entre outros. Infelizmente as notícias continuam a sair, milhões de euros roubados a bancos por via informática, empresas saqueadas da sua propriedade intelectual e governos envergonhados por os seus segredos serem expostos ao mundo. A questão coloca-se, porque é que os sistemas de segurança estão a falhar? Como está o adversário a ultrapassá-los? A verdade hoje em dia é que os atacantes não só adquiriram talentos avançados na área como também têm acesso a ferramentas extremamente sofisticadas e vão fazer uso delas para serem bem-sucedidos nos seus objetivos, sejam estes o roubo de informação, o objetivo mais comum e por isso o mais abordado neste trabalho, seja o ataque a infraestruturas críticas. Advanced Persistent Threat(APT), ou ameaça avançada persistente, é um termo utilizado para caracterizar atacantes sofisticados, organizados e com recursos para concretizar ataques informáticos. Inventado pela força aérea Americana em 2006, o termo era uma forma de discutir intrusões informáticas com pessoal não militar. Nas suas origens, a palavra Ameaça indica que o adversário não é um pedaço de código automático, ou seja, o adversário ´e humano e ´e este humano que controla parte do ataque e contribui para o seu sucesso, avançada porque este humano é treinado e especializado na utilização de todo o espectro informático de forma a melhor conseguir atingir o seu objectivo e persistente, pois esse objectivo é formalmente definido, ou seja, o ataque só está concluído quando atingir o alvo em pleno. Infelizmente, o termo passou a ser utilizado para descrever qualquer ataque informático e a ter uma conotação extremamente comercial devido aos sistemas anti-APT que invadiram o mercado pouco tempo depois do ataque sofrido pela Google em 2010. Neste trabalho abordamos estes pressupostos, e explica-se o verdadeiro significado do termo juntamente com uma forma mais científica, claramente mais útil do ponto das abordagens da engenharia. Nomeadamente, sugere-se uma visão mais abrangente da campanha de ataque, não se focando apenas no software utilizado pelo adversário, mas tentando olhar para a campanha como um todo; equipas, organização, manutenção e orçamento, entre outros. Mostramos também porque estes ataques são diferentes, relativamente às suas tácticas, técnicas e procedimentos, e porque merecem ser distinguidos com a sua própria designação e o seu próprio ciclo de vida. Para além de identificarmos vários ciclos de vida associados às APTs, o ciclo de vida mais utilizado para caracterizar estas campanhas de ataque foi analisado em detalhe, desde as primeiras etapas de reconhecimento até à conclusão dos objectivos. Discute-se também a essência de cada passo e porque são, ou não, importantes. De seguida realiza-se uma análise ao tipo de atacante por trás destas campanhas, quem são, quais as suas histórias e objectivos. Avalia-se também porque é que os mecanismos de defesa tradicionais continuam a ser ultrapassados e n˜ao conseguem acompanhar o passo rápido dos atacantes. Isto acontece principalmente devido à utilização de listas do que é malicioso e o bloqueio apenas do que se encontra nessa lista, chamado de black listing. Ainda que se tenha já realizado trabalho na área de deteccão de anomalias, mostra-se também o porquê de esses sistemas continuarem a não ser suficientes, nomeadamente devido ao facto de definirem os seus pressupostos base erroneamente. Durante a realização deste trabalho percebeu-se a falta de estatísticas que pudessem responder a algumas questões. E por isso foi realizado um estudo aos relatórios disponíveis relativos a este tipo de ataques e apresentados os resultados de uma forma simples, organizada e resumida. Este estudo veio ajudar a perceber quais os maiores objectivos neste tipo de ataque, nomeadamente a espionagem e o roubo de informação confidencial; quais os maiores vectores de ataque (sendo o e-mail o grande vencedor devido à facilidade de explorar o vector humano); quais as aplicações alvo e a utilização, ou não, de vulnerabilidades desconhecidas. Esperamos que esta recolha de informação seja útil para trabalhos futuros ou para interessados no tema. Só depois de realizado este estudo foi possível pensar em formas de contribuir para a solução do problema imposto pelas APTs. Uma distinção ficou clara, existe não só a necessidade de detectar APTs, mas também a criticalidade da sua prevenção. A melhor forma de não ser vítima de infeção é a aplicação de boas práticas de segurança e, neste caso, a formação de todo o pessoal relativamente ao seu papel na segurança geral da organização. Aborda-se também a importância da preparação; segurança não é apenas proteger-se dos atacantes, mas principalmente saber como recuperar. Relativamente à deteção, foi realizado trabalho em duas vertentes, primeiramente e visto o trabalho ter sido realizado em ambiente de empresa, foi elaborado um plano para um sistema capaz de detectar campanhas de ataque que utilizassem o vetor de infeção do e-mail, fazendo uso dos sistemas já desenvolvidos pela AnubisNetworks que, sendo uma empresa de segurança informática com fortes ligações ao e-mail, tinha o conhecimento e as ferramentas necessárias para a concretização do sistema. O sistema faz uso de uma caracterização de pessoas, chamado de people mapping, que visa a identificar os principais alvos dentro da empresa e quem exibe maiores comportamentos de risco. Esta caracterização possibilita a criação de uma lista de pessoal prioritário, que teria o seu e-mail (caso tivesse anexos ou endereços) analisado em ambiente de sandbox. Este sistema acabou por não ser construído e é apenas deixada aqui a sua esquematização, sendo que fica lançado o desafio para a sua realização. De forma a contribuir não só para a empresa, mas também para a comunidade científica de segurança, foi de seguida realizado trabalho de deteção em vários pontos de qualquer rede informática seguindo os quatro principais passos na execução de uma campanha APT. Decidimos então utilizar um ciclo de vida composto por quatro etapas, sendo elas, a fase de reconhecimento, a infeção inicial, o controlo e o roubo de informação. Neste modelo, procuraram-se possíveis sistemas para a deteção de eventos relacionados com APTs nos três principais pontos de qualquer rede: a Internet, a Intranet e a máquina cliente. Ao analisar cada fase em cada ponto da rede, foi possível perceber realmente quais as principais áreas de estudo e desenvolvimento para melhor detectar APTs. Mais concretamente, concluiu-se que a internet seria o ponto ideal de deteção das fases de reconhecimento, a intranet para detetar controlo e roubo de informação e a máquina cliente para detetar infeção inicial. Conclui-se o trabalho apresentando o nosso ponto de vista relativamente ao futuro, isto é, quem vai fazer uso das táticas utilizadas nas campanhas APT visto serem extremamente bem sucedidas, como vão os atacantes adaptar-se aos novos mecanismos de defesa e quais os novos possíveis vetores de infeção.Computer systems have become a very important part of our society, most of the information we use in our everyday lives is in its digital form, and since information is power it only makes sense that someone, somewhere will try to steal it. Attackers are adapting and now have access to highly sophisticated tools and expertise to conduct highly targeted and very complex attack campaigns. Advanced Persistent Threat, or APT, is a term coined by the United States Air Force around 2006 as a way to talk about classified intrusions with uncleared personnel. It wrongly and quickly became the standard acronym to describe every sort of attack. This work tries to demystify the problem of APTs, why they are called as such, and what are the most common tactics, techniques and procedures. It also discusses previously proposed life-cycles, profile the most common adversaries and takes a look at why traditional defences will not stop them. A big problem encountered while developing this work was the lack of statistics regarding APT attacks. One of the big contributions here consists on the search for publicly available reports, its analysis, and presentation of relevant information gathered in a summarised fashion. From the most targeted applications to the most typical infection vector, insight is given on how and why the adversaries conduct these attacks. Only after a clear understanding of the problem is reached, prevention and detection schemes were discussed. Specifically, blueprints for a system to be used by AnubisNetworks are presented, capable of detecting these attacks at the e-mail level. It is based on sandboxing and people mapping, which is a way to better understand people, one of the weakest links in security. The work is concluded by trying to understand how the threat landscape will shape itself in upcoming years

Mustererkennungsbasierte Verteidgung gegen gezielte Angriffe

The speed at which everything and everyone is being connected considerably outstrips the rate at which effective security mechanisms are introduced to protect them. This has created an opportunity for resourceful threat actors which have specialized in conducting low-volume persistent attacks through sophisticated techniques that are tailored to specific valuable targets. Consequently, traditional approaches are rendered ineffective against targeted attacks, creating an acute need for innovative defense mechanisms. This thesis aims at supporting the security practitioner in bridging this gap by introducing a holistic strategy against targeted attacks that addresses key challenges encountered during the phases of detection, analysis and response. The structure of this thesis is therefore aligned to these three phases, with each one of its central chapters taking on a particular problem and proposing a solution built on a strong foundation on pattern recognition and machine learning. In particular, we propose a detection approach that, in the absence of additional authentication mechanisms, allows to identify spear-phishing emails without relying on their content. Next, we introduce an analysis approach for malware triage based on the structural characterization of malicious code. Finally, we introduce MANTIS, an open-source platform for authoring, sharing and collecting threat intelligence, whose data model is based on an innovative unified representation for threat intelligence standards based on attributed graphs. As a whole, these ideas open new avenues for research on defense mechanisms and represent an attempt to counteract the imbalance between resourceful actors and society at large.In unserer heutigen Welt sind alle und alles miteinander vernetzt. Dies bietet mächtigen Angreifern die Möglichkeit, komplexe Verfahren zu entwickeln, die auf spezifische Ziele angepasst sind. Traditionelle Ansätze zur Bekämpfung solcher Angriffe werden damit ineffektiv, was die Entwicklung innovativer Methoden unabdingbar macht. Die vorliegende Dissertation verfolgt das Ziel, den Sicherheitsanalysten durch eine umfassende Strategie gegen gezielte Angriffe zu unterstützen. Diese Strategie beschäftigt sich mit den hauptsächlichen Herausforderungen in den drei Phasen der Erkennung und Analyse von sowie der Reaktion auf gezielte Angriffe. Der Aufbau dieser Arbeit orientiert sich daher an den genannten drei Phasen. In jedem Kapitel wird ein Problem aufgegriffen und eine entsprechende Lösung vorgeschlagen, die stark auf maschinellem Lernen und Mustererkennung basiert. Insbesondere schlagen wir einen Ansatz vor, der eine Identifizierung von Spear-Phishing-Emails ermöglicht, ohne ihren Inhalt zu betrachten. Anschliessend stellen wir einen Analyseansatz für Malware Triage vor, der auf der strukturierten Darstellung von Code basiert. Zum Schluss stellen wir MANTIS vor, eine Open-Source-Plattform für Authoring, Verteilung und Sammlung von Threat Intelligence, deren Datenmodell auf einer innovativen konsolidierten Graphen-Darstellung für Threat Intelligence Stardards basiert. Wir evaluieren unsere Ansätze in verschiedenen Experimenten, die ihren potentiellen Nutzen in echten Szenarien beweisen. Insgesamt bereiten diese Ideen neue Wege für die Forschung zu Abwehrmechanismen und erstreben, das Ungleichgewicht zwischen mächtigen Angreifern und der Gesellschaft zu minimieren

Unmanned Aircraft Systems in the Cyber Domain

Unmanned Aircraft Systems are an integral part of the US national critical infrastructure. The authors have endeavored to bring a breadth and quality of information to the reader that is unparalleled in the unclassified sphere. This textbook will fully immerse and engage the reader / student in the cyber-security considerations of this rapidly emerging technology that we know as unmanned aircraft systems (UAS). The first edition topics covered National Airspace (NAS) policy issues, information security (INFOSEC), UAS vulnerabilities in key systems (Sense and Avoid / SCADA), navigation and collision avoidance systems, stealth design, intelligence, surveillance and reconnaissance (ISR) platforms; weapons systems security; electronic warfare considerations; data-links, jamming, operational vulnerabilities and still-emerging political scenarios that affect US military / commercial decisions. This second edition discusses state-of-the-art technology issues facing US UAS designers. It focuses on counter unmanned aircraft systems (C-UAS) – especially research designed to mitigate and terminate threats by SWARMS. Topics include high-altitude platforms (HAPS) for wireless communications; C-UAS and large scale threats; acoustic countermeasures against SWARMS and building an Identify Friend or Foe (IFF) acoustic library; updates to the legal / regulatory landscape; UAS proliferation along the Chinese New Silk Road Sea / Land routes; and ethics in this new age of autonomous systems and artificial intelligence (AI).https://newprairiepress.org/ebooks/1027/thumbnail.jp

Behavioural Observation for Critical Infrastructure Security Support

Critical infrastructures include sectors such as energy resources, finance, food and water distribution, health, manufacturing and government services. In recent years, critical infrastructures have become increasingly dependent on ICT; more interconnected and are often, as a result, linked to the Internet. Consequently, this makes these systems more vulnerable and increases the threat of cyber-attack. In addition, the growing use of wireless networks means that infrastructures can be more susceptible to a direct digital attack than ever before. Traditionally, protecting against environmental threats was the main focus of critical infrastructure preservation. Now, however, with the emergence of cyber-attacks, the focus has changed and infrastructures are facing a different danger with potentially debilitating consequences. Current security techniques are struggling to keep up to date with the sheer volume of innovative and emerging attacks; therefore, considering fresh and adaptive solutions to existing computer security approaches is crucial. The research presented in this thesis, details the use of behavioural observation for critical infrastructure security support. Our observer system monitors an infrastructure’s behaviour and detects abnormalities, which are the result of a cyber-attack taking place. By observing subtle changes in system behaviours, an additional level of support for critical infrastructure security is provided through a plug-in device, which operates autonomously and has no negative impact on data flow. Behaviour is evaluated using mathematical classifications to assess the data and detect changes. The subsequent results achieved during the data classification process were high and successful. Our observer approach was able to accurately classify 98.138 % of the normal and abnormal system behaviours produced by a simulation of a critical infrastructure, using nine data classifiers