
    Identification and Recognition of Remote-Controlled Malware

    This thesis encapsulates research on the detection of botnets. First, we design and implement Sandnet, an observation and monitoring infrastructure to study the botnet phenomenon. Using Sandnet, we evaluate detection approaches based on traffic analysis and rogue visual monetization. Therefore, we identify and recognize botnet C&C channels with the help of traffic analysis. To a large degree, our clustering and classification leverage the sequence of message lengths per flow. As a result, our implementation, CoCoSpot, proves to reliably detect active C&C communication of a variety of botnet families, even in the face of fully encrypted C&C messages. Furthermore, we found a botnet that uses DNS as the carrier protocol for its command and control channel. With the help of statistical entropy as well as behavioral features, we design and implement a classifier that detects DNS-based C&C, even in mixed network traffic of benign users. Finally, perceptual clustering of Sandnet screenshots enables us to group malware into rogue visual monetization campaigns and study their monetization properties.

    Looking for Archetypes: Applying Game Data Mining to Hearthstone Decks

    Digital Collectible Card Games such as Hearthstone have become a very prolific test-bed for Artificial Intelligence algorithms. Most research has focused on the implementation of autonomous agents (bots) able to effectively play the game. However, this environment is also very attractive for the use of Data Mining (DM) and Machine Learning (ML) techniques for analysing and extracting useful knowledge from game data. The objective of this work is to apply existing Game Mining techniques in order to study more than 600,000 real decks (groups of cards) created by players with many different skill levels. Data visualisation and analysis tools have been applied, namely graph representations and clustering techniques. Then, an expert player has conducted a deep analysis of the results yielded by these methods, aiming to identify the use of standard, well-known archetypes defined by the players. The methods used will also make it possible for the expert to discover hidden relationships between cards that could lead to finding better combinations of them, enhancing players' decks or, otherwise, identifying unbalanced cards that could lead to a disappointing game experience. Moreover, although this work is mostly focused on data analysis and visualization, the obtained results can be applied to improve Hearthstone bots' behaviour, e.g. predicting an opponent's actions after identifying a specific archetype in his/her deck.
    Funding: Spanish Government PID2020-113462RB-I00, PID2020-115570 GB-C22; Junta de Andalucia B-TIC-402-UGR18, P18-RT-4830, A-TIC-608-UGR2

    PAHs, Ionized Gas, and Molecular Hydrogen in Brightest Cluster Galaxies of Cool Core Clusters of Galaxies

    We present measurements of 5-25 μm emission features of brightest cluster galaxies (BCGs) with strong optical emission lines in a sample of 9 cool-core clusters of galaxies observed with the Infrared Spectrograph on board the Spitzer Space Telescope. These systems provide a view of dusty molecular gas and star formation, surrounded by dense, X-ray emitting intracluster gas. Past work has shown that BCGs in cool-core clusters may host powerful radio sources, luminous optical emission line systems, and excess UV, while BCGs in other clusters never show this activity. In this sample, we detect polycyclic aromatic hydrocarbons (PAHs), extremely luminous, rotationally-excited molecular hydrogen line emission, forbidden line emission from ionized gas ([Ne II] and [Ne III]), and infrared continuum emission from warm dust and cool stars. We show here that these BCGs exhibit more luminous forbidden neon and H2 rotational line emission than star-forming galaxies with similar total infrared luminosities, as well as somewhat higher ratios of 70 μm / 24 μm luminosities. Our analysis suggests that while star formation processes dominate the heating of the dust and PAHs, a heating process consistent with suprathermal electron heating from the hot gas, distinct from star formation, is heating the molecular gas and contributing to the heating of the ionized gas in the galaxies. The survival of PAHs and dust suggests that dusty gas is somehow shielded from significant interaction with the X-ray gas.
    Comment: 27 preprint pages, 18 figures, accepted by Astrophysical Journal

    Cyber Security Concerns in Social Networking Service

    Today’s world is unimaginable without online social networks. Nowadays, millions of people connect with their friends and families by sharing their personal information with the help of different forms of social media. Sometimes, individuals face different types of issues while maintaining multimedia contents like audios, videos, and photos, because it is difficult to maintain the security and privacy of these multimedia contents uploaded on a daily basis. In fact, sometimes personal or sensitive information could go viral if it leaks out, even unintentionally. Any leaked content can be shared and made a topic of popular talk all over the world within a few seconds with the help of social networking sites. In the setting of the Internet of Things (IoT), which would connect millions of devices, such contents could be shared from anywhere at any time. Considering such a setting, in this work, we investigate the key security and privacy concerns faced by individuals who use different social networking sites differently for different reasons. We also discuss the current state-of-the-art defense mechanisms that can bring somewhat long-term solutions to tackling these threats.

    The stylometry of film dialogue: pros and pitfalls

    We examine film dialogue with quantitative textual analysis (stylometry, sentiment analysis, distant reading). Working with transcribed dialogue in almost 300 productions, we explore the complex way in which most-frequent-words-based stylometry and lexicon-based sentiment analysis produce patterns of similarity and difference between screenwriters and/or a priori IMDB-defined genres. In fact, some of our results show that counting and comparing very frequent word lists reveals further similarities: of theme, implied audience, and stylistic patternings. The results are encouraging enough to suggest that such a quantitative approach to film dialogue may become a welcome addition to the arsenal of film studies methodology.

    Inventory dynamics and the bullwhip effect: studies in supply chain performance


    Reinforcing the weakest link in cyber security: securing systems and software against attacks targeting unwary users

    Unwary computer users are often blamed as the weakest link in the security chain, for unknowingly facilitating incoming cyber attacks and jeopardizing the efforts to secure systems and networks. However, in my opinion, average users should not bear the blame because of their lack of expertise to predict the security consequence of every action they perform, such as browsing a webpage, downloading software to their computers, or installing an application on their mobile devices. My thesis work aims to secure software and systems by reducing or eliminating the chances where users’ mere actions can unintentionally enable external exploits and attacks. In achieving this goal, I follow two complementary paths: (i) building runtime monitors to identify and interrupt the attack-triggering user actions; (ii) designing offline detectors for the software vulnerabilities that allow for such actions. To maximize the impact, I focus on securing software that either serves the largest number of users (e.g. web browsers) or experiences the fastest user growth (e.g. smartphone apps), despite the platform distinctions. I have addressed the two dominant attacks through which most malicious software (a.k.a. malware) infections happen on the web: drive-by downloads and rogue websites. BLADE, an OS kernel extension, infers user intent through OS-level events and prevents the execution of downloaded files that cannot be attributed to any user intent. Operating as a browser extension and identifying malicious post-search redirections, SURF protects search engine users from falling into the trap of poisoned search results that lead to fraudulent websites. In the infancy of security problems on mobile devices, I built Dalysis, the first comprehensive static program analysis framework for vetting Android apps in bytecode form. Based on Dalysis, CHEX detects the component hijacking vulnerability in large volumes of apps.

    My thesis as a whole explores, realizes, and evaluates a new perspective on securing software and systems, which limits or avoids the unwanted security consequences caused by unwary users. It shows that, with the proposed approaches, software can be reasonably well protected against attacks targeting its unwary users. The knowledge and insights gained throughout the course of developing the thesis have advanced the community’s awareness of the threats and the increasing importance of considering unwary users when designing and securing systems. Each work included in this thesis has yielded at least one practical threat mitigation system. Evaluated by large-scale real-world experiments, these systems have demonstrated their effectiveness at thwarting the security threats faced by most unwary users today. The threats addressed by this thesis span multiple computing platforms, such as desktop operating systems, the Web, and smartphone devices, which highlights the broad impact of the thesis.
    Ph.D.

    Distributed detection of anomalous internet sessions

    Financial service providers are moving many services online, reducing their costs and facilitating customers' interaction. Unfortunately, criminals have quickly found several ways to avoid most security measures applied to browsers and banking sites. The use of highly dangerous malware has become the most significant threat, and traditional signature-detection methods are nowadays easily circumvented due to the amount of new samples and the use of sophisticated evasion techniques. Antivirus vendors and malware experts are pushed to seek new methodologies to improve the identification and understanding of malicious applications' behavior and their targets. Financial institutions are now playing an important role by deploying their own detection tools against malware that specifically affects their customers. However, most detection approaches tend to be based on sequences of bytes in order to create new signatures. This thesis' approach is based on new sources of information: the web logs generated from each banking session, the normal browser execution, and customers' mobile phone behavior. The thesis can be divided into four parts. The first part involves the introduction of the thesis along with the presentation of the problems and the methodology used to perform the experimentation. The second part describes our contributions to the research, which are based on two areas:

    * Server side: web log analysis. We first focus on the real-time detection of anomalies through the analysis of web logs and the challenges introduced due to the amount of information generated daily. We propose different techniques to detect multiple threats by deploying per-user and global models in a graph-based environment that will allow increased performance on a set of highly related data.
    * Customer side: browser analysis. We deal with the detection of malicious behaviors from the other side of a banking session: the browser. Malware samples must interact with the browser in order to retrieve or add information. Such a relation interferes with the normal behavior of the browser. We propose to develop models capable of detecting unusual patterns of function calls in order to detect if a given sample is targeting a specific financial entity.

    In the third part, we propose to adapt our approaches to mobile phones and Critical Infrastructure environments. The latest online banking attack techniques circumvent protection schemes such as password verification systems sent via SMS. Man-in-the-Mobile attacks are capable of compromising mobile devices and gaining access to SMS traffic. Once the Transaction Authentication Number is obtained, criminals are free to make fraudulent transfers. We propose to model the behavior of the applications related to messaging services to automatically detect suspicious actions. Real-time detection of unwanted SMS forwarding can improve the effectiveness of second-channel authentication and build on detection techniques applied to browsers and Web servers. Finally, we describe possible adaptations of our techniques to another area outside the scope of online banking: critical infrastructures, an environment with similar features since the applications involved can also be profiled. Just as financial entities, critical infrastructures are experiencing an increase in the number of cyber attacks, but the sophistication of the malware samples utilized forces new detection approaches. The aim of the last proposal is to demonstrate the validity of our approach in different scenarios. Conclusions: finally, we conclude with a summary of our findings and the directions for future work.