Analyzing Social and Stylometric Features to Identify Spear phishing Emails
Spear phishing is a complex targeted attack in which an attacker harvests
information about the victim prior to the attack. This information is then used
to create sophisticated, genuine-looking attack vectors, drawing the victim to
compromise confidential information. What makes spear phishing different, and
more powerful than normal phishing, is this contextual information about the
victim. Online social media services can be one such source for gathering vital
information about an individual. In this paper, we characterize and examine a
true positive dataset of spear phishing, spam, and normal phishing emails from
Symantec's enterprise email scanning service. We then present a model to detect
spear phishing emails sent to employees of 14 international organizations, by
using social features extracted from LinkedIn. Our dataset consists of 4,742
targeted attack emails sent to 2,434 victims, and 9,353 non-targeted attack
emails sent to 5,912 non-victims; and publicly available information from their
LinkedIn profiles. We applied various machine learning algorithms to this
labeled data, and achieved an overall maximum accuracy of 97.76% in identifying
spear phishing emails. We used a combination of social features from LinkedIn
profiles, and stylometric features extracted from email subjects, bodies, and
attachments. However, we achieved a slightly better accuracy of 98.28% without
the social features. Our analysis revealed that social features extracted from
LinkedIn do not help in identifying spear phishing emails. To the best of our
knowledge, this is one of the first attempts to make use of a combination of
stylometric features extracted from emails, and social features extracted from
an online social network to detect targeted spear phishing emails.
Crime mapping and spatial analysis
Crime maps are becoming significant tools in crime and justice. Advances in the areas of information
technology and Geographic Information Systems (GIS) have opened new opportunities
for the use of digital mapping in crime control and prevention programs. Crime maps are also
valuable for the study of the ecology and the locational aspects of crime. Maps enable areas of
unusually high or low concentration of crime to be visually identified. Maps are however only
pictorial representations of the results of more or less complex spatial data analyses.
A hierarchical model for crime analysis is proposed and applied to the regional analysis
of crime in Tehran; the model helps to identify the spatial concentration of crimes in specific
areas (area-based method). In area-based methods, crime data are aggregated into geographical
areas such as blocks and precincts, and for each area the analyst computes a measure of crime
value. A multicriteria evaluation concept has been used to assess the crime rate in the various blocks of a
discrete part of Tehran city. In this part we used two methods for crime density assessment:
• Crime assessment based on crime per block,
• Crime assessment based on density of crime per population.
After determining hot spots with the two methods mentioned above, a spatial function is
used to find suitable locations for establishing new police stations or directing patrols to the hot spots in
order to reduce crime.
A GENERIC ARCHITECTURE FOR INSIDER MISUSE MONITORING IN IT SYSTEMS
Intrusion Detection Systems (IDS) have been widely deployed within many
organisations' IT networks to detect network penetration attacks by outsiders and
privilege escalation attacks by insiders. However, traditional IDS are ineffective for
detecting abuse of legitimate privileges by authorised users within the organisation, i.e.
the detection of misfeasance. In essence, insider IT abuse does not violate system level
controls, yet violates the acceptable usage policy, business controls, or code of conduct
defined by the organisation. However, the acceptable usage policy can vary from one
organisation to another, and the acceptability of user activities can also change depending
upon the user(s), application, machine, data, and other contextual conditions associated
with the entities involved. The fact that the perpetrators are authorised users and that the
insider misuse activities do not violate system level controls makes detection of insider
abuse more complicated than detection of attacks by outsiders.
The overall aim of the research is to determine novel methods by which monitoring and
detection may be improved to enable successful detection of insider IT abuse. The
discussion begins with a comprehensive investigation of insider IT misuse, encompassing
the breadth and scale of the problem. Consideration is then given to the sufficiency of
existing safeguards, with the conclusion that they provide an inadequate basis for
detecting many of the problems. This finding is used as the justification for considering
research into alternative approaches.
The realisation of the research objective includes the development of a taxonomy for
identification of the various levels within the system from which the relevant data associated
with each type of misuse can be collected, and the formulation of a checklist for
identification of applications that require misfeasor monitoring. Based upon this
foundation, a novel architecture for monitoring of insider IT misuse has been designed.
The design allows new analysis procedures to be added, while providing methods to
include relevant contextual parameters from dispersed systems for analysis and reference.
The proposed system differs from existing IDS in that it focuses on detecting
contextual misuse of authorised privileges and legitimate operations, rather than detecting
exploitation of network protocols and system level vulnerabilities.
The main concepts of the new architecture were validated through a proof-of-concept
prototype system. A number of case scenarios were used to demonstrate the validity of
the analysis procedures developed and how contextual data from dispersed databases can
be used for analysis of various types of insider activities. This helped prove that
existing detection technologies can be adopted for detection of insider IT misuse, and that
the research has thus provided a valuable contribution to the domain.
Research of Data Mining Algorithm Based on Cloud Database
There is an immense amount of data in the cloud database, and within these data much potential and valuable knowledge is implicit. The key point is to discover and pick out the useful knowledge, and to do so automatically. In this paper, the data model of the cloud database is analyzed. Through analysis and classification, the common features of the data are extracted to form a feature data set. The relationships among different areas in the data are then analyzed, from which new knowledge can be found. In the paper, the basic data mining model based on the cloud database is defined, and the discovery algorithm is presented.
A Survey on Cybercrime Using Social Media
There is growing interest in automating crime detection and prevention for large populations as a result of the increased usage of social media for victimization and criminal activities. This area is frequently researched due to its potential for enabling criminals to reach a large audience. While several studies have investigated specific crimes on social media, a comprehensive review paper that examines all types of social media crimes, their similarities, and detection methods is still lacking. The identification of similarities among crimes and detection methods can facilitate knowledge and data transfer across domains. The goal of this study is to collect a library of social media crimes and establish their connections using a crime taxonomy. The survey also identifies publicly accessible datasets and offers areas for additional study in this area
A Machine Learning based Empirical Evaluation of Cyber Threat Actors High Level Attack Patterns over Low level Attack Patterns in Attributing Attacks
Cyber threat attribution is the process of identifying the actor of an attack
incident in cyberspace. An accurate and timely threat attribution plays an
important role in deterring future attacks by applying appropriate and timely
defense mechanisms. Manual analysis of attack patterns gathered by honeypot
deployments, intrusion detection systems, firewalls, and via trace-back
procedures is still the preferred method of security analysts for cyber threat
attribution. Such attack patterns are low-level Indicators of Compromise (IOC).
They represent Tactics, Techniques, Procedures (TTP), and software tools used
by the adversaries in their campaigns. The adversaries rarely re-use them. They
can also be manipulated, resulting in false and unfair attribution. To
empirically evaluate and compare the effectiveness of both kinds of IOC, there
are two problems that need to be addressed. The first problem is that in recent
research works, the ineffectiveness of low-level IOC for cyber threat
attribution has been discussed intuitively. An empirical evaluation for the
measure of the effectiveness of low-level IOC based on a real-world dataset is
missing. The second problem is that the available dataset for high-level IOC
has a single instance for each predictive class label that cannot be used
directly for training machine learning models. To address these problems in
this research work, we empirically evaluate the effectiveness of low-level IOC
based on a real-world dataset that is specifically built for comparative
analysis with high-level IOC. The experimental results show that the high-level
IOC trained models effectively attribute cyberattacks with an accuracy of 95%
as compared to the low-level IOC trained models where accuracy is 40%.