6 research outputs found

    MAGMA network behavior classifier for malware traffic

    Malware is a major threat to the security and privacy of network users. A large variety of malware is typically spread over the Internet, hiding in benign traffic. New types of malware appear every day, challenging both the research community and security companies to improve malware identification techniques. In this paper we present MAGMA, MultilAyer Graphs for MAlware detection, a novel malware behavioral classifier. Our system is based on a Big Data methodology, driven by real-world data obtained from traffic traces collected in an operational network. The methodology we propose automatically extracts patterns related to a specific input event, i.e., a seed, from the enormous amount of events the network carries. By correlating such activities over (i) time, (ii) space, and (iii) network protocols, we build a Network Connectivity Graph that captures the overall “network behavior” of the seed. We next extract features from the Connectivity Graph and design a supervised classifier. We run MAGMA on a large dataset collected from a commercial Internet Provider where 20,000 Internet users generated more than 330 million events. Only 42,000 of these are flagged as malicious by a commercial IDS, which we treat as an oracle. Using this dataset, we experimentally evaluate MAGMA's accuracy and robustness to parameter settings. Results indicate that MAGMA reaches 95% accuracy, with limited false positives. Furthermore, MAGMA proves able to identify suspicious network events that the IDS ignored.

    Network Traffic Measurements, Applications to Internet Services and Security

    The Internet has become over the years a pervasive network interconnecting billions of users and now plays the role of collector for a multitude of tasks, ranging from professional activities to personal interactions. From a technical standpoint, novel architectures, e.g., cloud-based services and content delivery networks, innovative devices, e.g., smartphones and connected wearables, and security threats, e.g., DDoS attacks, are posing new challenges in understanding network dynamics. In such a complex scenario, network measurements play a central role in guiding traffic management, improving network design, and evaluating application requirements. In addition, increasing importance is devoted to the quality of experience provided to end users, which requires thorough investigations of both the transport network and the design of Internet services. In this thesis, we stress the importance of users' centrality by focusing on the traffic they exchange with the network. To do so, we design methodologies complementing passive and active measurements, as well as post-processing techniques belonging to the machine learning and statistics domains. Traffic exchanged by Internet users can be classified into three macro-groups: (i) outbound, produced by users' devices and pushed to the network; (ii) unsolicited, part of malicious attacks threatening users' security; and (iii) inbound, directed to users' devices and retrieved from remote servers. For each of the above categories, we address specific research topics consisting of the benchmarking of personal cloud storage services, the automatic identification of Internet threats, and the assessment of quality of experience in the Web domain, respectively. Results comprise several contributions in the scope of each research topic. In short, they shed light on (i) the interplay among design choices of cloud storage services, which severely impact the performance provided to end users; (ii) the feasibility of designing a general-purpose classifier to detect malicious attacks, without chasing threat specificities; and (iii) the relevance of appropriate means to evaluate the perceived quality of Web page delivery, strengthening the need for user feedback for a factual assessment.

    End-User Awareness of and Adherence to Crisis Preparedness of the Information Systems in New Zealand Organisations

    A crisis is a specific, unanticipated, and non-routine event that generates high levels of uncertainty and jeopardizes high-value priorities such as life, economic well-being, or physical infrastructure. Some scholars observe that our computing environment has dramatically changed and is now defined by greater use of and dependence on technology, while simultaneously it is hampered by technological failures and security vulnerabilities, which have perhaps led to an increase in the incidence of organisational crises. Because of the high occurrence of crises and the increased dependence on information systems (IS) in organisations, one would assume that most firms would have established measures to counteract these events; however, the literature indicates otherwise. The purpose of this research was to explore and understand the factors that contribute to crisis preparedness of the information systems. A comprehensive review of the literature indicated that the IS field has a large volume of publications on information systems disaster recovery, business continuity, information systems risk management and information systems security, but little on crisis preparedness of the information systems. This study comprehensively reviewed relevant literature on the nature of crises, crisis preparedness and information systems. The literature review established the groundwork necessary for the development of the research hypotheses, which were tested during this investigation. A quantitative positivist research approach was adopted. The study utilized a web-based survey to collect quantifiable information on the subject matter from study participants. The survey instrument was developed based on seven research dimensions. From these dimensions, descriptive questions were created which formed part of the survey instrument. The collected data was analysed using three different approaches: descriptive statistics, correlation and percentage responses. From the data, facts about crisis preparedness of the information systems in New Zealand organisations were revealed. In total 90 responses were received, 72 of which were eligible for data analysis. The study findings indicate some degree of end-user awareness of and adherence to crisis preparedness of the information systems in New Zealand organisations. However, more emphasis is needed on understanding the processes that bring about successful CPIS strategies across varying organisation structures. The academic value of this research is the review of discourse in the fields of crisis preparedness and information systems, and the application of some of the theoretical concepts from those fields. These were necessary to test the research hypotheses, and their findings can be used to explain the crisis-preparedness phenomenon in future studies. The practical value of this research is the development of a tool that managers and senior executives can use to make informed decisions about the status or progress of crisis preparedness of the information systems initiatives in their respective organisations from the end-user perspective.