Battlefield malware and the fight against cyber crime
Report submitted to Universidade Fernando Pessoa in partial fulfilment of the requirements of the Post-Doctoral programme in Information Sciences.
Our cyberspace is quickly becoming overwhelmed with ever-evolving malware that evades security defences, works viciously in the background without user awareness or interaction, and secretly leaks confidential business data. One of the most pressing challenges faced by business organizations when they experience a cyber-attack is that, more often than not, those organizations have neither the knowledge nor the readiness to analyze malware once it has been discovered on their production computer networks. The objective of this six-month post-doctoral project is to present the fundamentals of malware reverse engineering: the tools and techniques needed to properly analyze malicious programs and determine their characteristics, which can prove extremely helpful when investigating data breaches. Those tools and techniques provide insights to incident response teams and digital investigation professionals. In order to stop hackers in their tracks and beat cyber criminals at their own game, we need to equip cyber security professionals with the knowledge and skills necessary to detect and respond to malware attacks. Learning and mastering the inner workings of malware will help in the fight against the ever-changing malware landscape.
Graphical Security Sandbox For Linux Systems
It has become extremely difficult to distinguish a benign application from a malicious one as the number of untrusted applications on the Internet increases rapidly every year. In this project, we develop a lightweight application confinement mechanism for Linux systems in order to help ordinary users gain confidence in the various applications that they stumble upon and use on a daily basis. The sandboxing facility monitors a targeted application's activity and imposes restrictions on its access to operating system resources during its execution. Using a simple but expressive policy language, users are able to create security policies. During the course of the traced application's execution, the sandboxing facility makes execution decisions according to the specified security policy and terminates the traced application if necessary. In the case of an activity that is not covered by the policy, the facility asks for user input through a user interface that presents the activity in a simple, human-readable format, and uses that input both to make the execution decision and to extend the security policy. Our ultimate goal is a facility that even casual users with minimal technical knowledge can use without being overwhelmed by it. We base our tool on system call interposition, which has been a popular research area over the past fifteen years. The sandboxing facility offers a user-friendly, easy-to-use interface. It monitors the given application and detects activities that might be system intrusions. Moreover, the tool offers logging and auditing mechanisms for post-execution analysis. We present our evaluation of the tool in terms of performance and the overhead it generates when confining applications. We conclude that the developed system successfully detects abnormal application activity according to the specified security policies. We found that the tool adds a significant overhead to the target applications; however, this overhead does not pose usability issues, as our target domain is personal use cases with small applications.
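To make the policy-then-prompt loop concrete, here is an added example (written for this page, not the project's own code or policy syntax) of the decision engine that a system-call-interposition sandbox runs behind its tracer. The policy language, the event format, the constructed trace and the `oracle` callback standing in for the GUI prompt are all assumptions; a real deployment would feed the engine events captured with ptrace or a seccomp user-notification filter rather than a hard-coded list.

```python
# Added example of a sandbox policy engine: first matching rule wins, anything the
# policy does not cover is referred to the user, and the user's answer is learned
# as a new rule. Policy syntax, event format and trace are assumptions for this page.
from dataclasses import dataclass, field
import fnmatch

ALLOW, DENY, KILL, ASK = "allow", "deny", "kill", "ask"

@dataclass
class Rule:
    syscall: str   # e.g. "open", "connect", or "*" for any system call
    pattern: str   # glob matched against the call's primary argument (path, address)
    verdict: str   # allow | deny | kill

@dataclass
class Policy:
    rules: list = field(default_factory=list)
    default: str = ASK   # what to do when no rule matches

    @classmethod
    def parse(cls, text):
        """Parse lines such as 'allow open /usr/lib/*' or 'default ask'; '#' starts a comment."""
        pol = cls()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            parts = line.split(None, 2)
            if len(parts) < 2:
                raise ValueError(f"malformed policy line: {raw!r}")
            if parts[0] == "default":
                pol.default = parts[1]
                continue
            verdict, syscall = parts[0], parts[1]
            pattern = parts[2] if len(parts) == 3 else "*"
            if verdict not in (ALLOW, DENY, KILL):
                raise ValueError(f"bad verdict in policy line: {raw!r}")
            pol.rules.append(Rule(syscall, pattern, verdict))
        return pol

    def decide(self, syscall, arg):
        """Return the verdict of the first matching rule, else the policy default."""
        for r in self.rules:
            if r.syscall in ("*", syscall) and fnmatch.fnmatchcase(arg, r.pattern):
                return r.verdict
        return self.default

def confine(policy, trace, oracle):
    """Walk a trace of (syscall, arg) events the way the interposition layer would.
    `oracle(syscall, arg)` plays the role of the user prompt and must return
    allow/deny/kill. Its answer is appended to the policy (after the existing rules,
    so they keep priority) so the same activity is not asked about again.
    Returns (decision log, whether the application was terminated)."""
    log = []
    for syscall, arg in trace:
        verdict = policy.decide(syscall, arg)
        if verdict == ASK:
            verdict = oracle(syscall, arg)
            if verdict not in (ALLOW, DENY, KILL):
                raise ValueError(f"oracle returned {verdict!r}")
            # The literal argument becomes the pattern; glob metacharacters in a
            # real path would need escaping before being stored this way.
            policy.rules.append(Rule(syscall, arg, verdict))
        log.append((syscall, arg, verdict))
        if verdict == KILL:
            return log, True
    return log, False

# Constructed policy and trace for an offline text editor (assumptions, not real data).
EXAMPLE_POLICY = """
allow open /usr/lib/*           # shared libraries
allow open /home/user/notes/*   # the application's own documents
deny  open /home/user/.ssh/*    # never the user's keys
kill  connect *                 # an offline editor has no business on the network
default ask
"""

EXAMPLE_TRACE = [
    ("open", "/usr/lib/libc.so.6"),
    ("open", "/home/user/notes/todo.txt"),
    ("open", "/home/user/.ssh/id_rsa"),
    ("open", "/etc/passwd"),          # not covered by any rule: the user is asked
    ("connect", "203.0.113.5:443"),   # matches the kill rule: execution stops here
]

def run_example(answers=None):
    """Confine EXAMPLE_TRACE under EXAMPLE_POLICY. `answers` maps (syscall, arg) to the
    verdict the user would pick for an uncovered activity; unanswered prompts deny."""
    answers = answers or {}
    policy = Policy.parse(EXAMPLE_POLICY)
    log, killed = confine(policy, EXAMPLE_TRACE, lambda s, a: answers.get((s, a), DENY))
    return log, killed, policy

if __name__ == "__main__":
    log, killed, policy = run_example()
    for syscall, arg, verdict in log:
        print(f"{verdict:5} {syscall}({arg})")
    print("terminated" if killed else "ran to completion")
```

Two design points carry over to any real implementation of the abstract's scheme: a learned rule is stored after the author's explicit rules so an interactive answer can never override a written deny or kill, and the prompt's default answer is deny, so an inattentive user does not silently widen the policy. The overhead the abstract reports comes from the tracer stopping the process on every intercepted call, not from this decision logic.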
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks,
highlighting significant recent changes in how and why such attacks are
performed. We then investigate the mechanics of malware command and control
(C2) establishment: we provide a comprehensive review of the techniques used by
attackers to set up such a channel and to hide its presence from the attacked
parties and the security tools they use. We then switch to the defensive side
of the problem, and review approaches that have been proposed for the detection
and disruption of C2 channels. We also map such techniques to widely-adopted
security controls, emphasizing gaps or limitations (and success stories) in
current best practices.
Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor
Web attack risk awareness with lessons learned from high interaction honeypots
Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2009.
With the evolution of web 2.0, the majority of enterprises deploy their business over the Internet using web applications. These applications carry important data with crucial requirements such as confidentiality, integrity and availability. The loss of those properties directly affects the business, putting it at risk. Risk awareness provides the know-how needed to act towards its mitigation.
In this thesis a collection of high-interaction web honeypots is deployed using multiple applications and diverse operating systems in order to analyse attacker behaviour. The use of virtualization environments along with widely used honeypot monitoring tools provides the forensic information that helps the research community study the modus operandi of the attacker, gather the latest exploits and malicious tools, and develop adequate safeguards that deal with the majority of attacking techniques. Using the detailed attack information gathered with the web honeypots, the attacking behaviour is classified across different attacker profiles in order to analyse the risk mitigation safeguards needed to deal with business losses. Different security frameworks commonly used by enterprises are analysed to evaluate the benefits of the honeypots' security concepts in responding to each framework's requirements and consequently mitigating the risk.
Machine Learning based Anomaly Detection for Cybersecurity Monitoring of Critical Infrastructures
Managing critical infrastructures increasingly requires reliance on Information and Communication Technologies. Recent years have shown an incredible increase in the sophistication of attacks. For this reason, it is necessary to develop new algorithms for monitoring these infrastructures. In this scenario, Machine Learning can represent a very useful ally. After a brief introduction to the issue of cybersecurity in Industrial Control Systems and an overview of the state of the art regarding Machine Learning based cybersecurity monitoring, the present work proposes three approaches that target different layers of the control network architecture. The first focuses on covert channels based on the DNS protocol, which can be used to establish a command and control channel, allowing attackers to send malicious commands. The second focuses on the field layer of electrical power systems, proposing a physics-based anomaly detection algorithm for Distributed Energy Resources. The third proposes a first attempt to integrate physical and cyber security systems in order to face complex threats. All three approaches are supported by promising results, which give hope for practical applications in the near future.
PhD programme, 34th cycle: Sciences and Technologies for Electronic and Telecommunication Engineering (Electromagnetism, electronics, telecommunications). Author: Gaggero, GIOVANNI BATTIST
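Both the C2 survey above and the first approach of this thesis concern the same defensive problem: spotting a command and control channel that hides inside DNS. As an added example, not code from either work, the following Python script runs a hand-tuned baseline detector over a constructed DNS query log. It groups queries by registrable domain and scores four per-domain indicators of tunnelling (near-unique subdomains, long subdomain payloads, high character entropy, and a high share of TXT/NULL queries). The log format, the thresholds and the "last two labels" domain split are assumptions; a production detector would consult the Public Suffix List and would typically learn its thresholds from traffic, which is what the thesis's ML approach does instead of these fixed cut-offs.

```python
# Added example of DNS covert-channel detection over constructed query-log lines.
# Log format ("<epoch> <client> <qname> <qtype>"), thresholds and the domain split
# are assumptions for this page, not the thesis's model or data.
import math
from collections import defaultdict

# Constructed sample: ordinary lookups, a CDN with many short subdomains, and a
# tunnel-style stream of long high-entropy labels under t.example.org.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com MX
1700000003 10.0.0.5 www.example.com A
1700000004 10.0.0.7 img1.cdn.example.net A
1700000005 10.0.0.7 img2.cdn.example.net A
1700000006 10.0.0.7 img3.cdn.example.net A
1700000007 10.0.0.9 a3f9c1e2b7d4e5f6a1b2c3d4e5f6a7b8.t.example.org TXT
1700000008 10.0.0.9 7e1d0c4b9a2f8e6d5c3b1a0f9e8d7c6b.t.example.org TXT
1700000009 10.0.0.9 zq8xk2m9vp3wr7ty4lh6ns1fg0bd5jc.t.example.org A
1700000010 10.0.0.9 k0j5d8b6g1f4s2n9h3l7y5t4r6w8p3v.t.example.org TXT
1700000011 10.0.0.9 m4c9e2a7d1b6f8h3j5l0n2p4q6r8s1tu.t.example.org A
"""

def shannon_entropy(s):
    """Bits per character of the string; 0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Split a query name into (registrable domain, subdomain part).
    Assumption: the last two labels form the registrable domain. Real code must
    use the Public Suffix List, otherwise co.uk-style suffixes are mis-grouped."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        events.append((int(ts), client, qname, qtype.upper()))
    return events

def domain_features(events):
    """Per registrable domain: query count and the four tunnelling indicators."""
    groups = defaultdict(list)
    for _, client, qname, qtype in events:
        dom, sub = registered_domain(qname)
        groups[dom].append((sub, qtype))
    feats = {}
    for dom, items in groups.items():
        subs = [s for s, _ in items]
        payload = [s.replace(".", "") for s in subs]   # label text only, dots removed
        feats[dom] = {
            "queries": len(items),
            "unique_ratio": len(set(subs)) / len(subs),
            "mean_sub_len": sum(map(len, payload)) / len(payload),
            "mean_entropy": sum(map(shannon_entropy, payload)) / len(payload),
            "txt_null_ratio": sum(q in ("TXT", "NULL") for _, q in items) / len(items),
        }
    return feats

# Illustrative cut-offs; a real deployment tunes these on its own baseline traffic.
THRESHOLDS = {"unique_ratio": 0.8, "mean_sub_len": 20, "mean_entropy": 3.5,
              "txt_null_ratio": 0.5}

def suspicious_domains(feats, min_queries=3):
    """Flag a domain when at least three of the four indicators exceed their cut-off.
    Requiring several indicators keeps CDN-style hosts (unique but short, low-entropy
    labels) out of the alert list."""
    hits = {}
    for dom, f in feats.items():
        if f["queries"] < min_queries:
            continue
        tripped = [k for k, t in THRESHOLDS.items() if f[k] >= t]
        if len(tripped) >= 3:
            hits[dom] = tripped
    return hits

def analyse(text):
    return suspicious_domains(domain_features(parse_log(text)))

if __name__ == "__main__":
    for dom, why in analyse(SAMPLE_LOG).items():
        print(f"possible DNS tunnel: {dom} ({', '.join(why)})")
```

On the constructed log only `example.org` trips the detector: the CDN host under `example.net` has fully unique subdomains but they are short and low-entropy, so it trips a single indicator. The known evasion this baseline misses is a tunnel that throttles itself and encodes data in record contents rather than query names, which is why the survey pairs query-side heuristics with response-size and timing analysis.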