12 research outputs found
An anti-malvertising model for university students to increase security awareness
Accessing websites through the Internet has introduced a new way of advertising information to users. The term “malvertising” comes from the words malware and advertising. It is a type of attack that injects malware or scareware into online advertisements. The purpose of this study is to investigate security awareness of malvertising attacks among university students, propose an anti-malvertising model to improve security awareness, and evaluate the security awareness of the proposed model. Data collection for the research starts with a preliminary study to understand the malvertising issue. Then, a survey questionnaire is distributed to university students from two different local universities (UTM, Kuala Lumpur and UMP, Pahang) and two different backgrounds (IT-related and non-IT-related courses) to investigate current security awareness of malvertising attacks. The study proposes a theoretical model of anti-malvertising, and security awareness is analyzed through the survey. The proposed model consists of protection, behavior and monitoring components, identified as independent variables, while security awareness of anti-malvertising is identified as the dependent variable. The study found that more than half of the students are aware of malvertising attacks, practicing protection measures, security behavior, and security monitoring that have a positive impact on the students’ security awareness. This proposed theoretical model may be beneficial for students as a basis of reference for anti-malvertising exercises, while promoting security awareness among university students. Besides, the theoretical model can be used as a reference for researchers in this field, as well as other security practitioners, in practicing the suitable components that constitute security awareness of malvertising.
Early Warning System on a National Level
We present the architecture of an automatic early warning system (EWS) that aims at providing predictions and advice regarding security threats in information and communication technology without incorporating human cognitive abilities, and that forms the basis for drawing a situation picture. Our EWS particularly targets the growing malware threat and shall achieve the required capabilities by combining malware collectors, malware analysis systems, malware behavior clustering, signature generation and distribution, and malware/misuse detection systems into an integrated process chain. The quality and timeliness of the results delivered by the EWS are influenced by the number and location of participating partners that share information on security incidents. In order to enable such cooperation and an effective deployment of the EWS, the interests and confidentiality requirements of the parties involved need to be carefully examined. We discuss technical details of the EWS components, evaluate alternatives and examine the interests of all parties involved in the anticipated deployment scenario.
A Technique for Classifying and Retrieving Malware Details in Signature-Based Detection
Signature-based detection is one of the common techniques used to detect malware attacks. The problem with signature-based detection is the management of a large database that continually receives new signatures. In this paper we create a new method to classify and quickly retrieve malware from the database; the size of the database depends on the number of signatures derived from malware files. To classify the database, we use the concept of “room based” to manage it. Each room holds the prohibition privileges of signatures based on malware files, or patterns of collections of signatures based on malware files.
Detecting malware with information complexity
Malware concealment is the predominant strategy for malware propagation. Black hats create variants of malware based on polymorphism and metamorphism. Malware variants, by definition, share some information. Although the concealment strategy alters this information, there are still patterns in the software. Given a zoo of labelled malware and benign-ware, we ask whether a suspect program is more similar to our malware or to our benign-ware. Normalized Compression Distance (NCD) is a generic metric that measures the shared information content of two strings. This measure opens a new front in the malware arms race, one where the countermeasures promise to be more costly for malware writers, who must now obfuscate patterns as strings qua strings, without reference to execution, in their variants. Our approach classifies disk-resident malware with 97.4% accuracy and a false positive rate of 3%. We demonstrate that its accuracy can be improved by combining NCD with the compressibility rates of executables using decision forests, paving the way for future improvements. We demonstrate that malware reported within a narrow time frame of a few days is more homogeneous than malware reported over two years, but that our method still classifies the latter with 95.2% accuracy and a 5% false positive rate. Due to its use of compression, the time and computation cost of our method is nontrivial. We show that simple approximation techniques can improve its running time by up to 63%. We compare our results to the results of applying the 59 anti-malware programs used on the VirusTotal website to our malware. Our approach outperforms each one used alone and matches that of all of them used collectively.
Evolving decision trees for the categorization of software
Current manual techniques of static reverse engineering are inefficient at providing semantic program understanding. An automated method to categorize applications was developed in order to quickly determine pertinent characteristics. Prior work in this area has had some success, but a major strength of the approach detailed in this thesis is that it produces heuristics that can be reused for quick analysis of new data. The method relies on a genetic programming algorithm to evolve decision trees which can be used to categorize software. The terminals, or leaf nodes, within the trees each contain values based on selected features from one of several attributes: system calls, byte N-grams, opcode N-grams, registers, opcode collocation, cyclomatic complexity, and bonding. The evolved decision trees are reusable and achieve average accuracies above 90% when categorizing programs based on compiler origin, authorship, and versions. Developing new decision trees simply requires more labeled datasets and potentially different feature selection algorithms for other attributes, depending on the data being classified. The genetic programming algorithm used to evolve the decision trees was compared against C4.5, a classic decision tree technique. In all experiments, the genetic programming approach outperformed C4.5.
This thesis is an extension and expansion of the work published in the Computer Forensics in Software Engineering workshop at COMPSAC 2014 - the Annual 38th IEEE International Conference on Computer Software and Applications. This thesis is also being prepared as a journal article to be submitted for publication. --Abstract, page iii
Behavior Abstraction in Malware Analysis - Extended Version
We present an approach for proactive malware detection that works on an abstract representation of a program's behavior. Our technique consists in abstracting program traces by rewriting given subtraces into abstract symbols representing their functionality. Traces are captured dynamically by code instrumentation in order to handle packed or self-modifying malware. Suspicious behaviors are detected by comparing trace abstractions to reference malicious behaviors. The expressive power of abstraction allows us to handle general suspicious behaviors rather than specific malware code and thus to detect malware mutations. We present and discuss an implementation validating our approach.
Machine Learning and other Computational-Intelligence Techniques for Security Applications
The abstract is in the attachment.
The Effect of Code Obfuscation on Authorship Attribution of Binary Computer Files
In many forensic investigations, questions linger regarding the identity of the authors of a software specimen. Research has identified methods for the attribution of binary files that have not been obfuscated, but a significant percentage of malicious software has been obfuscated in an effort to hide both the details of its origin and its true intent. Little research has been done on analyzing obfuscated code for attribution. In part, the reason for this gap in the research is that deobfuscation of an unknown program is a challenging task. Further, the additional transformation of the executable file introduced by the obfuscator modifies or removes features of the original executable that would have been used in the author attribution process. Existing research has demonstrated good success in attributing the authorship of an executable file of unknown provenance using methods based on static analysis of the specimen file. With the addition of file obfuscation, static analysis of files becomes difficult and time consuming, and in some cases may lead to inaccurate findings. This paper presents a novel process for authorship attribution using dynamic analysis methods. A software-emulated system was fully instrumented to become a test harness for a specimen of unknown provenance, allowing for supervised control, monitoring, and trace data collection during execution. This trace data was used as input to a supervised machine learning algorithm trained to identify stylometric differences in the specimen under test and provide predictions on who wrote the specimen. The specimen files were also analyzed for authorship using static analysis methods, to compare their prediction accuracies with those gathered from this new, dynamic-analysis-based method. Experiments indicate that this new method can provide better accuracy of author attribution for files of unknown provenance, especially in the case where the specimen file has been obfuscated.