An anti-malvertising model for university students to increase security awareness

Accessing the website through the Internet has introduced a new way of advertising information to the users. The term “malvertising” comes from the word malware and advertising. It is one type of attack that performs malware or scareware injection into the online advertisements. The purpose of this study is to investigate security awareness on malvertising attack among university students, propose an anti-malvertising model to improve security awareness, and to evaluate the security awareness of the proposed model. The data collection of the research starts with preliminary study in understanding the malvertising issue. Then, survey questionnaire is distributed to university students from two different local universities (UTM, Kuala Lumpur and UMP, Pahang) from two different backgrounds (IT related and non-IT related courses) to investigate current security awareness on malvertising attack. The study proposes theoretical model on antimalvertising and the security awareness will be analyzed through the survey. The proposed model consists of protection, behavior and monitoring components, identified as independent variables and the security awareness on the antimalvertising will is identified as the dependent variable. The study had found that more than half of the students are aware with the malvertising attack by practicing protection measures, security behavior, and security monitoring that give positive impact to the students’ security awareness. This proposed theoretical model may be beneficial for the students as a basis of reference for anti-malvertising exercise, while promoting the security awareness among university students. Besides, the theoretical model can be used as a reference for the researchers in this field as well as other security practitioners in practicing the suitable components that constitute security awareness for malvertising

Early Warning System on a National Level

We present the architecture of an automatic early warning system (EWS) that aims at providing predictions and advice regarding security threats in information and communication technology without incorporation of cognitive abilities of humans and forms the basis for drawing a situation picture. Our EWS particularly targets the growing malware threat and shall achieve the required capabilities by combining malware collectors, malware analysis systems, malware behavior clustering, signature generation and distribution and malware/misuse detection system into an integrated process chain. The quality and timeliness of the results delivered by theEWS are influenced by the number and location of participating partners that share information on security incidents. In order to enable such a cooperation and an effective deployment of the EWS, interests and confidentiality requirements of the parties involved need to be carefully examined. We discuss technical details of the EWS components, evaluate alternatives and examine the interests of all parties involved in the anticipated deployment scenario

A Technique for Classifying and Retrieving of Malware Detials in Signtures Based

Signature based is one of the common techniques that are used to detect malware attack. The problem of the signature based is about the management of large  database that has a new signature, in this paper we will create a new method to classify and  fast retrieve malware of  database, the size of database increase database is dependent on  the number of signatures that are based on malware file , to solve classify database by using the concept of room based, we use this concept “room based” to manage the database. Each room based that has content Prohibition privileges of signature based on malware files, or pattern of collections of  signature based of malware files

Detecting malware with information complexity

Malware concealment is the predominant strategy for malware propagation. Black hats create variants of malware based on polymorphism and metamorphism. Malware variants, by definition, share some information. Although the concealment strategy alters this information, there are still patterns on the software. Given a zoo of labelled malware and benign-ware, we ask whether a suspect program is more similar to our malware or to our benign-ware. Normalized Compression Distance (NCD) is a generic metric that measures the shared information content of two strings. This measure opens a new front in the malware arms race, one where the countermeasures promise to be more costly for malware writers, who must now obfuscate patterns as strings qua strings, without reference to execution, in their variants. Our approach classifies disk-resident malware with 97.4% accuracy and a false positive rate of 3%. We demonstrate that its accuracy can be improved by combining NCD with the compressibility rates of executables using decision forests, paving the way for future improvements. We demonstrate that malware reported within a narrow time frame of a few days is more homogeneous than malware reported over two years, but that our method still classifies the latter with 95.2% accuracy and a 5% false positive rate. Due to its use of compression, the time and computation cost of our method is nontrivial. We show that simple approximation techniques can improve its running time by up to 63%. We compare our results to the results of applying the 59 anti-malware programs used on the VirusTotal website to our malware. Our approach outperforms each one used alone and matches that of all of them used collectively

Evolving decision trees for the categorization of software

Current manual techniques of static reverse engineering are inefficient at providing semantic program understanding. An automated method to categorize applications was developed in order to quickly determine pertinent characteristics. Prior work in this area has had some success, but a major strength of the approach detailed in this thesis is that it produces heuristics that can be reused for quick analysis of new data. The method relies on a genetic programming algorithm to evolve decision trees which can be used to categorize software. The terminals, or leaf nodes, within the trees each contain values based on selected features from one of several attributes: system calls, byte N-grams, opcode N-grams, registers, opcode collocation, cyclomatic complexity, and bonding. The evolved decision trees are reusable and achieve average accuracies above 90% when categorizing programs based on compiler origin, authorship, and versions. Developing new decision trees simply requires more labeled datasets and potentially different feature selection algorithms for other attributes, depending on the data being classified. The genetic programming algorithm used to evolve the decision trees was compared against C4.5, a classic decision tree technique.In all experiments, the genetic programming approach outperformed C4.5. This thesis is an extension and expansion of the work published in the Computer Forensics in Software Engineering workshop at COMPSAC 2014 - the Annual 38th IEEE International Conference on Computer Software and Applications. This thesis is also being prepared as a journal article to be submitted for publication. --Abstract, page iii

Behavior Abstraction in Malware Analysis - Extended Version

We present an approach for proactive malware detection by working on an abstract representation of a program behavior. Our technique consists in abstracting program traces, by rewriting given subtraces into abstract symbols representing their functionality. Traces are captured dynamically by code instrumentation in order to handle packed or self-modifying malware. Suspicious behaviors are detected by comparing trace abstractions to reference malicious behaviors. The expressive power of abstraction allows us to handle general suspicious behaviors rather than specific malware code and then, to detect malware mutations. We present and discuss an implementation validating our approach

Machine Learning and other Computational-Intelligence Techniques for Security Applications

L'abstract è presente nell'allegato / the abstract is in the attachmen

The Effect of Code Obfuscation on Authorship Attribution of Binary Computer Files

In many forensic investigations, questions linger regarding the identity of the authors of the software specimen. Research has identified methods for the attribution of binary files that have not been obfuscated, but a significant percentage of malicious software has been obfuscated in an effort to hide both the details of its origin and its true intent. Little research has been done around analyzing obfuscated code for attribution. In part, the reason for this gap in the research is that deobfuscation of an unknown program is a challenging task. Further, the additional transformation of the executable file introduced by the obfuscator modifies or removes features from the original executable that would have been used in the author attribution process. Existing research has demonstrated good success in attributing the authorship of an executable file of unknown provenance using methods based on static analysis of the specimen file. With the addition of file obfuscation, static analysis of files becomes difficult, time consuming, and in some cases, may lead to inaccurate findings. This paper presents a novel process for authorship attribution using dynamic analysis methods. A software emulated system was fully instrumented to become a test harness for a specimen of unknown provenance, allowing for supervised control, monitoring, and trace data collection during execution. This trace data was used as input into a supervised machine learning algorithm trained to identify stylometric differences in the specimen under test and provide predictions on who wrote the specimen. The specimen files were also analyzed for authorship using static analysis methods to compare prediction accuracies with prediction accuracies gathered from this new, dynamic analysis based method. Experiments indicate that this new method can provide better accuracy of author attribution for files of unknown provenance, especially in the case where the specimen file has been obfuscated