The Most Dangerous Cyber Security Threat Ransomware Prevention
Ransomware is a type of malware that can be covertly installed on a computer without the user's knowledge or consent, that restricts access to the infected computer system in some way,[1] and that demands that the user pay a ransom to the malware operators to remove the restriction. The cryptovirology form of the attack has the ransomware systematically encrypt files on the system's hard drive, which become difficult or impossible to decrypt without paying the ransom for the decryption key. Other attacks may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a Trojan, whose payload is disguised as a seemingly legitimate file. This research will protect the system from this dangerous attack by making the operating system very strong.
The Automation of the Extraction of Evidence masked by Steganographic Techniques in WAV and MP3 Audio Files
Anti-forensics techniques, particularly steganography and cryptography, have become increasingly pressing issues that affect current digital forensics practice. Both techniques are widely researched and developed, as they are considered to be at the heart of the modern digital era, but they remain double-edged swords standing between the privacy-conscious and the criminally malicious, depending on the severity of the methods deployed. This paper advances the automation of hidden evidence extraction in the context of audio files, enabling the correlation between unprocessed evidence artefacts and extreme steganographic and cryptographic techniques using the Least Significant Bits (LSB) extraction method. The research generates an in-depth review of current digital forensic toolkits and systems and formally addresses their capabilities in handling steganography-related cases. We opted for an experimental research methodology in the form of a quantitative analysis of the efficiency of detecting and extracting hidden artefacts in WAV and MP3 audio files by comparing standard industry software. This work establishes an environment for the practical implementation and testing of the proposed approach and of the new toolkit for extracting evidence hidden by cryptographic and steganographic techniques during forensic investigations. The proposed multi-approach automation demonstrated a huge positive impact in terms of efficiency and accuracy, notably on large audio files (MP3 and WAV), for which forensic analysis is time-consuming and requires significant computational resources and memory. However, the proposed automation may occasionally produce false positives (detecting steganography where none exists) or false negatives (failing to detect steganography that is present), but overall it achieves a balance between detecting hidden data accurately and minimising false alarms.
Comment: Wires Forensics Sciences, under review
Mal-Netminer: Malware Classification Approach based on Social Network Analysis of System Call Graph
As the security landscape evolves over time, with thousands of species of malicious code seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort, and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features derived from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of the system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We utilize features derived from those properties to build a classifier for malware families. Our experimental results show that influence-based graph metrics such as degree centrality are effective for classifying malware, whereas general structural metrics are less effective. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class, with accuracy greater than 96%.
Comment: Mathematical Problems in Engineering, Vol 201
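The abstract names the graph construction (consecutive system calls become edges) and the social-network metrics used as features, but shows none of it. The following is an added example, not the Mal-Netminer code: it builds a directed call graph from two constructed syscall traces (the `family_a` / `family_b` traces and the Nt* call names are made up for illustration), computes degree centrality, clustering coefficient, average distance, density and component ratio with the standard definitions, and assigns a new trace to the nearest family by Euclidean distance over those features. The paper's own classifier and its per-family graphs are not reproduced here.

```python
"""Social-network-style features of a system-call graph (added example, not the paper's code)."""
from collections import deque
from itertools import combinations
import math

# Constructed sample traces (not from the paper): the ordered system calls
# observed while running one sample of each family.
TRACES = {
    "family_a": ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"] * 2,
    "family_b": ["NtOpenFile", "NtQueryInformationFile", "NtClose",
                 "NtOpenFile", "NtReadFile", "NtClose"],
}


def build_call_graph(trace):
    """Directed call graph: an edge a->b for each pair of consecutive calls (self-loops dropped)."""
    edges = {(a, b) for a, b in zip(trace, trace[1:]) if a != b}
    return set(trace), edges


def undirected_adjacency(nodes, edges):
    adj = {n: set() for n in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def degree_centrality(adj):
    """Degree of each node normalised by the maximum possible degree n-1."""
    n = len(adj)
    return {v: (len(nb) / (n - 1) if n > 1 else 0.0) for v, nb in adj.items()}


def clustering_coefficient(adj):
    """Average local clustering: fraction of each node's neighbour pairs that are linked."""
    total = 0.0
    for nb in adj.values():
        k = len(nb)
        if k >= 2:
            links = sum(1 for x, y in combinations(nb, 2) if y in adj[x])
            total += links / (k * (k - 1) / 2)
    return total / len(adj) if adj else 0.0


def bfs_distances(adj, src):
    dist, queue = {src: 0}, deque([src])
    while queue:
        v = queue.popleft()
        for w in adj[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    return dist


def average_distance(adj):
    """Mean shortest-path length over ordered pairs of mutually reachable nodes."""
    total = pairs = 0
    for v in adj:
        for w, d in bfs_distances(adj, v).items():
            if w != v:
                total += d
                pairs += 1
    return total / pairs if pairs else 0.0


def component_ratio(adj):
    """Number of connected components divided by the number of nodes."""
    seen, components = set(), 0
    for v in adj:
        if v not in seen:
            components += 1
            seen.update(bfs_distances(adj, v))
    return components / len(adj) if adj else 0.0


def graph_features(trace):
    nodes, edges = build_call_graph(trace)
    adj = undirected_adjacency(nodes, edges)
    dc = degree_centrality(adj)
    n = len(nodes)
    return {
        "density": len(edges) / (n * (n - 1)) if n > 1 else 0.0,  # directed density
        "mean_degree_centrality": sum(dc.values()) / n,
        "max_degree_centrality": max(dc.values()),
        "clustering": clustering_coefficient(adj),
        "avg_distance": average_distance(adj),
        "component_ratio": component_ratio(adj),
    }


def nearest_family(trace, reference):
    """Assign a trace to the family whose feature vector is closest (Euclidean distance)."""
    f = graph_features(trace)
    return min(reference, key=lambda fam: math.sqrt(
        sum((f[k] - reference[fam][k]) ** 2 for k in f)))


REFERENCE = {fam: graph_features(t) for fam, t in TRACES.items()}

if __name__ == "__main__":
    for fam, feats in REFERENCE.items():
        print(fam, {k: round(v, 3) for k, v in feats.items()})
    print(nearest_family(["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"] * 3, REFERENCE))
```

With real traces the graphs have hundreds of nodes and the reference set would hold many samples per family; a proper classifier (the paper's is not reproduced here) would be trained on the feature vectors rather than using a single nearest reference.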
Crypto-ransomware Detection through Quantitative API-based Behavioral Profiling
With crypto-ransomware's unprecedented scope of impact and evolving level of sophistication, there is an urgent need to pinpoint the security gap and improve the effectiveness of defenses by identifying new detection approaches. Based on our characterization results on the dynamic API behaviors of ransomware, we present a new API profiling-based detection mechanism. Our method involves two operations, namely consistency analysis and refinement. We evaluate it against a set of real-world ransomware and also benign samples. We are able to detect all ransomware executions in consistency analysis and reduce the false positive cases in refinement. We also conduct in-depth case studies on the most informative APIs for detection with context
Blackberry playbook backup forensic analysis
Due to the numerous complicating factors in the field of small-scale digital device forensics, physical acquisition of the storage of such devices is often not possible (at least not without destroying the device). As an alternative, forensic examiners often gather digital evidence from small-scale digital devices through logical acquisition. This paper focuses on analyzing the backup file generated for the BlackBerry PlayBook device, using the BlackBerry Desktop Management software to perform the logical acquisition. Our work involved analyzing the generated ".bbb" file looking for traces and artifacts of user activity on the device. Our results identified key files that can assist in creating a profile of the device's usage. Information about BlackBerry smartphone devices connected to the tablet was also recovered.
Differential Area Analysis for Ransomware Attack Detection within Mixed File Datasets
The threat from ransomware continues to grow, both in the number of affected victims and in the cost incurred by the people and organisations impacted by a successful attack. In the majority of cases, once a victim has been attacked, there remain only two courses of action open to them: either pay the ransom or lose their data. One common behaviour shared between all crypto ransomware strains is that at some point during their execution they will attempt to encrypt the users' files. This paper demonstrates a technique that can identify when these encrypted files are being generated and that is independent of the strain of the ransomware. An enhanced mixed file ransomware data set of more than 130,000 files was developed based on the govdocs corpus. This data set was enriched to contain examples of files that reflect the more modern Microsoft file formats, as well as examples of high entropy file formats such as compressed files and archives. The data set also contained eight different sets of files that were generated as the result of different real-world high profile ransomware attacks such as WannaCry, Ryuk, Phobos, Sodinokibi and NetWalker. Previous research has highlighted the difficulty in differentiating between compressed and encrypted files using Shannon entropy, as both file types exhibit similar values. One of the experiments described in this paper shows a unique characteristic of the Shannon entropy of encrypted file header fragments. This characteristic was used to differentiate between encrypted files and other high entropy files such as archives. This discovery was leveraged in the development of a file classification model that used the differential area between the entropy curve of a file under analysis and one generated from random data.
When comparing the entropy plot values of a file under analysis against those of a file containing purely random numbers, the greater the correlation of the plots, the higher the confidence that the file under analysis contains encrypted data. The experiments demonstrate a high degree of confidence in the accuracy of the model, achieving a success rate of more than 99.96% when examining only the first 192 bytes of a file, using a mixed data set of more than 80,000 files. This technique successfully addresses the problem of using file entropy to differentiate compressed and archived files from files encrypted by ransomware in a timely manner.
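The abstract states the idea (whole-file Shannon entropy cannot separate archives from ciphertext, but the entropy curve of the first 192 bytes compared against a random reference can) without showing how the curve or the area is computed. The block below is an added example, not the paper's model or data set. It assumes a specific reading of the abstract: the "entropy curve" is taken to be the running Shannon entropy of the first k header bytes for k = 1..192, the "differential area" is the mean absolute gap between that curve and the mean curve of several uniformly random fragments, and the 0.3 decision threshold is an assumption chosen for the constructed inputs, not the paper's value. The three inputs are constructed inline: word-salad text, a deflated ZIP of that text, and seeded pseudo-random bytes standing in for ransomware ciphertext (no cipher is run; a modern cipher's output is indistinguishable from random bytes for this purpose).

```python
"""Differential-area test: encrypted header fragment vs other high-entropy data (added example)."""
import io
import math
import random
import zipfile
from collections import Counter

HEADER_BYTES = 192  # fragment size for which the paper reports its best result


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_curve(data: bytes, limit: int = HEADER_BYTES):
    """Running entropy H(data[:k]) for k = 1..limit over the header fragment (assumed definition)."""
    head = data[:limit]
    return [shannon_entropy(head[:k]) for k in range(1, len(head) + 1)]


def pseudo_random_bytes(n: int, seed: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def random_reference_curve(limit=HEADER_BYTES, draws=16):
    """Reference curve: mean running entropy of several uniformly random fragments."""
    curves = [entropy_curve(pseudo_random_bytes(limit, 1000 + i), limit) for i in range(draws)]
    return [sum(c[k] for c in curves) / draws for k in range(limit)]


def differential_area(curve, reference):
    """Discrete area between the curves: mean absolute gap per byte position."""
    k = min(len(curve), len(reference))
    return sum(abs(curve[i] - reference[i]) for i in range(k)) / k if k else float("inf")


def looks_encrypted(data: bytes, reference, threshold: float = 0.3) -> bool:
    """A small area means the header curve hugs the random reference, i.e. likely ciphertext.
    The 0.3 threshold is an assumption for this example, not a value from the paper."""
    return differential_area(entropy_curve(data), reference) < threshold


def build_samples():
    """Constructed inputs: plain text, a deflated ZIP of that text, and seeded random
    bytes standing in for ransomware ciphertext (no real cipher is used)."""
    rng = random.Random(42)
    words = ["audit", "backup", "cipher", "domain", "endpoint", "forensic",
             "gateway", "host", "incident", "kernel"]
    text = " ".join(rng.choice(words) for _ in range(1500)).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("doc.txt", date_time=(1980, 1, 1, 0, 0, 0))
        zf.writestr(info, text, compress_type=zipfile.ZIP_DEFLATED)
    return {
        "plain_text": text,
        "zip_archive": buf.getvalue(),
        "ciphertext_like": pseudo_random_bytes(4096, seed=7),
    }


if __name__ == "__main__":
    ref = random_reference_curve()
    for name, blob in build_samples().items():
        area = differential_area(entropy_curve(blob), ref)
        print(f"{name:16s} whole-file H={shannon_entropy(blob):.2f} bits  "
              f"header area={area:.3f}  encrypted={looks_encrypted(blob, ref)}")
```

Running it prints near-8-bit whole-file entropy for both the ZIP and the random bytes (the ambiguity the abstract describes), while the header-fragment area separates them: the ZIP's local file header (magic, version, flags, sizes, name) holds many zero bytes, so its running entropy lags the random reference for the first tens of bytes, whereas the random fragment's curve tracks the reference throughout. Any real deployment would tune the threshold on labelled files, as the paper does with its data set.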
A Novel Hybrid Method for Effective Identification and Extraction of Digital Evidence Masked by Steganographic Techniques in WAV and MP3 Files
Anti-forensics techniques, particularly steganography and cryptography, have become increasingly pressing issues affecting current digital forensics practices. This paper advances the automation of hidden evidence extraction in audio files by proposing a novel multi-approach method. This method facilitates the correlation between unprocessed artefacts, indexed and live forensic analysis, and traditional steganographic and cryptographic detection techniques. In this work, we opted for an experimental research methodology in the form of a quantitative analysis of the efficiency of the proposed automation in detecting and extracting hidden artefacts in WAV and MP3 audio files. This comparison is made against standard industry systems. This work advances the current automation in extracting evidence hidden by cryptographic and steganographic techniques during forensic investigations. The proposed multi-approach demonstrates a clear enhancement in terms of coverage and accuracy, notably on large audio files (MP3 and WAV), where manual forensic analysis is complex, time-consuming and requires significant expertise. Nonetheless, the proposed multi-approach automation may occasionally produce false positives (detecting steganography where none exists) or false negatives (failing to detect steganography that is present). However, it strikes a good balance between efficiently and effectively detecting hidden evidence, minimising false negatives and validating its reliability.
Speeding Up OMD Instantiations in Hardware
Particular instantiations of the Offset Merkle-Damgård authenticated encryption scheme (OMD) represent highly secure alternatives to AES-GCM. OMD can already be efficiently implemented in software. Given this, in our paper we focus on speeding up OMD in hardware, more precisely on FPGA platforms. Thus, we propose a new OMD instantiation based on the compression function of BLAKE2b. Moreover, to the best of our knowledge, we present the first FPGA implementation results for the SHA-512 instantiation of OMD, as well as the first architecture of an online authenticated encryption system based on OMD.