65 research outputs found

    The Most Dangerous Cyber Security Threat Ransomware Prevention

    Ransomware is a type of malware that can be covertly installed on a computer without the knowledge or intention of the user, that restricts access to the infected computer system in some way,[1] and that demands that the user pay a ransom to the malware operators to remove the restriction. The cryptovirology form of the attack has ransomware systematically encrypt files on the system's hard drive, which become difficult or impossible to decrypt without paying the ransom for the decryption key. Other attacks may simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a Trojan, whose payload is disguised as a seemingly legitimate file. This research will protect the system from this dangerous attack by making the operating system very strong

    The Automation of the Extraction of Evidence masked by Steganographic Techniques in WAV and MP3 Audio Files

    Anti-forensics techniques, and particularly steganography and cryptography, have become increasingly pressing issues that affect current digital forensics practice. Both techniques are widely researched and developed, as they are considered to be at the heart of the modern digital era, but they remain double-edged swords standing between the privacy conscious and the criminally malicious, depending on the severity of the methods deployed. This paper advances the automation of hidden evidence extraction in the context of audio files, enabling the correlation between unprocessed evidence artefacts and extreme steganographic and cryptographic techniques using the Least Significant Bits (LSB) extraction method. The research generates an in-depth review of current digital forensic toolkits and systems and formally addresses their capabilities in handling steganography-related cases. We opted for an experimental research methodology in the form of a quantitative analysis of the efficiency of detecting and extracting hidden artefacts in WAV and MP3 audio files by comparing standard industry software. This work establishes an environment for the practical implementation and testing of the proposed approach and the new toolkit for extracting evidence hidden by cryptographic and steganographic techniques during forensics investigations. The proposed multi-approach automation demonstrated a huge positive impact in terms of efficiency and accuracy, notably on large audio files (MP3 and WAV), for which forensics analysis is time-consuming and requires significant computational resources and memory. However, the proposed automation may occasionally produce false positives (detecting steganography where none exists) or false negatives (failing to detect steganography that is present), but overall it achieves a balance between detecting hidden data accurately and minimising false alarms. Comment: Wires Forensics Sciences Under Revie

    Mal-Netminer: Malware Classification Approach based on Social Network Analysis of System Call Graph

    As the security landscape evolves over time, where thousands of species of malicious codes are seen every day, antivirus vendors strive to detect and classify malware families for efficient and effective responses against malware campaigns. To enrich this effort, and by capitalizing on ideas from the social network analysis domain, we build a tool that can help classify malware families using features driven from the graph structure of their system calls. To achieve that, we first construct a system call graph that consists of system calls found in the execution of the individual malware families. To explore distinguishing features of various malware species, we study social network properties as applied to the call graph, including the degree distribution, degree centrality, average distance, clustering coefficient, network density, and component ratio. We utilize features driven from those properties to build a classifier for malware families. Our experimental results show that influence-based graph metrics such as the degree centrality are effective for classifying malware, whereas the general structural metrics of malware are less effective for classifying malware. Our experiments demonstrate that the proposed system performs well in detecting and classifying malware families within each malware class with accuracy greater than 96%. Comment: Mathematical Problems in Engineering, Vol 201

    Crypto-ransomware Detection through Quantitative API-based Behavioral Profiling

    With crypto-ransomware's unprecedented scope of impact and evolving level of sophistication, there is an urgent need to pinpoint the security gap and improve the effectiveness of defenses by identifying new detection approaches. Based on our characterization results on dynamic API behaviors of ransomware, we present a new API profiling-based detection mechanism. Our method involves two operations, namely consistency analysis and refinement. We evaluate it against a set of real-world ransomware and also benign samples. We are able to detect all ransomware executions in consistency analysis and reduce the false positive case in refinement. We also conduct in-depth case studies on the most informative API for detection with context

    Blackberry playbook backup forensic analysis

    Abstract. Due to the numerous complicating factors in the field of small scale digital device forensics, physical acquisition of the storage of such devices is often not possible (at least not without destroying the device). As an alternative, forensic examiners often gather digital evidence from small scale digital devices through logical acquisition. This paper focuses on analyzing the backup file generated for the BlackBerry PlayBook device, using the BlackBerry Desktop Management software to perform the logical acquisition. Our work involved analyzing the generated ".bbb" file looking for traces and artifacts of user activity on the device. Our results identified key files that can assist in creating a profile of the device's usage. Information about BlackBerry smart phone devices connected to the tablet was also recovered

    Differential Area Analysis for Ransomware Attack Detection within Mixed File Datasets

    The threat from ransomware continues to grow both in the number of affected victims as well as the cost incurred by the people and organisations impacted in a successful attack. In the majority of cases, once a victim has been attacked there remain only two courses of action open to them; either pay the ransom or lose their data. One common behaviour shared between all crypto ransomware strains is that at some point during their execution they will attempt to encrypt the users' files. This paper demonstrates a technique that can identify when these encrypted files are being generated and is independent of the strain of the ransomware. An enhanced mixed file ransomware data set of more than 130,000 files was developed based on the govdocs corpus. This data set was enriched to contain examples of files that reflect the more modern Microsoft file formats, as well as examples of high entropy file formats such as compressed files and archives. The data set also contained eight different sets of files that were generated as the result of different real-world high profile ransomware attacks such as WannaCry, Ryuk, Phobos, Sodinokibi and NetWalker. Previous research has highlighted the difficulty in differentiating between compressed and encrypted files using Shannon entropy as both file types exhibit similar values. One of the experiments described in this paper shows a unique characteristic for the Shannon entropy of encrypted file header fragments. This characteristic was used to differentiate between encrypted files and other high entropy files such as archives. This discovery was leveraged in the development of a file classification model that used the differential area between the entropy curve of a file under analysis and one generated from random data. When comparing the entropy plot values of a file under analysis against one generated by a file containing purely random numbers, the greater the correlation of the plots is, the higher the confidence that the file under analysis contains encrypted data. The experiments demonstrate a high degree of confidence in the accuracy of the model achieving a success rate of more than 99.96% when examining only the first 192 bytes of a file, using a mixed data set of more than 80,000 files. This technique successfully addresses the problem of using file entropy to differentiate compressed and archived files from files encrypted by ransomware in a timely manner

    A Novel Hybrid Method for Effective Identification and Extraction of Digital Evidence Masked by Steganographic Techniques in WAV and MP3 Files

    Anti-forensics techniques, particularly steganography and cryptography, have become increasingly pressing issues affecting current digital forensics practices. This paper advances the automation of hidden evidence extraction in audio files by proposing a novel multi-approach method. This method facilitates the correlation between unprocessed artefacts, indexed and live forensics analysis, and traditional steganographic and cryptographic detection techniques. In this work, we opted for experimental research methodology in the form of a quantitative analysis of the efficiency of the proposed automation in detecting and extracting hidden artefacts in WAV and MP3 audio files. This comparison is made against standard industry systems. This work advances the current automation in extracting evidence hidden by cryptographic and steganographic techniques during forensic investigations. The proposed multi-approach demonstrates a clear enhancement in terms of coverage and accuracy, notably on large audio files (MP3 and WAV), where manual forensic analysis is complex, time-consuming and requires significant expertise. Nonetheless, the proposed multi-approach automation may occasionally produce false positives (detecting steganography where none exists) or false negatives (failing to detect steganography that is present). However, it strikes a good balance between efficiently and effectively detecting hidden evidence, minimising false negatives and validating its reliability

    Speeding Up OMD Instantiations in Hardware

    Particular instantiations of the Offset Merkle Damgaard authenticated encryption scheme (OMD) represent highly secure alternatives to AES-GCM. It is already a fact that OMD can be efficiently implemented in software. Given this, in our paper we focus on speeding up OMD in hardware, more precisely on FPGA platforms. Thus, we propose a new OMD instantiation based on the compression function of BLAKE2b. Moreover, to the best of our knowledge, we present the first FPGA implementation results for the SHA-512 instantiation of OMD as well as the first architecture of an online authenticated encryption system based on OMD