Real-time classification of malicious URLs on Twitter using Machine Activity Data

Massive online social networks with hundreds of millions of active users are increasingly being used by Cyber criminals to spread malicious software (malware) to exploit vulnerabilities on the machines of users for personal gain. Twitter is particularly susceptible to such activity as, with its 140 character limit, it is common for people to include URLs in their tweets to link to more detailed information, evidence, news reports and so on. URLs are often shortened so the endpoint is not obvious before a person clicks the link. Cyber criminals can exploit this to propagate malicious URLs on Twitter, for which the endpoint is a malicious server that performs unwanted actions on the person’s machine. This is known as a drive-by-download. In this paper we develop a machine classification system to distinguish between malicious and benign URLs within seconds of the URL being clicked (i.e. ‘real-time’). We train the classifier using machine activity logs created while interacting with URLs extracted from Twitter data collected during a large global event – the Superbowl – and test it using data from another large sporting event – the Cricket World Cup. The results show that machine activity logs produce precision performances of up to 0.975 on training data from the first event and 0.747 on a test data from a second event. Furthermore, we examine the properties of the learned model to explain the relationship between machine activity and malicious software behaviour, and build a learning curve for the classifier to illustrate that very small samples of training data can be used with only a small detriment to performance

Analysis of intrusion prevention methods

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2004Includes bibliographical references (leaves: 105-108)Text in English; Abstract: Turkish and Englishviii, 108 leavesToday, the pace of the technological development and improvements has compelled the development of new and more complex applications. The obligatory of application development in a short time to rapidly changing requirements causes skipping of some stages, mostly the testing stage, in the software development cycle thus, leads to the production of applications with defects. These defects are, later, discovered by intruders to be used to penetrate into computer systems. Current security technologies, such as firewalls, intrusion detection systems, honeypots, network-based antivirus systems, are insufficient to protect systems against those, continuously increasing and rapid-spreading attacks. Intrusion Prevention System (IPS) is a new technology developed to block today.s application-specific, data-driven attacks that spread in the speed of communication. IPS is the evolved and integrated state of the existing technologies; it is not a new approach to network security. In this thesis, IPS products of various computer security appliance developer companies have been analyzed in details. At the end of these analyses, the requirements of network-based IPSs have been identified and an architecture that fits those requirements has been proposed. Also, a sample network-based IPS has been developed by modifying the open source application Snort

TORKAMELEON. IMPROVING TOR’S CENSORSHIP RESISTANCE WITH K-ANONYMIZATION MEDIA MORPHING COVERT INPUT CHANNELS

Anonymity networks such as Tor and other related tools are powerful means of increas- ing the anonymity and privacy of Internet users’ communications. Tor is currently the most widely used solution by whistleblowers to disclose confidential information and denounce censorship measures, including violations of civil rights, freedom of expres- sion, or guarantees of free access to information. However, recent research studies have shown that Tor is vulnerable to so-called powerful correlation attacks carried out by global adversaries or collaborative Internet censorship parties. In the Tor ”arms race” scenario, we can see that as new censorship, surveillance, and deep correlation tools have been researched, new, improved solutions for preserving anonymity have also emerged. In recent research proposals, unobservable encapsulation of IP packets in covert media channels is one of the most promising defenses against such threat models. They leverage WebRTC-based covert channels as a robust and practical approach against powerful traf- fic correlation analysis. At the same time, these solutions are difficult to combat through the traffic-blocking measures commonly used by censorship authorities. In this dissertation, we propose TorKameleon, a censorship evasion solution de- signed to protect Tor users with increased censorship resistance against powerful traffic correlation attacks executed by global adversaries. The system is based on flexible K- anonymization input circuits that can support TLS tunneling and WebRTC-based covert channels before forwarding users’ original input traffic to the Tor network. Our goal is to protect users from machine and deep learning correlation attacks between incom- ing user traffic and observed traffic at different Tor network relays, such as middle and egress relays. TorKameleon is the first system to implement a Tor pluggable transport based on parameterizable TLS tunneling and WebRTC-based covert channels. We have implemented the TorKameleon prototype and performed extensive validations to ob- serve the correctness and experimental performance of the proposed solution in the Tor environment. With these evaluations, we analyze the necessary tradeoffs between the performance of the standard Tor network and the achieved effectiveness and performance of TorKameleon, capable of preserving the required unobservability properties.Redes de anonimização como o Tor e soluções ou ferramentas semelhantes são meios poderosos de aumentar a anonimidade e a privacidade das comunicações de utilizadores da Internet . O Tor é atualmente a rede de anonimato mais utilizada por delatores para divulgar informações confidenciais e denunciar medidas de censura tais como violações de direitos civis e da liberdade de expressão, ou falhas nas garantias de livre acesso à informação. No entanto, estudos recentes mostram que o Tor é vulnerável a adversários globais ou a entidades que colaboram entre si para garantir a censura online. Neste cenário competitivo e de jogo do “gato e do rato”, é possível verificar que à medida que novas soluções de censura e vigilância são investigadas, novos sistemas melhorados para a preservação de anonimato são também apresentados e refinados. O encapsulamento de pacotes IP em túneis encapsulados em protocolos de media são uma das mais promissoras soluções contra os novos modelos de ataque à anonimidade. Estas soluções alavancam canais encobertos em protocolos de media baseados em WebRTC para resistir a poderosos ataques de correlação de tráfego e a medidas de bloqueios normalmente usadas pelos censores. Nesta dissertação propomos o TorKameleon, uma solução desenhada para protoger os utilizadores da rede Tor contra os mais recentes ataques de correlação feitos por um modelo de adversário global. O sistema é baseado em estratégias de anonimização e reencaminhamento do tráfego do utilizador através de K nós, utilizando também encap- sulamento do tráfego em canais encobertos em túneis TLS ou WebRTC. O nosso objetivo é proteger os utilizadores da rede Tor de ataques de correlação implementados através de modelos de aprendizagem automática feitos entre o tráfego do utilizador que entra na rede Tor e esse mesmo tráfego noutro segmento da rede, como por exemplo nos nós de saída da rede. O TorKameleon é o primeiro sistema a implementar um Tor pluggable transport parametrizável, baseado em túneis TLS ou em canais encobertos em protocolos media. Implementamos um protótipo do sistema e realizamos uma extensa avalição expe- rimental, inserindo a solução no ambiente da rede Tor. Com base nestas avaliações, anali- zamos o tradeoff necessário entre a performance da rede Tor e a eficácia e a performance obtida do TorKameleon, que garante as propriedades de preservação de anonimato

Developing Cyberspace Data Understanding: Using CRISP-DM for Host-based IDS Feature Mining

Current intrusion detection systems generate a large number of specific alerts, but do not provide actionable information. Many times, these alerts must be analyzed by a network defender, a time consuming and tedious task which can occur hours or days after an attack occurs. Improved understanding of the cyberspace domain can lead to great advancements in Cyberspace situational awareness research and development. This thesis applies the Cross Industry Standard Process for Data Mining (CRISP-DM) to develop an understanding about a host system under attack. Data is generated by launching scans and exploits at a machine outfitted with a set of host-based data collectors. Through knowledge discovery, features are identified within the data collected which can be used to enhance host-based intrusion detection. By discovering relationships between the data collected and the events, human understanding of the activity is shown. This method of searching for hidden relationships between sensors greatly enhances understanding of new attacks and vulnerabilities, bolstering our ability to defend the cyberspace domain

Robust health stream processing

2014 Fall.Includes bibliographical references.As the cost of personal health sensors decrease along with improvements in battery life and connectivity, it becomes more feasible to allow patients to leave full-time care environments sooner. Such devices could lead to greater independence for the elderly, as well as for others who would normally require full-time care. It would also allow surgery patients to spend less time in the hospital, both pre- and post-operation, as all data could be gathered via remote sensors in the patients home. While sensor technology is rapidly approaching the point where this is a feasible option, we still lack in processing frameworks which would make such a leap not only feasible but safe. This work focuses on developing a framework which is robust to both failures of processing elements as well as interference from other computations processing health sensor data. We work with 3 disparate data streams and accompanying computations: electroencephalogram (EEG) data gathered for a brain-computer interface (BCI) application, electrocardiogram (ECG) data gathered for arrhythmia detection, and thorax data gathered from monitoring patient sleep status

Detection of encrypted traffic generated by peer-to-peer live streaming applications using deep packet inspection

The number of applications using the peer-to-peer (P2P) networking paradigm and their popularity has substantially grown over the last decade. They evolved from the le-sharing applications to media streaming ones. Nowadays these applications commonly encrypt the communication contents or employ protocol obfuscation techniques. In this dissertation, it was conducted an investigation to identify encrypted traf c ows generated by three of the most popular P2P live streaming applications: TVUPlayer, Livestation and GoalBit. For this work, a test-bed that could simulate a near real scenario was created, and traf c was captured from a great variety of applications. The method proposed resort to Deep Packet Inspection (DPI), so we needed to analyse the payload of the packets in order to nd repeated patterns, that later were used to create a set of SNORT rules that can be used to detect key network packets generated by these applications. The method was evaluated experimentally on the test-bed created for that purpose, being shown that its accuracy is of 97% for GoalBit.A popularidade e o número de aplicações que usam o paradigma de redes par-a-par (P2P) têm crescido substancialmente na última década. Estas aplicações deixaram de serem usadas simplesmente para partilha de ficheiros e são agora usadas também para distribuir conteúdo multimédia. Hoje em dia, estas aplicações têm meios de cifrar o conteúdo da comunicação ou empregar técnicas de ofuscação directamente no protocolo. Nesta dissertação, foi realizada uma investigação para identificar fluxos de tráfego encriptados, que foram gerados por três aplicações populares de distribuição de conteúdo multimédia em redes P2P: TVUPlayer, Livestation e GoalBit. Para este trabalho, foi criada uma plataforma de testes que pretendia simular um cenário quase real, e o tráfego que foi capturado, continha uma grande variedade de aplicações. O método proposto nesta dissertação recorre à técnica de Inspecção Profunda de Pacotes (DPI), e por isso, foi necessário 21nalisar o conteúdo dos pacotes a fim de encontrar padrões que se repetissem, e que iriam mais tarde ser usados para criar um conjunto de regras SNORT para detecção de pacotes chave· na rede, gerados por estas aplicações, afim de se poder correctamente classificar os fluxos de tráfego. Após descobrir que a aplicação Livestation deixou de funcionar com P2P, apenas as duas regras criadas até esse momento foram usadas. Quanto à aplicação TVUPlayer, foram criadas várias regras a partir do tráfego gerado por ela mesma e que tiveram uma boa taxa de precisão. Várias regras foram também criadas para a aplicação GoalBit em que foram usados quatro cenários: com e sem encriptação usando a opção de transmissão tracker, e com e sem encriptação usando a opção de transmissão sem necessidade de tracker (aqui foi usado o protocolo Kademlia). O método foi avaliado experimentalmente na plataforma de testes criada para o efeito, sendo demonstrado que a precisão do conjunto de regras para a aplicação GoallBit é de 97%.Fundação para a Ciência e a Tecnologia (FCT

Artificial Intelligence-based Cybersecurity for Connected and Automated Vehicles

The damaging effects of cyberattacks to an industry like the Cooperative Connected and Automated Mobility (CCAM) can be tremendous. From the least important to the worst ones, one can mention for example the damage in the reputation of vehicle manufacturers, the increased denial of customers to adopt CCAM, the loss of working hours (having direct impact on the European GDP), material damages, increased environmental pollution due e.g., to traffic jams or malicious modifications in sensors’ firmware, and ultimately, the great danger for human lives, either they are drivers, passengers or pedestrians. Connected vehicles will soon become a reality on our roads, bringing along new services and capabilities, but also technical challenges and security threats. To overcome these risks, the CARAMEL project has developed several anti-hacking solutions for the new generation of vehicles. CARAMEL (Artificial Intelligence-based Cybersecurity for Connected and Automated Vehicles), a research project co-funded by the European Union under the Horizon 2020 framework programme, is a project consortium with 15 organizations from 8 European countries together with 3 Korean partners. The project applies a proactive approach based on Artificial Intelligence and Machine Learning techniques to detect and prevent potential cybersecurity threats to autonomous and connected vehicles. This approach has been addressed based on four fundamental pillars, namely: Autonomous Mobility, Connected Mobility, Electromobility, and Remote Control Vehicle. This book presents theory and results from each of these technical directions

Analytics over Encrypted Traffic and Defenses

Encrypted traffic flows have been known to leak information about their underlying content through statistical properties such as packet lengths and timing. While traffic fingerprinting attacks exploit such information leaks and threaten user privacy by disclosing website visits, videos streamed, and user activity on messaging platforms, they can also be helpful in network management and intelligence services. Most recent and best-performing such attacks are based on deep learning models. In this thesis, we identify multiple limitations in the currently available attacks and defenses against them. First, these deep learning models do not provide any insights into their decision-making process. Second, most attacks that have achieved very high accuracies are still limited by unrealistic assumptions that affect their practicality. For example, most attacks assume a closed world setting and focus on traffic classification after event completion. Finally, current state-of-the-art defenses still incur high overheads to provide reasonable privacy, which limits their applicability in real-world applications. In order to address these limitations, we first propose an inline traffic fingerprinting attack based on variable-length sequence modeling to facilitate real-time analytics. Next, we attempt to understand the inner workings of deep learning-based attacks with the dual goals of further improving attacks and designing efficient defenses against such attacks. Then, based on the observations from this analysis, we propose two novel defenses against traffic fingerprinting attacks that provide privacy under more realistic constraints and at lower bandwidth overheads. Finally, we propose a robust framework for open set classification that targets network traffic with this added advantage of being more suitable for deployment in resource-constrained in-network devices

Side-channel timing attack on content privacy of named data networking

Tese de Doutoramento em Engenharia Electrónica e de ComputadoresA diversity of current applications, such as Netflix, YouTube, and social media, have used the Internet mainly as a content distribution network. Named Data Networking (NDN) is a network paradigm that attempts to answer today’s applications need by naming the content. NDN promises an optimized content distribution through a named content-centric design. One of the NDN key features is the use of in-network caching to improve network efficiency in terms of content distribution. However, the cached contents may put the consumer privacy at risk. Since the time response of cached contents is different from un-cached contents, the adversary may distinguish the cached contents (targets) from un-cached ones, through the side-channel timing responses. The scope of attack can be towards the content, the name, or the signature. For instance, the adversary may obtain the call history, the callee or caller location on a trusted Voice over NDN (VoNDN) and the popularity of contents in streaming applications (e.g. NDNtube, NDNlive) through side-channel timing responses of the cache. The side-channel timing attack can be mitigated by manipulating the time of the router responses. The countermeasures proposed by other researches, such as additional delay, random/probabilistic caching, group signatures, and no-caching can effectively be used to mitigate the attack. However, the content distribution may be affected by pre-configured countermeasures which may go against the goal of the original NDN paradigm. In this work, the detection and defense (DaD) approach is proposed to mitigate the attack efficiently and effectively. With the DaD usage, an attack can be detected by a multi-level detection mechanism, in order to apply the countermeasures against the adversarial faces. Also, the detections can be used to determine the severity of the attack. In order to detect the behavior of an adversary, a brute-force timing attack was implemented and simulated with the following applications and testbeds: i. a trusted application that mimics the VoNDN and identifies the cached certificate on a worldwide NDN testbed, and ii. a streaming-like NDNtube application to identify the popularity of videos on the NDN testbed and AT&T company. In simulation primary results showed that the multi-level detection based on DaD mitigated the attack about 39.1% in best-route, and 36.6% in multicast communications. Additionally, the results showed that DaD preserves privacy without compromising the efficiency benefits of in-network caching in NDNtube and VoNDN applications.Várias aplicações atuais, como o Netflix e o YouTube, têm vindo a usar a Internet como uma rede de distribuição de conteúdos. O Named Data Networking (NDN) é um paradigma recente nas redes de comunicações que tenta responder às necessidades das aplicações modernas, através da nomeação dos conteúdos. O NDN promete uma otimização da distribuição dos conteúdos usando uma rede centrada nos conteúdos. Uma das características principais do NDN é o uso da cache disponivel nos nós da rede para melhorar a eficiência desta em termos de distribuição de conteúdos. No entanto, a colocação dos conteúdos em cache pode colocar em risco a privacidade dos consumidores. Uma vez que a resposta temporal de um conteúdo em cache é diferente do de um conteúdo que não está em cache, o adversário pode distinguir os conteúdos que estão em cache dos que não estão em cache, através das respostas de side-channel. O objectivo do ataque pode ser direcionado para o conteúdo, o nome ou a assinatura da mensagem. Por exemplo, o adversário pode obter o histórico de chamadas, a localização do callee ou do caller num serviço seguro de voz sobre NDN (VoNDN) e a popularidade do conteúdos em aplicações de streaming (e.g. NDNtube, NDNlive) através das respostas temporais de side-channel. O side-channel timing attack pode ser mitigado manipulando o tempo das respostas dos routers. As contramedidas propostas por outros pesquisadores, tais como o atraso adicional, o cache aleatório /probabilístico, as assinaturas de grupo e não fazer cache, podem ser efetivamente usadas para mitigar um ataque. No entanto, a distribuição de conteúdos pode ser afetada por contramedidas pré-configuradas que podem ir contra o propósito original do paradigma NDN. Neste trabalho, a abordagem de detecção e defesa (DaD) é proposta para mitigar o ataque de forma eficiente e eficaz. Com o uso do DaD, um ataque pode ser detectado por um mecanismo de detecção multi-nível, a fim de aplicar as contramedidas contra as interfaces dos adversários. Além disso, as detecções podem ser usadas para determinar a gravidade do ataque. A fim de detectar o comportamento de um adversário, um timing attack de força-bruta foi implementado e simulado com as seguintes aplicações e plataformas (testbeds): i. uma aplicação segura que implementa o VoNDN e identifica o certificado em cache numa plataforma NDN mundial; e ii. uma aplicação de streaming do tipo NDNtube para identificar a popularidade de vídeos na plataforma NDN da empresa AT&T. Os resultados da simulação mostraram que a detecção multi-nível oferecida pelo DaD atenuou o ataque cerca de 39,1% em best-route e 36,5% em comunicações multicast. Para avaliar o efeito nos pedidos legítimos, comparou-se o DaD com uma contramedida estática, tendo-se verificado que o DaD foi capaz de preservar todos os pedidos legítimos