
    Pattern for malware remediation – A last line of defence tool against Malware in the global communication platform

    Malware is becoming a major problem to every organization that operates on the global communication platform. The malicious software programs are advancing in sophistication in many ways in order to defeat hardened deployed defenses. When an organization's defense fails to keep this malicious invasion out, the organization would incur a significant amount of risks and damages. Risks include data leakage, inability to operate and tarnished corporate image. Damages include compensation costs to customers and partners, service unavailability and loss of customers' and partners' confidence in the organization. This in turn will affect the organization's business continuity. In order to manage the risks and damages induced by Malware incidents, incident responders are called upon to be the last line of defense against the digital onslaught assault. However, incident responders are challenged too by the deep levels of knowledge, skills and experience required to contain the ever advancing and persistent Malware. This paper proposes the establishment of a Pattern template for Malware Remediation to aid incident responders to overcome their competency limitations in order to provide organizations the tool to repel Malware and to reduce the associated risks. Examples and details of the proposed patterns are provided with discussions on the future direction of the research work.

    Applications of Temporal Graph Metrics to Real-World Networks

    Real world networks exhibit rich temporal information: friends are added and removed over time in online social networks; the seasons dictate the predator-prey relationship in food webs; and the propagation of a virus depends on the network of human contacts throughout the day. Recent studies have demonstrated that static network analysis is perhaps unsuitable in the study of real world networks since static paths ignore time order, which, in turn, results in static shortest paths overestimating available links and underestimating their true corresponding lengths. Temporal extensions to centrality and efficiency metrics based on temporal shortest paths have also been proposed. Firstly, we analyse the roles of key individuals of a corporate network ranked according to temporal centrality within the context of a bankruptcy scandal; secondly, we present how such temporal metrics can be used to study the robustness of temporal networks in the presence of random errors and intelligent attacks; thirdly, we study containment schemes for mobile phone malware which can spread via short range radio, similar to biological viruses; finally, we study how the temporal network structure of human interactions can be exploited to effectively immunise human populations. Through these applications we demonstrate that temporal metrics provide a more accurate and effective analysis of real-world networks compared to their static counterparts. Comment: 25 pages.

    Software Engineering Challenges for Investigating Cyber-Physical Incidents

    Cyber-Physical Systems (CPS) are characterized by the interplay between digital and physical spaces. This characteristic has extended the attack surface that could be exploited by an offender to cause harm. An increasing number of cyber-physical incidents may occur depending on the configuration of the physical and digital spaces and their interplay. Traditional investigation processes are not adequate to investigate these incidents, as they may overlook the extended attack surface resulting from such interplay, leading to relevant evidence being missed and to testing flawed hypotheses explaining the incidents. The software engineering research community can contribute to addressing this problem by deploying existing formalisms to model digital and physical spaces, and using analysis techniques to reason about their interplay and evolution. In this paper, supported by a motivating example, we describe some emerging software engineering challenges to support investigations of cyber-physical incidents. We review and critique existing research proposed to address these challenges, and sketch an initial solution based on a meta-model to represent cyber-physical incidents and a representation of the topology of digital and physical spaces that supports reasoning about their interplay.

    NEDAC: A worm countermeasure mechanism

    This article presents an Internet worm countermeasure mechanism that uses DNS activities as a behavioural technique to detect worm propagation. The mechanism also uses a data-link containment solution to block traffic from an infected host. The concept has been demonstrated using a developed prototype and tested in a virtualised network environment. An empirical analysis of network worm propagation has been conducted to test the capabilities of the developed countermeasure mechanism. The results show that the developed mechanism is sensitive in containing Internet worms. Keywords: Worm Detection, Malware, cyber defense.

    SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models

    The dependability community has expressed a growing interest in recent years in the effects of malicious, external, operational faults in computing systems, i.e. intrusions. The term intrusion tolerance has been introduced to emphasize the need to go beyond what classical fault tolerant systems were able to offer. Unfortunately, as opposed to well understood accidental faults, the domain is still lacking sound data sets and models to offer rationales in the design of intrusion tolerant solutions. In this paper, we describe a framework similar in its spirit to so called honeyfarms but built in a way that makes its large-scale deployment easily feasible. Furthermore, it offers a very rich level of interaction with the attackers without suffering from the drawbacks of expensive high interaction systems. The system is described, and a prototype is presented as well as some preliminary results that highlight the feasibility as well as the usefulness of the approach.

    Cybersecurity Games: Mathematical Approaches for Cyber Attack and Defense Modeling

    Cyber-attacks targeting individuals and enterprises have become a predominant part of the computer/information age. Such attacks are becoming more sophisticated and prevalent on a day-to-day basis. The exponential growth of cyber plays and cyber players necessitates the inauguration of new methods and research for better understanding the cyber kill chain, particularly with the rise of advanced and novel malware and the extraordinary growth in the population of Internet residents, especially connected Internet of Things (IoT) devices. Mathematical modeling could be used to represent real-world cyber-attack situations. Such models play a beneficial role when it comes to the secure design and evaluation of systems/infrastructures by providing a better understanding of the threat itself and the attacker's conduct during the lifetime of a cyber attack. Therefore, the main goal of this dissertation is to construct a proper theoretical framework to be able to model and thus evaluate the defensive strategies'/technologies' effectiveness from a security standpoint. To this end, we first present a Markov-based general framework to model the interactions between the two famous players of (network) security games, i.e., a system defender and an attacker taking actions to reach its attack objective(s) in the game. We mainly focus on the most significant and tangible aspects of sophisticated cyber attacks: (1) the amount of time it takes for the adversary to accomplish its mission and (2) the success probabilities of fulfilling the attack objective(s), by translating attacker-defender interactions into well-defined games and providing rigorous cryptographic security guarantees for a system given both players' tactics and strategies. We study various attack-defense scenarios, including Moving Target Defense (MTD) strategies, multi-stage attacks, and Advanced Persistent Threats (APT). We provide general theorems about how the probability of a successful adversary defeating a defender's strategy is related to the amount of time (or any measure of cost) spent by the adversary in such scenarios. We also introduce the notion of learning in cybersecurity games and describe a general game of consequences, meaning that each player's chances of making a progressive move in the game depend on its previous actions. Finally, we walk through a malware propagation and botnet construction game in which we investigate the importance of defense systems' learning rates in fighting against the self-propagating class of malware such as worms and bots. We introduce a new propagation modeling and containment strategy called the learning-based model and study the containment criterion for the propagation of the malware based on theoretical and simulation analysis.