User-Behavior Based Detection of Infection Onset

A major vector of computer infection is through exploiting software or design flaws in networked applications such as the browser. Malicious code can be fetched and executed on a victim’s machine without the user’s permission, as in drive-by download (DBD) attacks. In this paper, we describe a new tool called DeWare for detecting the onset of infection delivered through vulnerable applications. DeWare explores and enforces causal relationships between computer-related human behaviors and system properties, such as file-system access and process execution. Our tool can be used to provide real time protection of a personal computer, as well as for diagnosing and evaluating untrusted websites for forensic purposes. Besides the concrete DBD detection solution, we also formally define causal relationships between user actions and system events on a host. Identifying and enforcing correct causal relationships have important applications in realizing advanced and secure operating systems. We perform extensive experimental evaluation, including a user study with 21 participants, thousands of legitimate websites (for testing false alarms), as well as 84 malicious websites in the wild. Our results show that DeWare is able to correctly distinguish legitimate download events from unauthorized system events with a low false positive rate (< 1%)

Leveraging Artificial Intelligence and Machine Learning for Enhanced Cybersecurity: A Proposal to Defeat Malware

Cybersecurity is very crucial in the digital age in order to safeguard the availability, confidentiality, and integrity of data and systems. Mitigation techniques used in the industry include Multi-factor Authentication (MFA), Incident Response Planning (IRP), Security Information and Event Management (SIEM), and Signature-based and Heuristic Detection. MFA is employed as an additional layer of protection in several sectors to help prevent unauthorized access to sensitive data. IRP is a plan in place to address cybersecurity problems efficiently and expeditiously. SIEM offers real-time analysis and alerts the system of threats and vulnerabilities. Heuristic-based detection relies on detecting anomalies when it comes to the behavior of files and domains, whereas signature-based detection uses predefined malware codes and known signatures to help identify malware. Artificial intelligence along with machine learning could enhance cyber detection and response by utilizing a vast amount of data and algorithms to help identify trends, make predictions, and take actions without human supervision. This paper discusses how this proposal can be accomplished and could help defeat malware

Intelligent zero-day intrusion detection framework for internet of things

Zero-day intrusion detection system faces serious challenges as hundreds of thousands of new instances of malware are being created every day to cause harm or damage to the computer system. Cyber-attacks are becoming more sophisticated, leading to challenges in intrusion detection. There are many Intrusion Detection Systems (IDSs), which are proposed to identify abnormal activities, but most of these IDSs produce a large number of false positives and low detection accuracy. Hence, a significant quantity of false positives could generate a high-level of alerts in a short period of time as the normal activities are classified as intrusion activities. This thesis proposes a novel framework of hybrid intrusion detection system that integrates the Signature Intrusion Detection System (SIDS) with the Anomaly Intrusion Detection System (AIDS) to detect zero-day attacks with high accuracy. SIDS has been used to identify previously known intrusions, and AIDS has been applied to detect unknown zero-day intrusions. The goal of this research is to combine the strengths of each technique toward the development of a hybrid framework for the efficient intrusion detection system. A number of performance measures including accuracy, F-measure and area under ROC curve have been used to evaluate the efficacy of our proposed models and to compare and contrast with existing approaches. Extensive simulation results conducted in this thesis show that the proposed framework is capable of yielding excellent detection performance when tested with a number of widely used benchmark datasets in the intrusion detection system domain. Experiments show that the proposed hybrid IDS provides higher detection rate and lower false-positive rate in detecting intrusions as compared to the SIDS and AIDS techniques individually.Doctor of Philosoph

Learning Fast and Slow: PROPEDEUTICA for Real-time Malware Detection

In this paper, we introduce and evaluate PROPEDEUTICA, a novel methodology and framework for efficient and effective real-time malware detection, leveraging the best of conventional machine learning (ML) and deep learning (DL) algorithms. In PROPEDEUTICA, all software processes in the system start execution subjected to a conventional ML detector for fast classification. If a piece of software receives a borderline classification, it is subjected to further analysis via more performance expensive and more accurate DL methods, via our newly proposed DL algorithm DEEPMALWARE. Further, we introduce delays to the execution of software subjected to deep learning analysis as a way to "buy time" for DL analysis and to rate-limit the impact of possible malware in the system. We evaluated PROPEDEUTICA with a set of 9,115 malware samples and 877 commonly used benign software samples from various categories for the Windows OS. Our results show that the false positive rate for conventional ML methods can reach 20%, and for modern DL methods it is usually below 6%. However, the classification time for DL can be 100X longer than conventional ML methods. PROPEDEUTICA improved the detection F1-score from 77.54% (conventional ML method) to 90.25%, and reduced the detection time by 54.86%. Further, the percentage of software subjected to DL analysis was approximately 40% on average. Further, the application of delays in software subjected to ML reduced the detection time by approximately 10%. Finally, we found and discussed a discrepancy between the detection accuracy offline (analysis after all traces are collected) and on-the-fly (analysis in tandem with trace collection). Our insights show that conventional ML and modern DL-based malware detectors in isolation cannot meet the needs of efficient and effective malware detection: high accuracy, low false positive rate, and short classification time.Comment: 17 pages, 7 figure

RanAware, analysis and detection of ransomware on Windows systems

These past years the use of the computers increased significantly with the introduction of the home office policy caused by the pandemic. This grow has been accompanied by malware attacks and ransomware in particular. Therefore, it is mandatory to have a system able to protect, to prevent and to reduce the impact that this type of malware has in an organization. RanAware is a tool that performs an early ransomware detection based on recording file system operations. This information allows RanAware to monitor activity on the file system, collect and process statistics used to determine the presence of a ransomware in the system. After detection, RanAware handles the termination and isolation of the malicious program as well as the creation of an activity report of the ransomware operations. In addition, this project performs an evaluation of the impact that RanAware has in a system

Security-centric ranking algorithm and two privacy scores to mitigate intrusive apps

Smartphone users are constantly facing the risks of losing their private information to third-party mobile applications. Studies have revealed that the vast majority of users either do not pay attention to privacy or unable to comprehend privacy messages. Developers though have exploited this fact by asking users to grant their apps an enormous number of permissions. In this article, we propose and evaluate a new security-centric ranking algorithm built on top of the Elasticsearch engine to help users evade such apps. The algorithm calculates an intrusiveness score for an app based on its requested permissions, received system actions, and users' privacy preferences. As such, we further propose a new approach to capture these preferences. We evaluate the ranking algorithm using a million Android applications, contextual data and APK files, that we collect from the Google Play store. The results show that the scoring and reranking steps add minor overhead. Moreover, participants of the user studies gave positive feedback for the ranking algorithm and the privacy preferences solicitation approach. These results suggest that our proposed system would definitely protect the privacy of mobile users and pushes developers into requesting least amount of privileges. Still, there are many risks that endanger the users' privacy

A Study of Rootkit Stealth Techniques and Associated Detection Methods

In today\u27s world of advanced computing power at the fingertips of any user, we must constantly think of computer security. Information is power and this power is had within our computer systems. If we cannot trust the information within our computer systems then we cannot properly wield the power that comes from such information. Rootkits are software programs that are designed to develop and maintain an environment in which malware may hide on a computer system after successful compromise of that computer system. Rootkits cut at the very foundation of the trust that we put in our information and subsequent power. This thesis seeks to understand rootkit hiding techniques, rootkit finding techniques and develops attack trees and defense trees in order to help us identify deficiencies in detection to further increase the trust in our information systems

A Survey on Malware Analysis Techniques: Static, Dynamic, Hybrid and Memory Analysis

Now a day the threat of malware is increasing rapidly. A software that sneaks to your computer system without your knowledge with a harmful intent to disrupt your computer operations. Due to the vast number of malware, it is impossible to handle malware by human engineers. Therefore, security researchers are taking great efforts to develop accurate and effective techniques to detect malware. This paper presents a semantic and detailed survey of methods used for malware detection like signature-based and heuristic-based. The Signature-based technique is largely used today by anti-virus software to detect malware, is fast and capable to detect known malware. However, it is not effective in detecting zero-day malware and it is easily defeated by malware that use obfuscation techniques. Likewise, a considerable false positive rate and high amount of scanning time are the main limitations of heuristic-based techniques. Alternatively, memory analysis is a promising technique that gives a comprehensive view of malware and it is expected to become more popular in malware analysis. The main contributions of this paper are: (1) providing an overview of malware types and malware detection approaches, (2) discussing the current malware analysis techniques, their findings and limitations, (3) studying the malware obfuscation, attacking and anti-analysis techniques, and (4) exploring the structure of memory-based analysis in malware detection. The detection approaches have been compared with each other according to their techniques, selected features, accuracy rates, and their advantages and disadvantages. This paper aims to help the researchers to have a general view of malware detection field and to discuss the importance of memory-based analysis in malware detection