6 research outputs found

    Android Permission Classifier: a deep learning algorithmic framework based on protection and threat levels

    Recent works demonstrated that Android is the fastest growing mobile OS with the highest number of users worldwide. Android's popularity is facilitated by factors such as ease of use, open-source code, and lower purchase cost compared to mobile OSs like iOS. The widespread adoption of Android has brought an exponential increase in the complexity and number of malicious applications targeting Android. Malware deploys different attack vectors to exploit Android vulnerabilities and attack the OS. One way to thwart malware attacks on Android is the use of Android security patches, antivirus software, and layered security. However, the fact that the permission request dynamic is different from other attack vectors makes it difficult to identify whether a permission request is malicious or not, especially when constructing permission request profiles for Android users. This challenge is tackled by our research. This article proposes a framework called Android Permission Classifier for the classification of Android malware permission requests based on threat levels. This article is the first to classify Android permissions based on their protection and threat levels. With the framework, out of the 113 permissions extracted, 23 were classified as more dangerous. Our model shows a classification accuracy of 97% and an FPR value of 0.2% with high diversity capacity when compared with the performance of other similar existing metho

    Evaluation of Live Forensic Techniques in Ransomware Attack Mitigation

    Ransomware continues to grow in scale, cost, complexity and impact since its initial discovery nearly 30 years ago. Security practitioners are engaged in a continual "arms race" with the ransomware developers, attempting to defend their digital infrastructure against such attacks. Recent manifestations of ransomware have started to employ a hybrid combination of symmetric and asymmetric encryption to encode users' files. This report describes an investigation to determine if the techniques currently employed in the field of digital forensics could be leveraged to discover the encryption keys used by these types of malicious software. A safe, isolated virtual environment was created and ransomware samples were executed within it. Memory was captured from the infected system and its contents were examined using three different live forensic tools in an attempt to identify the symmetric encryption keys being used by the ransomware. NotPetya, BadRabbit and Phobos ransomware samples were tested during the investigation on two different operating systems. The samples were chosen as they were recent, high-profile attacks generating significant ransom payments and causing serious disruption to many organisations. If keys were discovered, the following two steps were also performed. Firstly, a timeline was manually created to show when the keys were present in memory and how long they remained there. Secondly, an attempt was made to decrypt the files encrypted by the ransomware using the found keys. In all cases the investigation was able to confirm that it was possible to discover the encryption keys used, and these found keys successfully decrypted files that had been encrypted by the ransomware samples. No research was found that conducted cryptographic key examination specifically on ransomware using live forensic techniques; however, research was found that investigated other types of cryptographic programs. The results of this investigation matched similar findings from these related research fields, as the keys used by the cryptographic programs were successfully recovered and used to decrypt the files. The ransomware timelining also highlighted different key management processes used by these ransomware programs, where some tended to leave the key in memory for the whole execution while others practiced more dynamic key managemen

    Military Breaking Boundaries Implementing Third-Party Cloud Computing Practices for Data Storage

    Senior Information Technology (IT) military leadership cannot currently implement, maintain, and administer cloud data storage without the direct support of third-party vendors. This study explicitly impacts cloud practitioners, engineers, and architects requiring the most sophisticated and streamlined ability to safeguard invaluable data using third-party data storage. Grounded in the theory of planned behavior, the purpose of this qualitative single case study was to investigate strategies military leadership uses to implement third-party cloud computing for data storage. The participants (n = 22) consisted of cloud administrators, engineers, and architects within a sizeable midwestern city with a minimum of 3 years of cloud computing knowledge and 5 years of total IT experience. Data collection included semistructured interviews conducted via Skype, face-to-face, and by telephone, as well as internal and external organizational documents (n = 17). Four themes were identified through thematic analysis: work relationships amongst AWS vendors and military technicians, the strength of newly created security practices, all training/learning curves are considered, and continuous safety and improvement. It is recommended that both AWS and military technicians continue to work together, promoting safety and security. The implications for positive social change include the potential for job creation and enhancing the community economically