90 research outputs found
Hunting for new threats in a feed of malicious samples
Nowadays, security companies collect massive amounts of malware and other possibly benign files.
Finding interesting threats among many millions of collected files is a very challenging task. One of the
most popular security platforms, VirusTotal (VT), allows querying for reports of files that users have
submitted. VT offers the VT File Feed (i.e., a stream of reports). In this project we deep dive into the
VT File Feed: we analyze 328.3M reports scanned by VirusTotal during one year, which belong to 235.7M
samples, and we observe that 209.6M samples were new (89%). We use the one-year reports to characterize the
VirusTotal Feed, and we compare it with the telemetry of a large antivirus vendor. With both datasets
we want to answer the following questions: How diverse is the feed? What is the filetype distribution over
a year? Which of the two platforms detects malicious files earlier? Could we detect malicious files detected
by VirusTotal but not by the large security vendor's telemetry? What is the malware distribution over
one year?
Then, we evaluate three clustering approaches over Windows and APK ground-truth datasets: Hierarchical
DBSCAN (HDBSCAN); HAC-T, an improved Hierarchical Agglomerative Clustering (HAC) over
TLSH that reduces complexity from O(n²) to O(n log n); and Feature Value Grouping (FVG). We conclude
that only HAC-T and FVG produce high-precision clusterings. Our results show that FVG is
the only approach that scales to the full one-year VT File Feed dataset.
Then, we develop a novel threat hunting approach to identify malicious samples that were supposedly
benign, i.e., have zero detections by AV engines. When applied to the 235M samples in the VT feed, our
approach identifies 190K possibly not-so-benign samples that belong to 29K malicious clusters, i.e., clusters in which most
samples are malicious.
Master's Degree in Cybersecurity (M179
Cybercrime Bitcoin Revenue Estimations: Quantifying the Impact of Methodology and Coverage
Multiple works have leveraged the public Bitcoin ledger to estimate the
revenue cybercriminals obtain from their victims. Estimations focusing on the
same target often do not agree, due to the use of different methodologies, seed
addresses, and time periods. These factors make it challenging to understand
the impact of their methodological differences. Furthermore, they underestimate
the revenue due to the (lack of) coverage of the target's payment addresses,
but how large this impact is remains unknown.
In this work, we perform the first systematic analysis on the estimation of
cybercrime bitcoin revenue. We implement a tool that can replicate the
different estimation methodologies. Using our tool we can quantify, in a
controlled setting, the impact of the different methodology steps. In contrast
to what is widely believed, we show that the revenue is not always
underestimated. There exist methodologies that can introduce huge
overestimation. We collect 30,424 payment addresses and use them to compare the
financial impact of 6 cybercrimes (ransomware, clippers, sextortion, Ponzi
schemes, giveaway scams, exchange scams) and of 141 cybercriminal groups. We
observe that the popular multi-input clustering fails to discover addresses for
40% of groups. We quantify, for the first time, the impact of the (lack of)
coverage on the estimation. For this, we propose two techniques to achieve high
coverage, possibly nearly complete, on the DeadBolt server ransomware. Our
expanded coverage enables estimating DeadBolt's revenue at $2.47M, 39 times
higher than the estimation using two popular Internet scan engines.
Analysis of privilege escalation procedures based on the MITRE ATT&CK framework
This document aims to show and analyze the various existing techniques that have been used in real
attacks to escalate privileges on a machine. Based on the MITRE ATT&CK framework, a study has
been carried out to audit the Windows and Linux operating systems against a Blue Team.
We have proposed to develop a tool that discovers and notifies the weak points of a system for
escalating privileges. We will study how the Windows and Linux systems work and, with this, we will
cover the main weaknesses that these systems have, to later notify them in case they are not properly
configured.
Bachelor's Degree in Computer Engineering
The effect of electrical neurostimulation on collateral perfusion during acute coronary occlusion
Abstract
Background: Electrical neurostimulation can be used to treat patients with refractory angina; it reduces angina and ischemia. Previous data have suggested that electrical neurostimulation may alleviate myocardial ischaemia through increased collateral perfusion. We investigated the effect of electrical neurostimulation on functional collateral perfusion, assessed by distal coronary pressure measurement during acute coronary occlusion. We sought to study the effect of electrical neurostimulation on collateral perfusion.
Methods: Sixty patients with stable angina and significant coronary artery disease planned for elective percutaneous coronary intervention were split into two groups. In all patients two balloon inflations of 60 seconds were performed, the first for balloon dilatation of the lesion (first episode), the second for stent delivery (second episode). The Pw/Pa ratio (wedge pressure/aortic pressure) was measured during both ischaemic episodes. Group 1 received 5 minutes of active neurostimulation before plus 1 minute during the first episode; group 2 received 5 minutes of active neurostimulation before plus 1 minute during the second episode.
Results: In group 1 the Pw/Pa ratio decreased by 10 ± 22% from 0.20 ± 0.09 to 0.19 ± 0.09 (p = 0.004) when electrical neurostimulation was deactivated. In group 2 the Pw/Pa ratio increased by 9 ± 15% from 0.22 ± 0.09 to 0.24 ± 0.10 (p = 0.001) when electrical neurostimulation was activated.
Conclusion: Electrical neurostimulation induces a significant improvement in the Pw/Pa ratio during acute coronary occlusion.
Transthoracic coronary flow reserve and dobutamine derived myocardial function: a 6-month evaluation after successful coronary angioplasty
After percutaneous transluminal coronary angioplasty (PTCA), stress-echocardiography and gated single photon emission computerized tomography (g-SPECT) are usually performed, but both tools have technical limitations. The present study evaluated results of PTCA of the left anterior descending artery (LAD) six months after PTCA, by combining transthoracic Doppler coronary flow reserve (CFR) and color Tissue Doppler (C-TD) dobutamine stress. Six months after PTCA of LAD, 24 men, free of angiographic evidence of restenosis, underwent standard Doppler-echocardiography, transthoracic CFR of distal LAD (hyperemic to basal diastolic coronary flow ratio) and C-TD at rest and during dobutamine stress to quantify myocardial systolic (S(m)) and diastolic (E(m) and A(m), E(m)/A(m) ratio) peak velocities in the middle posterior septum. Patients with myocardial infarction, coronary stenosis of non-LAD territory and heart failure were excluded. According to dipyridamole g-SPECT, 13 patients had normal perfusion and 11 had perfusion defects. The 2 groups were comparable for age, wall motion score index (WMSI) and C-TD at rest. However, patients with perfusion defects had lower CFR (2.11 ± 0.4 versus 2.87 ± 0.6, p < 0.002) and septal S(m) at high-dose dobutamine (p < 0.01), with higher WMSI (p < 0.05) and stress-echo positivity of LAD territory in 5/11 patients. In the overall population, CFR was related negatively to high-dobutamine WMSI (r = -0.50, p < 0.01) and positively to high-dobutamine S(m) of the middle septum (r = 0.55, p < 0.005). In conclusion, even in the absence of epicardial coronary restenosis, stress perfusion imaging reflects a physiologic impairment in coronary microcirculation function whose magnitude is associated with the degree of regional functional impairment detectable by C-TD.
Plasma Chemokine Levels Are Associated with the Presence and Extent of Angiographic Coronary Collaterals in Chronic Ischemic Heart Disease
In patients with chronic ischemic heart disease (IHD), the presence and extent of spontaneously visible coronary collaterals are powerful determinants of clinical outcome. There is marked heterogeneity in the recruitment of coronary collaterals amongst patients with similar degrees of coronary artery stenoses, but the biological basis of this heterogeneity is not known. Chemokines are potent mediators of vascular remodeling in diverse biological settings. Their role in coronary collateralization has not been investigated. We sought to determine whether plasma levels of angiogenic and angiostatic chemokines are associated with the presence and extent of coronary collaterals in patients with chronic IHD. We measured plasma concentrations of angiogenic and angiostatic chemokine ligands in 156 consecutive subjects undergoing coronary angiography with at least one ≥90% coronary stenosis and determined the presence and extent of spontaneously visible coronary collaterals using the Rentrop scoring system. Eighty-eight subjects (56%) had evidence of coronary collaterals. In a multivariable regression model, the concentration of the angiogenic ligands CXCL5, CXCL8 and CXCL12, hyperlipidemia, and an occluded artery were associated with the presence of collaterals; conversely, the concentration of the angiostatic ligand CXCL11, interferon-γ, hypertension and diabetes were associated with the absence of collaterals (ROC area 0.91). When analyzed according to extent of collateralization, higher Rentrop scores were significantly associated with increased concentration of the angiogenic ligand CXCL1 (p < 0.0001), and decreased concentrations of the angiostatic ligands CXCL9 (p < 0.0001), CXCL10 (p = 0.002), and CXCL11 (p = 0.0002), and interferon-γ (p = 0.0004). Plasma chemokine concentrations are associated with the presence and extent of spontaneously visible coronary artery collaterals and may be mechanistically involved in their recruitment.
Organisation and housing: design of a structural advice model to support advice on the housing of office organisations