
    Study of Blacklisted Malicious Domains from a Microsoft Windows End-user Perspective: Is It Safe Behind the Wall?

    The Internet is a dangerous place, filled with different cyber threats, including malware. To withstand them, blacklists have long been used to block known infection and delivery sources. However, once a domain name has been blacklisted, the threat behind it tends to become unknown and forgotten. In this paper, we first investigate the current state of the art in cyber threats found on such blacklists. We then study the corresponding malicious actors and show that many of them have appeared persistently since 2006. By shedding light on this part of the cyber threat landscape, we aim to improve the average end-user's perception of it. Our findings also make clear that blacklisting a domain should not be a one-way function: blacklists need to be re-evaluated regularly. Moreover, blacklists are not necessarily enforced by client applications, which, combined with outdated system software, leaves users exposed. For practical evaluation, we created a multi-focused experimental setup employing different MS Windows OS and browser versions. This allowed us to perform a thorough analysis of blacklisted domains from the perspective of the published information, the content retrieved and possible malware distribution campaigns. We believe that this paper serves as a stepping stone for a re-evaluation of once-found and then blacklisted domains from the perspective of the minimal security protection available to a general user, who might not be equipped with a blacklisting mechanism at all.
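The abstract argues that a blocklist is only as good as the client that enforces it, and that entries must be re-evaluated rather than kept forever. As an added example that is not part of the paper, the Python below enforces a constructed domain blocklist the way a client would (normalising case, trailing dots and Unicode labels, and matching parent domains) and flags entries past a re-evaluation age. The blocklist, its first-seen dates and the observed names are constructed, and the assumption that a blocklist entry carries a first-seen date is ours.

```python
"""Blocklist enforcement and re-evaluation helper.

Added illustrative example, not code from the paper. The blocklist, its
first-seen dates and the observed DNS names below are all constructed; the
assumption that a blocklist carries a first-seen date per entry is ours.
"""
from datetime import date

# Constructed blocklist: domain -> date the entry was first listed
BLOCKLIST = {
    "malware-drop.example": date(2006, 3, 14),
    "cdn.phish.example": date(2019, 8, 2),
    "xn--bcher-kva.example": date(2021, 1, 9),   # IDNA form of bücher.example
}


def normalize(name: str) -> str:
    """Lower-case, drop the trailing dot and convert Unicode labels to IDNA.

    Without this step a client is bypassed by 'EVIL.EXAMPLE.' or by the
    Unicode spelling of a listed domain.
    """
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def lookup(name: str, blocklist=BLOCKLIST):
    """Return the blocklist entry matching `name` or any parent domain, else None.

    Parent matching is needed because listed domains are abused through
    arbitrary subdomains; the bare TLD is never considered a candidate.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def is_stale(entry: str, today_iso: str, max_age_days: int = 365, blocklist=BLOCKLIST) -> bool:
    """True when an entry is older than max_age_days and should be re-evaluated.

    Old entries may be sinkholed, expired or re-registered by a legitimate
    owner; listing must not be a one-way function.
    """
    today = date.fromisoformat(today_iso)
    return (today - blocklist[entry]).days > max_age_days


def scan(names, today_iso: str, blocklist=BLOCKLIST):
    """Map each observed name to (matched entry or None, whether that entry is stale)."""
    out = {}
    for n in names:
        hit = lookup(n, blocklist)
        out[n] = (hit, is_stale(hit, today_iso, blocklist=blocklist) if hit else False)
    return out


if __name__ == "__main__":
    # Constructed DNS names as a client might see them in its query log
    observed = ["WWW.cdn.phish.example.", "bücher.example",
                "update.malware-drop.example", "benign.example"]
    for name, (hit, stale) in scan(observed, "2024-01-01").items():
        print(f"{name:32} blocked_by={hit} stale={stale}")
```

Note that `lookup` deliberately does not match `phish.example` when only `cdn.phish.example` is listed: a parent is never blocked because of a child, while every child of a listed domain is.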

    Distributed Deep Neural-Network-Based Middleware for Cyber-Attacks Detection in Smart IoT Ecosystem: A Novel Framework and Performance Evaluation Approach

    Cyberattacks remain the major threat and a challenging issue in the modern digital world. With the increasing number of Internet of Things (IoT) devices, security weaknesses in these devices, such as lack of encryption, malware, ransomware and IoT botnets, leave them vulnerable to attackers who can access and manipulate important data, threaten the system and demand ransom. The lessons of earlier cyberattacks demand the development of a best-practice benchmark for cybersecurity, especially in modern Smart Environments. In this study, we propose an approach and a framework for discovering malware attacks using artificial intelligence (AI) methods that cover diverse and distributed scenarios. The method proactively tracks network traffic data to detect malware and attacks in the IoT ecosystem, and makes Smart Environments more secure and aware of possible future threats. Performance and concurrency tests of the deep neural network (DNN) model deployed on IoT devices were carried out to validate the feasibility of an in-production implementation. By deploying the DNN model on two selected IoT gateways, we observed very promising results, with less than 30 kb/s increase in network bandwidth on average and just a 2% increase in CPU consumption. Similarly, we observed minimal physical memory and power consumption, with 0.42 GB and 0.2 GB of memory used on the NVIDIA Jetson and Raspberry Pi devices, respectively, and an average 13.5% increase in power consumption per device with the deployed model. The ML models achieved nearly 93% detection accuracy and a 92% F1-score on both datasets used. The results show that our framework detects malware and attacks in Smart Environments accurately and efficiently.

    A Novel Architectural Framework on IoT Ecosystem, Security Aspects and Mechanisms: A Comprehensive Survey

    For the past few years, Internet of Things (IoT) technology has not only continued to gain popularity and importance, but has also witnessed the true realization of everything being smart. With the advent of the concept of smart everything, IoT has emerged as an area of great potential and incredible growth. An IoT ecosystem centers on an innovation perspective, which is considered its fundamental core. Accordingly, IoT enabling technologies such as hardware and software platforms as well as standards become the core of the IoT ecosystem. However, any large-scale technological integration such as IoT development poses the challenge of ensuring secure data transmission. In particular, the ubiquitous and resource-constrained nature of IoT devices and the sensitive, private data generated by IoT systems make them highly vulnerable to physical and cyber threats. In this paper, we re-define the IoT ecosystem from the core-technologies viewpoint. We propose a modified three-layer IoT architecture by dividing the perception layer into elementary blocks based on their attributed functions. Enabling technologies, attacks and security countermeasures are classified under each layer of the proposed architecture. Additionally, to give readers a broader perspective of the research area, we discuss the role of various state-of-the-art emerging technologies in IoT security. We present the security aspects of the most prominent standards and other recently developed technologies for IoT which might have the potential to form the yet undefined IoT architecture. Among the technologies presented in this article, we give special attention to one recent technology in the IoT domain, IQRF (Intelligent Connectivity using Radio Frequency). It is an emerging technology for wireless packet-oriented communication that operates in the sub-GHz ISM band (868 MHz) and is intended for general use where wireless connectivity is needed, either in a mesh network or in a point-to-point (P2P) configuration. We also highlight the security aspects implemented in this technology and compare it with other already known technologies. Moreover, a detailed discussion of the possible attacks is presented; these attacks are projected onto the IoT technologies presented in this article, including IQRF. In addition, the lightweight security solutions implemented in these technologies to counter these threats in the proposed IoT ecosystem architecture are also presented. Lastly, we summarize the survey by listing some common challenges and future research directions in this field.

    Machine Learning Aided Static Malware Analysis: A Survey and Tutorial

    Malware analysis and detection techniques have been evolving over the last decade in response to the development of malware techniques that evade network-based and host-based security protections. The fast growth in the variety and number of malware species has made it very difficult for forensic investigators to respond on time. Therefore, Machine Learning (ML) aided malware analysis has become a necessity to automate different aspects of static and dynamic malware investigation. We believe that machine learning aided static analysis can be used as a methodological approach in technical Cyber Threat Intelligence (CTI), rather than the resource-consuming dynamic malware analysis that has been thoroughly studied before. In this paper, we address this research gap by conducting an in-depth survey of different machine learning methods for classification of the static characteristics of 32-bit malicious Portable Executable (PE32) Windows files, and develop a taxonomy for better understanding of these techniques. Afterwards, we offer a tutorial on how different machine learning techniques can be utilized in the extraction and analysis of a variety of static characteristics of PE binaries, and evaluate the accuracy and practical generalization of these techniques. Finally, the results of an experimental study of all the methods on common data are given to demonstrate their accuracy and complexity. This paper may serve as a stepping stone for future researchers in the cross-disciplinary field of machine learning aided malware forensics.
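The static characteristics the survey classifies (header fields, section table, per-section entropy) can be pulled from a PE32 file with the standard library alone. The Python below is an added example, not the survey's tutorial code: it walks the DOS header, PE signature, COFF and optional headers and the section table, computes Shannon entropy per section, and flags writable-and-executable sections and the ASLR/DEP opt-in bits. The two-section image produced by build_sample_pe32() is constructed so that the parser runs offline; it is not a real executable, and the particular feature set is our choice.

```python
"""Static feature extraction from a PE32 header and section table.

Added illustrative example, not code from the survey. The image built by
build_sample_pe32() is constructed (not a runnable program) so the parser
can be exercised offline; the feature set itself is our choice.
"""
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DLL_DYNAMIC_BASE = 0x0040   # ASLR opt-in
DLL_NX_COMPAT = 0x0100      # DEP opt-in


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted sections sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe32_features(image: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    opt = pe_off + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)
    wx_mask = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, sec_chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 3),
            "writable_and_executable": (sec_chars & wx_mask) == wx_mask,
            "contains_entry_point": vaddr <= entry < vaddr + max(vsize, rsize),
        })
    return {
        "machine": machine,
        "number_of_sections": nsec,
        "timestamp": timestamp,
        "file_characteristics": chars,
        "entry_point": entry,
        "image_base": image_base,
        "subsystem": subsystem,
        "aslr": bool(dll_chars & DLL_DYNAMIC_BASE),
        "nx": bool(dll_chars & DLL_NX_COMPAT),
        "max_section_entropy": max((s["entropy"] for s in sections), default=0.0),
        "any_wx_section": any(s["writable_and_executable"] for s in sections),
        "sections": sections,
    }


def build_sample_pe32() -> bytes:
    """Constructed image: low-entropy .text plus a high-entropy, writable+executable .packed."""
    text = bytes(range(16)) * 32                       # 512 bytes over 16 symbols -> entropy 4.0
    blob, seed = b"", b"packed"
    while len(blob) < 512:                             # deterministic pseudo-random filler
        seed = hashlib.sha256(seed).digest()
        blob += seed
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    # COFF: i386, 2 sections, timestamp, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0x5F000000, 0, 0, 224, 0x0102)
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)    # ImageBase
    struct.pack_into("<HH", img, opt + 68, 2, 0x0140)  # Subsystem GUI, DYNAMIC_BASE|NX_COMPAT
    sec = opt + 224
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".text", 512, 0x1000, 512, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", img, sec + 40, b".packed", 512, 0x2000, 512, 0x400, 0, 0, 0, 0, 0xE0000040)
    img[0x200:0x400] = text
    img[0x400:0x600] = blob[:512]
    return bytes(img)


if __name__ == "__main__":
    for key, value in parse_pe32_features(build_sample_pe32()).items():
        print(key, value)
```

On a real sample the call is simply `parse_pe32_features(open(path, "rb").read())`. PE32+ (64-bit) images use a different optional-header layout (8-byte ImageBase, no BaseOfData) and are rejected on purpose rather than silently misparsed; the imports table, which the survey also treats as a static feature, needs RVA-to-offset translation through the section table and is left out here.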

    Predicting likelihood of legitimate data loss in email DLP

    The volume and variety of data collected by modern organisations has increased significantly over the last decade, necessitating the detection and prevention of disclosure of sensitive data. Data loss prevention is an embedded process used to protect against disclosure of sensitive data to external, uncontrolled environments. A typical Data Loss Prevention (DLP) system uses custom policies to identify and prevent accidental and malicious data leakage, producing a large number of security alerts, including a significant volume of false positives. Consequently, identifying legitimate data loss can be very challenging, as each incident has different characteristics and often requires extensive intervention by a domain expert to review alerts individually. This limits the ability to detect data loss alerts in real time, leaving organisations vulnerable to financial and reputational damage. The aim of this research is to strengthen the data loss detection capabilities of a DLP system by implementing a machine learning model that predicts the likelihood of legitimate data loss. We conducted extensive experimentation using Decision Tree and Random Forest algorithms on historical email incident data collected by a globally established telecommunications enterprise. The final model, produced with the Random Forest algorithm, was identified as the most effective: it predicted approximately 95% of data loss incidents correctly, with an average true positive rate of 90%. Furthermore, the proposed solution enables identification of legitimate data loss in email DLP while facilitating prioritisation of real data loss through a human-understandable explanation of the decision, thereby improving the efficiency of the process.
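A DLP policy that matches any 13 to 19 digit run raises an alert on every ticket or order number, which is where much of the false-positive volume the abstract mentions comes from. The Python below is an added example, not the paper's model or data: it separates Luhn-valid card numbers from look-alikes, derives recipient-context features (external domain, personal webmail, attachment) from constructed alerts, and ranks them with a hand-weighted stand-in for the learned classifier. The organisation and webmail domains, the sample alerts and the weights are all constructed; the card numbers are public test numbers.

```python
"""Feature extraction for email DLP alert triage.

Added illustrative example, not the paper's model or data. The organisation
domains, webmail domains, emails and hand-set weights below are constructed;
leak_likelihood() stands in for the learned classifier and only shows which
features such a model would consume.
"""
import re

ORG_DOMAINS = {"corp.example"}                      # constructed
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com"}      # constructed

# 13-19 digits with optional space/dash separators, not embedded in a longer digit run
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """ISO/IEC 7812 check digit; a regex-only policy skips this and over-alerts."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str):
    """Split regex hits into Luhn-valid card numbers and look-alikes (ticket/order numbers)."""
    valid, lookalike = [], []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        (valid if luhn_ok(digits) else lookalike).append(digits)
    return valid, lookalike


def alert_features(email: dict) -> dict:
    """Content and recipient-context features for one alert."""
    rcpt = {addr.rsplit("@", 1)[1].lower() for addr in email["to"]}
    valid, lookalike = find_cards(email["body"])
    return {
        "valid_cards": len(valid),
        "regex_only_hits": len(lookalike),
        "external": bool(rcpt - ORG_DOMAINS),
        "webmail": bool(rcpt & WEBMAIL_DOMAINS),
        "attachment": bool(email.get("attachments")),
    }


def leak_likelihood(f: dict) -> float:
    """Hand-weighted stand-in for the classifier; returns a score in [0, 1]."""
    score = 0.0
    if f["valid_cards"]:
        score += 0.5 if f["valid_cards"] == 1 else 0.7
    score += 0.05 * min(f["regex_only_hits"], 2)   # look-alikes are weak evidence
    if f["external"]:
        score += 0.15
    if f["webmail"]:
        score += 0.15
    if f["attachment"]:
        score += 0.1
    if not f["external"]:
        score *= 0.3                               # internal mail rarely constitutes loss
    return round(min(score, 1.0), 3)


def triage(emails):
    """Return (score, id) pairs, highest first, so the analyst reviews real loss first."""
    return sorted(((leak_likelihood(alert_features(e)), e["id"]) for e in emails), reverse=True)


# Constructed alerts; the card numbers are public test numbers, not real accounts
SAMPLE_ALERTS = [
    {"id": "A1", "to": ["someone@gmail.com"], "attachments": ["cards.xlsx"],
     "body": "card 4111 1111 1111 1111 exp 12/27"},
    {"id": "A2", "to": ["finance@corp.example"],
     "body": "Ticket 1234567890123456 reopened"},
    {"id": "A3", "to": ["partner@vendor.example"],
     "body": "order 1234567890123456 paid with 5500 0000 0000 0004"},
]

if __name__ == "__main__":
    for score, alert_id in triage(SAMPLE_ALERTS):
        print(alert_id, score)
```

The internal ticket number in A2 is exactly the kind of alert the abstract says consumes analyst time; the Luhn check and the recipient context push it to the bottom of the queue without dropping it.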

    Decentralized self-enforcing trust management system for social Internet of Things

    The Internet of Things (IoT) is the network of connected computing devices that can transfer valuable data between each other via the Internet without human intervention. In such a connected environment, the social IoT (SIoT) has become an emerging trend in which multiple IoT devices owned by users support communication within a social circle. Trust management in the SIoT network is imperative, as trusting information from compromised devices could lead to serious compromises within the network. It is important to have a mechanism whereby devices and their users evaluate the trustworthiness of other devices and users before trusting the information they send. Privacy preservation, decentralization and self-enforcing management without trusted third parties are the fundamental challenges in designing a trust management system for SIoT. To address these challenges, this article presents a novel framework for computing and updating the trustworthiness of participants in the SIoT network in a self-enforcing manner, without relying on any trusted third party. The privacy of the participants is protected by using homomorphic encryption in the decentralized setting. To achieve self-enforcement, the trust score of each device is automatically updated based on its previous trust score and the up-to-date tally of the votes by its peers in the network, with zero-knowledge proofs (ZKPs) enforcing that every participant follows the protocol honestly. We evaluate the performance of the proposed scheme and present evaluation benchmarks by prototyping the main functionality of the system. The performance results show that the system's computation and communication overheads increase linearly with the number of participants in the network. Furthermore, we prove the correctness, privacy and security of the proposed system under a malicious adversarial model.
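The tally step in the abstract (peers vote, the votes are summed under homomorphic encryption, and the trust score is updated from the previous score and the tally) can be shown with textbook Paillier encryption, which is additively homomorphic. The Python below is an added example and not the paper's protocol: the abstract does not say which scheme or which zero-knowledge proofs are used, the key here is a toy built from two small primes, the votes are constructed, and the moving-average update rule is our assumption. No ZKP is implemented, and forged_vote_demo() shows why the paper needs one: without a proof that each encrypted vote is 0 or 1, a single peer can submit 1000 and the aggregate accepts it.

```python
"""Privacy-preserving vote tally with additively homomorphic (Paillier) encryption.

Added illustrative example, not the paper's protocol (the abstract does not
say which homomorphic scheme or ZKP it uses). The key size is a toy, the
votes are constructed, and the trust-update rule is our assumption. No
zero-knowledge proof is implemented; forged_vote_demo() shows what goes
wrong without one.
"""
import math
import secrets


class Paillier:
    """Textbook Paillier with g = n + 1. Toy primes only: never use in production."""

    def __init__(self, p: int, q: int):
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)      # lcm(p-1, q-1)
        self.mu = pow(self._L(pow(self.g, self.lam, self.n2)), -1, self.n)

    def _L(self, u: int) -> int:
        return (u - 1) // self.n

    def encrypt(self, m: int) -> int:
        """c = g^m * r^n mod n^2 with fresh random r, so equal votes give different ciphertexts."""
        while True:
            r = secrets.randbelow(self.n)
            if r > 0 and math.gcd(r, self.n) == 1:
                break
        return (pow(self.g, m, self.n2) * pow(r, self.n, self.n2)) % self.n2

    def decrypt(self, c: int) -> int:
        return (self._L(pow(c, self.lam, self.n2)) * self.mu) % self.n

    def add(self, c1: int, c2: int) -> int:
        """Ciphertext product decrypts to the plaintext sum: the aggregator never sees a vote."""
        return (c1 * c2) % self.n2


def tally(pk: Paillier, ciphertexts) -> int:
    """Homomorphically sum encrypted votes; returns a ciphertext of the total."""
    acc = pk.encrypt(0)
    for c in ciphertexts:
        acc = pk.add(acc, c)
    return acc


def update_trust(previous: float, votes_for: int, voters: int, alpha: float = 0.7) -> float:
    """Assumed update rule: exponential moving average of the previous score and the vote share."""
    return alpha * previous + (1 - alpha) * votes_for / voters


def run_round(pk: Paillier, votes, previous_trust: float) -> float:
    """Peers encrypt 1 (trust) or 0 (distrust); only the key holder decrypts the aggregate."""
    encrypted = [pk.encrypt(v) for v in votes]
    votes_for = pk.decrypt(tally(pk, encrypted))
    return update_trust(previous_trust, votes_for, len(votes))


def forged_vote_demo(pk: Paillier) -> int:
    """Without a range proof that each vote is in {0, 1}, one peer can encrypt 1000 and swing the tally."""
    encrypted = [pk.encrypt(v) for v in (1, 0, 1)] + [pk.encrypt(1000)]
    return pk.decrypt(tally(pk, encrypted))


KEY = Paillier(104729, 104723)   # toy 17-bit primes; real keys use primes of 1024 bits or more

if __name__ == "__main__":
    print("trust after round:", run_round(KEY, [1, 0, 1, 1], 0.5))   # 0.7*0.5 + 0.3*0.75
    print("tally with a forged vote:", forged_vote_demo(KEY))         # 1002
```

In a decentralised deployment the private key would not sit with a single party either; threshold decryption (or the paper's own construction) is needed so that no one participant can open individual votes, and the ZKP the abstract mentions is what closes the forged-vote hole shown above.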

    Automatic rule-extraction for malware detection on mobile devices

    Malware causes damage not only to personal computers but also to contemporary mobile devices. With growing performance and storage capabilities, users of mobile devices tend to store more sensitive information than before. Additionally, mobile platforms allow paid telecom services to be used via installed software applications that extend the functionality of the devices. Besides certified application-distribution services, users can download applications from uncertified developers. The number of applications has been increasing exponentially each year, and part of them are distributed by third-party markets. Taking all these aspects into account, mobile devices have become attractive targets for attackers and their malicious software. Mobile platforms restrict access to information and the execution of applications: in order to execute some functionality, an application requires the user to grant a set of permissions. Another protection mechanism is commercial Anti-Virus (AV) software that uses so-called signatures. These signatures define the indicators used to recognise malicious applications. The detection process of such software can be as simple as comparing file names or as complex as checking system artifacts. Sometimes signatures can only be composed as a result of advanced malware reverse engineering. Despite the existing protection solutions, detecting malware automatically in a dynamic environment remains a challenge, because the malware detection process involves evaluating the different factors that accompany malware execution. This study focuses on deriving fuzzy rules for malware detection automatically. The challenges of malware detection are many-fold, and we therefore focus on mobile devices in this study. We introduce precise artifacts that mobile malware leaves during execution. A virtualized environment is used to study dynamic malware behavior, and analysis of static malware attributes is performed in addition. The goal is not only to derive malware detection rules automatically but also to give them linguistic meaning that is understandable by humans. The thesis establishes a method in which a combination of Artificial Neural Networks (ANN) and Fuzzy Logic (FL) is utilized for rule extraction. As a result, such rules are human-explainable, which allows a forensic analyst to use them in a court of law. Finally, the thesis provides justification of how the derived rules can be applied in the automated analysis of a large number of mobile malware samples.

    Evolutionary optimization of on-line multilayer perceptron for similarity-based access control

    Neural Networks have been successfully used in different fields of Information Security, such as network intrusion detection and malware analysis, because of their ability to provide a high level of abstraction for complex and incomplete data. Despite their successful application as an off-line learning method, on-line learning can be challenging when dealing with data streams. This paper presents ongoing research on an on-line Neural Network for Access Control that can be used for similarity-based access to sensitive information. Conventional training is not efficient when dealing with data streams such as a flow of access patterns, since the availability of data samples is limited. Considering this obstacle, we propose to use a Genetic Algorithm as meta-heuristic optimization for selecting an individual learning rate α for each weight. A similarity-based Access Control mechanism deals with a data stream that includes a continuous flow of attributes characterizing users and resources, so the task is to estimate the likelihood that a user's access to a particular resource is legitimate in a dynamic environment. This research contributes to the field of Information Security by overcoming the limitations of data stream mining in an agile environment.

    Advancing Neuro-Fuzzy Algorithm for Automated Classification in Largescale Forensic and Cybercrime Investigations: Adaptive Machine Learning for Big Data Forensic

    Cyber crime investigators are challenged by the huge amount and complexity of digital data seized in criminal cases. Human experts are present in the Court of Law and make decisions with respect to the digital data and evidence found. Therefore, it is necessary to combine automated analysis with a human-understandable representation of digital data and evidence. Machine Learning methods such as Artificial Neural Networks, Support Vector Machines and Bayes Networks have been successfully applied in Digital Investigation & Forensics. The challenge, however, is that these methods neither provide precise human-explainable models nor work without prior knowledge. Our research is inspired by the emerging area of Computational Forensics. We focus on the Neuro-Fuzzy rule-extraction classification method, a promising Hybrid Intelligence model. The contribution goes towards improved performance of Neuro-Fuzzy in extracting accurate fuzzy rules that are human-explainable. These rules can be presented and explained in a Court of Law, which is better than a set of numerical parameters obtained from more abstract Machine Learning models. In our initial research on the Neuro-Fuzzy method, we found that its application in Digital Forensics was promising, but with a number of drawbacks. These include (i) poor performance in learning from real-world data in comparison to other state-of-the-art Machine Learning methods, (ii) a number of output fuzzy rules so large that no human expert can understand them, (iii) strong model overfitting caused by the huge number of fuzzy rules, and (iv) an intrinsic learning procedure that neglects part of the data and therefore becomes inaccurate. Because of these drawbacks, the latent potential of the Neuro-Fuzzy method has not been widely applied in the area yet. The contribution of this work is the following: (1) theoretical, in the improvement of the Neuro-Fuzzy method, and (2) empirical, in the experimental design using large-scale datasets in the Digital Forensics domain. The entire study was conducted during 2013-2017 at the NTNU Digital Forensics Group. Regarding (1): Neuro-Fuzzy was revised, so we first contributed to the Machine Learning domain and subsequently to the large-scale Digital Forensics application. In particular, (i) we proposed exploratory data analysis to improve Self-Organizing Map initialization and the generalization of the Neuro-Fuzzy method targeting large-scale datasets; (ii) we also improved the compactness and generalization of fuzzy patches through a chi-square goodness-of-fit test, resulting in increased accuracy and robustness of the method; (iii) we constructed a new membership function based on the Gaussian multinomial distribution that treats the fuzzy-patch representation as a statistically estimated hyperellipsoid; (iv) we reformulated the application of Neuro-Fuzzy to solve multi-class problems rather than conventional two-class problems; (v) finally, we designed a new approach to model non-linear data using Deep Learning and the Neuro-Fuzzy method, resulting in a Deep Neuro-Fuzzy architecture. Regarding (2): the experimental study includes an extended evaluation of the proposed improvements with respect to the challenges and requirements of a variety of real-world applications, including: (i) state-of-the-art datasets such as the Android malware dataset, the KDD CUP 1999 network intrusion detection dataset and the PKDD 2007 web application firewall dataset; community-accepted datasets from the UCI collection were also used, including large-scale datasets such as SUSY and HIGGS. (ii) A new large-scale collection of Windows Portable Executable 32-bit malware files was also composed as part of this PhD work.
It consists of 328,000 labelled malware samples that represent 10,362 families and 35 categories; these were further tested as non-trivial multi-class problems that had been neither sufficiently studied in the literature nor previously explored.

    Securing Resource-Constrained IoT Nodes: Towards Intelligent Microcontroller-Based Attack Detection in Distributed Smart Applications

    In recent years, Internet of Things (IoT) devices have become an inseparable part of our lives. With the growing demand for Smart Applications, it is clear that IoT will bring everyday automation and intelligent sensing to a new level, thus improving quality of life. The core component of the IoT ecosystem is data, which exists in various forms and formats; the collected data is later used to create context awareness and make meaningful decisions. Besides the undoubtedly large number of advantages of IoT, there are numerous challenges attributed to the security of the objects that cannot be neglected if services are to run uninterrupted. The Mirai botnet attack demonstrated that IoT systems are susceptible to different forms of cyberattacks. While advanced data analytics and Machine Learning have proved efficient in various applications of cybersecurity, they have not been explored enough in the literature from the perspective of applicability in the domain of resource-constrained IoT. Several architectures and frameworks have been proposed for defining ways of analyzing the data, yet they mostly investigate off-chip analysis. In this contribution, we show how an Artificial Neural Network model can be trained and deployed on trivial IoT nodes for detecting network attacks using an intelligent, similarity-based approach. This article proposes the concept of a resource-constrained intelligent system as part of the IoT infrastructure, to harden cybersecurity on microcontrollers. This work will serve as a stepping stone for the application of Artificial Intelligence on devices with limited computing capabilities, such as end-point IoT nodes.