SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models

The dependability community has expressed a growing interest in the recent years for the effects of malicious, ex-ternal, operational faults in computing systems, ie. intru-sions. The term intrusion tolerance has been introduced to emphasize the need to go beyond what classical fault toler-ant systems were able to offer. Unfortunately, as opposed to well understood accidental faults, the domain is still lack-ing sound data sets and models to offer rationales in the design of intrusion tolerant solutions. In this paper, we de-scribe a framework similar in its spirit to so called honey-farms but built in a way that makes its large-scale deploy-ment easily feasible. Furthermore, it offers a very rich level of interaction with the attackers without suffering from the drawbacks of expensive high interaction systems. The sys-tem is described, a prototype is presented as well as some preliminary results that highlight the feasibility as well as the usefulness of the approach.

Gone Rogue: An Analysis of Rogue Security Software Campaigns

In the past few years, Internet miscreants have developed a number of techniques to defraud and make a hefty profit out of their unsuspecting victims. A troubling, recent example of this trend is cyber-criminals distributing rogue security software, that is malicious programs that,by pretending to be legitimate security tools (e.g., anti-virus or anti-spyware), deceive users into paying a substantial amount of money in exchange for little or no protection.While the technical and economical aspects of rogue security software (e.g., its distribution and monetization mechanisms) are relatively well-understood, much less is known about the campaigns through which this type of malware is distributed, that is what are the underlying techniques and coordinated efforts employed by cyber-criminals to spread their malware.In this paper, we present the techniques we used to analyze rogue security software campaigns, with an emphasis on the infrastructure employed in the campaign and the life-cycle of the clients that they infect

Extracting inter-arrival time based behaviour from honeypot traffic using cliques

The Leurre.com project is a worldwide network of honeypot environments that collect traces of malicious Internet traffic every day. Clustering techniques have been utilized to categorize and classify honeypot activities based on several traffic features. While such clusters of traffic provide useful information about different activities that are happening in the Internet, a new correlation approach is needed to automate the discovery of refined types of activities that share common features. This paper proposes the use of packet inter-arrival time (IAT) as a main feature in grouping clusters that exhibit commonalities in their IAT distributions. Our approach utilizes the cliquing algorithm for the automatic discovery of cliques of clusters. We demonstrate the usefulness of our methodology by providing several examples of IAT cliques and a discussion of the types of activity they represent. We also give some insight into the causes of these activities. In addition, we address the limitation of our approach, through the manual extraction of what we term supercliques, and discuss ideas for further improvement

Challenges in Critical Infrastructure Security

Part 1: KeynoteInternational audienceThe threat landscape is continuously evolving. Large, widespread worm infections are leaving more and more space to more stealthy attacks targeting highly valuable targets. Industrial Control Systems (ICS) are rapidly becoming a new major target of cyber-criminals: ICS are evolving, bringing powerful capabilities into the critical infrastructure environment along with new and yet undiscovered threats.This was pointed out in multiple occasions by security experts and was confirmed by a recent survey carried out by Symantec: according to the survey (http://bit.ly/bka8UF), 53% of a total of 1580 critical infrastructure industries have admitted to being targeted by cyber attacks. The survey implies that the incidents reported by the press over the last several years are nothing but the tip of a considerably larger problem: the vast majority of these incidents has never been disclosed. Moreover, when looking at the few publicly disclosed incidents such as Stuxnet, we see a completely different level of sophistication, compared to traditional malware witnessed in the wild in previous years.This talk will dive into the challenges and the opportunities associated to ICS security research, and on the tools at our disposal to improve our ability to protect such critical environments