ABSTRACT: Authorship verification consists of checking whether or not a target document was written by a specific individual. In this paper, we study the problem of authorship verification for Continuous Authentication (CA) purposes. Unlike traditional authorship verification, which focuses on long texts, we tackle the use of micro-messages. A shorter authentication delay (i.e. a smaller data sample) is essential to reduce the window size of the re-authentication period in CA. We explored lexical, syntactic, and application-specific features. We investigated two different classification schemes: on one hand Logistic Regression (LR) and on the other hand a hybrid classifier combining a Support Vector Machine (SVM) and LR. Experimental evaluation based on the Enron email dataset involving 76 authors and a Twitter dataset involving 100 authors yields very promising results consisting of Equal Error Rates (EER) of 9.18% and 11.83%, respectively.
Twelfth Annual International Conference on Privacy, Security and Trust (PST 2014), Toronto, Canada; 07/2014
ABSTRACT: Most of the methods that generate decision trees for a specific problem use the examples of data instances in the decision tree generation process. This article proposes a method called RBDT-1 (rule-based decision tree) for learning a decision tree from a set of decision rules that cover the data instances rather than from the data instances themselves. The goal is to create on demand a short and accurate decision tree from a stable or dynamically changing set of rules. The rules could be generated by an expert, by an inductive rule learning program that induces decision rules from the examples of decision instances (such as AQ-type rule induction programs), or extracted from a tree generated by another method, such as ID3 or C4.5. In terms of tree complexity (number of nodes and leaves in the decision tree), RBDT-1 compares favorably with AQDT-1 and AQDT-2, which are methods that create decision trees from rules. RBDT-1 also compares favorably with ID3 and is as effective as C4.5, where both ID3 and C4.5 are well-known methods that generate decision trees from data examples. Experiments show that the classification accuracies of the decision trees produced by all methods under comparison are indistinguishable.
ABSTRACT: Because of the financial and other gains attached to the growing malware industry, there is a need to automate the process of malware analysis and provide real-time malware detection. To hide malware, obfuscation techniques are used. One such technique is metamorphism, an encoding that mutates the dynamic binary code and changes the opcodes with every run to avoid detection. This makes malware difficult to detect in real time and generally requires a behavioral signature for detection. In this paper we present a new framework called MARD, for Metamorphic Malware Analysis and Real-Time Detection, to protect the end points, which are often the last line of defense against metamorphic malware. MARD provides: (1) automation, (2) platform independence, (3) optimizations for real-time performance and (4) modularity. We also present a comparison of MARD with other such recent efforts. Experimental evaluation of MARD achieves a detection rate of 99.6% and a false positive rate of 4%.
28th IEEE International Conference on Advanced Information Networking and Applications, Research Track - Security and Privacy; 05/2014
ABSTRACT: Continuous Authentication (CA) consists of monitoring and checking user behavior repeatedly and unobtrusively during a computing session in order to discriminate between legitimate and impostor behaviors. Stylometry analysis, which consists of checking whether or not a target document was written by a specific individual, could potentially be used for CA. In this work, we adapt existing stylometric features and develop a new authorship verification model applicable to continuous authentication. We use existing lexical, syntactic, and application-specific features, and propose new features based on n-gram analysis. We start with a large feature set and identify a reduced number of user-specific features by computing the information gain. In addition, our approach includes a strategy to circumvent the issue of unbalanced datasets, which is an inherent problem in stylometry analysis. We use a Support Vector Machine (SVM) for classification. Experimental evaluation based on the Enron email dataset involving 76 authors yields very promising results consisting of an Equal Error Rate (EER) of 12.42% for message blocks of 500 characters.
2014 IEEE 28th International Conference on Advanced Information Networking and Applications (AINA), Victoria, BC, Canada; 05/2014
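The abstract above reduces a large stylometric feature set to user-specific features by information gain over n-gram features. The following is an added example (not code from the paper, and not its dataset): it builds character trigram presence features from a handful of constructed messages labelled with two hypothetical authors, frames verification as target-author-versus-others, and ranks each trigram by the information gain of that binary label. The corpus, author names and the `min_df` cut-off are assumptions made for the example.

```python
"""Character n-gram stylometric features ranked by information gain.

Added example illustrating the feature-selection step described in the
abstract; all messages and author names below are constructed.
"""
from collections import Counter
from math import log2

# Constructed corpus: (author, message). Not real email data.
CORPUS = [
    ("alice", "pls send me the report asap, thx!!"),
    ("alice", "ok will do, thx!! talk soon"),
    ("alice", "pls review asap, thx"),
    ("bob", "Please find the attached report for your review."),
    ("bob", "I will send it tomorrow. Regards, Bob"),
    ("bob", "Please let me know if you have questions."),
]


def char_ngrams(text, n):
    """Multiset of lower-cased character n-grams of text."""
    t = text.lower()
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def feature_matrix(corpus, n=3, min_df=2):
    """Binary presence features over n-grams seen in at least min_df messages.

    Returns (vocab, rows) where rows[i][j] == 1 iff vocab[j] occurs in message i.
    """
    docs = [char_ngrams(msg, n) for _, msg in corpus]
    df = Counter()
    for d in docs:
        df.update(d.keys())
    vocab = sorted(g for g, c in df.items() if c >= min_df)
    rows = [[1 if g in d else 0 for g in vocab] for d in docs]
    return vocab, rows


def entropy(labels):
    """Shannon entropy (bits) of a label sequence."""
    total = len(labels)
    return -sum(c / total * log2(c / total) for c in Counter(labels).values())


def information_gain(feature_col, labels):
    """IG(label; feature) = H(label) - H(label | feature) for a binary feature."""
    total = len(labels)
    cond = 0.0
    for v in (0, 1):
        subset = [lab for f, lab in zip(feature_col, labels) if f == v]
        if subset:
            cond += len(subset) / total * entropy(subset)
    return entropy(labels) - cond


def rank_features(corpus, target_author, n=3, min_df=2, k=5):
    """Top-k n-grams by information gain for target-vs-others verification."""
    vocab, rows = feature_matrix(corpus, n, min_df)
    labels = [1 if a == target_author else 0 for a, _ in corpus]
    scored = []
    for j, gram in enumerate(vocab):
        col = [r[j] for r in rows]
        scored.append((information_gain(col, labels), gram))
    scored.sort(key=lambda x: (-x[0], x[1]))
    return scored[:k]


if __name__ == "__main__":
    for ig, gram in rank_features(CORPUS, "alice"):
        print(f"{ig:.3f}  {gram!r}")
```

With this corpus the trigrams that occur in every one of the target author's messages and in none of the others (the sign-off "thx", for instance) score the maximum gain of 1 bit; trigrams shared with the other author score lower, which is the behaviour one wants from a user-specific feature filter.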
ABSTRACT: Dynamic binary obfuscation or metamorphism is a technique where a malware never keeps the same sequence of opcodes in memory. Such malware is very difficult to analyse and detect manually, even with the help of tools. We need to automate the analysis and detection process for such malware. This paper introduces and presents a new language named MAIL (Malware Analysis Intermediate Language) to automate and optimize this process. MAIL also provides portability for building malware analysis and detection tools. Each MAIL statement is assigned a pattern that can be used to annotate a control flow graph for pattern matching to analyse and detect metamorphic malware. Experimental evaluation of the proposed approach using an existing dataset yields a malware detection rate of 93.92% and a false positive rate of 3.02%.
ACM Sixth International Conference on Security of Information and Networks, Aksaray, Turkey; 11/2013
ABSTRACT: Botnets represent one of the most serious cybersecurity threats faced by organizations today. Botnets have been used as the main vector in carrying out many of the cyber crimes reported in the recent news. While a significant amount of research has been accomplished on botnet analysis and detection, several challenges remain unaddressed, such as the ability to design detectors which can cope with new forms of botnets. In this paper, we propose a new approach to detect botnet activity based on traffic behavior analysis, by classifying network traffic behavior using machine learning. Traffic behavior analysis methods do not depend on the packet payload, which means that they can work with encrypted network communication protocols. Network traffic information can usually be retrieved easily from various network devices without significantly affecting network performance or service availability. We study the feasibility of detecting botnet activity without having seen a complete network flow, by classifying behavior based on time intervals. Using existing datasets, we show experimentally that it is possible to identify the presence of existing and unknown botnet activity with high accuracy, even with very small time windows.
ABSTRACT: Intrusion analysis is a resource-intensive, complex and expensive process for any organization. The reconstruction of the attack scenario is an important aspect of such an endeavor. In this paper we tackle several challenges overlooked by existing attack scenario reconstruction techniques that undermine their performance. These include the ability to identify and extract novel attack patterns and the correlation of heterogeneous multi-sensor alerts. We propose a novel attack scenario reconstruction approach that analyzes both implicit and explicit relationships between intrusion alerts using semantic analysis and a new intrusion ontology. The proposed approach can reconstruct known and unknown attack scenarios and correlate alerts generated in a multi-sensor IDS environment. Moreover, our approach is the first to handle both novel attacks and false negative alerts generated by Intrusion Detection Systems (IDSs). Our experimental results show the potential of our approach and its advantages over previous approaches.
Journal of Information Security and Applications. 07/2013; 18(1):53–67.
ABSTRACT: The mouse dynamics biometric is a behavioral biometric technology that extracts and analyzes the movement characteristics of the mouse input device when a computer user interacts with a graphical user interface, for identification purposes. Most of the existing studies on mouse dynamics analysis have targeted primarily continuous authentication or user re-authentication, for which promising results have been achieved. Static authentication (at login time) using mouse dynamics, however, appears to face some challenges due to the limited amount of data that can reasonably be captured during such a process. In this paper, we present a new mouse dynamics analysis framework that uses mouse gesture dynamics for static authentication. The captured gestures are analyzed using a learning vector quantization neural network classifier. We conduct an experimental evaluation of our framework with 39 users, in which we achieve a false acceptance ratio of 5.26% and a false rejection ratio of 4.59% when four gestures are combined, with a test session length of 26.9 s. This is an improvement in both accuracy and validation sample compared to the existing mouse dynamics approaches that could be considered adequate for static authentication. Furthermore, to our knowledge, our work is the first to present a relatively accurate static authentication scheme based on mouse gesture dynamics.
IEEE Systems Journal 06/2013; 7(2):262-274. · 1.75 Impact Factor
ABSTRACT: Authorship can be verified using stylometric techniques through the analysis of the linguistic style and writing characteristics of authors. Stylometry is a behavioral feature that a person exhibits during writing, and it can be extracted and potentially used to check the identity of the author of online documents. Although stylometric techniques can achieve high accuracy rates for long documents, it is still challenging to identify an author for short documents, in particular when dealing with large author populations. These hurdles must be addressed for stylometry to be usable in checking the authorship of online messages such as emails, text messages, or Twitter feeds. In this paper, we take some steps toward achieving that goal by proposing a supervised learning technique combined with n-gram analysis for authorship verification in short texts. Experimental evaluation based on the Enron email dataset involving 87 authors yields very promising results consisting of an Equal Error Rate (EER) of 14.35% for message blocks of 500 characters.
Computer, Information and Telecommunication Systems (CITS), 2013 International Conference on; 01/2013
ABSTRACT: Mobile Ad Hoc Networks (MANETs) offer a dynamic environment where data exchange and routing between nodes occur without the help of any centralized server or human intervention, provided that nodes cooperate with each other. In such an environment, the presence of malevolent nodes may result in wormhole attacks. In this paper, a secured AODV-based routing scheme (referred to as Timed and Secured Monitoring Implementation, TSMI) is proposed for mitigating such attacks. Simulation results are provided to demonstrate the effectiveness of our approach, using the packet delivery ratio, the number of broken links detected, and the number of packets received by the destination as performance indicators.
Computer, Information and Telecommunication Systems (CITS), 2013 International Conference on; 01/2013
ABSTRACT: A Mobile ad hoc network (MANET) is a collection of mobile nodes that rely on cooperation amongst devices that route packets to each other. From a security design perspective, MANETs have no clear line of defense. This lack of security leaves the network accessible to both legitimate network users and malicious attackers. A blackhole attack is a severe attack that can be employed against data routing in MANETs. A blackhole is a malicious node that falsely replies to any route request without having an active route to the specified destination and drops all the data packets it receives. The attack may lead to even more devastating damage if two or more blackhole nodes cooperate with each other to launch an attack. This type of attack is known as a collaborative blackhole attack. In this paper, a novel scheme for Detecting Collaborative Blackhole Attacks (so-called DCBA) in MANETs is introduced. Simulation results are provided, demonstrating the superiority of DCBA compared to Dynamic Source Routing (DSR) and the Bait DSR scheme (so-called BDSR), a recently proposed scheme for detecting and avoiding collaborative blackhole attacks in MANETs, in terms of network throughput rate and minimum packet loss percentage when collaborative blackhole nodes are present in the network.
Proceedings of the 5th international conference on Foundations and Practice of Security; 10/2012
ABSTRACT: With the increase in the number of digital crimes and in their sophistication, High Performance Computing (HPC) is becoming a must in Digital Forensics (DF). According to the FBI annual report, the size of data processed during the 2010 fiscal year reached 3,086 TB (compared to 2,334 TB in 2009), and the number of agencies that requested Regional Computer Forensics Laboratory assistance increased from 689 in 2009 to 722 in 2010. Since most investigation tools are both I/O and CPU bound, next-generation DF tools are required to be distributed and to offer HPC capabilities. The need for HPC is even more evident when investigating crimes on clouds, or when proactive DF analysis and on-site investigation, which require semi-real-time processing, are performed. Although overcoming the performance challenge is a major goal in DF, as far as we know there is almost no research on HPC-DF except for a few papers. As such, in this work we extend our work on the need for a proactive system and present a high performance automated proactive digital forensic system. The most expensive phase of the system, namely proactive analysis and detection, uses a parallel extension of the iterative z algorithm. It also implements new parallel information-based outlier detection algorithms to proactively and forensically handle suspicious activities. To analyse a large number of targets and events, and to do so continuously (to capture the dynamics of the system), we rely on a multi-resolution approach to explore the digital forensic space. The data set from the Honeynet Forensic Challenge in 2001 is used to evaluate the system from the DF and HPC perspectives.
Journal of Physics Conference Series 10/2012; 385(1):2003-.
ABSTRACT: Continuous authentication (CA) consists of authenticating the user repetitively throughout a session with the goal of detecting and protecting against session hijacking attacks. While the accuracy of the detector is central to the success of CA, the detection delay, or length of an individual authentication period, is important as well, since it is a measure of the window of vulnerability of the system. However, high accuracy and small detection delay are conflicting requirements that need to be balanced for optimum detection. In this paper, we propose the use of a sequential sampling technique to achieve optimum detection by trading off adequately between detection delay and accuracy in the CA process. We illustrate our approach through CA based on user command line sequences and a naïve Bayes classification scheme. Experimental evaluation using the Greenberg data set yields encouraging results consisting of a false acceptance rate (FAR) of 11.78% and a false rejection rate (FRR) of 1.33%, with an average command sequence length (i.e., detection delay) of 37 commands. When using the Schonlau (SEA) data set, we obtain FAR = 4.28% and FRR = 12%.
IEEE transactions on systems, man, and cybernetics. Part B, Cybernetics: a publication of the IEEE Systems, Man, and Cybernetics Society 04/2012; 42(5):1343-56. · 3.01 Impact Factor
ABSTRACT: Existing risk-based authentication systems rely on basic web communication information such as the source IP address, or the velocity of transactions performed by a specific account or originating from a certain IP address. Such information can easily be spoofed and, as such, calls into question the robustness and reliability of the proposed systems. In this paper, we propose a new online risk-based authentication system that provides more robust user identity information by combining mouse dynamics and keystroke dynamics biometrics in a multimodal framework. Experimental evaluation of our proposed model with 24 participants yields an Equal Error Rate of 8.21%, which is promising considering that we are dealing with free text and free mouse movements, and the fact that many web sessions tend to be very short.
Digital Home (ICDH), 2012 Fourth International Conference on; 01/2012
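Several of the abstracts on this page (the micro-message, stylometry and multimodal risk-based authentication papers) report their accuracy as an Equal Error Rate, and the mouse-gesture and command-line papers report the FAR/FRR pair behind it. The block below is an added example, not code or data from any of those papers: given constructed genuine and impostor match scores (higher meaning "more like the claimed user"), it sweeps the acceptance threshold, computes FAR and FRR at each candidate threshold and locates the EER by linear interpolation between the two thresholds where FAR and FRR cross. The score lists are constructed for the example.

```python
"""Equal Error Rate (EER) from genuine and impostor match scores.

Added example for the EER figures quoted in the abstracts above; the
scores below are constructed and do not come from any of those papers.
"""

# Constructed per-attempt scores: higher = more like the claimed user.
GENUINE = [0.92, 0.85, 0.80, 0.77, 0.71, 0.66, 0.60, 0.55, 0.40, 0.35]
IMPOSTOR = [0.70, 0.62, 0.58, 0.50, 0.45, 0.42, 0.38, 0.30, 0.25, 0.10]


def far_frr(genuine, impostor, threshold):
    """(FAR, FRR) when a sample is accepted iff score >= threshold.

    FAR: fraction of impostor attempts accepted.
    FRR: fraction of genuine attempts rejected.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def error_curve(genuine, impostor):
    """(threshold, FAR, FRR) at every distinct observed score, ascending."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Return (eer, threshold).

    As the threshold rises FAR falls and FRR rises, so FAR - FRR changes
    sign exactly once; the EER is read off by linear interpolation between
    the last threshold with FAR > FRR and the first with FAR <= FRR.
    """
    prev = None
    for t, far, frr in error_curve(genuine, impostor):
        if far <= frr:
            if prev is None:          # FAR never exceeded FRR
                return (far + frr) / 2, t
            t0, far0, frr0 = prev
            d0 = far0 - frr0          # > 0 on the previous point
            d1 = far - frr            # <= 0 on this point
            w = d0 / (d0 - d1)        # position of the crossing in [0, 1]
            return far0 + w * (far - far0), t0 + w * (t - t0)
        prev = (t, far, frr)
    # FAR stayed above FRR for every threshold: report the last point.
    t, far, frr = prev
    return (far + frr) / 2, t


if __name__ == "__main__":
    for t, far, frr in error_curve(GENUINE, IMPOSTOR):
        print(f"thr={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    eer, thr = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER={eer:.3f} at threshold {thr:.3f}")
```

A practitioner's caveat when reading EER figures across papers: the number depends on what counts as one "attempt" (a 500-character block, a 37-command window, a 26.9 s session), so two EERs are only comparable when the sample size and therefore the detection delay are comparable too.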
ABSTRACT: In Emergency MANETs (eMANETs), the broadcast nature of the wireless medium, the lack of a pre-established trust relationship among nodes, and the frequent topology changes cause some serious security challenges, making the network vulnerable to malicious attacks such as wormhole attacks. This paper investigates a recently proposed Advanced Encryption Standard (AES)-based routing algorithm (so-called AODV-Wormhole Attack Detection Reaction, here referred to as AODV-WADR-AES) for securing AODV-based eMANETs against wormhole attacks. The proposal consists of substituting the Triple Data Encryption Standard (TDES) for the AES part of the scheme, yielding the AODV-WADR-TDES routing algorithm, with the goal of studying the performance of the algorithm when mobile devices that are incompatible with AES are part of the eMANET nodes. In doing so, markers in the form of hash codes are included in the data packets to help consolidate data integrity. Simulation results are presented to validate the proposed AODV-WADR-TDES scheme. It is also shown that the AODV-WADR-AES scheme outperforms the AODV-WADR-TDES scheme in terms of end-to-end delay, packet delivery ratio, and number of packets traversing the wormhole link.
ABSTRACT: Recent papers have urged the need for new forensic techniques and tools able to investigate anti-forensics methods, and have promoted the automation of live investigation. Such techniques and tools are called proactive forensic approaches, i.e., approaches that can digitally investigate an incident while it occurs. To come up with such an approach, a Systematic Literature Review (SLR) was undertaken to identify and map the digital forensics investigation processes that exist in the literature. According to the review, there is only one process that explicitly supports proactive forensics, the multicomponent process. However, this is a very high-level process and cannot be used to introduce automation and to build a proactive forensics system. As a result of our SLR, a derived functional process that can support the implementation of a proactive forensics system is proposed.
Information Security and Assurance - International Conference, ISA 2011, Brno, Czech Republic, August 15-17, 2011. Proceedings; 01/2011
ABSTRACT: Data aggregation has emerged as a basic approach in wireless sensor networks (WSNs) in order to reduce the number of transmissions of sensor nodes. This paper proposes an energy-efficient multi-source temporal data aggregation model called MSTDA ...
Wireless Personal Communications 01/2011; 56(3):353-357. · 0.43 Impact Factor
ABSTRACT: In this paper we propose a new approach to managing alert flooding in IDSs. The proposed approach uses semantic analysis and ontology engineering techniques to combine and fuse two or more raw IDS alerts into one summarized hybrid/meta-alert. Our approach applies a new method based on measuring the semantic similarity between IDS alert attributes to identify the alerts that are suitable for aggregation and summarization. In contrast to previous work, our approach ensures that the aggregated alerts do not lose any valuable information present in the raw alert set. The experimental results show that our approach is effective and efficient in fusing a massive number of alerts compared to previous work in the area.
7th International Conference on Information Assurance and Security, IAS 2011, Melacca, Malaysia, December 5-8, 2011; 01/2011
ABSTRACT: Continuous Authentication (CA) departs from the traditional static authentication scheme by requiring the authentication process to occur multiple times throughout the entire logon session. One of the main objectives of the CA process is to detect session hijacking. An important requirement in designing or operating a CA system is the need to achieve the quickest detection while maintaining the rates of missed and false detections at predetermined levels. We introduce in this paper a new approach for detection based on sequential sampling theory that allows an appropriate balance between detection promptness and accuracy in CA systems. We study and illustrate the proposed approach using an existing mouse dynamics biometrics recognition model and corresponding sample experimental data.
Twenty-Seventh Annual Computer Security Applications Conference, ACSAC 2011, Orlando, FL, USA, 5-9 December 2011; 01/2011
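Both this abstract and the command-line CA paper above (the one evaluated on the Greenberg and Schonlau data sets) use sequential sampling to trade detection delay against the target error rates. The block below is an added example of that idea and not code, models or data from either paper: it implements Wald's sequential probability ratio test over a stream of shell commands, where each command contributes the log-likelihood ratio of a smoothed per-user model against a population model (a naïve Bayes view of the command stream), and the session is rejected or re-confirmed as soon as the accumulated ratio crosses the bounds derived from the chosen FAR and FRR. The command histories, the two test sessions and the add-one smoothing are assumptions made for the example; the mouse-dynamics paper would feed per-action scores into the same test instead.

```python
"""Wald's SPRT as a continuous-authentication detector over command streams.

Added example (not the papers' own code). Hypotheses:
  H0 = the legitimate user is typing, H1 = an impostor is.
Each event x adds log P(x|H1) - log P(x|H0) to a running sum; the sum is
compared with Wald's bounds, which are set directly from the target
FAR/FRR. The number of events consumed before a decision is the
detection delay, i.e. the window of vulnerability.
All training histories and sessions below are constructed.
"""
from collections import Counter
from math import log

# Constructed training data: the user's own history and a pooled history of
# other accounts standing in for "impostor" behaviour.
LEGIT_HISTORY = "ls cd git vim make ls git status vim make ls cd ls git push vim ls make cd".split()
OTHERS_HISTORY = "wget chmod nc bash cat curl ls ps rm scp cd cat wget nc ls python rm".split()
VOCAB = set(LEGIT_HISTORY) | set(OTHERS_HISTORY)

# Constructed test sessions: one that looks like the user, one that does not.
LEGIT_SESSION = ["ls", "git", "vim", "make", "ls", "cd"]
INTRUDER_SESSION = ["ls", "wget", "chmod", "nc", "bash", "rm"]


class SmoothedModel:
    """Categorical distribution with add-one smoothing over a shared vocabulary."""

    def __init__(self, history, vocab):
        self.counts = Counter(history)
        self.total = len(history)
        self.vocab_size = len(vocab)

    def logp(self, x):
        # Unseen commands get the pseudo-count of one rather than probability 0.
        return log((self.counts.get(x, 0) + 1) / (self.total + self.vocab_size))


LEGIT_MODEL = SmoothedModel(LEGIT_HISTORY, VOCAB)
IMPOSTOR_MODEL = SmoothedModel(OTHERS_HISTORY, VOCAB)


def sprt_thresholds(far, frr):
    """Wald's bounds on the log-likelihood ratio log P(data|H1)/P(data|H0).

    far = P(accept impostor) = P(choose H0 | H1), frr = P(reject user) = P(choose H1 | H0).
    """
    upper = log((1 - far) / frr)   # crossing upward -> decide impostor
    lower = log(far / (1 - frr))   # crossing downward -> decide legitimate
    return lower, upper


def sprt_decide(events, legit=LEGIT_MODEL, impostor=IMPOSTOR_MODEL, far=0.05, frr=0.05):
    """Return (decision, events_consumed, final_llr).

    decision is 'impostor', 'legitimate', or 'undecided' when the stream ends
    before either bound is crossed (the CA window would simply keep growing).
    """
    lower, upper = sprt_thresholds(far, frr)
    llr = 0.0
    for i, x in enumerate(events, 1):
        llr += impostor.logp(x) - legit.logp(x)
        if llr >= upper:
            return "impostor", i, llr
        if llr <= lower:
            return "legitimate", i, llr
    return "undecided", len(events), llr


if __name__ == "__main__":
    for name, session in (("user", LEGIT_SESSION), ("intruder", INTRUDER_SESSION)):
        for rate in (0.05, 0.01):
            decision, n, llr = sprt_decide(session, far=rate, frr=rate)
            print(f"{name:8s} FAR=FRR={rate:.2f}: {decision:10s} after {n} events (llr={llr:+.2f})")
```

Running it shows the trade-off the abstracts describe: at FAR = FRR = 5% the intruder session is rejected after five commands, while tightening both rates to 1% widens the bounds so that the same six commands are not enough to decide, i.e. a lower error target is paid for with a longer detection delay.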