ABSTRACT: Authorship verification consists of checking whether or not a target document was written by a specific individual. In this paper, we study the problem of authorship verification for Continuous Authentication (CA) purposes. Different from traditional authorship verification, which focuses on long texts, we tackle the use of micro-messages. A shorter authentication delay (i.e. a smaller data sample) is essential to reduce the window size of the re-authentication period in CA. We explored lexical, syntactic, and application-specific features. We investigated two different classification schemes: on one hand Logistic Regression (LR), and on the other hand a hybrid classifier combining Support Vector Machine (SVM) and LR. Experimental evaluation based on the Enron email dataset involving 76 authors and a Twitter dataset involving 100 authors yields very promising results consisting of Equal Error Rates (EER) of 9.18% and 11.83%, respectively.
Twelfth Annual International Conference on Privacy, Security and Trust (PST 2014), Toronto, Canada; 07/2014
ABSTRACT: Most of the methods that generate decision trees for a specific problem use the examples of data instances in the decision tree–generation process. This article proposes a method called RBDT-1 (rule-based decision tree) for learning a decision tree from a set of decision rules that cover the data instances rather than from the data instances themselves. The goal is to create on demand a short and accurate decision tree from a stable or dynamically changing set of rules. The rules could be generated by an expert, by an inductive rule learning program that induces decision rules from the examples of decision instances, such as AQ-type rule induction programs, or extracted from a tree generated by another method, such as ID3 or C4.5. In terms of tree complexity (number of nodes and leaves in the decision tree), RBDT-1 compares favorably with AQDT-1 and AQDT-2, which are methods that create decision trees from rules. RBDT-1 also compares favorably with ID3 and is as effective as C4.5, where both ID3 and C4.5 are well-known methods that generate decision trees from data examples. Experiments show that the classification accuracies of the decision trees produced by all methods under comparison are indistinguishable.
ABSTRACT: Because of the financial and other gains attached to the growing malware industry, there is a need to automate the process of malware analysis and provide real-time malware detection. To hide malware, obfuscation techniques are used. One such technique is metamorphic encoding, which mutates the dynamic binary code and changes the opcodes with every run to avoid detection. This makes malware difficult to detect in real time and generally requires a behavioral signature for detection. In this paper we present a new framework called MARD for Metamorphic Malware Analysis and Real-Time Detection, to protect the end points, which are often the last line of defense against metamorphic malware. MARD provides: (1) automation, (2) platform independence, (3) optimizations for real-time performance, and (4) modularity. We also present a comparison of MARD with other such recent efforts. Experimental evaluation of MARD achieves a detection rate of 99.6% and a false positive rate of 4%.
28th IEEE International Conference on Advanced Information Networking and Applications, Research Track - Security and Privacy; 05/2014
ABSTRACT: The dynamic nature of Web 2.0 and the heavy obfuscation of web-based attacks complicate the job of traditional protection systems such as firewalls, anti-virus solutions, and IDS systems. It has been witnessed that, using ready-made toolkits, cyber-criminals can launch sophisticated attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF) and botnets, to name a few. In recent years, cyber-criminals have targeted legitimate websites and social networks to inject malicious scripts that compromise the security of the visitors of such websites. This involves performing actions using the victim's browser without his/her permission. This poses the need to develop effective mechanisms for protecting against Web 2.0 attacks that mainly target the end-user. In this paper, we address the above challenges from an information flow control perspective by developing a framework that restricts the flow of information on the client side to legitimate channels. The proposed model tracks sensitive information flow and prevents information leakage from happening. The proposed model, when applied to the context of client-side web-based attacks, is expected to provide a more secure browsing environment for the end-user.
2014 28th International Conference on Advanced Information Networking and Applications Workshops (WAINA); 05/2014
ABSTRACT: Continuous Authentication (CA) consists of monitoring and checking user behavior repeatedly and unobtrusively during a computing session in order to discriminate between legitimate and impostor behaviors. Stylometry analysis, which consists of checking whether or not a target document was written by a specific individual, could potentially be used for CA. In this work, we adapt existing stylometric features and develop a new authorship verification model applicable to continuous authentication. We use existing lexical, syntactic, and application-specific features, and propose new features based on n-gram analysis. We start initially with a large feature set, and identify a reduced number of user-specific features by computing the information gain. In addition, our approach includes a strategy to circumvent issues regarding unbalanced datasets, which is an inherent problem in stylometry analysis. We use Support Vector Machine (SVM) for classification. Experimental evaluation based on the Enron email dataset involving 76 authors yields very promising results consisting of an Equal Error Rate (EER) of 12.42% for message blocks of 500 characters.
2014 IEEE 28th International Conference on Advanced Information Networking and Applications (AINA), Victoria, BC, Canada; 05/2014
ABSTRACT: This paper continues the investigation of our recently proposed protocol (called E2-SCAN) designed for protecting against network layer attacks in mobile ad hoc networks. The enhancements of the E2-SCAN protocol are twofold: (1) a modified credit strategy for token renewal is introduced, and (2) a novel strategy for selecting the routing path is introduced, resulting in our so-called Conditional SCAN (C-SCAN). Simulation experiments are conducted, establishing the superiority of C-SCAN over E2-SCAN in terms of energy efficiency, where the energy efficiency of a node is defined as the ratio of the amount of energy consumed by the node to the total energy consumed by the network.
2014 28th International Conference on Advanced Information Networking and Applications Workshops (WAINA); 05/2014
ABSTRACT: Dynamic binary obfuscation, or metamorphism, is a technique whereby a malware never keeps the same sequence of opcodes in memory. Such malware are very difficult to analyse and detect manually, even with the help of tools. We need to automate the analysis and detection process for such malware. This paper introduces and presents a new language named MAIL (Malware Analysis Intermediate Language) to automate and optimize this process. MAIL also provides portability for building malware analysis and detection tools. Each MAIL statement is assigned a pattern that can be used to annotate a control flow graph for pattern matching to analyse and detect metamorphic malware. Experimental evaluation of the proposed approach using an existing dataset yields a malware detection rate of 93.92% and a false positive rate of 3.02%.
ACM Sixth International Conference on Security of Information and Networks, Aksaray, Turkey; 11/2013
ABSTRACT: Botnets represent one of the most serious cybersecurity threats faced by organizations today. Botnets have been used as the main vector in carrying out many of the cyber crimes reported in the recent news. While a significant amount of research has been accomplished on botnet analysis and detection, several challenges remain unaddressed, such as the ability to design detectors that can cope with new forms of botnets. In this paper, we propose a new approach to detect botnet activity based on traffic behavior analysis, by classifying network traffic behavior using machine learning. Traffic behavior analysis methods do not depend on the packet payload, which means that they can work with encrypted network communication protocols. Network traffic information can usually be retrieved easily from various network devices without significantly affecting network performance or service availability. We study the feasibility of detecting botnet activity without having seen a complete network flow, by classifying behavior based on time intervals. Using existing datasets, we show experimentally that it is possible to identify the presence of existing and unknown botnet activity with high accuracy, even with very small time windows.
ABSTRACT: In digital home networks, it is expected that independent smart devices communicate and cooperate with each other, without knowledge of the underlying communication technology, on the basis of a distributed operating system paradigm. In such a context, securing the access rights to objects such as data, apparatus, and contents is still a challenge. This paper introduces a risk-based authentication technique based on behavioral biometrics as a solution approach to tackle this challenge. Risk-based authentication is an increasingly popular component in the security architecture deployed by many organizations to mitigate online identity fraud. Risk-based authentication uses contextual and historical information extracted from online communications to build a risk profile for the user that can be used accordingly to make authentication and authorization decisions. Existing risk-based authentication systems rely on basic web communication information such as the source IP address or the velocity of transactions performed by a specific account, or originating from a certain IP address. Such information can easily be spoofed, and as such puts in question the robustness and reliability of the proposed systems. In this paper, we propose a new online risk-based authentication system that provides more robust user identity information by combining mouse dynamics and keystroke dynamics biometrics in a multimodal framework. We propose a Bayesian network model for analyzing free keystrokes and free mouse movements involved in web sessions. Experimental evaluation of our proposed model with 24 participants yields an Equal Error Rate of 8.21%. This is very encouraging considering that we are dealing with free text and free mouse movements, and the fact that many web sessions tend to be very short.
Multimedia Tools and Applications 07/2013
ABSTRACT: Intrusion analysis is a resource-intensive, complex and expensive process for any organization. The reconstruction of the attack scenario is an important aspect of such an endeavor. In this paper we tackle several challenges overlooked by existing attack scenario reconstruction techniques that undermine their performance. These include the ability to identify and extract novel attack patterns and the correlation of heterogeneous multi-sensor alerts. We propose a novel attack scenario reconstruction approach that analyzes both implicit and explicit relationships between intrusion alerts using semantic analysis and a new intrusion ontology. The proposed approach can reconstruct known and unknown attack scenarios and correlate alerts generated in a multi-sensor IDS environment. Moreover, our approach can handle for the first time both novel attacks and false negative alerts generated by Intrusion Detection Systems (IDSs). Our experimental results show the potential of our approach and its advantages over previous approaches.
Journal of Information Security and Applications. 07/2013; 18(1):53–67.
ABSTRACT: The mouse dynamics biometric is a behavioral biometric technology that extracts and analyzes the movement characteristics of the mouse input device when a computer user interacts with a graphical user interface, for identification purposes. Most of the existing studies on mouse dynamics analysis have targeted primarily continuous authentication or user re-authentication, for which promising results have been achieved. Static authentication (at login time) using mouse dynamics, however, appears to face some challenges due to the limited amount of data that can reasonably be captured during such a process. In this paper, we present a new mouse dynamics analysis framework that uses mouse gesture dynamics for static authentication. The captured gestures are analyzed using a learning vector quantization neural network classifier. We conduct an experimental evaluation of our framework with 39 users, in which we achieve a false acceptance ratio of 5.26% and a false rejection ratio of 4.59% when four gestures are combined, with a test session length of 26.9 s. This is an improvement in both accuracy and validation sample size compared to the existing mouse dynamics approaches that could be considered adequate for static authentication. Furthermore, to our knowledge, our work is the first to present a relatively accurate static authentication scheme based on mouse gesture dynamics.
IEEE Systems Journal 06/2013; 7(2):262-274.
ABSTRACT: Authorship verification can be performed using stylometric techniques through the analysis of the linguistic styles and writing characteristics of authors. Stylometry is a behavioral feature that a person exhibits during writing, and it can be extracted and potentially used to check the identity of the author of online documents. Although stylometric techniques can achieve high accuracy rates for long documents, it is still challenging to identify an author for short documents, in particular when dealing with large author populations. These hurdles must be addressed for stylometry to be usable in checking the authorship of online messages such as emails, text messages, or Twitter feeds. In this paper, we take some steps toward achieving that goal by proposing a supervised learning technique combined with n-gram analysis for authorship verification in short texts. Experimental evaluation based on the Enron email dataset involving 87 authors yields very promising results consisting of an Equal Error Rate (EER) of 14.35% for message blocks of 500 characters.
Computer, Information and Telecommunication Systems (CITS), 2013 International Conference on; 01/2013
ABSTRACT: Mobile Ad Hoc Networks (MANETs) offer a dynamic environment where data exchange and routing between nodes occur without the help of any centralized server or human intervention, provided that nodes cooperate with each other. In such an environment, the presence of malevolent nodes may result in wormhole attacks. In this paper, a secured AODV-based routing scheme, referred to as Timed and Secured Monitoring Implementation (TSMI), is proposed for mitigating such attacks. Simulation results are provided to demonstrate the effectiveness of our approach, using the packet delivery ratio, the number of broken links detected, and the number of packets received by the destination as performance indicators.
Computer, Information and Telecommunication Systems (CITS), 2013 International Conference on; 01/2013
ABSTRACT: A Mobile ad hoc network (MANET) is a collection of mobile nodes that rely on cooperation amongst devices that route packets to each other. From a security design perspective, MANETs have no clear line of defense. This lack of security leaves the network accessible to both legitimate network users and malicious attackers. A blackhole attack is a severe attack that can be employed against data routing in MANETs. A blackhole is a malicious node that falsely replies to any route request without having an active route to the specified destination, and then drops all the data packets it receives. The attack may lead to even more devastating damage if two or more blackhole nodes cooperate with each other to launch an attack. This type of attack is known as a collaborative blackhole attack. In this paper, a novel scheme for Detecting Collaborative Blackhole Attacks (so-called DCBA) in MANETs is introduced. Simulation results are provided, demonstrating the superiority of DCBA compared to Dynamic Source Routing (DSR) and the Bait DSR scheme (so-called BDSR), a recently proposed scheme for detecting and avoiding collaborative blackhole attacks in MANETs, in terms of network throughput rate and minimum packet loss percentage when collaborative blackhole nodes are present in the network.
Proceedings of the 5th international conference on Foundations and Practice of Security; 10/2012
ABSTRACT: With the increase in the number of digital crimes and in their sophistication, High Performance Computing (HPC) is becoming a must in Digital Forensics (DF). According to the FBI annual report, the size of data processed during the 2010 fiscal year reached 3,086 TB (compared to 2,334 TB in 2009), and the number of agencies that requested Regional Computer Forensics Laboratory assistance increased from 689 in 2009 to 722 in 2010. Since most investigation tools are both I/O and CPU bound, the next-generation DF tools are required to be distributed and to offer HPC capabilities. The need for HPC is even more evident when investigating crimes on clouds, or when proactive DF analysis and on-site investigation, which require semi-real-time processing, are performed. Although overcoming the performance challenge is a major goal in DF, as far as we know there is almost no research on HPC-DF except for a few papers. As such, in this work we extend our work on the need for a proactive system and present a high performance automated proactive digital forensic system. The most expensive phase of the system, namely proactive analysis and detection, uses a parallel extension of the iterative z algorithm. It also implements new parallel information-based outlier detection algorithms to proactively and forensically handle suspicious activities. To analyse a large number of targets and events, and to do so continuously (to capture the dynamics of the system), we rely on a multi-resolution approach to explore the digital forensic space. The data set from the Honeynet Forensic Challenge in 2001 is used to evaluate the system from DF and HPC perspectives.
Journal of Physics Conference Series 10/2012; 385(1):2003-.
ABSTRACT: Continuous authentication (CA) consists of authenticating the user repeatedly throughout a session, with the goal of detecting and protecting against session hijacking attacks. While the accuracy of the detector is central to the success of CA, the detection delay, or length of an individual authentication period, is important as well, since it is a measure of the window of vulnerability of the system. However, high accuracy and small detection delay are conflicting requirements that need to be balanced for optimum detection. In this paper, we propose the use of a sequential sampling technique to achieve optimum detection by trading off adequately between detection delay and accuracy in the CA process. We illustrate our approach through CA based on user command line sequences and a naïve Bayes classification scheme. Experimental evaluation using the Greenberg data set yields encouraging results consisting of a false acceptance rate (FAR) of 11.78% and a false rejection rate (FRR) of 1.33%, with an average command sequence length (i.e., detection delay) of 37 commands. When using the Schonlau (SEA) data set, we obtain FAR = 4.28% and FRR = 12%.
IEEE transactions on systems, man, and cybernetics. Part B, Cybernetics: a publication of the IEEE Systems, Man, and Cybernetics Society 04/2012; 42(5):1343-56.
ABSTRACT: Existing risk-based authentication systems rely on basic web communication information such as the source IP address or the velocity of transactions performed by a specific account, or originating from a certain IP address. Such information can easily be spoofed, and as such puts in question the robustness and reliability of the proposed systems. In this paper, we propose a new online risk-based authentication system that provides more robust user identity information by combining mouse dynamics and keystroke dynamics biometrics in a multimodal framework. Experimental evaluation of our proposed model with 24 participants yields an Equal Error Rate of 8.21%, which is promising considering that we are dealing with free text and free mouse movements, and the fact that many web sessions tend to be very short.
Digital Home (ICDH), 2012 Fourth International Conference on; 01/2012
ABSTRACT: In Emergency MANETs (eMANETs), the broadcasting nature of the wireless medium, the lack of pre-established trust relationships among nodes, and the frequent topology changes cause some serious security challenges, making the network vulnerable to malicious attacks such as wormhole attacks. This paper investigates a recently proposed Advanced Encryption Standard (AES)-based routing algorithm (so-called AODV-Wormhole Attack Detection Reaction, here referred to as AODV-WADR-AES) for securing AODV-based eMANETs against wormhole attacks. The proposal consists of substituting the AES part of the scheme with the Triple Data Encryption Standard (TDES), yielding the AODV-WADR-TDES routing algorithm, with the goal of studying the performance of the algorithm where mobile devices that are incompatible with AES are part of the eMANET nodes. In doing so, markers in the form of hash codes are included in the data packets to help consolidate data integrity. Simulation results are presented to validate the proposed AODV-WADR-TDES scheme. It is also shown that the AODV-WADR-AES scheme outperforms the AODV-WADR-TDES scheme in terms of end-to-end delay, packet delivery ratio, and number of packets traversing the wormhole link.
ABSTRACT: In this research, we propose a novel biometric system for static user authentication that homogeneously combines mouse dynamics, visual search capability and the short-term memory effect. The proposed system introduces visual search capability and the short-term memory effect to the biometric-based security world for the first time. The use of a computer mouse for its dynamics, and as an input sensor for the other two biometrics, means that no additional hardware is required beyond the standard mouse. Experimental evaluation showed the system's effectiveness using variable or one-time passwords. All of these attributes qualify the proposed system to be effectively deployed as a static authentication mechanism. Extensive experimentation was done using 2740 sessions collected from 274 users. To measure the performance, a computational statistics model was specially designed and used; a statistical classifier based on Weighted-Sum produced an Equal Error Rate (EER) of 2.11%.