[Show abstract][Hide abstract] ABSTRACT: Metamorphism is a technique that mutates the binary code using different obfuscations and never keeps the same sequence of
opcodes in the memory. This stealth technique provides the capability to a malware for evading detection by simple signature-based
(such as instruction sequences, byte sequences and string signatures) anti-malware programs. In this paper, we present a new
scheme named Annotated Control Flow Graph (ACFG) to efficiently detect such kinds of malware. ACFG is built by annotating
CFG of a binary program and is used for graph and pattern matching to analyse and detect metamorphic malware. We also optimize
the runtime of malware detection through parallelization and ACFG reduction, maintaining the same accuracy (without ACFG reduction)
for malware detection. ACFG proposed in this paper: (i) captures the control flow semantics of a program; (ii) provides a
faster matching of ACFGs and can handle malware with smaller CFGs, compared with other such techniques, without compromising
the accuracy; (iii) contains more information and hence provides more accuracy than a CFG. Experimental evaluation of the
proposed scheme using an existing dataset yields malware detection rate of 98.9% and false positive rate of 4.5%.
Full-text · Article · Oct 2015 · The Computer Journal
[Show abstract][Hide abstract] ABSTRACT: Intrusion detection systems (IDSs) produce a massive number of intrusion alerts. A huge number of these alerts are false positives. Investigating false positive alerts is an expensive and time consuming process, and as such represents a significant problem for intrusion analysts. This shows the needs for automated approaches to eliminate false positive alerts. In this paper, we propose a novel alert verification and false positives reduction approach. The proposed approach uses context-aware and semantic similarity to filter IDS alerts and eliminate false positives. Evaluation of the approach with an IDS dataset that contains massive number of IDS alerts yields strong performance in detecting false positive alerts.
[Show abstract][Hide abstract] ABSTRACT: Metamorphism is a technique that mutates the binary code using different obfuscations. It is difficult to write a new metamorphic malware and in general malware writers reuse old malware. To hide detection the malware writers change the obfuscations (syntax) more than the behavior (semantic) of such a new malware. On this assumption and motivation, this paper presents a new framework named MARD for Metamorphic Malware Analysis and Real-Time Detection. As part of the new framework, to build a behavioral signature and detect metamorphic malware in real-time, we propose two novel techniques, named ACFG (Annotated Control Flow Graph) and SWOD-CFWeight (Sliding Window of Difference and Control Flow Weight). Unlike other techniques, ACFG provides a faster matching of CFGs, without compromising detection accuracy; it can handle malware with smaller CFGs, and contains more information and hence provides more accuracy than a CFG. SWODCFWeight mitigates and addresses key issues in current techniques, related to the change of
the frequencies of opcodes, such as the use of different compilers, compiler optimizations, operating systems and obfuscations. The size of SWOD can change, which gives antimalware tool developers the ability to select appropriate parameter values to further optimize malware detection. CFWeight captures the control flow semantics of a program to an extent that helps detect metamorphic malware in real-time. Experimental evaluation of the two proposed techniques, using an existing dataset, achieved detection rates in the range 94%e99.6%. Compared to ACFG, SWOD-CFWeight significantly improves the detection time, and is suitable to be used where the time for malware detection is more important as in real-time (practical) anti-malware applications.
Full-text · Article · Feb 2015 · Computers & Security
[Show abstract][Hide abstract] ABSTRACT: Authorship verification using stylometry consists of identifying a user based on his writing style. In this paper, authorship verification is applied for continuous authentication using unstructured online text-based entry. An online document is decomposed into consecutive blocks of short texts over which (continuous) authentication decisions happen, discriminating between legitimate and impostor behaviors. We investigate blocks of texts with 140, 280 and 500 characters. The feature set includes traditional features such as lexical, syntactic, application specific features, and new features extracted from n -gram analysis. Furthermore, the proposed approach includes a strategy to circumvent issues related to unbalanced dataset, and uses Information Gain and Mutual Information as a feature selection strategy and Support Vector Machine (SVM) for classification. Experimental evaluation of the proposed approach based on the Enron email and Twitter corpuses yields very promising results consisting of an Equal Error Rate (EER) varying from 9.98% to 21.45%, for different block sizes.
No preview · Article · Dec 2014 · Journal of Computer and System Sciences
[Show abstract][Hide abstract] ABSTRACT: Stylometry consists of the analysis of linguistic styles and writing characteristics of the authors for identification, characterization, or verification purposes. In this paper, we investigate authorship verification for the purpose of user authentication process. In this setting, authentication consists of comparing sample writing of an individual against the model or profile associated with the identity claimed by that individual at login time (i.e. 1-to-1 identity matching). In addition, the authentication process must be done in a short period of time, which means analyzing short messages. Although a significant amount of literature has been produced showing high accuracy rates for long documents, it is still challenging to identify accurately authors of short unstructured documents, in particular when dealing with large authors populations. In this paper, we pose some steps toward achieving that goal by proposing a supervised learning technique combined with n-grams analysis for authorship verification for short texts. We introduce a new n-gram metric and study several sizes of n-grams using a relatively large dataset. The experimental evaluation shows increased effectiveness of our approach compared to the existing approaches published in the literature.
No preview · Article · Dec 2014 · Journal of Networks
[Show abstract][Hide abstract] ABSTRACT: Current embedded system, such as cell phones and smart-cards, in corporate security devices or cryptographic processor. These cryptographic devices often store private keys or other sensitive data, so compromise of this data or the underlying hardware may lead to loss of privacy, forged access, or monetary theft. Even if the attackers fail to gain the secret information that is stored in a hardware, they may be able to disrupt the hardware or deny service leading to other kinds of security failures in the system. Therefore hardware attacks targets this security devices. Hardware attacks could be covert or overt based on awareness of the targeted system. This paper reviews proposed Accessibility/Resources/Time (ART) schema that quantifies hardware attacks. We focus in this paper on presenting covert attacks and quantify the attack using the ART schema.
[Show abstract][Hide abstract] ABSTRACT: With the advent of Internet of Things, we are facing another wave of malware attacks, that encompass intelligent embedded devices. Because of the limited energy resources, running a complete malware detector on these devices is quite challenging. There is a need to devise new techniques to detect malware on these devices. Malware detection is one of the services that can be provided as an in-cloud service. This paper reviews current such systems, discusses there pros and cons, and recommends an improved in-cloud malware analysis and detection system. We introduce a new three layered hybrid system with a lightweight antimalware engine. These features can provide faster malware detection response time, shield the client from malware and reduce the bandwidth between the client and the cloud, compared to other such systems. The paper serves as a motivation for improving the current and developing new techniques for in-cloud malware analysis and detection system.
[Show abstract][Hide abstract] ABSTRACT: Dynamic binary obfuscation or metamorphism is a technique where a malware never keeps the same sequence of opcodes in the memory. This stealthy mutation technique helps a malware evade detection by today’s signature-based anti-malware programs. This paper analyzes the current trends, provides future directions and reasons about some of the basic characteristics of a system for providing real-time detection of metamorphic malware. Our emphasis is on the most recent advancements and the potentials available in metamorphic malware detection, so we only cover some of the major academic research efforts carried out, including and after, the year 2006. The paper not only serves as a collection of recent references and information for easy comparison and analysis, but also as a motivation for improving the current and developing new techniques for metamorphic malware detection.
[Show abstract][Hide abstract] ABSTRACT: Authorship verification consists of checking whether a target document was written or not by a specific individual. In this paper, we study the problem of authorship verification for Continuous Authentication (CA) purposes. Different from traditional authorship verification that focuses on long texts, we tackle the use of micro-messages. Shorter authentication delay (i.e. smaller data sample) is essential to reduce the window size of the re-authentication period in CA. We explored lexical, syntactic, and application specific features. We investigated two different classification schemes: on one hand Logistic Regression (LR) and on the other hand an hybrid classifier combining Support Vector Machine (SVM) and LR. Experimental evaluation based on the Enron email dataset involving 76 authors and Twitter dataset involving 100 authors yield very promising results consisting of Equal Error Rates (EER) of 9.18% and 11.83%, respectively.
[Show abstract][Hide abstract] ABSTRACT: Most of the methods that generate decision trees for a specific problem use the examples of data instances in the decision tree–generation process. This article proposes a method called RBDT-1—rule-based decision tree—for learning a decision tree from a set of decision rules that cover the data instances rather than from the data instances themselves. The goal is to create on demand a short and accurate decision tree from a stable or dynamically changing set of rules. The rules could be generated by an expert, by an inductive rule learning program that induces decision rules from the examples of decision instances such as AQ-type rule induction programs, or extracted from a tree generated by another method, such as the ID3 or C4.5. In terms of tree complexity (number of nodes and leaves in the decision tree), RBDT-1 compares favorably with AQDT-1 and AQDT-2, which are methods that create decision trees from rules. RBDT-1 also compares favorably with ID3 while it is as effective as C4.5 where both (ID3 and C4.5) are well-known methods that generate decision trees from data examples. Experiments show that the classification accuracies of the decision trees produced by all methods under comparison are indistinguishable.
[Show abstract][Hide abstract] ABSTRACT: This paper continues the investigation of our recently proposed protocol (called E2-SCAN) designed for protecting against network layer attacks in mobile ad hoc networks. The enhancements of the E2-SCAN protocol are twofold: (1) a modified credit strategy for tokens renewal is introduced, and (2) a novel strategy for selecting the routing path, resulting to our so-called Conditional SCAN (CSCAN). Simulation experiments are conducted, establishing the superiority of C-SCAN over E2-SCAN in terms of energy efficiency, where the energy efficiency of a node is defined as the ratio of the amount of energy consumed by the node to the total energy consumed by the network.
[Show abstract][Hide abstract] ABSTRACT: Continuous Authentication (CA) consists of mon-itoring and checking repeatedly and unobtrusively user behav-ior during a computing session in order to discriminate between legitimate and impostor behaviors. Stylometry analysis, which consists of checking whether a target document was written or not by a specific individual, could potentially be used for CA. In this work, we adapt existing stylometric features and develop a new authorship verification model applicable for continuous authentication. We use existing lexical, syntactic, and application specific features, and propose new features based on n-gram analysis. We start initially with a large features set, and identify a reduced number of user-specific features by computing the information gain. In addition, our approach includes a strategy to circumvent issues regarding unbalanced dataset which is an inherent problem in stylometry analysis. We use Support Vector Machine (SVM) for classifica-tion. Experimental evaluation based on the Enron email dataset involving 76 authors yields very promising results consisting of an Equal Error Rate (EER) of 12.42% for message blocks of 500 characters.
[Show abstract][Hide abstract] ABSTRACT: The latest stealth techniques, such as metamorphism, allow malware to evade detection by today’s signature-based anti-malware programs. Current techniques for detecting malware are compute intensive and unsuitable for real-time detection. Techniques based on opcode patterns have the potential to be used for real-time malware detection, but have the following issues: (1) The frequencies of opcodes can change by using different compilers, compiler optimizations and operating systems. (2) Obfuscations introduced by polymorphic and metamorphic malware can change the opcode distributions. (3) Selecting too many features (patterns) results in a high detection rate but also increases the runtime and vice versa. In this paper we present a novel technique named SWOD-CFWeight (Sliding Window of Difference and Control Flow Weight) that helps mitigate these effects and provides a solution to these problems. The SWOD size can be changed; this property gives anti-malware tool developers the ability to select appropriate parameters to further optimize malware detection. The CFWeight feature captures control flow information to an extent that helps detect metamorphic malware in real-time. Experimental evaluation of the proposed scheme using an existing dataset yields a malware detection rate of 99.08 % and a false positive rate of 0.93 %.
[Show abstract][Hide abstract] ABSTRACT: Because of the financial and other gains attached with the growing malware industry, there is a need to automate the process of malware analysis and provide real-time malware detection. To hide a malware, obfuscation techniques are used. One such technique is metamorphism encoding that mutates the dynamic binary code and changes the opcode with every run to avoid detection. This makes malware difficult to detect
in real-time and generally requires a behavioral signature for detection. In this paper we present a new framework called MARD for Metamorphic Malware Analysis and Real-Time Detection, to protect the end points that are often the last defense, against metamorphic malware. MARD provides: (1) automation (2) platform independence (3) optimizations for real-time performance and (4) modularity. We also present a comparison of MARD with other such recent efforts. Experimental evaluation of MARD achieves a detection rate of 99.6%
and a false positive rate of 4%.
[Show abstract][Hide abstract] ABSTRACT: The dynamic nature of the Web 2.0 and the heavy obfuscation of web-based attacks complicate the job of the traditional protection systems such as Firewalls, Anti-virus solutions, and IDS systems. It has been witnessed that using ready-made toolkits, cyber-criminals can launch sophisticated attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF) and botnets to name a few. In recent years, cyber-criminals have targeted legitimate websites and social networks to inject malicious scripts that compromise the security of the visitors of such websites. This involves performing actions using the victim browser without his/her permission. This poses the need to develop effective mechanisms for protecting against Web 2.0 attacks that mainly target the end-user. In this paper, we address the above challenges from information flow control perspective by developing a framework that restricts the flow of information on the client-side to legitimate channels. The proposed model tracks sensitive information flow and prevents information leakage from happening. The proposed model when applied to the context of client-side web-based attacks is expected to provide a more secure browsing environment for the end-user.
[Show abstract][Hide abstract] ABSTRACT: Dynamic binary obfuscation or metamorphism is a technique where a malware never keeps the same sequence of opcodes in the memory. Such malware are very difficult to analyse and detect manually even with the help of tools. We need to automate the analysis and detection process of such malware. This paper introduces and presents a new language named MAIL (Malware Analysis Intermediate Language) to automate and optimize this process. MAIL also provides portability for building malware analysis and detection tools. Each MAIL statement is assigned a pattern that can be used to annotate a control flow graph for pattern matching to analyse and detect metamorphic malware. Experimental evaluation of the proposed approach using an existing dataset yields malware detection rate of 93.92% and false positive rate of 3.02%.
[Show abstract][Hide abstract] ABSTRACT: Botnets represent one of the most serious cybersecurity threats faced by organizations today. Botnets have been used as the main vector in carrying many cyber crimes reported in the recent news. While a significant amount of research has been accomplished on botnet analysis and detection, several challenges remain unaddressed, such as the ability to design detectors which can cope with new forms of botnets. In this paper, we propose a new approach to detect botnet activity based on traffic behavior analysis by classifying network traffic behavior using machine learning. Traffic behavior analysis methods do not depend on the packets payload, which means that they can work with encrypted network communication protocols. Network traffic information can usually be easily retrieved from various network devices without affecting significantly network performance or service availability. We study the feasibility of detecting botnet activity without having seen a complete network flow by classifying behavior based on time intervals. Using existing datasets, we show experimentally that it is possible to identify the presence of existing and unknown botnets activity with high accuracy even with very small time windows.
Full-text · Article · Nov 2013 · Computers & Security
[Show abstract][Hide abstract] ABSTRACT: In this paper, a new Electronic Design Automation (EDA) tool that estimates the probability of successful hacking of Printed Circuit Boards (PCBs) is presented. The tool uses a new analytical model for the probability of successful hacking that is developed using Markov chain analysis. A Graphical User Interface (GUI) is designed as a designer-friendly interface to analyze the security of a PCB based on its technology parameters, which are calibrated using image processing techniques. Based on the simulation results, we propose new design ideas to improve the immunity of PCBs against reverse engineering.
[Show abstract][Hide abstract] ABSTRACT: Intrusion analysis is a resource intensive, complex and expensive process for any organization. The reconstruction of the attack scenario is an important aspect of such endeavor. We tackle in this paper several challenges overlooked by existing attack scenarios reconstruction techniques that undermine their performances. These include the ability to identify and extract novel attack patterns and the correlation of heterogeneous multisensor alerts. We propose a novel attack scenario reconstruction approach that analyzes both implicit and explicit relationships between intrusion alerts using semantic analysis and a new intrusion ontology. The proposed approach can reconstruct known and unknown attack scenarios and correlate alerts generated in multi-sensor IDS environment. Moreover, our approach can handle for the first time both novel attacks and false negative alerts generated by Intrusion Detection Systems (IDSs). Our experimental results show the potential of our approach and its advantages over previous approaches.