Evan Cooke's research while affiliated with University of Michigan and other places

Publications (22)

Patent
A system is provided for detecting, analyzing and quarantining unwanted files in a network environment. A host agent residing on a computing device in the network environment detects a new file introduced to the computing device and sends the new file to a network service for analysis. The network service is accessible to computing devices in the n...
Article
Full-text available
Global Internet threats have undergone a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. At the center of many of these attacks are collections of compromised computers, or Botnets, remotely controlled by the attackers, and whose members are located in homes, schools...
Conference Paper
Software patches are designed to have a positive effect on the operation of software systems. However, these patches may cause incompatibilities, regressions, and other unintended negative impact on the reliability, performance, and security of software. In this paper, we propose PatchAdvisor, a technique to improve the manageability of the patch...
Conference Paper
Full-text available
Modern mobile devices continue to approach the capabilities and extensibility of standard desktop PCs. Unfortunately, these devices are also beginning to face many of the same security threats as desktops. Currently, mobile security solutions mirror the traditional desktop model in which they run detection services on the device. This approach is c...
Article
As virtualization continues to become increasingly popular in enterprise and organizational networks, operators and administrators are turning to live migration of virtual machines for the purpose of workload balancing and management. However, the security of live virtual machine migration has yet to be analyzed. This paper looks at this poorly ex...
Conference Paper
Antivirus software is one of the most widely used tools for detecting and stopping malicious and unwanted files. However, the long term effectiveness of traditional host-based antivirus is questionable. Antivirus software fails to detect many modern threats and its increasing complexity has resulted in vulnerabilities that are being exploited...
Article
Antivirus software installed on each end host in an organization has become the de-facto security mechanism used to defend against unwanted executables. We argue that the executable analysis currently provided by host-based antivirus software can be more efficiently and effectively provided as an in-cloud network service. Instead of running...
Conference Paper
Security on the Internet today is treated mostly as a data plane problem. IDSs, firewalls, and spam filters all operate on the simple principle of detecting malicious data plane behavior and erecting data plane filters. In this paper we explore how breaking down the barrier between the control and data plane can significantly enhance our understan...
Article
Internet security systems like intrusion detection and intrusion prevention systems are based on a simple input-output principle: they receive a high-bandwidth stream of input data and produce summaries of suspicious events. This simple model has serious drawbacks, including the inability to attach context to security alerts, a lack of detailed h...
Conference Paper
Full-text available
The Internet today is beset with constant attacks targeting users and infrastructure. One popular method of detecting these attacks and the infected hosts behind them is to monitor unused network addresses. Because many Internet threats propagate randomly, infection attempts can be captured by monitoring the unused spaces between live addresses. Se...
Conference Paper
Self-propagating malware like worms and bots can dramatically impact the availability and reliability of the Internet. Techniques for the detection and mitigation of Internet threats using content prevalence and scan detectors are based on assumptions of how threats propagate. Some of these assumptions have recently been called into question by obs...
Conference Paper
Full-text available
Internet traffic destined for unused or unreachable addresses provides critically important information on malicious and misconfigured activity. Since Internet address allocation and policy information is distributed across many devices, applications, and administrative domains, constructing a comprehensive map of unused and unreachable ("dar...
Conference Paper
Full-text available
Network-centric tools like NetFlow and security systems like IDSes provide essential data about the availability, reliability, and security of network devices and applications. However, the increased use of encryption and tunnelling has reduced the visibility of monitoring applications into packet headers and payloads (e.g. 93% of traffic on our...
Article
An insight into the functioning of the Blaster worm of 2003, which infected at least 100,000 Microsoft Windows systems, is presented. The Blaster worm can be launched after a successful new infection or when a user reboots an already infected system. Once launched, the worm immediately starts the setup for further propagation by choosing an address from th...
Article
Global Internet threats are undergoing a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. Behind these new attacks is a large pool of compromised hosts sitting in homes, schools, businesses, and governments around the world. These systems are infected with a bot...
Conference Paper
Full-text available
Threats to the privacy of users and to the availability of Internet infrastructure are evolving at a tremendous rate. To characterize these emerging threats, researchers must effectively balance monitoring the large number of hosts needed to quickly build confidence in new attacks, while still preserving the detail required to differentiate these a...
Conference Paper
As national infrastructure becomes intertwined with emerging global data networks, the stability and integrity of the two have become synonymous. This connection, while necessary, leaves network assets vulnerable to the rapidly moving threats of today's Internet, including fast moving worms, distributed denial of service attacks, and routing exploi...
Article
Long after the Blaster, Slammer/Sapphire, and CodeRedII worms caused significant worldwide disruptions, a huge number of infected hosts from these worms continue to probe the Internet today. This paper investigates hotspots (non-uniformities) in the targeting behavior of these important Internet worms. Recent data collected over the period of a mon...
Article
To provide scalable, early warning and analysis of new Internet threats like worms or automated attacks, we propose a globally distributed, hybrid monitoring architecture that can capture and analyze new vulnerabilities and exploits as they occur. To achieve this, our architecture increases the exposure of high-interaction honeypots to these threa...
Conference Paper
The monitoring of unused Internet address space has been shown to be an effective method for characterizing Internet threats including Internet worms and DDOS attacks. Because there are no legitimate hosts in an unused address block, traffic must be the result of misconfiguration, backscatter from spoofed source addresses, or scanning from worms an...
Article
Full-text available
Networks are increasingly subjected to a broad spectrum of threats that impact the reliability and availability of critical infrastructure. In response, researchers and network operators have increasingly relied on monitoring to characterize and track these threats. This paper introduces the Internet Motion Sensor (IMS), a globally scoped Internet...

Citations

... Lately, in-cloud AV solutions are getting relevance, as they improve performance and availability of resources at smaller on-device cost [12]. ...
... The IMS is based on a distributed blackhole network with a lightweight responder, a payload signature and a caching mechanism. These capabilities are used to generate new insights about worms, DDoS, and scan activities[94]. Furthermore, the Protected Repository for the Defense of Infrastructure against Cyber Threats (PREDICT) project investigates spatial and longitudinal darknet data. The authors aim to describe some of the large-scale spatial and longitudinal darknet information. ...
... Bots were initially benign and used by the protocol to provide services and support. The first IRC bot was created in 1993, under the name Eggdrop [26,106,124]. Eggdrop was then further developed, and soon malicious bots made their appearance. These bots' purpose was to attack other IRC users or even whole servers, which in time resulted in these bots being engineered to be able to carry out Distributed Denial of Service (DDoS) [72] attacks. ...
... Botnet technology (Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M., 2009) has been widely used to conduct malicious activities like DDoS attacks. Ironically, since Mirai's source leaked, this technology has been evolving at an accelerating pace and has produced various variants. ...
... Several solutions to address the problems of cost and complexity of the virtual honeypot system have been proposed. The hybrid honeypot system was proposed; it includes multiple levels of honeypots, such as the LIH at the front end and HIH at the back end [9], [10]. Once sufficient information is collected from the LIH, the hybrid system redirects the current traffic to the HIH. ...
... Through their analysis, the authors concluded that global scanning worm detectors are not a viable long-term strategy for detecting worms in early stages. Additionally, Cooke et al. [166] try to understand non-uniformity in worms' behavior. Using a large darknet data set rich with Blaster, Slammer and Code Red II infections, the authors analyzed and discovered three biases in malware behavior. ...
... After overloaded detection, the overloaded VMs are migrated. VM migration or portability is the critical element of virtualization innovation which is utilized to give equipment/framework support, responsibility adjusting, and straightforward administration in ordinary server farms just as in Cloud foundation (Ahmad et al. 2015; Shetty et al. 2012; Oberheide et al. 2008; Kazim et al. 2013). Notwithstanding, VM migration with metadata (keys of scrambled circle images) isn't secure as a result of the inaccessibility of solid security includes in hypervisors. VM migration without security becomes a single purpose of a disappointment for Cloud climate since interlopers can infuse malevolent code or alter the VM content. ...
... Approach/Technique | Tool/Project
[83] Resource-Aware Multi-Format Data Storage | IMS
[84] Graphical Processor | Custom
In this category, Cooke et al. [83] propose a resource-aware multi-format data storage of security information with the aim to simultaneously save various security information. The proposed architecture consists of a set of algorithms for storing various formats of data. ...
... Consequently, various research efforts have relied on thousands of deployed honeypots to collect malware information (e.g., malware binaries) and hence study and understand the imposed cyber threat on IoT devices [3], [5]. Additionally, some other research works [1], [3], [5]-[7] have used a multitude of data perspectives including malware repositories (e.g., VirusTotal [8]), Internet-scale network scans (e.g., Censys [9], Shodan [10], ShadowServer [11], ZMAP [12] and Masscan [13]), Telnet honeypots (e.g., Akamai and Cowrie [14]), network telescope/darknet probes (e.g., CAIDA network telescope [15] and Merit Network Inc. [16]), Domain Name System (DNS) traces (e.g., Farsight [17] and Dyn [18]) and Command and Control (C&C) milkers (e.g., Akamai) to analyze and subsequently mitigate the cyber threat targeting the IoT paradigm. Although a multitude of data perspectives is used for forensic collection, primarily relying on the deployment of numerous IoT honeypots is not sufficient to accommodate the large number of dispersed malware-infected IoT devices. ...
... It is one extensive method to scrutinize a wide range of intriguing Internet phenomena [55]. Due to the absence of active hosts on the unused network telescope IP space, the traffic is strictly uni-directional and mainly provoked by unsolicited activities associated with malware worms and Internet backscatter radiation [5]. The network telescope is successfully leveraged in numerous works as a distinguished vantage point for investigating Internet probing activities [17], DDoS attacks [7,39,40], and Internet worm propagation [38]. ...