2014 Fifth Cybercrime and Trustworthy Computing Conference: latest publications
Mining Malware to Detect Variants
2014 Fifth Cybercrime and Trustworthy Computing Conference. Pub Date: 2014-11-24. DOI: 10.1109/CTC.2014.11
A. Azab, R. Layton, M. Alazab, Jonathan J. Oliver
Abstract: Cybercrime continues to be a growing challenge, and malware is one of the most serious security threats on the Internet today, one which has been in existence from the very early days. Cyber criminals continue to develop and advance their malicious attacks. Unfortunately, existing techniques for detecting malware and analysing code samples are insufficient and have significant limitations. For example, most malware detection studies focused only on detection and neglected the variants of the code. Investigating malware variants allows antivirus products and governments to more easily detect these new attacks, attribution, predict such or similar attacks in the future, and further analysis. The focus of this paper is performing similarity measures between different malware binaries for the same variant, utilizing data mining concepts in conjunction with hashing algorithms. In this paper, we investigate and evaluate using the Trend Locality Sensitive Hashing (TLSH) algorithm to group binaries that belong to the same variant together, utilizing the k-NN algorithm. Two Zeus variants were tested, TSPY_ZBOT and MAL_ZBOT, to address the effectiveness of the proposed approach. We compare TLSH to related hashing methods (SSDEEP, SDHASH and NILSIMSA) that are currently used for this purpose. Experimental evaluation demonstrates that our method can effectively detect variants of malware and is resilient to common obfuscations used by cyber criminals. Our results show that TLSH and SDHASH provide the highest accuracy results, scoring an F-measure of 0.989 and 0.999 respectively.
Citations: 49
A Comparative Study of Likelihood Ratio Based Forensic Text Comparison Procedures: Multivariate Kernel Density with Lexical Features vs. Word N-grams vs. Character N-grams
2014 Fifth Cybercrime and Trustworthy Computing Conference. Pub Date: 2014-11-24. DOI: 10.1109/CTC.2014.9
S. Ishihara
Abstract: This is a comparative study to empirically investigate the performances of three different procedures for calculating authorship attribution likelihood ratios (LR). The procedures to be compared are: 1) a procedure based on multivariate kernel density (MVKD) with lexical features; 2) a procedure based on word N-grams; and 3) a procedure based on character N-grams. Furthermore, the best-performing LRs of these three procedures are fused into combined single LRs using a logistic-regression fusion, in order to investigate the extent of the improvement/deterioration that the fusion brings about. This study uses chatlog messages, which were presented as evidence to prosecute paedophiles, for testing. The numbers of word tokens used to model the authorship attribution of each message group are 500 and 1000 words. This was done to examine the effect of sample size on the performance of a system. The performance of a system is assessed with regard to its validity (= accuracy) and reliability (= precision) using the log-likelihood-ratio cost (Cllr) and 95% credible intervals (CI), respectively. While describing the different characteristics of these three procedures in their outcomes, this study demonstrates that the MVKD procedure was the best-performing procedure out of the three in terms of Cllr. This study also demonstrates that a logistic-regression fusion is useful for combining the LRs obtained from the three procedures in question, resulting in a good improvement in performance.
Citations: 3
Be Careful Who You Trust: Issues with the Public Key Infrastructure
2014 Fifth Cybercrime and Trustworthy Computing Conference. Pub Date: 2014-11-24. DOI: 10.1109/CTC.2014.8
Paul Black, R. Layton
Abstract: The modern digital internet economy and billions of dollars of trade are made possible by the internet security which is provided by operating system and web browser developers. This paper provides a survey of how this security is implemented through the use of digital certificates and the Public Key Infrastructure. Documented cases of the abuse of these digital certificates are given. It is shown that these problems arise from a combination of commercial pressures and a failure of the designers of internet security to consider the fundamental security principle of least privilege. Measures which are used to mitigate these problems are noted, and new PKI architectural components which are designed to correct existing problems are examined.
Citations: 5
Authorship Analysis of the Zeus Botnet Source Code
2014 Fifth Cybercrime and Trustworthy Computing Conference. Pub Date: 2014-11-24. DOI: 10.1109/CTC.2014.14
R. Layton, A. Azab
Abstract: Authorship analysis has been used successfully to analyse the provenance of source code files in previous studies. The source code for Zeus, one of the most damaging and effective botnets to date, was leaked in 2011. In this research, we analyse the source code from the lens of authorship clustering, aiming to estimate how many people wrote this malware, and what their roles are. The research provides insight into the structure that went into creating Zeus and its evolution over time. The work has potential to be used to link the malware with other malware written by the same authors, helping investigations, classification, deterrence and detection.
Citations: 15
Malicious Advertising and Music Piracy: A New Zealand Case Study
2014 Fifth Cybercrime and Trustworthy Computing Conference. Pub Date: 2014-11-24. DOI: 10.1109/CTC.2014.13
P. Watters, Maya F. Watters, J. Ziegler
Abstract: Recent studies have investigated the link between online advertising and rogue websites promoting film piracy, in several different countries around Asia-Pacific. The key findings are that high risk advertising dominates sites which are geared towards Hollywood TV and movies in English, yet mainstream advertising tends to be more prevalent on sites in local languages with local content. In this first systematic analysis of music piracy, the prevalence of high risk and mainstream advertising on music rogue sites was estimated. Advertising was measured from 3,210 web pages identified as infringing by Google, according to the DMCA, and advertisements were downloaded with a New Zealand IP address, to replicate what New Zealand users would have seen. New Zealand was selected because the founder of the Megaupload file hosting website - previously among the Top 100 websites worldwide - has recently been the subject of a police investigation into criminal copyright infringement. The results show that 93% of advertisements were high risk, and only 7% were mainstream. Disturbingly, 97.24% of the high risk ads were for malware - much higher than for movie websites - suggesting that Kiwis are at extreme risk of malware infection if they visit these sites. Further research on the malware samples downloaded needs to be undertaken to determine if rogue music websites are a vector for banking malware.
Citations: 2
Analysis of Malware Behaviour: Using Data Mining Clustering Techniques to Support Forensics Investigation
2014 Fifth Cybercrime and Trustworthy Computing Conference. Pub Date: 2014-11-24. DOI: 10.1109/CTC.2014.10
Edem Inang Edem, Chafika Benzaid, Ameer Al-Nemrat, P. Watters
Abstract: The proliferation of malware in recent times has accounted for the increase in computer crimes and prompted more aggressive research into improved investigative strategies, to keep up with the menace. Recent techniques and tools that have been developed and adopted to keep up in an arms race with malware authors, who have resorted to the use of evasive techniques to avoid analysis during investigation, are an on-going concern. Exploring dynamic analysis is unarguably a positive step to supporting static evidence with malware dynamic behaviour logs. In view of this, analysing these huge generated reports raises concerns about speed, accuracy and performance. This research proposes an Automated Malware Investigative Framework Model, a component based approach that is designed to support investigation by integrating both malware analysis and data mining clustering techniques as part of an effort to solve the problem of overly generated reports, thus grouping analysed suspicious samples that exhibit similar behavioural features to make investigation easy and more intuitive. The focus of this paper, however, is on implementing sub-components of the framework that directly deal with the problem at hand.
Citations: 11
Privacy Threats from Social Networking Service Aggregators
2014 Fifth Cybercrime and Trustworthy Computing Conference. Pub Date: 2014-11-24. DOI: 10.1109/CTC.2014.12
Omar Jaafor, B. Birregah, Charles Perez, Marc Lemercier
Abstract: Social networking services (SNS) have increased in popularity over the last decade. They have become major platforms for e-commerce, personal branding, socialization and information. The success of social networking services like Facebook and Twitter as well as LinkedIn, LiveJournal and Foursquare, and the variety of their usages, leads their users to create a set of profiles on different SNS. Recently, social networking service aggregators have proposed centralizing the multiple social networking profiles of a given user in order to facilitate his interactions with social networking services. Such aggregators allow the messages received by a profile over multiple SNS to be retrieved, edited and posted with much less effort. Despite their obvious advantages, we highlight in this paper the risk of potential data leaks due to the inexperienced use of such tools. For this purpose, we provide a classification of online SNS and present their specificities with regard to the publicly exposed data of a user. Based on this classification, we investigate the possible insecure use of aggregators with an inappropriate set of SNS, which could lead to rendering sensitive data accessible to people it wasn't intended for. We present a decision tree approach for identifying a possible data leak based on the three following criteria: opinion, interest and location. We finally show the result of this approach on popular social networking aggregators.
Citations: 4