Zero-Day Exploits, Part 1

SoS Newsletter- Advanced Book Block


Zero-day exploits are a major research challenge in cybersecurity. Recent work on this subject has been conducted globally. The works cited here were presented in 2014 and early 2015.

Bazzi, A.; Onozato, Y., “Preventing Attacks in Real-Time through the Use of a Dummy Server,” Autonomous Decentralized Systems (ISADS), 2015 IEEE Twelfth International Symposium on, pp. 236-241, 25-27 March 2015. doi:10.1109/ISADS.2015.36
Abstract: Zero-day exploits against servers pose one of the most challenging problems faced by system and security administrators. Current solutions rely mainly on signature databases of known attacks and are not efficient at detecting new attacks not covered by their attack signature database. We propose using a dummy server, i.e., a mirror of the server to be protected but without the real data. Consequently, any incoming network packet is first tested against the dummy server and once it is ensured that the packet is benign, it is delivered to the real server. This would prevent all types of attacks, including those based on zero-day exploits, from reaching the protected server.
Keywords: program debugging; security of data; attack signature database; dummy server; network packet; zero-day exploits; Databases; IP networks; Intrusion detection; Routing protocols; Servers; Software (ID#: 15-6193)

Mayo, Jackson R.; Armstrong, Robert C.; Hulette, Geoffrey C., “Digital System Robustness via Design Constraints: The Lesson of Formal Methods,” Systems Conference (SysCon), 2015 9th Annual IEEE International, pp. 109-114, 13-16 April 2015. doi:10.1109/SYSCON.2015.7116737
Abstract: Current programming languages and programming models make it easy to create software and hardware systems that fulfill an intended function but also leave such systems open to unintended function and vulnerabilities. Software engineering and code hygiene may make systems incrementally safer, but do not produce the wholesale change necessary for secure systems from the outset. Yet there exists an approach with impressive results: We cite recent examples showing that formal methods, coupled with formally informed digital design, have produced objectively more robust code even beyond the properties directly proven. Though discovery of zero-day vulnerabilities is almost always a surprise and powerful tools like semantic fuzzers can cover a larger search space of vulnerabilities than a developer can conceive of, formal models seem to produce robustness of a higher qualitative order than traditionally developed digital systems. Because the claim is necessarily a qualitative one, we illustrate similar results with an idealized programming language in the form of Boolean networks where we have control of parameters related to stability and adaptability. We argue that verifiability with formal methods is an instance of broader design constraints that promote robustness. We draw analogies to real-world programming models and languages that can be mathematically reasoned about in contrast to ones that are essentially undecidable.
Keywords: Computational modeling; Computer languages; Digital systems; Hardware; Programming; Robustness; Software; Digital design; complex systems; formal methods; programming models; robustness; security (ID#: 15-6194)

Kaur, R.; Singh, M., “Efficient Hybrid Technique for Detecting Zero-Day Polymorphic Worms,” Advance Computing Conference (IACC), 2014 IEEE International, pp. 95-100, 21-22 Feb. 2014. doi:10.1109/IAdCC.2014.6779301
Abstract: This paper presents an efficient technique for detecting zero-day polymorphic worms with almost zero false positives. Zero-day polymorphic worms not only exploit unknown vulnerabilities but also change their own representations on each new infection or encrypt their payloads using a different key per infection. Thus, there are many variations in the signatures for the same worm, making fingerprinting very difficult. With their ability to rapidly propagate, these worms increasingly threaten Internet hosts and services. If these zero-day worms are not detected and contained at the right time, they can potentially disable the Internet or wreak serious havoc. So the detection of zero-day polymorphic worms is of paramount importance.
Keywords: Internet; cryptography; digital signatures; invasive software; Internet hosts; encryption; fingerprinting; hybrid technique; signatures; unknown vulnerabilities; zero false positives; zero-day polymorphic worm detection; Algorithm design and analysis; Grippers; Internet; Malware; Payloads; Registers; Sensors; Zero-day attack; hybrid system; intrusion detection; polymorphic worm (ID#: 15-6195)

Holm, H., “Signature Based Intrusion Detection for Zero-Day Attacks: (Not) A Closed Chapter?,” System Sciences (HICSS), 2014 47th Hawaii International Conference on, pp. 4895-4904, 6-9 Jan. 2014. doi:10.1109/HICSS.2014.600
Abstract: A frequent claim that has not been validated is that signature based network intrusion detection systems (SNIDS) cannot detect zero-day attacks. This paper studies this property by testing 356 severe attacks on the SNIDS Snort, configured with an old official rule set. Of these attacks, 183 attacks are zero-days to the rule set and 173 attacks are theoretically known to it. The results from the study show that Snort clearly is able to detect zero-days (a mean of 17% detection). The detection rate is, however, overall greater for theoretically known attacks (a mean of 54% detection). The paper then investigates how the zero-days are detected, how prone the corresponding signatures are to false alarms, and how easily they can be evaded. Analyses of these aspects suggest that a conservative estimate on zero-day detection by Snort is 8.2%.
Keywords: computer network security; digital signatures; SNIDS; false alarm; signature based network intrusion detection; zero day attacks; zero day detection; Computer architecture; Payloads; Ports (Computers); Reliability; Servers; Software; Testing; Computer security; NIDS; code injection; exploits (ID#: 15-6196)

Javed, A.; Akhlaq, M., “On the Approach of Static Feature Extraction in Trojans to Combat against Zero-Day Threats,” IT Convergence and Security (ICITCS), 2014 International Conference on, pp. 1-5, 28-30 Oct. 2014. doi:10.1109/ICITCS.2014.7021794
Abstract: Over the past few years, the enormous challenge ever faced by cyber space is to combat against cyber threats in the shape of malware attacks. Of these, Trojans stand out as the most common choice due to their deceptive and alluring properties. Most modern / sophisticated malware is polymorphic in nature, thus signature / heuristics based techniques are becoming out of scope in outraging zero-day threats. By and large, Trojans and their numerous variants have common static features which are always existent in such malware. By exploiting this analogy, a set of features is determined by analyzing known samples which can be effectively plied for combating against zero-day attacks launched by means of unknown malicious codes.
Keywords: feature extraction; invasive software; Trojan; cyber space; malicious codes; malware attacks; signature-heuristics based techniques; static feature extraction; zero-day threats; Electronic mail; Feature extraction; Grippers; Software; Trojan horses (ID#: 15-6197)

Shahzad, K.; Woodhead, S., “Towards Automated Distributed Containment of Zero-Day Network Worms,” Computing, Communication and Networking Technologies (ICCCNT), 2014 International Conference on, pp. 1-7, 11-13 July 2014. doi:10.1109/ICCCNT.2014.6963119
Abstract: Worms are a serious potential threat to computer network security. The high potential speed of propagation of worms and their ability to self-replicate make them highly infectious. Zero-day worms represent a particularly challenging class of such malware, with the cost of a single worm outbreak estimated to be as high as US $2.6 Billion. In this paper, we present a distributed automated worm detection and containment scheme that is based on the correlation of Domain Name System (DNS) queries and the destination IP address of outgoing TCP SYN and UDP datagrams leaving the network boundary. The proposed countermeasure scheme also utilizes cooperation between different communicating scheme members using a custom protocol, which we term Friends. The absence of a DNS lookup action prior to an outgoing TCP SYN or UDP datagram to a new destination IP address is used as a behavioral signature for a rate limiting mechanism, while the Friends protocol spreads reports of the event to potentially vulnerable uninfected peer networks within the scheme. To our knowledge, this is the first implementation of such a scheme. We conducted empirical experiments across six class C networks by using a Slammer-like pseudo-worm to evaluate the performance of the proposed scheme. The results show a significant reduction in worm infection when the countermeasure scheme is invoked.
Keywords: computer network security; digital signatures; invasive software; protocols; DNS queries; Friends protocol; Slammer-like pseudoworm; TCP SYN datagrams; UDP datagrams; automated distributed containment; behavioral signature; communicating scheme members; computer network security; countermeasure scheme; custom protocol; destination IP address; distributed automated worm detection; domain name system queries; malware; network boundary; rate limiting mechanism; six class C networks; worm infection reduction; zero-day network worms; Grippers; IP networks; Internet; Limiting; Malware; Routing protocols; countermeasure; malware; network worm; rate limiting (ID#: 15-6198)

Zolotukhin, M.; Hamalainen, T., “Detection of Zero-Day Malware Based on the Analysis of Opcode Sequences,” Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pp. 386-391, 10-13 Jan. 2014. doi:10.1109/CCNC.2014.6866599
Abstract: Today, rapid growth in the amount of malicious software is causing a serious global security threat. Unfortunately, widespread signature-based malware detection mechanisms are not able to deal with constantly appearing new types of malware and variants of existing ones, until an instance of this malware has damaged several computers or networks. In this research, we apply an anomaly detection approach which can cope with the problem of new malware detection. First, executable files are analyzed in order to extract operation code sequences and then n-gram models are employed to discover essential features from these sequences. A clustering algorithm based on the iterative usage of support vector machines and support vector data descriptions is applied to analyze feature vectors obtained and to build a benign software behavior model. Finally, this model is used to detect malicious executables within new files. The scheme proposed allows one to detect malware unseen previously. The simulation results presented show that the method results in a higher accuracy rate than that of the existing analogues.
Keywords: invasive software; iterative methods; pattern clustering; support vector machines; anomaly detection approach; benign software behavior model; clustering algorithm; global security threat; iterative usage; malicious software; n-gram models; opcode sequences analysis; operation code sequences; support vector data descriptions; support vector machines; widespread signature-based malware detection mechanism; zero-day malware detection; Feature extraction; Malware; Software; Software algorithms; Support vector machines; Training; Vectors (ID#: 15-6199)

Shahzad, K.; Woodhead, S., “A Pseudo-Worm Daemon (PWD) for Empirical Analysis of Zero-Day Network Worms and Countermeasure Testing,” Computing, Communication and Networking Technologies (ICCCNT), 2014 International Conference on, pp. 1-6, 11-13 July 2014. doi:10.1109/ICCCNT.2014.6963124
Abstract: The cyber epidemiological analysis of computer worms has emerged as a key area of research in the field of cyber security. In order to understand the epidemiology of computer worms, a network daemon is required to empirically observe their infection and propagation behavior. The same facility can also be employed in testing candidate worm countermeasures. In this paper, we present the architecture and design of the Pseudo-Worm Daemon (PWD), which is designed to perform true random scanning and hit-list worm-like functionality. The PWD is implemented as a proof-of-concept in the C programming language. The PWD is platform independent and can be deployed on any host in an enterprise network. The novelty of this worm daemon includes its UDP based propagation, a user-configurable random scanning pool, the ability to contain a user defined hit-list, authentication before infecting susceptible hosts and efficient logging of time of infection. Furthermore, this paper presents experimentation and analysis of a Pseudo-Witty worm by employing the PWD with real Witty worm outbreak attributes. The results obtained by the Pseudo-Witty worm outbreak are quite comparable to the real Witty worm outbreak, which are further quantified by using the Susceptible Infected (SI) model.
Keywords: C language; invasive software; program testing; C programming language; PWD; UDP based propagation; computer worms; cyber epidemiological analysis; cyber security; enterprise network; hit-list worm like functionality; pseudo-witty worm outbreak; pseudo-worm daemon; random scanning functionality; susceptible infected model; user-configurable random scanning pool; worm countermeasure testing; worm infection behavior; worm propagation behavior; zero-day network worms; Computational modeling; Computer worms; Grippers; IP networks; Mathematical model; Servers; Silicon; cyber; hit-list; scanning; witty; worm (ID#: 15-6200)

Asif, M.K.; Al-Harthi, Y.S., “Intrusion Detection System Using Honey Token Based Encrypted Pointers to Mitigate Cyber Threats for Critical Infrastructure Networks,” Systems, Man and Cybernetics (SMC), 2014 IEEE International Conference on, pp. 1266-1270, 5-8 Oct. 2014. doi:10.1109/SMC.2014.6974088
Abstract: Recent advancements in cyberspace impose a greater threat to the security of critical infrastructure than ever before. The scale of damage that could be done on these infrastructures by well-planned cyber-attacks is enormous. Most of the research work done for the security of these critical infrastructures focuses on conventional security measures. In this paper, we designed an Intrusion Detection System (IDS) that is based on the novel approach of Honey Token based Encrypted Pointers to protect critical infrastructure networks from cyber-attacks, particularly from zero day cyber threats. These honey tokens inside the frame will serve as a trap for the attacker. All nodes operating within the working domain of the critical infrastructure network are divided into four different pools. This division is according to their computational power and level of vulnerability. These pools are provided with different levels of security measures within the network. The IDS uses a different number of Honey Tokens (HT) per frame for every different pool. Moreover, every pool uses different types of encryption schemes (AES-128, -192, -256, etc.). We use a critical infrastructure network of 64 nodes for our simulations. We analyzed the performance of the IDS in terms of True Positive and False Negative Alarms. Finally, we test this IDS through Network Penetration Testing (NPT). This NPT is accomplished by putting the critical infrastructure network of 64 nodes directly under the zero day cyber-attacks and then analyzing the behavior of the IDS under such realistic conditions. The IDS is designed in such a way that it not only detects the intrusions but also recovers the entire zero day attack using a reverse engineering approach.
Keywords: computer network security; critical infrastructures; cryptography; reverse engineering; IDS; NPT; critical infrastructure networks; cyber-attacks; encryption schemes; false negative alarms; honey token based encrypted pointers; intrusion detection system; network penetration testing; reverse engineering approach; true positive alarms; zero day cyber threats; Databases; Encryption; Generators; Intrusion detection; Protocols; Critical Infrastructure Networks; Cyber Security; Cyber Space; Cyber Threats; Cyber Warfare; DNP3; Distributed Sensor Networks; Encrypted Pointers; Honey Token; Industrial Communication Protocol; Industrial Networks; Information Infrastructure; Information Security; Intelligence Infrastructure; Intrusion Detection System; SCADA Command and Control System; Zero Day Attacks (ID#: 15-6201)

Tokhtabayev, A.G.; Aimyshev, B.; Seitkulov, Y., “tBox: A System to Protect a ‘Bad’ User from Targeted and User-Oriented Attacks,” Application of Information and Communication Technologies (AICT), 2014 IEEE 8th International Conference on, pp. 1-6, 15-17 Oct. 2014. doi:10.1109/ICAICT.2014.7035913
Abstract: We introduce the tBox system that enables protection from targeted and user-oriented attacks. Such attacks rely on users’ mistakes such as misinterpreting or ignoring security alerts, which leads to proliferation of malicious objects inside the trusted perimeter of cyber-security systems (e.g. the exclusion list of an AV). These attacks include strategic web compromise, spear phishing, insider threat and social network malware. Moreover, targeted attacks often deliver zero-day malware that is made difficult to detect, e.g. due to a distributed malicious payload. The tBox system allows for protecting even a "bad" user who does not cooperate with security products. To accomplish this, tBox seamlessly transfers user activity with vulnerable applications into a specific virtual environment that provides three key factors: user-activity isolation, behavior self-monitoring and security inheritance for user-carried objects. To provide self-monitoring, our team developed a novel technology for deep dynamic analysis of system-wide behavior, which allows for run-time recognition of malicious functionalities including obfuscated and distributed ones. We evaluate the tBox prototype with a corpus of real malware families. Results show high efficiency of tBox in detecting and blocking malware while having low system overhead.
Keywords: Internet; invasive software; behavior self-monitoring; cyber-security systems; distributed malicious payload; insider threat; security alerts; security inheritance; social network malware; spear phishing; strategic Web compromise; tBox system; targeted attacks; user-activity isolation; user-oriented attacks; zero-day malware; Browsers; Containers; Engines; Malware; Payloads; Software; Attacks on a User; Distributed malware; Targeted attacks; Threat isolation; Zero-day malware (ID#: 15-6202)

Mirza, N.A.S.; Abbas, H.; Khan, F.A.; Al Muhtadi, J., “Anticipating Advanced Persistent Threat (APT) Countermeasures Using Collaborative Security Mechanisms,” Biometrics and Security Technologies (ISBAST), 2014 International Symposium on, pp. 129-132, 26-27 Aug. 2014. doi:10.1109/ISBAST.2014.7013108
Abstract: Information and communication security has gained significant importance due to its widespread use and the increased sophistication and complexity of its deployment. On the other hand, more sophisticated and stealthy techniques are being practiced by intruder groups to penetrate and exploit the technology and evade attack detection. One such treacherous threat to all critical assets of an organization is the Advanced Persistent Threat (APT). Since the APT attack vector is not previously known, it can harm the organization’s assets before the patch for this security flaw is released/available. This paper presents a preliminary research effort to counter APT or zero day attacks at an early stage by detecting malware. An open source version of Security Information and Event Management (SIEM) is used to detect a denial of service attack launched through the remote desktop service. The framework presented in this paper also shows the efficiency of the technique, and it can be enhanced with more sophisticated mechanisms for APT attack detection.
Keywords: computational complexity; invasive software; public domain software; APT attack detection; APT attack vector; SIEM; advanced persistent threat countermeasures; collaborative security mechanisms; deployment complexity; information and communication security; malwares; open source version; organization assets; remote desktop service; security information and event management; stealthy techniques; zero day attacks; Intrusion detection; Kernel; Malware; Monitoring; Neural networks; Organizations; Advanced Persistent Threat; Security Information and Event Management; Zero Day Exploits (ID#: 15-6203)

Pandey, S.K.; Mehtre, B.M., “Performance of Malware Detection Tools: A Comparison,” Advanced Communication Control and Computing Technologies (ICACCCT), 2014 International Conference on, pp. 1811-1817, 8-10 May 2014. doi:10.1109/ICACCCT.2014.7019422
Abstract: Malware is a big threat to the modern computer world. There are many tools and techniques for detecting malware, like Intrusion Detection Systems, Firewalls, Virus scans, etc. But malicious executables like unseen zero day malware are still a major challenge. In this paper, we present a performance comparison of existing tools and techniques for malware detection. In order to know the performance of malware detection tools, we have created a virtual malware analysis lab using VirtualBox. We have taken the 17 most commonly known malware detection tools and 29 malware samples as a data set for our comparison. We have tested and analyzed the performance of the malware detection tools on the basis of several parameters, which are also shown graphically. It is found that the top three tools (based on certain parameters and the given data set) are Regshot, Process Monitor and Process Explorer.
Keywords: computer viruses; firewalls; Regshot; firewalls; intrusion detection system; malicious executables; malware detection tools; process explorer; process monitor; unseen zero day malwares; virtual box; virtual malware analysis lab; virus scans; Cryptography; Firewalls (computing); Grippers; Immune system; Pattern matching; Trojan horses; Cyber Defense; Intrusion Detection System; Malicious executables; Malware; Malware Analysis; Zero Day Malwares (ID#: 15-6204)

Pandey, S.K.; Mehtre, B.M., “A Lifecycle Based Approach for Malware Analysis,” Communication Systems and Network Technologies (CSNT), 2014 Fourth International Conference on, pp. 767-771, 7-9 April 2014. doi:10.1109/CSNT.2014.161
Abstract: Most of the detection approaches, like Signature based, Anomaly based and Specification based, are not able to analyze and detect all types of malware. The signature-based approach for malware detection has one major drawback: it cannot detect zero-day attacks. The fundamental limitation of the anomaly based approach is its high false alarm rate. And specification-based detection often has difficulty specifying completely and accurately the entire set of valid behaviors a malware should exhibit. Modern malware developers try to avoid detection by using several techniques such as polymorphic, metamorphic and also some of the hiding techniques. In order to overcome these issues, we propose a new approach for malware analysis and detection that consists of the following twelve stages: Inbound Scan, Inbound Attack, Spontaneous Attack, Client-Side Exploit, Egg Download, Device Infection, Local Reconnaissance, Network Surveillance, & Communications, Peer Coordination, Attack Preparation, and Malicious Outbound Propagation. All these stages integrate together as an interrelated process in our proposed approach. This approach has solved the limitations of all three approaches by monitoring the behavioral activity of malware at each and every stage of the life cycle, and then finally it gives a report of the maliciousness of the files or software.
Keywords: invasive software; anomaly based approach; attack preparation; client-side exploit; device infection; egg download; hiding techniques; inbound attack; inbound scan; lifecycle based approach; local reconnaissance; malicious outbound propagation; malware analysis; network surveillance; peer coordination; signature-based approach; specification-based detection; spontaneous attack; Computers; Educational institutions; Malware; Monitoring; Reconnaissance; Metamorphic; Polymorphic; Reconnaissance; Signature based; Zero day attack (ID#: 15-6205)

Kumar, S.; Rama Krishna, C.; Aggarwal, N.; Sehgal, R.; Chamotra, S., “Malicious Data Classification Using Structural Information and Behavioral Specifications in Executables,” Engineering and Computational Sciences (RAECS), 2014 Recent Advances in, pp. 1-6, 6-8 March 2014. doi:10.1109/RAECS.2014.6799525
Abstract: With the rise in the underground Internet economy, automated malicious programs, popularly known as malware, have become a major threat to computers and information systems connected to the Internet. Properties such as self healing, self hiding and the ability to deceive security devices make this software hard to detect and mitigate. Therefore, the detection and mitigation of such malicious software is a major challenge for researchers and security personnel. The conventional systems for the detection and mitigation of such threats are mostly signature based systems. The major drawback of such systems is their inability to detect malware samples for which there is no signature available in their signature database. Such malware is known as zero day malware. Moreover, more and more malware writers use obfuscation technology, such as polymorphism and metamorphism, packing, and encryption, to avoid being detected by antivirus. Therefore, the traditional signature based detection system is neither effective nor efficient for the detection of zero-day malware. Hence, to improve the effectiveness and efficiency of the malware detection system, we are using a classification method based on structural information and behavioral specifications. In this paper we have used both static and dynamic analysis approaches. In static analysis we are extracting the features of an executable file followed by classification. In dynamic analysis we are taking the traces of executable files using NtTrace within a controlled atmosphere. Experimental results obtained from our algorithm indicate that our proposed algorithm is effective in extracting malicious behavior of executables. Further, it can also be used to detect malware variants.
Keywords: Internet; invasive software; pattern classification; program diagnostics; NtTrace; antivirus; automated malicious programs; behavioral specifications; dynamic analysis; executable file; information systems; malicious behavior extraction; malicious data classification; malicious software detection; malicious software mitigation; malware detection system effectiveness improvement; malware detection system efficiency improvement; malwares; obfuscation technology; security devices; signature database; signature-based detection system; static analysis; structural information; threat detection; threat mitigation; underground Internet economy; zero-day malware detection; Algorithm design and analysis; Classification algorithms; Feature extraction; Internet; Malware; Software; Syntactics; behavioral specifications; classification algorithms; dynamic analysis; malware detection; static analysis; system calls (ID#: 15-6206)

Sigholm, J.; Larsson, E., “Determining the Utility of Cyber Vulnerability Implantation: The Heartbleed Bug as a Cyber Operation,” Military Communications Conference (MILCOM), 2014 IEEE, pp. 110-116, 6-8 Oct. 2014. doi:10.1109/MILCOM.2014.25
Abstract: Flaws in computer software or hardware that are as yet unknown to the public, known as zero-day vulnerabilities, are an increasingly sought-after resource by actors conducting cyber operations. While the objective pursued is commonly defensive, as in protecting one’s own systems and networks, cyber operations may also involve exploiting identified vulnerabilities for intelligence collection or to produce military effects. The weaponizing and stockpiling of such vulnerabilities by various actors, or even the intentional implantation into cyberspace infrastructure, is a trend that currently resembles an arms race. An open question is how to measure the utility that access to these exploitable vulnerabilities provides for military purposes, and how to contrast and compare this to the possible adverse societal consequences that withholding disclosure of them may result in, such as loss of privacy or impeded freedom of the press. This paper presents a case study focusing on the Heartbleed bug, used as a tool in an offensive cyber operation. We introduce a model to estimate the adoption rate of an implanted flaw in OpenSSL, derived by fitting collected real-world data. Our calculations show that reaching a global adoption of at least 50% would take approximately three years from the time of release, given that the vulnerability remains undiscovered, while surpassing 75% adoption would take an estimated four years. The paper concludes that while exploiting zero-day vulnerabilities may indeed be of significant military utility, such operations take time. They may also incur non-negligible risks of collateral damage and other societal costs.
Keywords: program debugging; security of data; OpenSSL; collateral damage; computer software; cyber vulnerability implantation; cyberspace infrastructure; global adoption; heartbleed bug; identified vulnerabilities; intelligence collection; intentional implantation; military effects; military utility; offensive cyber operation; societal costs; sought-after resource; zero-day vulnerabilities; Fitting; Heart rate variability; Military aircraft; Predictive models; Security; Servers; Software; computer network operations; cyber operations; exploitation; intelligence; vulnerabilities (ID#: 15-6207)

Uppal, D.; Sinha, R.; Mehra, V.; Jain, V., “Malware Detection and Classification Based on Extraction of API Sequences,” Advances in Computing, Communications and Informatics (ICACCI), 2014 International Conference on, pp. 2337-2342, 24-27 Sept. 2014. doi:10.1109/ICACCI.2014.6968547
Abstract: With the substantial growth of the IT sector in the 21st century, the need for system security has also become inevitable. While the developments in the IT sector have innumerable advantages, attacks on websites and computer systems are also increasing relatively. One such attack is the zero day malware attack, which poses a great challenge for security testers. Malware pen testers can use bypass techniques like Compression, Code obfuscation and Encryption techniques to easily deceive present day Antivirus Scanners. This paper elucidates a novel malware identification approach based on extracting unique aspects of API sequences. The proposed feature selection method, based on N grams and odds ratio selection, captures unique and distinct API sequences from the extracted API calls, thereby increasing classification accuracy. Next, a model is built by the classification algorithms using active machine learning techniques to categorize malicious and benign files.
Keywords: application program interfaces; invasive software; learning (artificial intelligence); pattern classification; API sequences extraction; IT sector; N grams; Websites; active machine learning techniques; antivirus scanners; benign files; bypass techniques; code obfuscation; computer systems; encryption techniques; malicious files; malware classification; malware detection; malware pen testers; odds ratio selection; security testers; zero day malware attack; Accuracy; Classification algorithms; Feature extraction; Machine learning algorithms; Malware; Software; API call gram; API sequence (ID#: 15-6208)

Kotenko, I.; Doynikova, E., “Security Evaluation for Cyber Situational Awareness,” High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE 11th Intl Conf on Embedded Software and Syst (HPCC, CSS, ICESS), 2014 IEEE Intl Conf on, vol., no., pp. 1197, 1204, 20-22 Aug. 2014. doi:10.1109/HPCC.2014.196
Abstract: The paper considers techniques for measurement and calculation of security metrics taking into account attack graphs and service dependencies. The techniques are based on several assessment levels (topological, attack graph level, attacker level, events level and system level) and important aspects (zero-day attacks, cost-efficiency characteristics). They allow understanding the current security situation, including defining the vulnerable characteristics and weaknesses of the system under protection, dangerous events, current and possible cyber attack parameters, attacker intentions, integral cyber situation metrics and necessary countermeasures.
Keywords: firewalls; attack countermeasures; attack graph level; attack graphs; attacker intentions; attacker level; cost-efficiency characteristics; cyber attack parameters; cyber situational awareness; dangerous events; event level; integral cyber situation metrics; security evaluation; security metric calculation; security metric measurement; service dependencies; system level; system weaknesses; topological assessment level; vulnerable characteristics; zero-day attacks; Business; Conferences; High performance computing; Integrated circuits; Measurement; Probabilistic logic; Security; network security; risk assessment; security metrics (ID#: 15-6209)

Markel, Z.; Bilzor, M., “Building a Machine Learning Classifier for Malware Detection,” Anti-malware Testing Research (WATeR), 2014 Second Workshop on, vol., no., pp. 1, 4, 23-23 Oct. 2014. doi:10.1109/WATeR.2014.7015757
Abstract: Current signature-based antivirus software is ineffective against many modern malicious software threats. Machine learning methods can be used to create more effective antimalware software, capable of detecting even zero-day attacks. Some studies have investigated the plausibility of applying machine learning to malware detection, primarily using features from n-grams of an executable file’s byte code. We propose an approach that primarily learns from metadata, mostly contained in the headers of executable files, specifically the Windows Portable Executable 32-bit (PE32) file format. Our experiments indicate that executable file metadata is highly discriminative between malware and benign software. We also employ various machine learning methods, finding that Decision Tree classifiers outperform Logistic Regression and Naive Bayes in this setting. We analyze various features of the PE32 header and identify those most suitable for machine learning classifiers. Finally, we evaluate changes in classifier performance when the malware prevalence (fraction of malware versus benign software) is varied.
Keywords: decision trees; invasive software; learning (artificial intelligence); pattern classification; regression analysis; Windows Portable Executable file format; antimalware software; decision tree classifiers; logistic regression; machine learning classifier; malicious software threat; malware detection; malware prevalence; meta data; naive Bayes; signature-based antivirus software; zero-day attacks; Databases; Decision trees; Feature extraction; Logistics; Malware; Software; Training (ID#: 15-6210)

Ziyu Wang; Jiahai Yang; Fuliang Li, “An On-Line Anomaly Detection Method Based on a New Stationary Metric — Entropy-Ratio,” Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on, vol., no., pp. 90, 97, 24-26 Sept. 2014. doi:10.1109/TrustCom.2014.16
Abstract: Anomaly detection has been a hot topic in recent years due to its capability of detecting zero day attacks. In this paper, we propose a new metric called Entropy-Ratio. We validate that the Entropy-Ratio is stationary. Making use of this observation, we combine the Least Mean Square algorithm and the Forward Linear Predictor to propose a new on-line detector called LMS-FLP detector. Using the two synthetic data sets - CEGI-6IX synthetic data and CERNET2 synthetic data, we validate that the LMS-FLP detector is very effective in detecting both anomalies involving many small IP flows and anomalies involving a few large IP flows.
Keywords: IP networks; computer network security; entropy; least mean squares methods; CEGI-6IX synthetic data set; CERNET2 synthetic data set; forward linear predictor; large-IP flows; least mean square algorithm; online LMS-FLP detector; online anomaly detection method; small-IP flows; stationary entropy-ratio metric; zero-day attack detection capability; Detectors; Educational institutions; Entropy; Equations; IP networks; Mathematical model; Vectors; Entropy-Ratio; Forward Linear Predictor; Least Mean Square; anomaly detection (ID#: 15-6211)

Rivers, A.T.; Vouk, M.A.; Williams, L.A., “On Coverage-Based Attack Profiles,” Software Security and Reliability-Companion (SERE-C), 2014 IEEE Eighth International Conference on, vol., no., pp. 5, 6, June 30 2014–July 2 2014. doi:10.1109/SERE-C.2014.15
Abstract: Automated cyber attacks tend to be schedule and resource limited. The primary progress metric is often “coverage” of pre-determined “known” vulnerabilities that may not have been patched, along with possible zero-day exploits (if such exist). We present and discuss a hypergeometric process model that describes such attack patterns. We used web request signatures from the logs of a production web server to assess the applicability of the model.
Keywords: Internet; security of data; Web request signatures; attack patterns; coverage-based attack profiles; cyber attacks; hypergeometric process model; production Web server; zero-day exploits; Computational modeling; Equations; IP networks; Mathematical model; Software; Software reliability; Testing; attack; coverage; models; profile; security (ID#: 15-6212)

Trikalinou, A.; Bourbakis, N., “AMYNA: A Security Generator Framework,” Information, Intelligence, Systems and Applications, IISA 2014, The 5th International Conference on, vol., no., pp. 404, 409, 7-9 July 2014. doi:10.1109/IISA.2014.6878840
Abstract: Security has always been an important concern in Computer Systems. In this paper we focus on zero-day, memory-based attacks, one of the top three most dangerous attacks according to the MITRE ranking, and propose AMYNA, a novel security generator framework/model, which can automatically create personalized optimum security solutions. Motivated by the most prevailing security methods, which target a limited set of attacks, but do so efficiently and effectively, we present the idea and architecture of AMYNA, which can automatically combine security methods represented in a high-level model in order to produce a security solution with elevated security coverage.
Keywords: security of data; AMYNA; MITRE ranking; computer systems; elevated security coverage; high-level model; memory-based attacks; personalized optimum security solutions; security generator framework; zero-day attacks; Computational modeling; Computer architecture; Libraries; Load modeling; Numerical models; Real-time systems; Security; buffer overflow; control-flow hijacking; dynamic information flow tainting (DIFT); host security (ID#: 15-6213)

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.