691. Malware Detection Through Call Graphs
Kinable, Joris. January 2010
Each day, anti-virus companies receive large quantities of potentially harmful executables. Many of the malicious samples among these executables are variations of earlier encountered malware, created by their authors to evade pattern-based detection. Consequently, robust detection approaches are required, capable of recognizing similar samples automatically. In this thesis, malware detection through call graphs is studied. In a call graph, the functions of a binary executable are represented as vertices, and the calls between those functions as edges. By representing malware samples as call graphs, it is possible to derive and detect structural similarities between multiple samples. The latter can be used to implement generic malware detection schemes, which can proactively detect existing versions of the malware, as well as future releases with similar characteristics. To compare call graphs mutually, we compute pairwise graph similarity scores via graph matchings which minimize an objective function known as the Graph Edit Distance. Finding exact graph matchings is intractable for large call graph instances. Hence we investigate several efficient approximation algorithms. Next, to facilitate the discovery of similar malware samples, we employ several clustering algorithms, including variations on k-medoids clustering and DBSCAN clustering algorithms. Clustering experiments are conducted on a collection of real malware samples, and the results are evaluated against manual classifications provided by virus analysts from F-Secure Corporation. Experiments show that it is indeed possible to accurately detect malware families using the DBSCAN clustering algorithm. Based on our results, we anticipate that in the future it is possible to use call graphs to analyse the emergence of new malware families, and ultimately to automate implementing generic protection schemes for malware families.

692. Security Analysis of Future Internet Architectures
Ballester Lafuente, Carlos. January 2010
During the last decades, the Internet has evolved from host-centric to information-centric in the sense that it is information and data that matters, regardless of where it is located. Meanwhile, the Internet's architecture still remains the same as it was in its origins and still focuses on host-to-host communication, putting too much emphasis on the "where" rather than putting it on the "what". The original Internet architecture also introduces several security flaws such as DoS and DDoS, spoofing and spam, and other non-security related problems such as availability or location dependence related issues. In order to address these issues, several new architectures and protocols have been proposed. Some of them aim at redesigning totally the architecture of the Internet from scratch, while others aim at improving it without redesigning it totally. The aim of this Master Thesis is to analyze these new protocols and architectures from a security point of view in order to determine whether the security claims made are true or not. The security analysis is made based on RFCs, technical papers and project deliverables. The results obtained have uncovered some security issues in several of the new protocols and architectures and have provided some insight into further improving them.

693. Energy Efficiency of Streaming over Mobile Ad-hoc Networks
Pattabiraman, Prashanth. January 2010
Handheld mobile devices are widely used today primarily due to their rich functionality and the ease of portability. However, the battery life of these devices is very limited and deploying resource hungry applications such as streaming on these mobile devices is a challenging task. It is extremely important to maximize the efficient use of the contained resources on these devices especially when they participate in a mobile ad hoc network. The optimization can occur in any layer of the OSI stack, however, this thesis work focuses only on the routing protocols used in the network layer. In this thesis work we have been able to evaluate the Energy Efficiency of the four most widely used MANET routing protocols (AODV, OLSR, DSDV and DSR) in terms of their energy consumption and performance. The initial phase of the work was carried out using the Network Simulator 2 (NS2) tool and later the observations were done on a real world MANET testbed. The influence of several external factors on the performance and energy consumption is also taken into consideration while performing the simulations and experiments. The results obtained from our observations provide both qualitative and quantitative analysis of the routing protocols. Furthermore, it also highlights how the behaviour of the protocols is sometimes highly unpredictable, yielding results that we may not expect.

694. Secure data aggregation for wireless sensor network
Tran-Thi-Thuy, Trang. January 2010
As in conventional networks, security is also a big concern in wireless sensor networks. However, security in this type of network faces not only typical but also new challenges. Constrained devices, changing topology or susceptibility to unprecedented security threats such as node capture and node compromise have kept developers from applying conventional security solutions to wireless sensor networks. Hence, developing security solutions for wireless sensor networks requires not only sound security analysis but also low power and processing consumption. In this thesis, we implemented a security solution targeting IRIS sensor motes. In our implementation, a public key-based key exchange is used to establish shared secret keys between sensor nodes. These secret keys are used to provide authenticity, integrity and freshness for transmitted data. Our implementation ensures flexibility in integrating our solution with the available TinyOS operating system. Additionally, the thesis work also focuses on evaluating the performance in wireless sensor networks in terms of both memory and energy consumption.

695. Employing Ethernet Multiple Spanning Tree Protocol in an OpMiGua network
Veisllari, Raimena. January 2010
Hybrid optical packet/circuit switched networking architectures are increasingly becoming an interesting research field. They integrate and combine the high resource utilization of statistically multiplexed packet switched networks with the low processing requirements and guaranteed quality of service provided by circuit switched networks. The aim of this thesis is to integrate the OpMiGua hybrid optical network with Ethernet. Specifically, the work is focused on the compatibility of Ethernet's loop-free topology protocols with the redundant multiple traffic service paths of OpMiGua. We analyse the problems and limitations imposed on the network architecture and propose our topology solution called the SM chain-connectivity. The analysis and the proposed schemes are verified based on results obtained from simulations. Furthermore, we design an integrated logical OpMiGua node that relies on an Ethernet switch instead of the Optical Packet Switch for the Statistically Multiplexed traffic. To date, to our knowledge there are no studies analysing the compatibility of Ethernet and its protection mechanisms in a hybrid optical network. This is the first work addressing the use of Ethernet in OpMiGua.

696. Automated Security Analysis of Infrastructure Clouds
Bleikertz, Sören. January 2010
Cloud computing has gained remarkable popularity in recent years among a wide spectrum of consumers, ranging from small start-ups to governments. However, its benefits in terms of flexibility, scalability, and low upfront investments are shadowed by security challenges which inhibit its adoption. In particular, these highly flexible but complex cloud computing environments are prone to misconfigurations leading to security incidents, e.g., erroneous exposure of services due to faulty network security configurations. In this thesis we present a novel approach in the security assessment of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. In order to perform this assessment for the currently deployed configuration, we automated the process of extracting the configuration using the Amazon API and translating it into a generic data model for later analysis. In the assessment we focused on the reachability and vulnerability of services in the virtual infrastructure, and presented a way for the visualization and automated analysis based on reachability and attack graphs. We proposed a query and policy language for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. We have implemented the security assessment in a prototype and evaluated it for practical and theoretical scenarios. Furthermore, a framework is presented which allows the evaluation of configuration changes in the agile and dynamic cloud environments with regard to properties like vulnerabilities or expected availability. In case of a vulnerability perspective, this evaluation can be used to monitor the security levels of the configuration over its lifetime and to indicate degradations.

697. Specification of security properties by JML
Dulaj, Ilir. January 2010
Nowadays, verification of programs is gaining increased importance. The software industry appears more and more interested in methods and tools to ensure security in their applications. Java Modeling Language has been successfully used in the past by programmers to express their intentions in the Design by Contract fashion in sequential programming. One of the design goals of JML was to improve the functional software correctness of Java applications. Regarding the verification of security properties, JML was mostly successful in Java Smart Card applets due to the specifics of these applications. In this thesis work we investigate the feasibility of JML to express high-level security properties in Java applications that have more realistic requirements and are implemented in the object oriented technology. We do a threat analysis of a case study regarding a medical clinic and derive the required security properties to secure the application. We develop a prototype application where we specify high-level security properties with JML and use a runtime assertion checking tool to verify the code. We model the functional behavior of the prototype that establishes the security properties as a finite state automaton. Our prototype is developed based on this automaton. States and state transitions modeled in the automaton are expressed in the prototype with JML annotations and verified during runtime. We observe that currently available features in JML are not very feasible to capture the security related behavior of Java programs on the level of the entire application.

698. Design and implementation of a framework for security metrics creation / Konstruktion och användning av ett ramverk för säkerhetsmetriker
Lundholm, Kristoffer. January 2009
Measuring information security is the key to unlocking the knowledge of how secure information systems really are. In order to perform these measurements, security metrics can be used. Since all systems and organizations are different, there is no single set of metrics that is generally applicable. In order to help organizations create metrics, this thesis will present a metrics creation framework providing a structured way of creating the necessary metrics for any information system. The framework takes a high level information security goal as input, and transforms it to metrics using decomposition of goals that are then inserted into a template. The thesis also presents a set of metrics based on a minimum level of information security produced by the Swedish emergency management agency. This set of metrics can be used to show compliance with the minimum level or as a base when a more extensive metrics program is created.

699. Mänsklig säkerhet i Sudan - För vem och mot vad? [Human Security in Sudan: For Whom and Against What?]
Grundevik, Rick. January 2008
The concept of security is a contested one. The United Nations definition in UNDP's Development report of 1994 is the most authoritative and commonly cited. The civil war in Sudan has led to 2 million deaths and over 5.5 million refugees. In a resolution from 2005, the UN decided that the war in Sudan was a threat to international security and peace. On the 10th of January the UN decided that a peace commission ought to be sent with 10 000 military and civil men including 700 policemen.

The main purpose of this thesis is to improve our knowledge of those factors which can cause an increased risk of conflict within a state, and how that can affect the social conditions for individuals. First, I analyse which kind of threats to human security that are to be identified in Sudan. Secondly, I discuss and analyse the role of UN in Sudan, focusing on the human security issues. Different information from sources is analyzed through qualitative content analysis, with quantitative components. The theoretical perspective is based on Johan Galtung's theory concerning positive and negative peace, but also on the concept of human security.

Based on the collected data and the theoretical framework the conclusions are that there is a clear connection between the direct violence and the structural and cultural violence in south Sudan. It depends on the historical legacy but also because of the deep rooted structures of the institutions in Sudan. The conflict is about the oil and the ethnic and cultural identification. All this is a threat to the human security in Sudan, due to the condition about social equitable and the right to have a decent life. The UN has resolved the immediate military threat in the south of Sudan. There are a lot of things to be done before the security situation reaches the UN definition of human security. The Sudan government must be responsible for implementing policies to assure this security.

700. Develop a Secure Network – A Case Study
Rayapati, Habeeb. January 2010
In recent years, so many networks are being built and some of the organizations are able to provide security to their networks. The performance of a network depends on the amount of security implemented on the network without compromising the network capabilities. For building a secure network, administrators should know all the possible attacks and their mitigation techniques and should perform risk analysis to find the risks involved in designing the network. And they must also know how to design security policies for implementing the network and to educate the employees, to protect the organization’s information. The goal behind this case-study is to build a campus network which can withstand reconnaissance attacks.

This thesis describes all the network attacks and explores their mitigation techniques. This will help an administrator to be prepared for the coming attacks. This thesis explains how to perform risk analysis and the two different ways to perform risk analysis. It also describes the importance of security policies and how security policies are designed in real world.