The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations. Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
301

Users Perceptions on Computer Intrusion

Mohajer Soltani, Aria January 2016 (has links)
This thesis is built on the hypothesis that the average computer user has very little understanding regarding computer intrusion. Due to the prevalence of computers in our day and age, the prospect of users lacking even basic knowledge regarding something a user is at risk of encountering almost daily is worrying. This thesis presents the discrepancies between how computer intrusion occurs and how the average user believes computer intrusion occurs. It does this by conducting a series of qualitative interviews with interviewees having wide ranges of experience and knowledge regarding computer intrusion, quantifying their answers, and comparing the data to existing statistics on the topic. This thesis found that the average user does indeed understand very little about computer intrusion. When asked how they believe it occurs, they in general either gave very vague answers and were unable to elaborate, or gave answers that correspond to a movie or TV show stereotype of computer hacking, with nerdy hackers rapidly tapping on their keyboards causing their computer screens to flash with bright colors and fancy graphics. Furthermore, this thesis also found that even in users who had extensive experience working within IT or with computing, a clear lack of knowledge in many areas could be observed. Additionally, this thesis also managed to reach some additional interesting conclusions based on the data gathered that were not originally the goal of the survey, such as the fact that many users seem to be far more susceptible to phishing on social media as compared to email, and that users completely misunderstand the motives of people who perform computer intrusion.
302

Attacking Computer Security Using Peripheral Device Drivers

King, Michael Aaron 01 May 2010 (has links)
Malicious logic on a hardware device is difficult to detect. This thesis proposes a device driver that emulates a hardware device and that device’s software driver. This device driver attacks the target system by accessing the hard disk in order to perform read and write transactions without the knowledge of the operating system or intrusion detection/prevention software. The attacks performed by the driver compromise the confidentiality, integrity, and availability of data on the target system’s disk drive. The attacks performed by the device driver have a less than one percent impact on system performance. This thesis, while tested in a Windows environment, applies to other operating systems (such as Linux/Unix, etc.) and thus has major implications for a wide range of users.
303

PRIMA - Privilege Management and Authorization in Grid Computing Environments

Lorch, Markus 28 April 2004 (has links)
Computational grids and other heterogeneous, large-scale distributed systems require more powerful and more flexible authorization mechanisms to realize fine-grained access-control of resources. Computational grids are increasingly used for collaborative problem-solving and advanced science and engineering applications. Usage scenarios for advanced grids require support for small, dynamic working groups, direct delegation of access privileges among users, procedures for establishing trust relationships without requiring organizational level agreements, precise management by individuals of their privileges, and retention of authority by resource providers. Existing systems fail to provide the necessary flexibility and granularity to support these scenarios. The reasons include the overhead imposed by required administrator intervention, coarse granularity that only allows for all-or-nothing access control decisions, and the inability to implement finer-grained access control without requiring trusted application code. PRIMA, the model and system developed in this research, focuses on management and enforcement of fine-grained privileges. The PRIMA model introduces novel approaches that can be used in place of, or in combination with existing access control mechanisms. PRIMA enables the users of a system to manage access to their own assets directly without the need for, and costs of intervention by technical personnel. System administrators benefit from more flexible and fine-grained definition of access privileges and policies. A novel access control decision and enforcement model with support for legacy applications has been developed. The model uses on-demand account leasing and implements expressive enforcement mechanisms built on existing low-overhead security primitives of the operating systems. 
The combination of the PRIMA components constitutes a comprehensive security model that facilitates highly dynamic authorization scenarios and increases security through least privilege access to resources. In summary, PRIMA mechanisms enable the use of fine-grained access rights, reduce administrative costs to resource providers, enable ad-hoc and dynamic collaboration scenarios, and provide improved security service to long-lived grid communities. / Ph. D.
304

Remote misuse detection system using mobile agents and relational database query techniques

Kapoor, Bharat 01 April 2000 (has links)
No description available.
305

On the specification and analysis of secure transport layers

Dilloway, Christopher January 2008 (has links)
The world is becoming strongly dependent on computers, and on distributed communication between computers. As a result of this, communication security is important, sometimes critically so, to many day-to-day activities. Finding strategies for discovering attacks against security protocols and for proving security protocols correct is an important area of research. An increasingly popular technique that is used to simplify the design of security protocols is to rely on a secure transport layer to protect messages on the network, and to provide protection against attackers. In order to make the right decision about which secure transport layer protocols to use, and to compare and contrast different secure transport protocols, it is important that we have a good understanding of the properties that they can provide. To do this, we require a means to specify these properties precisely. The aim of this thesis is to improve our understanding of the security guarantees that can be provided by secure transport protocols. We define a framework in which one can capture security properties. We describe a simulation relation over specifications based on the events performed by honest agents. This simulation relation allows us to compare channels; it also allows us to specify the same property in different ways, and to conclude that the specifications are equivalent. We describe a hierarchy of confidentiality, authentication, session and stream properties. We present example protocols that we believe satisfy these specifications, and we describe which properties we believe that the various modes of TLS satisfy. We investigate the effects of chaining our channel properties through a trusted third party, and we prove an invariance theorem for the secure channel properties. We describe how one can build abstract CSP models of the secure transport protocol properties. 
We use these models to analyse two single sign-on protocols for the internet that rely on SSL and TLS connections to function securely. We present a new methodology for designing security protocols which is based on our secure channel properties. This new approach to protocol design simplifies the design process and results in a simpler protocol.
306

An exfiltration subversion demonstration

Murray, Jessica L. 06 1900 (has links)
Approved for public release, distribution is unlimited / A dynamic subversion attack on the Windows XP Embedded operating system is demonstrated to raise awareness in developers and consumers of the risk of subversion in commercial operating systems that may be safety critical. SCADA (Supervisory Control and Data Acquisition) systems that monitor and control our critical infrastructure depend on embedded systems. The attack can be loaded onto a fielded system that has been subverted with a small software artifice. The artifice could be inserted into the system at any time in the system's lifecycle. The attack provides a flexible method for the attacker, who may not be the same individual who inserted the artifice, to gain total control of the subverted system. Due to the dynamic loading property of this subversion, the attacker does not have to decide the aspect of the system to be targeted until a time of her choice. The attack does not exploit an existing flaw in the target module but is possible because the initial artifice is inserted into the kernel of an operating system where adversaries have access to source code. This thesis discusses certain aspects of known methods for developing systems free from subversion. Several projects that utilized these methods are presented. / Civilian, Naval Postgraduate School
307

Using the bootstrap concept to build an adaptable and compact subversion artifice

Lack, Lindsey A. 06 1900 (has links)
Approved for public release, distribution is unlimited / The attack of choice for a professional attacker is system subversion: the insertion of a trap door that allows the attacker to bypass an operating system's protection controls. This attack provides significant capabilities and a low risk of detection. One potential design is a trap door that itself accepts new programming instructions. This allows an attacker to decide the capabilities of the artifice at the time of attack rather than prior to its insertion. Early tiger teams recognized the possibility of this design and compared it to the two-card bootstrap loader used in mainframes, since both exhibit the characteristics of compactness and adaptability. This thesis demonstrates that it is relatively easy to create a bootstrapped trap door. The demonstrated artifice consists of 6 lines of C code that, when inserted into the Windows XP operating system, accept additional arbitrary code from the attacker, allowing subversion in any manner the attacker chooses. The threat from subversion is both extremely potent and eminently feasible. Popular risk mitigation strategies that rely on defense-in-depth are ineffective against subversion. This thesis focuses on how the use of the principles of layering, modularity, and information hiding can contribute to high-assurance development methodologies by increasing system comprehensibility. / Civilian, Naval Postgraduate School
308

DATA COLLECTION FRAMEWORK AND MACHINE LEARNING ALGORITHMS FOR THE ANALYSIS OF CYBER SECURITY ATTACKS

Unknown Date (has links)
The integrity of network communications is constantly being challenged by more sophisticated intrusion techniques. Attackers are shifting to stealthier and more complex forms of attacks in an attempt to bypass known mitigation strategies. Also, many detection methods for popular network attacks have been developed using outdated or non-representative attack data. To effectively develop modern detection methodologies, there exists a need to acquire data that can fully encompass the behaviors of persistent and emerging threats. When collecting modern day network traffic for intrusion detection, substantial amounts of traffic can be collected, much of which consists of relatively few attack instances as compared to normal traffic. This skewed distribution between normal and attack data can lead to high levels of class imbalance. Machine learning techniques can be used to aid in attack detection, but large levels of imbalance between normal (majority) and attack (minority) instances can lead to inaccurate detection results. / Includes bibliography. / Dissertation (Ph.D.)--Florida Atlantic University, 2019. / FAU Electronic Theses and Dissertations Collection
309

A Methodology for Detecting and Classifying Rootkit Exploits

Levine, John G. (John Glenn) 18 March 2004 (has links)
A Methodology for Detecting and Classifying Rootkit Exploits / John G. Levine / 164 Pages / Directed by Dr. Henry L. Owen / We propose a methodology to detect and classify rootkit exploits. The goal of this research is to provide system administrators, researchers, and security personnel with the information necessary in order to take the best possible recovery actions concerning systems that are compromised by rootkits. There is no such methodology available at present to perform this function. This may also help to detect and fingerprint additional instances and prevent further security instances involving rootkits. A formal framework was developed in order to define rootkit exploits as an existing rootkit, a modification to an existing, or an entirely new rootkit. A methodology was then described in order to apply this framework against rootkits that are to be investigated. We then proposed some new methods to detect and characterize specific types of rootkit exploits. These methods consisted of identifying unique string signatures of binary executable files as well as examining the system call table within the system kernel. We established a Honeynet in order to aid in our research efforts and then applied our methodology to a previously unseen rootkit that was targeted against the Honeynet. By using our methodology we were able to uniquely characterize this rootkit and identify some unique signatures that could be used in the detection of this specific rootkit. We applied our methodology against nine additional rootkit exploits and were able to identify unique characteristics for each of these rootkits. These characteristics could also be used in the prevention and detection of these rootkits.
310

Ethernet sniffing : a big threat to network security

Mukantabana, Beatrice January 1994 (has links)
Networks play an important role in today's information age. The need to share information and resources makes networks a necessity in almost any computing environment. In many cases, the network can be thought of as a large, distributed computer, with disks and other resources on big systems being shared by smaller workstations on people's desks. Security has long been an object of concern and study for both data processing systems and communications facilities. With computer networks, these concerns are combined, and for local networks, the problems may be more acute. Consider a full-capacity local network, with direct terminal access to the network, data files, and applications distributed among a variety of processors. This network may also provide access to and from long-haul communications and be part of an internet. Clearly, the task of providing security in such a complex environment is quite involved. The subject of security is a broad one and encompasses physical and administrative controls. The aim of this research is to explore the security problems pertaining to Ethernet networks. Different approaches to obtain a secure Ethernet environment are also discussed. / Department of Computer Science
