  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
71

IT security awareness among upper secondary school students: A quantitative study of IT security threats and risks for Internet users [It-säkerhetsmedvetenhet hos gymnasieungdomar : En kvantitativ studie om it-säkerhetshot och risker för Internetanvändare]

Persson, Fredrik, Åström, Joel January 2014
The purpose of this study is to find out how aware upper secondary school students are of IT security threats and risks on the Internet. This was done by first examining current threats through studying trend reports from leading IT security companies. This information was then used in a questionnaire to determine the level of knowledge and awareness of these IT security threats among upper secondary school students in Uppsala. The study shows that there is a need for increased knowledge in the area. In the results, particular shortcomings could be seen in the social aspects of IT security. The results of the survey can be used as support in developing education about risks and threats on the Internet.
72

A self-healing framework to combat cyber attacks : analysis and development of a self-healing mitigation framework against controlled malware attacks for enterprise networks

Alhomoud, Adeeb M. January 2014
Cybercrime costs a total loss of about $338 billion annually, which makes it one of the most profitable criminal activities in the world. Controlled malware (Botnet) is one of the most prominent tools used by cybercriminals to infect and compromise computer networks and steal important information. Infecting a computer is relatively easy nowadays with malware that propagates through social networking in addition to the traditional methods like SPAM messages and email attachments. In fact, more than 1/4 of all computers in the world are infected by malware, which makes them viable for botnet use. This thesis proposes, implements and presents the Self-healing framework that takes inspiration from the human immune system. The designed self-healing framework utilises the key characteristics and attributes of nature's immune system to reverse botnet infections. It employs its main components to heal the infected nodes. If the healing process is not successful for any reason, it immediately removes the infected node from the Enterprise's network to a quarantined network to avoid any further botnet propagation and alerts the Administrators for human intervention. The designed self-healing framework was tested and validated using different experiments and the results show that it efficiently heals the infected workstations in an Enterprise network.
73

Detecting Objective-C Malware through Memory Forensics

Case, Andrew 13 May 2016
Memory forensics is increasingly used to detect and analyze sophisticated malware. In the last decade, major advances in memory forensics have made analysis of kernel-level malware straightforward. Kernel-level malware has been favored by attackers because it essentially provides complete control over a machine. This has changed recently, as operating system vendors now routinely enforce driver signing, and strategies for protecting kernel data, such as Patch Guard, have made userland attacks much more attractive to malware authors. In this thesis, new techniques for detecting userland malware written in Objective-C on Mac OS X are presented. As the thesis illustrates, Objective-C provides a rich set of APIs that malware uses to manipulate and steal data and to perform other malicious activities. The novel memory forensics techniques presented in this thesis deeply examine the state of the Objective-C runtime, identifying a number of suspicious activities, from keystroke logging to pointer swizzling.
74

A multi-layer approach to designing secure systems: from circuit to software

Zhou, Boyou 04 June 2019
In the last few years, security has become one of the key challenges in computing systems. Failures in the secure operations of these systems have led to massive information leaks and cyber-attacks. Case in point: the identity leaks from Equifax in 2016, the Spectre and Meltdown attacks on Intel and AMD processors in 2017, and the cyber-attacks on Facebook in 2018. These recent attacks have shown that intruders attack different layers of the systems, from low-level hardware to software as a service (SaaS). To protect the systems, the defense mechanisms should confront the attacks in the different layers of the systems. In this work, we propose four security mechanisms for computing systems: (i) using backside imaging to detect Hardware Trojans (HTs) in Application Specific Integrated Circuit (ASIC) chips, (ii) developing energy-efficient reconfigurable cryptographic engines, (iii) examining the feasibility of malware detection using Hardware Performance Counters (HPCs). Most threat models assume that the root of trust is the hardware running beneath the software stack. However, attackers can insert malicious hardware blocks, i.e. HTs, into the Integrated Circuits (ICs) that provide back-doors to the attackers or leak confidential information. HTs inserted during fabrication are extremely hard to detect since their overheads in performance and power are below the variations in performance and power caused by manufacturing. In our work, we have developed an optical method that identifies modified or replaced gates in the ICs. We use near-infrared light to image the ICs because silicon is transparent to near-infrared light and metal reflects infrared light. We leverage near-infrared imaging to identify the location of each gate, based on the signatures of metal structures reflected by the lowest metal layer.
By comparing the imaged results to the pre-fabrication design, we can identify any modifications, shifts or replacements in the circuits to detect HTs. With the trust of the silicon, the computing system must use secure communication channels for its applications. Low-energy-cost devices, such as those in the Internet of Things (IoT), leverage strong cryptographic algorithms (e.g. AES, RSA, and SHA) during communications. The cryptographic operations cost the IoT devices a significant amount of power. As a result, the power budget limits their applications. To mitigate the high power consumption, modern processors embed these cryptographic operations into hardware primitives. This also improves system performance. The hardware unit embedded into the processor provides high energy-efficiency and low energy cost. However, hardware implementations limit flexibility. The longevity of the IoTs can exceed the lifetime of the cryptographic algorithms. The replacement of the IoT devices is costly and sometimes prohibitive, e.g., monitors in nuclear reactors. In order to reconfigure cryptographic algorithms into hardware, we have developed a system with a reconfigurable encryption engine on the Zedboard platform. The hardware implementation of the engine ensures fast, energy-efficient cryptographic operations. With reliable hardware and secure communication channels in place, the computing systems should detect any malicious behaviors in the processes. We have explored the use of Hardware Performance Counters (HPCs) in malware detection. HPCs are hardware units that count micro-architectural events, such as cache hits/misses and floating point operations. Anti-virus software is commonly used to detect malware but it also introduces performance overhead. To reduce anti-virus performance overhead, many researchers propose to use HPCs with machine learning models in malware detection.
However, it is counter-intuitive that high-level program behaviors can manifest themselves in low-level statistics. We perform experiments using 2∼3× larger program counts than the previous works and perform a rigorous analysis to determine whether HPCs can be used to detect malware. Our results show that the False Discovery Rate of malware detection can reach 20%. If we deploy this detection system on a freshly installed Windows 7 system, among 1,323 binaries, 198 binaries would be flagged as malware.
75

Automated Reverse Engineering of Malware to Develop Network Signatures to Match with Known Network Signatures

Sinema, Dan 01 May 2014
Illicit software that seeks to steal user information, deny service, or cause general mayhem on computer networks is often discovered after the damage has been done. The ability to discover network behavior of software before a computer network is utilized would allow administrators to protect and preserve valuable resources. Static reverse engineering is the process of discovering in an offline environment how a software application is built and how it will behave. By automating static reverse engineering, software behavior can be discovered before it is executed on client devices. Fingerprints are then built from the discovered behavior, which is matched with known malicious fingerprints to identify potentially dangerous software.
76

Malicious URL Detection in Social Network

Su, Qun-kai 15 August 2011
Social network web sites have become very popular nowadays. Users can establish connections with other users, forming a social network, and quickly share information, photographs, and videos with friends. Malware called social network worms can send text messages with malicious URLs by employing social engineering techniques. They try to get users to click a malicious URL and infect them. They can also quickly attack others through infected user accounts in the social network. Out of curiosity, most users click without validation. This thesis proposes a malicious URL detection method for the Facebook wall, which uses heuristic features with high classification property and a machine learning algorithm to predict the safety of URL messages. Experiments show that the proposed approach can achieve about 96.3% True Positive Rate, 95.4% True Negative Rate, and 95.7% Accuracy.
77

Code Classification Based on Structure Similarity

Yang, Chia-hui 14 September 2012
Automatically classifying the source code of malware variants is the most important research issue in the field of digital forensics. By means of malware classification, we can get the complete behavior of malware, which can simplify the forensics task. In previous research, researchers used malware binaries to perform dynamic analysis or static analysis after reverse engineering. On the other hand, malware developers use anti-VM and obfuscation techniques to try to cheat malware classifiers. With honeypots increasingly used, researchers can get more and more malware source code. Analyzing this source code could be the best way to classify malware. In this paper, a novel classification approach is proposed which is based on the logic and directory structure similarity of malware. All collected source code will be classified correctly by a hierarchical clustering algorithm. The proposed system not only helps us classify known malware correctly but also finds new types of malware. Furthermore, it saves forensics staff from spending too much time reanalyzing known malware. The system could also help in understanding the attacker's behavior and purpose. The experimental results demonstrate that the system can classify the malware correctly and can be applied to other aspects of source code classification.
78

Efficient Hypervisor Based Malware Detection

Klemperer, Peter Friedrich 01 December 2014
Recent years have seen an uptick in master boot record (MBR) based rootkits that load before the Windows operating system and subvert the operating system’s own procedures. As such, MBR rootkits are difficult to counter with operating system-based antivirus software that runs at the same privilege level as the rootkits. Hypervisors operate at a higher privilege level than the guests they manage, creating a high-ground position in the host. This high-ground position can be exploited to perform security checks on the virtual machine guests where the checking software is isolated from guest-based viruses. The efficient introspection system described in this thesis targets existing virtualized systems to improve security with real-time, concurrent memory introspection capabilities. Efficient introspection decouples memory introspection from virtual machine guest execution and establishes coherent and consistent memory views between the host and running guest, while maintaining normal guest operation. Existing introspection systems have provided one or two of these properties but not all three at once. This thesis presents a new concurrent-computing approach – high-performance memory snapshotting – to accelerating hypervisor-based introspection of virtual machine guest memory that combines all three elements to improve performance and security. Memory snapshots create a coherent and consistent memory view of the guest that can be shared with the independently running introspection application. Three memory snapshotting mechanisms are presented and evaluated for their impact on normal guest operation. Existing introspection systems and security protection techniques that were previously dismissed as too slow are now enabled by efficient introspection.
This thesis explains why existing introspection systems are inadequate, describes how existing system performance can be improved, evaluates an efficient introspection prototype on both applications and microbenchmarks, and discusses two potential security applications that are enabled by efficient introspection. These applications point to efficient introspection’s utility for supporting useful security applications.
79

A social approach to security : using social networks to help detect malicious web content /

Robertson, Michael J. January 2010
Typescript. Includes bibliographical references (leaves 108-111).
80

EtherAnnotate: a transparent malware analysis tool for integrating dynamic and static examination

Eads, Joshua Michael, January 2010
Thesis (M.S.)--Missouri University of Science and Technology, 2010. / Vita. The entire thesis text is included in file. Title from title screen of thesis/dissertation PDF file (viewed May 4, 2010) Includes bibliographical references (p. 65-68).
