  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Understanding malware autostart techniques with web data extraction

Gottlieb, Matthew. January 2009
Thesis (M.S.)--Rochester Institute of Technology, 2009. / Typescript. Includes bibliographical references (leaves 44-45).
2

Countering kernel malware in virtual execution environments

Xuan, Chaoting. January 2009
Thesis (Ph.D)--Electrical and Computer Engineering, Georgia Institute of Technology, 2010. / Committee Chair: Copeland A. John; Committee Member: Alessandro Orso; Committee Member: Douglas M. Blough; Committee Member: George F. Riley; Committee Member: Raheem A. Beyah. Part of the SMARTech Electronic Thesis and Dissertation Collection.
3

A social approach to security : using social networks to help detect malicious web content

Robertson, Michael J. January 2010
Typescript. Includes bibliographical references (leaves 108-111).
4

EtherAnnotate: a transparent malware analysis tool for integrating dynamic and static examination

Eads, Joshua Michael. January 2010 (PDF)
Thesis (M.S.)--Missouri University of Science and Technology, 2010. / Vita. The entire thesis text is included in file. Title from title screen of thesis/dissertation PDF file (viewed May 4, 2010) Includes bibliographical references (p. 65-68).
5

Reverse engineering of a malware eyeing the future of security

Burji, Supreeth Jagadish. January 2009
Thesis (M.S.)--University of Akron, Dept. of Computer Science, 2009. / "August, 2009." Title from electronic thesis title page (viewed 11/11/2009) Advisor, Kathy J. Liszka; Faculty Readers, Timothy W. O'Neil, Wolfgang Pelz; Department Chair, Chien-Chung Chan; Dean of the College, Chand Midha; Dean of the Graduate School, George R. Newkome. Includes bibliographical references.
6

On Resilience to Computable Tampering

Ball Jr, Maynard Marshall January 2021
Non-malleable codes, introduced by Dziembowski, Pietrzak, and Wichs (ICS 2010), provide a means of encoding information such that if the encoding is tampered with, the result encodes something either identical or completely unrelated. Unlike error-correcting codes (for which the result of tampering must always be identical), non-malleable codes give guarantees even when tampering functions are allowed to change every symbol of a codeword. In this thesis, we provide constructions of non-malleable codes secure against a variety of tampering classes with natural computational semantics:
• Bounded-Communication: functions corresponding to 2-party protocols where each party receives half the input and may communicate fewer than n/4 bits before returning its half of the tampered output.
• Local Functions (Juntas): each tampered output bit is a function of only n^(1-δ) input bits, where δ > 0 is any constant (the efficiency of our code depends on δ). This class includes NC⁰.
• Decision Trees: each tampered output bit is a function of n^(1/4 - o(1)) adaptively chosen bits.
• Small-Depth Circuits: each tampered output bit is produced by a polynomial-size circuit of depth c·log(n)/log log(n), for some constant c. This class includes AC⁰.
• Low-Degree Polynomials: each tampered output field element is produced by a polynomial of low degree relative to the field size.
• Polynomial-Size Circuit Tampering: each tampered codeword is produced by a circuit of size n^c, where c is any constant (the efficiency of our code depends on c). This result assumes that E is hard for exponential-size nondeterministic circuits (all other results are unconditional).
We stress that our constructions are efficient (encoding and decoding can be performed in uniform polynomial time) and (with the exception of the last result, which assumes strong circuit lower bounds) enjoy unconditional, statistical security guarantees.
We also illuminate some potential barriers to constructing codes for more complex computational classes from simpler assumptions.
7

Deep Learning for Android Application Ransomware Detection

Unknown Date
Smartphones and mobile tablets are growing rapidly and are very important nowadays. The most popular mobile operating system since 2012 has been Android. Android is an open source platform that allows developers to take full advantage of both the operating system and the applications themselves. However, because of the open source nature of the Android platform, some Android developers have taken advantage of this and created countless malicious applications such as Trojans, malware, and ransomware, all of which are currently hidden among a large number of benign apps in official Android markets such as Google Play Store and Amazon. Ransomware is malware that, once it has infected the victim's device, encrypts files, locks the device, and displays a popup message asking the victim to pay a ransom in order to unlock the device or system, which may include medical devices connected through the internet. In this research, we propose to combine permissions and API calls and then use deep learning techniques to detect ransomware apps from the Android market. Permission settings and API calls are extracted from each app file using a Python library called AndroGuard. We use permission and API call features to characterize each application, which can identify whether an application is potentially ransomware or benign. We implement our Android ransomware detection framework on Keras, using an MLP with back-propagation and a supervised algorithm. We evaluated our method with experiments on real-world applications: over 2000 benign applications and 1000 ransomware applications. The dataset came from ARGUS's lab [1]. We validated algorithm performance and selected the best architecture for the multi-layer perceptron (MLP) by training on our dataset with 6 different MLP structures. Our experiments and validations show that MLPs with more than 3 hidden layers and a medium number of neurons achieved good results, with both accuracy and AUC score of 98%.
The worst scores, approximately 45% to 60%, came from MLPs with 2 hidden layers and a large number of neurons. / Includes bibliography. / Thesis (M.S.)--Florida Atlantic University, 2018. / FAU Electronic Theses and Dissertations Collection
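As an added example (not code from the thesis or from ARGUS's lab), the pipeline the abstract describes reduced to its essentials in pure Python: permission and API-call sets stand in for AndroGuard's output, every name seen in the training set becomes one binary column, and a one-hidden-layer MLP is trained with hand-written back-propagation in place of Keras. The sample apps, their feature names and labels are constructed for illustration, as are the hidden-layer size, learning rate and epoch count:

```python
"""Added example, not the thesis's code: permission/API-call features and a
small MLP trained by back-propagation. Sample apps below are constructed."""
import math
import random

# Constructed sample apps: (permissions, API calls, label), label 1 = ransomware,
# 0 = benign. Names mimic AndroGuard output; the apps are not real-world data.
SAMPLE_APPS = [
    ({"INTERNET", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
      "SYSTEM_ALERT_WINDOW", "RECEIVE_BOOT_COMPLETED"},
     {"Ljavax/crypto/Cipher;->doFinal", "Landroid/app/admin/DevicePolicyManager;->lockNow",
      "Ljava/io/File;->delete", "Landroid/view/WindowManager;->addView"}, 1),
    ({"INTERNET", "WRITE_EXTERNAL_STORAGE", "SYSTEM_ALERT_WINDOW", "WAKE_LOCK"},
     {"Ljavax/crypto/Cipher;->init", "Ljavax/crypto/Cipher;->doFinal",
      "Landroid/view/WindowManager;->addView", "Ljava/io/File;->listFiles"}, 1),
    ({"INTERNET", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
      "RECEIVE_BOOT_COMPLETED", "KILL_BACKGROUND_PROCESSES"},
     {"Ljavax/crypto/Cipher;->doFinal", "Ljava/io/File;->renameTo", "Ljava/io/File;->delete",
      "Landroid/app/admin/DevicePolicyManager;->lockNow"}, 1),
    ({"INTERNET", "SYSTEM_ALERT_WINDOW", "RECEIVE_BOOT_COMPLETED"},
     {"Landroid/app/admin/DevicePolicyManager;->resetPassword",
      "Landroid/view/WindowManager;->addView",
      "Landroid/telephony/TelephonyManager;->getDeviceId"}, 1),
    ({"INTERNET", "ACCESS_NETWORK_STATE"},
     {"Ljava/net/HttpURLConnection;->connect", "Landroid/content/SharedPreferences;->edit"}, 0),
    ({"INTERNET", "CAMERA", "WRITE_EXTERNAL_STORAGE"},
     {"Landroid/hardware/Camera;->takePicture", "Ljava/io/File;->createNewFile",
      "Landroid/provider/MediaStore$Images$Media;->insertImage"}, 0),
    ({"INTERNET", "ACCESS_FINE_LOCATION"},
     {"Landroid/location/LocationManager;->requestLocationUpdates",
      "Ljava/net/HttpURLConnection;->connect"}, 0),
    ({"INTERNET", "VIBRATE", "WAKE_LOCK"},
     {"Landroid/media/MediaPlayer;->start", "Landroid/content/SharedPreferences;->edit",
      "Landroid/app/NotificationManager;->notify"}, 0),
]


def build_vocab(apps):
    """Map every permission and API call seen in the training set to a column."""
    names = sorted({f for perms, apis, _ in apps for f in perms | apis})
    return {name: i for i, name in enumerate(names)}


def vectorize(perms, apis, vocab):
    """Binary feature vector; names unseen at training time are ignored."""
    vec = [0.0] * len(vocab)
    for f in perms | apis:
        if f in vocab:
            vec[vocab[f]] = 1.0
    return vec


def sigmoid(x):
    x = max(-60.0, min(60.0, x))          # avoid overflow in exp
    return 1.0 / (1.0 + math.exp(-x))


class MLP:
    """One hidden layer, sigmoid units, back-propagation on binary cross-entropy."""

    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in)] for _ in range(n_hidden)]
        self.b1 = [0.0] * n_hidden
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden)]
        self.b2 = 0.0

    def forward(self, x):
        hidden = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
                  for row, b in zip(self.w1, self.b1)]
        out = sigmoid(sum(w * h for w, h in zip(self.w2, hidden)) + self.b2)
        return hidden, out

    def train(self, X, y, epochs=2000, lr=0.5):
        for _ in range(epochs):
            for x, target in zip(X, y):
                hidden, out = self.forward(x)
                d_out = out - target           # dLoss/dz for sigmoid output + BCE
                d_hidden = [d_out * w * h * (1.0 - h) for w, h in zip(self.w2, hidden)]
                for j, h in enumerate(hidden):
                    self.w2[j] -= lr * d_out * h
                self.b2 -= lr * d_out
                for j, dh in enumerate(d_hidden):
                    row = self.w1[j]
                    for i, xi in enumerate(x):
                        row[i] -= lr * dh * xi
                    self.b1[j] -= lr * dh

    def predict(self, x):
        return self.forward(x)[1]


def train_detector(apps, n_hidden=8, seed=0):
    vocab = build_vocab(apps)
    X = [vectorize(p, a, vocab) for p, a, _ in apps]
    y = [float(label) for _, _, label in apps]
    model = MLP(len(vocab), n_hidden, seed)
    model.train(X, y)
    return model, vocab


def ransomware_score(model, vocab, perms, apis):
    """Score in [0, 1]; >= 0.5 is classified as ransomware."""
    return model.predict(vectorize(perms, apis, vocab))


def training_accuracy(model, vocab, apps):
    hits = sum((ransomware_score(model, vocab, p, a) >= 0.5) == bool(label)
               for p, a, label in apps)
    return hits / len(apps)


if __name__ == "__main__":
    model, vocab = train_detector(SAMPLE_APPS)
    print("training accuracy:", training_accuracy(model, vocab, SAMPLE_APPS))
    unseen = ({"INTERNET", "WRITE_EXTERNAL_STORAGE", "SYSTEM_ALERT_WINDOW"},
              {"Ljavax/crypto/Cipher;->doFinal",
               "Landroid/app/admin/DevicePolicyManager;->lockNow"})
    print("unseen app score:", round(ransomware_score(model, vocab, *unseen), 3))
```

What a real deployment adds is the AndroGuard call that produces the permission and API sets from an APK. Two details carry over regardless of framework: the vocabulary is built from training data only, so a feature first seen at classification time is dropped rather than silently growing the input layer, and the 0.5 threshold is the knob behind the accuracy/AUC figures the abstract reports.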
8

Influence modeling and malicious users identification in interactive networks. / CUHK electronic theses & dissertations collection

January 2012
Because of the huge user base of online social networks and the viral spread of the word-of-mouth effect, targeted advertising that uses a small number of users to attract a large number of users is very effective in viral marketing. A company can first give free products to a small fraction of users on an online social network and then rely on those users to recommend the product to their friends, thereby raising overall sales of the product. In this thesis we consider the following advertising problem in online social networks: given an advertising budget, for example a fixed number of free products, the company needs to determine the probability that users in the online social network will eventually purchase the product. To study this problem, we model online social networks as scale-free graphs with or without a high clustering coefficient. We use several influence mechanisms to characterize influence propagation in such large-scale networks, and use the local mean-field technique to analyze networks in which node states are changed by these influence mechanisms. We run extensive simulations to validate our theoretical models. These models provide insight and guidance for designing effective advertising strategies in online social networks.
Although the viral spread of the word-of-mouth effect can effectively promote product sales, it also opens the door to malicious behavior: dishonest users may deliberately give wrong recommendations to their friends and thereby distort the normal distribution of market share. To address this problem, we propose a general detection framework and, based on it, develop a set of fully distributed detection algorithms to identify dishonest users in online social networks. We consider both the case where dishonest users adopt a baseline strategy and the case where they adopt an intelligent strategy. We measure the performance of the detection algorithms by deriving the probability of false positive, the probability of false negative, and the distribution of the time needed to detect a dishonest user. Extensive simulations not only illustrate the impact of dishonest recommendations but also validate the effectiveness of the detection algorithms. We also apply the general detection framework to the problem of pollution attacks in wireless mesh networks and peer-to-peer live streaming networks. In network-coding-enabled wireless mesh networks, pollution attack is a serious security problem: a malicious node can easily launch one, causing polluted packets to spread epidemically and consume network resources. The general detection framework can also be used to address this problem. Specifically, we use a time-based checksum and batch verification to decide whether polluted packets are present, and then propose a set of fully distributed detection algorithms. The algorithms remain effective even in the presence of smart attackers, that is, nodes that pretend to be legitimate and transmit valid packets in order to reduce their chance of being detected. Furthermore, to handle attackers that cooperatively inject polluted packets and to speed up detection, we propose an enhanced detection algorithm. We also give formal analysis to quantify the performance of the detection algorithms. Finally, simulations and a system prototype validate our theoretical analysis and the effectiveness of the detection algorithms.
Pollution attacks also have a severe impact on peer-to-peer live streaming infrastructure; for example, they can reduce the number of legitimate users by as much as 85%. For the attack problem in such networks we again apply the general detection framework and propose distributed detection algorithms to identify pollution attackers. We also provide theoretical analysis to quantify the performance of the detection algorithms and thereby demonstrate their effectiveness.
Due to the large population in online social networks and the epidemic spreading of the word-of-mouth effect, targeted advertisement which uses a small fraction of buyers to attract a large population of buyers is very efficient in viral marketing; for example, companies can provide incentives (e.g., via free samples of a product) to a small group of users in an online social network, and these users can provide recommendations to their friends so as to increase the overall sales of the product. In particular, we consider the following advertisement problem in online social networks: given a fixed advertisement investment, e.g., a number of free samples, a company needs to determine the probability that users in the online social network will eventually purchase the product.
To address this problem, we model online social networks as scale-free graphs with/without high clustering coefficient. We employ various influence mechanisms that govern the influence spreading in such large scale networks and use the local mean field technique to analyze them, wherein states of nodes can be changed by various influence mechanisms. We carry out extensive simulations to validate our models, which can provide insight on designing efficient advertising strategies in online social networks. / Although epidemic spreading of the word-of-mouth effect can increase the sales of a product efficiently in viral marketing, it also opens doors for malicious behaviors: dishonest users may intentionally give wrong recommendations to their friends so as to distort the normal sales distribution. To address this problem, we propose a general detection framework and develop a set of fully distributed detection algorithms to discover dishonest users in online social networks by applying the general detection framework. We consider both cases when dishonest users adopt (1) a baseline strategy, and (2) an intelligent strategy. We quantify the performance of the detection algorithms by deriving the probability of false positive, the probability of false negative and the distribution function of the time needed to detect dishonest users. Extensive simulations are carried out to illustrate the impact of dishonest recommendations and the effectiveness of the detection algorithms. / We also apply the general detection framework to address the problem of pollution attack in wireless mesh networks (WMNs) and peer-to-peer (P2P) streaming networks. Pollution attack is a severe security problem in network-coding enabled wireless mesh networks, and malicious nodes can easily launch such a form of attack to create an epidemic spreading of polluted packets and deplete network resources. The general detection framework can also be applied to address such a security problem.
Specifically, we employ the time-based checksum and batch verification to determine the existence of polluted packets, then propose a set of fully distributed detection algorithms. We also allow the presence of "smart" attackers, i.e., they can pretend to be legitimate nodes and probabilistically transmit valid packets so as to reduce the chance of being detected. To address the case when attackers cooperatively inject polluted packets and to speed up the detection, an enhanced detection algorithm is also developed. Furthermore, we provide formal analysis to quantify the performance of the detection algorithms. At last, simulations and system prototyping are also carried out to validate the theoretic analysis and show the effectiveness and efficiency of the detection algorithms. / To address the problem of pollution attack in P2P streaming networks, which is known to have a disastrous effect on existing P2P infrastructures, e.g., it can reduce the number of legitimate users by as much as 85%, we also propose distributed detection algorithms to identify pollution attackers by applying the general framework. Moreover, we provide theoretical analysis to quantify the performance of the detection algorithms so as to show their effectiveness and efficiency. / Detailed summary in vernacular field only. / Li, Yongkun. / Thesis (Ph.D.)--Chinese University of Hong Kong, 2012. / Includes bibliographical references (leaves 148-157). / Electronic reproduction. Hong Kong : Chinese University of Hong Kong, [2012] System requirements: Adobe Acrobat Reader. Available via World Wide Web. / Abstract also in Chinese.
Chapter 1 --- Introduction --- p.1
Chapter 2 --- Influence Modeling in Online Social Networks --- p.7
Chapter 2.1 --- Scale-free Graphs without High Clustering Coefficient --- p.8
Chapter 2.1.1 --- Modeling Online Social Networks --- p.8
Chapter 2.1.2 --- q-influence Model --- p.11
Chapter 2.1.3 --- m-threshold Influence Model --- p.14
Chapter 2.1.4 --- Majority Rule Influence Model --- p.16
Chapter 2.2 --- Scale-free Graphs with High Clustering Coefficient --- p.19
Chapter 2.3 --- Generalized Influence Models --- p.21
Chapter 2.3.1 --- Deterministic Influence Model --- p.21
Chapter 2.3.2 --- Probabilistic Influence Model --- p.25
Chapter 2.4 --- Multi-state Model --- p.27
Chapter 2.4.1 --- Example of 3-State Majority Rule --- p.32
Chapter 3 --- Identifying Dishonest Recommenders in Online Social Networks --- p.35
Chapter 3.1 --- General Detection Framework --- p.37
Chapter 3.2 --- Modeling the Behaviors of Users --- p.41
Chapter 3.2.1 --- Products and Recommendations --- p.41
Chapter 3.2.2 --- Behaviors of Users --- p.43
Chapter 3.3 --- Distributed Detection Algorithms --- p.45
Chapter 3.3.1 --- Identifying Dishonest Recommenders when Baseline Strategy is Adopted --- p.46
Chapter 3.3.2 --- Identifying Dishonest Recommenders when Intelligent Strategy is Adopted --- p.53
Chapter 3.3.3 --- Complete Detection Algorithm --- p.57
Chapter 3.4 --- Cooperative Algorithm to Speed up the Detection --- p.58
Chapter 3.5 --- Algorithm Dealing with User Churn --- p.61
Chapter 4 --- Identifying Pollution Attackers in Network Coding Enabled Wireless Mesh Networks --- p.64
Chapter 4.1 --- Introduction on Wireless Mesh Networks and Pollution Attack --- p.64
Chapter 4.2 --- Network Coding and Time-based Checksum Batch Verification --- p.66
Chapter 4.3 --- Basic Detection Algorithms --- p.70
Chapter 4.3.1 --- Core Idea of the Detection Algorithms --- p.71
Chapter 4.3.2 --- Attackers with Imitation Probability δ = 0 --- p.74
Chapter 4.3.3 --- Attackers with Imitation Probability δ > 0 --- p.78
Chapter 4.3.4 --- Improvement on Probability of False Negative --- p.81
Chapter 4.4 --- Enhanced Detection Algorithm --- p.82
Chapter 4.4.1 --- Detection Algorithm --- p.82
Chapter 4.4.2 --- Performance Analysis --- p.87
Chapter 4.4.3 --- Detection Acceleration --- p.91
Chapter 4.5 --- Alternative Detection Algorithms --- p.92
Chapter 5 --- Identifying Pollution Attackers in Peer-to-Peer Live Streaming Systems --- p.95
Chapter 5.1 --- Introduction on Peer-to-Peer Streaming Systems and the Problem of Pollution Attack --- p.95
Chapter 5.2 --- Detection Algorithms --- p.97
Chapter 5.2.1 --- Imitation Probability δ = 0 --- p.99
Chapter 5.2.2 --- Imitation Probability δ > 0 --- p.102
Chapter 5.2.3 --- Improvement on Probability of False Negative --- p.104
Chapter 6 --- Performance Evaluation --- p.106
Chapter 6.1 --- Influence Modeling in Online Social Networks --- p.107
Chapter 6.1.1 --- Online Social Networks without High Clustering Coefficient --- p.107
Chapter 6.1.2 --- Online Social Networks with High Clustering Coefficient --- p.113
Chapter 6.1.3 --- Performance Evaluation of the Multi-state Model --- p.116
Chapter 6.2 --- Performance Evaluation of the Detection Algorithms in Online Social Networks --- p.118
Chapter 6.2.1 --- Synthesizing Dynamically Evolving Online Social Networks --- p.118
Chapter 6.2.2 --- Impact of Wrong Recommendations --- p.120
Chapter 6.2.3 --- Performance Evaluation of the Detection Algorithms --- p.121
Chapter 6.3 --- Performance Evaluation of the Detection Algorithms in Wireless Mesh Networks --- p.126
Chapter 6.3.1 --- Performance of the Basic Detection Algorithms --- p.126
Chapter 6.3.2 --- Results from System Prototype --- p.131
Chapter 6.3.3 --- Performance of the Enhanced Detection Algorithm --- p.132
Chapter 6.4 --- Performance Evaluation of the Detection Algorithms in Peer-to-peer Streaming Networks --- p.136
Chapter 6.4.1 --- Performance of the Baseline Algorithm --- p.136
Chapter 6.4.2 --- Performance of the Randomized Algorithm --- p.138
Chapter 6.4.3 --- Derive Optimal Uploading Probability --- p.141
Chapter 7 --- Related Work and Conclusion --- p.143
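The abstract quantifies its detectors by probability of false positive, probability of false negative and the distribution of detection time, for attackers with an imitation probability δ (Chapters 4.3.2, 4.3.3, 5.2.1 and 5.2.2). What follows is an added worked example of those three quantities for a deliberately simple threshold detector; it is not the thesis's algorithm, and it rests on a model of mine: one packet charged to a node per round, an attacker sending a polluted packet with probability 1 - δ, an honest node's packet misjudged as polluted with probability ε, and a node flagged once k packets have been charged to it. The Monte Carlo function cross-checks the closed forms the way the thesis's simulations check its analysis:

```python
"""Added example, not the thesis's detector: closed-form false positive,
false negative and detection-time figures for a k-strikes threshold detector
under the round-based model described in the lead-in (an assumption)."""
import math
import random


def prob_flagged_by(t, p, k):
    """P(at least k of t rounds are charged as polluted) = P(Binomial(t, p) >= k)."""
    return sum(math.comb(t, i) * p ** i * (1.0 - p) ** (t - i) for i in range(k, t + 1))


def detection_time_pmf(t, p, k):
    """P(the k-th charged packet arrives exactly in round t): negative binomial."""
    if t < k:
        return 0.0
    return math.comb(t - 1, k - 1) * p ** k * (1.0 - p) ** (t - k)


def expected_detection_time(delta, k):
    """Mean rounds to flag an attacker that imitates an honest node with probability delta."""
    return k / (1.0 - delta)


def false_negative(delta, k, horizon):
    """Attacker still unflagged after `horizon` rounds."""
    return 1.0 - prob_flagged_by(horizon, 1.0 - delta, k)


def false_positive(eps, k, horizon):
    """Honest node wrongly flagged within `horizon` rounds."""
    return prob_flagged_by(horizon, eps, k)


def min_threshold(eps, horizon, max_fp):
    """Smallest k whose false-positive probability over the horizon is <= max_fp."""
    for k in range(1, horizon + 1):
        if false_positive(eps, k, horizon) <= max_fp:
            return k
    return horizon + 1  # unreachable within this horizon: never flags


def simulate_flag_rate(p, k, horizon, trials=20000, seed=1):
    """Monte Carlo cross-check of prob_flagged_by for one kind of node."""
    rng = random.Random(seed)
    flagged = 0
    for _ in range(trials):
        charged = 0
        for _ in range(horizon):
            if rng.random() < p:
                charged += 1
                if charged >= k:
                    flagged += 1
                    break
    return flagged / trials


if __name__ == "__main__":
    eps, delta, horizon = 0.05, 0.5, 20          # constructed parameters
    k = min_threshold(eps, horizon, max_fp=0.01)
    print(f"k={k}: FP={false_positive(eps, k, horizon):.4f} "
          f"FN={false_negative(delta, k, horizon):.4f} "
          f"E[T_detect]={expected_detection_time(delta, k):.1f} rounds")
    print("simulated attacker flag rate:", simulate_flag_rate(1 - delta, k, horizon))
```

The trade-off the thesis's δ > 0 sections deal with shows up directly: raising k to hold the false-positive rate down stretches the attacker's expected detection time by k/(1 - δ), and an attacker who imitates often enough (δ close to 1) pushes the false-negative probability over any fixed horizon toward 1, which is why the thesis adds cooperative and enhanced algorithms rather than tuning a single threshold.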
9

Hitch-hiking attacks in online social networks and their defense via malicious URL classification. / CUHK electronic theses & dissertations collection

January 2012
In recent years the number of cyber crimes has been increasing rapidly. It is now commonplace for malware authors to write malicious programs that steal users' personal information or provide spam-based marketing services for profit. To spread malware more effectively, hackers have begun to target popular online social networking services (SNS), exploiting the inherent trust between SNS users and the interactive nature of the services. A common attack method is for malware to log in automatically with stolen SNS user credentials and then deliver malicious URLs (links), embedded in short messages, to the contacts/friends of the stolen account. The victim then believes the link came from a friend, clicks it, and is infected. However, for this method to be effective the malware must mimic human-like behavior, which is hard beyond one- or two-line conversations. In this thesis we first introduce a new type of attack that delivers malicious URLs within legitimate conversations between SNS users. As a proof of concept, we design and implement a malware named Hitchbot [1], which includes multiple attack vectors for realizing the proposed attack. In particular, when an SNS user sends a link/URL to a friend, Hitchbot quietly replaces it with a similar-looking but malicious one by intercepting it at one of several possible points in the system's interactive input/output chain. Because the malicious link is delivered within a proper conversation context between legitimate users, it is harder for the victim (who is also the spreader) to notice the attack, which can greatly increase the conversion rate. This approach also lets Hitchbot bypass most existing defense schemes, which mainly rely on user-behavior or traffic anomaly detection. Hitchbot takes the form of a client-side module that can hitch-hike on common social networking services, including the Yahoo and Microsoft messaging clients and browser-based social networking services such as Facebook and MySpace. To quantify Hitchbot's effectiveness, we studied how users exchange, handle and operate on URLs. Finally, we study the feasibility of automated online classification/identification of malicious URLs. In particular, we quantify the effectiveness of different types of attributes/features for malicious URL classification using data obtained from various malicious URL databases, and we also consider the impact and trade-offs of stringent latency requirements on the accuracy of real-time, on-demand malicious URL classification.
The number of cyber crimes has continued to increase rapidly in recent years. It is now commonplace for malware authors to write malicious programs for profit by stealing user personal information or providing spam-based marketing services. In order to spread malware more effectively, hackers have started to target popular online social networking services (SNS) due to the inherent trust relationship between SNS users and the interactive nature of the services. A common attacking approach is for malware to automatically log in using stolen SNS user credentials and then deliver malicious URLs (links) to the people on the contact/friend list of the stolen user account by embedding them in short messages. The victim then gets infected by clicking on the links thought to be delivered by their friends. However, for this approach to be effective, the malware has to mimic human-like behavior, which can be quite challenging for anything beyond one- or two-line conversations.
In this thesis, we first introduce a new type of attack called the social hitch-hiking attack, which uses a stealthier way to deliver malicious URLs by hitch-hiking on legitimate conversations among SNS users. As a proof of concept, we have designed and implemented a malware named Hitchbot [1] which incorporates multiple attack vectors for the realization of our proposed social hitch-hiking attacks. In particular, when an SNS user sends a link/URL to his/her friends, Hitchbot quietly replaces it with a similar-looking but malicious one by intercepting the link at one of several possible points along the interactive input/output chain of the system. Since the malicious link is delivered within a proper conversation context between legitimate users, it is much more difficult for the victim (who is also the spreader) to realize the attack, which can increase the conversion rate substantially. The hitch-hiking approach also enables Hitchbot to bypass most existing defense schemes, which mainly rely on user-behavior or traffic anomaly detection. Hitchbot takes the form of a client-based module that can hitch-hike on common social networking services including the Yahoo and Microsoft messaging clients and web-browser-based social networking services such as Facebook and Myspace. To quantify the effectiveness of Hitchbot, we have studied the behavior of users in exchanging, handling and operating on URLs. Lastly, we study the feasibility of defending against hitch-hiking attacks via automated online classification/identification of malicious URLs. In particular, the effectiveness of different types of attributes/features used in malicious URL classification is quantified based on data obtained from various malicious URL databases. We also consider the implications and trade-offs of stringent latency requirements on the accuracy of real-time, on-demand malicious URL classification. / Detailed summary in vernacular field only. / Lam, Ka Chun.
/ Thesis (M.Phil.)--Chinese University of Hong Kong, 2012. / Includes bibliographical references (leaves 43-48). / Electronic reproduction. Hong Kong : Chinese University of Hong Kong, [2012] System requirements: Adobe Acrobat Reader. Available via World Wide Web. / Abstracts also in Chinese.
Abstract --- p.i
Acknowledgement --- p.iv
Chapter 1 --- Introduction --- p.1
Chapter 1.1 --- Background --- p.1
Chapter 1.2 --- Organization --- p.4
Chapter 2 --- Related Work --- p.6
Chapter 2.1 --- Exploiting Social Networking Services --- p.6
Chapter 2.1.1 --- Malware Spreading Channels in SNS --- p.7
Chapter 2.1.2 --- Common Exploits on SNS platforms --- p.10
Chapter 2.2 --- Recent defense mechanisms of Malware --- p.12
Chapter 3 --- A New Class of Attacks via Social Hitch-hiking --- p.14
Chapter 3.1 --- The Social Hitch-hiking Attack --- p.14
Chapter 3.1.1 --- The Interactive User Input/Output Chain --- p.16
Chapter 3.1.2 --- Four Attack Vectors --- p.17
Chapter 4 --- Attack Evaluation and Measurement --- p.26
Chapter 4.1 --- Comparison of Attack Vectors --- p.26
Chapter 4.2 --- Attack Measurement --- p.27
Chapter 4.3 --- Defense against Hitch-hiking Attacks --- p.29
Chapter 5 --- Defense via Malicious URL Classification --- p.31
Chapter 5.1 --- Methodology --- p.31
Chapter 5.2 --- Attributes --- p.33
Chapter 5.2.1 --- Lexical attributes --- p.34
Chapter 5.2.2 --- Webpage content attributes --- p.34
Chapter 5.2.3 --- Network attributes --- p.34
Chapter 5.2.4 --- Host-based attributes --- p.35
Chapter 5.2.5 --- Link popularity attributes --- p.36
Chapter 5.3 --- Performance Evaluation and Discussions --- p.36
Chapter 6 --- Conclusion and Future work --- p.41
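Chapter 5.2 lists lexical, webpage-content, network, host-based and link-popularity attributes; under a stringent latency budget only the lexical ones are free, since they need no fetch and no DNS or reputation lookup. As an added example (not the thesis's classifier and not Hitchbot's code), the block below extracts lexical attributes from a URL and adds a "similar-looking link" check, since the attack substitutes a sent URL with one that imitates it. The known-domain list, the confusable-character table, the suspicious-token list and the two-label stand-in for a public-suffix lookup are all assumptions of mine, and the sample URLs in the test are constructed:

```python
"""Added example, not the thesis's code: lexical URL attributes plus a
lookalike-domain check. Brand list, confusables and tokens are assumptions."""
import math
import re
from collections import Counter
from urllib.parse import urlsplit

KNOWN_DOMAINS = ["facebook.com", "myspace.com", "yahoo.com", "live.com", "paypal.com"]
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
SUSPICIOUS_TOKENS = ("login", "verify", "account", "secure", "update", "signin")
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels; a stand-in (assumption) for a public-suffix-list lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def lookalike_of(host):
    """Known domain that `host` imitates, or None. Three tests after folding
    confusable characters: exact registered-domain match, edit distance <= 1,
    or the brand name appearing as a whole label somewhere in the host."""
    host = host.lower()
    if registered_domain(host) in KNOWN_DOMAINS:
        return None                       # the genuine domain or a subdomain of it
    folded = host.translate(CONFUSABLES)
    folded_reg = registered_domain(folded)
    labels = re.split(r"[.\-_]", folded)
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if folded_reg == known or levenshtein(folded_reg, known) <= 1 or brand in labels:
            return known
    return None


def lexical_features(url):
    """Attributes computable from the URL string alone (no network access)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    try:
        port = parts.port
    except ValueError:                    # malformed port is itself a signal
        port = -1
    return {
        "url_length": len(url),
        "host_length": len(host),
        "num_subdomains": max(host.count(".") - 1, 0),
        "has_ip_host": bool(IPV4_HOST.match(host)),
        "has_userinfo": parts.username is not None,   # http://brand.com@evil/ trick
        "has_punycode": "xn--" in host,
        "digits_in_host": sum(ch.isdigit() for ch in host),
        "host_entropy": round(shannon_entropy(host), 3),
        "suspicious_tokens": sum(tok in url.lower() for tok in SUSPICIOUS_TOKENS),
        "nonstandard_port": port not in (None, 80, 443),
        "path_depth": parts.path.count("/"),
        "lookalike_of": lookalike_of(host),
    }


def risk_flags(f):
    """Cheap rule layer over the attributes; a trained classifier would replace it."""
    flags = []
    if f["lookalike_of"]:
        flags.append("lookalike:" + f["lookalike_of"])
    if f["has_ip_host"]:
        flags.append("ip-host")
    if f["has_userinfo"]:
        flags.append("userinfo")
    if f["has_punycode"]:
        flags.append("punycode")
    if f["nonstandard_port"]:
        flags.append("port")
    if f["suspicious_tokens"] >= 2:
        flags.append("phish-words")
    if f["num_subdomains"] >= 3:
        flags.append("deep-subdomain")
    return flags


if __name__ == "__main__":
    for u in ("https://www.facebook.com/photo.php?id=1",          # constructed samples
              "http://faceb00k.com/login",
              "http://www.facebook.com.account-verify.example.net/signin"):
        print(u, "->", risk_flags(lexical_features(u)))
```

The lookalike check is the piece a hitch-hiking substitution has to defeat: the replacement must look like the original to the sender, which is exactly what confusable folding and a small edit distance against the genuine domain catch. It is also the attribute with the clearest failure mode, a brand list that is incomplete, which is why the thesis weighs lexical attributes against the slower host-based and link-popularity ones.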
10

Design and Analysis of Decoy Systems for Computer Security

Bowen, Brian M. January 2011
This dissertation is aimed at defending against a range of internal threats, including eavesdropping on network taps, placement of malware to capture sensitive information, and general insider threats to exfiltrate sensitive information. Although the threats and adversaries may vary, in each context where a system is threatened, decoys can be used to deny critical information to adversaries, making it harder for them to achieve their target goal. The approach leverages deception and the use of decoy technologies to deceive adversaries and trap nefarious acts. This dissertation proposes a novel set of properties for decoys to serve as design goals in the development of decoy-based infrastructures. To demonstrate their applicability, we designed and prototyped network and host-based decoy systems. These systems are used to evaluate the hypothesis that network and host decoys can be used to detect inside attackers and malware. We introduce a novel, large-scale automated creation and management system for deploying decoys. Decoys may be created in various forms including bogus documents with embedded beacons, credentials for various web and email accounts, and bogus financial information that is monitored for misuse. The decoy management system supplies decoys for the network and host-based decoy systems. We conjecture that the utility of the decoys depends on the believability of the bogus information; we demonstrate the believability through experimentation with human judges. For the network decoys, we developed a novel trap-based architecture for enterprise networks that detects "silent" attackers who are eavesdropping on network traffic. The primary contributions of this system are the ease of injecting, automatically, large amounts of believable bait, and the integration of various detection mechanisms in the back-end.
We demonstrate our methodology in a prototype platform that uses our decoy injection API to dynamically create and dispense network traps on a subset of our campus wireless network. We present results of a user study that demonstrates the believability of our automatically generated decoy traffic. We present results from a statistical and information-theoretic analysis to show the believability of the traffic when automated tools are used. For host-based decoys, we introduce BotSwindler, a novel host-based bait injection system designed to delude and detect crimeware by forcing it to reveal itself during the exploitation of monitored information. Our implementation of BotSwindler relies upon an out-of-host software agent to drive user-like interactions in a virtual machine, seeking to convince malware residing within the guest OS that it has captured legitimate credentials. To aid in the accuracy and realism of the simulations, we introduce a novel, low-overhead approach, called virtual machine verification, for verifying whether the guest OS is in one of a predefined set of states. We provide empirical evidence to show that BotSwindler can be used to induce malware into performing observable actions and demonstrate how this approach is superior to that used in other tools. We present results from a user study to illustrate the believability of the simulations and show that financial bait information can be used to effectively detect compromises through experimentation with real credential-collecting malware. We present results from a statistical and information-theoretic analysis to show the believability of simulated keystrokes when automated tools are used to distinguish them. Finally, we introduce and demonstrate an expanded role for decoys in educating users and measuring organizational security through experiments with approximately 4000 university students and staff.
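Decoy credentials for web and email accounts only pay off if the login monitor can recognize a decoy and say which planted copy was stolen. As an added example (not BotSwindler and not the dissertation's decoy management system), here is one way to do that without a database hit on every login attempt: each decoy password is a random nonce plus an HMAC tag under a key held only by the decoy service, so a real or random password fails the tag check, and a verified nonce then identifies the placement. The key, username and placement strings are constructed for illustration:

```python
"""Added example, not the dissertation's code: self-verifying decoy
credentials whose nonce maps back to where the bait was planted."""
import base64
import hashlib
import hmac
import secrets

NONCE_LEN = 5   # bytes of randomness per decoy
TAG_LEN = 5     # bytes of HMAC tag; 10 bytes encode to exactly 16 base32 chars


class DecoyRegistry:
    """Mints decoy passwords and recognizes them at login time."""

    def __init__(self, key):
        self._key = key                 # held by the decoy service only (assumption)
        self._planted = {}              # nonce -> (username, placement)

    def _tag(self, nonce):
        return hmac.new(self._key, nonce, hashlib.sha256).digest()[:TAG_LEN]

    def plant(self, username, placement, nonce=None):
        """Return a decoy password for `username`, recording where it is placed."""
        nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
        if len(nonce) != NONCE_LEN or nonce in self._planted:
            raise ValueError("nonce must be %d fresh bytes" % NONCE_LEN)
        self._planted[nonce] = (username, placement)
        raw = nonce + self._tag(nonce)
        return base64.b32encode(raw).decode("ascii").lower()

    def check(self, username, password):
        """Placement string if (username, password) is one of our decoys, else None."""
        try:
            raw = base64.b32decode(password.upper(), casefold=True)
        except (ValueError, TypeError):   # not base32 at all: an ordinary password
            return None
        if len(raw) != NONCE_LEN + TAG_LEN:
            return None
        nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
        if not hmac.compare_digest(tag, self._tag(nonce)):
            return None                   # random or forged: no lookup needed
        entry = self._planted.get(nonce)
        if entry is None or entry[0] != username:
            return None
        return entry[1]


if __name__ == "__main__":
    reg = DecoyRegistry(secrets.token_bytes(32))
    pw = reg.plant("d.morales", r"\\fileserver\finance\Q3-budget.xlsx")   # constructed
    print("decoy password:", pw)
    print("decoy used    ->", reg.check("d.morales", pw))
    print("real password ->", reg.check("d.morales", "Summer2011!"))
```

The tag check runs before any lookup, so the registry is consulted only for credentials that are provably ours; an attacker who harvests the password cannot tell it from a strong random one, and the placement recovered from the nonce is what turns a login alert into "the copy on the finance share was read". Where a decoy is meant to be reused many times (as the dissertation does for believability studies), the username/placement pair should be revoked after the first hit so the same nonce cannot keep raising alerts.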
