Matching Items (26)
Description
The volume and frequency of cyber attacks have exploded in recent years. Organizations subscribe to multiple threat intelligence feeds to increase their knowledge base and better equip their security teams with the latest information in the threat intelligence domain. Though such subscriptions add intelligence and can help in making more informed decisions, organizations have to put considerable effort into facilitating and analyzing a large number of threat indicators. This problem worsens further due to the large number of false positives and irrelevant events detected as threat indicators by existing threat feed sources. It is often neither practical nor cost-effective to analyze every single alert, considering the staggering volume of indicators. This very reason motivates solving the overcrowded threat indicator problem by prioritizing and filtering them.

To overcome the above issue, I explain the necessity of determining how likely a reported indicator is malicious given the evidence and prioritizing it based on such a determination. The Confidence Score Measurement system (CSM) introduces the concept of a confidence score, where it assigns a score of being malicious to a threat indicator based on the evaluation of different threat intelligence systems. An indicator propagates maliciousness to adjacent indicators based on relationships determined from the behavior of an indicator. The propagation algorithm derives a final confidence to determine the overall maliciousness of the threat indicator. CSM can prioritize the indicators based on the confidence score; however, an analyst may not be interested in the entire result set, so CSM narrows down the results based on analyst-driven input. To this end, CSM introduces the concept of a relevance score, where it combines the confidence score with analyst-driven search by applying full-text search techniques. It prioritizes the results based on the relevance score to provide meaningful results to the analyst. The analysis shows that the propagation algorithm of CSM scales linearly with larger datasets and achieves 92% accuracy in determining threat indicators. The evaluation of the result demonstrates the effectiveness and practicality of the approach.
Contributors: Modi, Ajay (Author) / Ahn, Gail-Joon (Thesis advisor) / Zhao, Ziming (Committee member) / Doupe, Adam (Committee member) / Arizona State University (Publisher)
Created: 2017
Description
Phishing is a form of online fraud where a spoofed website tries to gain access to a user's sensitive information by tricking the user into believing that it is a benign website. There are several solutions to detect phishing attacks, such as educating users, using blacklists, or extracting phishing characteristics found to exist in phishing attacks. In this thesis, we analyze approaches that extract features from phishing websites and train classification models with the extracted feature set to classify phishing websites. We create an exhaustive list of all features used in these approaches and categorize them into 6 broader categories and 33 finer categories. We extract 59 features from the URL, URL redirects, hosting domain (WHOIS and DNS records) and popularity of the website and analyze their robustness in classifying a phishing website. Our emphasis is on determining the predictive performance of robust features. We evaluate the classification accuracy when using the entire feature set and when URL features or site popularity features are excluded from the feature set, and show how our approach can be used to effectively predict specific types of phishing attacks such as shortened URLs and randomized URLs. Using both decision table classifiers and neural network classifiers, our results indicate that robust features seem to have enough predictive power to be used in practice.
Contributors: Namasivayam, Bhuvana Lalitha (Author) / Bazzi, Rida (Thesis advisor) / Zhao, Ziming (Committee member) / Liu, Huan (Committee member) / Arizona State University (Publisher)
Created: 2017
Description
Today, information technology systems have addresses, software stacks and other configuration that remain unchanged for long periods of time. This paves the way for malicious attacks on the system through unknown vulnerabilities. An attacker can take advantage of this situation and plan their attacks with sufficient time. To protect the system from this threat, Moving Target Defense is required, where the attack surface is dynamically changed, making it difficult to strike.

In this thesis, I incorporate live migration of Docker containers using CRIU (checkpoint/restore) for moving target defense. There are 460K Dockerized applications, a 3100% growth over 2 years [1]. Over 4 billion containers have been pulled so far from Docker Hub. Docker is supported by a large and fast-growing community of contributors and users. As an example, there are 125K Docker Meetup members worldwide. As we see industry adopting Docker rapidly, a moving target defense solution involving containers is beneficial for being robust and fast. A proof-of-concept implementation is included for studying the performance attributes of Docker migration.

Attack detection uses a scenario involving definitions of normal events on servers. By defining system activities and extracting syslog into a centralized server, attacks can be detected by extracting abnormal activities, and this detection can be a trigger for the Docker migration.
Contributors: Bohara, Bhakti (Author) / Huang, Dijiang (Thesis advisor) / Doupe, Adam (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created: 2017
Description
Mobile telephony is a critical aspect of our modern society: through telephone calls, it is possible to reach almost anyone around the globe. However, every mobile telephone call placed implicitly leaks the user's location to the telephony service provider (TSP). This privacy leakage is due to the fundamental nature of mobile telephony calls, which must connect to a local base station to receive service and place calls. Thus, the TSP can track the physical location of the user for every call that they place. While the Internet is similar in this regard, privacy-preserving technologies such as Tor allow users to connect to websites anonymously (without revealing to their ISP the site that they are visiting). In this thesis, the scheme presented, called shadow calling, allows geolocation-anonymous calling from legacy mobile devices. In this way, the call is placed from the same number; however, the TSP will not know the user's physical location. The scheme does not require any change on the network side and can be used on current mobile networks. The scheme is implemented for the GSM (commonly referred to as 2G) network, as it is the most widely used mode of mobile telephony communication. The feasibility of our scheme is demonstrated through the prototype. Shadow calling, which renders the user's geolocation anonymous, will be beneficial for users such as journalists, human rights activists in hostile nations, or other privacy-demanding users.
Contributors: Pinto, Gerard Lawrence (Author) / Doupe, Adam (Thesis advisor) / Ahn, Gail-Joon (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created: 2017
Description
Web applications are an incredibly important aspect of our modern lives. Organizations and developers use automated vulnerability analysis tools, also known as scanners, to automatically find vulnerabilities in their web applications during development. Scanners have traditionally fallen into two types of approaches: black-box and white-box. In the black-box approaches, the scanner does not have access to the source code of the web application, whereas a white-box approach has access to the source code. Today's state-of-the-art black-box vulnerability scanners employ various methods to fuzz and detect vulnerabilities in a web application. However, these scanners attempt to fuzz the web application with a number of known payloads to try to trigger a vulnerability. This technique is simple but does not understand the web application that it is testing. This thesis presents a new approach to vulnerability analysis. The vulnerability analysis module presented uses a novel approach of Inductive Reverse Engineering (IRE) to understand and model the web application. IRE first attempts to understand the behavior of the web application by giving a certain number of input/output pairs to the web application. Then, the IRE module hypothesizes a set of programs (in a limited language specific to web applications, called AWL) that satisfy the input/output pairs. These hypotheses take the form of a directed acyclic graph (DAG). The AWL vulnerability analysis module can then attempt to detect vulnerabilities in this DAG. Further, it generates the payload based on the DAG, and therefore this payload will be a precise payload to trigger the potential vulnerability (based on our understanding of the program). It then tests this potential vulnerability using the generated payload on the actual web application, and creates a verification procedure to see whether the potential vulnerability actually exists, based on the web application's response.
Contributors: Khairnar, Tejas (Author) / Doupe, Adam (Thesis advisor) / Ahn, Gail-Joon (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created: 2017
Description
The field of cyber threats is evolving rapidly, and every day a multitude of new information about malware and Advanced Persistent Threats (APTs) is generated in the form of malware reports, blog articles, forum posts, etc. However, current Threat Intelligence (TI) systems have several limitations. First, most of the TI systems examine and interpret data manually with the help of analysts. Second, some of them generate Indicators of Compromise (IOCs) directly using regular expressions without understanding the contextual meaning of those IOCs from the data sources, which allows the tools to include a lot of false positives. Third, a lot of TI systems consider only one or two data sources for the generation of IOCs, and miss some of the most valuable IOCs from other data sources.

To overcome these limitations, we propose iGen, a novel approach to fully automate the process of IOC generation and analysis. The proposed approach is based on the idea that our model can understand English texts like human beings, and extract the IOCs from the different data sources intelligently. Identification of the IOCs is done on the basis of the syntax and semantics of the sentence as well as context words (e.g., "attacked", "suspicious") present in the sentence, which helps the approach work on any kind of data source. Our proposed technique first removes the words with no contextual meaning, like stop words and punctuation. Then, using the rest of the words in the sentence and the output label (IOC or non-IOC sentence), our model intelligently learns to classify sentences into IOC and non-IOC sentences. Once IOC sentences are identified using this learned Convolutional Neural Network (CNN) based approach, the next step is to identify the IOC tokens (like domains, IPs, URLs) in the sentences. This CNN-based classification model helps in removing false positives (like IPs which are not malicious). Afterwards, IOCs extracted from different data sources are correlated to find the links between thousands of apparently unrelated attack instances, particularly infrastructure shared between them. Our approach fully automates the process of IOC generation, from gathering data from different sources to creating rules (e.g., OpenIOC, Snort rules, STIX rules) for deployment on the security infrastructure.

iGen has collected around 400K IOCs so far with a precision of 95%, better than any state-of-the-art method.
Contributors: Panwar, Anupam (Author) / Ahn, Gail-Joon (Thesis advisor) / Doupe, Adam (Committee member) / Zhao, Ziming (Committee member) / Arizona State University (Publisher)
Created: 2017