Malware detection based on structural and behavioural features of API calls
- Authors: Alazab, Mamoun , Layton, Robert , Venkatraman, Sitalakshmi , Watters, Paul
- Date: 2010
- Type: Text , Conference proceedings
- Full Text: false
- Description: In this paper, we propose a five-step approach to detect obfuscated malware by investigating the structural and behavioural features of API calls. We have developed a fully automated system to disassemble and extract API call features effectively from executables. Using n-gram statistical analysis of binary content, we are able to classify if an executable file is malicious or benign. Our experimental results with a dataset of 242 malwares and 72 benign files have shown a promising accuracy of 96.5% for the unigram model. We also provide a preliminary analysis by our approach using support vector machine (SVM) and by varying n-values from 1 to 5, we have analysed the performance that include accuracy, false positives and false negatives. By applying SVM, we propose to train the classifier and derive an optimum n-gram model for detecting both known and unknown malware efficiently.
Internet security applications of Grobner-Shirvov bases
- Authors: Kelarev, Andrei , Yearwood, John , Watters, Paul
- Date: 2010
- Type: Text , Journal article
- Relation: Asian-European Journal of Mathematics Vol. 3, no. 3 (2010), p. 435-442
- Relation: http://purl.org/au-research/grants/arc/DP0211866
- Full Text: false
- Reviewed:
An unsupervised stochastic model for detection and identification of objects in textured color images using segmentation technique
- Authors: Islam, Mofakharul , Watters, Paul
- Date: 2009
- Type: Text , Conference proceedings
- Full Text: false
- Description: The process of meaningful image object identification is the critical first step in the extraction of image information for computer vision and image understanding. The disjoint regions correspond to visually distinct objects in a scene. In this particular work, we investigate and propose a novel stochastic model based approach to implement a robust unsupervised color image content understanding technique that segments a color textured image into its constituent parts automatically and meaningfully. The aim of this work is to produce precise segmentation of different objects in a color image using color information, texture information and neighborhood relationships among neighboring image pixels in terms of their features using Markov Random Field (MRF) Model to get the maximum accuracy in segmentation. The evaluation of the results is done through comparison of the segmentation quality and accuracy with another similar existing method which demonstrates that the proposed approach outperforms the existing method by achieving better segmentation accuracy with faithful segmentation results.
A Grobner-Shirshov Algorithm for Applications in Internet Security
- Authors: Kelarev, Andrei , Yearwood, John , Watters, Paul , Wu, Xinwen , Ma, Liping , Abawajy, Jemal , Pan, L.
- Date: 2011
- Type: Text , Journal article
- Relation: Southeast Asian Bulletin of Mathematics Vol. 35, no. (2011), p. 807-820
- Full Text: false
- Reviewed:
- Description: The design of multiple classication and clustering systems for the detection of malware is an important problem in internet security. Grobner-Shirshov bases have been used recently by Dazeley et al. [15] to develop an algorithm for constructions with certain restrictions on the sandwich-matrices. We develop a new Grobner-Shirshov algorithm which applies to a larger variety of constructions based on combinatorial Rees matrix semigroups without any restrictions on the sandwich-matrices.
Accessibility solutions for visually impaired users of web discussion boards
- Authors: Watters, Paul , Arajuo, A , Hezart, A , Naik, S
- Date: 2005
- Type: Text , Conference paper
- Relation: Paper presented at 3rd IEEE International Conference on Information Technology and Applications 2005 p. 1-10
- Full Text: false
- Reviewed:
Detecting illicit drugs on social media using Automated Social Media Intelligence Analysis (ASMIA)
- Authors: Watters, Paul , Phair, Nigel
- Date: 2012
- Type: Text , Conference paper
- Relation: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) Vol. 7672 LNCS, p. 66-76
- Full Text:
- Reviewed:
- Description: While social media is a new and exciting technology, it has the potential to be misused by organized crime groups and individuals involved in the illicit drugs trade. In particular, social media provides a means to create new marketing and distribution opportunities to a global marketplace, often exploiting jurisdictional gaps between buyer and seller. The sheer volume of postings presents investigational barriers, but the platform is amenable to the partial automation of open source intelligence. This paper presents a new methodology for automating social media data, and presents two pilot studies into its use for detecting marketing and distribution of illicit drugs targeted at Australians. Key technical challenges are identified, and the policy implications of the ease of access to illicit drugs are discussed. © 2012 Springer-Verlag.
- Description: 2003010676
Indirect information linkage for OSINT through authorship analysis of aliases
- Authors: Layton, Robert , Perez, Charles , Birregah, Babiga , Watters, Paul , Lemercier, Marc
- Date: 2013
- Type: Text , Conference paper
- Relation: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 17th Pacific-Asia Conference on Knowledge Discovery and Data Mining Vol. 7867 LNAI, p. 36-46
- Full Text: false
- Reviewed:
- Description: In this paper we examine the problem of automatically linking online accounts for open source intelligence gathering. We specifically aim to determine if two social media accounts are shared by the same author, without the use of direct linking evidence. We profile the accounts using authorship analysis and find the best matching guess. We apply this to a series of Twitter accounts identified as malicious by a methodology named SPOT and find several pairs of accounts that belong to the same author, despite no direct evidence linking the two. Overall, our results show that linking aliases is possible with an accuracy of 84%, and using our automated threshold method improves our accuracy to over 90% by removing incorrectly discovered matches. © Springer-Verlag 2013.
Real-time detection of children's skin on social networking sites using Markov random field modelling
- Authors: Islam, Mofakharul , Watters, Paul , Yearwood, John
- Date: 2011
- Type: Text , Journal article
- Relation: Information Security Technical Report Vol. 16, no. 2 (2011), p. 51-58
- Full Text: false
- Reviewed:
- Description: Social networking sites are increasingly being used as the source for paedophiles to search for, download and exchange child exploitation images. Law Enforcement Agencies (LEAs) around the world face a difficult challenge to combat technologically-savvy paedophiles. In this paper, we propose a framework for detecting images containing children's pictures in different poses, with the ultimate view of identifying and classifying images as corresponding to the COPINE scale. To achieve the goal of automatic detection, we present a novel stochastic vision model based on a Markov Random Fields (MRF) prior, which will employ a skin model and human affine-invariant geometric descriptor to detect and identify skin regions containing pornographic contexts. © 2011 Published by Elsevier Ltd.
Skype Traffic Classification Using Cost Sensitive Algorithms
- Authors: Azab, Azab , Layton, Robert , Alazab, Mamoun , Watters, Paul
- Date: 2013
- Type: Text , Conference paper
- Relation: Proceedings - 4th Cybercrime and Trustworthy Computing Workshop, CTC 2013 p. 14-21
- Full Text: false
- Reviewed:
- Description: Voice over IP (VoIP) technologies such as Skype are becoming increasingly popular and widely used in different organisations, and therefore identifying the usage of this service at the network level becomes very important. Reasons for this include applying Quality of Service (QoS), network planning, prohibiting its use in some networks and lawful interception of communications. Researchers have addressed VoIP traffic classification from different viewpoints, such as classifier accuracy, building time, classification time and online classification. This previous research tested their models using the same version of a VoIP product they used for training the model, giving generalizability only to that version of the product. This means that as new VoIP versions are released, these classifiers become obsolete. In this paper, we address if this approach is applicable to detecting new, untrained, versions of Skype. We suggest that using cost-sensitive classifiers can help to improve the accuracy of detecting untrained versions, by testing compared to other algorithms. Our experiment demonstrates promising preliminary results to detect Skype version 4, by building a cost sensitive classifier on Skype version 3, achieving an F-measure score of 0.57. This is a drastic improvement from not using cost sensitivity, which scores an F-measure of 0. This approach may be enhanced to improve the detection results and extended to improve detection for other applications that change protocols from version to version.
Recentred local profiles for authorship attribution
- Authors: Layton, Robert , Watters, Paul , Dazeley, Richard
- Date: 2012
- Type: Text , Journal article
- Relation: Natural Language Engineering Vol. 18, no. 3 (2012), p. 293-312
- Full Text:
- Reviewed:
- Description: Authorship attribution methods aim to determine the author of a document, by using information gathered from a set of documents with known authors. One method of performing this task is to create profiles containing distinctive features known to be used by each author. In this paper, a new method of creating an author or document profile is presented that detects features considered distinctive, compared to normal language usage. This recentreing approach creates more accurate profiles than previous methods, as demonstrated empirically using a known corpus of authorship problems. This method, named recentred local profiles, determines authorship accurately using a simple 'best matching author' approach to classification, compared to other methods in the literature. The proposed method is shown to be more stable than related methods as parameter values change. Using a weighted voting scheme, recentred local profiles is shown to outperform other methods in authorship attribution, with an overall accuracy of 69.9% on the ad-hoc authorship attribution competition corpus, representing a significant improvement over related methods. Copyright © Cambridge University Press 2011.
- Description: 2003010688
Measuring Surveillance in Online Advertising: A Big Data Approach
- Authors: Herps, Aaron , Watters, Paul , Pineda-Villavicencio, Guillermo
- Date: 2013
- Type: Text , Conference paper
- Relation: Proceedings - 4th Cybercrime and Trustworthy Computing Workshop, CTC 2013 p. 30-35
- Full Text: false
- Reviewed:
- Description: There is an increasing public and policy awareness that tracking cookies are being used to support behavioral advertising, but the extent to which tracking is occurring is not clear. The extent of tracking could have implications for the enforceability of legislative responses to the sharing of personal data, including the Privacy Act 1988 (Cth). In this paper, we develop a methodology for determining the prevalence of tracking cookies, and report the results for a sample of the 50 most visited sites by Australians. We find that the use of tracking cookies is endemic, but that distinct clusters of tracking can be identified across categories including search, pornography and social networking. The implications of the work in relation to privacy are discussed.
Descriptive data mining on fraudulent online dating profiles
- Authors: Pan, Jinjian A. , Winchester, Donald , Land, Lesley , Watters, Paul
- Date: 2010
- Type: Text , Conference paper
- Relation: Proceedings of ECIS 2010, The 18th European Conference on Information Systems 2010 p. 1-11
- Full Text: false
- Reviewed:
- Description: The increasing ease of access to the World Wide Web and email harvesting tools has enabled spammers to target a wider audience. The problem is where scams are widely encountered in day to day environmental to individuals from all walks of life and result in millions of dollars in financial loss as well as emotional trauma (Newman 2005). This paper aims to analyse and examine the structure of Romance Fraud, in a bid to understand and detect Romance Fraud profiles. We focus on scams that utilise the medium of dating websites. The primary indicators of Romance Fraud identified in the literature include social factors, scam characteristics and content....
Automated unsupervised authorship analysis using evidence accumulation clustering
- Authors: Layton, Robert , Watters, Paul , Dazeley, Richard
- Date: 2013
- Type: Text , Journal article
- Relation: Natural Language Engineering Vol. 19, no. 1 (2013), p. 95-120
- Full Text:
- Reviewed:
- Description: Authorship Analysis aims to extract information about the authorship of documents from features within those documents. Typically, this is performed as a classification task with the aim of identifying the author of a document, given a set of documents of known authorship. Alternatively, unsupervised methods have been developed primarily as visualisation tools to assist the manual discovery of clusters of authorship within a corpus by analysts. However, there is a need in many fields for more sophisticated unsupervised methods to automate the discovery, profiling and organisation of related information through clustering of documents by authorship. An automated and unsupervised methodology for clustering documents by authorship is proposed in this paper. The methodology is named NUANCE, for n-gram Unsupervised Automated Natural Cluster Ensemble. Testing indicates that the derived clusters have a strong correlation to the true authorship of unseen documents. © 2011 Cambridge University Press.
- Description: 2003010584
Fake file detection in P2P networks by consensus and reputation
- Authors: Watters, Paul , Layton, Robert
- Date: 2011
- Type: Text , Conference proceedings
- Full Text: false
- Description: Previous research [1] has indicated that reputation scores can be used as the basis for trust computation in P2P networks. In this paper, we use reputation scores calculated from P2P search engine rating sites to determine whether a torrent is likely to be linked to a fake file (or not). Our results indicate clear separability between files which are fake and which are genuine, assuming the integrity of the "community" ratings provided by specific subcultural groups [2]. Suggestions for more sophisticated reputation-based scoring are also provided. © 2011 Crown.
Characterising and predicting cyber attacks using the Cyber Attacker Model Profile (CAMP)
- Authors: Watters, Paul , McCombie, Stephen , Layton, Robert , Pieprzyk, Josef
- Date: 2012
- Type: Text , Journal article
- Relation: Journal of Money Laundering Control Vol. 15, no. 4 (2012), p. 430-441
- Full Text: false
- Reviewed:
- Description: Purpose – Ethnographic studies of cyber attacks typically aim to explain a particular profile of attackers in qualitative terms. The purpose of this paper is to formalise some of the approaches to build a Cyber Attacker Model Profile (CAMP) that can be used to characterise and predict cyber attacks. Design/methodology/approach – The paper builds a model using social and economic independent or predictive variables from several eastern European countries and benchmarks indicators of cybercrime within the Australian financial services system. Findings – The paper found a very strong link between perceived corruption and GDP in two distinct groups of countries – corruption in Russia was closely linked to the GDP of Belarus, Moldova and Russia, while corruption in Lithuania was linked to GDP in Estonia, Latvia, Lithuania and Ukraine. At the same time corruption in Russia and Ukraine were also closely linked. These results support previous research that indicates a strong link between been legitimate economy and the black economy in many countries of Eastern Europe and the Baltic states. The results of the regression analysis suggest that a highly skilled workforce which is mobile and working in an environment of high perceived corruption in the target countries is related to increases in cybercrime even within Australia. It is important to note that the data used for the dependent and independent variables were gathered over a seven year time period, which included large economic shocks such as the global financial crisis. Originality/value – This is the first paper to use a modelling approach to directly show the relationship between various social, economic and demographic factors in the Baltic states and Eastern Europe, and the level of card skimming and card not present fraud in Australia. Acknowledgements: Paul A. Watters and Robert Layton are funded by IBM, Westpac, the State Government of Victoria and the Australian Federal Police.
- Description: 2003011112
Establishing reasoning communities of security experts for Internet Commerce Security
- Authors: Kelarev, Andrei , Brown, Simon , Watters, Paul , Wu, Xinwen , Dazeley, Richard
- Date: 2011
- Type: Text , Book chapter
- Relation: Technologies for supporting reasoning communities and collaborative decision making : Cooperative approaches p. 380-396
- Full Text: false
- Reviewed:
- Description: The highly sophisticated and rapidly evolving area of internet commerce security presents many novel challenges for the organization of discourse in reasoning communities. This chapter suggests appropriate reasoning methods and demonstrates how establishing reasoning communities of security experts and enabling productive group discourse among them can play a crucial role in successful resolution of problems concerning the implementation, integration, deployment and maintenance of flexible local security systems for defense against malware threats in internet security. Local security systems of this sort may combine several ready open source or commercial software packages behind a common front-end and may enhance and supplement their facilities with additional plug-ins. To illustrate the diverse character of challenges the reasoning communities in internet security are likely to be faced with, this chapter concentrates on defense against phishing attacks. This example was selected as it is one of the newest and most rapidly changing application domains for the principles of organizing reasoning communities. The major group discourse methods suggested for the reasoning communities of security experts in this chapter include the Delphi Method, the Wideband Delphi Process, the Generic/Actual Argument Model of Structured Reasoning, Brainstorming, Reverse Brainstorming, Consensus Decision Making, Voting, Open Delphi and Open Brainstorming Methods. The Delphi Method and Wideband Delphi Process are suggested as tools for organizing a cohesive reasoning architecture, for coordinating other methods, and for preparing and allocating other methods to particular issues.
Cybercrime : The case of obfuscated malware
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul , Alazab, Moutaz , Alazab, Ammar
- Date: 2011
- Type: Text , Conference paper
- Relation: Joint 7th International Conference on Global Security, Safety and Sustainability, ICGS3 2011, and the 4th Conference on e-Democracy Vol. 99 LNICST, p. 204-211
- Full Text: false
- Reviewed:
- Description: Cybercrime has rapidly developed in recent years and malware is one of the major security threats in computer which have been in existence from the very early days. There is a lack of understanding of such malware threats and what mechanisms can be used in implementing security prevention as well as to detect the threat. The main contribution of this paper is a step towards addressing this by investigating the different techniques adopted by obfuscated malware as they are growingly widespread and increasingly sophisticated with zero-day exploits. In particular, by adopting certain effective detection methods our investigations show how cybercriminals make use of file system vulnerabilities to inject hidden malware into the system. The paper also describes the recent trends of Zeus botnets and the importance of anomaly detection to be employed in addressing the new Zeus generation of malware. © 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering.
- Description: 2003010650
Identifying Faked Hotel Reviews Using Authorship Analysis
- Authors: Layton, Robert , Watters, Paul , Ureche, Oana
- Date: 2013
- Type: Text , Conference paper
- Relation: Proceedings - 4th Cybercrime and Trustworthy Computing Workshop, CTC 2013 p. 1-6
- Full Text: false
- Reviewed:
- Description: The use of online review sites has grown significantly, allowing for communities to share information on products or services.These online review sites are marketed as being independent and trustworthy, but have been criticised for not ensuring the integrity of the reviews.One major concern is that of review fraud; where a person (such as a marketer) is paid to write favourable reviews for one product or poor reviews for a competitor.In this research we show a method for determining if two reviews share an author, which can be used to identify if a review is legitimate.Our results indicate a high quality of the method, with an f-1-score of over 0.66 in testing data with 40 authors, with most authors having only one or two documents.This type of analysis can be used to investigate cases of potential hotel review fraud.
REPLOT: REtrieving profile links on Twitter for suspicious networks detection
- Authors: Perez, Charles , Birregah, Babiga , Layton, Robert , Lemercier, Marc , Watters, Paul
- Date: 2013
- Type: Text , Conference paper
- Relation: Proceedings of the 2013 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM 2013 p. 1307-1314
- Full Text: false
- Reviewed:
- Description: In the last few decades social networking sites have encountered their first large-scale security issues. The high number of users associated with the presence of sensitive data (personal or professional) is certainly an unprecedented opportunity for malicious activities. As a result, one observes that malicious users are progressively turning their attention from traditional e-mail to online social networks to carry out their attacks. Moreover, it is now observed that attacks are not only performed by individual profiles, but that on a larger scale, a set of profiles can act in coordination in making such attacks. The latter are referred to as malicious social campaigns. In this paper, we present a novel approach that combines authorship attribution techniques with a behavioural analysis for detecting and characterizing social campaigns. The proposed approach is performed in three steps: first, suspicious profiles are identified from a behavioural analysis; second, connections between suspicious profiles are retrieved using a combination of authorship attribution and temporal similarity; third, a clustering algorithm is performed to identify and characterise the suspicious campaigns obtained. We provide a real-life application of the methodology on a sample of 1,000 suspicious Twitter profiles tracked over a period of forty days. Our results show that a large set of suspicious profiles behaves in coordination (70%) and propagates mainly, but not only, trustworthy URLs on the online social network. Among the three largest detected campaigns, we have highlighted that one represents an important security issue for the platform by promoting a significant set of malicious URLs. Copyright 2013 ACM.
ICANN or ICANT: Is WHOIS an Enabler of Cybercrime?
- Authors: Watters, Paul , Herps, Aaron , Layton, Robert , McCombie, Stephen
- Date: 2013
- Type: Text , Conference paper
- Relation: Proceedings - 4th Cybercrime and Trustworthy Computing Workshop, CTC 2013 p. 44-49
- Full Text: false
- Reviewed:
- Description: WHOIS acts as a registry for organisations or individuals who 'own' or take responsibility for domains. For any registry to be functional, its integrity needs to be assured. Unfortunately, WHOIS data does not appear to meet basic integrity requirements in many cases, reducing the effectiveness of law enforcement and rightsholders in requesting takedowns for phishing kits, zombie hosts that are part of a botnet, or infringing content. In this paper, we illustrate the problem using a case study from trademark protection, where investigators attempt to trace fake goods being advertised on Facebook. The results indicate that ICANN needs to at least introduce minimum verification standards for WHOIS records vis-Ã -vis integrity, and optimally, develop a system for rapid takedowns in the event that a domain is being misused.