A survey on latest botnet attack and defense
- Authors: Zhang, Lei , Yu, Shui , Wu, Di , Watters, Paul
- Date: 2011
- Type: Text , Conference proceedings
- Full Text: false
- Description: A botnet is a group of compromised computers, which are remotely controlled by hackers to launch various network attacks, such as DDoS attacks and information phishing. Botnets have become a popular and productive tool behind many cyber attacks. Recently, the owners of some botnets, such as Storm Worm, Torpig and Conficker, are employing fluxing techniques to evade detection. Therefore, understanding their fluxing tricks is critical to the success of defending against botnet attacks. Motivated by this, we survey the latest botnet attacks and defenses in this paper. We begin by introducing the principles of fast fluxing (FF) and domain fluxing (DF), and explain how these techniques were employed by botnet owners to fly under the radar. Furthermore, we investigate the state-of-the-art research on fluxing detection. We also compare and evaluate those fluxing detection methods by multiple criteria. Finally, we discuss future directions on fighting against botnet based attacks. © 2011 IEEE.
An unsupervised stochastic model for detection and identification of objects in textured color images using segmentation technique
- Authors: Islam, Mofakharul , Watters, Paul
- Date: 2009
- Type: Text , Conference proceedings
- Full Text: false
- Description: The process of meaningful image object identification is the critical first step in the extraction of image information for computer vision and image understanding. The disjoint regions correspond to visually distinct objects in a scene. In this particular work, we investigate and propose a novel stochastic model based approach to implement a robust unsupervised color image content understanding technique that segments a color textured image into its constituent parts automatically and meaningfully. The aim of this work is to produce precise segmentation of different objects in a color image using color information, texture information and neighborhood relationships among neighboring image pixels in terms of their features using Markov Random Field (MRF) Model to get the maximum accuracy in segmentation. The evaluation of the results is done through comparison of the segmentation quality and accuracy with another similar existing method which demonstrates that the proposed approach outperforms the existing method by achieving better segmentation accuracy with faithful segmentation results.
Authorship attribution of IRC messages using inverse author frequency
- Authors: Layton, Robert , McCombie, Stephen , Watters, Paul
- Date: 2012
- Type: Text , Conference proceedings
- Full Text: false
- Description: Internet Relay Chat (IRC) is a useful and relatively simple protocol for text based chat online, used in a variety of areas online such as for discussion and technical support. IRC is also used for cybercrime, with online rooms selling stolen credit card details, botnet access and malware. The reasons for the use of IRC in cybercrime include the widespread adoption and ease of use, but also focus around the anonymity granted by the protocol, allowing users to hide behind aliases that can be changed regularly. In this research, we apply authorship analysis techniques to be able to attribute chat messages to known aliases. A preliminary experiment shows that this application is very difficult, due to the short messages and repeated information. To improve the accuracy, we apply inverse-author-frequency (iaf) weighting, which gives higher weights to features used by fewer authors. This research is the first time that iaf has been applied to character n-gram models, previously being applied to word based models of authorship. We find that this improves the accuracy significantly for the RLP method and provides a platform for successful applications of authorship analysis in the future. Overall, the method achieves accuracies of over 55% in a very difficult application domain. © 2012 IEEE.
- Description: 2003011051
Challenges to automated allegory resolution in open source intelligence
- Authors: Watters, Paul
- Date: 2012
- Type: Text , Conference proceedings
- Full Text: false
- Description: The resolution of lexical ambiguity in machine translation systems often involves the automated, on-line selection of the correct sense of polysemous target words in the context of a clause, phrase or sentence. However, the performance of machine translation systems in emulating this aspect of human language processing has not been entirely successful, to the extent that resolution of entities and terms in natural language could be automated for open source intelligence analysis. Whilst some of these systems confine themselves to processing domain-specific knowledge (e.g., medical terminology), with some success, the popular general-purpose direct translation systems now freely available on the World Wide Web (WWW) are investigated for characteristic semantic processing errors in this study. A ubiquitous sentence ("The quick brown fox jumps over the lazy dog"), an equative metaphor, and a simile are translated into four Romance and one Germanic language, with the translation then inverted back to English using the same translation system. It is found that in addition to expected differences in correctly mapping shades of meaning (e.g., "quick" is mapped to "fast"), some spatial meanings are incorrectly transformed, especially for verbs (e.g., "jumps over" becomes "branches over" or "jumps on"). The most serious error is the addition of extra semantic features to individual words, particularly features associated with nouns (e.g., the gender-neutral "fox" becomes the female "vixen"). The implications of these types of errors for the automatic translation of human language - with respect to semantic representation in open source intelligence - are discussed. © 2012 IEEE.
- Description: 2003011052
Characterising network traffic for Skype forensics
- Authors: Azab, Ahmad , Watters, Paul , Layton, Robert
- Date: 2012
- Type: Text , Conference proceedings
- Full Text: false
- Description: Voice over IP (VoIP) is increasingly replacing fixed line telephone systems globally due to lower cost, call quality improvements over digital lines and ease of availability. At the same time, criminals have also transitioned to using this environment, creating challenges for law enforcement, since interception of VoIP traffic is more difficult than in a traditional telephony environment. One key problem for proprietary VoIP algorithms like Skype is being able to reliably identify and characterize network traffic. In this paper, the latest Skype version and its components are analyzed, in terms of network traffic behavior for the login, call establishment, call answering and change status phases. Network conditions tested included blocking different port numbers, inbound connections and outbound connections. The results provide a clearer view of the difficulties in characterizing Skype traffic in forensic contexts. We also found different changes from previous investigations into older versions of Skype. © 2012 IEEE.
- Description: 2003011053
Child face detection using age specific luminance invariant geometric descriptor
- Authors: Islam, Mofakharul , Watters, Paul , Yearwood, John
- Date: 2011
- Type: Text , Conference proceedings
- Full Text: false
- Description: While considerable research has been conducted on age-wise age estimation using skin detection, most often with other visual cues, relatively little research has looked closely at the subject. In this paper, we present a new framework for interpreting facial image patterns that can be employed in categorical age estimation. The aim is to propose a novel approach to investigate and implement a child face detection technique that is able to estimate age categorically (adult or child) based on a new hybrid feature descriptor. The novel hybrid feature descriptor LIGD (the luminance invariant geometric descriptor) is composed of some low and high level features, which are found to be effective in characterizing the local appearance. In local appearance estimation, chromaticity, texture, and positional information of a few facial visual cues can be employed simultaneously. Compared to the results published in a recent work, our proposed approach yields the highest precision and recall, and overall accuracy in recognition. © 2011 IEEE.
Determining the influence of visual training on EEG activity patterns using association rule mining
- Authors: Yan, Fangang , Watters, Paul , Wang, Wei
- Date: 2011
- Type: Text , Conference proceedings
- Full Text: false
- Description: To confirm that visual training can change EEG patterns using an association rule mining method, firstly, we collected the EEG of people who are under long-term visual professional training (visual training group) and of novice people (control group) during specific mental tasks. Secondly, we determined the difference in brain electrical activity between the two groups using machine learning methods. Thirdly, we discovered distinct patterns using an association rule algorithm, finding that the two groups were separable based on their completion of visual professional cognitive tasks. In the beta band, the visual training group showed a specific and significant association pattern which included FP1 and C4. The results indicate that the EEG patterns were modified because of visual professional training. We further discuss the impact of long-term visual professional training on the EEG. © 2011 IEEE.
Fake file detection in P2P networks by consensus and reputation
- Authors: Watters, Paul , Layton, Robert
- Date: 2011
- Type: Text , Conference proceedings
- Full Text: false
- Description: Previous research [1] has indicated that reputation scores can be used as the basis for trust computation in P2P networks. In this paper, we use reputation scores calculated from P2P search engine rating sites to determine whether a torrent is likely to be linked to a fake file (or not). Our results indicate clear separability between files which are fake and which are genuine, assuming the integrity of the "community" ratings provided by specific subcultural groups [2]. Suggestions for more sophisticated reputation-based scoring are also provided. © 2011 Crown.
Local n-grams for author identification: Notebook for PAN at CLEF 2013
- Relation: CEUR Workshop Proceedings
- Authors: Layton, Robert , Watters, Paul , Dazeley, Richard
- Date: 2013
- Type: Text , Conference proceedings
- Full Text:
- Description: Our approach to the author identification task uses existing authorship attribution methods using local n-grams (LNG) and performs a weighted ensemble. This approach came in third for this year's competition, using a relatively simple scheme of weights by training set accuracy. LNG models create profiles, consisting of a list of character n-grams that best represent a particular author's writing. The use of a weighted ensemble improved upon the accuracy of the method without reducing the speed of the algorithm; the submitted solution was not only near the top of the leaderboard in terms of accuracy, but it was also one of the faster algorithms submitted.
Malware detection based on structural and behavioural features of API calls
- Authors: Alazab, Mamoun , Layton, Robert , Venkatraman, Sitalakshmi , Watters, Paul
- Date: 2010
- Type: Text , Conference proceedings
- Full Text: false
- Description: In this paper, we propose a five-step approach to detect obfuscated malware by investigating the structural and behavioural features of API calls. We have developed a fully automated system to disassemble and extract API call features effectively from executables. Using n-gram statistical analysis of binary content, we are able to classify whether an executable file is malicious or benign. Our experimental results with a dataset of 242 malware samples and 72 benign files have shown a promising accuracy of 96.5% for the unigram model. We also provide a preliminary analysis by our approach using a support vector machine (SVM) and, by varying n-values from 1 to 5, we have analysed the performance in terms of accuracy, false positives and false negatives. By applying SVM, we propose to train the classifier and derive an optimum n-gram model for detecting both known and unknown malware efficiently.
Rapid anomaly detection using integrated prudence analysis (IPA)
- Authors: Maruatona, Omaru , Vamplew, Peter , Dazeley, Richard , Watters, Paul
- Date: 2018
- Type: Text , Conference proceedings
- Relation: PAKDD 2018.Trends and Applications in Knowledge Discovery and Data Mining. p. 137-141
- Full Text: false
- Reviewed:
- Description: Integrated Prudence Analysis has been proposed as a method to maximize the accuracy of rule based systems. The paper presents evaluation results of the three Prudence methods on public datasets which demonstrate that combining attribute-based and structural Prudence produces a net improvement in Prudence Accuracy.
The seven scam types: Mapping the terrain of cybercrime
- Authors: Stabek, Amber , Watters, Paul , Layton, Robert
- Date: 2010
- Type: Text , Conference proceedings
- Full Text:
- Description: The threat of cybercrime is a growing danger to the economy. Industries and businesses are targeted by cyber-criminals along with members of the general public. Since cybercrime is often a symptom of more complex criminological regimes such as laundering, trafficking and terrorism, the true damage caused to society is unknown. Dissimilarities in reporting procedures and non-uniform cybercrime classifications lead international reporting bodies to produce incompatible results, which cause difficulties in making valid comparisons. A cybercrime classification framework has been identified as necessary for the development of an inter-jurisdictional, transnational, and global approach to identify, intercept, and prosecute cyber-criminals. Outlined in this paper is a cybercrime classification framework which has been applied to the incidence of scams. Content analysis was performed on over 250 scam descriptions stemming from in excess of 35 scamming categories, and over 80 static features were derived. Using hierarchical cluster and discriminant function analysis, the sample was reduced from over 35 ambiguous categories into 7 scam types, and the top four scamming functions - identified as scamming business processes - were revealed. The results of this research bear significant ramifications for the current state of scam and cybercrime classification, research and analysis, as well as offering significant insight into the business processes and applications adopted by scammers and cyber-criminals. © 2010 IEEE.
Towards an implementation of information flow security using semantic web technologies
- Authors: Ureche, Oana , Layton, Robert , Watters, Paul
- Date: 2012
- Type: Text , Conference proceedings
- Full Text:
- Description: Controlling the flow of sensitive data has been widely acknowledged as a critical aspect of securing web information systems. A common limitation of previous approaches for the implementation of information flow control is their proposal of new scripting languages. This makes them infeasible to apply to existing systems written in traditional programming languages, as these systems need to be redeveloped in the proposed scripting language. This paper proposes a methodology that offers a common interlingua through the use of Semantic Web technologies for securing web information systems independently of their programming language. © 2012 IEEE.
- Description: 2003011056
Towards understanding malware behaviour by the extraction of API calls
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul
- Date: 2010
- Type: Text , Conference proceedings
- Full Text:
- Description: One of the recent trends adopted by malware authors is to use packers or software tools that instigate code obfuscation in order to evade detection by antivirus scanners. With evasion techniques such as polymorphism and metamorphism, malware is able to fool current detection techniques. Thus, security researchers and the anti-virus industry are facing a herculean task in extracting payloads hidden within packed executables. It is a common practice to use manual unpacking or static unpacking using some software tools and analyse the application programming interface (API) calls for malware detection. However, extracting these features from the unpacked executables for reverse obfuscation is labour intensive and requires deep knowledge of low-level programming that includes kernel and assembly language. This paper presents an automated method of extracting API call features and analysing them in order to understand their use for malicious purposes. While some research has been conducted in arriving at file birthmarks using API call features and the like, there is a scarcity of work that relates to features in malcodes. To address this gap, we attempt to automatically analyse and classify the behavior of API function calls based on the malicious intent hidden within any packed program. This paper uses a four-step methodology for developing a fully automated system to arrive at six main categories of suspicious behavior of API call features. © 2010 IEEE.
Unsupervised authorship analysis of phishing webpages
- Authors: Layton, Robert , Watters, Paul , Dazeley, Richard
- Date: 2012
- Type: Text , Conference proceedings
- Full Text:
- Description: Authorship analysis on phishing websites enables the investigation of phishing attacks, beyond basic analysis. In authorship analysis, salient features from documents are used to determine properties about the author, such as which of a set of candidate authors wrote a given document. In unsupervised authorship analysis, the aim is to group documents such that all documents by one author are grouped together. Applying this to cyber-attacks shows the size and scope of attacks from specific groups. This in turn allows investigators to focus their attention on specific attacking groups rather than trying to profile multiple independent attackers. In this paper, we analyse phishing websites using the current state of the art unsupervised authorship analysis method, called NUANCE. The results indicate that the application produces clusters which correlate strongly to authorship, evaluated using expert knowledge and external information as well as showing an improvement over a previous approach with known flaws. © 2012 IEEE.
- Description: 2003010678
Windows rootkits: Attacks and countermeasures
- Authors: Lobo, Desmond , Watters, Paul , Wu, Xin , Sun, Li
- Date: 2010
- Type: Text , Conference proceedings
- Full Text:
- Description: Windows XP is the dominant operating system in the world today and rootkits have been a major concern for XP users. This paper provides an in-depth analysis of the rootkits that target that operating system, while focusing on those that use various hooking techniques to hide malware on a machine. We identify some of the weaknesses in the Windows XP architecture that rootkits exploit and then evaluate some of the anti-rootkit security features that Microsoft has unveiled in Vista and 7. To reduce the number of rootkit infections in the future, we suggest that Microsoft should take full advantage of Intel's four distinct privilege levels. © 2010 IEEE.
Zero-day malware detection based on supervised learning algorithms of API call signatures
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul , Alazab, Moutaz
- Date: 2011
- Type: Text , Conference proceedings
- Full Text:
- Description: Zero-day or unknown malware are created using code obfuscation techniques that can modify the parent code to produce offspring copies which have the same functionality but different signatures. Current techniques reported in the literature lack the capability of detecting zero-day malware with the required accuracy and efficiency. In this paper, we have proposed and evaluated a novel method of employing several data mining techniques to detect and classify zero-day malware with high levels of accuracy and efficiency based on the frequency of Windows API calls. This paper describes the methodology employed for the collection of large data sets to train the classifiers, and analyses the performance results of the various data mining algorithms adopted for the study using a fully automated tool developed in this research to conduct the various experimental investigations and evaluation. Through the performance results of these algorithms from our experimental analysis, we are able to evaluate and discuss the advantages of one data mining algorithm over the other for accurately detecting zero-day malware successfully. The data mining framework employed in this research learns through analysing the behavior of existing malicious and benign codes in large datasets. We have employed robust classifiers, namely the Naïve Bayes (NB) Algorithm, k-Nearest Neighbor (kNN) Algorithm, Sequential Minimal Optimization (SMO) Algorithm with 4 different kernels (SMO - Normalized PolyKernel, SMO - PolyKernel, SMO - Puk, and SMO - Radial Basis Function (RBF)), Backpropagation Neural Networks Algorithm, and J48 decision tree, and have evaluated their performance. Overall, the automated data mining system implemented for this study has achieved a high true positive (TP) rate of more than 98.5%, and a low false positive (FP) rate of less than 0.025, which has not been achieved in the literature so far. This is much higher than the required commercial acceptance level, indicating that our novel technique is a major leap forward in detecting zero-day malware. This paper also offers future directions for researchers in exploring different aspects of obfuscations that are affecting the IT world today. © 2011, Australian Computer Society, Inc.
- Description: 2003009506