Digital forensic techniques for static analysis of NTFS images
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul
- Date: 2009
- Type: Text , Conference paper
- Relation: Paper presented at 4th International Conference of Information Technology, ICIT 2009, AL-Zaytoonah University, Amman, Jordan : 3rd-5th June 2009
- Full Text:
- Description: Static analysis of the Windows NT File System (NTFS), which is the standard and most commonly used file system, could provide useful information for digital forensics. However, since the NTFS disk image records every event in the system, forensic tools need to process an enormous amount of information related to the user / kernel environment, buffer overflows, trace conditions, network stack and other related subsystems. This leads to imperfect forensic tools that are practical for implementation but not comprehensive and effective. This research discusses an analysis technique to detect hidden data based on the internal structure of the NTFS file system in the boot sector. Further, it attempts to unearth the vulnerabilities of the NTFS disk image and the weaknesses of current forensic techniques. The paper argues that a comprehensive tool with improved techniques is warranted for a successful forensic analysis.
- Description: 2003007524
Towards automatic image segmentation using optimised region growing technique
- Authors: Nicholson, Ann , Li, Xiaodong , Alazab, Mamoun , Islam, Mofakharul , Venkatraman, Sitalakshmi
- Date: 2009
- Type: Text , Conference paper
- Relation: Paper presented at 22nd Australasian Joint Conference, AI 2009: Advances in Artificial Intelligence, Melbourne, Victoria : 1st-4th December 2009 Vol. 5866, p. 131-139
- Full Text: false
- Description: Image analysis is being adopted extensively in many applications such as digital forensics, medical treatment, industrial inspection, etc., primarily for diagnostic purposes. Hence, there is a growing interest among researchers in developing new segmentation techniques to aid the diagnosis process. Manual segmentation of images is labour intensive, extremely time consuming and prone to human errors, and hence an automated real-time technique is warranted in such applications. There is no universally applicable automated segmentation technique that will work for all images, as image segmentation is quite complex and unique depending upon the domain application. Hence, to fill the gap, this paper presents an efficient segmentation algorithm that can segment a digital image of interest into a more meaningful arrangement of regions and objects. Our algorithm combines a region growing approach with optimised elimination of false boundaries to arrive at more meaningful segments automatically. We demonstrate this using X-ray teeth images that were taken for real-life dental diagnosis.
- Description: 2003007514
GOM: New Genetic Optimizing Model for broadcasting tree in MANET
- Authors: Elaiwat, Said , Alazab, Ammar , Venkatraman, Sitalakshmi , Alazab, Mamoun
- Date: 2010
- Type: Text , Conference proceedings
- Full Text:
- Description: Data broadcasting in a mobile ad-hoc network (MANET) is the main method of information dissemination in many applications, in particular for sending critical information to all hosts. Finding an optimal broadcast tree in such networks is a challenging task due to the broadcast storm problem. The aim of this work is to propose a new genetic model using a fitness function with the primary goal of finding an optimal broadcast tree. Our new method, called Genetic Optimisation Model (GOM), alleviates the broadcast storm problem to a great extent, as the experimental simulations result in an efficient broadcast tree with minimal flood and minimal hops. The result of this model also shows that it has the ability to give different optimal solutions according to the nature of the network. © 2010 IEEE.
Effective digital forensic analysis of the NTFS disk image
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul
- Date: 2009
- Type: Text , Journal article
- Relation: Ubiquitous Computing and Communication Journal Vol. 4, no. 3 (Special issue on ICIT 2009 Conference - Applied Computing) (2009), p. 551-558
- Full Text: false
- Reviewed:
- Description: Forensic analysis of the Windows NT File System (NTFS) could provide useful information leading towards malware detection and presentation of digital evidence for the court of law. Since NTFS records every event of the system, forensic tools are required to process an enormous amount of information related to user / kernel environment, buffer overflows, trace conditions, network stack, etc. This has led to imperfect forensic tools that are practical for implementation and hence become popular, but are not comprehensive and effective. Many existing techniques have failed to identify malicious code in hidden data of the NTFS disk image. This research discusses the analysis technique we have adopted to successfully detect maliciousness in hidden data, by investigating the NTFS boot sector. We have conducted experimental studies with some of the existing popular forensics tools and have identified their limitations. Further, through our proposed three-stage forensic analysis process, our experimental investigation attempts to unearth the vulnerabilities of NTFS disk image and the weaknesses of the current forensic techniques.
- Description: 2003007525
Towards understanding malware behaviour by the extraction of API calls
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul
- Date: 2010
- Type: Text , Conference proceedings
- Full Text:
- Description: One of the recent trends adopted by malware authors is to use packers or software tools that instigate code obfuscation in order to evade detection by antivirus scanners. With evasion techniques such as polymorphism and metamorphism, malware is able to fool current detection techniques. Thus, security researchers and the anti-virus industry are facing a herculean task in extracting payloads hidden within packed executables. It is a common practice to use manual unpacking or static unpacking using some software tools and analyse the application programming interface (API) calls for malware detection. However, extracting these features from the unpacked executables for reverse obfuscation is labour intensive and requires deep knowledge of low-level programming that includes kernel and assembly language. This paper presents an automated method of extracting API call features and analysing them in order to understand their use for malicious purposes. While some research has been conducted in arriving at file birthmarks using API call features and the like, there is a scarcity of work that relates to features in malcodes. To address this gap, we attempt to automatically analyse and classify the behavior of API function calls based on the malicious intent hidden within any packed program. This paper uses a four-step methodology for developing a fully automated system to arrive at six main categories of suspicious behavior of API call features. © 2010 IEEE.
Applying genetic algorithm for optimizing broadcasting process in ad-hoc network
- Authors: Elaiwat, Said , Alazab, Ammar , Venkatraman, Sitalakshmi , Alazab, Mamoun
- Date: 2011
- Type: Text , Journal article
- Relation: International Journal of Recent Trends in Engineering & Technology Vol. 4, no. 1 (2011), p. 68-72
- Full Text: false
- Reviewed:
- Description: Optimizing the broadcasting process in a mobile ad hoc network (MANET) is considered a main challenge due to many problems, such as the Broadcast Storm problem and the high complexity of finding the optimal tree, resulting in an NP-hard problem. Straightforward techniques like simple flooding give rise to the Broadcast Storm problem with a high probability. In this work, a genetic algorithm (GA) that searches over a population that represents a distinguishable ‘structure’ is adopted innovatively to suit MANETs. The novelty of the GA technique adopted here to provide the means to tackle this MANET problem lies mainly in the proposed method of searching for a structure of a suitable spanning tree that can be optimized, in order to meet the performance indices related to the broadcasting problem. In other words, the proposed genetic model (GM) evolves with the structure of random trees (individuals) ‘genetically’ generated using rules that are devised specifically to capture MANET behaviour, in order to arrive at a minimal spanning tree that satisfies a certain fitness function. Also, the model has the ability to give different solutions depending on the main factors specified, such as ‘time’ (or speed) in certain situations and ‘reachability’ in certain others.
Towards understanding and improving E-government strategies in Jordan
- Authors: Alkhaleefah, Mohammad , Alkhawaldeh, Mahmoud , Venkatraman, Sitalakshmi , Alazab, Mamoun
- Date: 2010
- Type: Text , Conference paper
- Relation: Paper presented at (ICCBS 2010) International Conference on e-Commerce, e-Business and e-Service Vol. 66, p. 1871-1877
- Full Text: false
- Reviewed:
- Description: Electronic government or e-government initiatives in Jordan are facing major challenges that hinder the country's expected economic and social transformation. The aims of this paper are two-fold: firstly, to provide an insight into the understanding of these challenges, and secondly, to propose a four-step improvement plan for a successful implementation of Jordan's e-government project. The proposed pragmatic method, strategies and action plan are envisaged to improve Jordan's potential in developing the capability, resources, law and infrastructure for enhancing e-service delivery to citizens and businesses. Such a method of developing an improvement plan that uniquely aligns with Jordan's e-government strategic pillars would result in the fruitful realization of their e-government vision as a major contributor towards economic and social development. The proposed improvement plan could be adopted by other similar developing countries for successfully implementing their e-government projects as well.
Stochastic model based approach for biometric identification
- Authors: Islam, Mofakharul , Venkatraman, Sitalakshmi , Alazab, Mamoun
- Date: 2010
- Type: Text , Conference proceedings
- Full Text: false
- Description: In this paper, we present a new stochastic model based approach for enhanced image segmentation in biometric identification systems. Biometric features such as fingerprint, face, iris, hand geometry and, more recently, dental features are being used for human identification. Image analysis of each of these biometric features has various challenges to overcome. To address such contemporary problems of image segmentation, we provide a novel approach based on maximum a posteriori (MAP) fitting of a Gaussian mixture model using the Expectation-Maximization (EM) algorithm within the Bayesian framework. Our new algorithm captures the pixel intensity by the likelihood term in Bayesian Networks, and an a priori biasing term of the spatial location information with the help of a Markov Random Fields (MRF) model. We have employed a novel approach of using the Daubechies wavelet transform for texture feature extraction that uses the MRF model, and a robust technique of determining the number of pixel classes based on Cluster Ensembles for a reliable segmentation of dental X-ray images. We present how our approach could be applied in dental biometrics to achieve very fast and reliable human identification. Experiments show that our new unsupervised image segmentation technique provides accurate feature extraction and teeth segmentation for effective biometric identification.
Six sigma approach to improve quality in e-services: An empirical study in Jordan
- Authors: Alhyari, Salah , Alazab, Moutaz , Venkatraman, Sitalakshmi , Alazab, Mamoun , Alazab, Ammar
- Date: 2012
- Type: Text , Journal article
- Relation: International Journal of Electronic Government Research Vol. 8, no. 2 (April, 2012), p. 57-74
- Full Text: false
- Reviewed:
- Description: This paper investigates the application of the Six Sigma approach to improve quality in electronic services (e-services), as more countries are adopting e-services as a means of providing services to their people through the Web. This paper presents a case study about the use of the Six Sigma model to measure customer satisfaction and quality levels achieved in e-services that were recently launched by public sector organisations in a developing country, such as Jordan. An empirical study consisting of 280 customers of Jordan's e-services is conducted and problems are identified through the DMAIC phases of Six Sigma. The service quality levels are measured and analysed using six main criteria: Website Design, Reliability, Responsiveness, Personalization, Information Quality, and System Quality. The study indicates that a 74% customer satisfaction with a Six Sigma level of 2.12 has enabled the Greater Amman Municipality to identify the usability issues associated with the e-services offered by public sector organisations. The aim of the paper is not only to implement Six Sigma as a measurement-based strategy for improving e-customer service in a newly launched e-service programme, but also to widen its scope in investigating other service dimensions and to perform comparative studies in other developing countries.
Zero-day malware detection based on supervised learning algorithms of API call signatures
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul , Alazab, Moutaz
- Date: 2011
- Type: Text , Conference proceedings
- Full Text:
- Description: Zero-day or unknown malware are created using code obfuscation techniques that can modify the parent code to produce offspring copies which have the same functionality but with different signatures. Current techniques reported in the literature lack the capability of detecting zero-day malware with the required accuracy and efficiency. In this paper, we have proposed and evaluated a novel method of employing several data mining techniques to detect and classify zero-day malware with high levels of accuracy and efficiency based on the frequency of Windows API calls. This paper describes the methodology employed for the collection of large data sets to train the classifiers, and analyses the performance results of the various data mining algorithms adopted for the study using a fully automated tool developed in this research to conduct the various experimental investigations and evaluation. Through the performance results of these algorithms from our experimental analysis, we are able to evaluate and discuss the advantages of one data mining algorithm over the other for accurately detecting zero-day malware successfully. The data mining framework employed in this research learns through analysing the behavior of existing malicious and benign codes in large datasets. We have employed robust classifiers, namely the Naïve Bayes (NB) Algorithm, k-Nearest Neighbor (kNN) Algorithm, Sequential Minimal Optimization (SMO) Algorithm with 4 different kernels (SMO - Normalized PolyKernel, SMO - PolyKernel, SMO - Puk, and SMO - Radial Basis Function (RBF)), Backpropagation Neural Networks Algorithm, and J48 decision tree, and have evaluated their performance. Overall, the automated data mining system implemented for this study has achieved a high true positive (TP) rate of more than 98.5%, and a low false positive (FP) rate of less than 0.025, which has not been achieved in the literature so far. This is much higher than the required commercial acceptance level, indicating that our novel technique is a major leap forward in detecting zero-day malware. This paper also offers future directions for researchers in exploring different aspects of obfuscations that are affecting the IT world today. © 2011, Australian Computer Society, Inc.
- Description: 2003009506
Information security governance: The art of detecting hidden malware
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul
- Date: 2013
- Type: Text , Book chapter
- Relation: IT Security governance innovations: Theory and research p. 293-315
- Full Text: false
- Reviewed:
- Description: Detecting malicious software or malware is one of the major concerns in information security governance, as malware authors pose a major challenge to digital forensics by using a variety of highly sophisticated stealth techniques to hide malicious code in computing systems, including smartphones. The current detection techniques are futile, as forensic analysis of infected devices is unable to identify all the hidden malware, thereby resulting in zero day attacks. This chapter takes a key step forward to address this issue and lays the foundation for deeper investigations in digital forensics. The goal of this chapter is, firstly, to unearth the recent obfuscation strategies employed to hide malware. Secondly, this chapter proposes innovative techniques that are implemented as a fully-automated tool, and experimentally tested to exhaustively detect hidden malware that leverages system vulnerabilities. Based on these research investigations, the chapter also arrives at an information security governance plan that would aid in addressing the current and future cybercrime situations.
An optimal transportation routing approach using GIS-based dynamic traffic flows
- Authors: Alazab, Ammar , Venkatraman, Sitalakshmi , Abawajy, Jemal , Alazab, Mamoun
- Date: 2010
- Type: Text , Conference proceedings
- Full Text: false
- Description: This paper examines the value of real-time traffic information gathered through Geographic Information Systems for achieving an optimal vehicle routing within a dynamically stochastic transportation network. We present a systematic approach in determining the dynamically varying parameters and implementation attributes that were used for the development of a Web-based transportation routing application integrated with real-time GIS services. We propose and implement an optimal routing algorithm by modifying Dijkstra’s algorithm in order to incorporate stochastically changing traffic flows. We describe the significant features of our Web application in making use of the real-time dynamic traffic flow information from GIS services towards achieving total costs savings and vehicle usage reduction. These features help users and vehicle drivers in improving their service levels and productivity as the Web application enables them to interactively find the optimal path and in identifying destinations effectively.
Malware detection based on structural and behavioural features of API calls
- Authors: Alazab, Mamoun , Layton, Robert , Venkatraman, Sitalakshmi , Watters, Paul
- Date: 2010
- Type: Text , Conference proceedings
- Full Text: false
- Description: In this paper, we propose a five-step approach to detect obfuscated malware by investigating the structural and behavioural features of API calls. We have developed a fully automated system to disassemble and extract API call features effectively from executables. Using n-gram statistical analysis of binary content, we are able to classify whether an executable file is malicious or benign. Our experimental results with a dataset of 242 malware samples and 72 benign files have shown a promising accuracy of 96.5% for the unigram model. We also provide a preliminary analysis by our approach using a support vector machine (SVM) and, by varying n-values from 1 to 5, we have analysed the performance, including accuracy, false positives and false negatives. By applying SVM, we propose to train the classifier and derive an optimum n-gram model for detecting both known and unknown malware efficiently.
Malicious code detection using penalized splines on OPcode frequency
- Authors: Alazab, Mamoun , Al Kadiri, Mohammad , Venkatraman, Sitalakshmi , Al-Nemrat, Ameer
- Date: 2012
- Type: Text , Conference proceedings
- Full Text: false
- Description: Recently, malicious software has been gaining exponential growth due to the innumerable obfuscations of extended x86 IA-32 opcodes (OPcodes) that are being employed to evade traditional detection methods. In this paper, we design a novel distinguisher to separate malware from benign software that combines a Multivariate Logistic Regression model using kernel HS in Penalized Splines along with an OPcode frequency feature selection technique for efficiently detecting obfuscated malware. The main advantage of our penalized splines based feature selection technique is its performance capability, achieved through the efficient filtering and identification of the most important OPcodes used in the obfuscation of malware. This is demonstrated through our successful implementation and experimental results of our proposed model on large malware datasets. The presented approach is effective at identifying previously examined malware and non-malware to assist in reverse engineering. © 2012 IEEE.
- Description: 2003011056
Analysis of firewall log-based detection scenarios for evidence in digital forensics
- Authors: Mukhtar, Rubiu , Al-Nemrat, Ameer , Alazab, Mamoun , Venkatraman, Sitalakshmi , Jahankhani, Hamid
- Date: 2012
- Type: Text , Journal article
- Relation: International Journal of Electronic Security and Digital Forensics Vol. 4, no. 4 (2012), p. 261-279
- Full Text: false
- Reviewed:
- Description: With the recent escalating rise in cybercrime, firewall logs have attained much research focus in assessing their capability to serve as excellent evidence in digital forensics. Even though the main aim of firewalls is to screen or filter part or all network traffic, firewall logs could provide rich traffic information that could be used as evidence to prove or disprove the occurrence of online attack events for legal purposes. Since courts have a definition of what could be presented to them as evidence, this research investigates the determinants for the acceptability of firewall logs as suitable evidence. Two commonly used determinants are tested using three different firewall-protected network scenarios. These determinants are: (1) admissibility, which requires the evidence to satisfy certain legal requirements stipulated by the courts; and (2) weight, which represents the sufficiency and extent to which the evidence convinces the establishment of a cybercrime attack. Copyright © 2012 Inderscience Enterprises Ltd.
- Description: 2003010400
Identifying cyber predators through forensic authorship analysis of chat logs
- Authors: Amuchi, Faith , Al-Nemrat, Ameer , Alazab, Mamoun , Layton, Robert
- Date: 2012
- Type: Text , Conference proceedings
- Full Text: false
- Description: Online Grooming is a growing phenomenon within online environments. One of the major problems encountered in qualitative internet research of chat communication is the issue of anonymity, which is being exploited and greatly enjoyed by chatters. An important question that has been asked in the literature is 'How can a researcher be sure to analyse the communication of children and adolescents and not the chat communication of adults who pretend to be under 18?'. Our reply to this question would be the field of Authorship Analysis. Authorship Analysis offers a way to unmask the anonymity of cyber predators. Stylometry, as used in this chat log analysis, is a type of Authorship Analysis that is not based on an author's handwriting but includes contextual clues from the content of their writings. This research paper will analyse the application of different authorship attribution techniques to chat logs from a forensic perspective. © 2012 IEEE.
- Description: 2003011054
Skype Traffic Classification Using Cost Sensitive Algorithms
- Authors: Azab, Azab , Layton, Robert , Alazab, Mamoun , Watters, Paul
- Date: 2013
- Type: Text , Conference paper
- Relation: Proceedings - 4th Cybercrime and Trustworthy Computing Workshop, CTC 2013 p. 14-21
- Full Text: false
- Reviewed:
- Description: Voice over IP (VoIP) technologies such as Skype are becoming increasingly popular and widely used in different organisations, and therefore identifying the usage of this service at the network level becomes very important. Reasons for this include applying Quality of Service (QoS), network planning, prohibiting its use in some networks and lawful interception of communications. Researchers have addressed VoIP traffic classification from different viewpoints, such as classifier accuracy, building time, classification time and online classification. This previous research tested their models using the same version of a VoIP product they used for training the model, giving generalizability only to that version of the product. This means that as new VoIP versions are released, these classifiers become obsolete. In this paper, we address whether this approach is applicable to detecting new, untrained versions of Skype. We suggest that using cost-sensitive classifiers can help to improve the accuracy of detecting untrained versions, as tested against other algorithms. Our experiment demonstrates promising preliminary results in detecting Skype version 4 by building a cost sensitive classifier on Skype version 3, achieving an F-measure score of 0.57. This is a drastic improvement over not using cost sensitivity, which scores an F-measure of 0. This approach may be enhanced to improve the detection results and extended to improve detection for other applications that change protocols from version to version.
Forensic identification and detection of hidden and obfuscated malware
- Authors: Alazab, Mamoun
- Date: 2012
- Type: Text , Thesis , PhD
- Full Text:
- Description: The revolution in online criminal activities and malicious software (malware) has posed a serious challenge in malware forensics. Malicious attacks have become more organized and purposefully directed. With cybercrimes escalating to great heights in quantity as well as in sophistication and stealth, the main challenge is to detect hidden and obfuscated malware. Malware authors use a variety of obfuscation methods and specialized stealth techniques of information hiding to embed malicious code, to infect systems and to thwart any attempt to detect them, specifically with the use of commercially available anti-malware engines. This has led to the situation of zero-day attacks, where malware infects systems even with existing security measures. The aim of this thesis is to address this situation by proposing a variety of novel digital forensic and data mining techniques to automatically detect hidden and obfuscated malware. Anti-malware engines use signature matching to detect malware, where signatures are generated by human experts by disassembling the file and selecting pieces of unique code. Such signature based detection works effectively with known malware but performs poorly with hidden or unknown malware. Code obfuscation techniques, such as packers, polymorphism and metamorphism, are able to fool current detection techniques by modifying the parent code to produce offspring copies, resulting in malware that has the same functionality but with a different structure. These evasion techniques exploit the drawbacks of traditional malware detection methods, which take the current malware structure and create a signature for detecting this malware in the future. However, obfuscation techniques aim to reduce vulnerability to any kind of static analysis, to the detriment of any reverse engineering process. Furthermore, malware can be hidden in file system slack space, inherent in NTFS file system based partitions, making malware detection even more difficult.
- Description: Doctor of Philosophy
Malicious Spam Emails Developments and Authorship Attribution
- Authors: Alazab, Mamoun , Layton, Robert , Broadhurst, Roderic , Bouhours, Brigitte
- Date: 2013
- Type: Text , Conference paper
- Relation: Proceedings - 4th Cybercrime and Trustworthy Computing Workshop, CTC 2013 p. 58-68
- Full Text: false
- Reviewed:
- Description: The Internet is a decentralized structure that offers speedy communication, has a global reach and provides anonymity, a characteristic invaluable for committing illegal activities. In parallel with the spread of the Internet, cybercrime has rapidly evolved from a relatively low volume crime to a common high volume crime. A typical example of such a crime is the spreading of spam emails, where the content of the email tries to entice the recipient to click a URL linking to a malicious Web site or downloading a malicious attachment. Analysts attempting to provide intelligence on spam activities quickly find that the volume of spam circulating daily is overwhelming; therefore, any intelligence gathered is representative of only a small sample, not of the global picture. While past studies have looked at automating some of these analyses using topic-based models, i.e. separating email clusters into groups with similar topics, our preliminary research investigates the usefulness of applying authorship-based models for this purpose. In the first phase, we clustered a set of spam emails using an authorship-based clustering algorithm. In the second phase, we analysed those clusters using a set of linguistic, structural and syntactic features. These analyses reveal that emails within each cluster were likely written by the same author, but that it is unlikely we have managed to group together all spam produced by each group. This problem of high purity with low recall, has been faced in past authorship research. While it is also a limitation of our research, the clusters themselves are still useful for the purposes of automating analysis, because they reduce the work needing to be performed. Our second phase revealed useful information on the group that can be utilized in future research for further analysis of such groups, for example, identifying further linkages behind spam campaigns.
Cybercrime : The case of obfuscated malware
- Authors: Alazab, Mamoun , Venkatraman, Sitalakshmi , Watters, Paul , Alazab, Moutaz , Alazab, Ammar
- Date: 2011
- Type: Text , Conference paper
- Relation: Joint 7th International Conference on Global Security, Safety and Sustainability, ICGS3 2011, and the 4th Conference on e-Democracy Vol. 99 LNICST, p. 204-211
- Full Text: false
- Reviewed:
- Description: Cybercrime has rapidly developed in recent years, and malware is one of the major security threats in computing, having been in existence from the very early days. There is a lack of understanding of such malware threats and of what mechanisms can be used in implementing security prevention as well as in detecting the threat. The main contribution of this paper is a step towards addressing this by investigating the different techniques adopted by obfuscated malware, as they are increasingly widespread and increasingly sophisticated with zero-day exploits. In particular, by adopting certain effective detection methods, our investigations show how cybercriminals make use of file system vulnerabilities to inject hidden malware into the system. The paper also describes the recent trends of Zeus botnets and the importance of anomaly detection to be employed in addressing the new Zeus generation of malware. © 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering.
- Description: 2003010650