Cyber threat intelligence

THÔNG TIN TÀI LIỆU

Cấu trúc

Contents
Cyber Threat Intelligence: Challenges and Opportunities
- 1 Introduction
  - 1.1 Cyber Threat Intelligence Challenges
    - 1.1.1 Attack Vector Reconnaissance
    - 1.1.2 Attack Indicator Reconnaissance
  - 1.2 Cyber Threat Intelligence Opportunities
- 2 A Brief Review of the Book Chapters
- References
Machine Learning Aided Static Malware Analysis:A Survey and Tutorial
- 1 Introduction
- 2 An Overview of Machine Learning-Aided Static Malware Detection
  - 2.1 Static Characteristics of PE Files
  - 2.2 Machine Learning Methods Used for Static-Based Malware Detection
    - 2.2.1 Statistical Methods
    - 2.2.2 Rule Based
    - 2.2.3 Distance Based
    - 2.2.4 Neural Networks
    - 2.2.5 Open Source and Freely Available ML Tools
    - 2.2.6 Feature Selection and Construction Process
  - 2.3 Taxonomy of Malware Static Analysis Using Machine Learning
- 3 Approaches for Malware Feature Construction
- 4 Experimental Design
- 5 Results and Discussions
  - 5.1 Accuracy of ML-Aided Malware Detection Using Static Characteristics
    - 5.1.1 PE32 Header
    - 5.1.2 Bytes n-Gram
    - 5.1.3 Opcode n-Gram
    - 5.1.4 API Call n-Grams
- 6 Conclusion
- References
Application of Machine Learning Techniques to Detecting Anomalies in Communication Networks: Datasets and Feature Selection Algorithms
- 1 Introduction
  - 1.1 Border Gateway Protocol (BGP)
  - 1.2 Approaches for Detecting Network Anomalies
- 2 Examples of BGP Anomalies
- 3 Analyzed BGP Datasets
  - 3.1 Processing of Collected Data
- 4 Extraction of Features from BGP Update Messages
- 5 Review of Feature Selection Algorithms
  - 5.1 Fisher Algorithm
  - 5.2 Minimum Redundancy Maximum Relevance (mRMR) Algorithms
  - 5.3 Odds Ratio Algorithms
  - 5.4 Decision Tree Algorithm
- 6 Conclusion
- References
Application of Machine Learning Techniques to Detecting Anomalies in Communication Networks: Classification Algorithms
- 1 Introduction
  - 1.1 Machine Learning Techniques
- 2 Classification Algorithms
  - 2.1 Performance Metrics
- 3 Support Vector Machine (SVM)
- 4 Long Short-Term Memory (LSTM) Neural Network
- 5 Hidden Markov Model (HMM)
- 6 Naive Bayes
- 7 Decision Tree Algorithm
- 8 Extreme Learning Machine Algorithm (ELM)
- 9 Discussion
- 10 Conclusion
- References
Leveraging Machine LearningTechniques for Windows Ransomware Network Traffic Detection
- 1 Introduction
- 2 Related Works
- 3 Methodology
  - 3.1 Data Collection Phase
    - 3.1.1 Malicious Applications
    - 3.1.2 Benign Applications
  - 3.2 Feature Selection and Extraction
  - 3.3 Machine Learning Classifiers
- 4 Experiments and Results
  - 4.1 Evaluation Measures
  - 4.2 Malware Experiment and Results
  - 4.3 Result Comparison
- 5 Conclusion and Future Works
- References
Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-Ransomware
- 1 Introduction
- 2 Related Works and Research Literature
- 3 Methodology
  - 3.1 Data Collection
  - 3.2 Feature Extraction
  - 3.3 Dataset Creation
    - 3.3.1 Merging the Data
    - 3.3.2 Normalising the Data
    - 3.3.3 Opcode Breakdown
  - 3.4 Machine Learning Classification
    - 3.4.1 SVM and Kernel Functions
    - 3.4.2 Feature/Attribute Selection Process
  - 3.5 Implementation
    - 3.5.1 Pre-processing the Dataset (1)
    - 3.5.2 Creating the Training and Test Datasets (2)
    - 3.5.3 Training and Testing the SVM Classifier (3.1)
    - 3.5.4 Training and Testing the Attribute Selection Evaluators
    - 3.5.5 Evaluation Metrics
    - 3.5.6 Machine Specifications
- 4 Experiments and Results
  - 4.1 SMO (Two Classes)
  - 4.2 SMO (Six Classes)
  - 4.3 Training and Testing the Attribute Selection Evaluators
    - 4.3.1 CFSSubsetEval
    - 4.3.2 CorrelationAttributeEval
    - 4.3.3 GainRatioAttributeEval
    - 4.3.4 InfoGainAttributeEval
    - 4.3.5 OneRAttributeEval
    - 4.3.6 PrincipalComponents
    - 4.3.7 RelieffAttributeEval
    - 4.3.8 SymmetricalUncertAttributeEval
  - 4.4 Tuning the Attribute Selection Evaluators to Achieve Further Feature Reduction (4)
  - 4.5 Important Opcodes
- 5 Conclusion
- References
BoTShark: A Deep Learning Approach for Botnet Traffic Detection
- 1 Introduction
- 2 Related Work
- 3 Background: Deep Learning
  - 3.1 Autoencoders
  - 3.2 Convolutional Neural Network (CNN)
- 4 Data Collection and Primary Feature Extraction
- 5 Proposed BoTShark
  - 5.1 BoTShark-SA: Using Stacked Autoencoders
  - 5.2 SocialBoTShrak-CNN: Using CNNs
- 6 Evaluation
- 7 Conclusion
- References
A Practical Analysis of the Rise in Mobile Phishing
- 1 Introduction
- 2 Measuring the Impact of Phishing
- 3 Methodology for Visitors to Phishing Websites
- 4 Mobile Phishing Kits in the Wild
- 5 Mobile Phishing Campaigns
- 6 Recommended Changes
- 7 Conclusion
- A.1 Appendix
- References
PDF-Malware Detection: A Survey and Taxonomyof Current Techniques
- 1 Introduction
- 2 Background on Malicious PDF Files
  - 2.1 The Portable Document Format
  - 2.2 PDF Document Obfuscation Techniques
- 3 Taxonomy of PDF Malware Detection Approaches
  - 3.1 Features
    - 3.1.1 Metadata
    - 3.1.2 JavaScript
    - 3.1.3 Whole File
    - 3.1.4 Feature Selection
  - 3.2 Detection Approaches
    - 3.2.1 Statistical Analysis
    - 3.2.2 Machine Learning Classification
    - 3.2.3 Clustering
    - 3.2.4 Signature Matching
- 4 State of the Art Discussion
  - 4.1 Related Works
- 5 Conclusions
- References
Adaptive Traffic Fingerprinting for Darknet Threat Intelligence
- 1 Introduction
- 2 Background
  - 2.1 Analysis of Attack Vectors in Tor
  - 2.2 Hidden Services
  - 2.3 Combining Methods
- 3 Adaptive Traffic Association and BGP Interception Algorithm (ATABI)
  - 3.1 BGP Interception Component
  - 3.2 MITM Component
  - 3.3 Detection Scheme
- 4 Experimentation and Results
  - 4.1 Experiment Setup
  - 4.2 Evaluation Criteria
  - 4.3 Results
- 5 Discussion
  - 5.1 Use Cases
  - 5.2 Proposed Defences
- 6 Conclusion and Future Work
- References
A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies
- 1 Introduction
  - 1.1 Background
  - 1.2 Impact Sub-Score
  - 1.3 Exploitability Sub-Score
  - 1.4 Research Data Set
  - 1.5 The CVSS Analysis of Data Set
- 2 Proposed Model
  - 2.1 Results and Discussion
- 3 Conclusions and Future Works
- References
A Honeypot Proxy Framework for Deceiving Attackers with Fabricated Content
- 1 Introduction
- 2 Deceiving Cyber Adversaries
- 3 Desirable Properties for a Fake Content Generator
- 4 The Design and Implementation of a Fake Content Generator
  - 4.1 A Conceptual Design of a Fake Content Generator
  - 4.2 The Implementation
  - 4.3 An Example on the Usage of Honeyproxy
  - 4.4 Recognizing Names Using Regular Expressions
  - 4.5 Fake Entity Generation
- 5 Experiments
  - 5.1 Recognizing Entity Attributes
  - 5.2 Performance
- 6 Discussion and Limitations
- 7 Related Work
- 8 Conclusions and Future Work
- References
Investigating the Possibility of Data Leakage in Time of Live VM Migration
- 1 Introduction
- 2 Background on Live Virtual Machine Migration
  - 2.1 Memory Migration
  - 2.2 Migration Algorithms
  - 2.3 Live VM Migration Process
- 3 Security Threat Model
  - 3.1 Threat Model
  - 3.2 Security Threats and Attacks
    - 3.2.1 Control Plane
    - 3.2.2 Data Plane
    - 3.2.3 Migration Module
    - 3.2.4 Insecure Algorithms and Implementations
- 4 Secure Live Migration
  - 4.1 Essential Security Requirements
  - 4.2 Existing Solutions
    - 4.2.1 Trusted Computing
    - 4.2.2 VM-vTPM Live Migration
    - 4.2.3 Trusted Third Party
    - 4.2.4 Role-Based Migration
    - 4.2.5 VLANs
- 5 Uncovered Threats with Potential Research Directions
  - 5.1 Bugs in VMM
  - 5.2 Replay of VM Data Messages
  - 5.3 Privileged Access
  - 5.4 Lack of Access Control
- 6 Proposed Secure Live VM Migration Protocol
- 7 Conclusion
- References
Forensics Investigation of OpenFlow-Based SDN Platforms
- 1 Introduction
- 2 Related Work
- 3 Framework Specification and Design
- 4 Framework Development and Implementation
- 5 SDN Southbound Forensics Tool
- 6 Testing Environment Setup
- 7 Evaluation and Discussion
- 8 Conclusion
- References
Mobile Forensics: A Bibliometric Analysis
- 1 Introduction
- 2 Methodology
  - 2.1 Web of Science
- 3 Finding in Publications Distribution
  - 3.1 Productivity
  - 3.2 Research Areas
  - 3.3 Institutions
  - 3.4 Impact Journals
  - 3.5 Highly Cited Articles
- 4 Conclusion and Future Works
- References
Emerging from the Cloud: A Bibliometric Analysis of Cloud Forensics Studies
- 1 Introduction
- 2 Methodology
- 3 Results and Discussion
  - 3.1 Productivity
  - 3.2 Research Areas
  - 3.3 Institutions
  - 3.4 Impact Journals
  - 3.5 Highly-Cited Articles
  - 3.6 Keywords Frequency
- 4 Challenges and Future Trends
  - 4.1 Evidence Identification
  - 4.2 Legal Issues in the Cloud
  - 4.3 Data Collection and Preservation
  - 4.4 Analysis and Presentation
  - 4.5 Future Trends
- 5 Conclusion
- References
Index

Nội dung

Advances in Information Security 70 Ali Dehghantanha Mauro Conti Tooska Dargahi Editors Cyber Threat Intelligence Advances in Information Security Volume 70 Series editor Sushil Jajodia, George Mason University, Fairfax, VA, USA More information about this series at http://www.springer.com/series/5576 Ali Dehghantanha • Mauro Conti Tooska Dargahi Editors Cyber Threat Intelligence 123 Editors Ali Dehghantanha Department of Computer Science University of Sheffield Sheffield, UK Mauro Conti Department of Mathematics University of Padua Padua, Italy Tooska Dargahi Department of Computer Science University of Salford Manchester, UK ISSN 1568-2633 Advances in Information Security ISBN 978-3-319-73950-2 ISBN 978-3-319-73951-9 (eBook) https://doi.org/10.1007/978-3-319-73951-9 Library of Congress Control Number: 2018940162 © Springer International Publishing AG, part of Springer Nature 2018 This work is subject to copyright All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed The use of general descriptive names, registered names, trademarks, service marks, etc in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations Printed on acid-free paper This Springer imprint is published by the registered company Springer International Publishing AG part of Springer Nature The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland Contents Cyber Threat Intelligence: Challenges and Opportunities Mauro Conti, Tooska Dargahi, and Ali Dehghantanha Machine Learning Aided Static Malware Analysis: A Survey and Tutorial Andrii Shalaginov, Sergii Banin, Ali Dehghantanha, and Katrin Franke Application of Machine Learning Techniques to Detecting Anomalies in Communication Networks: Datasets and Feature Selection Algorithms Qingye Ding, Zhida Li, Soroush Haeri, and Ljiljana Trajkovi´c 47 Application of Machine Learning Techniques to Detecting Anomalies in Communication Networks: Classification Algorithms Zhida Li, Qingye Ding, Soroush Haeri, and Ljiljana Trajkovi´c 71 Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection Omar M K Alhawi, James Baldwin, and Ali Dehghantanha 93 Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-Ransomware 107 James Baldwin and Ali Dehghantanha BoTShark: A Deep Learning Approach for Botnet Traffic Detection 137 Sajad Homayoun, Marzieh Ahmadzadeh, Sattar Hashemi, Ali Dehghantanha, and Raouf Khayami A Practical Analysis of the Rise in Mobile Phishing 155 Brad Wardman, Michael Weideman, Jakub Burgis, Nicole Harris, Blake Butler, and Nate Pratt v vi Contents PDF-Malware Detection: A Survey and Taxonomy of Current Techniques 169 Michele Elingiusti, Leonardo Aniello, Leonardo Querzoni, and Roberto Baldoni Adaptive Traffic Fingerprinting for Darknet Threat Intelligence 193 Hamish Haughey, Gregory Epiphaniou, Haider Al-Khateeb, and Ali Dehghantanha A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies 219 Milda Petraityte, Ali Dehghantanha, and Gregory Epiphaniou A Honeypot Proxy Framework for Deceiving Attackers with Fabricated Content 239 Jarko Papalitsas, Sampsa Rauti, Jani Tammi, and Ville Leppänen Investigating the Possibility of Data Leakage in Time of Live VM Migration 259 Rehana Yasmin, Mohammad Reza Memarian, Shohreh Hosseinzadeh, Mauro Conti, and Ville Leppänen Forensics Investigation of OpenFlow-Based SDN Platforms 281 Mudit Kalpesh Pandya, Sajad Homayoun, and Ali Dehghantanha Mobile Forensics: A Bibliometric Analysis 297 James Gill, Ihechi Okere, Hamed HaddadPajouh, and Ali Dehghantanha Emerging from the Cloud: A Bibliometric Analysis of Cloud Forensics Studies 311 James Baldwin, Omar M K Alhawi, Simone Shaughnessy, Alex Akinbi, and Ali Dehghantanha Index 333 Cyber Threat Intelligence: Challenges and Opportunities Mauro Conti, Tooska Dargahi, and Ali Dehghantanha Abstract The ever increasing number of cyber attacks requires the cyber security and forensic specialists to detect, analyze and defend against the cyber threats in almost real-time In practice, timely dealing with such a large number of attacks is not possible without deeply perusing the attack features and taking corresponding intelligent defensive actions—this in essence defines cyber threat intelligence notion However, such an intelligence would not be possible without the aid of artificial intelligence, machine learning and advanced data mining techniques to collect, analyse, and interpret cyber attack evidences In this introductory chapter we first discuss the notion of cyber threat intelligence and its main challenges and opportunities, and then briefly introduce the chapters of the book which either address the identified challenges or present opportunistic solutions to provide threat intelligence Keywords Cyber threat intelligence · Indicators of attack · Indicators of compromise · Artificial intelligence Introduction In the era of digital information technology and connected devices, the most challenging issue is ensuring the security and privacy of the individuals’ and organizations’ data During the recent years, there has been a significant increase in the M Conti University of Padua, Padua, Italy e-mail: conti@math.unipd.it T Dargahi ( ) Department of Computer Science, University of Salford, Manchester, UK e-mail: t.dargahi@salford.ac.uk A Dehghantanha Department of Computer Science, University of Sheffield, Sheffield, UK e-mail: A.Dehghantanha@sheffield.ac.uk © Springer International Publishing AG, part of Springer Nature 2018 A Dehghantanha et al (eds.), Cyber Threat Intelligence, Advances in Information Security 70, https://doi.org/10.1007/978-3-319-73951-9_1 M Conti et al number and variety of cyber attacks and malware samples which make it extremely difficult for security analysts and forensic investigators to detect and defend against such security attacks In order to cope with this problem, researchers introduced the notion of “Threat Intelligence”, which refers to “the set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators” [14] In fact, Cyber Threat Intelligence (CTI) emerged in order to help security practitioners in recognizing the indicators of cyber attacks, extracting information about the attack methods, and consequently responding to the attack accurately and in a timely manner Here an important challenge would be: How to provide such an intelligence? When a significant amount of data is collected from or generated by different security monitoring solutions, intelligent big-data analytical techniques are necessary to mine, interpret and extract knowledge out of the collected data In this regard, several concerns come along and introduce new challenges to the filed, which we discuss in the following 1.1 Cyber Threat Intelligence Challenges As a matter of fact, cybercriminals adopt several methods to attack a victim in order to (1) steal victim’s sensitive personal information (e.g., financial information); or (2) access and take control of the victim’s machine to perform further malicious activities, such as delivering malware (in case of botnet), locking/encrypting victim machine (in case of ransomware) Though, different cyber attacks seem to follow different methods of infection, in essence they have more or less similar life cycle: starting from victim reconnaissance to performing malicious activities on the victim machine/network 1.1.1 Attack Vector Reconnaissance An important challenge in defending against cyber attacks, is recognizing the point of attacks and the system vulnerabilities that could be exploited by the cybercriminals Along with the common methods that have always been used to deceive victims (e.g., phishing [16]) in performing the actions that the attackers desire, during the recent years, attackers have used smarter and more innovative methods for attacking victims These methods are ranging from delivering a malicious software (malware) in an unexpected format (e.g., Word documents or PDF files) to the victim machine [6], to exploiting 0-day vulnerabilities,1 and trespassing anonymous communications in order to contact threat actors [8] Some examples of such advanced attacks are the new families of Ransomware that have worm-like An application vulnerability that is undisclosed and could be exploited by the attackers to access the victim’s machine [12] Cyber Threat Intelligence: Challenges and Opportunities behaviours, which have infected tens of hundreds of individuals, organizations and critical systems These advancements in attack methods make the recognition of the attacker and attack’s point of arrival an extremely challenging issue 1.1.2 Attack Indicator Reconnaissance Another important issue regarding the emerging cyber attacks is the fact that cybercriminals use advanced anti-forensics and evasion methods in their malicious code, which makes the usual security assessment techniques, e.g., CVSS (Common Vulnerability Scoring System), or static malware and traffic analysis less efficient [13, 15] Moreover, the new networking paradigms, such as software-defined networking (SDN), Internet of Things (IoT), and cloud computing, and their widely adoption by organizations (e.g., using cloud resources for their big-data storage and processing) call for modern techniques in forensic investigation of exchanged and stored data [2, 7, 10, 17] 1.2 Cyber Threat Intelligence Opportunities In order to address the challenges explained in the previous section, the emerging field of cyber threat intelligence considers the application of artificial intelligence and machine learning techniques to perceive, reason, learn and act intelligently against advanced cyber attacks During the recent years, researchers have taken different artificial intelligence techniques into consideration in order to provide the security professionals with a means of recognizing cyber threat indicators In particular, there is an increasing trend in the usage of Machine Learning (ML) and data mining techniques due to their proved efficiency in malware analysis (in both static and dynamic analysis), as well as network anomaly detection [1, 3– 5, 9, 15] Along with the methods that the cyber defenders could use in order to prevent or detect cyber attacks, there are other mechanisms that could be adopted in order to deceive the attackers, such as using honeypots In such mechanisms, security specialists provide fake information or resources that seem to be legitimate to attract attackers, while at the same time they monitor the attackers’ activities and proactively detect the attack [11] Totally, a combination of these methods would be required to provide up-to-date information for security practitioners and analysts A Brief Review of the Book Chapters This book provides an up-to-date and advanced knowledge, from both academia and industry, in cyber threat intelligence In particular, in this book we provide wider knowledge of the field with specific focus on the cyber attack methods and ... present opportunistic solutions to provide threat intelligence Keywords Cyber threat intelligence · Indicators of attack · Indicators of compromise · Artificial intelligence Introduction In the era... data [2, 7, 10, 17] 1.2 Cyber Threat Intelligence Opportunities In order to address the challenges explained in the previous section, the emerging field of cyber threat intelligence considers... Dargahi (eds.) Cyber Threat Intelligence, chap 11, p in press Springer Advances in Information Security series (2018) M Conti et al 14 Shackleford, D.: Who’s using cyberthreat intelligence and

Ngày đăng: 04/03/2019, 11:11