Liu Dissertation 2011.Pdf


Multi-level Sandboxing Techniques for Execution-based Stealthy Malware Detection

A dissertation submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy at George Mason University

By Lei Liu
Master of Science, Huazhong University of Science and Technology, 1999
Bachelor of Science, Huazhong University of Science and Technology, 1996

Director: Songqing Chen, Associate Professor, Department of Computer Science

Spring Semester 2011
George Mason University
Fairfax, VA

Copyright © 2011 by Lei Liu. All Rights Reserved.

Dedication

I dedicate this dissertation to my parents Zuoxun Liu and Dingfeng Luo.

Acknowledgments

I would like to thank the following people who made this possible. I would like to thank my advisor Dr. Songqing Chen, who has spent so much of his time directing this dissertation work. It would have been impossible without his guidance and support. My gratitude also goes to Dr. Sanjeev Setia, Dr. Brian L. Mark, Dr. Fei Li, and Dr. Yutao Zhong, who served on my dissertation committee and gave me their invaluable input. I would also like to thank Dr. Hassan Gomaa for his advice on my dissertation presentation, as well as Drs. Xinwen Zhang, Guanhua Yan, Xinyuan Wang, and Zhao Zhang for their advice and collaboration in several research projects during my Ph.D. study. I would also like to express my appreciation to my lab mates Dongyu Liu and Yao Liu for their help and collaboration, and to my friends I met at George Mason University: Fayin Li, Haidong Lu, Yifan Liu, Bo Zhang, and Baoxian Zhao, just to name a few. As an international student I received a lot of help from people in George Mason University and the local Fairfax community. Finally I would like to thank my family members, who always stand by me.

Table of Contents

List of Tables
List of Figures
Abstract
1 Introduction
  1.1 Background
  1.2 Malware Detection
    1.2.1 Signature-based Malware Detection Schemes
    1.2.2 Anomaly-based Malware Detection Schemes
    1.2.3 Sandboxing Techniques
  1.3 Problem Statement
  1.4 Our Contributions: Multi-level Sandboxing Techniques for Execution-based Detection
  1.5 Summary
2 OS-level Sandboxing and BotTracer
  2.1 Introduction
  2.2 Principle and Overview of BotTracer
    2.2.1 Invariant Characteristics of Bot-like Malware
    2.2.2 BotTracer Design Rationale
    2.2.3 BotTracer Overview
  2.3 BotTracer Design
    2.3.1 Whitelist and Starting Point Set
    2.3.2 Command and Control Channel Event Model
    2.3.3 Command and Control Channel Detection
    2.3.4 Information Harvesting/Dispersion Behavior Analysis
  2.4 BotTracer Evaluation
    2.4.1 Prototype Implementation and Experimental Setup
    2.4.2 Channel Establishment Detection
    2.4.3 Information Harvesting/Dispersion Detection
    2.4.4 False Positive Experiments
  2.5 Discussion
  2.6 Summary
3 Process-level Sandboxing and Malyzer
  3.1 Introduction
  3.2 Malyzer Design
    3.2.1 Startup Tracker
    3.2.2 Shadow Process Manager
    3.2.3 Shadow Process Monitor
  3.3 Malyzer Implementation
  3.4 Malyzer Evaluation
    3.4.1 Whether Malyzer Can Defeat Malware Anti-detections
    3.4.2 Whether a Shadow Process Functions Normally and Whether Its Misbehavior Can Be Detected
  3.5 Discussion
  3.6 Summary
4 Intra-process Sandboxing and sePlugin
  4.1 Introduction
  4.2 sePlugin Design
    4.2.1 Threat Model
    4.2.2 Overview of sePlugin
    4.2.3 Sandbox Manager
    4.2.4 Proxy
    4.2.5 Intra-process Sandbox
  4.3 sePlugin Implementation
    4.3.1 Sandbox Manager
    4.3.2 Proxy and COM Interceptor
    4.3.3 System Call Interceptor
    4.3.4 .NET Interceptor
    4.3.5 Security Checker
  4.4 Securing IE with sePlugin
    4.4.1 Same Origin Policy for Content Extensions
    4.4.2 Policies for Browser Extensions
  4.5 sePlugin Evaluation
    4.5.1 Detecting Malicious Plugins
    4.5.2 False Positive Tests
    4.5.3 Operational Overhead
  4.6 Summary
5 Conclusion
Bibliography

List of Tables

1.1 Multi-level Sandboxing and Systems
2.1 Command and Control Channel Detection
2.2 Agobot HTTP DDoS Attack Packets
2.3 API Called When Graybird Launches Attacks
2.4 Outlook Express Connecting Packets
3.1 Experiment Samples
3.2 rBot Detection
3.3 OS-level Sandbox and Process-level Sandbox Comparison
4.1 Summary of How Plugins Are Secured in Existing Browser Architectures and Our Objectives
4.2 Plugin Interfaces Implemented
4.3 Malicious Plugins Detection
4.4 False Positive Rate (Round 1)
4.5 False Positive Rate (Round 2)
4.6 False Positive Rate (Round 3)

List of Figures

1.1 Multi-level Sandboxing
2.1 OS-level Sandbox
2.2 BotTracer Detection Logic: Startup, Preparation, and Attack During a Bot Onset
2.3 BotTracer Architecture and Flow of Control
2.4 Traffic Pattern of Command and Control Channel: Centralized and Decentralized
2.5 Command and Control Channel Event Model
2.6 The Dormant Profile of Internet Explorer
2.7 The Dormant Profile of Outlook Express
3.1 Malyzer System Architecture
3.2 Dynamic Code Replacement of Graybird
3.3 Shadow Process Manager
3.4 A Shadow Process of reptile
3.5 A Shadow Process of Graybird
3.6 A Shadow Process of Agobot3
4.1 sePlugin Overview
4.2 Intra-process Sandbox
4.3 Proxy Interfaces
4.4 .NET Weaving with RAIL
4.5 .NET-based Plugin Overview
4.6 Execution Overhead of sePlugin

Abstract

MULTI-LEVEL SANDBOXING TECHNIQUES FOR EXECUTION-BASED STEALTHY MALWARE DETECTION
Lei Liu, PhD
George Mason University, 2011
Dissertation Director: Songqing Chen

These days all kinds of malware are pervasive on the Internet. Compared to their ancestors, which were commonly used for vandalism or demonstration of skills, modern malware, such as bots, is driven by the underground economy. Often consisting of hundreds to thousands of bots, botnets are one of the most serious threats on the Internet, responsible for various attacks such as spamming and distributed denial of service (DDoS). As web browsers are the main interface through which the majority of Internet users surf the Internet today, much of this stealthy malware seeks to invade via web browsers in the form of browser helper objects (BHO) and browser toolbars. To defend against Internet malware, existing schemes mainly rely on either signature-based or anomaly-based detection approaches. Signature-based detection is effective for known malware if the malware signature has been generated. However, the effectiveness of signature-based schemes is challenged by polymorphism, metamorphism, obfuscation, encryption,