DOCSLIB.ORG

December 2009 (PDF)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
December 2009 (PDF) DECEMBER 2009 VOLUME 34 NUMBER 6 OPINION Musings 2 Rik Farrow SECURITY The Conflicts Facing Those Responding to Cyberconflict 7 DaviD DittRich THE USENIX MAGAZINE Top 10 Web Hacking Techniques: “What’s Possible, Not Probable” 16 JeRemiah GRossman Hardening the Web with NoScript 21 Giorgio maone Correct OS Kernel?­ Proof? Done! 28 GeRwin klein Improving TCP Security with Robust Cookies 35 Perry metzGeR, willia m allen simPson, anD Paul vixie COLUMns Practical Perl Tools: Essential Techniques 44 DaviD n. Blank-Edelman Pete’s All Things Sun: Swaddling Applications in a Security Blanket 51 PeteR BaeR Galvin iVoyeur: 7 Habits of Highly Effective Nagios Implementations 57 Dave JosePhsen /dev/random: A Realist’s Glossary of Terms Widely Employed in the Information Security Arena 62 RoBeRt G. Ferrell BooK reVieWS Book Reviews 65 elizaBeth zwicky et al. useniX NOTES 2010 Election for the USENIX Board of Directors 70 ellie younG USACO Teams Shine 71 RoB kolstaD ConFerences Reports from the 18th USENIX Security Symposium 73 Reports from the 2nd Workshop on Cyber Security Experimentation and Test (CSET ’09) 101 Reports from the 4th USENIX Workshop on Hot Topics in Security (HotSec ’09) 108 The Advanced Computing Systems Association dec09covers.indd 1 10.29.09 10:09:48 AM Upcoming Events Fi r s t Wo r k s h o p o n su s t a i n a b l e in F o r m a t i o n 2n d USENIX Wo r k s h o p o n ho t to p i c s in te c h n o l o g y (su s t a i n IT ’10) pa r a l l e l i s m (ho t pa r ’10) Co-located with FAST ’10 Sponsored by USENIX in cooperation with ACM SIGMETRICS, february 22, 2010, San JoSe, ca, uSa ACM SIGSOFT, ACM SIGOPS, and ACM SIGARCH http://www.usenix.org/sustainit10 June 14–15, 2010, berkeley, CA, uSa http://www.usenix.org/hotpar10 Submissions due: January 24, 2010 2n d USENIX Wo r k s h o p o n t h e th e o r y a n d pr a c t i c e o F pr o v e n a n c e (taPP ’10) 8t h an n u a l international co n F e r e n c e o n Co-located with FAST ’10 mo b i l e sy s t e m s , applications a n d se r v i c e s february 22, 2010, San JoSe, ca, uSa (mo b i sy s 2010) http://www.usenix.org/tapp10 Submissions due: December 14, 2009 Jointly sponsored by ACM SIGMOBILE and the USENIX Association 8t h USENIX co n F e r e n c e o n Fi l e a n d st o r a g e June 14–18, 2010, San franciSco, CA, uSa http://www.sigmobile.org/mobisys/2010/ echnologies t (FAST ’10) Abstracts due: December 4, 2009 Sponsored by USENIX in cooperation with ACM SIGOPS february 23–26, 2010, San JoSe, ca, uSa USENIX te c h n i c a l co n F e r e n c e s We e k http://www.usenix.org/fast10 2010 USENIX an n u a l te c h n i c a l co n F e r e n c e 3r d USENIX Wo r k s h o p o n la r g e -sc a l e (USENIX ATC ’10) eX p l o i t s a n d em e r g e n t th r e a t s (LEET ’10) June 23–25, 2010, boSton, Ma, uSa Co-located with NSDI ’10 http://www.usenix.org/atc10 Submissions due: January 11, 2010 april 27, 2010, San JoSe, ca, uSa http://www.usenix.org/leet10 USENIX co n F e r e n c e o n We b ap p l i c a t i o n Submissions due: February 25, 2010 de v e l o p m e n t (We b ap p s ’10) June 23–25, 2010, boSton, Ma, uSa 2010 in t e r n e t ne t W o r k ma n a g e m e n t http://www.usenix.org/webapps10 Wo r k s h o p /Wo r k s h o p o n re s e a r c h o n Paper titles and abstracts due: January 4, 2010 en t e r p r i s e ne t W o r k i n g (INM/WREN ’10) Co-located with NSDI ’10 3r d Wo r k s h o p o n on l i n e so c i a l ne t W o r k s april 27, 2010, San JoSe, ca, uSa (WOSN 2010) http://www.usenix.org/inmwren10 June 22, 2010, boSton, mA, uSa Paper registration due: February 5, 2010 http://www.usenix.org/wosn10 Paper submissions due: February 18, 2010 9t h international Wo r k s h o p o n pe e r -t o -pe e r 2n d USENIX Wo r k s h o p o n ho t to p i c s in sy s t e m s (IPTPS ’10) cl o u d co m p u t i n g (ho t cl o u d ’10) Co-located with NSDI ’10 april 27, 2010, San JoSe, ca, uSa 2n d Wo r k s h o p o n ho t to p i c s in st o r a g e a n d http://www.usenix.org/iptps10 Fi l e sy s t e m s (ho t st o r a g e ’10) Submissions due: December 18, 2009 19t h USENIX se c u r i t y sy m p o s i u m 7t h USENIX sy m p o s i u m o n ne t W o r k e d sy s t e m s (USENIX se c u r i t y ’10) de s i g n a n d implementation (NSDI ’10) auguSt 11–13, 2010, waShington, Dc, uSa Sponsored by USENIX in cooperation with ACM SIGCOMM and http://www.usenix.org/sec10 ACM SIGOPS Submissions due: February 5, 2010 april 28–30, 2010, San JoSe, ca, uSa http://www.usenix.org/nsdi10 For a complete list of all USENIX & USENIX co-sponsored events, see http://www.usenix.org/events. dec09covers.indd 2 10.29.09 10:09:49 AM OPINION Musings 2 Rik FArrOw SECURITY The Conflicts Facing Those Responding to Cyberconflict 7 DAvid DittrIch Top 10 Web Hacking Techniques: “What’s Possible, Not Probable” 16 JeremIAh GrOssman Hardening the Web with NoScript 21 contents GIOrgio Maone Correct OS Kernel? Proof? Done! 28 GerwIN KleIN Improving TCP Security with Robust Cookies 35 Perry meTzGer, Willia m AlleN SimPson, and PAuL VixIe COLUMns Practical Perl Tools: Essential Techniques 44 DAvid N. Blank-EdeLman Pete’s All Things Sun: Swaddling Applications in a Security Blanket 51 PeTer Baer Galvin iVoyeur: 7 Habits of Highly Effective Nagios Implementations 57 VOL. 34, #6, December 2009 DAve JOsePhseN Editor ;login: is the official /dev/random: A Realist’s Glossary of Terms magazine of the Rik Farrow Widely Employed in the Information Security [email protected] USENIX Association. Arena 62 Managing Editor ;login: (ISSN 1044-6397) is RoberT G. FerreLL Jane-Ellen Long published bi-monthly by the [email protected] USENIX Association, 2560 Ninth Street, Suite 215, Copy Editor Berkeley, CA 94710. BooK reVieWS Book Reviews 65 Steve Gilmartin ElizAbeTh zwIcky eT al. [email protected] $90 of each member’s annual dues is for an annual sub- produCtion scription to ;login:. Subscrip- useniX NOTES 2010 Election for the USENIX Board of Casey Henderson tions for nonmembers are Jane-Ellen Long $125 per year. Directors 70 Jennifer Peterson Ellie Young Periodicals postage paid at typEsEttEr Berkeley, CA, and additional USACO Teams Shine 71 Star Type offices. Rob Kolstad [email protected] POSTMASTER: Send address USEniX assoCiation changes to ;login:, 2560 Ninth Street, USENIX Association, ConFerences Reports from the 18th USENIX Security Suite 215, Berkeley, 2560 Ninth Street, Symposium 73 California 94710 Suite 215, Berkeley, Phone: (510) 528-8649 CA 94710. Reports from the 2nd Workshop on FAX: (510) 548-5738 Cyber Security Experimentation and Test ©2009 USENIX Association http://www.usenix.org (CSET ’09) 101 http://www.sage.org USENIX is a registered trade- mark of the USENIX Associa- Reports from the 4th USENIX Workshop on tion. Many of the designations Hot Topics in Security (HotSec ’09) 108 used by manufacturers and sellers to distinguish their products are claimed as trade- marks. USENIX acknowledges all trademarks herein. Where those designations appear in this publication and USENIX is aware of a trademark claim, the designations have been printed in caps or initial caps. ;LOGIN: December 2009 ArTIcLe TITLe 1 Login_articlesDECEMBER_09_final.indd 1 10.29.09 9:27:12 AM ImagIne watchIng the begInnIng of a stock car race. As the drivers climb Rik Farrow into their cars, they ignore the webbing for covering the drivers’ windows and do not attach their five-point restraints or the head-and-neck supports. Although this goes against safety recommendations (and NAS- CAR rules), the drivers have decided that musings these safety measures are “inconvenient” Rik is the Editor of ;login:.
Load more

Recommended publications
  • Justice XML Data Model Technical Overview
    Justice XML Data Model Technical Overview April 2003 WhyWhy JusticeJustice XMLXML DataData ModelModel VersionVersion 3.0?3.0? • Aligned with standards (some were not available to RDD) • Model-based Æ consistent • Requirements-based – data elements, processes, and documents • Object-oriented Æ efficient extension and reuse • Expanded domain (courts, corrections, and juvenile) • Extensions to activity objects/processes • Relationships (to improve exchange information context) • Can evolve/advance with emerging technology (RDF/OWL) • Model provides the basis for an XML component registry that can provide • Searching/browsing components and metadata • Assistance for schema development/generation • Reference/cache XML schemas for validation • Interface (via standard specs) to external XML registries April 2003 DesignDesign PrinciplesPrinciples • Design and synthesize a common set of reusable, extensible data components for a Justice XML Data Dictionary (JXDD) that facilitates standard information exchange in XML. • Generalize JXDD for the justice and public safety communities – do NOT target specific applications. • Provide reference-able schema components primarily for schema developers. • JXDD and schema will evolve and, therefore, facilitate change and extension. • Best extension methods should minimize impact on prior schema and code investments. • Implement and represent domain relationships so they are globally understood. • Technical dependencies in requirements, solutions, and the time constraints of national priorities and demands
    [Show full text]
  • Object Query Language Reference Version: Itop 1.0
    Object Query Language Reference Version: Itop 1.0 Overview OQL aims at defining a subset of the data in a natural language, while hiding the complexity of the data model and benefit of the power of the object model (encapsulation, inheritance). Its syntax sticks to the syntax of SQL, and its grammar is a subset of SQL. As of now, only SELECT statements have been implemented. Such a statement do return objects of the expected class. The result will be used by programmatic means (to develop an API like ITOp). A famous example: the library Starter SELECT Book Do return any book existing in the Database. No need to specify the expected columns as we would do in a SQL SELECT clause: OQL do return plain objects. Join classes together I would like to list all books written by someone whose name starts with `Camus' SELECT Book JOIN Artist ON Book.written_by = Artist.id WHERE Artist.name LIKE 'Camus%' Note that there is no need to specify wether the JOIN is an INNER JOIN, or LEFT JOIN. This is well-known in the data model. The OQL engine will in turn create a SQL queries based on the relevant option, but we do not want to care about it, do we? © Combodo 2010 1 Now, you may consider that the name of the author of a book is of importance. This is the case if should be displayed anytime you will list a set of books, or if it is an important key to search for. Then you have the option to change the data model, and define the name of the author as an external field.
    [Show full text]
  • Éric FREYSSINET Lutte Contre Les Botnets
    THÈSE DE DOCTORAT DE L’UNIVERSITÉ PIERRE ET MARIE CURIE Spécialité Informatique École doctorale Informatique, Télécommunications et Électronique (Paris) Présentée par Éric FREYSSINET Pour obtenir le grade de DOCTEUR DE L’UNIVERSITÉ PIERRE ET MARIE CURIE Sujet de la thèse : Lutte contre les botnets : analyse et stratégie Présentée et soutenue publiquement le 12 novembre 2015 devant le jury composé de : Rapporteurs : M. Jean-Yves Marion Professeur, Université de Lorraine M. Ludovic Mé Enseignant-chercheur, CentraleSupélec Directeurs : M. David Naccache Professeur, École normale supérieure de thèse M. Matthieu Latapy Directeur de recherche, UPMC, LIP6 Examinateurs : Mme Clémence Magnien Directrice de recherche, UPMC, LIP6 Mme Solange Ghernaouti-Hélie Professeure, Université de Lausanne M. Vincent Nicomette Professeur, INSA Toulouse Cette thèse est dédiée à M. Celui qui n’empêche pas un crime alors qu’il le pourrait s’en rend complice. — Sénèque Remerciements Je tiens à remercier mes deux directeurs de thèse. David Naccache, officier de réserve de la gendarmerie, contribue au développement de la recherche au sein de notre institution en poussant des personnels jeunes et un peu moins jeunes à poursuivre leur passion dans le cadre académique qui s’impose. Matthieu Latapy, du LIP6, avec qui nous avions pu échanger autour d’une thèse qu’il encadrait dans le domaine difficile des atteintes aux mineurs sur Internet et qui a accepté de m’accueillir dans son équipe. Je voudrais remercier aussi, l’ensemble de l’équipe Réseaux Complexes du LIP6 et sa responsable d’équipe actuelle, Clémence Magnien, qui m’ont accueilli à bras ouverts, accom- pagné à chaque étape et dont j’ai pu découvrir les thématiques et les méthodes de travail au fil des rencontres et des discussions.
    [Show full text]
  • Symantec White Paper
    QUARTERLY REPORT: SYMANTEC ENTERPRISE SECURITY SYMANTEC REPORT: QUARTERLY Symantec Intelligence Quarterly July - September, 2009 Published October 2009 Technical Brief: Symantec Enterprise Security Symantec Intelligence Quarterly July - September, 2009 Contents Introduction . 1 Highlights . 2 Metrics. 2 Meeting the Challenge of Sophisticated Attacks . 8 Timeline of a zero-day event . 8 How secure are security protocols?. 11 Why attackers use packers. 14 Protection and Mitigation . 16 Appendix A—Best Practices . 18 Appendix B—Methodologies. 20 Credits . 24 Symantec Intelligence Quarterly July - September, 2009 Introduction Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec™ Global Intelligence Network. More than 240,000 sensors in over 200 countries monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services and Norton™ consumer products, as well as additional third-party data sources. Symantec also gathers malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed its antivirus products. Additionally, the Symantec distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attacker methods. Spam data is captured through the Symantec probe network, a system of more than 2.5 million decoy email accounts, Symantec MessageLabs™ Intelligence, and other Symantec technologies in more than 86 countries from around the globe. Over 8 billion email messages, as well as over 1 billion Web requests, are scanned per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors, and more than 50 million consumers.
    [Show full text]
  • Ilomo Botnet a Study of the Ilomo / Clampi Botnet
    Ilomo A study of the Ilomo / Clampi botnet Ilomo Botnet A study of the Ilomo / Clampi Botnet by Alice Decker: Network Analysis David Sancho: Reverse Engineering Max Goncharov: Network Analysis Robert McArdle: Project Coordinator Release Date: 20 August 2009 Classification: Public Ilomo A study of the Ilomo / Clampi botnet Table of Contents Introduction ........................................................................................................................................................... 3 Ilomo Analysis ....................................................................................................................................................... 4 Stage 1: Dropper ....................................................................................................................................... 4 Stage 2: Main Executable ........................................................................................................................ 7 Stage 3: Injected Code ............................................................................................................................ 12 VMProtect Obfuscator ........................................................................................................................................ 17 Background Information .......................................................................................................................... 17 Technical Information .............................................................................................................................
    [Show full text]
  • Ronald L. Chichester*
    30990-txb_44-1 Sheet No. 4 Side A 02/01/2012 14:53:16 ZOMBIES (DO NOT DELETE) 10/27/2011 12:39 PM SLAYING ZOMBIES IN THE COURTROOM:TEXAS ENACTS THE FIRST LAW DESIGNED SPECIFICALLY TO COMBAT BOTNETS Ronald L. Chichester* I. INTRODUCTION ............................................................................................... 2 II. WHAT IS A BOTNET? ...................................................................................... 2 III. ZOMBIFICATION—CREATING THE BOTNET ............................................ 3 IV. OTHER CURRENT COMPUTER MISUSE STATUTES ................................. 4 V. A SHORT DESCRIPTION OF THE FIRST ANTI-BOTNET STATUTE ........ 6 VI. UTILIZING S.B. 28—THE CAUSE OF ACTION ............................................ 8 VII. GATHERING THE EVIDENCE ........................................................................ 9 VIII. FINDING THE PERPETRATOR(S) .................................................................. 9 IX. CONCLUSIONS ............................................................................................... 10 X. APPENDIX A ................................................................................................... 10 30990-txb_44-1 Sheet No. 4 Side A 02/01/2012 14:53:16 * Ron Chichester is an attorney, a certified computer forensic examiner, and an Adjunct Professor at the University of Houston Law Center, where he teaches “Digital Transaction” (www.digitaltransactions.info). Ron is admitted to practice in the State of Texas, the U.S. Courts for the Southern District of
    [Show full text]
  • Foundations of the Unified Modeling Language
    Foundations of the Unified Modeling Language. CLARK, Anthony <http://orcid.org/0000-0003-3167-0739> and EVANS, Andy Available from Sheffield Hallam University Research Archive (SHURA) at: http://shura.shu.ac.uk/11889/ This document is the author deposited version. You are advised to consult the publisher's version if you wish to cite from it. Published version CLARK, Anthony and EVANS, Andy (1997). Foundations of the Unified Modeling Language. In: 2nd BCS-FACS Northern Formal Methods Workshop., Ilkley, UK, 14- 15 July 1997. Springer. Copyright and re-use policy See http://shura.shu.ac.uk/information.html Sheffield Hallam University Research Archive http://shura.shu.ac.uk Foundations of the Unified Modeling Language Tony Clark, Andy Evans Formal Methods Group, Department of Computing, University of Bradford, UK Abstract Object-oriented analysis and design is an increasingly popular software development method. The Unified Modeling Language (UML) has recently been proposed as a standard language for expressing object-oriented designs. Unfor- tunately, in its present form the UML lacks precisely defined semantics. This means that it is difficult to determine whether a design is consistent, whether a design modification is correct and whether a program correctly implements a design. Formal methods provide the rigor which is lacking in object-oriented design notations. This provision is often at the expense of clarity of exposition for the non-expert. Formal methods aim to use mathematical techniques in order to allow software development activities to be precisely defined, checked and ultimately automated. This paper aims to present an overview of work being undertaken to provide (a sub-set of) the UML with formal semantics.
    [Show full text]
  • Using Telelogic DOORS and Microsoft Visio to Model and Visualize Complex Business Processes
    Using Telelogic DOORS and Microsoft Visio to Model and Visualize Complex Business Processes “The Business Driven Application Lifecycle” Bob Sherman Procter & Gamble Pharmaceuticals [email protected] Michael Sutherland Galactic Solutions Group, LLC [email protected] Prepared for the Telelogic 2005 User Group Conference, Americas & Asia/Pacific http://www.telelogic.com/news/usergroup/us2005/index.cfm 24 October 2005 Abstract: The fact that most Information Technology (IT) projects fail as a result of requirements management problems is common knowledge. What is not commonly recognized is that the widely haled “use case” and Object Oriented Analysis and Design (OOAD) phenomenon have resulted in little (if any) abatement of IT project failures. In fact, ten years after the advent of these methods, every major IT industry research group remains aligned on the fact that these projects are still failing at an alarming rate (less than a 30% success rate). Ironically, the popularity of use case and OOAD (e.g. UML) methods may be doing more harm than good by diverting our attention away from addressing the real root cause of IT project failures (when you have a new hammer, everything looks like a nail). This paper asserts that, the real root cause of IT project failures centers around the failure to map requirements to an accurate, precise, comprehensive, optimized business model. This argument will be supported by a using a brief recap of the history of use case and OOAD methods to identify differences between the problems these methods were intended to address and the challenges of today’s IT projects.
    [Show full text]
  • Modelling, Analysis and Design of Computer Integrated Manueactur1ng Systems
    MODELLING, ANALYSIS AND DESIGN OF COMPUTER INTEGRATED MANUEACTUR1NG SYSTEMS Volume I of II ABDULRAHMAN MUSLLABAB ABDULLAH AL-AILMARJ October-1998 A thesis submitted for the DEGREE OP DOCTOR OF.PHILOSOPHY MECHANICAL ENGINEERING DEPARTMENT, THE UNIVERSITY OF SHEFFIELD 3n ti]S 5íamc of Allai]. ¿Hoot (gractouo. iHHoßt ¿Merciful. ACKNOWLEDGEMENTS I would like to express my appreciation and thanks to my supervisor Professor Keith Ridgway for devoting freely of his time to read, discuss, and guide this research, and for his assistance in selecting the research topic, obtaining special reference materials, and contacting industrial collaborations. His advice has been much appreciated and I am very grateful. I would like to thank Mr Bruce Lake at Brook Hansen Motors who has patiently answered my questions during the case study. Finally, I would like to thank my family for their constant understanding, support and patience. l To my parents, my wife and my son. ABSTRACT In the present climate of global competition, manufacturing organisations consider and seek strategies, means and tools to assist them to stay competitive. Computer Integrated Manufacturing (CIM) offers a number of potential opportunities for improving manufacturing systems. However, a number of researchers have reported the difficulties which arise during the analysis, design and implementation of CIM due to a lack of effective modelling methodologies and techniques and the complexity of the systems. The work reported in this thesis is related to the development of an integrated modelling method to support the analysis and design of advanced manufacturing systems. A survey of various modelling methods and techniques is carried out. The methods SSADM, IDEFO, IDEF1X, IDEF3, IDEF4, OOM, SADT, GRAI, PN, 10A MERISE, GIM and SIMULATION are reviewed.
    [Show full text]
  • Referência Debian I
    Referência Debian i Referência Debian Osamu Aoki Referência Debian ii Copyright © 2013-2021 Osamu Aoki Esta Referência Debian (versão 2.85) (2021-09-17 09:11:56 UTC) pretende fornecer uma visão geral do sistema Debian como um guia do utilizador pós-instalação. Cobre muitos aspetos da administração do sistema através de exemplos shell-command para não programadores. Referência Debian iii COLLABORATORS TITLE : Referência Debian ACTION NAME DATE SIGNATURE WRITTEN BY Osamu Aoki 17 de setembro de 2021 REVISION HISTORY NUMBER DATE DESCRIPTION NAME Referência Debian iv Conteúdo 1 Manuais de GNU/Linux 1 1.1 Básico da consola ................................................... 1 1.1.1 A linha de comandos da shell ........................................ 1 1.1.2 The shell prompt under GUI ......................................... 2 1.1.3 A conta root .................................................. 2 1.1.4 A linha de comandos shell do root ...................................... 3 1.1.5 GUI de ferramentas de administração do sistema .............................. 3 1.1.6 Consolas virtuais ............................................... 3 1.1.7 Como abandonar a linha de comandos .................................... 3 1.1.8 Como desligar o sistema ........................................... 4 1.1.9 Recuperar uma consola sã .......................................... 4 1.1.10 Sugestões de pacotes adicionais para o novato ................................ 4 1.1.11 Uma conta de utilizador extra ........................................ 5 1.1.12 Configuração
    [Show full text]
  • Improving the Effectiveness of Behaviour-Based Malware Detection
    Improving the Effectiveness of Behaviour-based Malware Detection Mohd Fadzli Marhusin BSc. Information Studies (Hons) (Information Systems Management) UiTM, Malaysia Master of Information Technology (Computer Science) UKM, Malaysia A thesis submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy at the School of Engineering and Information Technology University of New South Wales Australian Defence Force Academy Copyright 2012 by Mohd Fadzli Marhusin PLEASE TYPE THE UNIVERSITY OF NEW SOUTH WALES Thesis/Dissertation Sheet Surname or Family name: MARHUSIN First name: MOHD FADZLI Other name/s: Abbreviation for degree as given in the University calendar: PhD (Computer Science) School: School of Engineering and Information Technology (SEIT) Faculty: Title: Improving the Effectiveness of Behaviour-based Malware Detection Abstract 350 words maximum: (PLEASE TYPE) Malware is software code which has malicious intent but can only do harm if it is allowed to execute and propagate. Detection based on signature alone is not the answer, because new malware with new signatures cannot be detected. Thus, behaviour-based detection is needed to detect novel malware attacks. Moreover, malware detection is a challenging task when most of the latest malware employs some protection and evasion techniques. In this study, we present a malware detection system that addresses both propagation and execution. Detection is based on monitoring session traffic for propagation, and API call sequences for execution. For malware detection during propagation, we investigate the effectiveness of signature-based detection, anomaly-based detection and the combination of both. The decision-making relies upon a collection of recent signatures of session-based traffic data collected at the endpoint level.
    [Show full text]
  • Monthly Report on Online Threats in The
    MONTHLY REPORT ON ONLINE THREATS REPORTING PERIOD: IN THE BANKING SECTOR 19.04–19.05.2014 One of the main events during the reporting period was the leakage of payment credentials belonging to eBay users. Details of the incident and other detected threats can be found in the section ‘Key events in the online banking sphere’ below. Overall statistics During the reporting period, Kaspersky Lab solutions blocked 341,216 attempts on user computers to launch malware capable of stealing money from online banking accounts. This figure represents a 36.6% increase compared to the previous reporting period (249,812). This increase in banking malware activity is most likely related to the onset of the vacation season, when customers actively use their payment data to make all types of purchases online. 24 001 - 78 000 16 001 - 24 000 7101 - 16 000 2101 - 7100 1 - 2100 Number of users targeted by banking malware The number of users attacked using these types of programs during the reporting period is shown in the diagram below (Top 10 rating based on the number of users attacked, in descending order): 77,412 27,071 21,801 22,115 13,876 15,651 17,333 5417 6883 7347 France Vietnam Austria India Germany United USA Russian Italy Brazil Kingdom Federation © 1997-2014 Kaspersky Lab ZAO. All Rights Reserved. The table below shows the programs most commonly used to attack online banking users, based on the number of infection attempts: Total notifications of Verdict* Number of users Number of notifications attempted infections by Trojan-Spy.Win32.Zbot 198
    [Show full text]