
Showing papers in "International Journal of Electronic Security and Digital Forensics in 2007"


Journal ArticleDOI
Daniel Bilar
TL;DR: Malware opcode distributions differ statistically significantly from those of non-malicious software, and rare opcodes appear to be the stronger predictor, explaining 12-63% of the frequency variation.
Abstract: This paper discusses a detection mechanism for malicious code through statistical analysis of opcode distributions. A total of 67 malware executables were sampled, statically disassembled and their statistical opcode frequency distribution compared with the aggregate statistics of 20 non-malicious samples. We find that malware opcode distributions differ statistically significantly from non-malicious software. Furthermore, rare opcodes seem to be a stronger predictor, explaining 12-63% of frequency variation.

281 citations
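The comparison the Bilar paper describes, as an added worked example that is not the paper's code or data: build an aggregate opcode frequency profile from benign disassemblies, then score other samples against it with a Pearson chi-square statistic and pull out the rare and never-before-seen opcodes that drive the difference. The toy disassemblies, the pseudo-frequency floor for unseen opcodes and the 5% rarity threshold are this example's assumptions.

```python
from collections import Counter

# Constructed toy disassemblies (one mnemonic per instruction). They are
# stand-ins for the paper's 67 malware and 20 benign samples, not its data.
BENIGN = [
    "mov push mov call mov pop ret mov add mov jmp cmp je mov call ret".split(),
    "push mov sub mov call test jz mov lea mov call pop ret mov mov".split(),
]
MALWARE = [
    "xor mov rol xor loop mov int xor rol xor jmp mov xor rol call ret".split(),
    "xor rol xor mov ror int loop xor jmp xor mov ror xor ret".split(),
]


def opcode_counts(samples):
    """Aggregate opcode counts over a corpus of disassembled samples."""
    counts = Counter()
    for ops in samples:
        counts.update(ops)
    return counts


def relative_frequencies(counts):
    """Turn raw counts into a probability distribution over opcodes."""
    total = sum(counts.values())
    return {op: c / total for op, c in counts.items()}


def chi_square(observed, reference):
    """Pearson chi-square of an observed opcode count vector against a
    reference distribution. Opcodes the reference never saw get a pseudo
    frequency of half an instruction (an assumption) so that they count as
    evidence instead of causing a division by zero."""
    n = sum(observed.values())
    floor = 0.5 / n
    stat = 0.0
    for op in set(observed) | set(reference):
        expected = n * max(reference.get(op, 0.0), floor)
        stat += (observed.get(op, 0) - expected) ** 2 / expected
    return stat


def rare_opcodes(reference, threshold):
    """Opcodes whose share of the reference corpus is below `threshold`."""
    return {op for op, f in reference.items() if f < threshold}


def novel_opcodes(observed, reference):
    """Opcodes present in the observed sample but absent from the reference."""
    return set(observed) - set(reference)


def score_corpus(samples, reference):
    """(chi-square, sample index) for each sample, most anomalous first."""
    return sorted(((chi_square(Counter(ops), reference), i)
                   for i, ops in enumerate(samples)), reverse=True)
```

Run with `benign_ref = relative_frequencies(opcode_counts(BENIGN))`: the malware aggregate scores far above any benign sample, and `novel_opcodes` names the shift-and-xor mnemonics the benign profile never contained, which is the "rare opcode" effect in miniature. With real corpora the per-sample statistic should be compared against a chi-square critical value for the number of opcode categories, not eyeballed.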


Journal ArticleDOI
TL;DR: AEGIS defines a development process and a UML meta-model for defining and reasoning about a system's assets; it has been applied to case studies in Grid computing, one of which is reported here.
Abstract: According to Ross Anderson, 'Many systems fail because their designers protect the wrong things or protect the right things in the wrong way'. Surveys also show that security incidents in industry are rising, which highlights the difficulty of designing good security. Some recent approaches have targeted security from the technological perspective, others from the human computer interaction angle, offering better User Interfaces (UIs) for improved usability of security mechanisms. However, usability issues also extend beyond the user interface and should be considered during system requirements and design. In this paper, we describe Appropriate and Effective Guidance for Information Security (AEGIS), a methodology for the development of secure and usable systems. AEGIS defines a development process and a UML meta-model of the definition and the reasoning over the system's assets. AEGIS has been applied to case studies in the area of Grid computing and we report on one of these.

98 citations


Journal ArticleDOI
TL;DR: The Equal Error Rate (EER) is significantly influenced by the attribute selection process and, to a lesser extent, by the authentication algorithm employed; a Probabilistic Neural Network (PNN) can beat a typical back-propagation-trained MLFN on both training time and classification accuracy.
Abstract: The majority of computer systems employ a login ID and password as the principal method for access security. In stand-alone situations, this level of security may be adequate, but when computers are connected to the internet, the vulnerability to a security breach is increased. In order to reduce vulnerability to attack, biometric solutions have been employed. In this paper, we investigate the use of a behavioural biometric based on keystroke dynamics. Although there are several implementations of keystroke dynamics available, their effectiveness is variable and dependent on the data sample and its acquisition methodology. The results from this study indicate that the Equal Error Rate (EER) is significantly influenced by the attribute selection process and, to a lesser extent, by the authentication algorithm employed. Our results also provide evidence that a Probabilistic Neural Network (PNN) can be superior in terms of reduced training time and classification accuracy when compared with a typical MLFN back-propagation trained neural network.

70 citations
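How the EER is obtained and why attribute selection moves it, as an added example that is not the paper's code or data: a template matcher over constructed keystroke timings is scored once on hold times alone and once on hold times plus inter-key latency, and the EER is read off where the false-accept and false-reject rates cross. The timing vectors, the mean-absolute-deviation matcher and the two attribute subsets are this example's assumptions; the paper's classifiers were neural networks.

```python
# Constructed keystroke-timing vectors in milliseconds, one per login attempt:
# [dwell(key 1), dwell(key 2), flight(key 1 -> key 2)]. Not the paper's data.
ENROLMENT = [[100, 110, 150], [102, 108, 152], [98, 112, 148]]
GENUINE_TESTS = [[100, 110, 150], [105, 108, 155], [98, 112, 148], [102, 109, 152]]
IMPOSTOR_TESTS = [[101, 111, 210], [99, 108, 205], [104, 112, 215], [100, 110, 220]]

DWELL_ONLY = (0, 1)            # attribute subset 1: hold times only
DWELL_AND_FLIGHT = (0, 1, 2)   # attribute subset 2: hold times plus latency


def build_template(enrolment, attributes):
    """Per-attribute mean of the enrolment samples (the user's profile)."""
    return [sum(s[a] for s in enrolment) / len(enrolment) for a in attributes]


def distance(sample, template, attributes):
    """Mean absolute deviation from the template over the chosen attributes;
    smaller means 'more like the enrolled user'."""
    return sum(abs(sample[a] - t) for a, t in zip(attributes, template)) / len(attributes)


def far_frr(genuine, impostor, threshold):
    """Accept when distance <= threshold. FAR: impostors wrongly accepted;
    FRR: genuine attempts wrongly rejected."""
    far = sum(1 for d in impostor if d <= threshold) / len(impostor)
    frr = sum(1 for d in genuine if d > threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed distance as a threshold and return (EER, threshold)
    at the point where FAR and FRR are closest; EER is their mean there."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


def evaluate(attributes):
    """EER of the template matcher for one attribute subset."""
    template = build_template(ENROLMENT, attributes)
    genuine = [distance(s, template, attributes) for s in GENUINE_TESTS]
    impostor = [distance(s, template, attributes) for s in IMPOSTOR_TESTS]
    return equal_error_rate(genuine, impostor)
```

`evaluate(DWELL_ONLY)` gives an EER of 0.625 because the impostors were constructed to hold keys like the genuine user; adding the flight-time attribute drops it to 0.0 with the same matcher. That is the attribute-selection effect the abstract reports, isolated from the choice of classifier.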


Journal ArticleDOI
TL;DR: It is shown that more than 80% of the e-governments in the world are vulnerable to common web-application attacks such as Cross Site Scripting and Structured Query Language (SQL) injection.
Abstract: This paper shows that more than 80% of the e-governments in the world are vulnerable to common web-application attacks such as Cross Site Scripting and Structured Query Language (SQL) injection. Industrialised countries were found to be more vulnerable than under-developed countries (90% versus 50%). This paper also describes some malicious data mining possibilities on the Norwegian e-government and how information can be combined and used to create other practical attacks.

36 citations


Journal ArticleDOI
TL;DR: The aim is to develop SNORT further by generalising its rules so that they also detect novel attacks: the conditions and parameters of existing SNORT rules are relaxed and varied, using an approach similar to the classic rule-learning operators of generalisation and specialisation.
Abstract: Intrusion Detection Systems (IDSs) provide an important layer of security for computer systems and networks. An IDS's responsibility is to detect suspicious or unacceptable system and network activity and to alert a systems administrator to this activity. The majority of IDSs use a set of signatures that define what suspicious traffic is, and SNORT is one popular and actively developing open-source IDS that uses such a set of signatures known as SNORT rules. Our aim is to identify a way in which SNORT could be developed further by generalising rules to identify novel attacks. In particular, we attempted to relax and vary the conditions and parameters of current SNORT rules, using a similar approach to classic rule learning operators such as generalisation and specialisation. We demonstrate the effectiveness of our approach through experiments with standard data sets and show that we are able to detect previously undetected variants of various attacks.

21 citations
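Three rule-relaxation operators of the kind the paragraph describes, as an added example that is not the paper's code and does not reproduce its operators: widen the destination port, drop positional constraints, and shorten the content pattern, each checked against constructed packets with a toy matcher. The rule (a local sid), the packets and the matcher's simplifications are this example's assumptions; real evaluation would use Snort itself against the data sets.

```python
POSITIONAL = {"offset", "depth", "distance", "within"}

# Constructed rule in Snort syntax (local sid range); not an official rule.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
        '(msg:"WEB-IIS constructed cmd.exe traversal"; '
        'content:"/scripts/..%c1%1c../winnt/system32/cmd.exe"; offset:0; depth:60; nocase; '
        'sid:1000001; rev:1;)')

# Constructed packets: the original attack, three variants and one benign request.
PACKETS = {
    "original": {"proto": "tcp", "dport": 80,
                 "payload": "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"},
    "other_port": {"proto": "tcp", "dport": 8080,
                   "payload": "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"},
    "padded": {"proto": "tcp", "dport": 80,
               "payload": "GET " + "/" * 70 + "/scripts/..%c1%1c../winnt/system32/cmd.exe HTTP/1.0"},
    "other_encoding": {"proto": "tcp", "dport": 80,
                       "payload": "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0"},
    "benign": {"proto": "tcp", "dport": 80, "payload": "GET /index.html HTTP/1.0"},
}


def parse_rule(text):
    """Split a one-line Snort rule into header fields and (key, value) options.
    Deliberately minimal: no |hex| content and no ';' inside quoted strings."""
    header, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = []
    for item in body.rstrip(")").split(";"):
        if item.strip():
            key, _, value = item.strip().partition(":")
            options.append((key.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def generalise_port(rule):
    """Operator 1: the destination port becomes 'any'."""
    return {**rule, "dport": "any"}


def drop_positional(rule):
    """Operator 2: remove offset/depth/distance/within so the pattern may occur anywhere."""
    return {**rule, "options": [(k, v) for k, v in rule["options"] if k not in POSITIONAL]}


def shorten_content(rule, keep):
    """Operator 3: keep only the first `keep` characters of each content pattern."""
    return {**rule, "options": [(k, v[:keep] if k == "content" else v) for k, v in rule["options"]]}


def matches(rule, packet):
    """Toy matcher for the options used here. Simplification: nocase, offset
    and depth apply to every content option, not just the preceding one as in Snort."""
    if rule["proto"] != packet["proto"]:
        return False
    if rule["dport"] != "any" and int(rule["dport"]) != packet["dport"]:
        return False
    opts = dict(rule["options"])
    offset = int(opts.get("offset", 0))
    depth = int(opts["depth"]) if "depth" in opts else None
    window = packet["payload"][offset: None if depth is None else offset + depth]
    nocase = "nocase" in opts
    for key, value in rule["options"]:
        if key == "content":
            hay, needle = (window.lower(), value.lower()) if nocase else (window, value)
            if needle not in hay:
                return False
    return True


def coverage(rule):
    """Names of the constructed packets a rule fires on."""
    return {name for name, pkt in PACKETS.items() if matches(rule, pkt)}
```

Each operator catches one variant the original rule misses while the benign request stays silent, which is the trade-off the experiments measure: every relaxation buys recall and must be paid for in false-positive testing on clean traffic.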


Journal ArticleDOI
TL;DR: The characteristics for an engineering discipline for the development of secure information systems, its principles and the challenges that must be addressed are discussed.
Abstract: In this paper, we lay down the agenda for a discipline that is meant to promote research into the development of secure information systems. In particular, we introduce areas related to the development of secure information systems; we identify limitations of existing approaches and the barriers that currently limit research; and we discuss the characteristics of an engineering discipline for the development of secure information systems, its principles and the challenges that must be addressed.

11 citations


Journal ArticleDOI
TL;DR: This paper reviews computer-based techniques employed by fraudsters in order to steal IDs and refers to published guidelines and the documented good practice against those and provides the grounds for the development of a framework to assist in forensic examination.
Abstract: ID theft, especially in its online form, is currently one of the most prevalent types of computer crime. The limited end-user awareness as well as the retention and business processing of large amounts of personal data in a manner that does not meet security and regulatory requirements provide plenty of opportunities to fraudsters. A number of organisations have produced guidelines of good practice targeted to individuals and organisations; however the matter is still on the rise. In this paper, we review computer-based techniques employed by fraudsters in order to steal IDs and refer to published guidelines and the documented good practice against those. We discuss the issues related to the investigation of such incidents and provide the grounds for the development of a framework to assist in their forensic examination.

9 citations


Journal ArticleDOI
TL;DR: This paper presents a scheme for off-line generation of DCCNs, which uses a pre-shared secret key between the issuer and the client to compute a Hash-based Message Authentication Code (HMAC) over selected data from the transaction.
Abstract: Today, an e-commerce transaction is performed by sending the client's credit card details over an SSL/TLS connection. This form of transaction raises many security threats. The most important one is client authentication. Because the client normally does not have a public key certificate, the client is authenticated only by the credit card details. In addition, these details are stored unencrypted in the merchant's database. A Disposable Credit Card Number (DCCN) is a technique to overcome these security threats. This paper presents a scheme for off-line generation of DCCNs. The scheme uses a pre-shared secret key between the issuer and the client to generate a Hash-based Message Authentication Code (HMAC) over some selected data from the transaction. The scheme is secure and adds minimal overhead on the issuer and client. Furthermore, the generated DCCN has all the features of classical credit card details.

4 citations
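The shape of such a scheme, as an added example that is not the paper's construction: the client derives a 16-digit, Luhn-valid number off-line from an HMAC over transaction data under the key shared with the issuer, and the issuer recomputes it and refuses replays. Which fields are bound, how the tag is reduced to digits, the 16-digit length and how the issuer locates the client's record are all this example's assumptions.

```python
import hashlib
import hmac


def luhn_check_digit(digits):
    """Check digit that makes `digits + check` pass the Luhn test, so the DCCN
    looks and validates like an ordinary card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:  # the digit just left of the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return luhn_check_digit(number[:-1]) == number[-1]


def generate_dccn(key, issuer_prefix, account, merchant, amount_cents, counter):
    """Client side, entirely off-line: HMAC-SHA256 over the selected transaction
    data under the pre-shared key, reduced to decimal digits behind the issuer's
    fixed prefix, plus a Luhn check digit. The field set, the decimal mapping
    and the total length of 16 digits are assumptions of this example."""
    msg = f"{account}|{merchant}|{amount_cents}|{counter}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    body_len = 16 - len(issuer_prefix) - 1
    body = str(int.from_bytes(tag, "big") % 10 ** body_len).zfill(body_len)
    partial = issuer_prefix + body
    return partial + luhn_check_digit(partial)


class Issuer:
    """Issuer side: recompute the expected DCCN from the same inputs and refuse
    numbers already spent. Assumes the authorisation request identifies the
    client's account and carries the bound fields; that plumbing is out of scope."""

    def __init__(self, prefix, keys):
        self.prefix = prefix
        self.keys = keys          # account -> pre-shared key
        self.spent = set()

    def authorise(self, presented, account, merchant, amount_cents, counter):
        key = self.keys.get(account)
        if key is None or presented in self.spent:
            return False
        expected = generate_dccn(key, self.prefix, account, merchant, amount_cents, counter)
        if not hmac.compare_digest(expected, presented):
            return False
        self.spent.add(presented)
        return True
```

Binding the merchant and amount into the tag is what stops a merchant's leaked database from being useful elsewhere: the number only authorises the transaction it was computed for, and the `spent` set stops it authorising that one twice. Note the HMAC key is the client's long-term secret and never leaves the client device and the issuer.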


Journal ArticleDOI
TL;DR: This paper reviews internet legislation, showcases its impact and relevance to the society for which it is formulated, and raises the question whether current internet legislation is adequate to protect society.
Abstract: The menace of organised crime and terrorist activity grows ever more sophisticated as the ability to enter, control and destroy our electronic and security systems grows at an equivalent rate. Cyber-crime (organised criminal acts using microchip and software manipulation) is the world's biggest growth industry and is now costing an estimated $220 billion a year in losses to organisations and individuals. There are serious threats to nations, governments, corporations and the most vulnerable group of all, individuals. Cyber-crime uses the same methods as traditional crime (identifying targets, surveillance and psychological profiling) but adds levels of duplicity, in that the perpetrator need never actually be at the scene of the crime. Indeed, the traditional idea of a criminal gang is meaningless, in that the unit may exist but each member resides on a different continent and never needs to meet physically. The types of attack individuals face include confidence-trick telephone calls or actual encounters calculated to extract bank or personal details, computer spyware that opens on accessing the internet, enticing users with offers of non-existent free gifts while copying confidential files, and programs that can infiltrate networks, operate within them undetected and ultimately cause them to crash. Information and services provided on the internet, which can be utilised by any person with access, bring to the fore the concept of legislation. Thus cyber laws and legislation refer to those guidelines and regulations put in place to ensure that information and services displayed and acquired on the internet meet a standard within the e-society. This paper aims to review this legislation and showcase its impact and relevance to the society for which it is formulated. Finally, the question whether current internet legislation is adequate to protect society is also raised.

4 citations


Journal ArticleDOI
TL;DR: This paper focuses on the evolution of unregulated internet use to regulated use with the emphasis on state control by means of state surveillance in the interest of national security and combating crime.
Abstract: Crime has always existed in the physical world. However, the transition of crime to an electronic medium brought about new challenges that had hitherto been unknown in the physical world. Besides the problems experienced in cyber crime prevention and investigation, the seriousness and consequences of cyber crime have gradually escalated, for example the distribution of child pornography, the growing prevalence of 'identity theft' and money laundering, to name but a few. Since the 11 September 2001 terrorist attack on the USA, attention has increasingly focused on the control of the internet in combating terrorism and cyber crime. This paper focuses on the evolution of unregulated internet use to regulated use, with the emphasis on state control by means of state surveillance in the interest of national security and combating crime.

3 citations


Journal ArticleDOI
TL;DR: A novel concept for establishing reliable two-way covert channels that exchange information at a significantly higher rate than previous methods is presented, and error-handling techniques for the hidden information were identified for the steganographic protocol to increase its robustness.
Abstract: Current means of steganography within network traffic are limited in terms of throughput and robustness. We present a novel concept for establishing reliable two-way covert channels that exchange information at a significantly higher rate compared to previous methods. This concept exploits the difficulty in differentiating between erroneous data and unauthorised data. As a proof-of-concept, we examine how the manipulation of Transmission Control Protocol (TCP) error handling may be used for global covert information transfer. Specifically, a new TCP routing application was developed to embed hidden information into cover media and to retrieve the information at the receiving end. A flexible testing architecture was designed and implemented that may also be used to test other steganographic techniques. Error handling techniques for the hidden information were identified for the steganographic protocol, to increase the robustness of the hidden information. Finally, steganalytic techniques and tools have been identified to counter the use of this technique by unfriendly forces.

Journal ArticleDOI
TL;DR: The EU commission has set the Pan-European Interoperability of secure authentication and authorisation systems for access to e-government services as a priority target for 2010 and a large number of EU member states have implemented e-identification schemes at varying stages of completion.
Abstract: The EU commission has set the Pan-European Interoperability of secure authentication and authorisation systems for access to e-government services as a priority target for 2010. To this effect a large number of EU member states have implemented e-identification schemes. These are at varying stages of completion and use a range of technologies. All of them though aim at meeting the above target for interoperability while at the same time securing their home e-government services thus making them more attractive to their citizens. The number of states reviewed here and the state of the technologies used is not exhaustive but provides a good representation across the EU. This work is ongoing as are the initiatives and pilot schemes studied here.

Journal ArticleDOI
TL;DR: This paper shows how unique behavioural walking identification properties can be used to recognise unauthorised and suspicious persons when they enter a surveillance/recognition area.
Abstract: This paper shows how unique behavioural walking identification properties can be used to recognise unauthorised and suspicious persons when they enter a surveillance/recognition area. Specific gait properties are examined in order to make clear their impact on recognition accuracy. The proposed system comprises various parts that operate either stand-alone or as an integral part of a greater system. The two main entities of the system are the gait recognition module and the information analysis module. The intelligent automated process in the information analysis enables the public safety authorities to make simultaneous threat assessments based on complex search queries. The information and the functionalities of the system are delivered to the user through an integrated software solution that provides transparency for the majority of security operations. The integrated solution can be used for real-time monitoring as well as for access control at high-risk sites.

Journal ArticleDOI
TL;DR: The weaknesses in some of the computer forensic methods used by law enforcement in the fight against computer crime (e-crime) and the work that needs to be done from the perspective of someone who works in the field, observed from within and now looking in from the outside are examined.
Abstract: This report examines the weaknesses in some of the computer forensic methods used by law enforcement in the fight against computer crime (e-crime) and the work that needs to be done from the perspective of someone who works in the field, observed from within and now looking in from the outside. The computer forensic tools and technology that are heavily relied upon without proper research and evaluation, the lack of procedures in place to assess computer forensic experts in the private sector used by law enforcement agencies, insufficient training and the lack of funding for in-house research and development are all contributory to the problem.

Journal ArticleDOI
TL;DR: By detecting a resource starvation DoS attack in its early development stages from SNMP MIB data, it is possible to avoid service interruption, system availability problems and related effects such as degraded system and bandwidth performance for legitimate operations.
Abstract: Resource starvation Denial of Service (DoS) attacks cause the attacked services to be denied to legitimate users. This paper introduces an approach to proactively detect such a DoS attack in its early development stages and therefore avoid damage. Our approach uses the set of data in the Management Information Base (MIB) retrieved by the Simple Network Management Protocol (SNMP). MIB traffic data (such as origin/destination and TCP connection state) and process table content (memory/CPU utilisation by specific processes) are used to construct performance profiles over long and short time scales. We define appropriate indicators and identifiable steps (check points) at which resource starvation DoS attacks are recognised and stopped before they affect a system. By detecting the attack in its early development stages, it is possible to avoid service interruption, system availability problems and other related effects, such as degraded system and bandwidth performance for legitimate operations.
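The long/short time-scale profiling with check points, as an added example that is not the paper's code: one polled MIB indicator (here a constructed count of half-open TCP connections, as would be derived from tcpConnTable rows in state synReceived) is profiled over a learning window, then a short moving average is compared against that profile; one deviating poll is a 'watch' check point and three in a row an 'alert'. The indicator choice, window sizes, z-score threshold and the poll series are this example's assumptions.

```python
from collections import deque
from statistics import mean, pstdev


class StarvationDetector:
    """Two time scales over one polled MIB indicator: a long-term profile
    (mean, sd) learnt from the first `long_window` polls, and a short-term
    moving average compared against it as a z-score. Check points: one
    deviating poll is 'watch', `consecutive` in a row is 'alert'. The profile
    is frozen after learning; periodic re-learning is left out here."""

    def __init__(self, long_window=60, short_window=5, z_alert=3.0,
                 consecutive=3, min_sd=1.0):
        self.long = []
        self.long_window = long_window
        self.short = deque(maxlen=short_window)
        self.z_alert = z_alert
        self.consecutive = consecutive
        self.min_sd = min_sd          # floor so a flat baseline cannot alert on noise
        self.baseline = None
        self.strikes = 0

    def update(self, value):
        """Feed one polled value; return 'learning', 'normal', 'watch' or 'alert'."""
        self.short.append(value)
        if self.baseline is None:
            self.long.append(value)
            if len(self.long) == self.long_window:
                self.baseline = (mean(self.long), max(pstdev(self.long), self.min_sd))
            return "learning"
        mu, sd = self.baseline
        z = (mean(self.short) - mu) / sd
        if z > self.z_alert:
            self.strikes += 1
            return "alert" if self.strikes >= self.consecutive else "watch"
        self.strikes = 0
        return "normal"


def run(samples, **kwargs):
    """Feed a whole poll series and return the per-poll states."""
    det = StarvationDetector(**kwargs)
    return [det.update(v) for v in samples]


# Constructed poll series, one value per SNMP poll: 60 quiet polls of a
# half-open connection count hovering around 20, then a SYN-flood style ramp.
QUIET = [20 + (i % 7) - 3 for i in range(60)]
RAMP = [30, 45, 70, 100, 140]
SPIKE = [40, 19, 20, 21, 22]   # a one-poll burst that should not alert
```

On `QUIET + RAMP` the alert fires at the poll reading 100 half-open connections, before a typical listen backlog of 128 would be exhausted, while the single burst in `SPIKE` is absorbed by the short window and never escalates past 'normal'. The same class would be instantiated once per indicator (per-process CPU from the process table, for instance) and the check points combined.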

Journal ArticleDOI
TL;DR: E-mails about criminal activities are detected with an association-rule-based decision tree: word relations mined with Rakesh Agrawal et al.'s Apriori algorithm and filtered by objective interestingness measures are used as features in place of individual words.
Abstract: Detection of e-mails about criminal activities using an association-rule-based decision tree is studied here. Instead of using words directly, word relations, that is, association rules over these words, are used to build the decision tree. In our experiments, we first preprocess the data. We then find association relations among these words using Rakesh Agrawal et al.'s Apriori algorithm, applying objective interestingness measures. These rules are used for training and testing the decision-tree-based classification system. A discussion of the results obtained is also given.
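The Apriori step and how its rules become decision-tree features, as an added example that is not the paper's code or data: frequent word sets are mined level by level from constructed, pre-processed e-mails, rules are kept by support and confidence (lift is reported too), and each mail is then encoded by which whole rules it contains. The e-mails, the thresholds and the feature encoding are this example's assumptions; the decision tree itself is not shown.

```python
from itertools import combinations

# Constructed, already pre-processed e-mails: (label, set of stemmed words).
# Note the last 'normal' mail contains 'transfer' in an office sense.
EMAILS = [
    ("criminal", {"transfer", "money", "account", "urgent"}),
    ("criminal", {"transfer", "money", "account", "offshore"}),
    ("criminal", {"money", "account", "cash", "transfer"}),
    ("criminal", {"offshore", "account", "transfer", "wire"}),
    ("normal", {"meeting", "agenda", "monday", "room"}),
    ("normal", {"lunch", "monday", "room"}),
    ("normal", {"meeting", "agenda", "slides"}),
    ("normal", {"transfer", "meeting", "room"}),
]


def apriori(transactions, min_support):
    """Frequent itemsets by level-wise candidate generation: a k-itemset is a
    candidate only if all its (k-1)-subsets were frequent. Returns {itemset: support}."""
    n = len(transactions)

    def support(itemset):
        return sum(1 for t in transactions if itemset <= t) / n

    level = {frozenset([w]) for t in transactions for w in t}
    level = {s for s in level if support(s) >= min_support}
    frequent = {s: support(s) for s in level}
    k = 2
    while level:
        candidates = set()
        for a in level:
            for b in level:
                union = a | b
                if len(union) == k and all(frozenset(sub) in level
                                           for sub in combinations(union, k - 1)):
                    candidates.add(union)
        level = {c for c in candidates if support(c) >= min_support}
        frequent.update((s, support(s)) for s in level)
        k += 1
    return frequent


def association_rules(frequent, min_confidence):
    """Rules X -> Y from each frequent itemset, kept if confidence >= min_confidence.
    Objective interestingness measures reported: support, confidence, lift."""
    rules = []
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(itemset, r):
                ante = frozenset(ante)
                cons = itemset - ante
                conf = sup / frequent[ante]      # subsets of a frequent set are frequent
                if conf >= min_confidence:
                    rules.append({"if": ante, "then": cons, "support": sup,
                                  "confidence": conf, "lift": conf / frequent[cons]})
    return rules


def rule_features(words, rules):
    """Binary feature vector for the decision tree: 1 where the mail contains
    the whole rule (antecedent and consequent), 0 otherwise."""
    return [int((rule["if"] | rule["then"]) <= words) for rule in rules]
```

With `min_support=0.5` the only frequent pair is {transfer, account}; the word 'transfer' on its own would mislabel the office mail, but the relation feature is 1 for every criminal mail and 0 for every normal one, which is the point of using word relations rather than words.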

Journal ArticleDOI
TL;DR: The paper identifies the areas where IT can contribute to three strategic counter-terrorism objectives, the unique IT problems and challenges in counter-terrorism applications where such applications are used and developed (as in the USA), and lessons for developing countries such as Pakistan, so that an IT counter-terrorism infrastructure can be established at minimum cost in time and money.
Abstract: In the period after 11 September 2001, terrorism has been an immediate and most serious threat to the free world because of its real and potential damage to infrastructure, the economy and people. In response to the 11 September 2001 terrorist attacks, developed and developing countries, such as the USA and Pakistan, have emerged as front-line states in the fight against terrorism with the following objectives: (1) prevent future terrorist attacks, (2) reduce the nation's vulnerability and (3) minimise the damage from, and speed recovery after, attacks that occur. In order to achieve these objectives, we require new approaches to intelligence and information gathering and analysis through the use of information technology. In this paper, we attempt to identify (1) the areas where IT can contribute to accomplishing these three strategic security objectives, (2) the unique IT problems and challenges in counter-terrorism applications where such applications are being used and developed, such as in the USA, and (3) lessons learned for developing countries such as Pakistan, so that an IT counter-terrorism infrastructure can be established with minimum cost in terms of time and money.

Journal ArticleDOI
TL;DR: The paper focuses on technological issues, namely privacy-related requirements and protection schemes and techniques, that may answer the human rights and civil liberties concerns raised by detection, identification, authentication and surveillance technologies.
Abstract: Detection, identification, authentication and surveillance technologies are increasingly deployed and at the same time further researched, aiming at countering terrorism and crime, protecting people and goods, and managing working procedures and activities. Although such technologies may also be applied to secure personal data processing, their wide use raises serious concerns. For instance, when they are used for public security reasons, they lead to the creation, collection, storage, communication, interconnection and analysis of huge amounts of personal data, even globally. In this paper, after reviewing relevant developments, mentioning key enabling technologies, discussing relevant risks and mentioning related social, ethical, legal and political aspects, we focus on technological issues, namely privacy-related requirements and protection schemes and techniques, which may respond to concerns about human rights and liberties. Basic building elements of protection measures range from the more conventional, such as cryptography, access control and auditing, to newer ones based on information hiding and privacy-preserving data mining techniques. Also, the active involvement of oversight authorities in data protection schemes may significantly increase their effectiveness.