Projects
The Malware Schism: Inferring Malware Types From Network Traffic
MSc Information Security, University College London
Supervisor: Gianluca Stringhini

Abstract
Malicious software has been an ongoing threat to computer systems and networks for decades, and the dawn of the 21st century has seen a proliferation in the number, complexity and viciousness of malware. The efforts undertaken by the scientific community to deal with this persistent threat have repeatedly proven inadequate. Most current detection techniques rely on signatures, which malware authors can trivially evade, and the vast amount of malware detected daily has made detection and classification by manual analysis practically infeasible. New, more sophisticated approaches are therefore required that minimise human interaction and allow large numbers of files to be processed quickly. In this thesis, we present a novel system that applies machine learning techniques to automatically classify malware samples based on the network traffic they generate. The system consists of two modules: the first infers the spreading mechanism of the samples under analysis, while the second classifies malicious programs according to their behaviour. Samples that do not fit any of the existing classes act as an "alert" about new cyber-criminal activity or a new attack vector. Furthermore, automated classification of the malware detected in a network allows system and network administrators to prioritise the mitigation of threats according to their severity.
PDF | Presentation

Ontological Management of Security Incidents
BSc Telecommunications Science and Technology, University of Peloponnese
Supervisors: Nikolaos Tselikas, Georgios Lioudakis

Abstract
Alert information is inherently heterogeneous, and confronting potential threats effectively requires collaboration between different systems, so the exchange of security incident information across distributed systems has become extremely important over the past years. The Internet Engineering Task Force has published two XML-based formats that serve as reference points: IDMEF (Intrusion Detection Message Exchange Format, RFC 4765) and IODEF (Incident Object Description Exchange Format, RFC 5070). IDMEF is intended as a standard data format for automated intrusion detection systems, response systems and management systems. IODEF is a format for describing, archiving and exchanging the security incident information commonly sent between Computer Security Incident Response Teams (CSIRTs). In the context of this thesis, a software system has been developed that parses alerts expressed in IDMEF and populates the underlying ontology with the useful information contained in them. In addition, the system provides functionality for efficient management of analyzers and for knowledge extraction. The implementation is a Java software library, while the ontology was created in OWL DL.
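The following is an added illustration of the parsing step the abstract describes, not the thesis's Java library: it reads an IDMEF message into plain records and flattens each alert into subject/predicate/object statements, the shape in which an alert would be asserted into an ontology. The sample message is constructed (it follows the element layout of the RFC 4765 examples but is not a real alert), and the predicate names (hasAnalyzer, hasSource, ...) are assumptions standing in for the real ontology's properties.

```python
"""Parse IDMEF (RFC 4765) alerts into records and ontology-style triples.
Added example; not the thesis's Java library."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET  # parse untrusted alerts with defusedxml in production

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}

# Constructed sample (two alerts from one analyzer), not a real alert.
SAMPLE_IDMEF = f"""<IDMEF-Message version="1.0" xmlns="{IDMEF_NS}">
  <Alert messageid="alert-0001">
    <Analyzer analyzerid="dmz-ids-01" name="snort">
      <Node category="dns"><name>ids01.example.com</name></Node>
    </Analyzer>
    <CreateTime ntpstamp="0xbc723b45.0xef449129">2000-03-09T10:01:25.93464-05:00</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>192.0.2.50</address></Address></Node></Source>
    <Target>
      <Node><Address category="ipv4-addr"><address>198.51.100.7</address></Address></Node>
      <Service><port>80</port><protocol>tcp</protocol></Service>
    </Target>
    <Classification text="Teardrop detected">
      <Reference origin="bugtraqid"><name>124</name><url>http://www.securityfocus.com/bid/124</url></Reference>
    </Classification>
    <Assessment><Impact severity="high" completion="failed" type="dos"/></Assessment>
  </Alert>
  <Alert messageid="alert-0002">
    <Analyzer analyzerid="dmz-ids-01" name="snort"/>
    <CreateTime ntpstamp="0xbc723b46.0x00000000">2000-03-09T10:01:26.00000-05:00</CreateTime>
    <Source><Node><Address category="ipv4-addr"><address>192.0.2.50</address></Address></Node></Source>
    <Target><Node><Address category="ipv4-addr"><address>198.51.100.8</address></Address></Node></Target>
    <Classification text="Port scan"/>
    <Assessment><Impact severity="low"/></Assessment>
  </Alert>
</IDMEF-Message>"""


@dataclass
class Alert:
    message_id: str
    analyzer_id: str
    create_time: str
    classification: str
    severity: Optional[str]
    sources: List[str] = field(default_factory=list)
    targets: List[str] = field(default_factory=list)
    references: List[Tuple[str, str]] = field(default_factory=list)  # (origin, name)


def _addresses(parent: ET.Element) -> List[str]:
    """Collect every <address> under <Node><Address> of a Source or Target."""
    return [a.text.strip() for a in parent.findall("idmef:Node/idmef:Address/idmef:address", NS) if a.text]


def parse_idmef(xml_text: str) -> List[Alert]:
    """Return one Alert per <Alert>; reject non-IDMEF input and alerts missing required elements."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{IDMEF_NS}}}IDMEF-Message":
        raise ValueError(f"not an IDMEF message: {root.tag}")
    alerts = []
    for al in root.findall("idmef:Alert", NS):
        analyzer = al.find("idmef:Analyzer", NS)
        created = al.find("idmef:CreateTime", NS)
        cls = al.find("idmef:Classification", NS)
        if analyzer is None or created is None or cls is None:  # all three are mandatory in RFC 4765
            raise ValueError(f"alert {al.get('messageid')} is missing a required element")
        impact = al.find("idmef:Assessment/idmef:Impact", NS)
        alerts.append(Alert(
            message_id=al.get("messageid", ""),
            analyzer_id=analyzer.get("analyzerid", ""),
            create_time=(created.text or "").strip(),
            classification=cls.get("text", ""),
            severity=impact.get("severity") if impact is not None else None,
            sources=[ip for s in al.findall("idmef:Source", NS) for ip in _addresses(s)],
            targets=[ip for t in al.findall("idmef:Target", NS) for ip in _addresses(t)],
            references=[(r.get("origin", ""), (r.findtext("idmef:name", "", NS) or "").strip())
                        for r in cls.findall("idmef:Reference", NS)],
        ))
    return alerts


def to_triples(alert: Alert) -> List[Tuple[str, str, str]]:
    """Flatten an alert into (subject, predicate, object) statements. Predicate names are hypothetical."""
    s = f"alert:{alert.message_id}"
    triples = [(s, "hasAnalyzer", f"analyzer:{alert.analyzer_id}"),
               (s, "createdAt", alert.create_time),
               (s, "hasClassification", alert.classification)]
    if alert.severity:
        triples.append((s, "hasSeverity", alert.severity))
    triples += [(s, "hasSource", f"ip:{ip}") for ip in alert.sources]
    triples += [(s, "hasTarget", f"ip:{ip}") for ip in alert.targets]
    triples += [(s, "references", f"{origin}:{name}") for origin, name in alert.references]
    return triples


def alerts_per_source(alerts: List[Alert]) -> Dict[str, int]:
    """A small knowledge-extraction query: how many alerts name each source address."""
    counts: Dict[str, int] = {}
    for a in alerts:
        for ip in a.sources:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_idmef(SAMPLE_IDMEF)
    for a in parsed:
        for triple in to_triples(a):
            print(triple)
    print(alerts_per_source(parsed))
```

The parser resolves every element through the IDMEF namespace rather than by bare tag name, so a message that embeds IDMEF inside another envelope still parses, and it refuses alerts without the Analyzer, CreateTime and Classification elements that the RFC makes mandatory instead of filling in defaults. Analyzers feeding a real system are rarely all trusted, so the stdlib parser should be swapped for defusedxml before accepting alerts from the network.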
PDF | Presentation