Conference Papers

Permanent URI for this collectionhttps://idr.nitk.ac.in/handle/123456789/28506

  • IFrandbox - Client side protection from malicious injected iframes
    (2011) Nadkarni, T.S.; Mohandas, R.; Pais, A.R.
    Drive-by downloads are currently one of the most popular methods of malware distribution. Widely visited legitimate websites are infused with invisible or barely visible Iframes pointing to malicious URLs, causing a silent download of malware onto the user's system. In this paper, we present a client-side solution for protection from such malevolent hidden Iframes. We have implemented our solution as an extension to the Mozilla Firefox browser. The extension checks every Iframe loaded in the browser for properties emblematic of malicious Iframes, such as hidden visibility styles and 0-pixel dimensions. These Iframes are then blocked by using the browser content policy mechanism, hence alleviating the possibility of the malicious download taking place. © 2011 Springer-Verlag.
  • Split personality malware detection and defeating in popular virtual machines
    (2012) Kumar, A.V.; Vishnani, K.; Kumar, K.V.
    Virtual Machines have gained immense popularity amongst Security Researchers and Malware Analysts due to their pertinent design to analyze malware without risking permanent infection of the actual system carrying out the tests. This is because during analysis, even if a malware infects and destabilizes the guest OS, the analyst can simply load a fresh image, thus avoiding any damage to the actual machine. However, the cat and mouse game between the Black Hat and the White Hat Hackers is a well established fact. Hence, the malware writers have once again raised their stakes by creating a new kind of malware which can detect the presence of virtual machines. Once it detects that it is running on a virtual machine, it either terminates execution immediately or simply hides its malicious intent and continues to execute in a benign manner, thus evading its own detection. This category of malware has been termed Split Personality malware or Analysis Aware malware in Information Security jargon. This paper aims at defeating split personality malware in popular virtual machine environments. This work includes first the study of various virtual machine detection techniques and then the development of a method to thwart these techniques from successfully detecting the virtual machines VirtualBox, VirtualPC and VMware. Copyright © 2012 ACM.
  • Emulating a High Interaction Honeypot to Monitor Intrusion Activity
    (Springer Verlag, 2013) Gopalakrishna, A.; Pais, A.R.
    Intrusion activity monitoring is a complex task to achieve. An intruder should not be alerted about being monitored. A stealthy approach is needed that does not alert the intruder about the presence of monitoring. Virtual Machine based High Interaction Honeypots help achieve stealthy monitoring. Most of the related research work uses the concept of Virtual Machine Introspection, which relies on System Call Interception. However, most of these methods hook the sysenter instruction for interception of system calls. This can be defeated by an intruder, since this is not the only way of making a system call. We have designed and implemented a High-Interaction Virtual Machine based honeypot using the open source tool Qebek. Qebek is more effective as it hooks the actual system call implementation itself. We have tested its capturability by running different types of malware. The results obtained show that the system is able to capture information about processes running on the honeypot, console data and network activities, which reveal the maliciousness of the activities. © Springer-Verlag Berlin Heidelberg 2013.
  • VMI based automated real-time malware detector for virtualized cloud environment
    (Springer Verlag, 2016) M.a, M.A.; Jaidhar, C.D.
    Virtual Machine Introspection (VMI) has evolved as a promising future security solution that performs an indirect investigation of an untrustworthy Guest Virtual Machine (GVM) in real-time by operating at the hypervisor in a virtualized cloud environment. The existing VMI techniques are not intelligent enough to read precisely the manipulated semantic information in their reconstructed high-level semantic view of the live GVM. In this paper, a VMI-based Automated-Internal-External (A-IntExt) system is presented that seamlessly introspects the untrustworthy Windows GVM internal semantic view (i.e. Processes) to detect hidden, dead, and malicious processes. Further, it checks the detected hidden as well as running (not hidden) processes as benign or malicious. The prime component of A-IntExt is the Intelligent Cross-View Analyzer (ICVA), which is responsible for detecting hidden-state information from internally and externally gathered state information of the Monitored Virtual Machine (Med-VM). A-IntExt is designed, implemented, and evaluated using publicly available malware and Windows real-world rootkits to measure detection proficiency as well as execution speed. The experimental results demonstrate that A-IntExt is effective in detecting malicious and hidden-state information rapidly, with a maximum performance overhead of 7.2%. © Springer International Publishing AG 2016.
  • Performance Evaluation of Filter-based Feature Selection Techniques in Classifying Portable Executable Files
    (Elsevier B.V., 2018) Shiva Darshan, S.L.; Jaidhar, J.
    The dimensionality of the feature space has a significant effect on the processing time and predictive performance of Malware Detection Systems (MDS). Therefore, the selection of relevant features is crucial for the classification process. Feature Selection Technique (FST) is a prominent solution that effectively reduces the dimensionality of the feature space by identifying and discarding noisy or irrelevant features from the original feature space. The significant features recommended by FST uplift the malware detection rate. This paper provides a performance analysis of four chosen filter-based FSTs and their impact on the classifier decision. FSTs such as Distinguishing Feature Selector (DFS), Mutual Information (MI), Categorical Proportional Difference (CPD), and Darmstadt Indexing Approach (DIA) have been used in this work, and their efficiency has been evaluated using different datasets, various feature lengths, classifiers, and success measures. The experimental results explicitly indicate that DFS and MI offer competitive performance in terms of better detection accuracy, and that the efficiency of the classifiers does not decline on either balanced or unbalanced datasets. © 2018 The Authors. Published by Elsevier B.V.
  • A Novel Approach towards Windows Malware Detection System Using Deep Neural Networks
    (Elsevier B.V., 2022) Divakarla, U.; Reddy, K.H.K.; Chandrasekaran, K.
    Nowadays, malicious software is increasing in number and has become more harmful for any digital equipment like mobiles, tablets, and computers. Traditional techniques like static and dynamic analysis and signature-based detection methods have become obsolete and are not effective at all. Advanced techniques like code encryption and code packing can be used to evade detection; polymorphic malware is a new class of malware that changes its code structure from time to time to avoid detection, so there is a need for an intelligent system which can efficiently analyze the features of a new, unknown executable file and classify it correctly. There have been learning-based malware detection systems proposed in the literature, but most of those proposed approaches present a high accuracy over a small dataset, whereas the performance is very poor over industry-standard datasets. Operating systems like Windows are always prime malware targets because of the sheer high number of users. This paper proposes a simple, deep learning-based detection approach that classifies a specified executable as benign or harmful. It has been trained using EMBER, an industry-level Windows malware dataset, and tests with an accuracy of 87.76%. © 2023 The Authors. Published by Elsevier B.V.
  • Machine Learning-Based Malware Detection and Classification in Encrypted TLS Traffic
    (Springer Science and Business Media Deutschland GmbH, 2023) Kashyap, H.; Pais, A.R.; Kondaiah, C.
    Malware has become a significant threat to Internet users in the modern digital era. Malware spreads quickly and poses a significant threat to cyber security. As a result, network security measures play an important role in countering these cyber threats. Existing malware detection techniques are unable to detect them effectively. A novel Ensemble Machine Learning (ML)-based malware detection technique from Transport Layer Security (TLS)-encrypted traffic without decryption is proposed in this paper. The features are extracted from TLS traffic. Based on the extracted features, malware detection is performed using Ensemble ML algorithms. The benign and malware file datasets are created using features extracted from TLS traffic. According to the experimental results, the 65 new extracted features perform well in detecting malware from encrypted traffic. The proposed method achieves an accuracy of 99.85% for random forest and 97.43% for multiclass classification for identifying malware families. The ensemble model achieved an accuracy of 99.74% for binary classification and 97.45% for multiclass classification. © 2023, The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
  • DNS Cache Poisoning: Investigating Server and Client-Side Attacks and Mitigation Methods
    (Institute of Electrical and Electronics Engineers Inc., 2023) Chandrasekaran, K.; Divakarla, U.; Srinivasan, K.S.
    DNS cache poisoning is a type of cyber attack that aims to redirect traffic from legitimate websites to malicious ones. In this attack, the attacker modifies the DNS cache of a DNS server, allowing them to redirect requests for legitimate domain names to their own servers. This can result in the distribution of malware and phishing attacks. To mitigate the risk of DNS cache poisoning, various techniques such as DNSSEC, source port randomization, and response rate limiting have been developed. This paper provides an overview of DNS cache poisoning, the techniques used to perform the attack, and the countermeasures that can be employed to protect against it. © 2023 IEEE.
  • Early Detection and Classification of Zero-Day Attacks in Network Traffic Using Convolutional Neural Network
    (Springer Science and Business Media Deutschland GmbH, 2024) Singh, M.P.; Singh, V.P.; Gupta, M.
    In a Zero-Day cyberattack, attackers exploit a software vulnerability of which the software vendor is unaware or for which it has not released a patch. This can make it difficult for organizations to protect their systems until a patch or mitigation is developed. To stay ahead of these evolving cyber threats, it's critical to keep up to date with the latest threat information and to remain vigilant. Traditional methods for detecting and classifying zero-day attacks often require session-wide features, which can be challenging to implement. This paper presents a novel approach for detecting and classifying Zero-Day attacks in network traffic. Specifically, we present a framework composed of a 1D Convolutional Neural Network (1D-CNN), which involves minimal preprocessing and directly leverages raw network data as byte sequences to learn features, eliminating the need for complex feature extraction. To test the effectiveness of our proposed approach, publicly available network traffic datasets encompassing various malware families are used. Results show that the proposed approach is significantly effective in detecting and classifying Zero-Day attacks, empowering organizations to combat evolving cyber threats. © The Author(s), under exclusive license to Springer Nature Switzerland AG 2024.