25 results for malicious gossip


Relevance: 10.00%

Abstract:

While virtualisation can provide many benefits to a network's infrastructure, securing the virtualised environment is a big challenge. The security of a fully virtualised solution is dependent on the security of each of its underlying components, such as the hypervisor, guest operating systems and storage.

This paper presents a single security service running on the hypervisor that could potentially work to provide security service to all virtual machines running on the system. This paper presents a hypervisor hosted framework which performs specialised security tasks for all underlying virtual machines to protect against any malicious attacks by passively analysing the network traffic of VMs. This framework has been implemented using Xen Server and has been evaluated by detecting a Zeus Server setup and infected clients, distributed over a number of virtual machines. This framework is capable of detecting and identifying all infected VMs with no false positive or false negative detection.

Relevance: 10.00%

Abstract:

N-gram analysis is an approach that investigates the structure of a program using bytes, characters or text strings. This research uses dynamic analysis to investigate malware detection using a classification approach based on N-gram analysis. A key issue with dynamic analysis is the length of time a program has to be run to ensure a correct classification. The motivation for this research is to find the optimum subset of operational codes (opcodes) that make the best indicators of malware and to determine how long a program has to be monitored to ensure an accurate support vector machine (SVM) classification of benign and malicious software. The experiments within this study represent programs as opcode density histograms gained through dynamic analysis for different program run periods. An SVM is used as the program classifier to determine the ability of different program run lengths to correctly determine the presence of malicious software. The findings show that malware can be detected with different program run lengths using a small number of opcodes.

Relevance: 10.00%

Abstract:

The increased construction and reconstruction of smart substations has exposed a problem with version management of substation configuration description language (SCL) files due to frequent changes. This paper proposes a comparative approach for differentiation of smart substation SCL configuration files. A comparison model for SCL configuration files is built in this method, which is based on the SCL structure and abstract model defined by IEC 61850. The proposed approach adopts the algorithms of depth-first traversal, sorting, and cross comparison in order to rapidly identify differences of changed SCL configuration files. This approach can also be utilized to detect malicious tampering or illegal manipulation tailoring for SCL files. SCL comparison software is developed using the Qt platform to validate the feasibility and effectiveness of the proposed approach.

Relevance: 10.00%

Abstract:

N-gram analysis is an approach that investigates the structure of a program using bytes, characters or text strings. This research uses dynamic analysis to investigate malware detection using a classification approach based on N-gram analysis. The motivation for this research is to find a subset of N-gram features that makes a robust indicator of malware. The experiments within this paper represent programs as N-gram density histograms, gained through dynamic analysis. A Support Vector Machine (SVM) is used as the program classifier to determine the ability of N-grams to correctly determine the presence of malicious software. The preliminary findings show that an N-gram size N=3 and N=4 present the best avenues for further analysis.

Relevance: 10.00%

Abstract:

Mobile malware has been growing in scale and complexity as smartphone usage continues to rise. Android has surpassed other mobile platforms as the most popular whilst also witnessing a dramatic increase in malware targeting the platform. A worrying trend that is emerging is the increasing sophistication of Android malware to evade detection by traditional signature-based scanners. As such, Android app marketplaces remain at risk of hosting malicious apps that could evade detection before being downloaded by unsuspecting users. Hence, in this paper we present an effective approach to alleviate this problem based on Bayesian classification models obtained from static code analysis. The models are built from a collection of code and app characteristics that provide indicators of potential malicious activities. The models are evaluated with real malware samples in the wild and results of experiments are presented to demonstrate the effectiveness of the proposed approach.

Relevance: 10.00%

Abstract:

Swift often noted his aversion to coffee-house conversation and to tavern talk, to gossip and company, and to being buried in Dublin in the years of his Deanship. Yet the popular myth of a morose, unsociable Swift belies both his engagement with various literary and political clubs in his early career and his participation in collaborative and experimental poetic games in his Dublin circles. This essay considers Swift’s involvement with three clubs in London (the Saturday Club, the Brothers’ Club, and the Scriblerians) and his writings on a number of fictional clubs (the Athenian Society, the Calves-Head Club, and a putative Society for the correction of the English language). While Swift wrote very little of his experience of actual clubs, the latter three, in addition to the Scriblerian Club as an imagined rather than actual club, resulted in a number of defining poems and works in his career. When Swift settled in Dublin, poetry written and exchanged in a number of sociable circles characterised much of his published verse and gave glimpses of the circles and informal clubs which he formed among friends there. Although these poems are often dismissed as ‘trifles’, the essay argues that the poems are crucial for our understandings of ‘conversational culture’ or sociability in Swift’s Dublin.

Relevance: 10.00%

Abstract:

Among Brethren fisher families in Gamrie, northeast Scotland, professional clergy and written liturgy are held to be blasphemous denials of the true workings of the Holy Spirit. God, I was told, chooses to speak through all born-again (male) persons, unrestricted by the vain repetitions of lettered clerics and their prayer books. In this context, confession of one’s own sin is a private and pointedly interior affair. In Gamrie, not only did every man seek to be his own skipper, but also his own priest. Yet, much of Brethren worship is given over to ritualised acts of confession. So whose sins do the Brethren confess, and to what end? This article argues that among the Brethren of Gamrie, such acts involve confessing not one’s own sin, but the sins of a ‘sick’ and ‘fallen’ world. More than this, by attending to the sociological (as opposed to theological) processes of confessing the sins of another, we see a collapse in the distinction between confiteor and credo that has so dogged anthropological studies of Christianity. In Brethren prayer and bible study, as well as in everyday gossip, the “I confess” of the confiteor and the “I believe” of credo co-constitute one another in and through evidences of the ‘lostness’ of ‘this present age’. But how, if at all, does this solve ‘the problem of sin’? This article suggests that, with the ritual gaze of confession turned radically outward, Brethren announcements of global wickedness enact (in a deliberate tautology) both a totalising call for repentance from sin, and a millenarian creed of the imminent apocalypse. Here, the problem of ritual can be understood as the problem of (partially failed) expiation.

Relevance: 10.00%

Abstract:

The research presented investigates the optimal set of operational codes (opcodes) that create a robust indicator of malicious software (malware) and also determines a program’s execution duration for accurate classification of benign and malicious software. The features extracted from the dataset are opcode density histograms, extracted during the program execution. The classifier used is a support vector machine and is configured to select those features to produce the optimal classification of malware over different program run lengths. The findings demonstrate that malware can be detected using dynamic analysis with relatively few opcodes.

Relevance: 10.00%

Abstract:

App collusion refers to two or more apps working together to achieve a malicious goal that they otherwise would not be able to achieve individually. The permissions based security model (PBSM) for Android does not address this threat, as it is rather limited to mitigating risks due to individual apps. This paper presents a technique for assessing the threat of collusion for apps, which is a first step towards quantifying collusion risk, and allows us to narrow down to candidate apps for collusion, which is critical given the high volume of Android apps available. We present our empirical analysis using a classified corpus of over 29000 Android apps provided by Intel Security.

Relevance: 10.00%

Abstract:

Android is becoming ubiquitous and currently has the largest share of the mobile OS market with billions of application downloads from the official app market. It has also become the platform most targeted by mobile malware, which is becoming more sophisticated to evade state-of-the-art detection approaches. Many Android malware families employ obfuscation techniques in order to avoid detection and this may defeat static analysis based approaches. Dynamic analysis on the other hand may be used to overcome this limitation. Hence in this paper we propose DynaLog, a dynamic analysis based framework for characterizing Android applications. The framework provides the capability to analyse the behaviour of applications based on an extensive number of dynamic features. It provides an automated platform for mass analysis and characterization of apps that is useful for quickly identifying and isolating malicious applications. The DynaLog framework leverages existing open source tools to extract and log high level behaviours, API calls, and critical events that can be used to explore the characteristics of an application, thus providing an extensible dynamic analysis platform for detecting Android malware. DynaLog is evaluated using real malware samples and clean applications demonstrating its capabilities for effective analysis and detection of malicious applications.