Defending against cybercrime: advances in the detection of malicious servers and the analysis of client-side vulnerabilities

Esta tesis se centra en el análisis de dos aspectos complementarios de la ciberdelincuencia (es decir, el crimen perpetrado a través de la red para ganar dinero). Estos dos aspectos son las máquinas infectadas utilizadas para obtener beneficios económicos de la delincuencia a través de diferentes acciones (como por ejemplo, clickfraud, DDoS, correo no deseado) y la infraestructura de servidores utilizados para gestionar estas máquinas (por ejemplo, C & C, servidores explotadores, servidores de monetización, redirectores). En la primera parte se investiga la exposición a las amenazas de los ordenadores victimas. Para realizar este análisis hemos utilizado los metadatos contenidos en WINE-BR conjunto de datos de Symantec. Este conjunto de datos contiene metadatos de instalación de ficheros ejecutables (por ejemplo, hash del fichero, su editor, fecha de instalación, nombre del fichero, la versión del fichero) proveniente de 8,4 millones de usuarios de Windows. Hemos asociado estos metadatos con las vulnerabilidades en el National Vulnerability Database (NVD) y en el Opens Sourced Vulnerability Database (OSVDB) con el fin de realizar un seguimiento de la decadencia de la vulnerabilidad en el tiempo y observar la rapidez de los usuarios a remiendar sus sistemas y, por tanto, su exposición a posibles ataques. Hemos identificado 3 factores que pueden influir en la actividad de parches de ordenadores victimas: código compartido, el tipo de usuario, exploits. Presentamos 2 nuevos ataques contra el código compartido y un análisis de cómo el conocimiento usuarios y la disponibilidad de exploit influyen en la actividad de aplicación de parches. Para las 80 vulnerabilidades en nuestra base de datos que afectan código compartido entre dos aplicaciones, el tiempo entre el parche libera en las diferentes aplicaciones es hasta 118 das (con una mediana de 11 das) En la segunda parte se proponen nuevas técnicas de sondeo activos para detectar y analizar las infraestructuras de servidores maliciosos. Aprovechamos técnicas de sondaje activo, para detectar servidores maliciosos en el internet. Empezamos con el análisis y la detección de operaciones de servidores explotadores. Como una operación identificamos los servidores que son controlados por las mismas personas y, posiblemente, participan en la misma campaña de infección. Hemos analizado un total de 500 servidores explotadores durante un período de 1 año, donde 2/3 de las operaciones tenían un único servidor y 1/2 por varios servidores. Hemos desarrollado la técnica para detectar servidores explotadores a diferentes tipologías de servidores, (por ejemplo, C & C, servidores de monetización, redirectores) y hemos logrado escala de Internet de sondeo para las distintas categorías de servidores maliciosos. Estas nuevas técnicas se han incorporado en una nueva herramienta llamada CyberProbe. Para detectar estos servidores hemos desarrollado una novedosa técnica llamada Adversarial Fingerprint Generation, que es una metodología para generar un modelo único de solicitud-respuesta para identificar la familia de servidores (es decir, el tipo y la operación que el servidor apartenece). A partir de una fichero de malware y un servidor activo de una determinada familia, CyberProbe puede generar un fingerprint válido para detectar todos los servidores vivos de esa familia. Hemos realizado 11 exploraciones en todo el Internet detectando 151 servidores maliciosos, de estos 151 servidores 75% son desconocidos a bases de datos publicas de servidores maliciosos. Otra cuestión que se plantea mientras se hace la detección de servidores maliciosos es que algunos de estos servidores podrán estar ocultos detrás de un proxy inverso silente. Para identificar la prevalencia de esta configuración de red y mejorar el capacidades de CyberProbe hemos desarrollado RevProbe una nueva herramienta a través del aprovechamiento de leakages en la configuración de la Web proxies inversa puede detectar proxies inversos. RevProbe identifica que el 16% de direcciones IP maliciosas activas analizadas corresponden a proxies inversos, que el 92% de ellos son silenciosos en comparación con 55% para los proxies inversos benignos, y que son utilizado principalmente para equilibrio de carga a través de múltiples servidores. ABSTRACT In this dissertation we investigate two fundamental aspects of cybercrime: the infection of machines used to monetize the crime and the malicious server infrastructures that are used to manage the infected machines. In the first part of this dissertation, we analyze how fast software vendors apply patches to secure client applications, identifying shared code as an important factor in patch deployment. Shared code is code present in multiple programs. When a vulnerability affects shared code the usual linear vulnerability life cycle is not anymore effective to describe how the patch deployment takes place. In this work we show which are the consequences of shared code vulnerabilities and we demonstrate two novel attacks that can be used to exploit this condition. In the second part of this dissertation we analyze malicious server infrastructures, our contributions are: a technique to cluster exploit server operations, a tool named CyberProbe to perform large scale detection of different malicious servers categories, and RevProbe a tool that detects silent reverse proxies. We start by identifying exploit server operations, that are, exploit servers managed by the same people. We investigate a total of 500 exploit servers over a period of more 13 months. We have collected malware from these servers and all the metadata related to the communication with the servers. Thanks to this metadata we have extracted different features to group together servers managed by the same entity (i.e., exploit server operation), we have discovered that 2/3 of the operations have a single server while 1/3 have multiple servers. Next, we present CyberProbe a tool that detects different malicious server types through a novel technique called adversarial fingerprint generation (AFG). The idea behind CyberProbe’s AFG is to run some piece of malware and observe its network communication towards malicious servers. Then it replays this communication to the malicious server and outputs a fingerprint (i.e. a port selection function, a probe generation function and a signature generation function). Once the fingerprint is generated CyberProbe scans the Internet with the fingerprint and finds all the servers of a given family. We have performed a total of 11 Internet wide scans finding 151 new servers starting with 15 seed servers. This gives to CyberProbe a 10 times amplification factor. Moreover we have compared CyberProbe with existing blacklists on the internet finding that only 40% of the server detected by CyberProbe were listed. To enhance the capabilities of CyberProbe we have developed RevProbe, a reverse proxy detection tool that can be integrated with CyberProbe to allow precise detection of silent reverse proxies used to hide malicious servers. RevProbe leverages leakage based detection techniques to detect if a malicious server is hidden behind a silent reverse proxy and the infrastructure of servers behind it. At the core of RevProbe is the analysis of differences in the traffic by interacting with a remote server.

Gene discovery in the wood-forming tissues of poplar: Analysis of 5,692 expressed sequence tags

A rapidly growing area of genome research is the generation of expressed sequence tags (ESTs) in which large numbers of randomly selected cDNA clones are partially sequenced. The collection of ESTs reflects the level and complexity of gene expression in the sampled tissue. To date, the majority of plant ESTs are from nonwoody plants such as Arabidopsis, Brassica, maize, and rice. Here, we present a large-scale production of ESTs from the wood-forming tissues of two poplars, Populus tremula L. × tremuloides Michx. and Populus trichocarpa ‘Trichobel.’ The 5,692 ESTs analyzed represented a total of 3,719 unique transcripts for the two cDNA libraries. Putative functions could be assigned to 2,245 of these transcripts that corresponded to 820 protein functions. Of specific interest to forest biotechnology are the 4% of ESTs involved in various processes of cell wall formation, such as lignin and cellulose synthesis, 5% similar to developmental regulators and members of known signal transduction pathways, and 2% involved in hormone biosynthesis. An additional 12% of the ESTs showed no significant similarity to any other DNA or protein sequences in existing databases. The absence of these sequences from public databases may indicate a specific role for these proteins in wood formation. The cDNA libraries and the accompanying database are valuable resources for forest research directed toward understanding the genetic control of wood formation and future endeavors to modify wood and fiber properties for industrial use.

Chemistry for the analysis of protein–protein interactions: Rapid and efficient cross-linking triggered by long wavelength light

Chemical cross-linking is a potentially useful technique for probing the architecture of multiprotein complexes. However, analyses using typical bifunctional cross-linkers often suffer from poor yields, and large-scale modification of nucleophilic side chains can result in artifactual results attributable to structural destabilization. We report here the de novo design and development of a type of protein cross-linking reaction that uses a photogenerated oxidant to mediate rapid and efficient cross-linking of associated proteins. The process involves brief photolysis of tris-bipyridylruthenium(II) dication with visible light in the presence of the electron acceptor ammonium persulfate and the proteins of interest. Very high yields of cross-linked products can be obtained with irradiation times of <1 second. This chemistry obviates many of the problems associated with standard cross-linking reagents.

Quantitative analysis of chromosomal CGH in human breast tumors associates copy number abnormalities with p53 status and patient survival

We present a general method for rigorously identifying correlations between variations in large-scale molecular profiles and outcomes and apply it to chromosomal comparative genomic hybridization data from a set of 52 breast tumors. We identify two loci where copy number abnormalities are correlated with poor survival outcome (gain at 8q24 and loss at 9q13). We also identify a relationship between abnormalities at two loci and the mutational status of p53. Gain at 8q24 and loss at 5q15-5q21 are linked with mutant p53. The 9q and 5q losses suggest the possibility of gene products involved in breast cancer progression. The analytical techniques are general and also are applicable to the analysis of array-based expression data.

Parallel human genome analysis: microarray-based expression monitoring of 1000 genes.

Microarrays containing 1046 human cDNAs of unknown sequence were printed on glass with high-speed robotics. These 1.0-cm2 DNA "chips" were used to quantitatively monitor differential expression of the cognate human genes using a highly sensitive two-color hybridization assay. Array elements that displayed differential expression patterns under given experimental conditions were characterized by sequencing. The identification of known and novel heat shock and phorbol ester-regulated genes in human T cells demonstrates the sensitivity of the assay. Parallel gene analysis with microarrays provides a rapid and efficient method for large-scale human gene discovery.

DNA analysis and diagnostics on oligonucleotide microchips.

We present a further development in the technology of sequencing by hybridization to oligonucleotide microchips (SHOM) and its application to diagnostics for genetic diseases. A robot has been constructed to manufacture sequencing "microchips." The microchip is an array of oligonucleotides immobilized into gel elements fixed on a glass plate. Hybridization of the microchip with fluorescently labeled DNA was monitored in real time simultaneously for all microchip elements with a two-wavelength fluorescent microscope equipped with a charge-coupled device camera. SHOM has been used to detect beta-thalassemia mutations in patients by hybridizing PCR-amplified DNA with the microchips. A contiguous stacking hybridization technique has been applied for the detection of mutations; it can simplify medical diagnostics and enhance its reliability. The use of multicolor monitoring of contiguous stacking hybridization is suggested for large-scale diagnostics and gene polymorphism studies. Other applications of the SHOM technology are discussed.

Multiplex genotype determination at a large number of gene loci.

To facilitate large-scale genotype analysis, an efficient PCR-based multiplex approach has been developed. For simultaneously amplifying the target sequences at a large number of genetic loci, locus-specific primers containing 5' universal tails are used. Attaching the universal tails to the target sequences in the initial PCR steps allows replacement of all specific primers with a pair of primers identical to the universal tails and converts the multiplex amplification into "uniplex." Simultaneous amplification of 26 genetic loci with this approach is described. The multiplex amplification can be coupled with genotype determination. By incorporating a single-base mismatch between a primer and the template into the target sequences, a polymorphic site can be converted into a desirable restriction fragment length polymorphism when it is necessary. In this way, the allelic PCR products for the polymorphic loci can be discriminated by gel electrophoresis after restriction enzyme digestion. In this study, 32 loci were typed in such a multiplex way.

Finite-size scaling analysis of the distributions of pseudo-critical temperatures in spin glasses

Using the results of large scale numerical simulations we study the probability distribution of the pseudo critical temperature for the three dimensional Edwards Anderson Ising spin glass and for the fully connected Sherrington-Kirkpatrick model. We find that the behaviour of our data is nicely described by straightforward finitesize scaling relations.

Radiocarbon dates, grain size measurements and selected foraminifera analysis from sediment cores AvH248260-2 and AvH248260-1, Ameralik Fjord, SW Greenland

Sedimentological and geochemical (XRF) data together with information from diatom and benthic foraminiferal records of a 3.5 m long gravity core from Ameralik Fjord, southern West Greenland, is used for reconstructing late-Holocene environmental changes in this area. The changes are linked to large-scale North Atlantic ocean and climate variability. AMS 14C-dating of benthic foraminifera indicates that the sediment core records the last 4400 years and covers the termination of the Holocene Thermal Maximum (HTM). The late HTM (4.4 3.2 ka BP) is characterized by high accumulation rates of fine (silty) sediments related to strong meltwater discharge from the Inland Ice. The HTM benthic foraminiferal fauna demonstrates the presence of well-ventilated, saline bottom water originating from inflow of subsurface West Greenland Current water of Atlantic (Irminger Sea) origin. The hydrographic conditions were further characterized by limited sea ice probably related to a mild and relatively windy winter climate. After 3.2 ka BP lower fine-grained sedimentation rates, but a larger input from sea-ice rafted or aeolian coarse material prevailed. This can be related to colder atmospheric conditions with a decreased meltwater discharge and more widespread sea-ice cover in the fjord.

Analysis of the Hydrogeological Conditions and the Effects of Development on the Hydraulic Head at Redmond Ridge East

Redmond Ridge East (RRE) is a large-scale master plan community in East King County, WA. In this report, I evaluate the spatial variability of the Quaternary Advance Outwash (Qva) at RRE and the time-series data for 16 water wells with the intent to better understand groundwater below the RRE area. I investigate changes between pre- and post-development conditions through the determination of temporal changes in annual water level, annual water level fluctuations, hydraulic head response to precipitation, and ambient drainage of the aquifer. I also perform a basic analysis of the annual aquifer recharge and a determination for the storage through the implementation of the water table fluctuation (WTF) method. Associated Earth Sciences (AESI) was tasked with monitoring the geological and environmental impacts during the development of RRE and collected the data I use in this report. AESI involvement in monitoring began in 1998 and extends to the present. Sixteen wells were identified in the RRE area with adequate temporal data to conduct the analysis. A comparison of the well logs and aquifer testing data allowed local variations in the Qva to be mapped. The WTF was used to determine a range of reasonable specific yield values for locations where the Qva was unconfined. Yearly average of the seasonal water level high and lows, and the fluctuations were quantified. Temporal relationships were established through linear regression. The average water level was found to be increasing in some locations, and the corresponding fluctuations were found to decrease. However, no clear change between pre- and post-development was observed. The response of hydraulic head to precipitation was investigated through an analysis of hydrographs for ten wells. Periods of consistent response and the corresponding precipitation during each period were delineated. A linear relationship between precipitation and water level change was determined. The threshold precipitation under which there is a positive response in the hydraulic head was established. No observable changes were apparent between pre- and post-development conditions. The ambient drainage for the Qva was calculated using recessional periods on the hydrograph. The transmissivity of Qva varies with thickness of the overlying lodgment till and thickness of the Qva, itself. Water level fluctuations observed in the Qva are consistent with regional observations. Localized areas in the Qva display the large 10 foot fluctuations and these anomalies are likely due to a combination of the local variability in the storativity as well as the concentration and channeling of water due to geographical variations in the Qva and the overlying topography. All trends seen in the RRE area remained relatively constant through time. There was no evidence showing an effect of development on the hydraulic head at RRE. This implies that the style and distribution of infiltration has not changed as a result of development, and that any measures in place are properly mitigating the effects of development on the RRE region.

Optimization and Machine Learning Frameworks for Complex Network Analysis

Thesis (Ph.D.)--University of Washington, 2016-06

Social-Institutional Structures That Matter: An Exploratory Analysis of Sexual/Gender Minority Status and Income in Japan

Thesis (Master's)--University of Washington, 2016-06

Origin and diversity of the Sox transcription factor gene family: genome-wide analysis in Fugu rubripes

The SOX family of transcription factors are found throughout the animal kingdom and are important in a variety of developmental contexts. Genome analysis has identified 20 Sox genes in human and mouse, which can be subdivided into 8 groups, based on sequence comparison and intron-exon structure. Most of the SOX groups identified in mammals are represented by a single SOX sequence in invertebrate model organisms, suggesting a duplication and divergence mechanism has operated during vertebrate evolution. We have now analysed the Sox gene complement in the pufferfish, Fugu rubripes, in order to shed further light on the diversity and origins of the Sox gene family. Major differences were found between the Sox family in Fugu and those in humans and mice. In particular, Fugu does not have orthologues of Sry, Sox,15 and Sox30, which appear to be specific to mammals, while Sox19, found in Fugu and zebrafish but absent in mammals, seems to be specific to fishes. Six mammalian Sox genes are represented by two copies each in Fugu, indicating a large-scale gene duplication in the fish lineage. These findings point to recent Sox gene loss, duplication and divergence occurring during the evolution of tetrapod and teleost lineages, and provide further evidence for large-scale segmental or a whole-genome duplication occurring early in the radiation of teleosts. (C) 2004 Elsevier B.V. All rights reserved.

An object-oriented designed finite-difference time-domain simulator for electromagnetic analysis and design in MRI - application to high field analyses

This paper presents a finite-difference time-domain (FDTD) simulator for electromagnetic analysis and design applications in MRI. It is intended to be a complete FDTD model of an MRI system including all RF and low-frequency field generating units and electrical models of the patient. The pro-ram has been constructed in an object-oriented framework. The design procedure is detailed and the numerical solver has been verified against analytical solutions for simple cases and also applied to various field calculation problems. In particular, the simulator is demonstrated for inverse RF coil design, optimized source profile generation, and parallel imaging in high-frequency situations. The examples show new developments enabled by the simulator and demonstrate that the proposed FDTD framework can be used to analyze large-scale computational electromagnetic problems in modern MRI engineering. (C) 2004 Elsevier Inc. All rights reserved.

Analysis of transient eddy currents in MRI using a cylindrical FDTD method

Most magnetic resonance imaging (MRI) spatial encoding techniques employ low-frequency pulsed magnetic field gradients that undesirably induce multiexponentially decaying eddy currents in nearby conducting structures of the MRI system. The eddy currents degrade the switching performance of the gradient system, distort the MRI image, and introduce thermal loads in the cryostat vessel and superconducting MRI components. Heating of superconducting magnets due to induced eddy currents is particularly problematic as it offsets the superconducting operating point, which can cause a system quench. A numerical characterization of transient eddy current effects is vital for their compensation/control and further advancement of the MRI technology as a whole. However, transient eddy current calculations are particularly computationally intensive. In large-scale problems, such as gradient switching in MRI, conventional finite-element method (FEM)-based routines impose very large computational loads during generation/solving of the system equations. Therefore, other computational alternatives need to be explored. This paper outlines a three-dimensional finite-difference time-domain (FDTD) method in cylindrical coordinates for the modeling of low-frequency transient eddy currents in MRI, as an extension to the recently proposed time-harmonic scheme. The weakly coupled Maxwell's equations are adapted to the low-frequency regime by downscaling the speed of light constant, which permits the use of larger FDTD time steps while maintaining the validity of the Courant-Friedrich-Levy stability condition. The principal hypothesis of this work is that the modified FDTD routine can be employed to analyze pulsed-gradient-induced, transient eddy currents in superconducting MRI system models. The hypothesis is supported through a verification of the numerical scheme on a canonical problem and by analyzing undesired temporal eddy current effects such as the B-0-shift caused by actively shielded symmetric/asymmetric transverse x-gradient head and unshielded z-gradient whole-body coils operating in proximity to a superconducting MRI magnet.