Dissertations / Theses on the topic 'COMPUTERS / Security / Viruses'

The use of Network Telescope systems has become increasingly popular amongst security researchers in recent years. This study provides a framework for the utilisation of this data. The research is based on a primary dataset of 40 million events spanning 50 months collected using a small (/24) passive network telescope located in African IP space. This research presents a number of differing ways in which the data can be analysed ranging from low level protocol based analysis to higher level analysis at the geopolitical and network topology level. Anomalous traffic and illustrative anecdotes are explored in detail and highlighted. A discussion relating to bogon traffic observed is also presented. Two novel visualisation tools are presented, which were developed to aid in the analysis of large network telescope datasets. The first is a three-dimensional visualisation tool which allows for live, near-realtime analysis, and the second is a two-dimensional fractal based plotting scheme which allows for plots of the entire IPv4 address space to be produced, and manipulated. Using the techniques and tools developed for the analysis of this dataset, a detailed analysis of traffic recorded as destined for port 445/tcp is presented. This includes the evaluation of traffic surrounding the outbreak of the Conficker worm in November 2008. A number of metrics relating to the description and quantification of network telescope configuration and the resultant traffic captures are described, the use of which it is hoped will facilitate greater and easier collaboration among researchers utilising this network security technology. The research concludes with suggestions relating to other applications of the data and intelligence that can be extracted from network telescopes, and their use as part of an organisation’s integrated network security systems

This document aims to provide a complete discussion on vulnerability and patch management. The first chapters look at the trends relating to vulnerabilities, exploits, attacks and patches. These trends describe the drivers of patch and vulnerability management and situate the discussion in the current security climate. The following chapters then aim to present both policy and technical solutions to the problem. The policies described lay out a comprehensive set of steps that can be followed by any organisation to implement their own patch management policy, including practical advice on integration with other policies, managing risk, identifying vulnerability, strategies for reducing downtime and generating metrics to measure progress. Having covered the steps that can be taken by users, a strategy describing how best a vendor should implement a related patch release policy is provided. An argument is made that current monthly patch release schedules are inadequate to allow users to most effectively and timeously mitigate vulnerabilities. The final chapters discuss the technical aspect of automating parts of the policies described. In particular the concept of 'defense in depth' is used to discuss additional strategies for 'buying time' during the patch process. The document then goes on to conclude that in the face of increasing malicious activity and more complex patching, solid frameworks such as those provided in this document are required to ensure an organisation can fully manage the patching process. However, more research is required to fully understand vulnerabilities and exploits. In particular more attention must be paid to threats, as little work as been done to fully understand threat-agent capabilities and activities from a day to day basis.
TeX output 2007.02.08:2212
Adobe Acrobat 9.51 Paper Capture Plug-in

For the greater part, security controls are based on the principle of Decision through Detection (DtD). The exception to this is a honeypot, which analyses interactions between a third party and itself, while occupying a piece of unused information space. As honeypots are not located on productive information resources, any interaction with it can be assumed to be non-productive. This allows the honeypot to make decisions based simply on the presence of data, rather than on the behaviour of the data. But due to limited resources in human capital, honeypots’ uptake in the South African market has been underwhelming. Amber attempts to change this by offering a zero-interaction security system, which will use the honeypot approach of decision through Presence (DtP) to generate a blacklist of third parties, which can be passed on to a network enforcer. Empirical testing has proved the usefulness of this alternative and low cost approach in defending networks. The functionality of the system was also extended by installing nodes in different geographical locations, and streaming their detections into the central Amber hive.

In this research, a security architecture based on the feedback control theory has been proposed. The first loop has been designed, developed and tested. The architecture proposes a feedback model with many controllers located at different stages of network. The controller at each stage gives feedback to the one at higher level and a decision about network security is taken. The first loop implemented in this thesis detects one important anomaly of virus attack, rate of outgoing connection. Though there are other anomalies of a virus attack, rate of outgoing connection is an important one to contain the spread. Based on the feedback model, this symptom is fed back and a state model using queuing theory is developed to delay the connections and slow down the rate of outgoing connections. Upon implementation of this model, whenever an infected machine tries to make connections at a speed not considered safe, the controller kicks in and sends those connections to a delay queue. Because of delaying connections, rate of outgoing connections decrease. Also because of delaying, many connections timeout and get dropped, reducing the spread. PID controller is implemented to decide the number of connections going to safe or suspected queue. Multiple controllers can be implemented to control the parameters like delay and timeout. Control theory analysis is performed on the system to test for stability, controllability, observability. Sensitivity analysis is done to find out the sensitivity of the controller to the delay parameter. The first loop implemented gives feedback to the architecture proposed about symptoms of an attack at the node level. A controller needs to be developed to receive information from different controllers and decision about quarantining needs to be made. This research gives the basic information needed for the controller about what is going on at individual nodes of the network. This information can also be used to increase sensitivity of other loops to increase the effectiveness of feedback architecture.

Today, host-based malware detection approaches such as antivirus programs are severely lagging in terms of defense against malware. Two important aspects that the overall effectiveness of malware detection depend on are the success of extracting information from malware using malware analysis to generate signatures, and then the success of utilizing these signatures on target hosts with appropriate system monitoring techniques. Today's malware employ a vast array of anti-analysis and anti-monitoring techniques to deter analysis and to neutralize antivirus programs, reducing the overall success of malware detection. In this dissertation, we present a set of practical approaches of robust and efficient malware analysis and system monitoring that can help make malware detection on hosts become more effective. First, we present a framework called Eureka, which efficiently deobfuscates single-pass and multi-pass packed binaries and restores obfuscated API calls, providing a basis for extracting comprehensive information from the malware using further static analysis. Second, we present the formal framework of transparent malware analysis and Ether, a dynamic malware analysis environment based on this framework that provides transparent fine-(single instruction) and coarse-(system call) granularity tracing. Third, we introduce an input-based obfuscation technique that hides trigger-based behavior from any input-oblivious analyzer. Fourth, we present an approach that automatically reverse-engineers the emulator and extracts the syntax and semantics of the bytecode language, which helps constructing control-flow graphs of the bytecode program and enables further analysis on the malicious code. Finally, we present Secure In-VM Monitoring, an approach of efficiently monitoring a target host while being robust against unknown malware that may attempt to neutralize security tools.

Worldwide computer systems continue to execute malicious software that degrades the systemsâ performance and consumes network capacity by generating high volumes of unwanted traffic. Network-based detectors can effectively identify machines participating in the ongoing attacks by monitoring the traffic to and from the systems. But, network detection alone is not enough; it does not improve the operation of the Internet or the health of other machines connected to the network. We must identify malicious code running on infected systems, participating in global attack networks. This dissertation describes a robust and secure approach that identifies malware present on infected systems based on its undesirable use of network. Our approach, using virtualization, attributes malicious traffic to host-level processes responsible for the traffic. The attribution identifies on-host processes, but malware instances often exhibit parasitic behaviors to subvert the execution of benign processes. We then augment the attribution software with a host-level monitor that detects parasitic behaviors occurring at the user- and kernel-level. User-level parasitic attack detection happens via the system-call interface because it is a non-bypassable interface for user-level processes. Due to the unavailability of one such interface inside the kernel for drivers, we create a new driver monitoring interface inside the kernel to detect parasitic attacks occurring through this interface. Our attribution software relies on a guest kernelâ s data to identify on-host processes. To allow secure attribution, we prevent illegal modifications of critical kernel data from kernel-level malware. Together, our contributions produce a unified research outcome --an improved malicious code identification system for user- and kernel-level malware.

I dag kan man oftast läsa om olika säkerhetshot och risker en datoranvändare måste tänka på för att inte ge någon utomstående möjlighet att komma åt känslig och/eller privat information. Här talas det om nya virus och nya typer av trojaner som sprids som epidemier över Internet, och i bland handlar det om ett spionprogram som följer med en nedladdad fil. Det är svårt att hålla reda på alla typer av skadlig kod som nämns fast med ökad förståelse ökar också chanserna för att klara sig från smitta. Det har visat sig att utvecklingen av skadlig kod är lika stark som den inom kommersiella mjukvaror. Från persondatorns uppkomst i början av 80-talet och fram till i dag, har utveckling skett i alla områden av den skadliga kod det handlar om strategi, syfte och framförallt ren kodkomplexitet.

Dagens ledande leverantör av operativsystem och webbläsare, Microsoft, lovar allt mer sofistikerade säkerhetslösningar varje gång en ny version av ett program släpps. Framförallt nämndes det i samband med lanseringen av Windows Vista att säkerheten var det som stod högst på listan.

Vi har tillsammans med WM-data i Stockholm tagit fram en programvara för fjärradministration av Windows. Huvudmålet var att med hjälp av våra baskunskaper i programmering skapa ett program för Windows XP och Windows Vista där en rad funktioner skulle kunna fjärrstyras utan att en användare vid den drabbade datorn upptäckte intrånget.

I denna rapport beskrivs utvecklingen av programvaran och de tester som gjorts på de båda operativsystemen. Vidare delas begreppet ”skadlig kod” upp i kategorierna virus, maskar, trojaner samt rootkits och förklaras mer ingående tillsammans med en historisk bild över hur utvecklingen av skadlig kod har sett ut.

In media today, you often read about different security threats and risks that one has to be aware of. Many things must be taken into consideration in order to maintain your integrity and information secrecy. It might be new virus outbreak, a new trojan or some kind of spy ware that undetected finds the way to your computer. It’s hard to keep track of all terms and types of malicious code, and with greater understanding, the risk of infection decreases. The development when it comes to malicious code is as strong as the one in commercial software development. From the 80’s until present day, every area in the development of malicious code has evolved, from strategy and purpose to the pure complexity of the code.

Microsoft, the worlds leading supplier of operating systems and web browsers, ensure us with every new release, that measures has been taken in order to enhance the security features. As the new operating system Windows Vista was released, spokesmen said that the security was now the highest priority.

We have, together with WM-data in Stockholm, developed software for remote administration of Windows. The objectives where by using our limited programming skills only, to come up with a program for Windows XP and Windows Vista, where a number of functions could be remotely executed without alerting a user at the infected computer.

This report describes the development of the software together with test results of execution on both operating systems. Further on, the report discusses different types of malicious code, such as viruses, worms, Trojans and root kits, together with a historical study of the development of malicious code.

Orientador: Arnaldo Vieira Moura
Tese (doutorado) - Universidade Estadual de Campinas, Instituto de Computação
Made available in DSpace on 2018-08-19T00:11:05Z (GMT). No. of bitstreams: 1 Rebiha_Rachid_D.pdf: 1451665 bytes, checksum: abe6fc4e72cf43113c7c93064ab11ed8 (MD5) Previous issue date: 2011
Resumo: É bem sabido que a automação e a eficácia de métodos de verificação formal de softwares, sistemas embarcados ou sistemas híbridos, depende da facilidade com que invariantes precisas possam ser geradas automaticamente a partir do código fonte. Uma invariante é uma propriedade, especificada sobre um local específico do código fonte, e que sempre se verifica a cada execução de um sistema. Apesar dos progressos enormes ao longo dos anos, o problema da geração de invariantes ainda está em aberto para tanto programas não-lineares discretos, como para sistemas não-lineares híbridos. Nesta tese, primeiramente, apresentamos novos métodos computacionais que podem automatizar a descoberta e o fortalecimento de relações não-lineares entre as variáveis de um programa que contém laços não-lineares, ou seja, programas que exibem relações polinomiais multivariadas e manipulações fracionarias. Além disso, a maioria dos sistemas de segurança críticos, tais como aviões, automóveis, produtos químicos, usinas de energia e sistemas biológicos, operam semanticamente como sistemas híbridos não-lineares. Nesse trabalho, apresentamos poderosos métodos computacionais que são capazes de gerar bases de ideais polinomiais de invariantes não-lineares para sistemas híbridos não-lineares. Em segundo lugar, apresentamos métodos pioneiros de verificação que automaticamente gerem bases de invariantes expressas por séries de potências multi-variáveis e por funções transcendentais. Discutimos, também, a sua convergência em sistemas híbridos que exibem modelos não lineares. Verificamos que as séries de potência geradas para invariantes são, muitas vezes, compostas pela expansão de algumas funções transcendentais bem conhecidas, tais como "log" e "exp". Assim, apresentam uma forma analisável fechada que facilita o uso de invariantes na verificação de propriedades de segurança. Para cada problema de geração de invariantes estabelecemos condições suficientes, muito gerais, que garantem a existência e permitem o cálculo dos ideais polinomiais para situações que não podem ser tratadas pelas abordagens de geração invariantes hoje conhecidas. Finalmente, estendemos o domínio de aplicações, acessíveis através de métodos de geração de invariantes, para a área de segurança. Mais precisamente, fornecemos uma plataforma extensível baseada em invariantes pré-computadas que seriam usadas como assinaturas semânticas para análise de intrusos ("malwares") e deteção dos ataques de intrusões mais virulentos. Seguindo a concepção de tais plataformas, propomos sistemas de detecção de intrusão, usando modelos gerados automaticamente, onde as chamadas de sistema e de funções são vigiados pela avaliação de invariantes, pré-calculadas para denunciar qualquer desvio observado durante a execução da aplicação. De modo abrangente, nesta tese, propomos a redução de problemas de geração de invariantes para problemas algébricos lineares. Ao reduzir os problemas de geração de invariante não-triviais de sistemas híbridos não-lineares para problemas algébricos lineares relacionados, somos capazes de ultrapassar as deficiências dos mais modernos métodos de geração de invariante hoje conhecidos permitindo, assim, a geração automática e eficiente de invariantes para programas e sistemas híbridos não lineares complexos. Tais métodos algébricos lineares apresentam complexidades computacionais significativamente inferiores àquelas exigidas pelos os fundamentos matemáticos das abordagens usadas hoje, tais como a computação de bases de Gröbner, a eliminação de quantificadores e decomposições cilíndricas algébricas
Abstract: It is well-known that the automation and effectiveness of formal software verification of embedded or hybrid systems depends to the ease with which precise invariants can be automatically generated from source specifications. An invariant is a property that holds true at a specific location in the specification code, whenever an execution reaches that location. Despite tremendous progress over the years, the problem of invariant generation remains very challenging for both non-linear discrete programs, as well as for non-linear hybrid systems. In this thesis, we first present new computational methods that can automate the discovery and can strengthen interrelationships among the variables of a program that contains non-linear loops, that is, programs that display multivariate polynomial and fractional manipulations. Moreover, most of safety-critical systems such as aircraft, cars, chemicals, power plants and biological systems operate semantically as non-linear hybrid systems. In this work, we demonstrate powerful computational methods that can generate basis for non-linear invariant ideals of non-linear hybrid systems. Secondly, we present the first verification methods that automatically generate basis for invariants expressed by multivariate formal power series and transcendental functions. We also discuss their convergence over hybrid systems that exhibit non linear models. The formal power series invariants generated are often composed by the expansion of some well-known transcendental functions e.g. log and exp. They also have an analysable closed-form which facilitates the use of the invariants when verifying safety properties. For each invariant generation problem, we establish very general sufficient conditions that guarantee the existence and allow for the computation of invariant ideals for situations that can not be treated in the presently known invariant generation approaches. Finally, we extend the domain of applications for invariant generation methods to encompass security problems. More precisely, we provide an extensible invariant-based platform for malware analysis and show how we can detect the most virulent intrusions attacks using these invariants. We propose to automatically generate invariants directly from the specified malware code in order to use them as semantic aware signatures, i.e. malware invariant, that would remain unchanged by most obfuscated techniques. Folix lowing the design of such platforms, we propose host-based intrusion detection systems, using automatically generated models where system calls are guarded by pre-computed invariants in order to report any deviation observed during the execution of the application. In a broad sense, in this thesis, we propose to reduce the verification problem of invariant generation to algebraic problems. By reducing the problems of non-trivial nonlinear invariant generation for programs and hybrid systems to related linear algebraic problems we are able to address various deficiencies of other state-of-the-art invariant generation methods, including the efficient treatment of complicated non-linear loop programs and non-linear hybrid systems. Such linear algebraic methods have much lower computational complexities than the mathematical foundations of previous approaches know today, which use techniques such as as Gröbner basis computation, quantifier elimination and cylindrical algebraic decomposition
Doutorado
Ciência da Computação
Doutor em Ciência da Computação

Internet worm attacks have become increasingly more frequent and have had a major impact on the economy, making the detection and prevention of these attacks a top security concern. Several countermeasures have been proposed and evaluated in recent literature. However, the eect of these proposed defensive mechanisms on legitimate competing traffic has not been analyzed. The first contribution of this thesis is a comparative analysis of the effectiveness of several of these proposed mechanisms, including a measure of their effect on normal web browsing activities. In addition, we introduce a new defensive approach that can easily be implemented on existing hosts, and which significantly reduces the rate of spread of worms using TCP connections to perform the infiltration. Our approach has no measurable effect on legitimate traffic. The second contribution is presenting a variant of the flash worm that we term Compact Flash or CFlash that is capable of spreading even faster than its predecessor. We perform a comparative study between the flash worm and the CFlash worm using a full-detail packet-level simulator, and the results show the increase in propagation rate of the new worm given the same set of parameters. The third contribution is the study of the behavior of TCP based worms in MANETs. We develop an analytical model for the worm spread of TCP worms in the MANETs environment that accounts for payloadsize, bandwidthsharing, radio range, nodal density and several other parameters specific for MANET topologies. We also present numerical solutions for the model and verify the results using packetlevel simulations. The results show that the analytical model developed here matches the results of the packetlevel simulation in most cases.

Thesis (MBA (Business Management))--Stellenbosch University, 2008.
ENGLISH ABSTRACT: Soon after the development of the internet as a network structure connecting computers on a global scale, was the introduction of malicious computer code, which was disseminated through this network. Initially this code was the relegation of pranksters, but evolved quickly to be code causing destruction, intrusion and loss of privacy while on the internet. This code became known as the computer virus and was soon used by fraudsters to infiltrate networks to create deception and fraud for financial gain. It has become of paramount importance for users of the internet to protect themselves and their networks from these attacks, through various ingenious mechanisms of protection. The traditional mainstay for computer virus protection has been the software approach using counter code to protect against any malicious computer code. This protection has had limited success as the very nature of malicious code is constantly changing and evolving, making it sometimes an impossible task for internet users to be protected with the latest anti-virus software for protection. The author of this study introduces a managed anti-virus protection alternative which is delivered by a computer hardware device. This is a new technology and a full description is made of the role of this product as a new product development. The empirical research of this paper focuses around the test for a need for the product described to the point, but excluding commercialization.
AFRIKAANSE OPSOMMING: Kort na die ontwikkeling van die internet as 'n netwerkstruktuur wat rekenaars op 'n globale skaal verbind, was daar die bekendstelling van kwaadwillige rekenaarkodes wat reg deur die netwerk versprei het. Aanvanklik was die kode gemik op die verdrywing van poetsbakkers, maar het spoedig ontwikkel in kodeverdrywing, inmenging en verlies aan privaatheid op die internet. Hierdie kode het bekend geword as die rekenaarvirus, en is spoedig deur bedrieërs gebruik om netwerke te infiltreer om gebruikers te mislei en te bedrieg vir eie finansiële gewin. Dit het vir gebruikers van die internet van uiterste belang geword om hulle en hulle netwerkte teen hierdie aanvalle te beskerm, en wel deur middel van verskeie meganismes. Die bekendste bekermingsmatreël teen die virus is die aanwending van sagteware as teenkode. Hierdie bekermingsmetode het egter tot dusver beperkte sukses behaal, aangesien die aard van kwaadwilligheid voortdurend verander en ontwikkel, sodat dit soms onmoontlik is dat gebruikers deur die nuutste anti-virussagteware beskerm kan word. Die skrywer van hierdie verhandeling stel 'n werkbare, alternatiewe anti-virusbeskermer bekend wat deur rekenaar-hardewareplan daargestel is. Dit het nuwe tegnologie, en 'n volledige beskrywing word gegee van die rol van hierdie produk as 'n nuwe ontwikkeling. Die empiriese navorsing van die verhandeling fokus op die toets vir die noodsaaklikheid van so 'n produk, met die uisluiting van kommersialisering.

Careful examination of the composition and concentration of malicious traffic in transit on the channels of the Internet provides network administrators with a means of understanding and predicting damaging attacks directed towards their networks. This allows for action to be taken to mitigate the effect that these attacks have on the performance of their networks and the Internet as a whole by readying network defences and providing early warning to Internet users. One approach to malicious traffic monitoring that has garnered some success in recent times, as exhibited by the study of fast spreading Internet worms, involves analysing data obtained from network telescopes. While some research has considered using measures derived from network telescope datasets to study large scale network incidents such as Code-Red, SQLSlammer and Conficker, there is very little documented discussion on the merits and weaknesses of approaches to analyzing network telescope data. This thesis is an introductory study in network telescope analysis and aims to consider the variables associated with the data received by network telescopes and how these variables may be analysed. The core research of this thesis considers both novel and previously explored analysis techniques from the fields of security metrics, baseline analysis, statistical analysis and technical analysis as applied to analysing network telescope datasets. These techniques were evaluated as approaches to recognize unusual behaviour by observing the ability of these techniques to identify notable incidents in network telescope datasets

Client-side computers connected to the Internet today are exposed to a lot malicious activity. Browsing the web can easily result in malware infection even if the user only visits well known and trusted sites. Attackers use website vulnerabilities and ad-networks to expose their malicious code to a large user base. The continuing trend of the attackers seems to be botnet construction that collects large amounts of data which could be a serious threat to company secrets and personal integrity. Meanwhile security researches are using a technology known as honeypots/honeyclients to find and analyze new malware. This thesis takes the concept of honeyclients and combines it with a proxy and database software to construct a new kind of real time defense mechanism usable in live environments. The concept is given the name Honeyscout and it analyzes any content before it reaches the user by using visited sites as a starting point for further crawling, blacklisting any malicious content found. A proof-of-concept honeyscout has been developed using the honeyclient Monkey-Spider by Ali Ikinci as a base. Results from the evaluation shows that the concept has potential as an effective and user-friendly defense technology. There are however large needs to further optimize and speed up the crawling process.

This dissertation focuses on the forensic validation of computer evidence. It is a burgeoning field, by necessity, and there have been significant advances in the detection and gathering of evidence related to electronic crimes. What makes the computer forensics field similar to other forensic fields is that considerable emphasis is placed on the validity of the digital evidence. It is not just the methods used to collect the evidence that is a concern. What is also a problem is that perpetrators of digital crimes may be engaged in what is called anti-forensics. Digital forensic evidence techniques are deliberately thwarted and corrupted by those under investigation. In traditional forensics the link between evidence and perpetrator's actions is often straightforward: a fingerprint on an object indicates that someone has touched the object. Anti-forensic activity would be the equivalent of having the ability to change the nature of the fingerprint before, or during the investigation, thus making the forensic evidence collected invalid or less reliable. This thesis reviews the existing security models and digital forensics, paying particular attention to anti-forensic activity that affects the validity of data collected in the form of digital evidence. This thesis will build on the current models in this field and suggest a tentative first step model to manage and detect possibility of anti-forensic activity. The model is concerned with stopping anti-forensic activity, and thus is not a forensic model in the normal sense, it is what will be called a “meta-forensic” model. A meta-forensic approach is an approach intended to stop attempts to invalidate digital forensic evidence. This thesis proposes a formal procedure and guides forensic examiners to look at evidence in a meta-forensic way.

Orientadores: Mario Jino, Paulo Licio de Geus
Tese (doutorado) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação
Made available in DSpace on 2018-08-21T16:40:48Z (GMT). No. of bitstreams: 1 Gregio_AndreRicardoAbed_D.pdf: 5158672 bytes, checksum: 12a24da95543bac78fd3f047f7415314 (MD5) Previous issue date: 2012
Resumo: Ataques envolvendo programas maliciosos (malware) s~ao a grande ameaça atual _a segurança de sistemas. Assim, a motivação desta tese _e estudar o comportamento de malware e como este pode ser utilizado para fins de defesa. O principal mecanismo utilizado para defesa contra malware _e o antivírus (AV). Embora seu propósito seja detectar (e remover) programas maliciosos de máquinas infectadas, os resultados desta detecção provêem, para usuários e analistas, informações insuficientes sobre o processo de infecção realizado pelo malware. Além disso, não há um padrão de esquema de nomenclatura para atribuir, de maneira consistente, nomes de identificação para exemplares de malware detectados, tornando difícil a sua classificação. De modo a prover um esquema de nomenclatura para malware e melhorar a qualidade dos resultados produzidos por sistemas de análise dinâmica de malware, propõe-se, nesta tese, uma taxonomia de malware com base nos comportamentos potencialmente perigosos observados durante vários anos de análise de exemplares encontrados em campo. A meta principal desta taxonomia _e ser clara, de simples manutenção e extensão, e englobar tipos gerais de malware (worms, bots, spyware). A taxonomia proposta introduz quatro classes e seus respectivos comportamentos de alto nível, os quais representam atividades potencialmente perigosas. Para avaliá-la, foram utilizados mais de 12 mil exemplares únicos de malware pertencentes a diferentes classes (atribuídas por antivírus). Outras contribuições provenientes desta tese incluem um breve histórico dos programas maliciosos e um levantamento das taxonomias que tratam de tipos específicos de malware; o desenvolvimento de um sistema de análise dinâmica para extrair pefis comportamentais de malware; a especializa- _c~ao da taxonomia para lidar com exemplares de malware que roubam informações (stealers), conhecidos como bankers, a implementação de ferramentas de visualização para interagir com traços de execução de malware e, finalmente, a introdução de uma técnica de agrupamento baseada nos valores escritos por malware na memória e nos registradores
Abstract: Attacks involving malicious software (malware) are the major current threats to systems security. The motivation behind this thesis is to study malware behavior with that purpose. The main mechanism used for defending against malware is the antivirus (AV) tool. Although the purpose of an AV is to detect (and remove) malicious programs from infected machines, this detection usually provides insufficient information for users and analysts regarding the malware infection process. Furthermore, there is no standard naming scheme for consistently labeling detected malware, making the malware classification process harder. To provide a meaningful naming scheme, as well as to improve the quality of results produced by dynamic analysis systems, we propose a malware taxonomy based on potentially dangerous behaviors observed during several years of analysis of malware found in the wild. The main goal of the taxonomy is, in addition to being simple to understand, extend and maintain, to embrace general types of malware (e.g., worms, bots, spyware). Our behavior-centric malware taxonomy introduces four classes and their respective high-level behaviors that represent potentially dangerous activities. We applied our taxonomy to more than 12 thousand unique malware samples from different classes (assigned by AV scanners) to show that it is useful to better understand malware infections and to aid in malware-related incident response procedures. Other contributions of our work are: a brief history of malware and a survey of taxonomies that address specific malware types; a dynamic analysis system to extract behavioral profiles from malware; specialization of our taxonomy to handle information stealers known as bankers; proposal of visualization tools to interact with malware execution traces and, finally, a clustering technique based on values that malware writes into memory or registers
Doutorado
Engenharia de Computação
Doutor em Engenharia Elétrica

Fenomenet skadlig kod är ett problem som blir allt större i vårt moderna samhälle. Detta beror på att användandet av datorer och andra enheter som använder sig av operativsystem ökar hela tiden, samtidigt som skaparna av den skadliga koden i allt högre utsträckning kan slå

mynt av den. Det är de ekonomiska drivkrafterna som för utvecklingen av den skadliga koden framåt och utsätter användare av datorer och andra enheter som använder sig av operativsystem för säkerhetsrisker.

Syftet med denna uppsats är att undersöka hur den skadliga kodens värld kan tänkas se ut ur ett antal olika synvinklar år 2013, dvs. fem år framåt i tiden efter att denna uppsats färdigställts. De viktigaste synvinklarna är de tänkbara skillnader som finns mellan dagens och framtidens skadliga kod samt de tänkbara trender och nyheter som förväntas dyka upp.

Dessa prognoser grundar sig på intervjuer av fyra i Sverige boende experter samt på litteratur.

De viktigaste slutsatserna som dras i denna uppsats är:

- Skadlig kod kommer att utgöra ett mycket större hot i framtiden än idag

- Skadlig kod kommer att bli mycket mer förekommande

- Kostnaden av dess skadeverkningar kommer att öka

- Ekonomisk vinning blir en ännu starkare drivkraft för skapandet av skadlig kod

- Skadlig kod kommer drabba andra enheter än datorer i högre utsträckning än idag

- Trojaner och Rootkits utgör framtidens största hot

- Den skadliga koden kommer att fortsätta att ligga steget före antivirustillverkarna

The terms and classification schemes used in the computer security field today are not standardised. Thus the field is hard to take in, there is a risk of misunderstandings, and there is a risk that the scientific work is being hampered.

Therefore this report presents a proposal for a taxonomy of software based IT weapons. After an account of the theories governing the formation of a taxonomy, and a presentation of the requisites, seven taxonomies from different parts of the computer security field are evaluated. Then the proposed new taxonomy is introduced and the inclusion of each of the 15 categories is motivated and discussed in separate sections. Each section also contains a part briefly outlining the possible countermeasures to be used against weapons with that specific characteristic.

The final part of the report contains a discussion of the general defences against software weapons, together with a presentation of some open issues regarding the taxonomy. There is also a part discussing possible uses for the taxonomy. Finally the report is summarised.

Enforcing security policies to distributed systems is difficult, in particular, when a system contains untrusted components. We designed AspectKE*, a distributed AOP language based on a tuple space, to tackle this issue. In AspectKE*, aspects can enforce access control policies that depend on future behavior of running processes. One of the key language features is the predicates and functions that extract results of static program analysis, which are useful for defining security aspects that have to know about future behavior of a program. AspectKE* also provides a novel variable binding mechanism for pointcuts, so that pointcuts can uniformly specify join points based on both static and dynamic information about the program. Our implementation strategy performs fundamental static analysis at load-time, so as to retain runtime overheads minimal. We implemented a compiler for AspectKE*, and demonstrate usefulness of AspectKE* through a security aspect for a distributed chat system.

L'objectif de cette thèse est le développement de méthodes de compréhension des logiciels malveillants, afin d'aider l'analyste humain à mieux appréhender cette menace. La première réalisation de cette thèse est une analyse à grande échelle et en profondeur des protections de logiciels malveillants. Plus précisément, nous avons étudié des centaines d'exemplaires de logiciels malveillants, soigneusement sélectionnés pour leur dangerosité. En mesurant de façon automatique un ensemble de caractéristiques originales, nous avons pu alors montrer l'existence d'un modèle de protection particulièrement prévalent dans ces programmes, qui est basé sur l'auto modification du code et sur une limite stricte entre code de protection et code utile. Ensuite, nous avons développé une méthode d'identification d'implémentations cryptographiques adaptée aux programmes en langage machine protégés. Nous avons validé notre approche en identifiant de nombreuses implémentations d'algorithmes cryptographiques -- dont la majorité sont complètement invisibles pour les outils existants --, et ceci en particulier dans des protections singulièrement obscures de logiciels malveillants. Finalement, nous avons développé ce qui est, à notre connaissance, le premier environnement d'émulation de réseaux de machines infectées avec plusieurs milliers de machines. Grâce à cela, nous avons montré que l'exploitation d'une vulnérabilité du protocole pair-à-pair du réseau Waledac permet de prendre son contrôle.

This thesis is focused on a relatively new branch of computer security called Cryptovirology. It uses cryptography and its principles in conjunction with designing and writing malicious codes (e.g. computer viruses, trojan horses, worms). Techniques such as viral propagation through computer networks, capabilities of current viruses and similar threats are described. Beside cryptography and computer viruses, design of the cryptovirus and methods of a cryptoviral extortion attack along with their related potential are also analyzed below in this paper. As a proof of the concept in the given area of cryptovirology, a demonstrational computer program was written. The program was implemented with the respect to the satisfaction of the essentials set to the cryptovirus.

As more and more people gain access to broadband in their properties, the security threats get bigger. A lot more people also have computers that they carry home from work where they store important information concerning the company. The information stored on theese computers can be very easy to retrieve if you have the will and the skill to do it. Very few people have any knowledge how to protect themselves from theese threats.

La protection contre les codes malveillants représente un enjeu majeur. Il suffit de considérer les exemples récents des vers Conficker et Stuxnet pour constater que tout système d'information peut aujourd'hui être la cible de ce type d'attaques. C'est pourquoi, nous abordons dans cette thèse la menace représentée par les codes malveillants et plus particulièrement le cas du métamorphisme. Ce dernier constitue en effet l'aboutissement des techniques d'évolution de codes (" obfuscation ") permettant à un programme d'éviter sa détection. Pour aborder le métamorphisme nous adoptons une double problématique : dans une première partie, nous nous attachons à l'élaboration d'un moteur de métamorphisme afin d'en estimer le potentiel offensif. Pour cela, nous proposons une technique d'obscurcissement de code dont la transformation inverse est démontrée NP-complète dans le cadre de l'analyse statique. Ensuite, nous appliquons ce moteur sur une souche malveillante préalablement détectée afin d'évaluer les capacités des outils de détection actuels. Après cette première partie, nous cherchons ensuite à détecter, outre les variantes engendrées par notre moteur de métamorphisme, celles issues de codes malveillants connus. Pour cela, nous proposons une approche de détection dynamique s'appuyant sur la similarité comportementale entre programmes. Nous employons alors la complexité de Kolmogorov afin de définir une nouvelle mesure de similarité obtenue par compression sans perte. Finalement, un prototype de détection de code malveillant est proposé et évalué.

Att skydda sin IT-miljö mot olika typer av intrång och attacker som till exempel trojaner,skadliga Java applets eller DoS attacker med hjälp av brandväggar och antivirusprogramär två viktiga lager i skalskyddet. I den här uppsatsen undersöks hur väl ett Intrusion Prevention System skulle kunna fungera som ett ytterligare lager i skalskyddet. Fokus ligger på hur väl IPS-systemet klarar av att avvärja attacker, hur mycket tid som går åt till konfigurering och drift för att få ett fungerande IPS samt hur prestandan i nätverket påverkas av implementationen. För att mäta hur väl IPS systemet klarar av att upptäcka och blockera attacker utförs två experiment där ett mindre nätverk attackeras på olika sätt. I det första experimentet skyddas infrastrukturen av en brandvägg och klienterna är utrustade med antivirusprogram. I det andra experimentet genomförs samma attacker igen fast med ett Snort IPS implementerat i nätverket. Resultatet av de genomförda experimenten visar att en IPS klarar att blockera ca 87% av attackerna, men nätverksprestandan påverkas negativt. Slutsatsen är att endast brandväggar och antivirusprogram inte ger ett fullgott skydd.

The internet has permeated the lives of the modern men in more respects than can be tabulated simply. The ease of access to online shopping, social networking, simplified communication, etc. make the internet a modern panacea for a number of problems. However, the internet also opens up avenues that expose the user to vulnerabilities at the hand of hackers and malicious software coders. The use of the internet to exchange personal and fiscal information makes attacks all the more inviting. This is compounded by the fact that most online users are unaware of threats that affect them on a daily basis and how to protect themselves against such threats. Despite the fact that the level of awareness of the contemporary cyber threats, has significantly increased among online users within the last few years, there is a growing need to improve the efficiency and effectiveness of the countermeasures currently being used. Fortunately, there are a number of Human Computer Interaction (HCI) principles that can effectively be used to enhance online user interaction and reduce internet security threats.

Il est difficilement concevable de construire les systèmes de sécurité sans avoir une bonne connaissance préalable des activités malveillantes pouvant survenir dans le réseau. Malheureusement, celle-ci n'est pas aisément disponible, ou du moins elle reste anecdotique et souvent biaisée. Cette thèse a pour objectif principal de faire progresser l'acquisition de ce savoir par une solide méthodologie. Dans un premier temps, il convient de travailler sur un ensemble intéressant de données. Nous avons déployé un réseau distribué de sondes, aussi appelées pots de miel, à travers le monde. Ces pots de miel sont des machines sans activité particulière, qui nous ont permis de capturer un gros volume de données suspectes sur plusieurs mois. Nous présentons dans cette thèse une méthodologie appelée HoRaSis (pour Honeypot Traffic Analysis), qui a pour but d'extraire automatiquement des informations originales et intéressantes à partir de cet ensemble remarquable de données. Elle est formée de deux étapes distinctes: i) la discrimination puis ii) l'analyse corrélative du trafic collecté. Plus précisément, nous discriminons d'abord les activités observées qui partagent une empreinte similaire sur les sondes. La solution proposée s'appuie sur des techniques de classification et de regroupement. Puis, dans une seconde phase, nous cherchons à identifier les précédentes empreintes qui manifestent des caractéristiques communes. Ceci est effectué sur les bases d'une technique de graphes et de recherche de cliques. Plus qu'une technique, l'approche HoRaSis que nous proposons témoigne de la richesse des informations pouvant être récupérées à partir de cette vision originale du trafic malicieux de l'Internet. Elle prouve également la nécessité d'une analyse rigoureuse et ordonnée du trafic pour parvenir à l'obtention de cette base de connaissances susmentionnée.

L'analyse comportementale traditionnelle opère en général au niveau de l'implantation du comportement malveillant. Pourtant, elle s'intéresse surtout à l'identification d'un comportement donné, indépendamment de sa mise en œuvre technique, et elle se situe donc plus naturellement à un niveau fonctionnel. Dans cette thèse, nous définissons une forme d'analyse comportementale de programmes qui opère non pas sur les interactions élémentaires d'un programme avec le système mais sur la fonction que le programme réalise. Cette fonction est extraite des traces d'un programme, un procédé que nous appelons abstraction. Nous définissons de façon simple, intuitive et formelle les fonctionnalités de base à abstraire et les comportements à détecter, puis nous proposons un mécanisme d'abstraction applicable à un cadre d'analyse statique ou dynamique, avec des algorithmes pratiques à complexité raisonnable, enfin nous décrivons une technique d'analyse comportementale intégrant ce mécanisme d'abstraction. Notre méthode est particulièrement adaptée à l'analyse des programmes dans des langages de haut niveau ou dont le code source est connu, pour lesquels l'analyse statique est facilitée : les programmes conçus pour des machines virtuelles comme Java ou .NET, les scripts Web, les extensions de navigateurs, les composants off-the-shelf. Le formalisme d'analyse comportementale par abstraction que nous proposons repose sur la théorie de la réécriture de mots et de termes, les langages réguliers de mots et de termes et le model checking. Il permet d'identifier efficacement des fonctionnalités dans des traces et ainsi d'obtenir une représentation des traces à un niveau fonctionnel ; il définit les fonctionnalités et les comportements de façon naturelle, à l'aide de formules de logique temporelle, ce qui garantit leur simplicité et leur flexibilité et permet l'utilisation de techniques de model checking pour la détection de ces comportements ; il opère sur un ensemble quelconque de traces d'exécution ; il prend en compte le flux de données dans les traces d'exécution ; et il permet, sans perte d'efficacité, de tenir compte de l'incertitude dans l'identification des fonctionnalités. Nous validons nos résultats par un ensemble d'expériences, menées sur des codes malicieux existants, dont les traces sont obtenues soit par instrumentation binaire dynamique, soit par analyse statique.

Thesis (M. Sc.)--University of Alberta, 2009.
Title from PDF file main screen (viewed on Aug. 19, 2009). "A thesis submitted to the Faculty of Graduate Studies and Research in partial fulfillment of the requirements for the degree of Master of Science, Department of Computing Science, University of Alberta." Includes bibliographical references.

Measurement is a vital tool for organizations attempting to increase, evaluate, or simply maintain their overall security posture over time. Organizations rely on defense in depth, which is a layering of multiple defenses, in order to strengthen overall security. Measuring organizations' total security requires evaluating individual security controls such as firewalls, antivirus, or intrusion detection systems alone as well as their joint effectiveness when deployed together in defense in depth. Currently, organizations must rely on best practices rooted in ad hoc expert opinion, reports on individual product performance, and marketing hype to make their choices. When attempting to measure the total security provided by a defense in depth architecture, dependencies between security controls compound the already difficult task of measuring a single security control accurately. We take two complementary approaches to address this challenge of measuring the total security provided by defense in depth deployments. In our first approach, we use direct measurement where for some set of attacks, we compute a total detection rate for a set of security controls deployed in defense in depth. In order to compare security controls operating on different types of data, we link together all data generated from each particular attack and track the specific attacks detected by each security control. We implement our approach for both the drive-by download and web application attack vectors across four separate layers each. We created an extensible automated framework for web application data generation using public sources of English text. For our second approach, we measure the total adversary cost that is the total effort, resources, and time required to evade security controls deployed in defense in depth. Dependencies between security controls prevent us from simply summing the adversary cost to evade individual security controls in order to compute a total adversary cost. We create a methodology that accounts for these dependencies especially focusing on multiplicative relationships where the adversary cost of evading two security controls together is more than the sum of the adversary costs to evade each individually. Using the insight gained into the multiplicative dependency, we design a method for creating sets of multiplicative security controls. Additionally, we create a prototype to demonstrate our methodology for empirically measuring total adversary cost using attack tree visualizations and a database design capable of representing dependent relationships between security controls.

Τα τελευταία χρόνια το Διαδίκτυο αναπτύσσεται και επεκτείνεται με εκθετικούς ρυθμούς τόσο σε επίπεδο πλήθους χρηστών όσο και σε επίπεδο παρεχόμενων υπηρεσιών. Η ευρεία χρήση των κατανεμημένων βάσεων δεδομένων, των κατανεμημένων υπολογιστών και των τηλεπικοινωνιακών εφαρμογών βρίσκει άμεση εφαρμογή και αποτελεί θεμελιώδες στοιχείο στις επικοινωνίες, στην άμυνα, στις τράπεζες, στα χρηματιστήρια, στην υγεία, στην εκπαίδευση και άλλους σημαντικούς τομείς. Το γεγονός αυτό, έχει κάνει επιτακτική την ανάγκη προστασίας των υπολογιστικών και δικτυακών συστημάτων από απειλές που μπορούν να τα καταστήσουν τρωτά σε κακόβουλους χρήστες και ενέργειες. Αλλά για να προστατεύσουμε κάτι θα πρέπει πρώτα να καταλάβουμε και να αναλύσουμε από τι απειλείται. Η διαθεσιμότητα αξιόπιστων μοντέλων σχετικά με τη διάδοση απειλών στα δίκτυα υπολογιστών, μπορεί να αποδειχθεί χρήσιμη με πολλούς τρόπους, όπως το να προβλέψει μελλοντικές απειλές ( ένα νέο Code Red worm) ή να αναπτύξει νέες μεθόδους αναχαίτισης. Αυτή η αναζήτηση νέων και καλύτερων μοντέλων αποτελεί ένα σημαντικό τομέα έρευνας στην ακαδημαϊκή και όχι μόνο κοινότητα. Σκοπός της παρούσης εργασίας είναι η παρουσίαση κάποιων βασικών επιδημιολογικών μοντέλων και κάποιων παραλλαγών αυτών. Αναλύουμε για κάθε μοντέλο τις υποθέσεις που έχουν γίνει, τα δυνατά και αδύνατα σημεία αυτών. Αυτά τα μοντέλα χρησιμοποιούνται σήμερα εκτεταμένα προκειμένου να μοντελοποιηθεί η διάδοση αρκετών απειλών στα δίκτυα υπολογιστών, όπως είναι για παράδειγμα οι ιοί και τα σκουλήκια ( viruses and worms). Θα πρέπει εδώ να αναφέρουμε ότι οι ιοί υπολογιστών και τα σκουλήκια (worms) είναι οι μόνες μορφές τεχνητής ζωής που έχουν μετρήσιμη επίδραση-επιρροή στη κοινωνία. Επίσης αναφέρουμε συγκεκριμένα παραδείγματα όπως το Code Red worm, τον οποίων η διάδοση έχει χαρακτηριστεί επιτυχώς από αυτά τα μοντέλα. Τα επιδημιολογικά αυτά μοντέλα που παρουσιάζουμε και αναλύουμε είναι εμπνευσμένα από τα αντίστοιχα βιολογικά, που συναντάμε σήμερα σε τομείς όπως είναι για παράδειγμα ο τομέας της επιδημιολογίας στην ιατρική που ασχολείται με μολυσματικές ασθένειες. Αναλύουμε τις βασικές στρατηγικές σάρωσης που χρησιμοποιούν σήμερα τα worms προκειμένου να βρουν και να διαδοθούν σε νέα συστήματα. Παρουσιάζουμε τα πλεονεκτήματα και μειονεκτήματα αυτών. Επίσης παρουσιάζουμε αναλυτικά κάποιες βασικές κατηγορίες δικτύων που συναντάμε σήμερα και χαρακτηρίζουν τα δίκτυα υπολογιστών. Η γνώση αυτή που αφορά την τοπολογία των δικτύων είναι ένα απαραίτητο στοιχείο που σχετίζεται άμεσα με τη διάδοση κάποιων απειλών που μελετάμε στη συγκεκριμένη εργασία. Τέλος παρουσιάζουμε και αναλύουμε ένα δικό μας μοντέλο διάδοσης απειλών με τη χρήση ενός συστήματος διαφορικών εξισώσεων βασιζόμενοι στο θεώρημα του Wormald. Θεωρούμε ότι τα δίκτυα email, Instant messaging και P2P σχηματίζουν ένα social δίκτυο. Αυτά τα δίκτυα μακροσκοπικά μπορούν να θεωρηθούν σαν μία διασύνδεση ενός αριθμού αυτόνομων συστημάτων. Ένα αυτόνομο σύστημα είναι ένα υποδίκτυο που διαχειρίζεται από μία και μόνο αρχή. Παρουσιάζουμε λοιπόν ένα μοντέλο διάδοσης βασισμένο σε αυτή τη δομή δικτύου που θα αναλύσουμε, καθώς και στις συνήθειες επικοινωνίας των χρηστών. Το μοντέλο αυτό ενσωματώνει τη συμπεριφορά των χρηστών με βάση κάποιες παραμέτρους που ορίζουμε. Επίσης προτείνουμε ένα πιο ρεαλιστικό μοντέλο σχετικά με τη προοδευτική ανοσοποίηση των συστημάτων. Η μοντελοποίηση του δικτύου έγινε με βάση το Constraint Satisfaction Problem (CSP). Χρησιμοποιώντας αυτό το μοντέλο που προτείνουμε, μπορούμε να καθορίσουμε τη διάδοση κάποιων απειλών όταν δεν έχουμε εγκατεστημένο κάποιο πρόγραμμα προστασίας ή σωστά ενημερωμένους χρήστες.
In recent years the Internet grows and expands exponentially rates at many levels of users and service level. The widespread use of distributed databases, distributed computing and telecommunications applications is directly applicable and is an essential element in the communications, defense, banks, stock exchanges in the health, education and other important areas. This has made imperative the need to protect computer and network systems from threats that may make them vulnerable to malicious users and actions. But to protect something you must first understand and analyze what is threatened. The availability of reliable models for the spread of threats to computer networks, may prove useful in many ways, such as to predict future threats (a new Code Red worm) or develop new methods of containment. This search for new and better models is an important area of research in the academic community and not only. The purpose of this work is to present some basic epidemiological models and some variations thereof. We analyze each model assumptions made, the strengths and weaknesses of these. These models are currently used extensively to disseminate montelopoiithei several threats to computer networks, eg viruses and worms (viruses and worms). It should be mentioned here that the computer viruses and worms (worms) are the only artificial life forms that have a measurable impact-influence in society. Also cite specific examples, such as Code Red worm, whose spread has been described successfully by these models. Epidemiological models are presented and analyzed are inspired by their biological, which have been created in areas such as for example the field of epidemiology in medicine that deals with infectious diseases. We analyze the basic scanning strategies used today to find worms and spread to new systems. We present the advantages and disadvantages of these. Also present in detail some basic types of networks which have been characterized and computer networks. This knowledge on the topology of networks is an essential element directly related to the dissemination of some threats are studying in this work. Finally we present and analyze our own model proliferation threats using a system of differential equations based on the theorem of Wormald. We believe that networks email, Instant messaging and P2P form a social network. These networks can be considered macroscopically as an interconnection of a number of autonomous systems. An autonomous system is a subnet managed by a single authority. Presents a diffusion model based on the network structure to be analyzed, and the communication habits of users. This model incorporates the behavior of users based on some parameters set. Also propose a more realistic model of the progressive immune systems. The modeling system was based on the Constraint Satisfaction Problem (CSP). Using this model we propose, we can determine the spread of some threats when we have established a protection program or properly informed users.

Στην διδακτορική διατριβή αναπτύξαμε μοντέλα για την ασυνήθη δικτυακή κυκλοφορία βασισμένη σε χαρακτηριστικά της TCP/IP επικοινωνίας ανάμεσα σε υπολογιστικά συστήματα, αλλά και στην συμπεριφορά συστημάτων και χρηστών κάτω από επιθέσεις ιών και δικτυακών σκουληκιών. Για την ανάπτυξη συνδυάσαμε το μαθηματικό φορμαλισμό πάνω σε πραγματικά χαρακτηριστικά που εντοπίσαμε πως υπάρχουν σχεδόν σε όλες τις προσπάθειες επίθεσης προς υπολογιστικά και δικτυακά συστήματα από προσπάθειες επιτιθέμενων, αλλά και με αυτοματοποιημένα συστήματα μετάδοσης ιών. Υλοποιήσαμε ένα πραγματικό κατανεμημένο σύστημα έγκαιρης και έγκυρης προειδοποίησης και λήψης άμεσων μέτρων για την προστασία δικτύων υπολογιστών από τη διάδοση των ιών και από τις διαρκώς εξελισσόμενες επιθέσεις των hackers. Τέλος η αυξανόμενη παρουσία δυνατοτήτων για fast worms μας παρακίνησε να μοντελοποιήσουμε την συμπεριφορά ιών που μεταδίδονται μέσα από τα κοινωνικά δίκτυα που σχηματίζονται από τον κατάλογο που έχουν οι χρήστες για γνωστούς και φίλους σε e-mail και Instant Messaging. Προτείνουμε λοιπόν δύο μοντέλα: ένα μοντέλο που περιγράφει την συμπεριφορά fast worms βασισμένα σε κοινωνικά δίκτυα στηριζόμενοι στο μαθηματικό μοντέλο σε Constraint Satisfaction Problems (CSP), αλλά και ένα μοντέλο για τη μετάδοση ιών και την εξουδετέρωσή τους, που λαμβάνει υπόψη την δικτυακή κίνηση και την λειτουργία των εξυπηρετητών βασισμένοι στο M/M/1 μοντέλο ουρών. Στην διατριβή προτείνουμε ένα είδος διαδραστικότητας ανάμεσα στους antivirus Agents και τους ιούς και αναλύουμε ένα μαθηματικό μοντέλο για την διάδοση πληθυσμού ιών και antivirus βασισμένα σε θεωρίες ουρών.
In this PhD Thesis we developed models for the abnormal network traffic based on TCP/IP communication protocol of computer systems, and the behavior of systems and users under viruses and worms attacks. For the development we combined mathematical formalism on real attributes that characterize almost all attacking efforts of hackers, virus and worms against computers and networking systems. Our main goal was based upon the theoretic models we proposed, to provide a useful tool to deal with intrusions. Thus we developed a Software Tool for Distributed Intrusion Detection in Computer Networks. Based on an improved model we produced a real time distributed detection system for early warning administrators of worm and virus propagation and hackers’ attacks. Also in this work we propose a discrete worm rapid propagation model based on social networks that are built using the address book of e-mail and instant messaging clients using the mathematic formalism of Constraint Satisfaction Problems (CSP). The address book, which reflects the acquaintance profiles of people, is used as a “hit-list”, to which the worm can send itself in order to spread fast. We also model user reaction against infected email as well as the rate at which antivirus software is installed. We then propose a worm propagation formulation based on a token propagation algorithm, further analyzed with a use of a system of continuous differential equations, as dictated by Wormald’s theorem on approximating “well-behaving” random processes with deterministic functions. Finally in this work we present a virus propagation and elimination model that takes into account the traffic and server characteristics of the network computers. This model partitions the network nodes into perimeter and non-perimeter nodes. Incoming/outgoing traffic of the network passes through the perimeter of the network, where the perimeter is defined as the set of the servers which are connected directly to the internet. All network nodes are assumed to process tasks based on the M/M/1 queuing model. We study burst intrusions (e.g. Denial of Service Attacks) at the network perimeter and we propose a kind of interaction between these agents that results using the formalism of distribution of network tasks for Jackson open networks of queues.

Το κάτωθι κείμενο πραγματεύεται το φαινόμενο της εξάπλωσης αυτοαναπαραγόμενων αυτομάτων σε δίκτυα. Αρχικά προβαίνουμε σε μια εισαγωγή στα αυτοαναπαραγόμενα προγράμματα και στο περιβάλλον στο οποίο εξαπλώνονται και εν συνεχεία εμβαθύνουμε στον τρόπο με τον οποίο προσεγγίζουμε το φαινόμενο. Μελετάμε μεθόδους ανίχνευσης με χρήση φίλτρων Kalman και εντροπίας. Τέλος, ασχολούμαστε με μια σειρά παιγνίων και σεναρίων με σκοπό την ανάδειξη συγκεκριμένων πλευρών του όλου προβλήματος και την τροπή που παίρνει στις μέρες μας. Εν κατακλείδι, η παρούσα διπλωματική εργασία τονίζει βασικές ιδιότητες που χαρακτηρίζουν την διάδοση και εισάγει νέες βοηθητικές έννοιες και μοντέλα, με στόχο την κατανόηση και τον ενστερνισμό του πνεύματος των εξελίξεων στα σύγχρονα worms και viruses.
The text below considers the phenomenon of propagation of self replicating automata. We begin with an introduction to self replicating programs and to the environment in which they propagate and then we delve and explain the ways of approaching the phenomenon. We study detection methods via the use of Kalman filters and estimation of entropy. Finally, a series of games and scenarios are introduced and studied, in order to enlighten certain aspects of the problem and its current direction. In conclusion, this diploma thesis marks basic properties of the propagation and introduces auxiliary concepts and new models, having as a goal the comprehension and the adoption of the spirit of evolution of modern worms and viruses.