| |
Contents |
6 |
|
| |
Cyber Threat Intelligence: Challenges and Opportunities |
8 |
|
| |
1 Introduction |
8 |
|
| |
1.1 Cyber Threat Intelligence Challenges |
9 |
|
| |
1.1.1 Attack Vector Reconnaissance |
9 |
|
| |
1.1.2 Attack Indicator Reconnaissance |
10 |
|
| |
1.2 Cyber Threat Intelligence Opportunities |
10 |
|
| |
2 A Brief Review of the Book Chapters |
10 |
|
| |
References |
12 |
|
| |
Machine Learning Aided Static Malware Analysis:A Survey and Tutorial |
14 |
|
| |
1 Introduction |
15 |
|
| |
2 An Overview of Machine Learning-Aided Static Malware Detection |
16 |
|
| |
2.1 Static Characteristics of PE Files |
17 |
|
| |
2.2 Machine Learning Methods Used for Static-Based Malware Detection |
19 |
|
| |
2.2.1 Statistical Methods |
19 |
|
| |
2.2.2 Rule Based |
22 |
|
| |
2.2.3 Distance Based |
24 |
|
| |
2.2.4 Neural Networks |
25 |
|
| |
2.2.5 Open Source and Freely Available ML Tools |
26 |
|
| |
2.2.6 Feature Selection and Construction Process |
27 |
|
| |
2.3 Taxonomy of Malware Static Analysis Using Machine Learning |
27 |
|
| |
3 Approaches for Malware Feature Construction |
32 |
|
| |
4 Experimental Design |
33 |
|
| |
5 Results and Discussions |
36 |
|
| |
5.1 Accuracy of ML-Aided Malware Detection Using Static Characteristics |
38 |
|
| |
5.1.1 PE32 Header |
38 |
|
| |
5.1.2 Bytes n-Gram |
39 |
|
| |
5.1.3 Opcode n-Gram |
41 |
|
| |
5.1.4 API Call n-Grams |
46 |
|
| |
6 Conclusion |
47 |
|
| |
References |
47 |
|
| |
Application of Machine Learning Techniques to Detecting Anomalies in Communication Networks: Datasets and Feature Selection Algorithms |
53 |
|
| |
1 Introduction |
53 |
|
| |
1.1 Border Gateway Protocol (BGP) |
54 |
|
| |
1.2 Approaches for Detecting Network Anomalies |
56 |
|
| |
2 Examples of BGP Anomalies |
57 |
|
| |
3 Analyzed BGP Datasets |
61 |
|
| |
3.1 Processing of Collected Data |
63 |
|
| |
4 Extraction of Features from BGP Update Messages |
64 |
|
| |
5 Review of Feature Selection Algorithms |
67 |
|
| |
5.1 Fisher Algorithm |
68 |
|
| |
5.2 Minimum Redundancy Maximum Relevance (mRMR) Algorithms |
69 |
|
| |
5.3 Odds Ratio Algorithms |
70 |
|
| |
5.4 Decision Tree Algorithm |
71 |
|
| |
6 Conclusion |
73 |
|
| |
References |
73 |
|
| |
Application of Machine Learning Techniques to Detecting Anomalies in Communication Networks: Classification Algorithms |
77 |
|
| |
1 Introduction |
77 |
|
| |
1.1 Machine Learning Techniques |
79 |
|
| |
2 Classification Algorithms |
79 |
|
| |
2.1 Performance Metrics |
80 |
|
| |
3 Support Vector Machine (SVM) |
81 |
|
| |
4 Long Short-Term Memory (LSTM) Neural Network |
86 |
|
| |
5 Hidden Markov Model (HMM) |
89 |
|
| |
6 Naive Bayes |
90 |
|
| |
7 Decision Tree Algorithm |
94 |
|
| |
8 Extreme Learning Machine Algorithm (ELM) |
94 |
|
| |
9 Discussion |
95 |
|
| |
10 Conclusion |
96 |
|
| |
References |
96 |
|
| |
Leveraging Machine LearningTechniques for Windows Ransomware Network Traffic Detection |
99 |
|
| |
1 Introduction |
99 |
|
| |
2 Related Works |
100 |
|
| |
3 Methodology |
101 |
|
| |
3.1 Data Collection Phase |
101 |
|
| |
3.1.1 Malicious Applications |
102 |
|
| |
3.1.2 Benign Applications |
102 |
|
| |
3.2 Feature Selection and Extraction |
103 |
|
| |
3.3 Machine Learning Classifiers |
105 |
|
| |
4 Experiments and Results |
105 |
|
| |
4.1 Evaluation Measures |
107 |
|
| |
4.2 Malware Experiment and Results |
107 |
|
| |
4.3 Result Comparison |
109 |
|
| |
5 Conclusion and Future Works |
109 |
|
| |
References |
110 |
|
| |
Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-Ransomware |
113 |
|
| |
1 Introduction |
114 |
|
| |
2 Related Works and Research Literature |
115 |
|
| |
3 Methodology |
117 |
|
| |
3.1 Data Collection |
117 |
|
| |
3.2 Feature Extraction |
118 |
|
| |
3.3 Dataset Creation |
119 |
|
| |
3.3.1 Merging the Data |
119 |
|
| |
3.3.2 Normalising the Data |
119 |
|
| |
3.3.3 Opcode Breakdown |
120 |
|
| |
3.4 Machine Learning Classification |
122 |
|
| |
3.4.1 SVM and Kernel Functions |
122 |
|
| |
3.4.2 Feature/Attribute Selection Process |
122 |
|
| |
3.5 Implementation |
123 |
|
| |
3.5.1 Pre-processing the Dataset (1) |
124 |
|
| |
3.5.2 Creating the Training and Test Datasets (2) |
125 |
|
| |
3.5.3 Training and Testing the SVM Classifier (3.1) |
125 |
|
| |
3.5.4 Training and Testing the Attribute Selection Evaluators |
126 |
|
| |
3.5.5 Evaluation Metrics |
127 |
|
| |
3.5.6 Machine Specifications |
127 |
|
| |
4 Experiments and Results |
129 |
|
| |
4.1 SMO (Two Classes) |
129 |
|
| |
4.2 SMO (Six Classes) |
130 |
|
| |
4.3 Training and Testing the Attribute Selection Evaluators |
130 |
|
| |
4.3.1 CFSSubsetEval |
132 |
|
| |
4.3.2 CorrelationAttributeEval |
133 |
|
| |
4.3.3 GainRatioAttributeEval |
133 |
|
| |
4.3.4 InfoGainAttributeEval |
134 |
|
| |
4.3.5 OneRAttributeEval |
134 |
|
| |
4.3.6 PrincipalComponents |
135 |
|
| |
4.3.7 RelieffAttributeEval |
136 |
|
| |
4.3.8 SymmetricalUncertAttributeEval |
136 |
|
| |
4.4 Tuning the Attribute Selection Evaluators to Achieve Further Feature Reduction (4) |
137 |
|
| |
4.5 Important Opcodes |
137 |
|
| |
5 Conclusion |
138 |
|
| |
References |
140 |
|
| |
BoTShark: A Deep Learning Approach for Botnet Traffic Detection |
143 |
|
| |
1 Introduction |
144 |
|
| |
2 Related Work |
145 |
|
| |
3 Background: Deep Learning |
147 |
|
| |
3.1 Autoencoders |
147 |
|
| |
3.2 Convolutional Neural Network (CNN) |
148 |
|
| |
4 Data Collection and Primary Feature Extraction |
149 |
|
| |
5 Proposed BoTShark |
151 |
|
| |
5.1 BoTShark-SA: Using Stacked Autoencoders |
151 |
|
| |
5.2 SocialBoTShrak-CNN: Using CNNs |
153 |
|
| |
6 Evaluation |
154 |
|
| |
7 Conclusion |
156 |
|
| |
References |
156 |
|
| |
A Practical Analysis of the Rise in Mobile Phishing |
160 |
|
| |
1 Introduction |
160 |
|
| |
2 Measuring the Impact of Phishing |
162 |
|
| |
3 Methodology for Visitors to Phishing Websites |
163 |
|
| |
4 Mobile Phishing Kits in the Wild |
165 |
|
| |
5 Mobile Phishing Campaigns |
166 |
|
| |
6 Recommended Changes |
169 |
|
| |
7 Conclusion |
170 |
|
| |
A.1 Appendix |
171 |
|
| |
References |
172 |
|
| |
PDF-Malware Detection: A Survey and Taxonomyof Current Techniques |
174 |
|
| |
1 Introduction |
174 |
|
| |
2 Background on Malicious PDF Files |
176 |
|
| |
2.1 The Portable Document Format |
176 |
|
| |
2.2 PDF Document Obfuscation Techniques |
179 |
|
| |
3 Taxonomy of PDF Malware Detection Approaches |
180 |
|
| |
3.1 Features |
180 |
|
| |
3.1.1 Metadata |
182 |
|
| |
3.1.2 JavaScript |
183 |
|
| |
3.1.3 Whole File |
185 |
|
| |
3.1.4 Feature Selection |
186 |
|
| |
3.2 Detection Approaches |
186 |
|
| |
3.2.1 Statistical Analysis |
187 |
|
| |
3.2.2 Machine Learning Classification |
187 |
|
| |
3.2.3 Clustering |
187 |
|
| |
3.2.4 Signature Matching |
189 |
|
| |
4 State of the Art Discussion |
191 |
|
| |
4.1 Related Works |
193 |
|
| |
5 Conclusions |
194 |
|
| |
References |
194 |
|
| |
Adaptive Traffic Fingerprinting for Darknet Threat Intelligence |
197 |
|
| |
1 Introduction |
198 |
|
| |
2 Background |
200 |
|
| |
2.1 Analysis of Attack Vectors in Tor |
200 |
|
| |
2.2 Hidden Services |
202 |
|
| |
2.3 Combining Methods |
203 |
|
| |
3 Adaptive Traffic Association and BGP Interception Algorithm (ATABI) |
204 |
|
| |
3.1 BGP Interception Component |
206 |
|
| |
3.2 MITM Component |
207 |
|
| |
3.3 Detection Scheme |
208 |
|
| |
4 Experimentation and Results |
211 |
|
| |
4.1 Experiment Setup |
211 |
|
| |
4.2 Evaluation Criteria |
212 |
|
| |
4.3 Results |
213 |
|
| |
5 Discussion |
214 |
|
| |
5.1 Use Cases |
216 |
|
| |
5.2 Proposed Defences |
217 |
|
| |
6 Conclusion and Future Work |
218 |
|
| |
References |
219 |
|
| |
A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies |
222 |
|
| |
1 Introduction |
222 |
|
| |
1.1 Background |
224 |
|
| |
1.2 Impact Sub-Score |
225 |
|
| |
1.3 Exploitability Sub-Score |
227 |
|
| |
1.4 Research Data Set |
227 |
|
| |
1.5 The CVSS Analysis of Data Set |
229 |
|
| |
2 Proposed Model |
230 |
|
| |
2.1 Results and Discussion |
234 |
|
| |
3 Conclusions and Future Works |
237 |
|
| |
References |
238 |
|
| |
A Honeypot Proxy Framework for Deceiving Attackers with Fabricated Content |
241 |
|
| |
1 Introduction |
241 |
|
| |
2 Deceiving Cyber Adversaries |
242 |
|
| |
3 Desirable Properties for a Fake Content Generator |
244 |
|
| |
4 The Design and Implementation of a Fake Content Generator |
245 |
|
| |
4.1 A Conceptual Design of a Fake Content Generator |
245 |
|
| |
4.2 The Implementation |
246 |
|
| |
4.3 An Example on the Usage of Honeyproxy |
247 |
|
| |
4.4 Recognizing Names Using Regular Expressions |
249 |
|
| |
4.5 Fake Entity Generation |
250 |
|
| |
5 Experiments |
251 |
|
| |
5.1 Recognizing Entity Attributes |
251 |
|
| |
5.2 Performance |
252 |
|
| |
6 Discussion and Limitations |
254 |
|
| |
7 Related Work |
256 |
|
| |
8 Conclusions and Future Work |
257 |
|
| |
References |
258 |
|
| |
Investigating the Possibility of Data Leakage in Time of Live VM Migration |
261 |
|
| |
1 Introduction |
262 |
|
| |
2 Background on Live Virtual Machine Migration |
263 |
|
| |
2.1 Memory Migration |
264 |
|
| |
2.2 Migration Algorithms |
265 |
|
| |
2.3 Live VM Migration Process |
265 |
|
| |
3 Security Threat Model |
266 |
|
| |
3.1 Threat Model |
266 |
|
| |
3.2 Security Threats and Attacks |
266 |
|
| |
3.2.1 Control Plane |
267 |
|
| |
3.2.2 Data Plane |
267 |
|
| |
3.2.3 Migration Module |
268 |
|
| |
3.2.4 Insecure Algorithms and Implementations |
268 |
|
| |
4 Secure Live Migration |
269 |
|
| |
4.1 Essential Security Requirements |
269 |
|
| |
4.2 Existing Solutions |
269 |
|
| |
4.2.1 Trusted Computing |
270 |
|
| |
4.2.2 VM-vTPM Live Migration |
270 |
|
| |
4.2.3 Trusted Third Party |
272 |
|
| |
4.2.4 Role-Based Migration |
273 |
|
| |
4.2.5 VLANs |
274 |
|
| |
5 Uncovered Threats with Potential Research Directions |
275 |
|
| |
5.1 Bugs in VMM |
275 |
|
| |
5.2 Replay of VM Data Messages |
276 |
|
| |
5.3 Privileged Access |
277 |
|
| |
5.4 Lack of Access Control |
277 |
|
| |
6 Proposed Secure Live VM Migration Protocol |
278 |
|
| |
7 Conclusion |
280 |
|
| |
References |
280 |
|
| |
Forensics Investigation of OpenFlow-Based SDN Platforms |
282 |
|
| |
1 Introduction |
283 |
|
| |
2 Related Work |
284 |
|
| |
3 Framework Specification and Design |
285 |
|
| |
4 Framework Development and Implementation |
287 |
|
| |
5 SDN Southbound Forensics Tool |
288 |
|
| |
6 Testing Environment Setup |
290 |
|
| |
7 Evaluation and Discussion |
292 |
|
| |
8 Conclusion |
294 |
|
| |
References |
295 |
|
| |
Mobile Forensics: A Bibliometric Analysis |
298 |
|
| |
1 Introduction |
299 |
|
| |
2 Methodology |
299 |
|
| |
2.1 Web of Science |
301 |
|
| |
3 Finding in Publications Distribution |
301 |
|
| |
3.1 Productivity |
303 |
|
| |
3.2 Research Areas |
305 |
|
| |
3.3 Institutions |
306 |
|
| |
3.4 Impact Journals |
307 |
|
| |
3.5 Highly Cited Articles |
309 |
|
| |
4 Conclusion and Future Works |
309 |
|
| |
References |
310 |
|
| |
Emerging from the Cloud: A Bibliometric Analysis of Cloud Forensics Studies |
312 |
|
| |
1 Introduction |
312 |
|
| |
2 Methodology |
315 |
|
| |
3 Results and Discussion |
316 |
|
| |
3.1 Productivity |
317 |
|
| |
3.2 Research Areas |
320 |
|
| |
3.3 Institutions |
321 |
|
| |
3.4 Impact Journals |
321 |
|
| |
3.5 Highly-Cited Articles |
324 |
|
| |
3.6 Keywords Frequency |
324 |
|
| |
4 Challenges and Future Trends |
327 |
|
| |
4.1 Evidence Identification |
327 |
|
| |
4.2 Legal Issues in the Cloud |
328 |
|
| |
4.3 Data Collection and Preservation |
328 |
|
| |
4.4 Analysis and Presentation |
329 |
|
| |
4.5 Future Trends |
329 |
|
| |
5 Conclusion |
329 |
|
| |
References |
330 |
|
| |
Index |
333 |
|
