Biblio

Computer virus detection technology is an important basic security technology in the information age. The current detection technology has a high success rate for the detection of known viruses and known virus infection technologies, but the development of detection technology often lags behind the development of computer virus infection technology. Under Windows system, there are many kinds of file viruses, which change rapidly, and pose a continuous security threat to users. The research of new file virus infection technology can provide help for the development of virus detection technology. In this paper, a new virus infection technology based on dynamic binary analysis is proposed to execute file virus infection. Using the new virus infection technology, the infected executable file can be detected in the experimental environment. At the same time, this paper discusses the detection method of new virus infection technology. We hope to provide help for the development of virus detection technology from the perspective of virus design.

The relevance of data protection is related to the intensive informatization of various aspects of society and the need to prevent unauthorized access to them. World spending on ensuring information security (IS) for the current state: expenses in the field of IS today amount to \$81.7 billion. Expenditure forecast by 2020: about \$105 billion [1]. Information protection of military facilities is the most critical in the public sector, in the non-state - financial organizations is one of the leaders in spending on information protection. An example of the importance of IS research is the Trojan encoder WannaCry, which infected hundreds of thousands of computers around the world, attacks are recorded in more than 116 countries. The attack of the encoder of WannaCry (Wana Decryptor) happens through a vulnerability in service Server Message Block (protocol of network access to file systems) of Windows OS. Then, a rootkit (a set of malware) was installed on the infected system, using which the attackers launched an encryption program. Then each vulnerable computer could become infected with another infected device within one local network. Due to these attacks, about \$70,000 was lost (according to data from 18.05.2017) [2]. It is assumed in the presented work, that the software level of information protection is fundamentally insufficient to ensure the stable functioning of critical objects. This is due to the possible hardware implementation of undocumented instructions, discussed later. The complexity of computing systems and the degree of integration of their components are constantly growing. Therefore, monitoring the operation of the computer hardware is necessary to achieve the maximum degree of protection, in particular, data processing methods.

File timestamps do not receive much attention from information security specialists and computer forensic scientists. It is believed that timestamps are extremely easy to fake, and the system time of a computer can be changed. However, operating system for synchronizing processes and working with file objects needs accurate time readings. The authors estimate that several million timestamps can be stored on the logical partition of a hard disk with the NTFS. The MFT stores four timestamps for each file object in \$STANDARDİNFORMATION and \$FILE\_NAME attributes. Furthermore, each directory in the İNDEX\_ROOT or İNDEX\_ALLOCATION attributes contains four more timestamps for each file within it. File timestamps are set and changed as a result of file operations. At the same time, some file operations differently affect changes in timestamps. This article presents the results of the tool-based observation over the creation and update of timestamps in the MFT resulting from the basic file operations. Analysis of the results is of interest with regard to computer forensic science.

Windows is one of the popular operating systems in use today, while Universal Serial Bus (USB) is one of the mechanisms used by many people with practical plug and play functions. USB has long been used as a vector of attacks on computers. One method of attack is Keylogger. The Keylogger can take advantage of existing vulnerabilities in the Windows 10 operating system attacks carried out in the form of recording computer keystroke activity without the victim knowing. In this research, an attack will be carried out by running a Powershell Script using BadUSB to be able to activate the Keylogger program. The script is embedded in the Arduino Pro Micro device. The results obtained in the Keyboard Injection Attack research using Arduino Pro Micro were successfully carried out with an average time needed to run the keylogger is 7.474 seconds with a computer connected to the internet. The results of the keylogger will be sent to the attacker via email.

The most common defenses against malware threats involves the use of signatures derived from instances of known malware. However, the constant evolution of the malware threat landscape necessitates defense against unknown malware, making a signature catalog of known threats insufficient to prevent zero-day vulnerabilities from being exploited. Recent research has applied machine learning approaches to identify malware through artifacts of malicious activity as observed through dynamic behavioral analysis. We have seen that these approaches mimic common malware defenses by simply offering a method of detecting known malware. We contribute a new method of identifying software as malicious or benign through analysis of the frequency of Windows API system function calls. We show that this is a powerful technique for malware detection because it generates learning models which understand the difference between malicious and benign software, rather than producing a malware signature classifier. We contribute a method of systematically comparing machine learning models against different datasets to determine their efficacy in accurately distinguishing the difference between malicious and benign software.

The paper is devoted to the comparison of performance of prospective lightweight block cipher Cypress with performances of the known modern lightweight block ciphers such as AES, SPECK, SPARX etc. The measurement was done on different platforms: Windows, Linux and Android. On all platforms selected, the block cipher Cypress showed the best results. The block cipher Cypress-256 showed the highest performance on Windows x32 (almost 3.5 Gbps), 64-bit Linux (over 8 Gbps) and Android (1.3 Gbps). On Windows x64 the best result was obtained by Cypress- 512 (almost 5 Gbps).

Bitcoin is popular not only with consumers, but also with cybercriminals (e.g., in ransomware and online extortion, and commercial online child exploitation). Given the potential of Bitcoin to be involved in a criminal investigation, the need to have an up-to-date and in-depth understanding on the forensic acquisition and analysis of Bitcoins is crucial. However, there has been limited forensic research of Bitcoin in the literature. The general focus of existing research is on postmortem analysis of specific locations (e.g. wallets on mobile devices), rather than a forensic approach that combines live data forensics and postmortem analysis to facilitate the identification, acquisition, and analysis of forensic traces relating to the use of Bitcoins on a system. Hence, the latter is the focus of this paper where we present an open source tool for live forensic and postmortem analysing automatically. Using this open source tool, we describe a list of target artifacts that can be obtained from a forensic investigation of popular Bitcoin clients and Web Wallets on different web browsers installed on Windows 7 and Windows 10 platforms.

We consider the possibility of detecting malicious behaviors of the advanced persistent threat (APT) at endpoints during incident response or forensics investigations. Specifically, we study the case where third-party sensors are not available; our observables are obtained solely from inherent digital artifacts of Windows operating systems. What is of particular interest is an artifact called the Application Compatibility Cache (Shimcache). As it is not apparent from the Shimcache when a file has been executed, we propose an algorithm of estimating the time of file execution up to an interval. We also show guarantees of the proposed algorithm's performance and various possible extensions that can improve the estimation. Finally, combining this approach with methods of machine learning, as well as information from other digital artifacts, we design a prototype system called XTEC and demonstrate that it can help hunt for the APT in a real-world case study.

Confidentiality, authentication, privacy and integrity are the pillars of securing data. The most generic way of providing security is setting up passwords and usernames collectively known as login credentials. Operating systems use different techniques to ensure security of login credentials yet brute force attacks and dictionary attacks along with various other types which leads to success in passing or cracking passwords.The objective of proposed HS model is to enhance the protection of SAM file used by Windows Registry so that the system is preserved from intruders.

To protect sensitive information of an organization, we need to have proper access controls since several data breach incidents were happened because of broken access controls. Normally, the IT auditing process would be used to identify security weaknesses and should be able to detect any potential access control violations in advance. However, most auditing processes are done manually and not performed consistently since lots of resources are required; thus, the auditing is performed for quality assurance purposes only. This paper proposes an automated process to audit the access controls on the Windows server operating system. We define the audit checklist and use the controls defined in ISO/IEC 27002:2013 as a guideline for identifying audit objectives. In addition, an automated audit tool is developed for checking security controls against defined security policies. The results of auditing are the list of automatically generated passed and failed policies. If the auditing is done consistently and automatically, the intrusion incidents could be detected earlier and essential damages could be prevented. Eventually, it would help increase the reliability of the system.

Application whitelisting software allows only examined and trusted applications to run on user's machine. Since many malicious files don't require administrative privileges in order for them to be executed, whitelisting can be the only way to block the execution of unauthorized applications in enterprise environment and thus prevent infection or data breach. In order to assess the current state of such solutions, the access to three whitelisting solution licenses was obtained with the purpose to test their effectiveness against different modern types of ransomware found in the wild. To conduct this study a virtual environment was used with Windows Server and Enterprise editions installed. The objective of this paper is not to evaluate each vendor or make recommendations of purchasing specific software but rather to assess the ability of application control solutions to block execution of ransomware files, as well as assess the potential for future research. The results of the research show the promise and effectiveness of whitelisting solutions.

Robotics and the Internet of Things (IoT) are enveloping our society at an exponential rate due to lessening costs and better availability of hardware and software. Additionally, Cloud Robotics and Robot Operating System (ROS) can offset onboard processing power. However, strong and fundamental security practices have not been applied to fully protect these systems., partially negating the benefits of IoT. Researchers are therefore tasked with finding ways of securing communications and systems. Since security and convenience are oftentimes at odds, securing many heterogeneous components without compromising performance can be daunting. Protecting systems from attacks and ensuring that connections and instructions are from approved devices, all while maintaining the performance is imperative. This paper focuses on the development of security best practices and a mesh framework with an open-source, multipoint-to-multipoint virtual private network (VPN) that can tie Linux, Windows, IOS., and Android devices into one secure fabric, with heterogeneous mobile robotic platforms running ROSPY in a secure cloud robotics infrastructure.

Finding identical digital objects (or artifacts) during a forensic analysis is commonly achieved by means of cryptographic hashing functions, such as MD5, SHA1, or SHA-256, to name a few. However, these functions suffer from the avalanche effect property, which guarantees that if an input is changed slightly the output changes significantly. Hence, these functions are unsuitable for typical digital forensics scenarios where a forensics memory image from a likely compromised machine shall be analyzed. This memory image file contains a snapshot of processes (instances of executable files) which were up on execution when the dumping process was done. However, processes are relocated at memory and contain dynamic data that depend on the current execution and environmental conditions. Therefore, the comparison of cryptographic hash values of different processes from the same executable file will be negative. Bytewise approximation matching algorithms may help in these scenarios, since they provide a similarity measurement in the range [0,1] between similar inputs instead of a yes/no answer (in the range 0,1). In this paper, we introduce ProcessFuzzyHash, a Volatility plugin that enables us to compute approximation hash values of processes contained in a Windows memory dump.

This is very true for the Windows operating system (OS) used by government and private organizations. With Windows, the closed source nature of the operating system has unfortunately meant that hidden security issues are discovered very late and the fixes are not found in real time. There needs to be a reexamination of current static methods of malware detection. This paper presents an integrated system for automated and real-time monitoring and prediction of rootkit and malware threats for the Windows OS. We propose to host the target Windows machines on the widely used Xen hypervisor, and collect process behavior using virtual memory introspection (VMI). The collected data will be analyzed using state of the art machine learning techniques to quickly isolate malicious process behavior and alert system administrators about potential cyber breaches. This research has two focus areas: identifying memory data structures and developing prediction tools to detect malware. The first part of research focuses on identifying memory data structures affected by malware. This includes extracting the kernel data structures with VMI that are frequently targeted by rootkits/malware. The second part of the research will involve development of a prediction tool using machine learning techniques.

Biometric authentication has been extremely popular in large scale industries. The face biometric has been used widely in various applications. Handling large numbers of face images is a challenging task in authentication of biometric system. It requires large amount of secure storage, where the registered user information can be stored. Maintaining centralized data centers to store the information requires high investment and maintenance cost, therefore there is a need for deployment of cloud services. However as there is no guaranty of the security in the cloud, user needs to implement an additional or extra layer of security before storing facial data of all registered users. In this work a unique cloud based biometric authentication system is developed using Microsoft cognitive face API. Because most of the cloud based biometric techniques are scalable it is paramount to implement a security technique which can handle the scalability. Any users can use this system for single enterprise application base over the entire enterprise application. In this work the identification number which is text information associated with each biometric image is protected by AES algorithm. The proposed technique also works under distributed system in order to have wider accessibility. The system is also being extended to validate the registered user with an image of aadhar card. An accuracy of 96% is achieved with 100 registered users face images and aadhar card images. Earlier research carried out for the development of biometric system either suffers from development of distributed system are security aspects to handle multiple biometric information such as facial image and aadhar card image.

Rootkits detecting in the Windows operating system is an important part of information security monitoring and audit system. Methods of hided process detection were analyzed. The software is developed which implements the four methods of hidden process detection in a user mode (PID based method, the descriptor based method, system call based method, opened windows based method) to use in the monitoring and audit systems.