-
ProAPT: Projection of APT Threats with Deep Reinforcement Learning
Authors:
Motahareh Dehghan,
Babak Sadeghiyan,
Erfan Khosravian,
Alireza Sedighi Moghaddam,
Farshid Nooshi
Abstract:
The highest level in the Endsley situation awareness model is called projection when the status of elements in the environment in the near future is predicted. In cybersecurity situation awareness, the projection for an Advanced Persistent Threat (APT) requires predicting the next step of the APT. The threats are constantly changing and becoming more complex. As supervised and unsupervised learning methods require APT datasets for projecting the next step of APTs, they are unable to identify unknown APT threats. In reinforcement learning methods, the agent interacts with the environment, and so it might project the next step of known and unknown APTs. So far, reinforcement learning has not been used to project the next step for APTs. In reinforcement learning, the agent uses the previous states and actions to approximate the best action of the current state. When the number of states and actions is abundant, the agent employs a neural network, which is called deep learning, to approximate the best action of each state. In this paper, we present a deep reinforcement learning system to project the next step of APTs. As there exists some relation between attack steps, we employ the Long Short-Term Memory (LSTM) method to approximate the best action of each state. In our proposed system, based on the current situation, we project the next steps of APT threats.
Submitted 15 September, 2022;
originally announced September 2022.
-
An Evaluation and Enhancement of Seredynski-Bouvry CA-based Encryption Scheme
Authors:
Hossein Arabnezhad,
Babak Sadeghiyan
Abstract:
In this paper, we study a block cipher based on cellular automata, proposed by Seredynski and Bouvry in [semabo04], against plain-text avalanche criteria and randomness tests. Our experiments show that the Seredynski-Bouvry encryption scheme does not pass some NIST statistical tests with a neighborhood radius of less than three. They also showed that if the CA rule is selected carelessly, it weakens the security of the scheme. Therefore, the selection of the CA rule as part of the key cannot be left to the user. Hence, cryptographic properties such as balancedness and non-linearity should be considered in the selection of CA rules. This approach is more compliant with Kerckhoffs's principle. So security should depend just on the security of the final data. We also improve the Seredynski-Bouvry encryption scheme to satisfy the strict avalanche criterion and the NIST statistical test suite in about half the number of iterations compared to the original scheme. This improvement is achieved by a change in the definition of the neighborhood.
Submitted 10 December, 2021;
originally announced December 2021.
-
Reconstruction of Worm Propagation Path Using a Trace-back Approach
Authors:
Sara Asgari,
Babak Sadeghiyan
Abstract:
Worm origin identification and propagation path reconstruction are essential problems in digital forensics. However, a small number of studies have specifically investigated these problems so far. In this paper, we extend a distributed trace-back algorithm, called Origins, which is only able to identify the origins of fast-spreading worms. We make some modifications to this algorithm so that in addition to identifying the worm origins, it can also reconstruct the propagation path. We also evaluate our extended algorithm. The results show that our algorithm can reconstruct the propagation path of worms with high recall and precision, on average around 0.96. Also, the algorithm identifies the origins correctly in all of our experiments.
Submitted 17 August, 2021;
originally announced August 2021.
-
A Secure Two-Party Computation Protocol for Intersection Detection between Two Convex Hulls
Authors:
Amirahmad Chapnevis,
Babak Sadeghiyan
Abstract:
Intersection detection between three-dimensional bodies has various applications in computer graphics, video game development, robotics as well as military industries. In some respects, entities do not want to disclose sensitive information about themselves, including their location. In this paper, we present a secure two-party protocol to determine the existence of an intersection between entities. The protocol presented in this paper allows for intersection detection in three-dimensional spaces in geometry. Our approach is to use an intersecting plane between two spaces to determine their separation or intersection. For this purpose, we introduce a computational geometry protocol to determine the existence of an intersecting plane. In this paper, we first use the Minkowski difference to reduce the two-space problem into one-space. Then, the separating set is obtained and the separation of two shapes is determined based on the inclusion of the center point. We then secure the protocol by modifying the separating set computation method as a privacy-preserver and changing the Minkowski difference method to achieve this goal. The proposed protocol applies to any form of convex three-dimensional shape. The experiments successfully found a secure protocol for intersection detection between two convex hulls in geometrical shapes such as the pyramid and cuboid.
Submitted 21 May, 2021; v1 submitted 31 October, 2020;
originally announced November 2020.
-
Towards Generating Benchmark Datasets for Worm Infection Studies
Authors:
Sara Asgari,
Babak Sadeghiyan
Abstract:
Worm origin identification and propagation path reconstruction are among the essential problems in digital forensics. Until now, several methods have been proposed for this purpose. However, evaluating these methods is a big challenge because there are no suitable datasets containing both normal background traffic and worm traffic to evaluate these methods. In this paper, we investigate different methods of generating such datasets and suggest a technique for this purpose. ReaSE is a tool for the creation of realistic simulation environments. However, it needs some modifications to be suitable for generating the datasets. So we make the required modifications to it. Then, we generate several datasets for Slammer, Code Red I, Code Red II and modified versions of these worms in different scenarios using our technique and make them publicly available.
Submitted 30 May, 2021; v1 submitted 9 June, 2020;
originally announced June 2020.
-
Reconstruction of C&C Channel for P2P Botnet
Authors:
Mohammad Jafari Dehkordi,
Babak Sadeghiyan
Abstract:
Breaking down botnets has always been a big challenge. The robustness of C&C channels is increased, and the detection of the botmaster is harder in P2P botnets. In this paper, we propose a probabilistic method to reconstruct the topologies of the C&C channel for P2P botnets. Due to the geographic dispersion of P2P botnet members, it is not possible to supervise all members, and not all the data necessary for applying other graph reconstruction methods exist. So far, no general method has been introduced to reconstruct the C&C channel topology for all types of P2P botnets. In our method, the probability of connections between bots is estimated by using the inaccurate receiving times of several cascades, the network model parameters of the C&C channel, and the end-to-end delay distribution of the Internet. The receiving times can be collected by observing the external reaction of bots to commands. The results of our simulations show that more than 90% of the edges in a 1000-member network with a mean node degree of 50 have been accurately estimated by collecting the inaccurate receiving times of 22 cascades. In case the receiving times of just half of the bots are collected, this accuracy of estimation is obtained by using 95 cascades.
Submitted 8 April, 2020; v1 submitted 10 April, 2019;
originally announced April 2019.
-
ConsiDroid: A Concolic-based Tool for Detecting SQL Injection Vulnerability in Android Apps
Authors:
Ehsan Edalat,
Babak Sadeghiyan,
Fatemeh Ghassemi
Abstract:
In this paper, we present a concolic execution technique for detecting SQL injection vulnerabilities in Android apps, with a new tool we called ConsiDroid. We extend the source code of apps with a mocking technique, such that the execution of the original source code is not affected. The extended source code can be treated as a Java application and may be executed by SPF with concolic execution. We automatically produce a DummyMain class out of static analysis such that the essential functions are called sequentially and the events leading to vulnerable functions are triggered. We extend SPF with taint analysis in ConsiDroid. To make taint analysis possible, we introduce a new technique of symbolic mock classes in order to ease the propagation of tainted values in the code. An SQL injection vulnerability is detected when a vulnerable function receives a tainted value. Besides, ConsiDroid takes advantage of static analysis to adjust SPF in order to inspect only suspicious paths. To illustrate the applicability of ConsiDroid, we have inspected 140 randomly selected apps from the F-Droid repository. From these apps, we found three apps vulnerable to SQL injection. To verify their vulnerability, we analyzed the apps manually based on ConsiDroid's reports by using Robolectric.
Submitted 8 August, 2019; v1 submitted 26 November, 2018;
originally announced November 2018.
-
Malware Dynamic Analysis Evasion Techniques: A Survey
Authors:
Amir Afianian,
Salman Niksefat,
Babak Sadeghiyan,
David Baptiste
Abstract:
The cyber world is plagued with ever-evolving malware that readily infiltrates all defense mechanisms, operates viciously unbeknownst to the user and surreptitiously exfiltrates sensitive data. Understanding the inner workings of such malware provides leverage to effectively combat it. This understanding is pursued through dynamic analysis, which is conducted manually or automatically. Malware authors, accordingly, have devised and advanced evasion techniques to thwart or evade these analyses. In this paper, we present a comprehensive survey on malware dynamic analysis evasion techniques. In addition, we propose a detailed classification of these techniques and further demonstrate how their efficacy holds against different types of detection and analysis approaches. Our observations attest that evasive behavior is mostly interested in detecting and evading sandboxes. The primary tactic of such malware, we argue, is fingerprinting, followed by new trends for the reverse Turing test tactic, which aims at detecting human interaction. Furthermore, we posit that the current defensive strategies, beginning with reactive methods to endeavors for more transparent analysis systems, are readily foiled by zero-day fingerprinting techniques or other evasion tactics such as stalling. Accordingly, we recommend the pursuit of more generic defensive strategies with emphasis on path exploration techniques that have the potential to thwart all the evasive tactics.
Submitted 3 November, 2018;
originally announced November 2018.