Aman Jantan
Universiti Sains Malaysia
Publication
Featured researches published by Aman Jantan.
International Conference on Computer Research and Development | 2011
Mohamad Fadli Zolkipli; Aman Jantan
Malware is one of the major security threats that can break computer operation. However, commercial anti-virus or anti-spyware software that uses signature-based matching to detect malware cannot solve that kind of threat. Nowadays malware writers try to avoid detection by using several techniques such as polymorphic, metamorphic and hiding techniques. In order to overcome that issue, we proposed a new framework for malware behavior identification and classification that applies a dynamic approach. This framework consists of two major processes: behavior identification and malware classification. These two major processes are integrated as interrelated processes in our proposed framework. The result of this study is a new framework that is able to identify and classify malware based on its behaviors.
International Conference on Computer Research and Development | 2010
Mohamad Fadli Zolkipli; Aman Jantan
Malware detection must apply sophisticated techniques to minimize malware threats that can break computer operation. Nowadays malware writers try to avoid detection by using several techniques such as polymorphic, hiding and zero-day attacks. However, commercial anti-virus or anti-spyware software that uses signature-based matching to detect malware cannot solve that kind of attack. In order to overcome this issue, we propose a new framework for malware detection that combines a signature-based technique and a genetic algorithm technique. This framework consists of three main components: s-based detection, GA detection and a signature generator. These three main components work together as interrelated processes in our proposed framework. The result of this study is a new framework that is designed to deal with newly launched malware and also to generate signatures automatically that can be used in signature-based detection.
Neural Computing and Applications | 2017
Waheed Ali H. M. Ghanem; Aman Jantan
This article introduces a new variation of a known metaheuristic method for solving global optimization problems. The proposed algorithm is based on the Bat algorithm (BA), which is inspired by the micro-bat echolocation phenomenon, and addresses the problems of local-optima trapping using a special mutation operator that enhances the diversity of the standard BA, hence the name enhanced Bat algorithm (EBat). The design of EBat is introduced and its performance is evaluated against 24 of the standard benchmark functions, and compared to that of the standard BA, as well as to several well-established metaheuristic techniques. We also analyze the impact of different parameters on the EBat algorithm and determine the best combination of parameter values in the context of numerical optimization. The obtained results show that the new EBat method is indeed a promising addition to the arsenal of metaheuristic algorithms and can outperform several existing ones, including the original BA algorithm.
2010 Second International Conference on Network Applications, Protocols and Services | 2010
Mohamad Fadli Zolkipli; Aman Jantan
Malware is one of the major security threats in computer and network environments. However, the signature-based approach that is commonly used does not provide enough opportunity to learn and understand malware threats in a way that can be used in implementing security prevention mechanisms. In order to learn and understand malware, a behavior-based technique that applies a dynamic approach is a possible solution for identifying, classifying and clustering malware. In this paper, we present a new approach for conducting behavior-based analysis of malicious programs. One experiment was conducted on the campus network to generate an analysis of current malware behaviors. The result shows that the most potential malware threats in the campus network are worms and Trojans.
Computer Communications | 2011
Abdulghani Ali Ahmed; Aman Jantan; Tat-Chee Wan
Enhancing the intrusion detection system is essential to maintain user confidence in network services security. However, the threat of intruders on Internet services is prevalent. This paper proposes a distributed edge-to-edge complementary approach for intrusion detection in a DiffServ/MPLS domain. The QoS metrics are inspected at the edge routers to determine anomalous behavior in the network traffic. Consumed ratios of one-way delay variation (OWDV) and packet loss are computed to monitor service level agreement (SLA) violations. The bandwidth ratio is measured to differentiate abnormal from normal traffic as well as to detect multiple intrusions launched simultaneously. We employed the SLA as a comparison scale to infer the deviation between the users' consumed ratios and the predefined ratios in the SLA. Service violation occurs and intrusion may be launched when the predefined ratios are exceeded. The complementary services of DiffServ and MPLS techniques guarantee accurate measurements, whereas the complementary measurements of active and passive techniques immunize network performance against scalability limitation. Simulation results indicate that the proposed approach is capable of monitoring SLA violations and can filter out traffic of intruders who breach the SLA without disturbing the normal traffic of legitimate users.
International Conference on Software Engineering and Computer Systems | 2011
Mohammad Rasmi; Aman Jantan
In network forensics, attack intention analysis plays a major role in helping and accelerating decision-making for apprehending the real perpetrator. In fact, attack intention analysis is a prediction factor that helps investigators to conclude a case with high accuracy. However, current techniques in attack intention analysis only focus on recognizing an alert correlation for certain evidence and predicting future attacks. In reality, more prediction factors should be used by the investigators to come to a more concise decision such as attack intention, incident path ..., etc. This paper will propose an attack intention analysis model, which focuses on reasoning of attacks under uncertainty intention. A new model will be introduced using a combination of a mathematical Dempster-Shafer (D-S) evidence theory with a probabilistic technique through a causal network to predict an attack intention. We found that by analyzing the attacker's intention, forensic investigation agents will be able to audit and perform evidence in an efficient way. Experiments were performed on samples of probability of attack intentions to evaluate the proposed model. Arguably, the attack intention analysis model may produce a clear and impact factor for investigator decision-making.
Neural Computing and Applications | 2018
Waheed Ali H. M. Ghanem; Aman Jantan
The aim of the study was to propose a new metaheuristic algorithm that combines parts of the well-known artificial bee colony (ABC) optimization with elements from the recent monarch butterfly optimization (MBO) algorithm. The idea is to improve the balance between the characteristics of exploration and exploitation in those algorithms in order to address the issues of trapping in local optimal solution, slow convergence, and low accuracy in numerical optimization problems. This article introduces a new hybrid approach by modifying the butterfly adjusting operator in MBO algorithm and uses that as a mutation operator to replace employee phase of the ABC algorithm. The new algorithm is called Hybrid ABC/MBO (HAM). The HAM algorithm is basically employed to boost the exploration versus exploitation balance of the original algorithms, by increasing the diversity of the ABC search process using a modified operator from MBO algorithm. The resultant design contains three components: The first and third component implements global search, while the second one performs local search. The proposed algorithm was evaluated using 13 benchmark functions and compared with the performance of nine metaheuristic methods from swarm intelligence and evolutionary computing: ABC, MBO, ACO, PSO, GA, DE, ES, PBIL, and STUDGA. The experimental results show that the HAM algorithm is clearly superior to the standard ABC and MBO algorithms, as well as to other well-known algorithms, in terms of achieving the best optimal value and convergence speed. The proposed HAM algorithm is a promising metaheuristic technique to be added to the repertory of optimization techniques at the disposal of researchers. The next step is to look into application fields for HAM.
Computer Communications | 2016
Abdulghani Ali Ahmed; Aman Jantan; Tat-Chee Wan
This study proposes a capable, scalable, and reliable edge-to-edge model for filtering malicious traffic through real-time monitoring of the impact of user behavior on quality of service (QoS) regulations. The model investigates user traffic, including that injected through distributed gateways and that destined to gateways that are experiencing actual attacks. Misbehaving traffic filtration is triggered only when the network is congested, at which point burst gateways generate an explicit congestion notification (ECN) to misbehaving users. To investigate the behavior of misbehaving user traffic, packet delay variation (PDV) ratios are actively estimated and packet transfer rates are passively measured at a unit time. Users who exceed the PDV bit rates specified in their service level agreements (SLAs) are filtered as suspicious users. In addition, suspicious users who exceed the SLA bandwidth bit rates are filtered as network intruders. Simulation results demonstrate that the proposed model efficiently filters network traffic and precisely detects malicious traffic.
International Conference on Information Technology | 2013
Eviyanti Saari; Aman Jantan
Today, cybercriminal activity has grown terrifically as there are growing numbers of internet users and also social networking sites. The victims are not limited to adults but also include children, and the attacks involve not only individuals but also organizations or countries. The need for finding evidence is crucial, as cybercrimes also need to be treated as physical crimes. In this paper we discuss a mechanism to find cyber evidence that integrates an Intrusion Detection System (IDS) and a firewall system, called Evidence Cyborg (E-Cyborg). E-Cyborg is intended to provide a solution that can assist network forensic investigators in their cybercrime cases. Based on several tests on the system simulation, the system is able to produce high-quality evidence. Hence, the investigation task becomes more efficient and effective.
IEEE Symposium on Security and Privacy | 2013
Abdulghani Ali Ahmed; Aman Jantan; Tat-Chee Wan
A capable, scalable, and reliable model detects intrusive traffic by investigating the impact of user behavior on quality-of-service regulations in real time. The model also proposes reliable coordination for investigating user traffic, including traffic injected through several gateways. Traffic investigation is triggered only when the network is congested; at that moment, burst gateways generate an echo of explicit congestion notification to misbehaving users. The model investigates these users by measuring their bandwidth consumption ratios. User traffic that exceeds the service-level agreement bandwidth ratio is filtered as intrusive. Simulation results demonstrate that the proposed model efficiently monitors user behavior and detects intrusive traffic.