Masood Mansoori

A hybrid recognition and recall based approach in graphical passwords

Graphical password authentication was developed based on the premise that humans are better at recognizing visual data than text-based information. Most recognition-based graphical password algorithms (e.g. Passface) possess adequate usability features but are prone to password guessing and shoulder surfing attacks. The recall-based algorithms on the other hand contain fewer number of usability features but provide a set of strong security features for authentication. The proposed algorithm developed in this research integrates the usability attributes of the Passface recognition based and security features of a recognition-based (i.e. WIW (Man et al. 2003)) and Passpoint recall-based algorithms to overcome the drawbacks of existing designs. The security of the proposed algorithm was evaluated by carrying out shoulder-surfing and password guessing attacks. Usability features such as simplicity to learn, memorize and remember the password were evaluated by measuring the number of forgotten, mistyped passwords and login time for each individual user. A questionnaire was also designed and distributed to test subjects to gather feedback on several usability aspects of the proposed algorithm. The results of the security test and survey illustrate that the proposed algorithm has strong security measures against shoulder surfing and password guessing.

A Machine Learning Based Web Spam Filtering Approach

Web spam has the effect of polluting search engine results and decreasing the usefulness of search engines.Web spam can be classified according to the methods used to raise the web pages ranking by subverting web search engines algorithms used to rank search results. The main types are: content spam, link spam and cloaking spam. There has been little or no work on automatically classifying web spam by type. This paper has two contributions, (i) we propose a Dual-Margin Multi-Class Hypersphere Support Vector Machine (DMMH- SVM) classifier approach to automatically classifying web spam by type, (ii) we introduce novel cloaking-based spam features which help our classifier model to achieve high precision and recall rate, thereby reducing the false positive rates. The effectiveness of the proposed model is justified analytically. Our experimental results demonstrated that DMMH-SVM outperforms existing algorithms with novel cloaking features.

Application of HAZOP to the Design of Cyber Security Experiments

Hazard and Operability studies have been extensively used in chemical engineering and designing safety critical systems. Its rigorous analysis based on discovering deviations and hazard makes it ideal in the study of designs and experiments with confounding variables. In this paper, HAZOP methodology is applied to a case study of network security experiment to reliably measure the IP tracking behavior of malicious websites using a low interaction client honeypot. The experiments design involves a large number of factors and components which could potentially introduce bias in the study and result in invalid analysis. We demonstrate that HAZOP can be applied to security experiments to create a proper experimental design and properly control potential bias of confounding variables.

Real-world IP and network tracking measurement study of malicious websites with HAZOP

IP tracking and cloaking are practices for identifying users which are used legitimately by websites to provide services and content tailored to particular users. However, it is believed that these practices are also used by malicious websites to avoid detection by anti-virus companies crawling the web to find malware. In addition, malicious websites are also believed to use IP tracking in order to deliver targeted malware based upon a history of previous visits by users. In this paper, we empirically investigate these beliefs and collect a large data-set of suspicious URLs in order to identify at what level IP tracking takes place that is at the level of an individual address or at the level of their network provider or organization (network tracking). We perform our experiments using HAZard and OPerability study to control the effects of a large number of other attributes which may affect the result of the analysis. Our results illustrate that IP tracking is used in a small subset of domains within our data-set, while no strong indication of network tracking was observed.

Empirical Analysis of Impact of HTTP Referer on Malicious Website Behaviour and Delivery

Referer is a HTTP header field transmitted to a webserver, which allows the webserver to identify the origin of the request and the path taken by the visiting user to reach the final resource. Although referer is an optional field within an HTTP protocol header, many webservers use the information for logging, marketing and analytical purposes. Referer has, however, been abused in web spam cloaking and search engine optimization (SEO) attacks. The latter increases a malicious websites ranking in a search engine result with the aims of delivering spam to unwitting users. In this paper, we undertake a quantitative study to determine the effects of referer information on delivery of malicious content (excluding spam) and whether different referer values, mimicking an average user will yield dissimilar results in terms of the number and type of attacks. Our study of 500,000 suspicious websites confirms that similar to web spam, referer information is a HTTP header variable used by malicious websites to distinguish regular users from automated crawlers and security tools, and is abused to deliver malicious content accordingly.

Measurement of IP and network tracking behaviour of malicious websites

IP tracking and cloaking are practices for identifying users which are used legitimately by websites to provide services and content tailored to particular users. However, it is believed that these practices are also used by malicious websites to avoid detection by anti-virus companies crawling the web to find malware. In addition, malicious websites are also believed to use IP tracking in order to deliver targeted malware based upon a history of previous visits by users. In this paper we empirically investigate these beliefs and collect a large dataset of suspicious URLs in order to identify at what level IP tracking takes place that is at the level of an individual address or at the level of their network provider or organisation (Network tracking). Our results illustrate that IP tracking is used in a small subset of domains within our dataset while no strong indication of network tracking was observed.