Publication


Featured research published by Saed Alrabaee.


Digital Investigation | 2014

OBA2: An Onion approach to Binary code Authorship Attribution

Saed Alrabaee; Noman Saleem; Stere Preda; Lingyu Wang; Mourad Debbabi

A critical aspect of malware forensics is authorship analysis. The successful outcome of such analysis is usually determined by the reverse engineer’s skills and by the volume and complexity of the code under analysis. To assist reverse engineers in such a tedious and error-prone task, it is desirable to develop reliable and automated tools for supporting the practice of malware authorship attribution. In a recent work, machine learning was used to rank and select syntax-based features such as n-grams and flow graphs. The experimental results showed that the top ranked features were unique for each author, which was regarded as evidence that those features capture the author’s programming styles. In this paper, however, we show that the uniqueness of features does not necessarily correspond to authorship. Specifically, our analysis demonstrates that many “unique” features selected using this method are clearly unrelated to the authors’ programming styles, for example, unique IDs or random but unique function names generated by the compiler; furthermore, the overall accuracy is generally unsatisfactory. Motivated by this discovery, we propose a layered Onion Approach for Binary Authorship Attribution called OBA2. The novelty of our approach lies in the three complementary layers: preprocessing, syntax-based attribution, and semantic-based attribution. Experiments show that our method produces results that not only are more accurate but have a meaningful connection to the authors’ styles. © 2014 The Author. Published by Elsevier Ltd on behalf of DFRWS. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/3.0/).


Digital Investigation | 2015

SIGMA: A Semantic Integrated Graph Matching Approach for identifying reused functions in binary code

Saed Alrabaee; Paria Shirani; Lingyu Wang; Mourad Debbabi

The capability of efficiently recognizing reused functions for binary code is critical to many digital forensics tasks, especially considering the fact that many modern malware typically contain a significant amount of functions borrowed from open source software packages. Such a capability will not only improve the efficiency of reverse engineering, but also reduce the odds of common libraries leading to false correlations between unrelated code bases. In this paper, we propose SIGMA, a technique for identifying reused functions in binary code by matching traces of a novel representation of binary code, namely, the Semantic Integrated Graph (SIG). The SIGs enhance and merge several existing concepts from classic program analysis, including control flow graph, register flow graph, and function call graph into a joint data structure. Such a comprehensive representation allows us to capture different semantic descriptors of common functionalities in a unified manner as graph traces, which can be extracted from binaries and matched to identify reused functions, actions, or open source software packages. Experimental results show that our approach yields promising results. Furthermore, we demonstrate the effectiveness of our approach through a case study using two malware known to share common functionalities, namely, Zeus and Citadel.


broadband and wireless computing, communication and applications | 2012

Routing Management Algorithm Based on Spectrum Trading and Spectrum Competition in Cognitive Radio Networks

Saed Alrabaee; Anjali Agarwal; Nishith Goel; Marzia Zaman; Mahmoud Khasawneh

Traditionally in routing approaches, each node allows a maximum load through the selected route. The existing routing approaches in cognitive radio networks (CRN) do not take into account spectrum trading as well as spectrum competition among licensed users (PUs). This paper introduces a novel routing algorithm that is based on spectrum trading and spectrum competition for cognitive radio networks while supporting different QoS levels for unlicensed users (SUs). The proposed path selection algorithm among different paths is based on user profiles which contain parameters such as SU identification, number of hops, channel identification, neighbor identification, probabilities of idle slots and PU presence. Each node shares its profile with the neighbor PU, which then exchanges its profile with other PUs and decides based on the information received. In spectrum trading phase a PU calculates its price based on the SU requirements. In spectrum competition phase a new coefficient α is defined that controls the price because of competition among PUs and depends on many factors such as the number of primary users, available channels, and duration of the usage. All possible paths are managed and categorized based on the level of QoS requested by SUs and the price offered by the PU.


foundations and practice of security | 2016

On the Feasibility of Malware Authorship Attribution

Saed Alrabaee; Paria Shirani; Mourad Debbabi; Lingyu Wang

There are many occasions in which the security community is interested to discover the authorship of malware binaries, either for digital forensics analysis of malware corpora or for thwarting live threats of malware invasion. Such a discovery of authorship might be possible due to stylistic features inherent to software codes written by human programmers. Existing studies of authorship attribution of general purpose software mainly focus on source code, which is typically based on the style of programs and environment. However, those features critically depend on the availability of the program source code, which is usually not the case when dealing with malware binaries. Such program binaries often do not retain many semantic or stylistic features due to the compilation process. Therefore, authorship attribution in the domain of malware binaries based on features and styles that will survive the compilation process is challenging. This paper provides the state of the art in this literature. Further, we analyze the features involved in those techniques. By using a case study, we identify features that can survive the compilation process. Finally, we analyze existing works on binary authorship attribution and study their applicability to real malware binaries.


global communications conference | 2012

A game theory approach: Dynamic behaviours for spectrum management in cognitive radio network

Saed Alrabaee; Mahmoud Khasawneh; Anjali Agarwal; Nishith Goel; Marzia Zaman

The dynamic behavior for spectrum management in cognitive radio networks is considered in this paper, which consists of spectrum trading and spectrum competition among multiple spectrum owners and spectrum leasers. The primary users adjust their behaviors in renting the spectrum to secondary users in order to achieve higher profits. The secondary users adjust the spectrum renting by observing the changes in the price and the quality of the spectrum. It is however problematic when the primary users and secondary users make the decisions dynamically. A three layer game theoretic approach is introduced in this paper to address this problem. The upper layer models the spectrum competition among primary users; a Bertrand game is formulated where the Nash equilibrium is considered as the solution. The middle layer models the spectrum trading between the primary user and secondary user; a Stackelberg game is formulated where the Nash equilibrium is considered as the solution. The lower layer models the dynamic selection strategies among secondary users in order to select the offered spectrum; an evolutionary game is formulated where the Nash equilibrium is the solution. Basically, the solution in each game is found in terms of the size of the offered spectrum to the secondary users and the spectrum price. The proposed game theory model is used to examine network dynamics under different levels of QoS where the actions of each user are made dynamically.


broadband and wireless computing, communication and applications | 2012

Comparison of Spectrum Management without Game Theory (SMWG) and with Game Theory (SMG) for Network Performance in Cognitive Radio Network

Saed Alrabaee; Anjali Agarwal; Nishith Goel; Marzia Zaman; Mahmoud Khasawneh

In this paper, we have introduced two models for spectrum management (spectrum trading and spectrum competition) in cognitive radio network. The first model is without game theory and the second one is with game theory. The first model for spectrum management without game theory, called SMWG, has been designed to provide efficient and dynamic equations to enhance the network performance. SMWG provides a novel function, called QoS function, to support three levels of QoS. In addition, it provides a novel factor, called Competition Factor, to control the behaviors among spectrum owners (primary users). In the second model, we have applied the game theory concept to spectrum management (SMG) to compare the network performance in both cases (SMWG and SMG). SMG provides two games. The first models the dynamic behavior of spectrum competition among primary users; a Bertrand game is formulated where the Nash equilibrium is considered as the solution. The second models the spectrum trading between the primary user and the secondary user; a Stackelberg game is formulated where the Nash equilibrium is again considered as the solution. Basically, the solution is found in terms of the size of the offered spectrum to the secondary users with regard to the offered spectrum price. We compare SMWG with the conventional scheme, SMG with the conventional scheme, and finally SMWG with SMG in terms of network performance.


advances in computing and communications | 2012

Higher layer issues in cognitive radio network

Saed Alrabaee; Anjali Agarwal; Nishith Goel; Marzia Zaman; Mahmoud Khasawneh

Cognitive radio networks are smart networks that automatically sense the channel and adjust the network parameters accordingly. Cognitive radio is an emerging technology that enables the dynamic deployment of highly adaptive radios that are built upon software defined radio technology. The radio technology allows the unlicensed operation to be in the licensed band. The cognitive radio network paradigm therefore raises many technical challenges that appear in different layers, such as the power efficiency, spectrum management, spectrum detection, environment awareness, and distributed spectrum measurements in the physical layer, the route selection as well as the route robustness in the network layer, and the security issues like the unauthorized intrusion and malicious users in the application layer. In this paper we aim at presenting an overview of research issues especially in network and application layers as well as the proposed solutions for them.


ACM Transactions on Privacy and Security (TOPS) archive | 2018

FOSSIL: A Resilient and Efficient System for Identifying FOSS Functions in Malware Binaries

Saed Alrabaee; Paria Shirani; Lingyu Wang; Mourad Debbabi

Identifying free open-source software (FOSS) packages on binaries when the source code is unavailable is important for many security applications, such as malware detection, software infringement, and digital forensics. This capability enhances both the accuracy and the efficiency of reverse engineering tasks by avoiding false correlations between irrelevant code bases. Although the FOSS package identification problem belongs to the field of software engineering, conventional approaches rely strongly on practical methods in data mining and database searching. However, various challenges in the use of these methods prevent existing function identification approaches from being effective in the absence of source code. To make matters worse, the introduction of obfuscation techniques, the use of different compilers and compilation settings, and software refactoring techniques has made the automated detection of FOSS packages increasingly difficult. With very few exceptions, the existing systems are not resilient to such techniques, and the exceptions are not sufficiently efficient. To address this issue, we propose FOSSIL, a novel resilient and efficient system that incorporates three components. The first component extracts the syntactical features of functions by considering opcode frequencies and applying a hidden Markov model statistical test. The second component applies a neighborhood hash graph kernel to random walks derived from control-flow graphs, with the goal of extracting the semantics of the functions. The third component applies z-score to the normalized instructions to extract the behavior of instructions in a function. The components are integrated using a Bayesian network model, which synthesizes the results to determine the FOSS function. The novel approach of combining these components using the Bayesian network has produced stronger resilience to code obfuscation. 
We evaluate our system on three datasets, including real-world projects whose use of FOSS packages is known, malware binaries for which there are security and reverse engineering reports purporting to describe their use of FOSS, and a large repository of malware binaries. We demonstrate that our system is able to identify FOSS packages in real-world projects with a mean precision of 0.95 and with a mean recall of 0.85. Furthermore, FOSSIL is able to discover FOSS packages in malware binaries that match those listed in security and reverse engineering reports. Our results show that modern malware binaries contain 0.10–0.45 of FOSS packages.


international conference on computer science and information technology | 2014

Aggregation function using Homomorphic encryption in participating sensing application

Noman Saleem; Saed Alrabaee; Fawaz Ali Khasawneh; Mahmoud Khasawneh

Participatory Sensing Application is a new emerging computing paradigm that uses the data collected by the participants via mobile devices and active sensors. With the help of an increasing number of mobile users, it gives an opportunity to share information acquired by their sensor-equipped devices. However, security and privacy are the major concerns in the success of these applications. While several security implementation techniques have been discussed by the research community, one of them is Homomorphic encryption, which allows aggregating encrypted values such that the result would be the same as for unencrypted data. In this paper, we simulate the aggregation function using homomorphic encryption in participating sensing application.


international conference on ultra modern telecommunications | 2012

A game theoretic approach to spectrum management in cognitive radio network

Saed Alrabaee; Anjali Agarwal; Nishith Goel; Marzia Zaman; Mahmoud Khasawneh

In this paper, we propose cognitive radio network models for providing spectrum management which includes spectrum trading and spectrum competition. The models described are with and without using the concepts of game theory. For both the models, the spectrum trading that occurs between the primary user and the secondary user is considered first, and then the spectrum competition among the primary users is considered. Our model includes multiple levels of QoS for different secondary users. In the first phase, the secondary user selects the spectrum by observing the changes in the price and the level of QoS offered by different primary users. In the second phase, the primary user controls its strategy in renting the spectrum to secondary users to achieve the highest utility. To model the dynamic behavior of spectrum competition among primary users, a Bertrand game is formulated where the Nash equilibrium is considered as the solution. Moreover, to model the spectrum trading between the primary user and the secondary user, a Stackelberg game is formulated where the Nash equilibrium is again considered as the solution. Basically the solution is in terms of the size of offered spectrum to the secondary users and the offered spectrum price.

Collaboration


Top Co-Authors

Nishith Goel

Concordia University Wisconsin


Paria Shirani

Iran University of Science and Technology
