Victim Computer Research Articles

Structural Analysis of URL For Malicious URL Detection Using Machine Learning

Malicious websites are intentionally created websites that aid online criminals in carrying out illicit actions. They commit crimes like installing malware on the victim's computer, stealing private data from the victim's system, and exposing the victim online. Malicious codes can also be found on legitimate websites. Therefore, locating such a website in cyberspace is a difficult operation that demands the utilization of an automated detection tool. Currently, machine learning/deep learning technologies are employed to detect such malicious websites. However, the problem persists since the attack vector is constantly changing. Most research solutions use a limited number of URL lexical features, DNS information, global ranking information, and webpage content features. Combining several derived features involves computation time and security risk. Additionally, the dataset's minimal features don't maximize its potential. This paper exclusively uses URLs to address this problem and blends linguistic and vectorized URL features. Complete potential of the URL is utilized through vectorization. Six machine learning algorithms are examined. The results indicate that the proposed approach performs better for the count vectorizer with random forest algorithm

On Detecting Cryptojacking on Websites: Revisiting the Use of Classifiers.

Cryptojacking or illegal mining is a form of malware that hides in the victim's computer and takes the computational resources to extract cryptocurrencies in favor of the attacker. It generates significant computational consumption, reducing the computational efficiency of the victim's computer. This attack has increased due to the rise of cryptocurrencies and their profitability and its difficult detection by the user. The identification and blocking of this type of malware have become an aspect of research related to cryptocurrencies and blockchain technology; in the literature, some machine learning and deep learning techniques are presented, but they are still susceptible to improvement. In this work, we explore multiple Machine Learning classification models for detecting cryptojacking on websites, such as Logistic Regression, Decision Tree, Random Forest, Gradient Boosting Classifier, k-Nearest Neighbor, and XGBoost. To this end, we make use of a dataset, composed of network and host features' samples, to which we apply various feature selection methods such as those based on statistical methods, e.g., Test Anova, and other methods as Wrappers, not only to reduce the complexity of the built models but also to discover the features with the greatest predictive power. Our results suggest that simple models such as Logistic Regression, Decision Tree, Random Forest, Gradient Boosting, and k-Nearest Neighbor models, can achieve success rate similar to or greater than that of advanced algorithms such as XGBoost and even those of other works based on Deep Learning.

Analysis of Conti Ransomware Attack on Computer Network with Live Forensic Method

Ransomware viruses have become a dangerous threat increasing rapidly in recent years. One of the variants is Conti ransomware that can spread infection and encrypt data simultaneously. Attacks become a severe threat and damage the system, namely by encrypting data on the victim's computer, spreading it to other computers on the same computer network, and demanding a ransom. The working principle of this Ransomware acts by utilizing Registry Query, which covers all forms of behavior in accessing, deleting, creating, manipulating data, and communicating with C2 (Command and Control) servers. This study analyzes the Conti virus attack through a network forensic process based on network behavior logs. The research process consists of three stages, the first stage is simulating attacks on the host computer, the second stage is carrying network forensics by using live forensics methods, and the third stage is analysing malware by using statistical and dynamic analysis. The results of this study provide forensic data and virus behavior when running on RAM and computer networks so that the data obtained makes it possible to identify ransomware traffic on the network and deal with zero-day, especially ransomware threats. It is possible to do so because the analysis is an initial step in generating virus signatures based on network indicators.

Specifics of the organization and planning of the investigation of crimes committed with the malware

The number of cases of malicious computer programs in Russia has increased significantly over the past few years. The authors set out to establish the features of the organization and planning of the investigation of crimes of this type and to analyze the investigative activities in order to find ways to further improve the fight against computer crime. The purpose of the study is to determine the most promising areas of organizing and planning the investigation of crimes involving malware. The results of the study are expressed as follows: 1. At the stage of checking a crime report, where there is a high probability of malicious computer programs being used by the perpetrators, the investigator immediately establishes full control over the victim's computer equipment and access to his electronic accounts. The selection of explanations from the applicant, the examination of computer equipment and the appointment of a forensic computer-technical examination in order to establish the fact of infection with malware. 2. The focus of the investigator's actions is based on the promotion and verification of versions about the existence of a crime, the time of its commission, the establishment of harm to the applicant, the classification of malicious computer programs, the mechanism of infection of the victim's software and the methods of harming him. All this information is defined as the circumstances to be established for the initiation of a criminal case. 3. The tactical risks of organizing the investigation are the inability of the expert to classify the program as malicious in the presence of harm, as well as the use of a set of measures to anonymize the perpetrators of their actions, and even the unreliability of the information about the incident reported by the applicant himself. 4. The method of malware infection and the resulting traces depend on the model of interaction with the victim chosen by the criminals. Here you can find both the distribution of the program under the guise of a service, service, complementing other and expanding the capabilities of the computer, and the notification of the victim that the use of the program is illegal, but will bring him benefits from its use. In such cases, the investigator has to deal with organized, secret groups of criminals.

Zararlı Yazılımların Karekterislik Analizi: Cryptowall Fidye Yazılım Analizi

CryptoWalls ranks first among the Ransomware in terms of its design, objectives, and damages. Cybercriminals use CryptoWalls in a wide range of applications, from cross-country cyberterrorism to demanding ransom from an ordinary Internet user. Despite all the measures taken, an effective protection against CryptoWalls has still not been developed. This motivates cyber criminals, and new versions of updated CryptoWalls are released every day, becoming a more difficult problem to be solved. Current research studies discuss the general characteristics and consequences of CryptoWalls. How do CryptoWalls work? How the CryptoWall detection and technical analysis are done? Detailed studies on the answers to these questions will contribute to solving this problem. This study discusses detailed analysis of CryptoWall detection on a real victim's computer, targeted by the CryptoWall attack of cybercriminals. The study is of importance since it addresses how the CryptoWall attack infiltrates the target system, shows the analysis steps of its characteristic actions, and identifies the originating company of the CryptoWall malware.

Evolution of ransomware

Cybercrime has long since transformed from a world of Maverick attackers to a criminal business. Ransomware is a malware that renders a victim's computer or data unusable and is increasingly being used by criminals to generate revenue through extortion. This study contributes to the authors' knowledge by exploring the transition from the early-day scams, to extortion implemented by current ransomware. They examine the pathway from the first clumsy ransomware attempts to the present day sophisticated ransomware attack campaigns. This Crypto-warfare now accounts for estimated damages of $1 billion. Considering the fact that many Internet users appear to be unaware of ransomware and do little to protect themselves, they argue that this low-impact extortion, using highly automated methods, has proven very rewarding for the criminals. As criminals have been early adopters (or abusers) of Internet technology, they expect that ransomware will continue to evolve beyond the capability of present day defence solutions.

Shellix: An Efficient Approach for Shellcode Detection

Code injection attacks are widely used by attackers to compromise computer systems. Attackers could obtain the control of a victim's computer system by injecting shellcode to the vulnerable program. The existing solutions to detect shellcode can be grouped into two categories: static analysis and dynamic analysis. Static analysis can detect shellcode efficiently, but cannot handle the shellcode that employs obfuscation techniques. Dynamic analysis is able to detect the obfuscated shellcode, however it is still limited to detect the recent virtualization-aware shellcode. In this paper, we present a novel shellcode detection approach without using any virtualization technology. We implement our approach based on the commodity OS kernel which is compatible to the existing system. Our approach is able to detect the shellcode that could be aware of the virtualization environment and reduces the probability of exposing detection environment. Our experimental evaluations show that our system can effectively detect a large set of shellcode instances with good performance.

Advanced dynamic IPv6 activation-based defence for IPv6 router advertisement flooding (DoS) attack

IPv6 router advertisement (RA) flooding is an example of a DoS attack. It leads to denial of service attack on entire local area network. As a result, all systems connected to that LAN get frozen and unresponsive. Hence, it is very important to protect our LANs from IPv6 RA flood attack. In this paper, we describe IPv6 RA flood attack in virtual LAN using KALI Linux. We show its effects on the victim's computer. We propose a new approach to defend from IPv6 RA flooding DoS attack by dynamic IPv6 activation. Such a system would detect the attack and raise a warning alarm. It deactivates IPv6 temporarily. When the host recovers from the attack, the proposed system reactivates IPv6 again. So by using this approach users can use both IPv6 and IPv4 services even under attack. We have also provided pseudo code and experimental results in this paper.

Discovery and prevention of attack episodes by frequent episodes mining and finite state machines

This paper proposes a framework that applies frequent episode rules, implemented by finite state machines (FSMs), to design a real-time network-based intrusion prevention system (NIPS) for Probe/Exploit (hacking) intrusion. This type of Probe/Exploit (hacking) intrusion is executed by a series of relevant actions that occur in some sequence. In frequent episode rules mining, data are viewed as a sequence of events, where each event has an associated time of occurrence; thus, such mining technique has significant effect on discovering sophisticated Probe/Exploit intrusion attacks. Prior to a devastating attack on a victim's computer, the hacker must gather information about the victim, and transfer instructions or files to the victim's computer. The proposed system could detect such abnormal episodes and repel hackers from the firewall before they are able to launch a deadly attack. In one network service (a corresponding port number), mine frequent episode rules from the log files of a commercial honeypot system, then refine the rules, which eventually constructs a finite state machine to protect the network service, according to the refined rules. During implementation and simulation, this study applied the framework focus on protecting a Server Message Block (SMB) protocol, which is the most important protocol in Microsoft's Windows Network. As confirmed in the experiments, this study successfully mined sophisticated intrusion episodes and demonstrated the efficiency of tracing connections by a FSM. The framework of intrusion prevention proposed in this paper can be modified straightforward to protect other network services.

Collaborative Framework for Detection, Prevention, and Traceback of Flooding Attacks Using Marking and Filtering

ABSTRACT The basis of denial of service (DoS)/distributed DoS (DDoS) attacks lies in overwhelming a victim's computer resources by flooding them with enormous traffic. This is done by compromising multiple systems that send a high volume of traffic. The traffic is often formulated in such a way that it consumes finite resources at abnormal rates either at victim or network level. In addition, spoofing of source addresses makes it difficult to combat such attacks. This paper adopts a twofold collaborative mechanism, wherein the intermediate routers are engaged in markings and the victim uses these markings for detecting and filtering the flooding attacks. The markings are used to distinguish the legitimate network traffic from the attack so as to enable the routers near the victim to filter the attack packets. The marked packets are also helpful to backtrack the true origin of the spoofed traffic, thus dropping them at the source rather than allowing them to traverse the network. To further aid in the detection of spoofed traffic, Time to Live (TTL) in the IP header is used. The mappings between the IP addresses and the markings along with the TTLs are used to find the spurious traffic. We provide numerical and simulated experimental results to show the effectiveness of the proposed system in distinguishing the legitimate traffic from the spoofed. We also give a statistical report showing the performance of our system.

Getting to the Root of the Problem

ABSTRACT Despite its maturity in certain computing environments, there appears to be a void in our awareness and understanding of the rootkit security menace. Rootkits are a form of malware that, once surreptitiously installed onto a victim's computer, allow a perpetrator to gain administrative-level access, monitor activities, open backdoor access portals, and hide all evidence of its activities. After describing the position of rootkits in the malware family and their prevalence in the Unix and Windows worlds, a practical question is posed. That is, what do information technology (IT) users know about rootkits? To answer that question, data collected from three geographically separated state institutions of higher learning is collated to provide a baseline of rootkit security knowledge. Today, rootkit knowledge is far below that of computer viruses or spyware. However, there is hope that users will not suffer the full brunt of rootkits, particularly if the security community can raise awareness of rootkits and their consequences.

New Attack Tricks Antivirus Software

Traditionally, antivirus products stop malicious software by recognizing code signatures unique to different types of malware. When the applications encounter a file with a code string that matches one in their database for a known virus, they block its access to the intended victim's computer. However, with the advent of Web 2.0, in which Web sites make it easy for users to add content, hackers have found a new way to spread malicious code and short-circuit the pattern-matching antivirus approach. DCO employs algorithms to change and disguise JavaScript-based malware code without making it less harmful, thereby keeping pattern-matching antivirus software from recognizing exploits.

Hackers get to the root of the problem

One of the greatest threats computer and network users face today is a hacker gaining root-level access to a system. This, in essence, gives the intruder administrative control over the machine and thus a golden opportunity to cause problems. With this in mind, attackers are increasingly using rootkits, a collection of tools they can install on a victim's computer to gain administrative access.

Internet Poses Multiple Risks to Children and Adolescents

Computers and Internet usage, whether by children at home or at public places such as schools and libraries, are here to stay. Tremendous benefits in terms of educational opportunities, communication, and recreation can be expected. With all the benefits that such information technology provides, however, there is an element of risk that should not inhibit its use but must be attended to and managed. The methods child sexual offenders use to pursue their criminal interests will continue to evolve as technology evolves. The first and most important line of defense calls for parents and other caregivers to remain directly responsible for the safety of the children in their care. Parents, teachers, healthcare providers, and other caregivers need to learn continually about the Internet and remain aware of how best to protect children who use the computer and the Internet. Law enforcement agencies must also continue to prepare for advances in computer technology, to better anticipate the behavior of child sexual offenders, and to investigate and prosecute offenders. All law enforcement, medical, and social services personnel who have contact with children on a regular basis must continue to educate children and their parents or guardians about the dangers posed by the Internet. After a child is victimized, law enforcement, medical, and social services personnel also must remain cognizant that the victim's computer may contain evidence that may help identify and prosecute the offender. In short, all those charged with the protection of children and the prosecution of child sexual offenders must continue to adapt to our ever-evolving computer technology.