Proceedings of The Third International Conference On Digital Security and Forensics (DigitalSec), Kuala Lumpur, Malaysia, 2016
ABSTRACT
The file system of the Ubuntu operating system holds a great deal of configuration information and other data of forensic value. Mining and analyzing this data has become essential as attacks on computer systems increase, and examining the file system helps an investigator collect information relevant to a case. After reviewing existing research and tools, this paper proposes a new evidence collection and analysis methodology and the UbuntuForensic tool to support the digital forensic investigation of the Ubuntu file system. The paper also discusses a technique for identifying the files modified by an attacker.
KEYWORDS
File System, Digital Forensic, Integrated Analysis,
Timeline Analysis, Digital Evidence
1 INTRODUCTION
Ubuntu is one of the distributions of the Linux operating system. Most Ubuntu releases ship the default Linux kernel. Ubuntu uses the Linux file system hierarchy, which is usually viewed as a tree structure, and Ext4 is its default file system; Ext4 is an evolution of Ext3, which was the default earlier. Linux machines are frequent targets of attack: Linux boxes are often deployed as servers and therefore act as central points of control. In fact, roughly 70% of the malware downloaded by attackers to the honeypots was infected with Linux/Rst-B [1]. Linux-based web servers are constantly under attack. At SophosLabs, an
History
The history command lists the commands recently executed by a user, which can help track an intruder's activity. Note that an intruder can clear or disable the history file (for example by unsetting HISTFILE), so an empty or truncated history is itself a finding worth recording.
3 EVIDENCE COLLECTION USING THE PROPOSED TOOL
Figure 4. Flowchart depicting operation for identification of modified files using UbuntuForensic tool
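The flowchart above covers identifying files that an attacker modified, but the page does not spell out the procedure. The following is an added example (my own, not the UbuntuForensic tool's code) of the usual approach: hash every regular file under a directory tree into a baseline, take a second snapshot later, and report added, deleted and modified files. Because an intruder who edits a file can reset its modification time afterwards, the comparison is driven by the SHA-256 digest; the mtime is only used to flag files whose content changed while their timestamp stayed put, which is a sign of timestomping. The directory tree and the intruder's actions are constructed in a temporary directory for the demonstration. On a real case the baseline must be kept off the examined host, since an attacker with root can alter it.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file, read in chunks so large files never load into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path, '/'-separated) to (sha256, mtime_ns).
    Symlinks are skipped so that a planted link cannot pull in files from outside root."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (hash_file(full), os.stat(full).st_mtime_ns)
    return result


def compare(baseline, current):
    """Classify the differences between two snapshots. 'mtime_preserved' lists the
    modified files whose mtime is unchanged: the content differs, so the timestamp
    was reset after the edit (anti-forensic timestomping)."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified, mtime_preserved = [], []
    for path in set(baseline) & set(current):
        old_hash, old_mtime = baseline[path]
        new_hash, new_mtime = current[path]
        if old_hash != new_hash:
            modified.append(path)
            if old_mtime == new_mtime:
                mtime_preserved.append(path)
    return {
        "added": added,
        "deleted": deleted,
        "modified": sorted(modified),
        "mtime_preserved": sorted(mtime_preserved),
    }


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intruder who
    appends a uid-0 account to etc/passwd, resets its mtime, drops a cron job and
    removes a log file. Returns the comparison result."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "etc", "passwd")
        _write(passwd, "root:x:0:0:root:/root:/bin/bash\n")
        _write(os.path.join(root, "etc", "hosts"), "127.0.0.1 localhost\n")
        _write(os.path.join(root, "var", "log", "auth.log"), "Accepted publickey for root\n")
        baseline = snapshot(root)

        before = os.stat(passwd)
        with open(passwd, "a") as fh:
            fh.write("eve:x:0:0::/:/bin/bash\n")                 # backdoor account with uid 0
        os.utime(passwd, ns=(before.st_atime_ns, before.st_mtime_ns))  # timestomp the edit
        _write(os.path.join(root, "etc", "cron.d", "update"), "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "var", "log", "auth.log"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:16s} {paths}")
```

The hash comparison is what makes the passwd edit visible; a tool that only sorted files by mtime would miss it entirely, because the mtime matches the baseline. Conversely a changed mtime with an unchanged hash (for example from a backup restore) is not a modification and is correctly ignored.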
Comparison of the proposed tool with existing tools (original columns: Function, Integrated Analysis, Timeline Analysis, Activity Analysis, GUI support; only the Function column survived extraction)

Tool                            Function
UbuntuForensicTool (Proposed)   Running processes, hash generation
The Sleuth Kit (TSK)            Recovers deleted files
Autopsy                         Recovers deleted files
Scalpel                         Recovers data from disks
DEFT                            Data recovery and hashing, process information
CAINE                           Data recovery
i-Nex                           Displays device information, generates report
history command                 Lists only command history

6 CONCLUSION
KEYWORDS
Digital Forensics, Memory Forensics, Memory
Dumps, Carving Variable Values, String Variables,
C Programs.
INTRODUCTION
BACKGROUND
INVESTIGATION MODEL
EXPERIMENTS
Experiment #2
RESULTS
Results tables (each row lists a state and its three recorded values; column headers did not survive extraction)

State 1: 2, 1, 2
State 2: 2, 1, 2

State 1: 2, 0, 2
State 2: 2, 0, 2
State 3: 2, 0, 2

State 1: 1, 0, 1
State 2: 1, 0, 1
State 3: 1, 0, 1

State 1: 1, 1, 1
State 2: 0, 0, 0
State 3: 0, 0, 0
State 4: 0, 0, 0
RELATED WORK
FUTURE WORK
CONCLUSION
ABSTRACT
Today's anti-virus scanners are usually built on signatures that look for known patterns in order to decide whether a file is infected. Attackers have adopted code obfuscation methods to generate highly metamorphic malware that evades signature-based scanners, which may fail to detect every instance of such viruses because metamorphic malware changes its appearance from one generation to the next. Metamorphic malware is one of many techniques attackers use to compromise systems. This paper surveys the common types of computer malware and metamorphic computer viruses and reviews the techniques by which metamorphic malware avoids detection.
KEYWORDS
Malware, Computer Virus, Metamorphic Virus, Polymorphic Virus, Obfuscation.
1 INTRODUCTION
As information technology grows and improves, the need for endpoint protection becomes more pressing. An endpoint can be a laptop, desktop, server, or mobile device that connects to a network (the Internet). According to Internet Live Stats, the number of Internet users grew tenfold from 1999 to 2013, and today more than 40 %
2.2 Spyware
Spyware spies on or monitors users and gathers information such as the web sites they frequently visit, credit card or online banking details, and email addresses. It lets an attacker collect information about the victim's system without the victim's consent. A typical example is a keylogger used to monitor activity on the victim's system [3].
2.3 Worms
A worm is a program that copies itself repeatedly and can destroy the data and files on the victim's computer; worms are written to steal data, delete files, or build botnets. According to Cisco, computer worms are similar to viruses and can cause the same kind of damage [4]. The major difference is that a worm is standalone software that spreads on its own, whereas a virus needs human action to propagate [2]. One distribution technique is to send a large number of emails with infected attachments to a user's contact list.
2.4 Trojan Horse
A Trojan horse is a malicious program that poses as harmless software. According to Cisco, however, Trojans neither re-create themselves by infecting other files nor self-replicate. In order to spread, this type of malware requires the end user to interact
2.5 Botnet
A botnet, also known as a zombie army, is a network of infected computers or other remote devices that an attacker controls through malicious software. The word is a blend of bot and net: bot, from robot, refers to a computer or device infected by malicious software, and net, from network, refers to a group of interconnected computers. Attackers who have infected many machines cannot log on to each one individually, so they use botnets to control a massive number of infected computers automatically [6].
2.6 Ransomware
Ransomware is malicious software that blocks or limits the user's access to the computer or to the files it contains. It works by locking either the system's screen or the user's files, after which the attacker demands a ransom in exchange for unlocking them. It is also considered scareware, since it pressures the user into paying a fee by scaring or intimidating them [7].
2.7 Rootkit
A rootkit is another type of computer malware, intended to gain remote access to a system
[Figure: decrypted virus body shared across generations G1, G2, ..., Gn]
3.2 Metamorphic
According to Kaspersky, metamorphic malware can transform itself because it is able to edit, translate and rewrite its own code. It is considered the most infectious kind of malicious software and can cause serious damage to a system if it is not detected quickly [10].
It is very difficult for antivirus programs to detect metamorphic malware because it changes the internal structure of its code, reprogramming and rewriting itself after each infection of a computer system [14]. To protect the computers in a network from infectious metamorphic malware, the user administrator
[Figure residue: generations G0, G1, G2, G3, ..., Gn]
Figure 2. Generation of a metamorphic computer virus [15]
Figure 3. Two different generations of RegSwaps [11]
4 RELATED WORKS
Research on dynamic analysis of metamorphic malware by Nair, V.P. [16] proposed a technique for identifying unseen malware samples with STraceNTx, which executes files in an emulated environment. The results, however, showed that the variants produced by NGVCK had a lower level of inter- and intra-constructor proximity. Research on opcode graph similarity and metamorphic detection by Runwal, N. [17] in 2012 describes the development of another graph-based malware detection tool: disassembled malware files were used to generate an opcode graph, and the conclusion drawn was that an HMM-based scanner was not competitive with the graph-based technique.
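The register-swapping generations of Figure 3 and the opcode-based detectors surveyed in this section (opcode graphs, HMMs, and the opcode unigram/bigram features discussed below) rest on one observation: renaming registers or inserting junk instructions changes the bytes a signature scanner matches, but leaves the opcode sequence largely intact. The following added example (my own, not code from any of the cited works) shows this on three constructed x86 listings standing in for three generations of one body. An exact-string signature that matches the first generation fails on the register-swapped one, while the cosine similarity of their opcode bigram profiles stays at 1.0. Garbage insertion does lower the bigram similarity, and a small filter for common do-nothing instructions (nop, mov reg,reg, add reg,0) restores it. The listings, the signature and the garbage patterns are all assumptions for illustration.

```python
import math
import re
from collections import Counter

# Three constructed listings standing in for generations of one metamorphic body.
GEN0 = """
mov eax, [ebp+8]
xor ecx, ecx
add eax, ecx
push eax
call decrypt
pop eax
jmp loop
""".strip()

# Register swapping (cf. Figure 3): every eax becomes edx, every ecx becomes ebx.
GEN1 = GEN0.replace("eax", "edx").replace("ecx", "ebx")

# Garbage insertion: three semantically null instructions interleaved with the body.
GEN2 = """
mov eax, [ebp+8]
nop
xor ecx, ecx
add eax, ecx
push eax
add esi, 0
call decrypt
pop eax
mov edi, edi
jmp loop
""".strip()

# Assumed patterns for do-nothing instructions commonly used as garbage.
GARBAGE = [
    re.compile(r"^nop$"),
    re.compile(r"^mov (\w+), \1$"),              # mov reg, reg
    re.compile(r"^xchg (\w+), \1$"),             # xchg reg, reg
    re.compile(r"^(add|sub|or|xor) (\w+), 0$"),  # arithmetic with the identity operand
]


def instructions(listing):
    return [line.strip() for line in listing.splitlines() if line.strip()]


def strip_garbage(instrs):
    return [ins for ins in instrs if not any(pat.match(ins) for pat in GARBAGE)]


def opcodes(instrs):
    """Mnemonics only: operands, and therefore register names, are discarded."""
    return [ins.split()[0] for ins in instrs]


def bigram_profile(ops):
    return Counter(zip(ops, ops[1:]))


def cosine(p, q):
    dot = sum(p[k] * q[k] for k in p.keys() & q.keys())
    norm = math.sqrt(sum(v * v for v in p.values())) * math.sqrt(sum(v * v for v in q.values()))
    return dot / norm if norm else 0.0


def signature_match(listing, signature):
    """Stand-in for a byte-signature scanner: exact substring match on the listing."""
    return signature in listing


def similarity(listing_a, listing_b, filter_garbage=False):
    """Cosine similarity of opcode bigram profiles, optionally after garbage removal."""
    a, b = instructions(listing_a), instructions(listing_b)
    if filter_garbage:
        a, b = strip_garbage(a), strip_garbage(b)
    return cosine(bigram_profile(opcodes(a)), bigram_profile(opcodes(b)))


if __name__ == "__main__":
    sig = "add eax, ecx"
    for name, gen in (("GEN0", GEN0), ("GEN1 (RegSwap)", GEN1), ("GEN2 (garbage)", GEN2)):
        print(f"{name:16s} signature hit: {signature_match(gen, sig)!s:5s} "
              f"bigram sim to GEN0: {similarity(GEN0, gen):.3f} "
              f"after garbage filter: {similarity(GEN0, gen, True):.3f}")
```

Two points carry over to real detectors. First, anything that keys on operands (byte signatures, register-specific patterns) is defeated by the cheapest transformation the malware author has. Second, garbage filtering is itself a normalization step that the author can counter with semantic garbage (instructions whose effect is cancelled later), which is why the surveyed work moves to statistical models over opcode sequences rather than exact matching.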
The journal paper on structural entropy and metamorphic malware by Baysa, D. [18] describes a statistical malware detector based on structural entropy and the wavelet transform. For the G2 viruses and MWORM a detection rate of 100% was achieved; nonetheless, false positives occurred for NGVCK viruses of larger size. The research by Vinod, P. in 2012 applied the bioinformatics Multiple Sequence Alignment (MSA) technique to detect metamorphic malware [19]. This detector achieved a detection rate of 73.2% and ranked third in accuracy compared with commercial malware scanners.
The research paper by Raphel, J. and Vinod, P. in 2015 proposed a non-signature-based system that builds a meta-feature space in order to detect metamorphic malware [20]. The paper describes collecting metamorphic malware samples and extracting three kinds of features from the files: branch opcodes, unigrams and bigrams. Toderici, A.H. and Stamp, M. in 2015 constructed a hybrid malware detector by combining HMM and
5 CONCLUSION
The evolution of malware has become a great challenge of this decade. Malware is getting more intelligent and spreading faster across worldwide computer networks, and it will be an interesting time for antivirus researchers to explore new methods for detecting these threats. The metamorphic malware family is the most challenging threat today: it is quite advanced and has reduced the significance of signature-based detection.
For an attacker, writing metamorphic malware is considered harder than writing polymorphic malware, because it must be programmed to use multiple transformation techniques such as register renaming, code shrinking, code permutation and garbage code insertion. Consequently, detecting this malware requires different techniques, such as generic decryption and negative heuristic analysis.
In this research, we briefly surveyed the common malware types such as adware, spyware, worms, Trojan horse, botnet,
ABSTRACT
With the development of the information society in recent years, the number of companies that depend on IT systems has increased. However, executives have often not implemented sufficient information security measures, owing to poor consensus on information security between executives and IT administrators within an enterprise. Numerous approaches to this problem have been tried; the Cybersecurity Framework developed by NIST is one of them. However, the Cybersecurity Framework has no function for selecting and enumerating specific measures on the basis of mutual understanding between executives and administrators. By applying the Cybersecurity Framework together with the use cases of the framework published by the Intel Corporation, we propose a method that enumerates measures and obtains the optimal combination of measures leading to mutual agreement between executives and administrators. Moreover, the authors implemented a system called Risk Communicator for Tier (RC4T) to support the framework. By applying this framework and RC4T to a small example, we were able to enumerate specific measures for obtaining mutual consensus between executives and administrators.
KEYWORDS
Cybersecurity Framework
Information security management
Information security governance
Risk management
Consensus building
1 INTRODUCTION
2 OVERVIEW OF CSF
The CSF is a framework that summarizes risk management principles for the purpose of improving the cybersecurity of critical infrastructure. In addition, the CSF can help close the gap between the current state and the target state, and the gap in the level of understanding between executives and administrators, through a risk-based approach. The CSF, which can be customized to fit the needs of each organization, is composed of the following three elements:
(1) Framework Core
(2) Framework Implementation Tiers
(3) Framework Profile
Framework Core: Functions and their Categories
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness / Training; Data Security; Protective Process / Procedures; Maintenance; Protective Technologies
Detect: Anomalies / Events; Security Continuous Monitoring; Detection Process
Respond: Response Planning; Communication; Analysis; Mitigations; Improvements
Recover: Recovery Planning; Improvements; Communication
[Figure caption fragment: "... of CSF by INTEL"]
Implementation Tier descriptions

Tier 2
The staff and employees have received cybersecurity-related training.
A risk management process has not been formalized; risks are managed in a reactive, ad hoc manner.
Prioritization of cybersecurity activities is informed by organizational risk objectives, the threat environment, or mission requirements.

Tier 3
The staff possesses the knowledge and skills to perform their appointed roles and responsibilities.
Consistent risk management practices are formally approved and expressed as policy, and there is an organization-wide approach to managing cybersecurity risk.

Tier 4
The staff's knowledge and skills are regularly reviewed for currency and applicability, and new skill and knowledge needs are identified and addressed.
Cybersecurity risk management is an integral part of the organizational culture.
Administrator ID   Administrator's name                Work
PLA                Administrator of planning           Planning events and managing the cost of events.
PUB                Administrator of public relations   Managing the web page of the laboratory.
CYB                Administrator of groupware          Managing the groupware of the laboratory.
7 TRIAL APPLICATION
7.1 Result of Trial Application
Using the process shown in Fig. 5, we showed that executives can enumerate measures and obtain satisfactory combinations of measures. A trial application was carried out in the authors' laboratory to confirm this result. In our laboratory, the work tasks needed to keep the laboratory running are assigned to students, and the leader of each task is called an administrator. Because the members of a university laboratory change every year, the administrators are replaced every year as well.
Category ID   Function   Category
ID.AM         Identify   Asset management
ID.BE         Identify   Business environment
ID.RA         Identify   Risk assessment
PR.AC         Protect    Access control
PR.AT         Protect    Awareness / Training
PR.DS         Protect    Data security
RS.IM         Respond    Improvement
(The table's "Evaluation of executive" and "Target" tier columns survived only as the values 2; 3, 3, 3, 3, 4, 3, 2, 3, 3, whose assignment to rows could not be recovered.)
Tier definition IDs referenced by the measures: 2-1, 2-2, 3-1, 3-2, 3-3, 4-1, 4-2, 4-3

Measures enumerated for the laboratory (the "takeover" is the handover of an administrator's duties to the successor)

Measure ID   Measure name
M01          Organize information related to the takeover
M02          Short course for awareness and the takeover
M03          Short course for asset management
M04          Include information about risk assessment in the takeover information
M05          Documentation of the takeover information
M06          Improve the takeover in response to the risk
M07          Include risk management in policy
M08          Meeting for dividing the administrative account of the administrator of public relations
M09          Make processes for improvement of the takeover
M10          Establish a system to perform regular knowledge confirmation
M11          Make policies for the takeover in the laboratory with the executive layer

The original table also assigns each measure an Administrator ID (values PLA, PUB, CYB), a Category ID (values PR.AT, ID.AM, ID.RA, PR.AC), a Tier definition ID (values from 2-1 to 4-3) and a Cost in hours (recovered values: 0.5); the row alignment of those columns did not survive extraction.
ABSTRACT
Because of today's sophisticated cyberattacks, IT systems must take security into special consideration from the design stage through the operational stage. Therefore, industry organizations as well as governments recommend that IT systems comply with security standards. The operator of an IT system must understand these standards and verify that the specific security functions appropriate to the system configuration are selected and implemented correctly. The operator is expected to do the same for a cloud system, whose configuration can be changed flexibly and quickly when necessary. However, the method of verifying security functions against the standards depends on the system configuration: every flexible change of the cloud system configuration requires specific security functions and verification of their installation, which makes it difficult for the operator to take full advantage of the cloud infrastructure and adds to the operator's burden. Therefore, in order to maintain security functions while taking advantage of the cloud infrastructure, we propose a security evaluation method that automatically verifies security functions on the basis of a model of the system configuration and the security standards, by analyzing the logs of an IT system operating on the cloud infrastructure. We developed a support tool to ensure that the system complies with the security standard. Moreover, we show the effectiveness of the
KEYWORDS
Operation Support, Log Analysis, Security
Evaluation, Security Standard, Cloud System,
System Configuration
1 INTRODUCTION
Because of today's sophisticated cyberattacks, IT systems must take security into special consideration from the design stage through the operational stage. Therefore, industry organizations as well as governments recommend that IT systems comply with security standards [1].
For the design stage, tools that ensure an IT system is built according to security standards have been discussed [2], but compliance must also be maintained in the operation stage. Therefore, the system operator must understand these security standards and verify that the security functions selected on the basis of the standards are implemented for the actual system configuration. The system configuration consists of the configuration of the applications on a machine (machine configuration) and the placement of the machine within the IT system (network configuration). However, in order to correspond
REFERENCES
[1] http://www.nisc.go.jp/active/general/pdf/k305111.pdf
[2]-[10] (entries not recovered)
[11] SCSK, About ArcSight ESM, https://www.scsk.jp/sp/sys/products/arcsight/
[12]-[17] (entries not recovered)
ABSTRACT
Damage caused by targeted attacks has increased in recent years. To cope with this, we previously developed the event tree and defense tree combined (EDC) method, which obtains the optimal combination of countermeasures against targeted attacks on the basis of security analyses. However, the original EDC method cannot handle common events, that is, events that are a common cause of more than one type of problem (the term is used in this sense here and in the main text). To handle common events we introduce, in place of the minimal cut set (MCS) operation, the prime implicant set (PIS) operation, which can obtain cut sets that include negative events for each sequence of the event tree. The results of a numerical experiment confirm that the occurrence probability is calculated correctly when the PIS is introduced. Moreover, without the PIS operation the overall risk may be underestimated by a factor of three.
KEYWORDS
APT, Targeted attack, Risk assessment, Defense
tree, Attack tree.
1 Introduction
Proper quantitative risk analysis is essential for choosing proper countermeasures against ever-increasing cyber-attacks. A number of revised methods based on attack tree analysis [1], developed by Bruce Schneier, have been proposed. Bistarelli et al. [2] proposed the defense tree in order to determine possible countermeasures.
(1) [objective function over the countermeasure variables; terms not recovered in extraction]
subject to
(2) [constraint; terms not recovered in extraction]
(3) [not recovered in extraction]
(4) [not recovered in extraction]
(5) R = [summation over the sequences; terms not recovered in extraction]
$P = 1 - (1 - 0.7 \cdot 0.2)(1 - 0.7 \cdot 0.4) \approx 0.38$   (6)
(the symbolic left-hand side of (6), a function of the event probabilities, did not survive extraction)
Next, we explain how to calculate the top event probability after a countermeasure has been applied to a lowest-level event. First, the probability of an event after its i-th countermeasure has been carried out is calculated as follows:
(7) [product over i = 1, ... of factors of the form (1 minus the zero-one variable) plus (the zero-one variable times the reduction rate); the event symbols did not survive extraction]
$P = 1 - (1 - 0.2)(1 - 0.04) = 1 - 0.8 \cdot 0.96 = 0.232 \approx 0.23$   (11)
From Equations (10) and (11), the probability obtained by deriving the MCS is approximately 1.5 times larger than that obtained without MCS operation. As shown here, if the common event is not taken into account the risk is easily underestimated. MCS operation is easy to apply to a defense tree on its own; in the EDC method, however, event tree analysis and the defense tree are used in combination.
The event tree illustrated in Fig. 1 has two heading items. Let the defense trees for heading items 1 and 2 be as shown in Fig. 4. The extended defense tree representing sequence 3 is shown in Fig. 5; it has the same form as an ordinary defense tree, so MCS operation can be used.
On the other hand, the extended defense tree representing sequences 1 and 2, also shown in Fig. 5, includes a negative event (a heading item that succeeds), and MCS operation cannot be applied to this type of tree. Therefore, instead of MCS operation we use PIS operation, an extension of MCS operation studied in Boolean algebra (see Table 1).
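The difference between gate-by-gate multiplication and a cut-set (or prime implicant) derivation is easiest to see on a small tree. The following added example (my own, not the paper's program) builds two heading items that share the basic event a, derives minimal cut sets with the idempotent, absorption and complementation rules of Table 1, and compares the exact sequence probability with the naive value obtained by treating the two heading items as independent. It also shows why MCS alone is not enough for a sequence in which heading item 1 succeeds: that branch is the negation of a failure tree, so it produces negative literals and needs the complementation rule. The tree, the probabilities (all 0.2) and the reduction rate 0.8 are constructed for illustration; with these values the both-fail sequence has the cut sets {a} and {b, c}, so its probability is 1 - (1 - 0.2)(1 - 0.04), the arithmetic of Equation (11). The last function applies a countermeasure as defined in the text: the event probability is multiplied by (1 - x) + x r, with zero-one variable x and reduction rate r.

```python
from itertools import product

# Literals are (event, polarity): True = the event occurs, False = it does not
# (a "negative event"). A Boolean function is a set of frozensets of literals in
# disjunctive normal form; each frozenset is one cut set / implicant.
# Assumption: basic events are mutually independent.


def simplify(implicants):
    """Rules of Table 1. Idempotence (aa => a) is automatic for set members;
    complementation ((a, not a) => Null) drops implicants naming an event with
    both polarities; absorption ((a, ab) => a) drops supersets of another implicant."""
    consistent = {imp for imp in implicants if len({e for e, _ in imp}) == len(imp)}
    return {imp for imp in consistent if not any(other < imp for other in consistent)}


def f_or(f, g):
    return simplify(f | g)


def f_and(f, g):
    return simplify({x | y for x in f for y in g})


def f_not(f):
    """De Morgan: NOT(sum of products) = product over the products of (sum of negated literals)."""
    result = {frozenset()}  # the constant True
    for imp in f:
        result = f_and(result, {frozenset({(e, not pol)}) for e, pol in imp})
    return result


def to_dnf(tree):
    """tree is an event name or ('AND' | 'OR', left, right)."""
    if isinstance(tree, str):
        return {frozenset({(tree, True)})}
    op, left, right = tree
    return (f_and if op == "AND" else f_or)(to_dnf(left), to_dnf(right))


def naive_prob(tree, probs):
    """Gate-by-gate arithmetic that treats each gate's inputs as independent;
    wrong as soon as one basic event feeds more than one gate."""
    if isinstance(tree, str):
        return probs[tree]
    op, left, right = tree
    p, q = naive_prob(left, probs), naive_prob(right, probs)
    return p * q if op == "AND" else 1 - (1 - p) * (1 - q)


def exact_prob(dnf, probs):
    """Exact probability of the DNF by enumerating every state of the basic events."""
    names = sorted(probs)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        state = dict(zip(names, bits))
        if any(all(state[e] == pol for e, pol in imp) for imp in dnf):
            weight = 1.0
            for n in names:
                weight *= probs[n] if state[n] else 1 - probs[n]
            total += weight
    return total


def with_countermeasure(probs, event, adopted, reduction):
    """Event probability after a countermeasure: p * ((1 - x) + x * r), with x the
    zero-one adoption variable and r the reduction rate, as defined in the text."""
    new = dict(probs)
    new[event] = probs[event] * ((1 - adopted) + adopted * reduction)
    return new


# Constructed example: both heading items share the basic event a.
PROBS = {"a": 0.2, "b": 0.2, "c": 0.2}
HEADING1 = ("OR", "a", "b")  # heading item 1 fails if a or b occurs
HEADING2 = ("OR", "a", "c")  # heading item 2 fails if a or c occurs


def both_fail():
    """Sequence in which both heading items fail: (naive, exact, cut sets)."""
    tree = ("AND", HEADING1, HEADING2)
    dnf = to_dnf(tree)  # minimal cut sets {a}, {b, c}
    return naive_prob(tree, PROBS), exact_prob(dnf, PROBS), dnf


def first_succeeds_second_fails():
    """Sequence with a negative event: heading 1 succeeds, heading 2 fails.
    MCS cannot express NOT(a or b); PIS gives {not a, not b, c} after the
    complementation rule removes {not a, not b, a}."""
    pis = f_and(f_not(to_dnf(HEADING1)), to_dnf(HEADING2))
    naive = (1 - naive_prob(HEADING1, PROBS)) * naive_prob(HEADING2, PROBS)
    return naive, exact_prob(pis, PROBS), pis


def both_fail_after_countermeasure():
    """Exact both-fail probability once the first countermeasure for a (r = 0.8) is adopted."""
    reduced = with_countermeasure(PROBS, "a", adopted=1, reduction=0.8)
    return exact_prob(to_dnf(("AND", HEADING1, HEADING2)), reduced)


if __name__ == "__main__":
    for label, (n, e, cs) in (("both fail", both_fail()),
                              ("1 succeeds, 2 fails", first_succeeds_second_fails())):
        print(f"{label:20s} naive={n:.4f} exact={e:.4f} implicants={sorted(map(sorted, cs))}")
    print(f"both fail with countermeasure on a: exact={both_fail_after_countermeasure():.4f}")
```

With the shared event the naive both-fail value is 0.36 x 0.36 = 0.1296 against the exact 0.232, an underestimate; for the sequence with the negative event the naive value 0.2304 overestimates the exact 0.128, because treating "heading 1 succeeds" as independent of "heading 2 fails" ignores that both depend on a. Exhaustive enumeration is fine for a handful of basic events; for larger trees the same implicant sets feed an inclusion-exclusion or rare-event approximation instead.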
For sequence 1
(14) [cut set expression; terms not recovered in extraction]
For sequence 2
(15) [product of the cut set expressions of heading items 1 and 2; terms not recovered in extraction]
For sequence 3
(16) [cut set expression; terms not recovered in extraction]
(17) [not recovered in extraction]
The probability of sequence 2 is written as the product of the initiating event probability and the heading item probabilities; introducing a zero-one variable for each countermeasure (one countermeasure applied to events a and b, respectively) gives
(18) [not recovered in extraction]
where the zero-one variable for event a is 1 if the first countermeasure for event a is adopted and 0 otherwise, and the zero-one variable for event b is 1 if the first countermeasure for event b is adopted and 0 otherwise. The reduction rate for event a is the factor by which its probability is reduced when its first countermeasure is applied, and the reduction rate for event b is defined in the same way.
The probability of sequence 3 is written likewise as the product of the initiating event probability and the heading item probabilities; introducing a zero-one variable for each countermeasure (one countermeasure adopted for events b and c, respectively) gives
(19) [not recovered in extraction]
where the zero-one variable for event c is 1 if the first countermeasure for event c is adopted and 0 otherwise, and the reduction rate for event c is the factor by which its probability is reduced when that countermeasure is adopted.
In Fig. 4, the probabilities of events a, b and c are all 0.2, and the reduction rates of the first countermeasures for a, b and c are all 0.8.
Step 5-4 Obtain a formulation such as Equation (4) to calculate the risk for each sequence.
Step 5-5 Obtain a formulation such as Equation (5) to calculate the overall risk.
Table 1. Rules used in PIS operation
Rule                   Example
Idempotent rule        aa => a
Absorption rule        (a, ab) => a
Complementation rule   (a, not a) => Null
Occurrence probability and risk for each sequence

Sequence   Proposed method (probability, risk)   Previous study (probability, risk)
1          0.64, 6.40                            0.64, 6.40
2          0.41, 41.0                            0.35, 35.0
3          0.04, 400                             0.01, 100
total      447 (risk)                            141 (risk)
5 Conclusion
In the present paper, we proposed a method that enables common event operation within the original EDC method. The EDC method, which combines event tree analysis and defense tree analysis, is used to obtain the optimal combination of countermeasures against targeted attacks.
To enable common event operation we introduce, instead of MCS operation, PIS operation, which can obtain a cut set including negative events for each sequence of the event tree.
The results of the numerical experiment confirmed that the occurrence probability can be calculated correctly by introducing the PIS. Moreover, if we did not use PIS operation, the
REFERENCES
[1]-[2] (entries not recovered)
[3] http://www.symantec.com/connect/blogs/2013-istrshows-changing-cybercriminal-tactics (referenced 2016-7-27)
[4] R. Ishii, R. Sasaki, Proposal of Risk Evaluation Method using Event Tree and Defense Tree and Its Trial Application to Targeted Attack, Japan Society of Security Management, 8 pp. (2015) (in Japanese).
[5] N. Yuhara and H. Ujita, System Safety Studies, Kaibundo Publishing (2015) (in Japanese).
[6] D. Kececioglu, Reliability Engineering Handbook, vol. 2, Prentice Hall, pp. 222-231 (1991).
[7] K. Takaragi, R. Sasaki, and S. Shingai, An Algorithm for Obtaining Simplified Prime Implicant Sets in Fault-Tree and Event-Tree Analysis, IEEE Transactions on Reliability, vol. R-32, pp. 386-390 (1983).
[8] K. Ingols, R. Lippmann, and K. Piwowarski, Practical Attack Graph Generation for Network Defense, Annual Computer Security Applications Conference, ACSAC 2006, pp. 121-130 (2006).
[9] A. Roy, D. S. Kim and K. S. Trivedi, Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees, Security and Communication Networks, vol. 5, pp. 929-943 (2012).
[10] Fault Tree Handbook with Aerospace Applications, https://www.hq.nasa.gov/office/codeq/doctree/fthb.pdf
Proposal of Unified Data Management and Recovery Tool Using Shadow Copy
Naoki Matsutaka and Masato Eguchi, Takuya Okazaki,
Takashi Matsumoto, Tetsutaro Uehara*, Ryoichi Sasaki
Tokyo Denki University
Senjuasahicho 5, Adachi-ku, Tokyo-to, 120-8551 JAPAN
*Ritsumeikan University
Tojiinkitamachi 56-1, kita-ku, Kyoto-fu, 603-8577 JAPAN
[email protected]
ABSTRACT
In recent years, solid state drives (SSD) have started
to replace hard disk drives. An SSD is a high-speed
storage device with a TRIM function. However, an
SSD cannot restore deleted files. Therefore, the user
is required to back up data for protection. The
Microsoft Volume Shadow Copy Service (VSS) is
often recommended for backups. However,
although it has tools for backup, they are
complicated to use. In addition, VSS does not have
enough implemented functions. Therefore, we
propose a unified tool named ShadowBox, which
easily helps typical users to create a shadow copy
and to restore data from it. In addition, we discuss
the protection of shadow copy data from attacks due
to malicious persons and ransomware.
KEYWORDS
Backup, Shadow Copy, SSD, Ransomware, Data
Protection
1 INTRODUCTION
In recent years, solid state drives (SSDs) have
begun to replace hard disk drives (HDDs). An
SSD, which is a solid-state semiconductor
storage device, can read data at high speed,
because it does not move a head on the medium.
This feature is different from the data reading
of a HDD. The usage percentage of SSDs will
continue to increase as their data capacity is
expanded and their performance is improved.
On the other hand, SSDs have problems such as their inability to recover data for digital
              Processing time    Data capacity
Normal Copy   777.4 sec          100 GB
VSS           3.7 sec            55.5 MB
Figure 2. ShadowExplorer
[Table: functions (Create SC*, Delete SC, Set storage, List SC, Restore file, Search file) provided by Previous Versions, System Volume, and Shadow Explorer]
*Shadow Copy
5 DEVELOPMENT of VSSManager
5.1 Development environment
VSSManager is written in C# and runs on Windows 7. The developed program has approximately 4617 lines in total. Table 4 shows the development environment of VSSManager. ShadowBox uses the AlphaVSS library [6] to create the shadow copy and to list the backup files.
Table 3. Development environment
OS         Windows 7
Language   C#
Library    .NET Framework 4.0, AlphaVSS.1.2.4000.3
Lines      4617
Problems with existing tools                         VSSManager
Cannot collectively use the functions                Has centralized functions (described in Section 5.1)
Cannot create a shadow copy on a per-volume basis    Selects volumes when creating the shadow copy
Searches files that target a single shadow copy      Allows searches for multiple shadow copies
Difficult to set storage                             Has an intuitive user interface
Not enough displayed file information                Displays files with icons or thumbnails
Troublesome to move between folders                  Implements back and forward buttons and displays current folder path
We developed the user interface to help the
typical user to conduct backups easily. In
Previous Versions, the shadow copy is created
automatically and controlled by the Windows
OS. However, because a complex procedure is
required to create the shadow copy, it is
difficult for users to execute the application in a
timely manner. Therefore, we developed the
function to set the timing freely when creating
the shadow copy using Previous Versions.
VSSManager has the functions Create shadow
copy, Manage storage, Restore a file, and
Search for a file. Figures 4-7 show the dialog
boxes of VSSManager.
6 EVALUATION
6.1 Method of evaluation
An evaluation was conducted to determine
whether the developed tool is suitable for
operation by a typical user. Ten students in our
laboratory participated as users in the
experimental evaluation. They used the
developed VSSManager as well as existing
tools. The users were taught how to use the
tools in advance. They evaluated the usefulness
with a five-point score. Here, very hard to use
was 1 and very easy to use was 5. Moreover,
the users described their impressions of using
the tools.
7 FUTURE WORK
[Table: five-point evaluation scores for Creation of SC, Setting storage, and Searching for file with Previous Versions, Shadow Explorer, and VSSManager; scores recovered in reading order: 2.6, 4.7, 1.5, 4.9, 3.4, 3.0, 3.6]
REFERENCES
[6] AlphaVSS, http://alphavss.codeplex.com/
ABSTRACT
In recent years, malware infections by Drive by
Download (DbD) attacks carried out with the
cooperation of malicious web sites have caused
serious damage. The blacklist method is a current typical countermeasure that blocks access to a malicious web site registered on a blacklist when the user's PC is redirected to it. However, the attacker can install malicious web sites one after another, and it is impossible to add the malicious web sites to the blacklist immediately. As a result, this method has difficulty countering new malicious web sites. To cope with this issue, we propose a
method that utilizes a support vector machine
(SVM) and the data in a domain name system
(DNS) to identify the domain used in the DbD
attack. The result of an experiment showed a
detection rate of 92.75%.
KEYWORDS
Drive by Download, Domain Name System, WHOIS, Support Vector Machine, Akaike's Information Criterion
1. Introduction
In recent years, malware infections by Drive
by Download (DbD) attacks have caused
serious damage. DbD attacks are carried out
with the cooperation of malicious web sites [1].
Figure 1 shows the flow of a DbD attack.
2. Related Work
Okayasu et al. proposed a specific method
using the SVM and domain information in the
DNS to classify a domain in order to identify
the command and control (C&C) server of a
botnet [4].
Ma et al. also proposed a countermeasure
using domain information to identify malicious
web sites used for phishing or spam attacks [5].
Moreover, approaches that detect obfuscated
JavaScript have been proposed by many
researchers to find a DbD. Here, obfuscated
JavaScript is JavaScript program code that
contains inserted characters representing
malicious behavior.
Jodavi et al. proposed a detection method
that uses the frequency of a hidden function in
JavaScript and the maximum value of the depth
of the eval nest [6]. Su et al. proposed a
countermeasure using an information theoretic
index against obfuscated JavaScript [7].
Jayasinghe [8] proposed a detection method
using the Opcode log obtained from the
JavaScript engine.
However, a method to classify a domain by
using SVM and DNS domain information to
identify web sites used for a DbD attack has not
previously been proposed.
3. Proposed Research Method
In this study, we conducted a classification
experiment using the SVM and domain
information. The SVM used a machine learning
library written in Python and named scikit-learn [9].
As a preliminary survey in the experiment,
first we obtained the domain information of a
DbD domain and a benign domain by querying
the DNS server. Next, the numbers and values
of the record of the acquired domain
3.2 SVM
The SVM is one of the supervised learning
models used in machine learning, and it can be
applied to classification and regression.
The first feature of the SVM is the mapping of the data into a space in which linear classification is possible. The second feature is margin maximization. The margin is the smallest distance between the identification surface and the individuals belonging to each group. The individuals at that shortest distance from the identification surface are called Support Vectors. Learning is done to maximize the margin between the identification surface and the Support Vectors, and as a result, the resulting classifier exhibits high identification performance. Figure 2 shows a schematic diagram of the classification by the SVM.
3.3 Cross-validation
If the sample data for obtaining test and
training data are small, an error in the
classification accuracy can possibly occur.
Therefore, we conducted the experiment by
using the cross-validation [12] method for
verifying the validity of the classification
accuracy.
Figure 3 shows a schematic diagram of the cross-validation method. We experimented with 10-fold cross-validation. First, we divided the sample data into 10 parts. One part was the test data, and the rest were the training data. After exchanging the test data and the training data,
5. Evaluation
5.1 Evaluation method
The detection rate was calculated based on
the number of domains that were determined
accurately. Table 4 shows the domain detection
results. The result is True Positive (TP) if the
DbD domain is correctly determined as a DbD
Accuracy = +++
(6)
(7)
the accuracy of the classification results. The F-measure is calculated by formula (8). Precision, which is an indicator of the accuracy of the compliance rate, is calculated by formula (9). In addition, Recall, which is an indicator of the completeness, is calculated by formula (10).
F-measure = (8)
Precision = (9)
Recall = (10)
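The 10-fold cross-validation of section 3.3 and the detection metrics of formulas (6) to (10), as an added example that is not the paper's code. The paper's scikit-learn SVM is replaced by a hypothetical threshold rule on one constructed feature (the number of DNS records returned for a domain) so that the evaluation runs self-contained; the sample domains are constructed.

```python
"""k-fold cross-validation and detection metrics for a DbD domain classifier.

Added example, not the paper's code. The paper trains a scikit-learn SVM on
DNS record features; here the SVM is replaced by a hypothetical threshold
rule on one constructed feature (number of DNS records returned for the
domain), and the evaluation of section 3.3 and formulas (6)-(10) is
implemented directly.
"""
from typing import Callable, Dict, List, Sequence, Tuple

Row = Tuple[int, int]          # (record_count, label); label 1 = DbD, 0 = benign
Classifier = Callable[[int], int]

# Constructed sample: DbD domains have few DNS records, benign ones many;
# one benign domain (2 records) is deliberately DbD-like.
SAMPLE: List[Row] = [
    (1, 1), (2, 1), (1, 1), (2, 1), (1, 1), (2, 1), (1, 1), (2, 1), (1, 1), (2, 1),
    (6, 0), (5, 0), (8, 0), (7, 0), (2, 0), (9, 0), (6, 0), (5, 0), (7, 0), (8, 0),
]


def train_threshold(train: Sequence[Row]) -> Classifier:
    """Hypothetical stand-in for the SVM: pick the integer threshold t that
    maximises training hits for the rule 'DbD if record_count < t'."""
    best_t, best_hits = 0, -1
    for t in range(0, max(x for x, _ in train) + 2):
        hits = sum(1 for x, y in train if (1 if x < t else 0) == y)
        if hits > best_hits:          # first maximum wins on ties
            best_t, best_hits = t, hits
    return lambda x, t=best_t: 1 if x < t else 0


def confusion(pred: Sequence[int], truth: Sequence[int]) -> Dict[str, int]:
    """TP/TN/FP/FN with the paper's convention: DbD (1) is the positive class."""
    c = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for p, t in zip(pred, truth):
        if p == 1 and t == 1:
            c["TP"] += 1
        elif p == 0 and t == 0:
            c["TN"] += 1
        elif p == 1 and t == 0:
            c["FP"] += 1
        else:
            c["FN"] += 1
    return c


def metrics(c: Dict[str, int]) -> Dict[str, float]:
    """Accuracy, Precision, Recall and F-measure from the confusion counts."""
    total = c["TP"] + c["TN"] + c["FP"] + c["FN"]
    accuracy = (c["TP"] + c["TN"]) / total if total else 0.0
    precision = c["TP"] / (c["TP"] + c["FP"]) if c["TP"] + c["FP"] else 0.0
    recall = c["TP"] / (c["TP"] + c["FN"]) if c["TP"] + c["FN"] else 0.0
    f_measure = (2 * precision * recall / (precision + recall)
                 if precision + recall else 0.0)
    return {"accuracy": accuracy, "precision": precision,
            "recall": recall, "f_measure": f_measure}


def k_fold(data: Sequence[Row], k: int,
           train_fn: Callable[[Sequence[Row]], Classifier]) -> Dict[str, int]:
    """Divide the data into k blocks; each block is the test data once and the
    other k-1 blocks train the classifier. Predictions from all folds are
    pooled into one confusion matrix."""
    folds = [list(data[i::k]) for i in range(k)]   # interleaved split
    pred: List[int] = []
    truth: List[int] = []
    for i in range(k):
        test = folds[i]
        train = [row for j, fold in enumerate(folds) if j != i for row in fold]
        clf = train_fn(train)
        pred.extend(clf(x) for x, _ in test)
        truth.extend(y for _, y in test)
    return confusion(pred, truth)


if __name__ == "__main__":
    counts = k_fold(SAMPLE, 10, train_threshold)
    print(counts)                        # {'TP': 10, 'TN': 9, 'FP': 1, 'FN': 0}
    for name, value in metrics(counts).items():
        print(f"{name}: {value:.4f}")
```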
6. Consideration
In the experiment, the detection rate of the
optimal parameters was 92.75%. Therefore, the
proposed method of this study is inferior in
terms of the detection rate in comparison with
the methods of related work.
[2] URL.Blacklist.com, http://urlblacklist.com/
[3] History of Support Vector Machines, http://www.svms.org/history.html
[9] scikit-learn: machine learning in Python, http://scikit-learn.org/stable/index.html
[11] DNS Client Library for .NET, http://simpledns.com/dns-client-lib.aspx
[15] Alexa: The top sites on the web, http://alexa.com/topsites
[16] Fortune: Fortune 500 Daily & Breaking Business News, http://fortune.com/
Abstract
Cyber crime has increased as a side effect of the dramatic growth in Internet deployment. Identifying the machines responsible for crimes is a vital step in an attack investigation. Tracking the IP address of the attacker to its origin is indispensable. However, apart from finding the attacker's (possible) machine, it is necessary to provide supportive proofs that bind the attack to the attacker's machine, rather than depending solely on the IP address of the attacker, which can be dynamic. This paper proposes to implant such supportive proofs by utilizing the timestamps in the TCP header. Our results show that unique timestamps can be recovered in target machines. In addition, because a violator is unaware of (and has no control over) the internals of the TCP, the investigation process is empowered with stealth. To the best of our knowledge, we are the first to utilize protocol remnants in fingerprinting violating machines.
Introduction
Since cyber crimes are delivered through the network, security analysts need to understand the network's internal functionalities so they can reason about attacks and draw conclusions. Basically, a computer network is a set of nodes, links, and protocols that enable the nodes to communicate through the links. The protocols are the building blocks of computer networks, from the physical layer (according to the OSI networking model) up to the application layer.
A violating machine can be geolocated by tracking its IP address. An investigator might look through the captured machine, seeking crime proofs in high-level data sources. Such sources include (but are not limited to) files, processes, modules, registries, sockets, log files, browsing histories, and strings. However, an attacker who is aware of such sources might manage to hide or destroy them. Furthermore, the captured machine might not really be the machine used in the attack because of the dynamic nature of IP addresses. Given that, additional supportive proofs are needed to show that the captured machine is really the machine that launched the attack. Practically, this is not a problem for machines with static IP addresses. However, such binding is necessary when DHCP is used.
This paper tries to bind the attack to the captured machine by inspecting the machine for marks intentionally implanted remotely in the internal data structures of the TCP. These marks go unnoticed by the attacker because she is unaware of how the TCP internally manages and stores packets and she has no control over these functionalities. This stealthiness is another advantage of this technique.
After receiving packets, network protocols do
some processing before delivering payloads to
higher protocols. That might include preparing/decoding headers, computing error checking
codes, and encrypting/decrypting data. All such
processing only takes place for data in memory:
data never goes to permanent storage unless some
monitoring or logging tools are explicitly activated
and configured to do so. This paper only seeks
in-memory artifacts.
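The two halves of the in-memory check described above, as an added example that is not the paper's code: parsing the TCP timestamp option out of a header, and scanning a byte buffer that stands in for a memory dump for a chosen TSval/TSecr pair. The segment, the port and sequence values, and the buffer are constructed.

```python
"""Recovering TCP timestamp option values from a memory image.

Added example, not the paper's code. The paper searches a suspect machine's
memory for TCP header timestamps that the investigator chose; this shows
parsing the timestamp option (RFC 7323, kind 8, length 10) out of a TCP
header and scanning a constructed byte buffer for a given TSval/TSecr pair.
"""
import struct
from typing import List, Optional, Tuple

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_TIMESTAMP = 8
TIMESTAMP_OPT_LEN = 10


def parse_tcp_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Return (kind, data) pairs from a raw TCP options field; NOPs are
    skipped and EOL ends the list. Malformed lengths raise ValueError."""
    parsed = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option header truncated at offset %d" % i)
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        parsed.append((kind, options[i + 2:i + length]))
        i += length
    return parsed


def tcp_options_from_segment(segment: bytes) -> bytes:
    """Slice the options field out of a TCP segment via the data offset."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimal TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset %d" % data_offset)
    return segment[20:data_offset]


def timestamp_option(options: bytes) -> Optional[Tuple[int, int]]:
    """(TSval, TSecr) if the options carry a well-formed timestamp option."""
    for kind, data in parse_tcp_options(options):
        if kind == TCP_OPT_TIMESTAMP and len(data) == TIMESTAMP_OPT_LEN - 2:
            return struct.unpack("!II", data)
    return None


def find_timestamp_marks(memory: bytes, tsval: int, tsecr: int) -> List[int]:
    """Offsets in `memory` where the complete option (kind, length, TSval,
    TSecr) for the given pair occurs; every occurrence is reported."""
    needle = struct.pack("!BBII", TCP_OPT_TIMESTAMP, TIMESTAMP_OPT_LEN, tsval, tsecr)
    hits = []
    pos = memory.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = memory.find(needle, pos + 1)
    return hits


def build_segment(tsval: int, tsecr: int) -> bytes:
    """Constructed TCP header (no payload) with NOP, NOP, timestamp options,
    so the data offset is 8 words = 32 bytes; ports and sequence numbers
    are arbitrary placeholders."""
    options = struct.pack("!BB", TCP_OPT_NOP, TCP_OPT_NOP)
    options += struct.pack("!BBII", TCP_OPT_TIMESTAMP, TIMESTAMP_OPT_LEN, tsval, tsecr)
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,      # source and destination port
                         1, 0,           # sequence and acknowledgement numbers
                         8 << 4,         # data offset (8 words), reserved bits
                         0x02,           # flags: SYN
                         65535, 0, 0)    # window, checksum, urgent pointer
    return header + options


# Constructed stand-in for a memory dump: the marked segment among filler
# bytes, plus a second copy of just the option, as a retransmission buffer
# or a freed socket structure might leave behind.
TSVAL, TSECR = 0x11223344, 0x55667788
MEMORY = (b"\x00" * 64 + build_segment(TSVAL, TSECR) + b"\xff" * 32
          + struct.pack("!BBII", TCP_OPT_TIMESTAMP, TIMESTAMP_OPT_LEN, TSVAL, TSECR)
          + b"\x00" * 16)

if __name__ == "__main__":
    seg = build_segment(TSVAL, TSECR)
    print(timestamp_option(tcp_options_from_segment(seg)))  # (287454020, 1432778632)
    print(find_timestamp_marks(MEMORY, TSVAL, TSECR))       # [86, 128]
```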
This paper is organized as follows. In Section 2,
we give a brief overview of the TCP protocol and
highlight some of its header fields which we will
utilize in this study. Our investigation model is
presented in Section 3. This is followed by Section 4
that explains our experimental setup. Our results
are shown in Section 5. A discussion and future
work are covered in Section 6. This is followed by
related work and the conclusion.
Investigation Model
Experimental Setup
4.1 Experiment invariants
4.2
Results
In this section, we present our results for the experiments discussed in Section 4. Because the experiment was conducted on both Linux and Windows machines, we show two figures: one for Linux and another for Windows. In addition, because the experiment was conducted three times, the numbers are averaged over three runs.
We want to check for the TCP timestamps in the
Conclusion
Related work
The in-memory data have been considered in several works from security and forensics perspectives
[1, 8, 12, 10, 14, 11, 3, 7, 5, 4, 2, 9, 13].
Even after process termination, 90% of information about processes can still be recovered from the
non-paged memory of a Windows machine for more
than a day [10]. Data lifetime of the userspace portion of the process address space has been studied
by [12]. In addition, the lifetime of the freed memory portions is examined by [6]. Over time, only
15% of memory contents are changed in an idle
References
[1] M. I. Al-Saleh and Z. A. Al-Sharif. Utilizing data lifetime of TCP buffers in digital forensics: Empirical study. Digital Investigation, 9(2):119-124, 2012.
[2] P. Broadwell, M. Harren, and N. Sastry. Scrash: a system for generating secure crash information. In Proceedings of the 12th conference on USENIX Security Symposium - Vol-
[6] D. Farmer and W. Venema. Forensic Discovery. Addison Wesley Professional, 2004.
[7] T. Garfinkel, B. Pfaff, J. Chow, and M. Rosenblum. Data lifetime is a systems problem. In Proceedings of the 11th workshop on ACM SIGOPS European workshop, EW 11, New York, NY, USA, 2004. ACM.
[8] H. Inoue, F. Adelstein, and R. A. Joyce. Visualization in testing a volatile memory forensic tool. Digital Investigation, 8(Supplement):S42-S51, 2011.
[9] J. Sammons. The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Elsevier, 2012.
[10] A. Schuster. The impact of Microsoft Windows pool allocation strategies on memory forensics. Digital Investigation, 5, Supplement(0):S58-S64, 2008. The Proceedings of the Eighth Annual DFRWS Conference.
[11] M. Simon and J. Slay. Recovery of Skype application activity data from physical memory. In ARES, pages 283-288, 2010.
[12] J. Solomon, E. Huebner, D. Bem, and M. Szeżyńska. User data persistence in physical memory. Digital Investigation, 4(2):68-72, 2007.
[13] R. M. Stevens and E. Casey. Extracting Windows command line details from physical memory. Digital Investigation, 7, Supplement(0):S57-S63, 2010. The Proceedings of the Tenth Annual DFRWS Conference.
[14] A. Walters and N. L. Petroni. Volatools: Integrating volatile memory forensics into the digital investigation process. Digital Investigation, pages 1-18, 2007.
Method for Detecting a Malicious Domain by using WHOIS and DNS features
MASAHIRO KUYAMA, YOSHIO KAKIZAKI and RYOICHI SASAKI
Tokyo Denki University
Tokyo, Japan
[email protected]
ABSTRACT
Damages caused by targeted attacks are a serious
problem. It is not enough to prevent only the initial
infections, because techniques for targeted attacks
have become more sophisticated every year,
especially those seeking to illegally acquire
confidential information. In a targeted attack,
various communications are performed between the
command and control server (C&C server) and the
local area network (LAN), including the terminal
infected with malware. Therefore, it is possible to
find the infected terminal in the LAN by monitoring
the communications with the C&C server. In this
study, we propose a method for identifying the
C&C server by using supervised machine learning
and the feature points obtained from WHOIS and
the DNS of domains of C&C servers and normal
domains. Moreover, we conduct an experiment that
applies real data, and we verify the usefulness of
our method by a cross-validation method. As a
result of the experiment, we could obtain a high
detection rate of about 98.5%.
KEYWORDS
Malware, C&C server, Neural network, SVM
1 Introduction
Damages caused by targeted attacks are a
serious problem [1]. Many targeted attacks aim
at illegal acquisition of confidential information,
such as intellectual property and private
information. A target of this type of attack is a
specific company or organization. To achieve
their objectives, attackers infect terminals with
malware attached to e-mail and use the drive-by-download attack.
ID
Name
Organization name
Address
Postal code
Phone number
Country
FAX number
E-mail address
a) A record
b) SOA record
c) HINFO record
d) MX record
e) NS record
f) CNAME record
g) WKS record
h) TXT record
Fig. 6 NS records
Fig. 7 NS records
Hardly any records are registered in the C&C
domains, although many records are registered
in the normal domains.
4 Results
For evaluation, 80 normal and 54 C&C
domains were used.
Because the amount of data is small, the accuracy varies greatly depending on how the test data are chosen. The amount of available data on domains used for targeted attacks is small. Thus, we evaluate the data with a cross-validation method, because it can reduce the error margin even if the amount of data is small.
The cross-validation method is an evaluation method that divides the original data into blocks of learning data [17]. One of the blocks is the test data, and the others are the learning data for evaluation.
The evaluation consists of calculating the average of each evaluation result as the estimated accuracy (Fig. 9).
This evaluation method can reduce the error margin of the estimated accuracy, even if the amount of data is small. It can be calculated with the following equation.
Let
be the total number of test data,
be
the total number of data classified accurately,
and be the n-th evaluation
accuracy. the estimation accuracy to be
determined is as follows:
(1)
[Results: detection rates 98.5% and 97.8%]
ABSTRACT
Cloud storage services are widely gaining acceptance and popularity, since they are used mostly by companies and students in Malaysian higher learning institutions. While cloud storage services became popular within the last two years, most people are still trying to adapt to this new technology and some people still do not fully understand what cloud storage services are. In this paper, the authors present the results and an analysis of a survey conducted on the awareness and concerns of Malaysians about cloud storage services and their forensics and security issues. Questionnaires were administered to two hundred fifty users of cloud storage in Malaysia and fifty to the public to get the responses of people, especially students, concerning cloud storage services. The responses from participants revealed valuable information about public awareness and knowledge of cloud services. Relevant areas that require improvement are also investigated and discussed in this paper.
KEYWORDS
Cloud Computing, Cloud Storage, Cloud
Forensics, Cloud Security, Cloud Forensics
Awareness
1 INTRODUCTION
Cloud storage services are increasingly used by
various types of ordinary consumers and
professional businesses, as well as government
[Figure 1: Education Background - pie chart over Information Technology, Forensic and Security Computing, Software Engineering, Business Administration, Mobile Technology, and Others; shares 25%, 18%, 17%, 13%, 13%, 7%, 7%]
[Figure: bar chart (0-100 scale) of Neutral, Significant, and Very Significant responses to cloud forensics challenges, including lack of experience]
86
Proceedings of the Third International Conference on Digital Security and Forensics (DigitalSec), Kuala Lumpur, Malaysia, 2016
8 CONCLUSION
The analysis of results in this study has shown a very low level of awareness of cloud storage services amongst Malaysians at the moment. This could stem from many aspects, such as the culture of Malaysia or government policies. Furthermore, cloud forensics raises significant challenges for cloud storage forensics, and those challenges cannot be ignored by the related departments such as the police, forensic investigation departments and cloud computing experts. Hence, there is an urgent need to establish cloud storage forensics abilities and performance, including a set of procedures for conducting an investigation. However, cloud storage services are bringing some new opportunities to society, as people will change the way they live and get things done more efficiently and faster. Lastly, preparation for Malaysia to control and supervise the Internet must be considered, as so far no serious cloud storage services crime has happened or been reported in Malaysia. This might be the cause of the lack of experienced investigators. Thus, society and the related departments will panic if it happens. Furthermore, to become a developed country, improving and increasing Information Technology is one of the main concerns. This is because IT can improve different aspects of development in a country. For example, the demand for IT is becoming wide and huge as the market is shaped by modern technologies. Consumers tend to search for information about products through IT platforms like Alibaba or other online purchase websites.
9 FUTURE RECOMMENDATIONS
This study has shown high satisfaction and response in most of the items in the questionnaires. Through this research, the authors are able to know the level of awareness of Malaysians about cloud storage services in this country. Furthermore, even though the level of awareness is very low and it should be
Abstract
Recently, damage by targeted attacks has been increasing and has also become diversified. A targeted attack is any malicious attack directed toward a specific individual or organization. It has the characteristic that damage is likely to expand because it is hardly noticeable. Therefore, the assumed countermeasures, such as early detection and damage reduction, are important factors for the prevention of targeted attacks. In this paper, we propose attack methods that are able to avoid filtering by using web translation services, and then we propose countermeasure methods. Also, to evaluate our proposals, we surveyed other attack methods, including those used in combination, such as shortened URL services and web archive services.
Keywords
Targeted attack, Malware, C&C communications, Web translation service, URL Shortener
Figure 1. Targeted attack
Introduction
Related Work
Experiments
[Table: URL filtering results for Google Translate, Excite Translator, Yahoo! translation, Infoseek translation, So-net translation, WorldLingo, SDL, Internet Archive, and Web Fish Print; legend: Acquisition successful / Blocked]
Service             URL
Excite Translator   http://www.excite-webtl.jp/world/english/web/?wb_url=http%3A%2F%2Fweb.dendai.ac.jp%2F&wb_lp=JAEN
Google Translate    https://translate.google.co.jp/translate?hl=ja&sl=auto&tl=en&u=http%3A%2F%2Fweb.dendai.ac.jp%2F
SDL
Other service
Internet Archive
5.1 Purpose
As described in the related research [4], it is effective to use a URL shortener to avoid filtering with web translation services. The URL shortener generates a short URL that points to a target URL. When the shortened URL is accessed, the browser is redirected to the web page at the full, unshortened URL. By using the URL shortener, the URL of the C&C server is shortened, and access to the shortened URL from the web translation service avoids the filtering. We conducted an experiment to investigate whether filtering avoidance together with a URL shortener can be applied to a targeted attack. In this experiment, we used bit.ly [16] as the URL shortener.
5.2 Command transmitting method
We confirmed that the transmission of a
command is possible in an environment of
filtering combined with a URL shortener. In this
experiment, we created a shortened URL for the
filtering target and then accessed the shortened
URL via a web translation service from a web
browser. We found that filtering avoidance was
possible.
Table 6. Filtering avoidance results by translation service with URL shortener
[Table: filtering types Normal, IP address, Domain, and URL for Google Translate, Excite Translator, Yahoo! translation, Infoseek translation, So-net translation, WorldLingo, and SDL]
2. https decode
3. Content filtering
4. Ban URL shorteners
6. Ban translation services
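One way to implement the content filtering countermeasure on a decoded request, as an added example that is not the paper's code: the blocklist is applied to every URL nested inside the request (the wb_url parameter of Excite and the u parameter of Google Translate shown in the URL table above, and any other query value that is itself an absolute URL), and known shorteners are flagged for expansion before a verdict. bit.ly is the shortener named on the page; the other shortener hosts, the blocklist entries and the sample requests are constructed placeholders.

```python
"""Content filter that applies the blocklist to URLs nested in a request.

Added example, not the paper's code. Blocking only the outer request lets a
web translation service fetch a blocklisted C&C URL on the client's behalf;
this filter follows every absolute URL carried in a query parameter (wb_url
for Excite, u for Google Translate, or any other) and flags known URL
shorteners so their redirect target is resolved before a verdict.
"""
from typing import List, Set
from urllib.parse import parse_qs, quote, urlparse

# Constructed placeholders, not real indicators.
BLOCKED_DOMAINS: Set[str] = {"c2-server.invalid", "dropper.invalid"}
# bit.ly is named on the page; the others are assumed for illustration.
SHORTENER_HOSTS: Set[str] = {"bit.ly", "t.co", "goo.gl"}


def nested_urls(url: str, depth: int = 5) -> List[str]:
    """The URL itself plus every absolute URL found in its query values,
    recursively (a translation of a translated page), up to `depth` levels.
    parse_qs percent-decodes each value, so one nesting level is unwrapped
    per recursion step."""
    found = [url]
    if depth == 0:
        return found
    for values in parse_qs(urlparse(url).query).values():
        for value in values:
            parts = urlparse(value)
            if parts.scheme in ("http", "https") and parts.netloc:
                found.extend(nested_urls(value, depth - 1))
    return found


def domain_blocked(host: str) -> bool:
    """Exact or subdomain match against the blocklist."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def verdict(url: str) -> str:
    """'block' if any nested target is blocklisted, 'expand' if a shortener
    must be resolved first, otherwise 'allow'."""
    result = "allow"
    for u in nested_urls(url):
        host = urlparse(u).hostname or ""
        if domain_blocked(host):
            return "block"
        if host in SHORTENER_HOSTS:
            result = "expand"
    return result


def _wrap_google(target: str) -> str:
    """Google Translate request in the format shown on the page."""
    return ("https://translate.google.co.jp/translate?hl=ja&sl=auto&tl=en&u="
            + quote(target, safe=""))


def _wrap_excite(target: str) -> str:
    """Excite Translator request in the format shown on the page."""
    return ("http://www.excite-webtl.jp/world/english/web/?wb_url="
            + quote(target, safe="") + "&wb_lp=JAEN")


# Constructed sample requests.
SAMPLE_REQUESTS = {
    "benign":           _wrap_google("http://web.dendai.ac.jp/"),
    "excite_c2":        _wrap_excite("http://c2-server.invalid/cmd"),
    "google_c2":        _wrap_google("http://c2-server.invalid/cmd"),
    "google_shortener": _wrap_google("https://bit.ly/3xyz"),
    "double_wrapped":   _wrap_excite(_wrap_google("http://c2-server.invalid/cmd")),
}

if __name__ == "__main__":
    for name, url in SAMPLE_REQUESTS.items():
        print(f"{name:17s} {verdict(url)}")
```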
7. Conclusion
Reference
Bing Translator, https://www.bing.com/translator (access 2016-04).
KEYWORDS
Feature selection, Mutual information, Intrusion
detection system
INTRODUCTION
Feature selection is a technique for eliminating irrelevant and redundant features and selecting the optimal subset of features that produces a better characterisation of patterns belonging to different classes. The feature selection problem has been around since the early
1970s. Due to its computational complexity, it
remains an open area for researchers. Feature
selection reduces computational cost, facilitates data understanding, improves the performance of modelling and prediction and speeds
up the detection process of IDS [1].
A feature is relevant to the class if it contains
important information about the class; otherwise it is irrelevant or redundant. Since mutual
information is good at quantifying the amount
of information shared by two random variables, it is often used as an evaluation criterion
to evaluate the relevance between features and
class labels.
Several feature selection algorithms, including
those in [2, 3, 4, 5, 6, 7, 8], have been proposed in the literature based on the principle of
mutual information. Battiti's MIFS [2] is one
of the earliest methods that evaluate features
based on their relevance to classification. Numerous studies, including [3] to [8], have been
conducted to improve Battiti's MIFS. A clearer
and more detailed explanation of these methods and their limitations is given in Section 2.
The key contributions of this paper are as follows.
1. This work proposes a new feature selection algorithm in which mutual information is introduced to evaluate the
dependence between features and output
classes. The most relevant features are retained and used to construct classifiers for
their respective classes. This method is an
enhancement of Mutual Information Feature Selection (MIFS) [2] and Modified
Mutual Information-based Feature Selection (MMIFS) [7].
2. After tackling feature selection, the selected features are then used to train the
classifier and build an IDS.
3. We conduct complete experiments on
three well-known IDS datasets. This is
very important in evaluating the performance of IDS since these datasets contain the most recent and novel attack patterns. In addition, these datasets are fre-
$$I(X; Y) = \sum_{x \in X} \sum_{y \in Y} p(x, y) \log \frac{p(x, y)}{p(x)\,p(y)} \qquad (2)$$
where $\beta$ is a user-defined parameter that is applied to regulate the relative significance of the
redundancy between the current feature and the
set of previously selected features.
As can be seen, Eq. (3) consists of two terms.
The left-hand side term, $I(C; f_i)$, represents
the amount of information that feature $f_i$ carries about the class $C$. A relevant feature is the
one that maximizes this term. The right-hand
side term, $\sum_{f_s \in S} I(f_s; f_i)$, is used to eliminate
the redundancy among the selected features.
In follow-up research, various methods have
been proposed to enhance Battiti's MIFS. Most
of the studies have been conducted on the right-hand side term of Eq. (3). Kwak and Choi in
[3] made a better estimation of MI between input features and output classes and proposed a
greedy selection algorithm named MIFS-U, in
which U stands for uniform information distribution. MIFS-U shows a better estimation of
$I(C; f_i)$ than MIFS. The algorithm of MIFS-U
differs from that of MIFS in the right-hand side
term, as shown in Eq. (4).
$$I(C; f_i) - \beta \sum_{f_s \in S} \frac{I(C; f_s)}{H(f_s)}\, I(f_i; f_s) \qquad (4)$$

$$I(C; f_i) - \frac{\beta}{|S|} \sum_{f_s \in S} I(f_i; f_s) \qquad (5)$$
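An added example, not the paper's own code, implementing the mutual-information estimate of Eq. (2) from empirical counts and the greedy forward selection of the MIFS family: plain MIFS, MIFS-U as in Eq. (4), and Eq. (5) (the MMIFS criterion, which divides the redundancy term by $|S|$). The feature columns and class labels are constructed, and the $\beta$ values are illustrative; the example goes slightly beyond the text by running all three criteria side by side, to show how the choice of $\beta$ alone changes which features survive, which is the sensitivity that the paper's MIFSA sets out to remove.

```python
"""Greedy mutual-information feature selection (MIFS, MIFS-U, MMIFS).

Added example, not code from the paper. Discrete features only: the
probabilities of Eq. (2) are estimated from counts over the samples.
"""
from collections import Counter
from math import log2


def entropy(xs):
    """H(X) in bits from the empirical distribution of xs."""
    n = len(xs)
    return -sum(c / n * log2(c / n) for c in Counter(xs).values())


def mutual_information(xs, ys):
    """I(X;Y) = sum_{x,y} p(x,y) log p(x,y) / (p(x) p(y)), Eq. (2), in bits."""
    n = len(xs)
    px, py, pxy = Counter(xs), Counter(ys), Counter(zip(xs, ys))
    return sum(c / n * log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in pxy.items())


def select_features(features, labels, k, beta, criterion="mifs"):
    """Greedy forward selection of k feature indices (features[i] is a column).

    criterion:
      "mifs"   J(f) = I(C;f) - beta * sum_{s in S} I(f;s)
      "mifs_u" J(f) = I(C;f) - beta * sum_{s in S} I(C;s)/H(s) * I(f;s)  (Eq. 4)
      "mmifs"  J(f) = I(C;f) - beta/|S| * sum_{s in S} I(f;s)            (Eq. 5)
    """
    relevance = [mutual_information(f, labels) for f in features]
    selected, remaining = [], list(range(len(features)))
    while remaining and len(selected) < k:
        best, best_score = None, None
        for i in remaining:
            redundancy = 0.0
            for s in selected:
                mi_fs = mutual_information(features[i], features[s])
                if criterion == "mifs_u":
                    h = entropy(features[s])
                    # a constant feature has H = 0 and carries no redundancy
                    redundancy += (relevance[s] / h if h else 0.0) * mi_fs
                else:
                    redundancy += mi_fs
            if criterion == "mmifs" and selected:
                redundancy /= len(selected)
            score = relevance[i] - beta * redundancy
            if best_score is None or score > best_score:   # first max wins ties
                best, best_score = i, score
        selected.append(best)
        remaining.remove(best)
    return selected


# Constructed toy data: 8 samples, binary class C, four discrete features.
LABELS = [0, 0, 0, 0, 1, 1, 1, 1]
FEATURES = [
    [0, 0, 0, 0, 1, 1, 1, 1],   # f0: identical to C (fully relevant)
    [0, 0, 0, 0, 1, 1, 1, 1],   # f1: duplicate of f0 (fully redundant)
    [0, 0, 1, 1, 0, 0, 1, 1],   # f2: independent of C (noise)
    [0, 0, 0, 1, 1, 1, 1, 0],   # f3: weakly relevant, independent of f2
]

if __name__ == "__main__":
    for crit in ("mifs", "mifs_u", "mmifs"):
        for beta in (0.3, 0.7):
            print(crit, beta, select_features(FEATURES, LABELS, 3, beta, crit))
```

With $\beta = 0.3$ MIFS keeps the weakly relevant f3; with $\beta = 0.7$ the doubled redundancy against f0 and f1 pushes f3 below the pure-noise column f2, so noise is selected instead. Eq. (5) divides the penalty by $|S|$ and keeps f3 at $\beta = 0.7$, yet at every $\beta$ the duplicate f1 is still chosen before f3, because one strongly relevant feature outweighs a single redundancy term.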
(7)
The proposed intrusion detection system is depicted in Figure 1. It comprises four main
stages: (1) data collection, where a sequence of
network packets is collected; (2) data preprocessing, where training and test data are preprocessed and important features that can distinguish one class from another are selected;
(3) classifier training, where the model for classification is trained; and (4) attack recognition,
where the trained classifier is used to detect intrusions on the test data. One can find more
details about these stages in [11].
4.1 Data Collection
This is the first and most important stage of intrusion detection, where a sequence of network
packets is collected.
4.2 Data Pre-processing
Classifier Training
Attack Recognition
To validate performance fairly, three well-known benchmark datasets are adopted in our
experiments. These three datasets are the KDD
Cup 99 datasets [12], NSL-KDD datasets [13]
and Kyoto 2006+ datasets [14]. All of these
Dataset     | Feature | Class | Training | Testing
KDD Cup 99  | 41      | 5     | 500      | 500
NSL-KDD     | 41      | 5     | 500      | 500
Kyoto 2006+ | 23      | 2     | 500      | 500
Experimental Setup
              | DoS | Probe | U2R | R2L
IDS + MIFSA   |     |       |     |
SVM [17]      |     |       |     |
Bayesian [18] |     |       |     |
FNT [19]      |     |       |     |

System          | # Feature | DR    | FPR
IDS + MIFSA     | 16        | 99.15 | 0.81
DMNB [21]       | all       | n/a   | 3.0
TUIDS [22]      | all       | 98.88 | 1.12
HTTP-IDS [23]   | 13        | 99.03 | 1.0
Hybrid IDS [24] | all       | 99.10 | 1.2
Table 4. Comparison performance of classification on the Kyoto 2006+ dataset (the days 2007, Nov. 1, 2 and 3)
                |             IDS + MIFSA              |            CSV-ISVM [25]
Iteration count | DR    | FPR  | Train(s) | Test(s) | DR    | FPR  | Train(s) | Test(s)
1               | 96.14 | 0.80 | 0.106    | 0.213   | 79.65 | 4.54 | 1.823    | 7.76
2               | 97.83 | 0.51 | 0.213    | 0.286   | 84.72 | 4.03 | 3.463    | 10.363
3               | 97.93 | 0.50 | 0.525    | 0.550   | 85.58 | 3.92 | 5.26     | 15.443
4               | 97.98 | 0.49 | 1.040    | 1.023   | 86.08 | 3.80 | 9.662    | 19.532
5               | 97.98 | 0.43 | 1.235    | 1.073   | 86.81 | 3.54 | 11.302   | 22.735
6               | 97.99 | 0.41 | 1.228    | 1.633   | 87.24 | 3.33 | 13.593   | 25.887
7               | 98.01 | 0.37 | 1.723    | 1.779   | 88.08 | 3.03 | 14.348   | 28.23
8               | 98.03 | 0.33 | 2.392    | 2.572   | 88.10 | 3.01 | 17.475   | 31.615
9               | 98.07 | 0.33 | 2.775    | 3.081   | 89.64 | 2.52 | 23.02    | 35.547
10              | 98.18 | 0.31 | 3.299    | 3.728   | 90.15 | 2.31 | 27.257   | 40.097
6 CONCLUSION
This paper has proposed a supervised feature selection algorithm, namely the Mutual-Information-based Feature Selection Algorithm (MIFSA). MIFSA is a modified version
of MIFS and MMIFS. MIFSA eliminates the
need for setting the redundancy parameter
required in MIFS and MMIFS. This is useful
in practice since there is no specific guideline
for setting the best value for this parameter.
The feasibility of MIFSA is evaluated in the
case of intrusion detection by building an intrusion detection system using the features selected by our proposed MIFSA. The proposed
IDS + MIFSA has been evaluated using three
well-known intrusion detection datasets: KDD
Cup 99, NSL-KDD and Kyoto 2006+. The
performance of IDS + MIFSA on all datasets
showed better classification performance in
terms of classification accuracy, detection rate
and false positive rate compared to existing detection systems.
Although the proposed MIFSA has produced
encouraging results, it could be further improved by enhancing the search strategy. We
will take this into consideration when optimizing our method in the future.
REFERENCES
[1] P. Louvieris, N. Clewley, X. Liu, Effects-based feature identification for network intrusion detection, Neurocomputing 121 (2013) 265–273.
[10] T. M. Cover, J. A. Thomas, Elements of information theory, John Wiley & Sons, 2012.
[21] M. Panda, A. Abraham, M. R. Patra, Discriminative multinomial naive bayes for network intrusion detection, in: International Conference on Information Assurance and Security (IAS), IEEE, 2010, pp. 5–10.
[15] C.-F. Tsai, Y.-F. Hsu, C.-Y. Lin, W.-Y. Lin, Intrusion detection by machine learning: A review, Expert Systems with Applications 36 (10) (2009) 11994–12000.
[16] S. Mukkamala, A. H. Sung, Significant feature selection using computational intelligent techniques for intrusion detection, in: Advanced Methods for Knowledge Discovery from Complex Data, Springer, 2005, pp. 285–306.
[17] S. Mukkamala, A. H. Sung, A. Abraham, Intrusion detection using an ensemble of intelligent paradigms, Journal of Network and Computer Applications 28 (2) (2005) 167–182.
[18] S. Chebrolu, A. Abraham, J. P. Thomas, Feature deduction and ensemble design of intrusion detection systems, Computers & Security 24 (4) (2005) 295–307.
[19] Y. Chen, A. Abraham, B. Yang, Feature selection and classification flexible neural tree, Neurocomputing 70 (1) (2006) 305–313.
[20] A. Chandrasekhar, K. Raghuveer, An effective technique for intrusion detection using neuro-fuzzy and radial svm classifier, in: Computer Net-
Asia Pacific University of Technology & Innovation (APU), 2 Universiti Putra Malaysia (UPM)
[email protected], [email protected], {ramlan, izura}@upm.edu.my
ABSTRACT
Cloud computing provides dynamic capacity and
capabilities, and it delivers resources as services
over the Internet. In cloud computing, information
is migrated to third parties, which poses enormous
security challenges such as privacy leakage and
illegal access. This paper presents an authentication
logic to protect data from illegal access before and
during its usage in cloud computing. The proposed
authentication logic can be modified and adapted to
different requirements in various types of cloud
computing services. This is achieved by changing the
formulas through assigning new parameters, which
yields a flexible and reusable authentication model.
Decisions are made by four functions.
The authentication and requirement functions
control the access request before the usage.
The authorization and obligation functions are
executed during the usage, based on right requests.
The implementation demonstrates the theoretical
result of the proposed model.
KEYWORDS
Authentication, Authorization, Cloud computing,
Data Security, Formal Method.
1 INTRODUCTION
In recent years, the cloud computing environment
has grown fast without requiring new
infrastructure, licensing of new software or
training of personnel. Cloud computing delivers
services to end users in three layers, as shown in
Figure 1. They include [1]:
Figure 3. Ae Function
Figure 4. Ao Function
(1)
(2)
(Ae ...)    (3)
(Ao (ATT(Sub), ATT(Obj), ObjR)) => Permitted Right Request (Sub, Obj, ObjR)    (4)
Figure 5. Re Function
Figure 6. Ob Function
(8)
// Ae Function
(1) If (Ae (ATT(Sub), ATT(Obj), IObjR) = False)
        // Subject Authentication is not successful.
        a. Access Terminate
(2) End if
// Ao (check based on events or periodic)
(3) If (Ae (ATT(Sub), ATT(Obj), IObjR) = False)
        // Subject Authentication is not successful.
        a. Access Terminate
(4) Else
        a. If (Ao (ATT(Sub), ATT(Obj), ObjR) = False)
                // Subject Authorization is not successful.
                i. Right Request Terminate
        b. End if
(5) End if
// Re Function
(6) If (Re (Sub, Obj) = False)
        // Requirement is not fulfilled
        a. Access Terminate
(7) End if
// Ob (check based on events or periodic)
(8) If (Re (Sub, Obj) = False)
        // Requirement is not fulfilled
        a. Access Terminate
(9) Else
        a. If (Ob (Sub, Obj, ObjR) = False)
                // Obligation is not fulfilled.
                i. Right Request Terminate
        b. End if
(10) End if
Right request permit
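The listing above in runnable form, as an added example that is not the paper's own implementation. The four decision functions keep the paper's names and argument lists (ATT(Sub), ATT(Obj), IObjR, ObjR) and `decide` follows steps (1) to (10) in order; the attribute checks inside Ae, Ao, Re and Ob, the subject and object records, and the `refresh` hook are assumptions of this example. The hook stands in for the event-driven or periodic re-evaluation the listing notes for Ao and Ob, so the during-usage re-check of Ae and Re can actually observe changed attributes.

```python
"""Four-function access decision (Ae, Ao, Re, Ob) for a cloud object.

Added example, not the paper's code. Attribute names and the policies
inside each function are assumptions; the evaluation order is the listing's.
"""


def Ae(att_sub, att_obj, iobjr):
    """Authentication (assumed policy): unexpired credential, same tenant as
    the object, and the initial right IObjR is one the object offers."""
    token_valid = (att_sub.get("token") is not None
                   and att_sub.get("token_expires", 0) > att_sub.get("now", 0))
    same_tenant = att_sub.get("tenant") == att_obj.get("tenant")
    return token_valid and same_tenant and iobjr in att_obj.get("initial_rights", set())


def Ao(att_sub, att_obj, objr):
    """Authorization (assumed policy): right ObjR is granted to the subject's clearance."""
    allowed = att_obj.get("rights_by_clearance", {}).get(att_sub.get("clearance"), set())
    return objr in allowed


def Re(sub, obj):
    """Requirement (assumed policy): compliant device and object not under a hold."""
    return (sub["attributes"].get("device_compliant", False)
            and not obj["attributes"].get("frozen", False))


def Ob(sub, obj, objr):
    """Obligation (assumed policy): every duty the object attaches to right
    ObjR has been fulfilled by the subject (e.g. acknowledging an audit notice)."""
    needed = obj["attributes"].get("obligations", {}).get(objr, set())
    return needed <= sub["attributes"].get("fulfilled_obligations", set())


def decide(sub, obj, iobjr, objr, refresh=None):
    """Evaluate a right request following the listing's steps (1)-(10).

    `refresh(sub, obj)`, if given, is called before each during-usage check
    to reload attributes (assumption standing in for the listing's
    "check based on events or periodic").
    """
    if not Ae(sub["attributes"], obj["attributes"], iobjr):    # (1)-(2)
        return "Access Terminate"
    if refresh:
        refresh(sub, obj)
    if not Ae(sub["attributes"], obj["attributes"], iobjr):    # (3): re-authenticate
        return "Access Terminate"
    if not Ao(sub["attributes"], obj["attributes"], objr):     # (4)-(5): authorize
        return "Right Request Terminate"
    if not Re(sub, obj):                                       # (6)-(7): requirement
        return "Access Terminate"
    if refresh:
        refresh(sub, obj)
    if not Re(sub, obj):                                       # (8): requirement, during usage
        return "Access Terminate"
    if not Ob(sub, obj, objr):                                 # (9)-(10): obligation
        return "Right Request Terminate"
    return "Right request permit"


def sample_subject(clearance="staff"):
    """Constructed subject record (assumed attribute names)."""
    return {"id": "alice", "attributes": {
        "tenant": "acme", "clearance": clearance,
        "token": "tok-123", "token_expires": 200, "now": 100,
        "device_compliant": True,
        "fulfilled_obligations": {"audit_ack"}}}


def sample_object():
    """Constructed object record (assumed attribute names)."""
    return {"id": "report.pdf", "attributes": {
        "tenant": "acme", "initial_rights": {"read"},
        "rights_by_clearance": {"staff": {"read"}, "manager": {"read", "write"}},
        "frozen": False,
        "obligations": {"read": {"audit_ack"},
                        "write": {"audit_ack", "second_approval"}}}}


def expire_token(sub, obj):
    """Refresh hook for the demo: the session clock passes the token expiry."""
    sub["attributes"]["now"] = 300


if __name__ == "__main__":
    print(decide(sample_subject(), sample_object(), "read", "read"))
    print(decide(sample_subject(), sample_object(), "read", "write"))
    print(decide(sample_subject(), sample_object(), "read", "read", refresh=expire_token))
```

The third call shows what the during-usage re-check buys: step (1) passes on the initial attributes, but once the token has lapsed step (3) terminates the access even though nothing about the request itself changed.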
Oprea, "HAIL: a
layer for cloud
the 16th ACM
communications
ABSTRACT
Over the years, data theft has been rampant in
financial institutions; at present, however, medical
data is in the spotlight. The healthcare industry is
considered a potential target for hackers and cyber
criminals seeking access to patients' data. Electronic
Health Records (EHR) provide flexibility, timely
access and interoperability of patient information,
which is key to decision making by physicians and
medical officers. With the advancement of
technology, the cloud has been identified as a solution
for healthcare practitioners to implement interconnected
EHR, as it reduces the cost and hassle of infrastructure
maintenance. A cloud platform allows data to be
replicated in different geographical locations and
retrieved and shared among various organizations in
a timely manner. The healthcare sector is facing a
dilemma over how patients' information can be
protected while it is being managed by cloud
vendors. Several cloud-based EHR systems apply
cryptographic techniques to encrypt data at rest and
data in motion, and access control to eliminate
unauthorized access. As a result, existing access
control mechanisms in the cloud mainly focus on
giving data access to physicians and other medical
officers but overlook the privacy requirements of
patients. This research discusses various access
control models, their merits, limitations, and their
roles in promoting privacy in cloud-based solutions.
KEYWORDS
Access Control, Electronic Health Records, Privacy,
Security, Cloud Platform.
1 INTRODUCTION
Electronic Health Records (EHR) assist
healthcare organizations in delivering services
and treatment to patients faster and better [1].
According to a technology report, Malaysian
healthcare providers are gradually adopting
EHR technology; however, paper-based records
are also still in use [2]. Paper-based records
cannot be completely eliminated in healthcare,
but they can be reduced to a certain extent [3].
Due to advancements in technology, healthcare
organizations have started to integrate several IT
systems to facilitate interoperability; however,
privacy still remains a very big concern for
healthcare consumers [4].
Advancements in technology have opened avenues
for the healthcare sector. Consequently, cloud
computing has been recognized as a cost-effective
approach for small healthcare providers, since it
removes the need to manage their own IT
infrastructure. This makes it attractive to deploy
EHR in the cloud and have them managed by
cloud vendors [5]. A recent study highlights that
60 percent of independent physicians have
adopted EHR because the cost of implementing a
cloud-based EHR is far lower than that of a
decentralized EHR system.
2.3.1 Confidentiality
This refers to the ability to safeguard
information in the EHR system so that it can
only be accessed by authorized subjects.
Typically, authorized subjects gain access
based on predefined role-based privileges
[10]. Therefore, no information about patients
should be released without their consent unless
otherwise stated by the privacy rule.
Authorization is mainly carried out by a security
mechanism called access control. This is a
greater challenge for healthcare organizations,
since the medical data in a cloud-based EHR is
stored in cloud vendors' data centers, which are
usually distributed across several regions.
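An added example, not from the paper, contrasting the role-only decision described above with one that also requires the patient's consent and admits a privacy-rule exception. The roles, record sections, the consent record, the "emergency" exception and the audit line format are assumptions; the sample users and patient are constructed.

```python
"""Role-based EHR access with a patient-consent check.

Added example (not from the paper). Role privileges, sections, the consent
record and the privacy-rule exception are assumed; data is constructed.
"""

# Predefined role-based privileges over EHR sections (assumed).
ROLE_PRIVILEGES = {
    "physician": {"demographics", "diagnosis", "medication", "lab"},
    "nurse": {"demographics", "medication"},
    "billing": {"demographics"},
}

# Sections the privacy rule lets staff read without consent, per context
# (assumed: an emergency exposes identity and current medication only).
PRIVACY_RULE_EXCEPTIONS = {
    "emergency": {"demographics", "medication"},
}


def role_only_decision(user, section):
    """The physician-centred check: the role privilege alone decides."""
    return section in ROLE_PRIVILEGES.get(user["role"], set())


def consent_aware_decision(user, patient, section, context="routine"):
    """Role privilege is necessary but not sufficient.

    The patient must have consented to this section for the user's
    organisation, or a privacy-rule exception for the context must cover
    the section. Returns (allowed, reason).
    """
    if not role_only_decision(user, section):
        return False, "role does not permit section"
    consent = patient["consent"]
    if user["org"] in consent["organisations"] and section in consent["sections"]:
        return True, "patient consent"
    if section in PRIVACY_RULE_EXCEPTIONS.get(context, set()):
        return True, "privacy-rule exception (%s)" % context
    return False, "no patient consent"


def audit_entry(user, patient, section, decision):
    """Accountability record of a decision (constructed line format)."""
    allowed, reason = decision
    return "%s@%s %s/%s %s: %s" % (user["id"], user["org"], patient["id"],
                                  section, "ALLOW" if allowed else "DENY", reason)


# Constructed sample data: one patient who consented to clinic-a only, and
# withheld the "lab" section even from that clinic.
PATIENT = {"id": "p-1001",
           "consent": {"organisations": {"clinic-a"},
                       "sections": {"demographics", "diagnosis", "medication"}}}
DR_A = {"id": "dr.lee", "role": "physician", "org": "clinic-a"}
DR_B = {"id": "dr.ng", "role": "physician", "org": "clinic-b"}
NURSE_A = {"id": "nurse.tan", "role": "nurse", "org": "clinic-a"}

if __name__ == "__main__":
    for user, section, ctx in [(DR_A, "lab", "routine"),
                               (DR_B, "diagnosis", "routine"),
                               (DR_B, "medication", "emergency"),
                               (NURSE_A, "diagnosis", "routine")]:
        decision = consent_aware_decision(user, PATIENT, section, ctx)
        print(audit_entry(user, PATIENT, section, decision))
```

Under the role-only check every physician, at any organisation, reads every section; the consent-aware check lets dr.lee read the diagnosis but not the withheld lab results, denies dr.ng at the non-consented clinic in routine care, and still releases medication to dr.ng in an emergency through the privacy-rule path, with the reason recorded for audit.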
2.3.2 Integrity
Integrity can be understood as preserving the
initial representation of data even in the case of
any alterations [20]. Ensuring integrity is key in
EHR systems since it guarantees the accuracy of
data, thus minimizing errors and improving the
safety of patients. Currently, even authorized users
can contribute greatly to inaccuracies if they are
inadequately trained in the use of the system; for
instance, the cut-and-paste feature and drop-down
menus have been reported as one of the main
causes of data inaccuracies in
REFERENCES