Image-based Malware Classification: A Space Filling Curve Approach
Pub Date : 2019-10-01  DOI: 10.1109/VizSec48167.2019.9161583  Venue: 2019 IEEE Symposium on Visualization for Cyber Security (VizSec)
S. O’Shaughnessy
Anti-virus (AV) software is effective at distinguishing between benign and malicious programs, yet it lacks the ability to classify malware into its respective family. AV vendors receive very large volumes of malicious programs daily, so classification is crucial to quickly identify variants of existing malware that would otherwise have to be examined manually. This paper proposes a novel method of visualizing and classifying malware using space-filling curves (SFCs) to address these limitations of AV tools. The classification models produced were evaluated on previously unseen samples and showed promising results, with precision, recall and accuracy of 82%, 80% and 83% respectively. Furthermore, a comparative assessment against previous research and current AV technologies showed that the method presented here was robust, outperforming most commercial and open-source AV scanners.
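The core idea of an SFC visualization is to lay the bytes of a file along a curve that keeps neighbouring offsets on neighbouring pixels, so that a section of the binary becomes a compact blob in the image and a variant with a small patch produces an almost identical picture. The following is an added example, not code from the paper: it uses a Hilbert curve (the abstract does not say which curve or classifier the paper used), the iterative index-to-coordinate mapping, and a constructed byte ramp as a stand-in binary; the names `hilbert_d2xy`, `to_image` and `pixel_diff_ratio` are this example's own.

```python
"""Byte-to-pixel layout of a binary along a Hilbert curve (added example, not the paper's code)."""
from typing import List, Tuple


def _rot(n: int, x: int, y: int, rx: int, ry: int) -> Tuple[int, int]:
    """Flip/transpose one quadrant so its sub-curve connects to the next (iterative Hilbert form)."""
    if ry == 0:
        if rx == 1:
            x, y = n - 1 - x, n - 1 - y
        x, y = y, x
    return x, y


def hilbert_d2xy(n: int, d: int) -> Tuple[int, int]:
    """Map curve index d in [0, n*n) to (x, y) on an n x n grid; n must be a power of two."""
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def locality_preserved(n: int) -> bool:
    """True if every pair of consecutive file offsets lands on 4-neighbouring pixels.
    This is the property that keeps a code or data section clustered in the image."""
    prev = hilbert_d2xy(n, 0)
    for d in range(1, n * n):
        cur = hilbert_d2xy(n, d)
        if abs(cur[0] - prev[0]) + abs(cur[1] - prev[1]) != 1:
            return False
        prev = cur
    return True


def to_image(data: bytes, order: int) -> List[List[int]]:
    """Lay out the first n*n bytes (n = 2**order) as a grayscale image; short input is zero-padded."""
    n = 1 << order
    img = [[0] * n for _ in range(n)]
    for d, value in enumerate(data[: n * n]):
        x, y = hilbert_d2xy(n, d)
        img[y][x] = value
    return img


def pixel_diff_ratio(a: List[List[int]], b: List[List[int]]) -> float:
    """Fraction of pixels that differ between two images of the same size."""
    n = len(a)
    differing = sum(1 for y in range(n) for x in range(n) if a[y][x] != b[y][x])
    return differing / (n * n)


# Constructed stand-in for a binary (a repeating byte ramp) and a "variant" with an 8-byte patch.
BASE_SAMPLE = bytes(range(256)) * 4
_variant = bytearray(BASE_SAMPLE)
_variant[100:108] = b"\xff" * 8
VARIANT_SAMPLE = bytes(_variant)


def compare_variants(order: int = 5) -> float:
    """Pixel difference between the base sample and its patched variant on a 32x32 image."""
    return pixel_diff_ratio(to_image(BASE_SAMPLE, order), to_image(VARIANT_SAMPLE, order))


if __name__ == "__main__":
    for row in to_image(BASE_SAMPLE, 3):
        print(" ".join(f"{v:02x}" for v in row))
    print("variant differs in", compare_variants(), "of pixels")
```

Note that the 8 patched bytes change exactly 8 pixels, and because the curve is bijective and locality-preserving they form one small cluster rather than being smeared across a row boundary as a row-major raster would do. A classifier trained on such images is therefore comparing shapes of sections, which is why byte-level variants of one family look alike; it also means a packer or re-ordered sections will defeat it, a caveat any image-based approach shares.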
Explainable Visualization of Collaborative Vandal Behaviors in Wikipedia
Pub Date : 2019-10-01  DOI: 10.1109/VizSec48167.2019.9161504  Venue: 2019 IEEE Symposium on Visualization for Cyber Security (VizSec)
S. Subramanian, P. Pushparaj, Zerong Liu, Aidong Lu
Online social networks are frequent targets of fraud and attacks, which are difficult to detect because of their complexity and variety. The challenge is to make sense of all the information with exploration tools suited to different groups of users. This project focuses on an explainable visualization approach to studying the collaborative behaviors of vandal users on Wikipedia. Our approach builds visualizations with commonly used techniques from cartography and statistical graphics that are familiar to the general public, for effectiveness and explainability. We have built a large-scale visualization system that supports an illustrative interface with multiple data query, filtering, analysis, and interactive exploration functions. Examples and case studies are provided to demonstrate that our approach can be used effectively for a set of Wikipedia behavior analysis tasks.
SymNav: Visually Assisting Symbolic Execution
Pub Date : 2019-10-01  DOI: 10.1109/VizSec48167.2019.9161524  Venue: 2019 IEEE Symposium on Visualization for Cyber Security (VizSec)
M. Angelini, G. Blasilli, Luca Borzacchiello, Emilio Coppa, Daniele Cono D'Elia, C. Demetrescu, S. Lenti, S. Nicchi, G. Santucci
Modern software systems require the support of automatic program analyses to answer questions about their correctness, reliability, and safety. In recent years, symbolic execution techniques have played a pivotal role in this field, backing research in different domains such as software testing and software security. Like other powerful machine analyses, symbolic execution is often affected by efficiency and scalability issues that can be mitigated when a domain expert interacts with its execution, steering the computation to reach the desired goals faster. In this paper we explore how visual analytics techniques can help the user grasp properties of the ongoing analysis and use such insights to refine the symbolic exploration process. To this end, we discuss two real-world usage scenarios from the malware analysis and vulnerability detection domains, showing how our prototype system can help users make wiser use of symbolic exploration techniques in the analysis of binary code.
NetCapVis: Web-based Progressive Visual Analytics for Network Packet Captures
Pub Date : 2019-10-01  DOI: 10.1109/VizSec48167.2019.9161633  Venue: 2019 IEEE Symposium on Visualization for Cyber Security (VizSec)
Alex Ulmer, D. Sessler, J. Kohlhammer
Network traffic log data is a key data source for forensic analysis of cybersecurity incidents. Packet captures (PCAPs) are the raw information gathered directly from the network device. As bandwidth and the number of connections to other hosts grow, this data becomes very large very quickly. Malware analysts and administrators use this data frequently in their analysis. However, the most widely used tool, Wireshark, displays the data as a table, making it difficult to get an overview and focus on the significant parts. Also, loading large files into Wireshark takes time and has to be repeated each time the file is closed. We believe that this problem is an ideal setting for a client-server infrastructure with a progressive visual analytics approach: the processing can be outsourced to the server while the client is progressively updated. In this paper we present NetCapVis, a web-based progressive visual analytics system in which the user can upload PCAP files, set initial filters to reduce the data before uploading, and then immediately interact with the data while the rest is progressively loaded into the visualizations.
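The two mechanisms in that abstract, a filter applied before the capture is shipped and a server that hands the client results in increments, are easy to see on the classic pcap format itself: a 24-byte global header followed by 16-byte record headers, each giving the captured length of the frame that follows. The block below is an added example and not NetCapVis code: it writes a small constructed capture, parses it record by record, stops cleanly at a truncated tail (the state a partial upload or cut capture leaves you in), applies a 5-tuple filter, and yields summaries in batches the way a progressive client would consume them. The frame builder, the batch size and the filter are this example's choices.

```python
"""Progressive, filtered loading of a classic pcap file (added example, not NetCapVis code)."""
import struct
from typing import Callable, Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, proto: int = 6, payload: bytes = b"") -> bytes:
    """Ethernet/IPv4/TCP-or-UDP frame used as test input. Checksums stay zero: this never goes on a wire."""
    if proto == 6:    # TCP SYN, 20-byte header
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == 17:  # UDP, 8-byte header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        raise ValueError("example builds TCP (6) or UDP (17) only")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0x1234, 0x4000,
                     64, proto, 0, _ip(src), _ip(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4 + payload


def write_pcap(frames: List[bytes], snaplen: int = 65535) -> bytes:
    """Global header, then (ts_sec, ts_usec, incl_len, orig_len) + frame per record, little-endian."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_records(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ts_sec, frame) for every complete record. A truncated tail ends iteration
    instead of raising, so everything captured before the cut is still usable."""
    if len(buf) < 24:
        return
    magic = struct.unpack("<I", buf[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng or unknown magic)")
    if struct.unpack(end + "I", buf[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(buf):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", buf[off:off + 16])
        off += 16
        if off + incl_len > len(buf):
            return                      # record header present but frame data cut short
        yield ts_sec, buf[off:off + incl_len]
        off += incl_len


def summarize(frame: bytes) -> Optional[Dict]:
    """5-tuple of an IPv4-over-Ethernet frame; None for anything else (ARP, IPv6, runt frames)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
            "proto": proto, "sport": sport, "dport": dport}


def progressive_load(buf: bytes, keep: Callable[[Dict], bool], batch_size: int = 2) -> Iterator[List[Dict]]:
    """Stream filtered summaries in small batches so a client can draw each one as it arrives;
    `keep` is the filter applied before anything is shipped."""
    batch: List[Dict] = []
    for ts, frame in iter_records(buf):
        summary = summarize(frame)
        if summary is None or not keep(summary):
            continue
        summary["ts"] = ts
        batch.append(summary)
        if len(batch) == batch_size:
            yield batch
            batch = []
    if batch:
        yield batch


# Constructed capture: five frames between private and RFC 5737 documentation addresses, nothing real.
SAMPLE_PCAP = write_pcap([
    build_frame("10.0.0.5", "192.0.2.10", 51000, 443),
    build_frame("10.0.0.5", "10.0.0.53", 51001, 53, proto=17, payload=b"\x00" * 12),
    build_frame("10.0.0.7", "192.0.2.10", 51002, 443),
    build_frame("10.0.0.5", "198.51.100.9", 51003, 80),
    build_frame("10.0.0.9", "203.0.113.4", 51004, 443),
])


def load_https_only(buf: bytes = SAMPLE_PCAP) -> List[List[Dict]]:
    """Pre-upload filter 'TCP to port 443', delivered in batches of two."""
    return list(progressive_load(buf, lambda p: p["proto"] == 6 and p["dport"] == 443, batch_size=2))


if __name__ == "__main__":
    for i, batch in enumerate(load_https_only()):
        print(f"batch {i}: {[(p['src'], p['dst'], p['dport']) for p in batch]}")
```

The filter runs on the parsed 5-tuple rather than on raw bytes, so it is the same predicate whether it executes in the browser before upload or on the server; the batch generator is what lets a UI stay responsive on a multi-gigabyte file. Real captures will also contain pcapng, VLAN-tagged and non-IPv4 frames, which this parser rejects or skips rather than mis-parsing.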
An Exploration of Cyber Symbology
Pub Date : 2019-10-01  DOI: 10.1109/VizSec48167.2019.9161577  Venue: 2019 IEEE Symposium on Visualization for Cyber Security (VizSec)
M. Varga, C. Winkelholz, Susan Träber-Burdin
This paper reports a study on cyber symbology conducted by the North Atlantic Treaty Organization (NATO) Research Task Group on Exploratory Visual Analytics. There is a clear need to develop military cyber symbology to enable visualization of the cyber situation, but there is no clear solution or methodology for how this can best be done. This paper discusses existing approaches and considers the aspects that future research will have to cover. It also lays out the questions that such research must answer. It therefore provides a foundation and context for future research programmes to develop military cyber symbology.
PunyVis: A Visual Analytics Approach for Identifying Homograph Phishing Attacks
Pub Date : 2019-10-01  DOI: 10.1109/VizSec48167.2019.9161590  Venue: 2019 IEEE Symposium on Visualization for Cyber Security (VizSec)
Brett Fouss, Dennis M. Ross, A. Wollaber, Steven R. Gomez
Attackers seeking to deceive web users into visiting malicious websites can exploit limitations of the tools intended to help browsers translate domain names containing non-ASCII characters, or internationalized domain names (IDNs). These attacks, called homograph phishing, involve registering Unicode domain names that are visually similar to legitimate ones but direct users to different servers. Tools exist to identify when domains use non-ASCII characters, which are translated by the Punycode encoding to work with the Domain Name System (DNS); however, these tools cannot automatically distinguish between benign use cases and ones with malicious intent, leading to high rates of false-positive alerts and increasing the workload of analysts looking for evidence of homograph phishing. To address this problem, we present PunyVis, a visual analytics system for exploring and identifying potential homograph attacks in large network datasets. By targeting instances of Punycode that use characters easily confused with ASCII ones to spoof popular websites, PunyVis quickly condenses large datasets into a small number of potentially malicious records. Using the interactive tool, analysts can evaluate potential phishing instances and view supporting information from multiple data sources, as well as gain insight into the overall risk and threat posed by homograph attacks. We demonstrate how PunyVis supports analysts in a case study with domain experts, and identify divergent analysis strategies and the need for interactions that support how analysts begin exploration and pivot around hypotheses. Finally, we discuss design implications and opportunities for cyber visual analytics.
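The triage step the abstract describes, decoding each `xn--` label and asking whether it spoofs a popular name, is something an analyst can script before any visualization is involved. The block below is an added example, not PunyVis code: it decodes labels with the standard-library Punycode codec, collapses lookalike characters to a "skeleton" using a small constructed subset of the Unicode confusables table (the real table is far larger), compares the skeleton against a short constructed list of popular names, and reports whether the label mixes scripts. The two real-world labels `xn--80ak6aa92e` and `xn--mnchen-3ya` are well-known decodings; the third sample label is built in the block from a constructed mixed-script string. Characters are written as `\u` escapes so that the Cyrillic lookalikes cannot be misread for Latin in the source, which is the very confusion the paper is about.

```python
"""Decode Punycode labels and flag lookalikes of popular names (added example, not PunyVis code)."""
import unicodedata
from typing import Dict, List

# Constructed subset of Unicode TR39 confusables: Cyrillic/Greek letters and two digits that render
# like ASCII. The real table has thousands of entries; this is illustration data only.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
    "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u0501": "d",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
    "1": "l", "0": "o",
}
POPULAR = ["apple", "google", "paypal", "microsoft", "amazon"]   # constructed target list


def decode_ace(label: str) -> str:
    """ToUnicode for one label: strip the xn-- ACE prefix and run the RFC 3492 Punycode decoder."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(text: str) -> str:
    """Collapse visually confusable characters: NFKD, drop combining marks, map lookalikes to ASCII."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLE.get(ch, ch))
    return "".join(out).lower()


def scripts(text: str) -> List[str]:
    """Scripts of the letters in text, taken from the first word of each Unicode character name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()})


def classify(label: str) -> Dict:
    """Decode one label and decide whether its skeleton collides with a popular name it is not."""
    decoded = decode_ace(label)
    sk = skeleton(decoded)
    scr = scripts(decoded)
    return {
        "ace": label,
        "unicode": decoded,
        "skeleton": sk,
        "scripts": scr,
        "mixed_script": len(scr) > 1,
        "target": sk if sk in POPULAR and sk != decoded else None,
    }


def find_homographs(labels: List[str]) -> List[Dict]:
    """Keep only labels whose skeleton matches a popular name; benign IDNs fall through."""
    return [c for c in map(classify, labels) if c["target"]]


def _ace(unicode_label: str) -> str:
    """ToASCII for a constructed label, used only to build sample input."""
    return "xn--" + unicode_label.encode("punycode").decode("ascii")


SAMPLE_LABELS = [
    "xn--80ak6aa92e",         # all-Cyrillic lookalike of "apple"; passes a naive mixed-script check
    "xn--mnchen-3ya",         # "muenchen" with u-umlaut: a legitimate IDN
    _ace("p\u0430ypal"),      # Latin with one Cyrillic "a": mixed-script lookalike (constructed)
    "apple",                  # plain ASCII, not an IDN
    "app1e",                  # ASCII digit standing in for "l": not Punycode at all
]


if __name__ == "__main__":
    for hit in find_homographs(SAMPLE_LABELS):
        print(f"{hit['ace']:<22} -> {hit['unicode']:<10} spoofs {hit['target']:<8} "
              f"scripts={hit['scripts']} mixed={hit['mixed_script']}")
```

Two things this makes visible that a raw "contains xn--" alert does not: the classic all-Cyrillic `xn--80ak6aa92e` is single-script, so a mixed-script rule alone would never raise it, while `xn--mnchen-3ya` decodes to a real place name and produces no skeleton collision, which is exactly the benign case that inflates false positives. In production, decode with the `idna` codec or library rather than bare Punycode so that nameprep/UTS 46 validity checks are applied, and use the full confusables table.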