Search: kharrazi--mehdi (Total 605 records)
Passive Worm and Malware Detection in Peer-to-Peer Networks
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Due to the advantages of Peer-to-Peer (P2P) networks, many internet users use them for content distribution. These systems may be categorized as Centralized, Pure, and Hybrid. Gnutella is a heavily decentralized and unstructured file-sharing P2P network that is responsible for a good part of the traffic on the internet. These P2P networks are at risk of many security threats from internet worms. Internet worms and their threats are a major concern to the networking community. In this thesis we concentrate on passive non-scanning worms and propose a novel approach to detect such worms. As part of our work, we collected data from the Gnutella...
Detection of Phishing Websites Using Fast Flux Service Networks
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
One of the most well-known attacks on the internet is the phishing attack. Several tools have been applied in order to discover and counter this type of attack. Since attackers can change their approaches at little cost, they apply methods to elude these tools. One of the tricks which has recently become popular among attackers is the utilization of Fast-Flux Service Networks. By using these destructive networks, recognition of the main server becomes more complicated. Therefore, the server remains more accessible than before and its lifetime becomes longer. In this thesis, by collecting data of the Sharif server and...
A Botnet Detection Technique
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
A set of infected computers which are coordinated in some manner according to one party's will, and which can perform malicious activities and pose threats in cyberspace, forms a network of bots, namely a botnet. Botnet threats are more important and significant than other malware due to their huge scale. A large number of computers coming together in a network and obeying one party's commands allows their controller to conduct, for example, DoS attacks larger than any previously seen incidents. This thesis introduces botnets, their various threats, and an effective technique for detecting them. For this purpose, the different probable states of bots are studied and modeled as a coherent bot life-cycle. The bot life-cycle allows...
Detection and Analysis of Environment-Aware Malwares
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
During the recent decade, the huge number of new malware samples and their complexity have posed challenges to the malware detection process. Additionally, the use of kernel-level rootkits has grown. While rootkits usually defeat current security products, which chiefly rely on the operating system both for gathering information and for running, existing anti-rootkit solutions cannot cover all kinds of rootkits. In this work we have studied the problem of kernel-level rootkits in the Windows operating system. We believe that focusing on kernel driver features will provide the overall view needed for monitoring the kernel activity of rootkits. Thus, given the evidence for a lower volume of obfuscation...
Improving Defensive Techniques Against Malwares
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Advances in the computing and networking areas have led to the advent of malware with new and sophisticated features. One such type is environment-sensitive malware, which behaves differently when it finds specific signs in the execution environment. It was first considered and defined in the context of malware analysis systems, meaning that this type of malware stops its malicious behavior when it detects an analysis machine as its execution environment. In this way it can challenge and evade the analysis process. Afterwards, the domain of environment-sensitive malware went beyond analysis systems and covered all environmental sensitivities which hinder the progress of...
Distributed Denial of Service Mitigation
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Denial of service (DoS) attacks are among the main challenges for service providers, since their purpose is to make the providers' services unavailable. Nowadays these attacks have changed from centralized to distributed (DDoS) by means of botnets. In addition, botnets allow attackers to launch attacks on higher layers of the network, such as the application layer. In new application-layer DDoS attacks, the attacker sends HTTP requests to waste the victim's resources. In addition, the attacker can start the attack during a flash crowd event, which makes the attack harder to detect. In this research, in order to mitigate such attacks, we introduce a method based on the user's history.
This history consists of the user's request rate for each...
Analyzing Permission Abuses in the Android Operating System
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Android phones are widely used now. A convenient user interface and the variety of applications for these devices have played a significant role in their success. The wide usage of these devices, together with the nature of their applications, leads to the collection of lots of sensitive information on them. Consequently, the protection of this information is very important. The unfamiliarity and inattention of most smartphone users with regard to security issues highlight the importance of data protection and privacy. Permission access in the Android operating system is static, and users must grant applications the requested permissions when installing them. Also, these programs can use their...
Improving Android Malware Detection Techniques
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Widespread growth in the popularity of Android apps stimulates malware authors to consider Android-based devices an attractive target platform. To defend against this severe increase in Android malware and help users make a better evaluation of apps, several approaches have been proposed. However, most of them suffer from shortcomings such as being computationally expensive, not being general, or not being robust enough. Because of the obfuscation, encryption, and transformation techniques used in malware, static detection techniques are not efficient. Another approach is to use dynamic detection techniques, but existing dynamic techniques suffer from a lack of attention to semantic...
Inferring APIs Correct Usage Rules From Their Source Code
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Researchers show that one of the critical sources of bugs is incorrect API usage, which in some cases can cause serious security vulnerabilities. The lack of knowledge about correct API usage rules is one of the main reasons that APIs are employed incorrectly by programmers; however, finding a correct usage rule for an API is time-consuming and error-prone, particularly since API documentation is unavailable in most cases. Existing approaches to automatically extract correct usage rules consider the majority usage as the correct rule for an API. Although statistically extracting correct API usage rules can achieve reasonable accuracy, it cannot work correctly in the absence of a fair amount...
Software De-Obfuscation and its Applications to Malware Analysis
, Ph.D. Dissertation Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Obfuscation transformations complicate software and make it incomprehensible through syntactic changes. This provides a high incentive for malware authors to employ different obfuscation techniques. The practical nature of this problem and the lack of common definitions in this area have limited the efforts to counter it. Whenever a new obfuscation method becomes known in the wild, ad-hoc deobfuscation solutions follow it, trying to recognize it in detail and reverse it step by step. As more obfuscation transformations become readily available to malware developers, this approach becomes more costly and impractical. This raises the perceived need for automated deobfuscation. For example, the...
Attack Mitigation in Multi-service Web Applications
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Defending software against different types of attacks is challenging enough, but for server-side programs it is even harder. The ever-changing nature of the technologies used in server-side programs makes it more complex. In this thesis we try to identify these challenges in regard to two specific technologies: multi-service architectures and asynchronous I/O. Then, we present a new framework for running software in asynchronous multi-service architectures with native support for access control rules. Our framework acts as an intermediary between services and can support rules based on the distributed request context that exists between services.
Vulnerability Extraction in Large Codebases Through Template Generalization
, Ph.D. Dissertation Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
As the size and complexity of software increase, the number of software vulnerabilities also increases. An examination of vulnerability reports shows that, in addition to the fact that a large number of unknown vulnerabilities still exist in software, there is still no proper solution for identifying vulnerabilities of which one sample has already been observed in real-world software. The main reason for this is the lack of a suitable template for recognized vulnerabilities, which ultimately makes searching for them in other software a problem of scalability and high search cost. This thesis, recognizing the importance of the issue, presents a framework for extracting robust and...
Topic Web-based Malware Detection
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Web-based malware is recognized as one of the top-ranked threats on the Web. It includes harmful code or scripts embedded in infected websites which spread into the victim's system when an infected website is visited. These malicious scripts automatically install malicious programs on the victim's system without the user's knowledge and consent. By taking control of the victim's system, the attacker can steal sensitive data from the system or use its computational power in malicious activities like spamming and DoS attacks. Malware authors have started using more advanced techniques like obfuscation to circumvent detection of malicious activities by conventional security tools such as...
Analysis of Network Traffic Encrypted at the IP Level
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
The increasing use of the Internet as the main communications method has increased the importance of user privacy and the security of their information. Different protocols and methods have been proposed to provide security, but sometimes they are used to violate the network's obligations. Increasing users' privacy and security reduces the network administrators' power to control and manage the network, and this can create vulnerabilities which could be exploited by attackers to violate usage policies. Traffic analysis can be used by administrators to collect information from their network without having to prohibit the use of security protocols. Different...
A Model for Network Telescope on White IP Address Space
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Network Telescopes are used to extract security features of large attacks targeted at large networks. In this method, all traffic received that is targeted to an unused address block is processed to find useful information about the descriptive parameters of worm propagation. Currently all research is focused on dark addresses or unused address blocks; in this research the idea is generalized to cover used and white address blocks. Also, the structure of the network telescope is defined in a new manner which adds more details to prediction and estimation methods. To extract security features of attack events, a new method has been introduced for inference about attack parameters. The proposed method may be used to predict...
Botnet C&C Channel Detection Based on DNS Traffic Analysis
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
A study of recent trends in cyber-attacks reveals that the large families of controllable compromised computers known as botnets are the prominent sources of threats on the internet. Sending stolen information and receiving commands are the principal activities of bots through C&C channels. Thus, maximizing the availability of these vital mediums is one of their necessities. In order to achieve this aim, new evasion techniques such as fast-flux have evolved in botnets, in which a domain name with multiple resolved IPs is used rather than assigning a fixed IP to the C&C servers. Although numerous approaches have been proposed for detecting fast-flux networks, needing a large amount of labeled data...
Improving Bloom Filters Based Payload Attribution Techniques
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
The scope of cyber-crime and its related complexity are growing rapidly. Keeping a history of communications and exchanged data for analysis is very important and inevitable. Maintaining data related to history enables the reconstruction of the events that have happened, but storing everything in raw form would require large storage. The high volume needed for storing these data causes great challenges such as very long times for inserting and searching data. Moreover, privacy concerns are another problem in this context, so saving all raw data is not possible. Using methods like compression and hashing can help in solving such problems. Accordingly, Payload Attribution techniques have been proposed...
A fine-grained Virtual Machine Introspection
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Virtualization is one of the widely used technologies which has enhanced the utilization of hardware resources and made computer management easier. Cloud computing is one of its appealing applications, providing various electronic services in the form of virtual machines to users. A common security threat to virtual machines in cloud services is the vulnerabilities of the programs and operating systems they run. Attackers can take advantage of these vulnerable machines and abuse them to carry out attacks. Virtual Machine Introspection (VMI) techniques are proposed and used by cloud providers, utilizing the management capabilities in the hypervisor to intercept hardware accesses and...
Software Vulnerability Characterization
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Today, lots of vulnerabilities are discovered by researchers who are analyzing software. Some researchers study these discovered vulnerabilities and find new ones that are similar to them. To do so, they need to first characterize each previously discovered vulnerability and extract the vulnerable context of the program, then extract new vulnerabilities based on that. Some vulnerabilities emerge because of developer mistakes in the implementation phase. Software developers use different function calls to achieve the goal of the program. Incorrect invocation of functions can lead to critical vulnerabilities. Our investigation shows that the root cause of some vulnerabilities is incorrect...
Improving Path Selection in Tor Anonymous Network
, M.Sc. Thesis Sharif University of Technology ; Kharrazi, Mehdi (Supervisor)
Abstract
Today one of the most important challenges of the internet is protecting the privacy of its users. Currently there are just a few practical anonymity systems on the internet, and one prominent example is the Tor anonymity network, which works based on the well-known onion routing. Although Tor is designed to provide low-latency anonymity, its users face long delays using this network and most of them do not tolerate these delays. So they leave the network, which decreases the size of the anonymity set, and in a smaller anonymity set it is easier to attack the network and violate the privacy of users. The most important factor affecting the performance and security of Tor is how a path is selected...