Publications

2019
Viswanath, H, Mehtre BM.  2019.  System and method for detection and prevention of data breach and ransomware attacks. Google Patents. (us010262139.pdf)

The embodiments herein disclose a system and method for detecting ransomware and preventing data breaches. The method identifies whether a file-access process was initiated and executed by a user or by a malware program. It uses keystrokes and mouse events together with OCR output extracted from a recorded background screen image to check whether the user initiated the process. If a new process or file-replication request starts automatically, without any corresponding pattern in keystrokes, mouse events or the background screen, the process is classified as ransomware or a data breach.

2018
Viswanath, H, Mehtre BM.  2018.  System and Method for Zero-Day Privilege Escalation Malware Detection. (us9959406.pdf)

The various embodiments herein disclose a system and method for detecting zero-day privilege escalation malware at the host level. The method identifies whether a privilege escalation was initiated and executed by a user or by a malware program. It uses keystrokes and mouse events together with OCR output extracted from a recorded background screen image to check whether the user initiated the privilege escalation. If a new process starts automatically, without any corresponding pattern in keystrokes, mouse events or the background screen, the process is classified as zero-day privilege escalation malware.
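Both patent abstracts above rest on the same test: a process start or a burst of file writes that no keystroke, mouse event or on-screen mention of the program preceded is treated as malware activity. The block below is an added illustration of that test in working code; it is not the patented systems' code. The event format, the 2-second window, the burst threshold and the sample event stream are all assumptions made here.

```python
"""Added example, not the patented systems' code: decide whether a process start
or a burst of file writes was preceded by human activity (keystrokes, mouse
events, or the program's name visible in OCR text from a screen capture), the
test both abstracts above describe. The event format, the 2-second window, the
burst threshold and the sample event stream are all assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    t: float          # seconds since monitoring started
    kind: str         # "key" | "mouse" | "screen" | "proc_start" | "file_write"
    pid: int = 0
    detail: str = ""  # OCR text for "screen", image path for "proc_start", file path for "file_write"


def program_stem(path: str) -> str:
    """'C:\\Tools\\WINWORD.EXE' -> 'winword', comparable against OCR text."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def user_initiated(ev: Event, humans: List[float],
                   screens: List[Tuple[float, str]], window: float) -> bool:
    """Did a key/mouse event, or an on-screen mention of the program being
    launched, occur within `window` seconds before this process start?"""
    if humans and ev.t - humans[-1] <= window:
        return True
    stem = program_stem(ev.detail)
    return bool(stem) and any(ev.t - t <= window and stem in text.lower()
                              for t, text in screens)


def classify(events: List[Event], window: float = 2.0, burst: int = 10) -> Dict[int, str]:
    """Return a verdict per pid. A process nobody launched that then writes
    `burst` files inside one window with nobody at the keyboard is the
    ransomware / data-exfiltration pattern the patents flag."""
    humans: List[float] = []                 # timestamps of key and mouse events
    screens: List[Tuple[float, str]] = []    # (timestamp, OCR text)
    attended: Dict[int, bool] = {}           # pid -> start was user-initiated
    writes: Dict[int, Deque[float]] = defaultdict(deque)
    verdicts: Dict[int, str] = {}
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind in ("key", "mouse"):
            humans.append(ev.t)
        elif ev.kind == "screen":
            screens.append((ev.t, ev.detail))
        elif ev.kind == "proc_start":
            attended[ev.pid] = user_initiated(ev, humans, screens, window)
            verdicts[ev.pid] = "user" if attended[ev.pid] else "suspect: unattended start"
        elif ev.kind == "file_write":
            q = writes[ev.pid]
            q.append(ev.t)
            while q and ev.t - q[0] > window:   # keep only writes inside the window
                q.popleft()
            idle = not humans or ev.t - humans[-1] > window
            if len(q) >= burst and not attended.get(ev.pid, False) and idle:
                verdicts[ev.pid] = "suspect: unattended file replication"
    return verdicts


# Constructed sample stream (an assumption, not captured telemetry):
# pid 100 is launched by a click, pid 300 by a program whose name is on screen,
# pid 200 appears from a temp directory with nobody at the console and starts
# rewriting documents.
SAMPLE_EVENTS: List[Event] = [
    Event(0.0, "screen", detail="Documents  report.docx  WINWORD"),
    Event(0.5, "mouse"),
    Event(0.7, "proc_start", pid=100, detail="C:\\Program Files\\Office\\WINWORD.EXE"),
    Event(1.0, "file_write", pid=100, detail="C:\\Users\\a\\Documents\\~$report.docx"),
    Event(5.0, "screen", detail="notepad"),
    Event(5.5, "proc_start", pid=300, detail="C:\\Windows\\notepad.exe"),
    Event(30.0, "proc_start", pid=200, detail="C:\\Users\\a\\AppData\\Local\\Temp\\svch0st.exe"),
] + [
    Event(30.1 + 0.05 * i, "file_write", pid=200, detail=f"C:\\Users\\a\\Documents\\f{i}.docx.locked")
    for i in range(12)
]

if __name__ == "__main__":
    for pid, verdict in sorted(classify(SAMPLE_EVENTS).items()):
        print(pid, verdict)
```

Two caveats worth keeping in mind when reading the abstracts: a dropper the user double-clicked looks "attended" by this test, so the heuristic is a signal to combine with others rather than a verdict on its own, and malware that synthesises input (SendInput on Windows, xdotool on X11) produces exactly the keystroke and mouse pattern the test looks for.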

2015
Nath, HV, Mehtre BM.  2015.  Analysis of a multistage attack embedded in a video file, 2015. 17(5):1029-1037.

In the 1990s, burglars would break into a house while the residents were watching an interesting television show. Such attacks happened in the physical world, and the cyber world was expected to be free of them. Unfortunately, this is not true: a skilled attacker can compromise a system while the user is viewing an (interesting) video file. Computer users frequently use their machines to watch videos; they may be naive users or people who work on mission-critical systems such as banking, defence, nuclear power plants or space agencies, so playing a video file can carry a high security risk. In this paper we analyse video files to detect multistage attacks. We found that some video files contain a malicious link through which an exploit is downloaded onto the host machine. The contribution of this paper is the discovery of novel attacks hidden by the perpetrator in innocuous video files with the objective of staging a targeted attack in multiple stages. Finally, we propose a new method for detecting such attacks, carried out through video files, using API calls.

Nath, HV, Mehtre BM.  2015.  Ensemble learning for detection of malicious content embedded in PDF documents, 19-21 Feb. 2015. 2015 IEEE International Conference on Signal Processing, Informatics, Communication and Energy Systems (SPICES). :1-5.

Portable Document Format (PDF) is the de facto standard for sharing documents. Even though PDF is a document description language, it has many features of a programming language. Its support for JavaScript (a vector for malicious scripts) and its ability to embed any file into a document create a large potential for damaging cyber attacks. From 2008 onwards, attackers have concentrated more on embedding malicious code in PDF documents. Compared with PE files, PDF files pose a higher risk because the embedded content can be encrypted and/or encoded. Recently, multistage delivery of malware has been used for APTs and targeted attacks, with PDF documents accomplishing one or more of the stages; in MiniDuke, for example, a PDF file was used for the first stage and went undetected for almost two years. Such files can be considered carriers of k-ary codes. In this paper we bring out the importance of analysing the data encoded in stream objects along with other structural information. As a proof of concept we embed JavaScript into a PDF document in a way that none of the existing PDF parsers detects. Finally, we propose ensemble learning for detecting such PDF files.
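The abstract's point is that a scanner which only pattern-matches the raw bytes of a PDF never sees content that sits inside an encoded stream. The block below is an added illustration of that gap, not the paper's proof of concept or code: it builds a small PDF in which the catalog's /OpenAction key is hex-escaped (legal PDF name syntax) and the JavaScript action object lives only inside a FlateDecode-compressed object stream, then compares a byte-level scan with one that decodes streams and resolves name escapes. The sample PDF, the keyword list and the regular expressions are assumptions made here; a production parser would honour /Length and the xref rather than searching for "endstream".

```python
"""Added example, not the paper's code: a PDF scanner that looks inside
FlateDecode streams and resolves #xx name escapes, beside a byte-level scan
that does neither. The sample PDF is constructed here (an assumption, not a
real-world sample) and is deliberately minimal: no xref table, one object stream."""
import re
import zlib
from typing import Set

# Keys a triage scanner usually counts as structural risk indicators (assumed list).
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/ObjStm"]

# A dictionary (one nesting level allowed) followed by a stream body. A real
# parser would honour /Length rather than searching for "endstream".
STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve /Open#41ction-style hex escapes so obfuscated keys compare equal
    to plain ones. Used for matching only, never to rewrite the file."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def keyword_hits(data: bytes) -> Set[str]:
    # The negative lookahead stops /JS from matching /JSomething.
    return {k.decode() for k in SUSPICIOUS
            if re.search(re.escape(k) + rb"(?![A-Za-z])", data)}


def naive_scan(pdf: bytes) -> Set[str]:
    """What a byte-level signature pass sees."""
    return keyword_hits(pdf)


def stream_aware_scan(pdf: bytes) -> Set[str]:
    """Scan the file with names normalised, then inflate every FlateDecode
    stream and scan the decoded bytes as well."""
    hits = keyword_hits(normalize_names(pdf))
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in normalize_names(dictionary):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                hits.add("undecodable-stream")   # itself a reason to look closer
                continue
        hits |= keyword_hits(normalize_names(body))
    return hits


def build_sample_pdf() -> bytes:
    """Constructed sample: /OpenAction is hex-escaped in the plaintext catalog and
    the JavaScript action (object 5) exists only inside a compressed object stream."""
    inner = (b"5 0 << /S /JavaScript /JS (app.alert('constructed sample'); "
             b"app.alert('constructed sample')) >>")
    packed = zlib.compress(inner)
    header = (b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\n"
              b"stream\n" % len(packed))
    objstm = header + packed + b"\nendstream\nendobj\n"
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 5 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            + objstm + b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("byte-level scan:  ", sorted(naive_scan(sample)))
    print("stream-aware scan:", sorted(stream_aware_scan(sample)))
```

The byte-level pass reports only the /ObjStm key; the decoding pass additionally surfaces /OpenAction, /JavaScript and /JS. Other filters (/LZWDecode, /ASCIIHexDecode, /ASCII85Decode, filter chains) and encrypted documents need the same treatment, which is why the abstract pairs stream decoding with structural features rather than relying on keyword matching alone.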

2014
Nath, HV, Mehtre BM.  2014.  Static Malware Analysis Using Machine Learning Methods, 2014. Recent Trends in Computer Networks and Distributed Systems Security. (Martínez Pérez, Gregorio, Thampi, Sabu M., Ko, Ryan, Shu, Lei, Eds.). :440-450. Berlin, Heidelberg: Springer Berlin Heidelberg.

Malware analysis forms a critical component of cyber defence. In the last decade, a great deal of research has applied machine learning methods to both static and dynamic analysis. Since the aims of malware developers have shifted from fame to political espionage or financial gain, malware has also evolved in its form and infection methods. One of the latest forms is targeted malware, on which little research has been done. Targeted malware, which is a superset of the Advanced Persistent Threat (APT), has grown in volume and complexity in recent years. Targeted cyber attacks (through targeted malware) play an increasingly malicious role in disrupting online social and financial systems. APTs are designed to steal corporate or national secrets and/or harm national or corporate interests. Targeted malware is difficult to recognise with antivirus, IDS, IPS and custom malware detection tools. Attackers leverage compelling social engineering techniques along with one or more zero-day vulnerabilities to deploy APTs. Alongside these, the recent introduction of CryptoLocker and ransomware poses serious threats to organisations, nations and individuals. In this paper we compare various machine-learning techniques used for analysing malware, focusing on static analysis.

Nath, HV, Mehtre BM.  2014.  Video files and multistage attacks: (Im)possible?, 11-13 Dec. 2014. 2014 Annual IEEE India Conference (INDICON). :1-5.

It is a general belief that executables create more security risk than any other file type, so most host-based and network-based security systems are not programmed to detect threats in non-executable files such as images, movies and office or PDF documents. Moreover, non-executable files such as movies are very large, which discourages scanners from examining them, since doing so costs processing power and delays mission-critical processes. Yet these non-executable files are constantly used by all users, naive and professional alike, so it is important to understand whether they can pose a security risk to a mission-critical system. In recent security breaches, attackers have focused on using such non-executable files to initiate Advanced Persistent Threats (APTs) or multistage attacks. In this paper we analyse a video file downloaded from a popular torrent website and extract the malicious content embedded in it. We found that the file contains a malicious link through which another executable is downloaded onto the host machine; this can be considered the first stage of a multistage attack, used to initiate targeted attacks based on the victim's interests. We also conclude that multistage attacks are not a totally new method of compromising a system. The paper explains one of the methods followed by the attacker, whose aim in this case was to infect machines with adware.

2012
Arun, R, Praveen K, Chandra Bose D, Nath HV.  2012.  A Distortion Free Relational Database Watermarking Using Patch Work Method, 2012. Proceedings of the International Conference on Information Systems Design and Intelligent Applications 2012 (INDIA 2012) held in Visakhapatnam, India, January 2012. (Satapathy, Suresh Chandra, Avadhani, P. S., Abraham, Ajith, Eds.). :531-538. Berlin, Heidelberg: Springer Berlin Heidelberg.

Database relations are widely used over the Internet. Since this data can easily be tampered with, it is critical to ensure its integrity. In this paper we propose the use of fragile watermarks to detect malicious alterations made to a database relation. The proposed scheme is distortion free, unlike other watermarking schemes, which inevitably introduce distortions into the cover data. In our algorithm the watermark is calculated from the values generated by a linear feedback shift register seeded with the key. Watermarks are embedded and verified in the database independently, and hence any modification can be detected.
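The abstract gives the shape of the scheme (a key-seeded LFSR, a fragile watermark, no change to the cover data) without the details. The block below is an added illustration in that spirit and is not the paper's algorithm: a 16-bit LFSR seeded from the key decides which tuples are paired into patches, each patch receives a keyed 32-bit tag that is stored beside the relation rather than in it, and verification recomputes the tags and reports the rows of any patch whose tag no longer matches. The row layout, the LFSR polynomial, the tag length and the sample relation are assumptions made here.

```python
"""Added example, not the paper's scheme: a distortion-free fragile watermark
for a relation. A key-seeded LFSR drives which tuples are paired into patches;
each patch gets a keyed tag stored outside the relation, so the data itself is
never modified. Row layout, LFSR polynomial and sample relation are assumptions."""
import hashlib
from typing import Dict, Iterator, List, Tuple

Row = Dict[str, object]


def lfsr16(seed: int) -> Iterator[int]:
    """16-bit Fibonacci LFSR, x^16 + x^14 + x^13 + x^11 + 1 (period 65535)."""
    state = (seed & 0xFFFF) or 1          # the all-zero state would never advance
    while True:
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)
        yield state


def key_to_seed(key: bytes, tweak: bytes = b"") -> int:
    """Derive a 16-bit LFSR seed from the key; the tweak separates the two uses."""
    return int.from_bytes(hashlib.sha256(key + tweak).digest()[:2], "big")


def canonical(row: Row) -> bytes:
    """Attribute order must not matter, so serialise in sorted key order."""
    return "|".join(f"{k}={row[k]!r}" for k in sorted(row)).encode()


def patches(n: int, key: bytes) -> List[Tuple[int, ...]]:
    """LFSR-driven Fisher-Yates shuffle of row indices, then consecutive pairs.
    An odd trailing row forms a patch of its own."""
    gen = lfsr16(key_to_seed(key, b"pairing"))
    order = list(range(n))
    for i in range(n - 1, 0, -1):
        j = next(gen) % (i + 1)
        order[i], order[j] = order[j], order[i]
    return [tuple(order[i:i + 2]) for i in range(0, n, 2)]


def embed(rows: List[Row], key: bytes) -> List[str]:
    """One 32-bit keyed tag per patch. The relation is left untouched: the
    'embedding' lives entirely in this side table (distortion free)."""
    gen = lfsr16(key_to_seed(key, b"tagging"))
    marks = []
    for patch in patches(len(rows), key):
        h = hashlib.sha256(key)
        h.update(next(gen).to_bytes(2, "big"))   # position-dependent: tags cannot be swapped
        for idx in patch:
            h.update(canonical(rows[idx]))
        marks.append(h.digest()[:4].hex())
    return marks


def verify(rows: List[Row], key: bytes, marks: List[str]) -> List[int]:
    """Indices of rows in patches whose tag no longer matches; [] means intact."""
    pts = patches(len(rows), key)
    expected = embed(rows, key)
    if len(expected) != len(marks):
        return sorted(range(len(rows)))      # a row was inserted or deleted: every pairing shifts
    return sorted(i for patch, want, got in zip(pts, marks, expected)
                  if want != got for i in patch)


# Constructed sample relation (an assumption, not real data).
KEY = b"constructed-demo-key"
ROWS: List[Row] = [
    {"id": 1, "name": "asha", "salary": 52000},
    {"id": 2, "name": "bilal", "salary": 61000},
    {"id": 3, "name": "chen", "salary": 58000},
    {"id": 4, "name": "dara", "salary": 49000},
    {"id": 5, "name": "esin", "salary": 73000},
]

if __name__ == "__main__":
    marks = embed(ROWS, KEY)
    print("intact:  ", verify(ROWS, KEY, marks))
    tampered = [dict(r) for r in ROWS]
    tampered[2]["salary"] = 99000
    print("tampered:", verify(tampered, KEY, marks))
```

Two design points a practitioner should keep in view: the 16-bit seed means the pairing is one of only 65535 possibilities, so secrecy rests on the full key inside the SHA-256 tag and not on the LFSR; and because the marks are stored outside the relation, whoever can rewrite the relation and the side table together can simply re-embed, so the mark store needs its own integrity protection (a signature, or a separate trust domain). A distortion-free fragile scheme of this kind detects modification; it does not prove ownership.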

Nath, HV, Gangadharan K, Sethumadhavan M.  2012.  Reconciliation Engine and Metric for Network Vulnerability Assessment. Proceedings of the First International Conference on Security of Internet of Things. :9–21. New York, NY, USA: ACM.

2011
Shankar, DD, Gireeshkumar T, Nath HV.  2011.  Steganalysis for Calibrated and Lower Embedded Uncalibrated Images, 2011. Swarm, Evolutionary, and Memetic Computing. (Panigrahi, Bijaya Ketan, Suganthan, Ponnuthurai Nagaratnam, Das, Swagatam, Satapathy, Suresh Chandra, Eds.). :294-301. Berlin, Heidelberg: Springer Berlin Heidelberg.

The objective of steganalysis is to detect messages hidden in cover media such as digital images; the ultimate goal of a steganalyst is to extract and decipher the secret message. In this paper we present a powerful new blind steganalytic scheme that can reliably detect hidden data with a relatively small embedding rate in JPEG images, using a technique known as calibration, which increases the success rate of steganalysis by detecting data in the transform domain. The scheme is feature based, in the sense that features sensitive to embedding changes are employed as the means of steganalysis. The features are extracted in the DCT domain: extended DCT features and Markovian features are merged under the calibration technique to eliminate the drawbacks of each (inter-block and intra-block dependency respectively). For the lower embedding rate, the two feature sets are considered separately to obtain a better classification rate. The blind steganalytic technique can analyse a broad spectrum of embedding techniques. The merged feature set contains 274 features (DCT and Markovian). The extracted features are fed to a classifier that distinguishes cover images from stego images; a Support Vector Machine is used as the classifier.

Nath, HV.  2011.  Vulnerability Assessment Methods – A Review, 2011. Advances in Network Security and Applications. (Wyld, David C., Wozniak, Michal, Chaki, Nabendu, Meghanathan, Natarajan, Nagamalai, Dhinaharan, Eds.). :1-10. Berlin, Heidelberg: Springer Berlin Heidelberg.

This paper reviews the major contributions in the field of vulnerability assessment from 1990 onwards. Even well-administered networks are vulnerable to attack. Vulnerabilities are weaknesses in the requirements, design and implementation that attackers exploit to compromise a system. Researchers have proposed a variety of methods: graph-based algorithms that generate attack trees (or graphs), "black-box" and "white-box" analysis, Mobile Ambients, honeypots, various vulnerability tools and their scoring systems, and so on. After surveying a large number of research papers in the field, the amount of existing work for each method is identified and classified; the graph-based algorithms alone form a major area for researchers. The paper concludes with the inferences and results obtained for each method, which can serve as a guideline for researchers.
