Our task is to produce test data for a research program developing a new generation of insider threat detection technologies. Test data is created by injecting fictional malicious activity into a background of real user activity. We rely on fictional narratives to specify threats that simulate realistic social complexity, with “drama as data” as a central organizing metaphor. Test cases are scr...

Malicious users on chat network systems would reduce the willingness of benevolent users to chat on the same network. Thus it is often desirable to classify malicious users based on their personal profile and chat contents. In this study, different algorithms including Naive Bayes, SVM, Decision Table, Multilayer Perceptron, and Logistic classification are applied on the dataset from an anonymo...

The goal of rootkit is often to hide malicious software running on a compromised machine. While there has been significant amount of research done on different rootkits, we describe a new type of rootkit that is kernel-independent – i.e., no aspect of the kernel is modified and no code is added to the kernel address space to install the rootkit. In this work, we present PIkit – Processor-Interc...

One way a malicious insider can attack a network is by masquerading as a different user. Various algorithms have been proposed in an effort to detect when a user masquerade attack has occurred. In this paper, two unsupervised algorithms are proposed with the intended goal of detecting user masquerade attacks. The effectiveness of these two unsupervised algorithms are then compared against super...

In 2010, Lewko, Sahai and Waters proposed an efficient revocation system but they neglected the security differences between one-to-one encryption and one-to-many encryption. In their system, an authority generates all users’ decryption keys once and for all. We remark that the inherent drawback results in that the system is vulnerable to an attack launched by some malicious users. These malici...

Client-side attacks have become an increasing problem on the Internet today. Malicious web pages launch so-called drive-by-download attacks that are capable to gain complete control of a user’s machine by merely having that user visit a malicious web page. Criminals that are behind the majority of these malicious web pages are highly sensitive to location, language and economic trends to increa...

Automated understanding of natural language is a challenging problem, which has remained open for decades. We have investigated its special case, focused on identifying relevant concepts in natural-language text in the context of a specific given task. We have developed a set of general-purpose language interpretation techniques and applied them to the task of detecting malicious websites by an...

Traditionally, viruses and other malware were distributed using push techniques – viruses directly or malware authors actively distributed copies around. With the exception of auto-executing worms this method of distribution requires user intervention – a user has to click on an email attachment or launch a program. And users have been told for years to be very cautious about all unsolicited em...

The protection qualities of discretionary access control systems realised by today's prevalent operating systems are based on an assessment of the trustworthiness of users. By starting a program a user transfers his trustworthiness to it, ie, there is the tacit assumption that the program's trustworthiness at least matches that of the user. However, malicious programs are a growing source of th...