Browsing by Author "Al-Mohannadi, Hamad"
Item: Detection of Malicious Portable Executables using Evidence Combinational Theory with Fuzzy Hashing (IEEE, 2016)
Authors: Namanya, Anitta Patience; Khan Ali Mirza, Qublai; Al-Mohannadi, Hamad; Awan, Irfan U.; Ferdinand Pagna Disso, Jules

Fuzzy hashing is a known technique that has been adopted to speed up malware analysis processes. However, hashing has not been fully implemented for malware detection because it can easily be evaded by applying a simple obfuscation technique such as packing. This challenge has limited the usage of hashing to triaging of samples based on the percentage of similarity between the known and the unknown. In this paper, we explore the different ways fuzzy hashing can be used to detect similarities in a file by investigating particular hashes of interest. Each hashing method produces independent but related results, which are presented herein. We further investigate combination techniques that can be used to improve the detection rates of hashing methods. Two such evidence-combination-theory-based methods are applied in this work in order to propose a novel way of combining the results achieved from different hashing algorithms. This study focuses on file and section Ssdeep hashing, PeHash and Imphash techniques to calculate the similarity of Portable Executable files. Our results show that the detection rates are improved when evidence combination techniques are used.

Item: Performance Security Trade-off of Network Intrusion Detection and Prevention Systems (UK Performance Engineering Workshop and Cyber Security Workshop, 2016)
Authors: Munir, Rashid; Ahmed, Botan; Al-Mohannadi, Hamad; Mufti, M. Rafiq; Namanya, Anitta Patience; Awan, Irfan

Cyber security threats are increasing, with most companies being overwhelmed by the complexity attached to preventing attacks. Network intrusion detection and prevention systems (NIDPS) are now a staple in any enterprise network, with the purpose of filtering through the network traffic and sniffing for malicious traffic. Given the amount of traffic generated on enterprise networks nowadays, any NIDPS is sure to go through such a large number of packets that a need arises for a performance-security trade-off. On any given day, depending on the rules used in the NIDPS, the number of alerts it generates is in the thousands. This can be quite overwhelming to the security analysts who analyse them to understand the cyber threat landscape. Although it is true that more alerts raise the probability of detecting malicious traffic, it is also true that generating alerts requires the traffic to pass through many rules, which can be quite a performance hindrance. This is the paradox currently plaguing the cyber security community. In this paper, we examine 2 scenarios to evaluate the performance-security trade-off, for the purpose of proposing ways of improving performance while minimising the impact on the security purpose of the NIDPS.