Published by: ijcsis on Feb 19, 2012
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 11, November 2011

A Taxonomy of Malicious Programs For An End User
Muhammad Azhar Mushtaq
Department of Computer Science and IT, University of Sargodha, Sargodha, Pakistan.
azhar.mushtaq@uos.edu.pk

Madiha Sarwar
Department of Computer Science and IT, University of Sargodha, Sargodha, Pakistan.
madiha.sarwar@uos.edu.pk
Abstract - Computer and network attacks have become highly sophisticated and complex, with different names and multiple characteristics. In order to understand and find solutions against new and old attacks, different types of computer and network taxonomies are utilized. However, such taxonomies are being actively developed for expert users; research efforts towards making an attack taxonomy for basic end users are still isolated. In this work we present a taxonomy for end users that will help in identifying attacks, the precautionary measures they need to adopt and how to categorize new attacks. Moreover, through an empirical survey of the taxonomy, it is concluded that end users will be more protected than before; the validity of the taxonomy was also checked.

Keywords - Computer and network attack; taxonomy; end users
Attacks on computers and networks have a long-lasting history, which requires constant attention. Different attack techniques are carried out by attackers to fulfill their objectives. In recent years they have spread more rapidly, and since 1999 there has been a marked increase in the number of incidents reported by the Computer Emergency Response Team (CERT). Moreover, in the year 2008 F-Secure managed to collect more than ten million suspicious samples [6] [7].

This situation is alarming and deep-rooted, and end users feel more insecure than anyone else. One of the strongest reasons is that, in the beginning, launching these attacks required relatively more technical knowledge and expertise, but today they have become user friendly and their propagation is much faster and easier than ever before. It is therefore the need of the time to make not only corporate or big business aware, but also the end users working for these businesses and those sitting at home, so that they are well informed regarding these malicious attacks.

In order to answer all these serious concerns, many taxonomies were proposed by researchers whose sole purpose was to present and provide a meaningful way of classifying these attacks. Unfortunately, each of the earlier taxonomies employs its own way of classifying attacks. Some classify attacks by their distinctive names such as virus or worm, and others classify attacks according to the weakness in the system. Because of these different classification schemes, which categorize attacks differently, it is not possible for end users to understand these attacks, and it creates confusion in taking proper precautionary measures. Due to this fact, a new taxonomy model is proposed in this area for the betterment of end users. The proposed taxonomy is based on four distinctive aspects: damage, cost, propagation, and precaution.

Every attack has some damaging effects; some attacks may cause severe damage and some may have no damaging effect. For example, a virus may cause damage at the computer level by infecting hardware or other parts of it but cannot damage the network, whereas a simple worm with no extra threat only attacks the network by overloading it. Cost is the second aspect through which a user can classify or understand attacks. Cost can be referred to in two ways: the cost of damages and the cost of fixing these damages. Most attack types have some kind of propagation mechanism, i.e. they try to replicate themselves and spread. In many cases the propagation depends upon human interaction with them. In the case of a virus, propagation will not take place until it comes in contact with an end user. On the other hand, a worm spreads by itself. Precaution is the most important part of the taxonomy, because it can be used in classifying attacks and it will keep end users protected from attacks. Precaution must be taken on two levels: one is the administration level and the second is the end user level. Administration level precautions are not discussed here in detail because administrators already have the knowledge and skills to protect the network. End users must take certain precautions on their personal computers in order to keep the computer safe from attacks.

The remainder of this paper is organized as follows. Some of the previous related taxonomies are reviewed in section 2. Section 3 presents the empirical survey of the taxonomy, whereas the proposed taxonomy model is covered in section 4. Section 5 concludes the paper and presents future work.

II.
In the following, some of the prominent taxonomies are presented.

Taxonomy based on Computer Vulnerabilities

1) Protection analysis report 1978
http://sites.google.com/site/ijcsis/ ISSN 1947-5500
In 1978, the Information Sciences Institute at the University of Southern California launched a project called Protection Analysis (PA). It was an effort to sort errors in operating systems and applications and to discover techniques which can detect weaknesses arising from software errors [1]. The PA report first came up with ten categories, but the number of categories was later reduced to four global error types: domain errors, validation errors, naming errors, and serialization errors.

2) Bishop taxonomy

In 1995, Bishop presented his vision of a taxonomy which was different from the previous taxonomies. His work covers vulnerabilities in UNIX, and the classification scheme was based on the characteristics of these vulnerabilities. Bishop presented his taxonomy in the form of six axes (nature, time of introduction, exploitation domain, effect domain, minimum number, and source) [2].
Taxonomy based on Computer Attacks

1) Landwehr et al. taxonomy

Landwehr et al. presented their taxonomy of computer program security flaws along with 50 actual flaws. Whereas earlier taxonomies collected data during the development of the software, Landwehr paid attention to the security flaws that appear after the software is released for use. The Landwehr taxonomy mainly emphasizes organizing flaws and adding new ones, so that users can get information on which part of the system is causing more trouble. The flaws were broken down on the basis of genesis (how), time of introduction (when), and location (where). These three categories are explained in detail below [3].
Origin of flaw
The important part of this category is the method through which a security flaw is inserted into the system. First, find out whether it was done intentionally or happened accidentally. Landwehr argued that this can sometimes be confusing, because programs such as remote debugging facilities deliberately provide functions which at the same time can introduce unintentional security flaws.

The next category is the harmfulness of the flaws. Damaging flaws include trojan horses, trapdoors, and logic bombs; these threats can further be classified into duplicating and non-duplicating threats. Another category under intentional flaws is covert channels, which transfer information against the will of the system designer [3].
Time of introduction
To find exactly when the flaw was introduced during software development, Landwehr proposed the second stage, called time of introduction, which was further divided into three components: development, maintenance, and operation. During the development phase different implementation steps are carried out in order to meet certain conditions. If these steps are not done properly there is a chance of a flaw being introduced. Programmers can make different mistakes in these activities, such as not complying with the terms of the software requirements during source coding. Maintenance is the time when the software is released but still being used for testing purposes. Landwehr pointed out that during the maintenance period programmers usually fix a flaw but do not track it back to its source, which can give rise to more flaws. Moreover, due to viruses or unauthorized access there could be changes made to the software during the operation time. Operation time is when the software is out in the market and organizations are using it [3].

The third phase in the taxonomy was the location of the flaw. The location was divided into two parts, software and hardware. Because the main emphasis was on software, it was further divided into operating system, support software, and application software. Some of the flaws under operating system can take place if the system did not accurately initialize the defense measures, or if an outsider gains admittance because of a fault in memory management [3].
2) Howard Taxonomy

Howard presented in his PhD thesis a taxonomy of computer and network attacks. His taxonomy was based on the trail an attack goes along rather than on security flaws. His process-based taxonomy consists of five stages: attackers, tools, access, results and objectives [4].

An attacker could be anyone who purposefully cracks into a computer. Attackers could be different types of people such as hackers, terrorists, and vandals. These attackers utilize some form of tools in order to gain admittance. A variety of tools is available, ranging from user commands to data tapping. By using vulnerabilities in implementation, design, and configuration an attacker can get access. The results of this can be corruption of information, disclosure of information or denial of service. Through this process the attackers accomplish their objectives, which can be financial or political gain. This process-based taxonomy is very useful for understanding how the attack process works. However, if motivation and objectives are not given any importance this taxonomy is not valuable. Howard and Thomas (1998) made changes in the process-based taxonomy but failed to fulfill the requirements [4].
3) Hansman Taxonomy

Hansman criticized Howard's taxonomy because it explains the attack process but does not clarify the attacks which happen on a daily basis. For example, the Code Red worm cannot be classified using the Howard taxonomy. Hansman's approach was to categorize computer attacks such as viruses, worms, and trojans; attacks which a user faces every day. Also, Hansman wanted a taxonomy in which attacks with multiple threats (blended attacks) can be classified. For these reasons Hansman proposed a new taxonomy which consists of dimensions [5].
First dimension
In the first dimension attacks are classified by attack vectors. The attack vector is the way attackers gain access to their targets so that certain payloads or harmful contents can be transported. It provides the path for hackers to break into a system or network; it can also give exact information about an attack. For example, the Melissa virus propagates through e-mail, so according to the first dimension it is considered a mass-mailing worm [5] [8].
Second dimension
The second dimension is based on the attack targets. If an attack has more than one target, more than one entry can be made in this dimension. For example, if Server A is attacked, the targets would be the operating system and the service rather than the server. In case Code Red attacks Server A, the target would be Internet Information Server (IIS) and not Server A itself [5].
Third dimension
The third dimension is based on the vulnerabilities that an attack exploits. If an attack utilizes more than one vulnerability, there could be multiple entries in the third dimension. As Common Vulnerabilities and Exposures (CVE) provides an easier and general name for a weakness, Hansman included it in his taxonomy. The CVE data sources strongly indicate that the Code Red worm takes advantage of a weakness in Microsoft Internet Information Services. Hansman also proposed that in case the vulnerability is not found in the CVE database, one of Howard's vulnerability classes should be selected. Howard's three vulnerability classes were vulnerability in implementation, vulnerability in design, and vulnerability in configuration [5].
Fourth dimension
Hansman's fourth dimension depends upon the payloads or effects which have extra features, such as a worm that may simply destroy some files and also carry a trojan payload at the same time. Hansman further discussed that the taxonomy can be improved by adding more dimensions [5].

III.
Before proposing the taxonomy, a survey was conducted in order to measure the awareness level about computer attacks and the threat level among end users in Pakistan. The sample of the study was taken from university students from all over Pakistan. A total of 500 questionnaires were distributed randomly among students of different universities in Pakistan. Out of the 500 distributed, 450 were usable for conducting further analysis.

The data sample was analyzed using the SPSS statistical package, and this can be a key element when proposing the taxonomy. The survey was divided into two sections. The first section covers demographic questions such as gender, age, qualification, etc. The demographic section is not included in this paper because these demographic questions are irrelevant for proposing the taxonomy. The aim is to provide a computer attack taxonomy which can be beneficial for all end users. The second section consists of statement questions which focus on the respondent's awareness, the effect of computer attacks and the precautions against such attacks. The survey questionnaire was designed based upon a Likert scale of 1-5, with 1 meaning strongly disagree and 5 strongly agree. This method was used so that respondents' answers are clear and no ambiguity between answers arises.

Item reliability was measured using Cronbach's alpha, which is a type of internal reliability estimate used to measure the consistency of responses on a composite measure that contains more than one item. A value closer to 1 is considered a good measure. In our case Cronbach's alpha values above .60 are considered acceptable. In the survey analysis the values ranged between .65 and .78. The results of a one-sample t-test show a high significance level (<.001) on all the attributes. The overall mean value of attribute 1, damage, is 2.64, which states that there exists a partial awareness of damage among the respondents. Similar results have been found on the cost and propagation attributes, having overall mean values of 2.49 and 2.86.
This indicates an alarming situation: end users have only partial awareness about the cost they may have to pay in the shape of losing their important data, confidential information, personal identity, etc. As far as precautionary measures against all kinds of threats are concerned, it has been seen that the level of awareness is moderate, with mean values ranging between 3.0 and 3.3 on all the attributes, namely precaution against virus, worm, trojan, spam and phishing. An inference that could be drawn is that end users on one hand have either zero or partial awareness about the consequences of threats, while on the other hand they have prepared themselves against these threats at a quite moderate precautionary level. According to table 1, a conclusion can be drawn, depending on the mean value of each question, about whether the end user possesses high awareness (H.A), moderate awareness (M.A) or partial awareness (P.A) for each questionnaire item. It is worth mentioning here that end users are not aware of what kind of protection they might need against different types of threats.

IV.
The attacks are categorized according to their harmful purpose. The harmful purpose can be, for example, damaging computer or network resources, stealing confidential files, financial fraud, identity theft, etc. Virus, worm, trojan horse, spam and phishing are the subcategories of a malware attack. Spam and phishing are both a part of spoofing, which means lying about one's own identity. As these attacks have a malicious purpose they are included in the category of malware attacks in the proposed taxonomy. In table 2 the taxonomy is explained in detail for the end user's benefit.

First aspect

Viruses can damage both computers and networks. At the computer level, hardware damage is done to the processor, hard disk and CD ROM, and in software a virus can damage parts of an application, a file or the whole operating system. A virus cannot damage the network but utilizes the network in order to propagate [9]. Worms differ in their means of damaging, as they can install backdoors in the system that can then be remotely accessed by attackers. A worm usually uses up the whole network bandwidth for replication purposes, making the network crash or slow down. With the help of trojans an attacker can view someone else's desktop, or can notice the