Fraudulent and malicious web sites pose a significant threat to desktop security, integrity, and privacy. This paper examines the threat from different perspectives. We harvested URLs linking to web sites from different sources and corpora, and conducted a study to examine these URLs in-depth. For each URL, we extract its domain name, determine its frequency, IP address and geographic location, and check if the web site is accessible. Using 3 search engines (Google, Yahoo!, and Windows Live), we check if the domain name appears in the search results; and using McAfee SiteAdvisor, we determine the domain name’s safety rating. Our study shows that users can encounter URLs pointing to fraudulent and malicious web sites not only in spam and phishing messages but in legitimate email messages and the top search results returned by search engines. To provide better countermeasures against these threats, we present a proxy-based approach to dynamically block access to fraudulent and malicious web sites based on the safety ratings set by McAfee SiteAdvisor.

Malicious software in the form of worms, Trojan horses, spyware, and bots has become an effective tool for financial gain. To effectively infect the computers of unsuspecting users with malware, attackers use malicious Web pages. When a user views a malicious Web page using a Web browser, the malicious Web page delivers a Web-based exploit that targets browser vulnerabilities. Successful exploitation of a browser vulnerability can lead to an automatic download and execution of malware on the victim's computer.

This thesis presents a honeypot that uses Internet Explorer as bait to identify malicious Web pages, which successfully download and execute malware via Web-based exploits. When the honeypot instructs Internet Explorer to visit a Web page, the honeypot monitors and records process and file creation activities of Internet Explorer and processes spawned by Internet Explorer. The recorded activities are analyzed to find deviations from normal behavior, which indicate successful exploitation. The Web-based exploits delivered by the malicious Web pages and the malware downloaded by the exploits are automatically collected by the honeypot after successful exploitations. Additionally, the honeypot constructs an analysis graph to find relationships between different malicious Web pages and identify the Web pages that download the same malware.

This thesis also presents an analysis of data collected by the honeypot after processing 33,811 URLs collected from three data sets. Observations and case studies are presented to provide insights about Web-based exploits and malware, malicious Web pages, and the techniques used by attackers to deliver and obfuscate the exploits.

Malicious attacks are getting smarter, more widespread and increasingly difficult to detect, and dozens more are added to the menagerie each day. Identifying and classifying the type of malicious program spreading across global networks is a crucial step in developing strategies to contain and eradicate it. This paper describes the most common attacks used these days to paralyze computer and network resources. It provides network traces of malicious traffic and strategies for providing better countermeasures. Data sets captured at the University of Calgary are analzyed to classify intrusion attempts and identify security holes in the University’s network.

With the enormous amount of spam messages propagating on the Internet these days, anti-spam researchers and developers are trying to build spam filters to get rid of such unsolicited messages as accurately as possible. In this paper, I describe a machine learning approach based on Bayesian analysis to filter spam. The filter learns how spam and nonspam messages look like, and is capable of making a binary classification decision (spam or non-spam) whenever a new email message is presented to it. The evaluation of the filter showed its ability to make decisions with high accuracy (96.24% in the worst case and 99.66% in the best case).

Honeypots are closely monitored computing resources that can provide early warning about new vulnerabilities and exploitation techniques, distract attackers from valuable computer systems, or allow in-depth examination of attackers during and after exploitation of a honeypot. Extensive research into honeypot technologies has been done in the past several years to provide better countermeasures against malicious attacks and track attackers. This paper describes honeypots in-depth and discusses how honeypots can be used to fight spam and spammers effectively.

Public key cryptographic techniques have been used to protect email messages via encryption and digital signatures for more than 26 years. Such techniques, however, failed to adopt secure email messaging due to a combination of technical, social, and usability issues. We present a new approach to email security that uses fingerprint recognition and cryptographic hash functions to secure access to email accounts and messages, and to sign and verify email messages. Our approach does not require doing expensive computations to verify a user’s signature as opposed to public key cryptographically protected email. We keep the amount of user interaction required to the minimum, and provide email users with security features that include state-of-the-art biometric authentication schemes.

Biometric systems were proposed and developed to provide a better and stronger factor of authentication. Such systems authenticate individuals based on physical and behavioral traits such as fingerprints, iris, face, palm print, hand geometry, voice, etc. The use of biometric traits to replace existing passwords or as access keys has proven to be highly secure against physical attacks. It is a fact that malicious attacks are getting smarter, more widespread and increasingly difficult to detect, and dozens more are added to the menagerie each day. Attacking biometric systems physically is quite difficult indeed. However, by mounting digital attacks one can see how biometric systems are vulnerable. We discuss the different types of software and hardware vulnerabilities that exist in biometric systems, and show how biometric template security can be compromised. We present a new attack point at the application level that has not been addressed and discussed in previous work. We also describe how biometric cryptosystems can overcome some of the disadvantages in traditional biometric recognition systems, and show how such systems can be used effectively in Digital Rights Management (DRM) systems.

Broadcast encryption is an interesting application of cryptography which allows one to broadcast a secret to a changing group of intended recipients in such a way that no one outside this group can view the secret. Interest in using broadcast encryption techniques has grown considerably in recent years and such techniques have been integrated in many applications and technologies such as virtual private networks, cable TV networks, mobile and wireless networks and many more. This report describes broadcast encryption in depth along with the related techniques, threats, protocols and applications.