Cybersecurity Research Overview
Victor
1/6/2014
Outline
- Introduction
- Types of Research
- Systems Research
- Malware Analysis
- Botnets
- Digital Forensics
- Hacker Forum Research
- IRC Channel Research
- Conclusion
Introduction
- As computers become more ubiquitous throughout society, the security of networks and information systems is a growing concern.
  - An increasing amount of critical infrastructure relies on computers and information technologies
  - Advancing technologies have enabled hackers to commit cybercrime much more easily now than in the past
- At the same time, the accessibility of technologies and methods for committing cybercrime has grown (Radianti & Gonzalez, 2009)
  - Technologies and methods to commit cybercrime have become more widely available (Moore & Clayton, 2009)
  - Legitimate services such as DNS servers and search engines have uses that promote cybercriminal activity

Introduction
- With the growing importance of cybersecurity, researchers have taken interest in both areas of cybersecurity research
  - Studies to improve system security and malware analysis techniques
  - New research on observing and analyzing hackers within their communities
- Here we discuss the various forms of cybersecurity research
  - Both technical- and hacker community-focused studies
  - Including discussions of tools used to conduct your own analyses and research
Types of Research
- There are various forms of cybersecurity research ranging from technical research to sociological studies:
  - Systems & Network Security
  - Malware Analysis
  - Botnet Research
  - Digital Forensics
  - Hacker Forums
  - Hacker IRC Networks
- Traditional cybersecurity research has focused on technological challenges and improvements to mitigate cyberattacks (Hopper et al, 2009; Holt & Kilger, 2012)
  - Systems and security research for purposes such as intrusion detection systems, autonomous networks, etc. (García-Teodoro et al, 2009; Dsouza et al, 2013)
  - Improved malware analysis techniques to detect more advanced malware that may be obfuscated or previously unknown (Cova et al, 2010; Ismail & Zainal, 2012)
  - Botnet tracking and identification (Lu & Ghorbani, 2009; Zhang et al, 2011)
Types of Research
- Such focus on technological improvements to enhance security has largely dominated past cybersecurity research
- However, in comparison to more technical works, little research has been done to investigate hackers themselves and the human element behind cybercrime
  - More research on black hat hackers, i.e. cybercriminals, would offer new knowledge on securing cyberspace against those with malicious intent (Siponen et al, 2010)
  - Specifically, developing “methods to model adversaries” is one of the critical but unfulfilled research needs recommended in the “Trustworthy Cyberspace” report by the National Science and Technology Council (National Science and Technology Council, 2011)

Types of Research
- As a result, many recent studies in cybersecurity have taken different paths to study cyber adversaries
  - Content and topological analysis of hacker forums
  - Observation of hacker Internet Relay Chat (IRC) interactions
- Hacker social media, such as forums and IRC channels, are important resources for many cybercriminals
  - Since hacking knowledge is not typically found in formal education, the use of web-based resources to advance skills and knowledge is common among both black and white hats
  - Hackers often utilize forums and IRC channels to disseminate hacking knowledge (Radianti et al, 2009; Motoyama et al, 2011)
  - Forums and IRC channels also serve as black markets, where cybercriminal assets are traded and sold (Radianti et al, 2009; Holt & Lampke, 2010)
- Each type of research is valuable in and necessary to improve the overall security of cyber infrastructure
Systems Security
- Improving security mechanisms incorporated into systems and networks has been a traditional focus of security research
  - Automated and integrated management of cyber infrastructure, including intrusion detection systems and autonomous networks (Chen et al, 2007; Aydin et al, 2009)
  - Protocol-level security to mitigate known security vulnerabilities (Pervaiz et al, 2010)
- Research often consists of collecting data and performing experiments by simulating networks and systems
  - For example, collecting network traffic data under normal operations and comparing it to network traffic data during simulated cyber attacks can help anomaly detection methods (García-Teodoro et al, 2009)
  - Wireshark (http://www.wireshark.org/) is a tool commonly used for packet capturing and analysis
Systems Security
Figure: Automated and Integrated Management (AIM) Methodology (Dong et al, 2003). The diagram shows a pipeline over the cyber-infrastructure: monitoring, feature selection, aggregation and correlation, anomaly behavior analysis, and risk and impact analysis, feeding automated and semi-automated actions such as closing ports, changing policies, and isolating a router.

Systems Security
Figure: Distribution of normal vs abnormal system calls for anomaly detection (Qu et al, 2005). The plot shows system calls over time, with a fault injection point separating the normal transaction from the abnormal transaction.
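The normal-vs-attack traffic comparison and the normal-vs-abnormal system call distribution of Qu et al. rest on the same mechanism: learn a baseline frequency profile from normal runs and flag transactions whose distribution drifts from it. The Python below is an added example, not code from the slides or from Qu et al.; the system call traces, the use of Kullback-Leibler divergence as the drift score, and the threshold of 1.0 are all constructed for illustration.

```python
"""Frequency-based anomaly detection over system-call traces (added example)."""
from collections import Counter
import math

# Constructed traces: each transaction is the ordered list of syscalls it issued.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "read", "read", "read", "close"],
    ["open", "write", "close"],
]

# Constructed trace from after a "fault injection point": the transaction
# suddenly opens a socket and spawns a process, which the baseline never does.
SUSPECT_TRACE = ["open", "read", "socket", "connect", "fork", "execve", "close"]


def build_profile(traces):
    """Baseline probability distribution over syscall names, pooled across traces."""
    counts = Counter()
    for trace in traces:
        counts.update(trace)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


def trace_distribution(trace):
    counts = Counter(trace)
    return {name: n / len(trace) for name, n in counts.items()}


def divergence(profile, trace, unseen_floor=1e-3):
    """Kullback-Leibler divergence D(trace || profile).

    Syscalls never seen in the baseline get a small floor probability so that
    an unknown call contributes a large but finite amount to the score.
    """
    score = 0.0
    for name, p_trace in trace_distribution(trace).items():
        p_base = profile.get(name, unseen_floor)
        score += p_trace * math.log(p_trace / p_base)
    return score


def unseen_syscalls(profile, trace):
    """Calls in the trace that the baseline never produced (the usual tell-tale)."""
    return sorted({name for name in trace if name not in profile})


def classify(profile, trace, threshold=1.0):
    """Label a transaction normal/abnormal by its divergence from the baseline."""
    return "abnormal" if divergence(profile, trace) > threshold else "normal"


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for trace in NORMAL_TRACES + [SUSPECT_TRACE]:
        print(f"{classify(profile, trace):8s} score={divergence(profile, trace):.2f} "
              f"unseen={unseen_syscalls(profile, trace)}")
```

The floor for unseen calls matters: without it a single new syscall makes the score infinite, which hides the difference between one stray call and a transaction that is mostly unknown calls. On real traces the profile should be built per process or per transaction type, since a web server and a database have very different normal call mixes.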
Systems Security
- Systems security research is becoming increasingly important as computers become more prevalent throughout society
  - Security concerns over SCADA systems, i.e. systems that control the electric grid, water distribution, and other industrial systems, are growing as these systems become increasingly reliant on cyber infrastructure (Goel, 2011)
  - Cloud services and infrastructure have grown rapidly in recent years, necessitating increased security practices (Ramgovind et al, 2010; Rong et al, 2013)
- In particular, these areas present a new set of challenges for security researchers
  - SCADA systems often run custom firmware or other software requiring specialized knowledge or new skillsets for researchers
  - Cloud services and service-oriented architecture (SOA) are of great concern due to their exposure on the Internet and the necessity to remain online
  - Port scanners such as Nmap (http://nmap.org) are often used in security audits on such systems
Systems Security
- Growing interest in further developing:
  - Resilient systems that can automatically mitigate and circumvent cyber attacks (Dsouza et al, 2013)
  - Moving Target Defense, or evolving defenses that can counter changing and improving cyber attacks (Carvalho et al, 2012)
- While improving system and network security can help cyber infrastructure mitigate and recover from cyber attacks, research in other areas of security would be fruitful
  - Understanding more about the malware deployed against cyber infrastructure could aid in the development of effective cyber defenses
Malware Analysis
- To improve systems security, some researchers are interested in developing better defenses against malware (Shabtai et al, 2011; Sahs & Kahn, 2012)
  - Increasingly advanced malware variants appearing in the wild
  - Affecting servers, computers, mobile phones, etc.
- Two forms of malware analysis (Willems et al, 2007; Ismail & Zainal, 2012)
  - Dynamic analysis: executing malware and observing run-time behaviors, system calls, registry edits, etc.
  - Static analysis: studying malware source code or opcode (operation code) without executing the malware
Malware Analysis
- By its nature, dynamic analysis will lead to malware infection of the computers used for analysis
  - Requires controls and security measures to avoid malware spreading on the network
  - Can be time and resource intensive
  - May miss hidden execution behaviors if the malware does not execute all of its code during observation
- Conversely, static analysis does not require malware execution
  - Source code or opcode can be analyzed without executing the malware
  - The full malware source can be analyzed, revealing code that could be hidden and only executed under special circumstances
  - However, code that is obfuscated can be difficult to analyze and understand
- Both techniques are equally useful in different contexts, complementing each other well
Malware Analysis
- Data is often collected through the use of honeypots
  - Honeypots are computers or clients that are set up with the purpose of attracting and logging cyber-attacks in real time
  - Often emulate or are exposed to live security vulnerabilities in order to capture malware and monitor cyberattacks
  - Can be used to better understand threats “in the wild”
- Two types of honeypots exist (Zhuge et al, 2008; Cova et al, 2010):
  - Low-interaction honeypots: emulate known vulnerabilities to capture malware payloads and hacker behavior. The honeypot machine is not actually compromised, and thus only a limited amount of data is captured. Multiple low-interaction honeypots can be hosted simultaneously on one machine.
  - High-interaction honeypots: allow a full operating system to be compromised in order to gather more data on cyberattacker patterns. Can reveal previously unknown exploits, as the honeypot does not rely on emulating already known vulnerabilities. However, real infection increases security risks, and more computing resources are required for high-interaction honeypots.
Malware Analysis
- Many honeypot tools are developed and made available by The Honeynet Project - http://www.honeynet.org/
  - International team of volunteer security researchers and practitioners
  - Investigate cyberattacks, discover new exploits
  - Develop tools to improve Internet security
- All projects are open sourced and available for free
  - Low-interaction and high-interaction honeypots
  - Tools for other security applications
- Open source tools provided by the Honeynet Project, as well as other sources, can be utilized to implement honeypot systems
Malware Analysis
- To build a low-interaction honeypot with malware capturing capabilities, deploy the following tools simultaneously on a Linux-based machine:
  - Argus (http://nsmwiki.org/index.php?title=Argus#Introduction): A layer 2+ (i.e. OSI model) auditing tool which helps in collecting network flow information. Can help with network traffic analysis.
  - Dionaea (http://dionaea.carnivore.it/): A honeypot which emulates various services with the aim of trapping malware and shellcode, i.e. malicious code remotely executed through security exploits. Captured payloads can be further analyzed for research.
  - Kippo (http://code.google.com/p/kippo/): SSH honeypot meant to trap, view, and record malicious activity. Can allow hackers to log into a simulated SSH environment where attempts at more advanced operations may be observed.
  - p0f (http://lcamtuf.coredump.cx/p0f3/): Tool to passively fingerprint different attackers behind TCP/IP communications. May help reveal advanced persistent threats (APTs).
  - Snort (http://www.snort.org/): Network intrusion detection system; allows for detailed network packet capture of cyberattacks.
Malware Analysis
- Unfortunately, high-interaction honeypot tools are scarce
  - Much more complicated than low-interaction honeypots
  - Require significantly more resources to implement and maintain
  - Strict safeguards must be built around the honeypot to ensure network security
- Popular high-interaction honeypot packages: Capture-HPC
  - Developed by the Honeynet Project
  - Problem: last updated in 2008
  - Runs virtual machines as honeypot systems, but has trouble interfacing with the latest virtualization software (e.g. VMware, VirtualBox) due to lack of recent updates
- One can build their own high-interaction honeypot by deploying vulnerable machines with system-level logging
  - System-level logging generally requires operating system kernel hooks
  - Difficult to implement for most individuals
  - Many researchers and practitioners are opting for low-interaction honeypots with malware capture capability
Malware Analysis
- Preliminary study presented at IEEE Intelligence and Security Informatics, 2013 (Benjamin & Chen, 2013)
- Both low-interaction and high-interaction honeypots can be configured to capture shellcode samples used by cyber attackers
  - When deploying several honeypots, there is potential to capture a large volume of shellcode samples
  - It can become difficult to analyze samples as volume increases
- We collected nearly 4,000 malicious source code and shellcode samples from an exploit-sharing website
  - Four distinct attack vector categories: local memory attacks, remote code execution attacks, web application exploits, and denial of service
  - Several shellcode samples were similar to potential honeypot captures
  - Motivated us to develop an automated technique to classify samples by attack vector category
Malware Analysis
Figure: An example of a Perl exploit that attempts a remote buffer overflow attack on a popular enterprise Windows and Unix mailserver software. Malicious code such as this can be difficult for researchers to interpret in their explorations. Automated static analysis tools can help in such scenarios. Annotations on the screenshot mark the shellcode (low-level instructions to access the vulnerable application’s memory space) and the point where the program loads a library for network communications.
Malware Analysis
- Prior research notes that feature selection for malware analysis is difficult
- We utilize a hybrid-GA approach, pairing a genetic algorithm with a classifier to select features based on how much they help to accurately classify samples
  - Features are based on the semantic contents of the sample files
- Samples are run through a series of classification experiments
  - Compared SVM and C4.5 decision tree algorithms for classification using a series of experiment configurations; accuracy averaged 86%
  - The experiment could be extended to include true honeypot shellcode samples, or a more robust GA or feature selection technique
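The hybrid-GA idea above (a genetic algorithm that scores candidate feature subsets by how well a classifier does with them) can be shown end to end on a toy corpus. The Python below is an added example and not the authors’ code from Benjamin & Chen (2013): the GA searches over bit masks of token features, and the fitness of a mask is the leave-one-out accuracy of a nearest-centroid classifier (a stand-in for the SVM and C4.5 classifiers used in the study) minus a small penalty per selected feature. The samples, labels, tokens and the attack-vector names as used here are constructed, not real exploit code; the four labels only mirror the categories the slide lists.

```python
"""Hybrid GA feature selection for attack-vector classification (added example)."""
import random

# Constructed samples: tokens seen in a sample file and its attack-vector label.
# 'int' and 'main' appear in every class and carry no signal; a good feature
# subset should drop them.
SAMPLES = [
    ({"strcpy", "buffer", "ret", "overflow", "main"}, "local_memory"),
    ({"strcpy", "buffer", "nop", "overflow", "int"}, "local_memory"),
    ({"socket", "connect", "payload", "port", "main"}, "remote_code_exec"),
    ({"socket", "connect", "shell", "port", "int"}, "remote_code_exec"),
    ({"http", "cookie", "script", "post", "main"}, "web_app"),
    ({"http", "script", "get", "post", "int"}, "web_app"),
    ({"flood", "loop", "thread", "port", "main"}, "denial_of_service"),
    ({"flood", "loop", "thread", "socket", "int"}, "denial_of_service"),
]
FEATURES = sorted({tok for toks, _ in SAMPLES for tok in toks})
# Binary presence vectors over the full feature list.
DATA = [([1 if f in toks else 0 for f in FEATURES], label) for toks, label in SAMPLES]
PENALTY = 0.005  # fitness cost per selected feature; too small to ever outweigh one sample


def loo_accuracy(mask):
    """Leave-one-out accuracy of a nearest-centroid classifier on the masked features."""
    idx = [i for i, bit in enumerate(mask) if bit]
    if not idx:
        return 0.0
    correct = 0
    for held in range(len(DATA)):
        per_label = {}
        for j, (vec, label) in enumerate(DATA):
            if j != held:
                per_label.setdefault(label, []).append([vec[i] for i in idx])
        centroids = {l: [sum(col) / len(vs) for col in zip(*vs)] for l, vs in per_label.items()}
        v = [DATA[held][0][i] for i in idx]
        pred = min(centroids, key=lambda l: sum((a - b) ** 2 for a, b in zip(v, centroids[l])))
        correct += pred == DATA[held][1]
    return correct / len(DATA)


def fitness(mask):
    """Classifier accuracy, lightly penalised for every feature the mask keeps."""
    return loo_accuracy(mask) - PENALTY * sum(mask)


def evolve(pop_size=20, generations=30, mutation_rate=0.05, seed=1):
    """Genetic search over feature masks; the all-features mask seeds the population."""
    rng = random.Random(seed)
    n = len(FEATURES)
    pop = [[1] * n] + [[rng.randint(0, 1) for _ in range(n)] for _ in range(pop_size - 1)]
    best = max(pop, key=fitness)
    for _ in range(generations):
        ranked = sorted(pop, key=fitness, reverse=True)
        parents = ranked[: pop_size // 2]
        children = [ranked[0]]  # elitism: the best mask always survives
        while len(children) < pop_size:
            a, b = rng.sample(parents, 2)
            cut = rng.randrange(1, n)
            child = a[:cut] + b[cut:]  # single-point crossover
            for i in range(n):
                if rng.random() < mutation_rate:
                    child[i] ^= 1      # bit-flip mutation
            children.append(child)
        pop = children
        cand = max(pop, key=fitness)
        if fitness(cand) > fitness(best):
            best = cand
    return best


def selected_features(mask):
    return [f for f, bit in zip(FEATURES, mask) if bit]


if __name__ == "__main__":
    all_on = [1] * len(FEATURES)
    best = evolve()
    print("all features:", loo_accuracy(all_on), len(FEATURES), "features")
    print("GA subset:   ", loo_accuracy(best), selected_features(best))
```

Seeding the population with the all-features mask and keeping the elite each generation guarantees the GA never returns something worse than the full feature set under the fitness function; the penalty term is what pushes it toward smaller subsets, which on real shellcode corpora is where the interpretability gain comes from.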
Botnets
- Malware captured by honeypots can sometimes reveal botnets
  - Outbound network traffic generated by malware may be connecting to a botnet command and control (C&C) channel
  - These channels are used by cybercriminal “botmasters” to give commands to collections of malware-infected computers that covertly join the IRC channel and wait for instruction.
Botnets
- C&C identification techniques have generally utilized honeypots
  - Honeypots are systems that are configured to simulate computer systems with software vulnerabilities
  - Can allow wild malware to intentionally exploit honeypot vulnerabilities; malware behaviors can be captured and studied in a sandboxed environment (Rajab et al, 2006; Lu et al, 2009).
  - All code execution, system changes, and network traffic are tracked and logged within a honeypot (Mielke & Chen, 2008; Zhu et al, 2008).
- By observing outbound network traffic generated by malware, researchers may potentially reveal botnet C&C channels and other hacker-related web addresses.
Botnets
- There are two common techniques used to collect IRC chat data, but both involve logging of real-time chat.
  - Logging IRC chat in real time manually or using automated bots (Fallmann et al, 2010)
  - Scraping IRC packet contents generated by a honeypot’s local network traffic (Lu et al, 2009)
- Several strategies can be taken to effectively use bots and ensure comprehensive data collection (Fallmann et al, 2010):
  - Swap strategy: some IRC channels will automatically disconnect users who appear idle. Thus, it can be useful to occasionally rotate bots into different IRC channels for logging, avoiding some problems with idling
  - Use of multiple bots in the same channel can help ensure comprehensive collection in case some bots get disconnected
- Packet scraping requires the use of network traffic analyzer software
  - Wireshark can be used for this purpose
Botnets
- Different forms of analysis should be used depending on research goals and data. For example, the goals and methods used for analysis would be different in:
  - Botnet research with data from command & control channels
  - Research on IRC channels affiliated with hacker forums or acting as social hubs
- The simplest method of analysis, much like for hacker forums, is to manually sift through data (Franklin et al, 2007; Fallmann et al, 2010; Motoyama et al, 2011)
- Automated content and network analyses could be extended to IRC datasets as well when studying hacker IRC channels
  - Can reveal emerging threats, popular tools and methods
  - May help with attack attribution
Botnets
- For botnet C&C channels, there are common themes for analysis
- Characterizing botmaster activity
  - Paxton et al, 2011 investigate the different operational styles used by botmasters by computing usage statistics per botnet master
  - Mielke & Chen, 2008 use clustering to identify potential collaboration between botmasters based on their participation across different known C&C channels
- Identifying botnets based on network traffic
  - Much research is spent analyzing honeypot captures and network logs to develop new techniques to combat evolving botnets (Lu et al, 2009; Choi & Lee, 2012)
  - Botnets are becoming increasingly sophisticated in evading detection
Botnets
- Published in IEEE Intelligence and Security Informatics, 2008 (Mielke & Chen, 2008)
- A botnet monitoring group, the ShadowServer Foundation, provided the AI Lab with logs from multiple botnet IRC command & control channels.
- Text mining techniques were used to differentiate bot masters from connected zombie computers
- Bot master names were tracked across all channels
  - Several names appeared frequently across the data set
- By clustering bot masters according to their channel participation, potential collaboration between bot masters can be identified
- The roles of individuals within each group, and the overall operational style of each group, can be identified by further analyzing C&C logs
- Additionally, logs could be used to identify C&C activity patterns; this could help automatically identify future C&C channels
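The two steps of the study above, telling bot masters apart from zombies and then clustering masters by the channels they share, can be run on a small C&C log. The Python below is an added example, not the Mielke & Chen (2008) code and not the ShadowServer data: the log lines are constructed, and the role heuristic (operator commands start with a dot, zombie status reports are bracketed) is an assumption of this example standing in for the text mining the paper used. Clustering is single-link over Jaccard overlap of channel sets.

```python
"""Bot master vs zombie separation and master clustering from IRC C&C logs (added example)."""
import re
from itertools import combinations

# Constructed C&C channel log, "[channel] <nick> message". Assumption of this
# example: commands from operators begin with '.', zombie reports are bracketed.
LOG_TEXT = """\
[#cc-a] <ops_x> .update stage2
[#cc-a] <bot-0f3a> [update] ok
[#cc-a] <bot-77c1> [update] ok
[#cc-a] <ops_y> .status
[#cc-a] <bot-0f3a> [status] idle
[#cc-b] <ops_x> .status
[#cc-b] <bot-91be> [status] idle
[#cc-b] <ops_y> .sleep 3600
[#cc-c] <ops_z> .update stage3
[#cc-c] <bot-2a0d> [update] ok
"""

LINE_RE = re.compile(r"^\[(?P<chan>#\S+)\] <(?P<nick>[^>]+)> (?P<msg>.*)$")
COMMAND_RE = re.compile(r"^\.\w+")   # ".update stage2"
REPORT_RE = re.compile(r"^\[\w+\] ")  # "[update] ok"


def parse_log(text):
    """Return (channel, nick, message) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("chan"), m.group("nick"), m.group("msg")))
    return events


def infer_roles(events):
    """Label a nick 'master' if it issues more commands than reports, else 'zombie'."""
    tally = {}
    for _, nick, msg in events:
        counts = tally.setdefault(nick, [0, 0])
        counts[0] += bool(COMMAND_RE.match(msg))
        counts[1] += bool(REPORT_RE.match(msg))
    return {nick: ("master" if cmd > rep else "zombie") for nick, (cmd, rep) in tally.items()}


def participation(events, roles):
    """Map each bot master to the set of C&C channels it was seen in."""
    chans = {}
    for chan, nick, _ in events:
        if roles.get(nick) == "master":
            chans.setdefault(nick, set()).add(chan)
    return chans


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster_masters(part, threshold=0.5):
    """Single-link clustering: masters whose channel sets overlap enough share a group."""
    parent = {m: m for m in part}

    def find(m):
        while parent[m] != m:
            m = parent[m]
        return m

    for a, b in combinations(sorted(part), 2):
        if jaccard(part[a], part[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for m in part:
        groups.setdefault(find(m), []).append(m)
    return sorted(sorted(g) for g in groups.values())


def analyze(text):
    """Roles for every nick plus the groups of bot masters that co-occur across channels."""
    events = parse_log(text)
    roles = infer_roles(events)
    return roles, cluster_masters(participation(events, roles))


if __name__ == "__main__":
    roles, groups = analyze(LOG_TEXT)
    print("zombies:", sorted(n for n, r in roles.items() if r == "zombie"))
    print("master groups:", groups)
```

A group such as ops_x and ops_y, who both drive #cc-a and #cc-b, is the kind of cross-channel overlap the slide calls potential collaboration; on real logs the role heuristic would be replaced by the learned text features, and the Jaccard threshold tuned against hand-labelled channels.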
Digital Forensics
- As increasingly complex malware and cyber attacks are deployed by individuals and groups, advancements in digital forensics become necessary to investigate computer crime
- Digital forensics entails identification of security failures within a system, and also the prevention of future incidents (Hay et al, 2011; Sridhar et al, 2012)
  - Conducting “postmortem” analysis of cybercrime
  - Can reveal information concerning cyber attackers
  - Usually paired with other malware and botnet analysis techniques
Digital Forensics
- Often requires examining file systems, RAM/volatile memory, and network traffic for traces of data pertaining to a cyber attack
  - Recovered data is often used in the prosecution of cybercriminals or to identify advanced persistent threats
- Research opportunity: there exist only a few standards and benchmarks for existing digital forensics investigations (Yates & Chi, 2011)
  - The increase in computing platforms has led to a lack of standard practices; there is no established “science” for forensics on newer operating systems and cyber infrastructure
  - Growing importance in cloud, mobile, and SCADA systems
  - Emerging challenges due to growing usage of complex encryption and data obfuscation techniques
  - Much research focuses on new practices and standards
Digital Forensics
- For hands-on experience, SANS Institute offers a version of Linux pre-loaded with digital forensics tools (http://computer-forensics.sans.org/community/downloads)
- Other tools:
  - Blacklight (Windows/Mac): https://www.blackbagtech.com/
  - EnCase (Windows): https://www.encase.com/
  - DumpZilla (Windows/Linux; Mozilla browsers, e.g. Firefox): http://www.dumpzilla.org/
  - The Sleuth Kit (Linux/Windows): http://www.sleuthkit.org/
Hacker Forum Research
Figure: Left: A cybercriminal on hackhound.org publishes the latest version of his hacking tool meant to help others steal cached passwords on victims’ computers. Right: A hacker of the Chinese community Unpack.cn posts sample code demonstrating how to reverse engineer software written in the Microsoft .NET framework. Annotations mark the attached hacking tool and its interface (Hackhound.org), the embedded sample of code and the description of code functionality (Unpack.cn), and the hacker’s reputation score.
Hacker Forum Research
- Hacker forums can be useful to researchers for various reasons:
  - Assess emerging threats and their prevalence in hacker social media
  - Observe black market activity
  - Track the cybercriminal supply chain and how assets move throughout the global hacker community
  - Allow researchers to study hackers across different geopolitical regions
- Unfortunately, hacker forum data is hard to obtain as many hacker communities employ anti-crawling features (Fallmann et al, 2010; Goel, 2011)
  - No hacker forum datasets are available to researchers
  - Anti-crawling measures, such as bandwidth monitoring or detection of bot-like behaviors, prevent many researchers from using automated techniques to build a dataset
  - Thus, most current studies utilize manual data collection (Holt, 2010; Yip, 2011).
Hacker Forum Research
- To employ automated collection, anti-crawling measures must be circumvented
  - Reduce bot-like behaviors during collection
  - Practice identity obfuscation
  - We may also want to mask our true identity
- Reducing the crawling rate is useful for circumventing anti-crawling measures that monitor bandwidth usage or page views
- To mask our identity, we can utilize proxy servers or peer-to-peer networks to route traffic through
  - Lets us even regain access to forums that ban us via IP bans
  - Stand-alone web proxies can be used for traffic routing and identity obfuscation
  - Peer-to-peer networks, such as the Tor network, offer similar services as stand-alone web proxies with added capabilities
Hacker Forum Research
Figure: Traditional proxy server configuration.

Hacker Forum Research
Figure: Various screenshots of the graphical Tor controller Vidalia. Left: A map allows users to view the locations of all published Tor relay nodes. Middle: A real-time log of Tor network events allows users to monitor Tor activity. The Tor client automatically handles many Tor networking functions. Right: A basic interface that allows Tor users to quickly assume a new identity by routing traffic through a new circuit. Applications such as web browsers and crawlers can utilize the Tor network by routing their network traffic to the local Tor client.
Hacker Forum Research
Proxy servers compared with the Tor network:
- Requirements: proxy servers - none; Tor - the Tor network client (~9MB)
- Protocol: proxy servers - typically HTTP or SOCKS; Tor - SOCKS only
- Usage: proxy servers - send local network traffic to the proxy server for re-routing to the destination server; Tor - tunnel local network traffic to the local Tor client, which automatically handles peer-to-peer networking and routing traffic to the destination server
- Assuming a new identity: proxy servers - a new proxy server must be used in place of the current proxy; Tor - the Tor client can automatically select new relay nodes when a new identity is needed
- Finding new servers: proxy servers - lists of public proxy servers exist across various websites that can be identified through keyword searches (e.g. “public proxies”); Tor - the Tor client will automatically find new relays for the user; selection parameters can be used to only use or exclude relays from specific countries
- What does the hacker community server see: proxy servers - the proxy server IP address; Tor - the IP address of the last Tor relay used to route your message to the destination server
Hacker Forum Research
- After hacker forum contents are collected, they can be analyzed using traditional social media techniques
  - Can make use of commonly used text mining tools
  - Content analysis would be useful for understanding the discussions and information inside hacker social media
  - Topological analyses often aim to observe hacker forum structure and the relationships between forum participants (Motoyama et al, 2011; Holt et al, 2012)
Hacker Forum Research
Figure: Iranian hacker forum participant ‘elvator’ is sharing a tutorial on shellcode, which refers to cyberattack payloads that grant hackers unauthorized access over compromised machines. This hacker has gained a total of 20,305 reputation points from his peers over 1,641 messages posted, which is above average for Ashyane.org. Annotations mark the hacker forum reputation system, the password-protected file containing tutorial documents, the password to open the attached file, and the description of the attached hacking tutorial.
Hacker Forum Research
Figure: A forum participant of the Russian hacker forum Xekapok.net shares a vulnerability scanning tool with others. This participant’s message is relatively “media rich” compared to other forum posts due to the usage of images, font styling, and attachments. Additionally, they possess high reputation and thus appear to be well-established in the Xekapok.net community. Annotations mark the hacker forum reputation score, a screenshot of the vulnerability scanning tool, the participant explicitly asking others to give him reputation points, and the tool download link.
Hacker Forum Research
- Preliminary hacker reputation study presented at IEEE Intelligence and Security Informatics, 2012 (Benjamin & Chen, 2012)
- Collected two hacker communities from the United States and China to examine the mechanisms by which key actors arise within forums
  - Both communities featured reputation systems
  - How did hackers earn high levels of reputation among their peers?
- Found that hackers who participated frequently and contributed the most towards the cognitive advance of their community had the highest reputation
Hacker Forum Research
- Main challenges in hacker forum research are:
  - Identifying data sources
  - Collecting complete datasets
  - If not a security expert, some subject matter may be difficult to interpret
- After collection of data, hacker forum research can utilize the same text mining techniques as traditional social media research
  - Topic modeling
  - Forum participant analysis
  - Social network analysis
  - Etc.
IRC Channel Research
- Internet Relay Chat (IRC) is a protocol for real-time, multi-user text chat
- IRC channels are used by hackers to communicate in real time through text chat (Mielke & Chen, 2008; Motoyama et al, 2011)
  - Sometimes affiliated directly with hacker forums
  - Other times they are independent communities only accessible through IRC
  - Contents can be analyzed through traditional text mining techniques
- IRC comprises three major components:
  - IRC networks (i.e. servers)
  - Chat channels existing within IRC networks
  - IRC clients, or users
- Understanding these three components is important for developing data collection methods
IRC Channel Research
- IRC Networks
  - Usually defined by an address such as irc.domain.com
  - An IRC network is generally comprised of one server, or a network of servers directly connected to one another
  - Servers share information with one another such as user information, existing channels, chat information, etc.
  - New servers can be added to an existing network to scale up network capacity
  - Different IRC networks are completely independent of one another
  - Every IRC channel exists within an IRC network
IRC Channel Research
- Public vs private networks
  - Network accessibility has many implications for data collection
  - If hackers decide to host their channel on a public network, it is theoretically possible to collect data from that channel by volunteering a server to support the network; many public networks are entirely volunteer-run
  - One limitation to volunteering a server to a public IRC network is that public IRC networks often require very significant bandwidth capacity (hundreds of GBs of transfer per month)
  - Conversely, if a hacker-related IRC channel is hosted within a private network, it is unlikely that we will be able to volunteer a server to the network. Client-bots can be used to collect data from such channels
IRC Channel Research
- IRC Channels
  - IRC channels are usually separated by topic
  - Channel naming convention is #ChannelName
  - Each channel exists within a single IRC network
    - Two channels with the same name but on different networks are two different channels
    - Two channels within the same network cannot share the same name
  - A list of all users connected to a particular channel is provided to each channel participant
  - User chat is broadcast to everyone within a channel
IRC Channel Research
Figure: An example of a hacker IRC channel. A list of users, their messages, and timestamps for each message can be seen. The participants are discussing sqlmap, a tool for automated SQL injection and database hijacking, as well as programming concepts. The top header also includes links to other IRC channels affiliated with this one.
IRC Technical Information
- IRC Users
  - Connect to IRC servers, can join multiple channels simultaneously
  - Can broadcast messages to all other users within channels
  - Can initiate private messages with other users that are hidden from all other chat participants
    - Such private messages cannot be collected with the client-bot method of collection
    - They can be collected when hosting a server, though many public IRC networks have privacy rules that prohibit server operators from such behavior
IRC Channel Research
- Data must be captured in real time as chat data is not archived
  - Unlike forums, IRC is not a medium that supports natural archiving of data
  - If a message is not received by your client at the moment the message was transmitted, that message is unrecoverable
- Can use automated bots to monitor and log IRC channels
  - Perl Object Environment Bot - http://poe.perl.org/?POE_Cookbook/IRC_Bots
  - Supybot - http://irc-wiki.org/Supybot
- Bots can support features such as:
  - Auto-rejoining channels if connection is lost
  - Automated usage of proxy servers and peer-to-peer networks (e.g. Tor)
  - Monitoring multiple channels simultaneously
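The three bot features listed above (answering the server so the connection is kept alive, rejoining after being dropped, and logging several channels at once) come down to a handful of IRC protocol cases. The Python below is an added example and not POE or Supybot code: the protocol handling is written as a pure function over raw server lines so it can be exercised without a network connection, which is also how one would unit-test a real collection bot. The nick, channel name and server lines are constructed placeholders; only the IRC commands themselves (NICK, USER, JOIN, PING/PONG, PRIVMSG, KICK, ERROR) are the real RFC 1459 ones.

```python
"""Minimal IRC channel-logging bot logic, exercised without a network (added example)."""
import re

# ":prefix COMMAND params" per RFC 1459; the prefix is absent on server PINGs.
LINE_RE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


class LoggerBot:
    def __init__(self, nick, channels):
        self.nick = nick                   # placeholder nick, not a real bot's
        self.channels = set(channels)      # channels monitored simultaneously
        self.log = []                      # (timestamp, channel, sender, text)
        self.needs_reconnect = False

    def registration_lines(self):
        """Lines to send after (re)connecting: register the nick and join every channel."""
        lines = [f"NICK {self.nick}", f"USER {self.nick} 0 * :{self.nick}"]
        return lines + [f"JOIN {chan}" for chan in sorted(self.channels)]

    def handle_line(self, raw, timestamp):
        """Consume one raw server line; return the lines the bot should send back."""
        m = LINE_RE.match(raw.rstrip("\r\n"))
        if not m:
            return []
        prefix, cmd, params = m.group("prefix"), m.group("cmd"), m.group("params") or ""
        sender = prefix.split("!", 1)[0] if prefix else ""
        if cmd == "PING":                  # keepalive; an unanswered PING gets the client dropped
            return ["PONG " + params]
        if cmd == "PRIVMSG":
            target, _, text = params.partition(" :")
            if target in self.channels:    # channel traffic is logged; private messages are not
                self.log.append((timestamp, target, sender, text))
            return []
        if cmd == "KICK":
            parts = params.split(" ")
            if len(parts) >= 2 and parts[1] == self.nick and parts[0] in self.channels:
                return [f"JOIN {parts[0]}"]  # auto-rejoin after being kicked (e.g. for idling)
            return []
        if cmd == "ERROR":                 # server closed the link; the caller reconnects
            self.needs_reconnect = True    # and replays registration_lines()
        return []

    def replay(self, lines, timestamp):
        """Feed a batch of captured server lines; handy for offline tests of the logic."""
        out = []
        for line in lines:
            out.extend(self.handle_line(line, timestamp))
        return out


if __name__ == "__main__":
    # Constructed server lines standing in for a live IRC session.
    SERVER_LINES = [
        "PING :irc.example.net",
        ":alice!a@host PRIVMSG #research :anyone looked at the new sample?",
        ":bob!b@host PRIVMSG logbot :private ping",
        ":op!o@host KICK #research logbot :idle too long",
    ]
    bot = LoggerBot("logbot", ["#research"])
    print(bot.registration_lines())
    print(bot.replay(SERVER_LINES, "2014-01-06T10:00:00Z"))
    print(bot.log)
```

Wiring this to a socket is the only network-specific part; routing that socket through a local SOCKS proxy or Tor client, as the slide mentions, happens at connection time and leaves the line handling unchanged. Note that the timestamp is supplied by the caller at receipt, because the protocol itself carries none and, as the previous slide says, a message missed at that moment is gone.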
Conclusion
- Many branches of cybersecurity research exist
  - Ranging from social media analytics to more technical works
  - Interdisciplinary problem
- Hacker forums and IRC channels are relatively unexplored compared to other forms of social media
  - What insights can be gained from studying such communities?
  - What similarities and differences exist in hacker communities from different geopolitical regions?
- Honeypots also provide ample opportunities for research
  - Provide data for attack pattern and malware classification studies
  - Honeypot captures can be cross-referenced with hacker social media: can any insights be gained by combining data sources?
- Cybersecurity is a challenge of growing importance
References Abu Rajab, M., Zarfoss, J., Monrose, F., & Terzis, A. (2006). A multifaceted approach to understanding the botnet
phenomenon. Proceedings of the 6th ACM SIGCOMM on Internet measurement - IMC ’06, 41. Akhoondi, M., Yu, C., & Madhyastha, H. V. (2012). LASTor: A Low-Latency AS-Aware Tor Client. 2012 IEEE Symposium on
Security and Privacy, 476–490. Benjamin, V., & Chen, H. (2012). Securing Cyberspace : Identifying Key Actors in Hacker Communities. IEEE Intelligence
and Security Informatics. Binde, B. E., Mcree, R., & Connor, T. J. O. (2011). Assessing Outbound Traffic to Uncover Advanced Persistent Threat.
SANS Technology Institute. Cova, M., Kruegel, C., & Vigna, G. (2010). Detection and analysis of drive-by-download attacks and malicious JavaScript
code. Proceedings of the 19th international conference on World wide web - WWW ’10, 281. Crandall, J. R., Forrest, S., & Ladau, J. (2011). The Ecology of Malware. Proceedings of the 1st ACM workshop on Security
and privacy in smartphones and mobile devices, 99–106. Dholakia, Uptal M.; Bagozzi, Richard P.; Pearo, Lisa Klein. A Social Influence Model of Consumer Participation in
Network- and Small-group-based Virtual Communties. International Journal of Research in Marketing. 2004. Dolfsma, Wilfred; Soete, Loe. Understanding the Dynamics of a Knowledge Economy. Edward Elgar
Publishing. 2006. Emerson, R. M. (1976). Social Exchange Theory. nnual Review of Sociology, 2, 335–362. Fallmann, H., Wondracek, G., & Platzer, C. (2010). Covertly Probing Underground Economy Marketplaces. Proceedings of
the 7th international conference on Detection of intrusions and malware, and vulnerability assessment (DIMVA), 101– 110.
Franklin, J., Paxson, V., Perrig, A., & Savage, S. (2007). An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants. Proceedings of the 14th ACM conference on Computer and communications security, 375–388.
Fu, X., Ling, Z., Yu, W., & Luo, J. (2010). Cyber Crime Scene Investigations (C2SI) through Cloud Computing. 2010 IEEE 30th International Conference on Distributed Computing Systems Workshops, 26–31.
54
References
Fuller, R. M., & Valacich, J. S. (2008). Media, Tasks, and Communication Processes: A Theory of Media Synchronicity. MIS Quarterly, 32(3), 575–600.
Geer, D. (2005). Malicious Bots Threaten Network Security. IEEE Computer Society, 38(1), 18–20.
Goel, S. (2011). Cyberwarfare: Connecting the Dots in Cyber Intelligence. Communications of the ACM, 54(8), 132.
Hall, A. T., Blass, F. R., Ferris, G. R., & Massengale, R. (2004). Leader Reputation and Accountability in Organizations: Implications for Dysfunctional Leader Behavior. The Leadership Quarterly, 15(4).
Holt, T. J. (2010). Exploring Strategies for Qualitative Criminological and Criminal Justice Inquiry Using Online Data. Journal of Criminal Justice Education, 21(4), 466–487.
Holt, T. J., & Kilger, M. (2012). Know Your Enemy: The Social Dynamics of Hacking. The Honeynet Project, 1–17.
Holt, T. J., & Lampke, E. (2010). Exploring stolen data markets online: products and market forces. Criminal Justice Studies: A Critical Journal of Crime, Law, and Society, 23(1), 33–50.
Holt, T. J., Strumsky, D., Smirnova, O., & Kilger, M. (2012). Examining the Social Networks of Malware Writers and Hackers. International Journal of Cyber Criminology, 6(1), 891–903.
Hopper, L., Hopper, R., & Womble, P. (2009). Identifying network attacks from a social perspective. 2009 IEEE Conference on Technologies for Homeland Security, 511–515.
Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Lockheed Martin Corporation.
Mielke, C. J., II, & Chen, H. (2008). Botnets, and the CyberCriminal Underground. IEEE International Conference on Intelligence and Security Informatics 2008, 206–211.
Imperva. (2012). Imperva Hacker Intelligence Initiative. Monthly Trend Report #13.
von Lampe, K., & Johansen, P. O. (2004). Organized Crime and Trust: On the Conceptualization and Empirical Relevance of Trust in the Context of Criminal Networks. Global Crime, 6(2).
Jang, D., Kim, M., Jung, H., & Noh, B. (2009). Analysis of HTTP2P Botnet: Case Study Waledac. IEEE 9th Malaysia International Conference on Communications, 15–17.
Kshetri, N. (2006). The Simple Economics of Cybercrimes. IEEE Security & Privacy, Jan–Feb, 33–39.
Leavitt, N. (2009). Anonymization Technology Takes a High Profile. IEEE Computer Society, (November), 15–18.
Ling, Z., Luo, J., Yu, W., & Fu, X. (2011). Equal-Sized Cells Mean Equal-Sized Packets in Tor? 2011 IEEE International Conference on Communications (ICC), 1–6.
Lu, W., & Ghorbani, A. A. (2008). Botnets Detection Based on IRC-Community. IEEE GLOBECOM 2008 (2008 IEEE Global Telecommunications Conference), 1–5.
Lu, W., Tavallaee, M., & Ghorbani, A. A. (2009). Automatic discovery of botnet communities on large-scale communication networks. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security (ASIACCS ’09), 1.
McCusker, R. (2006). Transnational organised cyber crime: distinguishing threat from reality. Crime, Law and Social Change, 46(4–5), 257–273.
Motoyama, M., McCoy, D., Levchenko, K., Savage, S., & Voelker, G. M. (2011). An analysis of underground forums. Proceedings of the 2011 ACM SIGCOMM Conference on Internet Measurement (IMC ’11), 71.
Moore, T., & Clayton, R. (2009). Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing. Financial Cryptography and Data Security, 256–272.
Muller, P. (2006). Reputation, Trust and the Dynamics of Leadership in Communities of Practice. Journal of Management and Governance, 10(4).
Radianti, J. (2010). A Study of a Social Behavior inside the Online Black Markets. 2010 Fourth International Conference on Emerging Security Information, Systems and Technologies, 88–92.
Radianti, J., Rich, E., & Gonzalez, J. J. (2007). Using a Mixed Data Collection Strategy to Uncover Vulnerability Black Markets. Workshop for Information Security and Privacy.
Radianti, J., Rich, E., & Gonzalez, J. J. (2009). Vulnerability Black Markets: Empirical Evidence and Scenario Simulation. 42nd Hawaii International Conference on System Sciences (HICSS), 1–10.
Rieck, K., Trinius, P., Willems, C., & Holz, T. (2011). Automatic Analysis of Malware Behavior using Machine Learning. Journal of Computer Security, 1–30.
Spencer, J. F. (2008). Using XML to map relationships in hacker forums. Proceedings of the 46th Annual Southeast Regional Conference (ACM-SE 46), 487.
Tschorsch, F., & Scheuermann, B. (2011). Tor is unfair — And what to do about it. 2011 IEEE 36th Conference on Local Computer Networks, 432–440.
Turrini, E. (2010). Cybercrimes: A Multidisciplinary Analysis. Springer Publishing.
Yadav, S., Reddy, A. K. K., & Reddy, A. L. N. (2010). Detecting Algorithmically Generated Malicious Domain Names. Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement (IMC ’10).
Yip, M. (2011). An Investigation into Chinese Cybercrime and the Applicability of Social Network Analysis. ACM Web Science Conference.
Yip, M., Shadbolt, N., & Webber, C. (2013). Why Forums? An Empirical Analysis into the Facilitating Factors of Carding Forums. ACM Web Science, May.
Zhang, L., Yu, S., Wu, D., & Watters, P. (2011). A Survey on Latest Botnet Attack and Defense. 2011 IEEE 10th International Conference on Trust, Security and Privacy in Computing and Communications, 53–60.
Zhu, Z., Lu, G., Chen, Y., Fu, Z. J., Roberts, P., & Han, K. (2008). Botnet Research Survey. 2008 32nd Annual IEEE International Computer Software and Applications Conference, 967–972.
Zhuge, J., Holz, T., Song, C., Guo, J., & Han, X. (2008). Studying Malicious Websites and the Underground Economy on the Chinese Web. Workshop on the Economics of Information Security, 225–244.