Digital Forensics: Uganda’s Preparedness

Dennis Tusiime Rwatooro
2014-M142-2002
Dept of Computer Science

Abstract — The more our lives continue to depend on digital communication networks and media to perform daily activities such as communication, access to information and critical services such as health, financial transactions, entertainment, and public utilities like electricity, the more we get exposed to security risks. These security risks include breach of confidentiality of communication and transactions, violation of personal privacy, crime and fraud, disruption of services, and distribution of inappropriate content, among others. The goal of digital security is to research into and develop mechanisms to address these security risks. In this paper we briefly survey some of the emerging issues in digital security. The literature shows that while some domains in digital security have remained unchanged over a long time, for example cryptography, new areas have emerged including steganography.

Keywords – digital forensic techniques, volatile data extraction, digital image forensics, malware investigations, email security, symmetric key cryptography, asymmetric key cryptography, public key cryptography.

Introduction

Forensic science is defined as the application of the sciences as it pertains to legal matters or problems (Gialamas, 2000). One of the branches/fields of forensic science, namely criminalistics, is the profession and scientific discipline oriented to the recognition, identification, individualization and evaluation of physical evidence by the application of natural science to law-science problems (Gialamas, 2000) [1]. Digital forensics is the process of identifying, preserving, analysing, and presenting evidence in a manner that is legally acceptable [2], [3], [4], [5]. Digital forensics has also been defined as the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data [6]. Digital evidence collected should be admissible in court; it can also be used in internal disciplinary hearings, to support internal incident reports, and to further other investigations, among other things.
Digital evidence is data which helps reconstruct past events or activity (timelines), shows possession/handling of digital data, shows evidence of policy violation or illegal activity.
Potential sources of evidence include but are not limited to hard disks, tapes, external/removable media, network infrastructure logs (firewall, IDS, proxy), application and audit log files, email, captured network traffic, and other server content such as Windows shares, web servers, databases, etc. [7]. The main areas of digital forensics are computer forensics (hard disk and removable media acquisition and analysis), network forensics (network intrusions, abuse), software forensics (examining malicious code, malware) and live system forensics (compromised hosts, system abuse, etc.). Organizations that use digital forensics include but are not limited to law enforcement agencies (police), the military, government agencies, law firms, data recovery firms and, more recently, corporate organizations.
The annual Police crime and traffic report indicated a 14.9% surge in economic crimes, rising from 9,574 cases in 2011 to 11,006 in 2012, mainly registered in banks, public service providers and non-governmental organizations (NGOs). “In 2012, a total of 700 victims lost over sh1.2b by use of scheming devices from ATM locations in Kampala and other areas,” the report launched by both the Police chief, Gen. Kale Kayihura and criminal investigations and intelligence directorate boss Grace Akullo, noted [8].

Today there is increased use of digital communication networks and media for communication, information, and service access in almost all facets of human life including health, education, finance, government, entertainment, and commerce. While this has resulted in tremendous improvements in the quality of life for humanity, digital communication networks and media pose serious security issues that threaten the very purpose they were created to serve. These security issues and threats include, but are not limited to, violation of the confidentiality of communications and transactions, unauthorized access to services, theft and misappropriation of personal and financial identity information, and perpetration of criminal and terrorist activities. Others include commission of fraud, infringement on personal privacy, creation and distribution of inappropriate content, and disruption to communication and other online services as well as public utilities. Generally speaking, digital security aims to research and develop mechanisms and technologies to address these security issues and threats. The goals of digital and information security may be summarized into five broad categories: confidentiality/privacy, message integrity, entity and message authentication, authorization, and non-repudiation [1]. Over the years various approaches, strategies, and techniques have been developed and/or proposed to achieve the goals of digital security.

This paper is a brief survey of the roles of digital forensics within a corporate organization and/or government establishment, roles that organizations, companies and the Government of Uganda need to adopt if they are to successfully fight cybercrime. It also discusses the need for computer and network forensics and provides guidance on establishing and organizing a forensics capability for an organization. It further surveys some of the state-of-the-art approaches, strategies, and techniques that have been developed and/or proposed in the literature to address the emerging issues in digital security. For each issue examined, an attempt is made to predict the future over the next several years. The discussion in this paper is based on the framework of the Advances in Digital Security course offered at Makerere University’s School of Computing and Information Technology. The rest of this paper is organized as follows. In section 2 we discuss the emerging issues in digital security and conclude the paper in section 3.

Emerging issues in digital security

We survey the emerging issues in digital security under various subtitles. These include digital forensic techniques, forensic data extraction from live systems, digital image forensics, malware investigations, electronic mail security, symmetric key cryptography, and asymmetric/public key cryptography. The subtitling has been adopted for convenience of discussion, otherwise the issues discussed overlap.

1 Digital forensic techniques

Due to the increased use of digital communication networks and media to perpetrate crime today, the demand for digital forensic services in government and the private sector is on the rise. Digital forensics [2] is the use of scientifically proven methods for the acquisition and analysis of digital evidence for purposes of reconstructing an event that may be considered criminal. Digital forensics is a broad, emerging field still characterized by immature methodology (processes, techniques, and tools) upon which the reliability of digital evidence must depend. Aspects of digital data communications and storage important to forensic investigations include communication protocols, data storage media structure, data/file formats, user network access devices, and network equipment/devices. A wide range of techniques and tools are applicable and available for extraction and analysis of data from these different aspects of digital data communication and storage for evidentiary purposes. These range from search queries for file searching to data extraction from “live” systems. We discuss some of the important issues below.

2 Forensic data extraction from live systems

Data from a “live” system, also called volatile data, refers to data that is in a state of constant change, such as that found in the memory of a computer system while it is operational. Such data may be lost when power to the system is lost. Live data collection is arguably one of the most challenging tasks in digital forensics due to the “delicate” nature of the data and the high likelihood of its being tampered with by the very tools and techniques that the analyst uses in the course of extracting it [3, 4, 5, and 6]. There are two aspects to data extraction from a live computer system: the methodological process, and the techniques and tools. The techniques and tools for volatile data collection and extraction for forensic purposes are used to extract and analyze data on the current or previous state of the operational system. The techniques and tools used on a particular system depend on the platform of the system, i.e. the operating system, the application programs currently running, the device capabilities of the system, etc. The approach used for data extraction from a live system may be manual or automated. In this survey we focus only on automated data extraction and analysis.

Increasingly, attempts are being made to automate the process of data extraction and analysis from a live system for digital forensic purposes [7, 8, and 9]. The main factor driving this trend is the delicate nature and the huge volume of data in a live system that an analyst must deal with. To address the latter challenge, data mining techniques [7] have been proposed. There are two trends in data acquisition from a live system: static analysis and dynamic analysis. Static analysis is the traditional approach, which involves halting the operational system to make a copy (image) of it. The target of static analysis is often secondary storage media such as hard drives and USB devices connected to the system at the time of an incident. The image acquired is then analyzed later on a different, trusted system to recover any evidentiary data from the storage medium. The main weakness of the static analysis approach to data acquisition from a live system is that it requires the operational system to be shut down before any data can be recovered from it. The problem is that the process of shutting down the system, whether orderly or forced, may alter, delete or make data inaccessible to the forensic investigator. Dynamic analysis [10, 11, 4, 12, 15, 13, and 14], on the other hand, does not require that the running system be shut down in order to extract data from it. Two strategies for dynamic analysis are extracting data directly from the physical system and using a virtual environment [15, 16, and 17]. A review of the strengths and limitations of current techniques and tools for dynamic forensic data extraction is provided in [18].
A number of frameworks have also been proposed in the literature to streamline various aspects of the digital forensics process, including data collection from volatile memory [12, 21], incident response [19], data collection from Windows mission-critical systems [20], and for honey pot analysis [22].

3 Digital image forensics

Over the last several years there has been an increase in access to and use of image and multimedia data as a result of advances in multimedia technologies. However, multimedia content has become one of the latest sources of problems for digital security. Information hiding or steganography, an ancient practice as described in [23], has found a new foothold in digital multimedia content. Digital image steganography is the art and science of writing and communicating hidden messages using digital images as the carrier [24]. The goal of the sender is to prevent any party other than the intended recipient from detecting the fact that communication is taking place. A fairly recent examination of the current status and challenges in information hiding can be found in [25]. The three related security goals of a steganographic scheme are undetectability, a high capacity for the payload, and robustness to steganalysis, which is often based on statistical attacks. Undetectability refers to the fact that after embedding the message to be hidden in the cover image, there should be no distortion in the resultant image that is noticeable to the human visual system (HVS) [26 and 27]. Robustness of a scheme refers to its ability to resist steganalytic attacks (steganalysis), steganalysis being the art and science of detecting hidden messages in digital images [28]. High capacity refers to the ability of the cover image to store a large payload without compromising the other security goals. Image steganography techniques are broadly categorized into spatial domain-based and transform domain-based. The former manipulate the bits of the cover image [29], often the least significant bits (LSB), to hide a message, while the latter transform the signal of the cover image to hide a message. Transform-based steganography techniques include the discrete cosine transform (DCT) [24], the discrete wavelet transform (DWT) [30], and, more recently, the discrete Pascal transform (DPT) [31].
Transform-based techniques are robust to image steganalysis and undetectable by the HVS, although they have low capacity. Spatial domain-based techniques, on the other hand, have high capacity but low robustness and undetectability. A few studies have focused on forensic aspects of digital image steganography and steganalysis, for example [32, 33, 34, 35, and 36].
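The LSB embedding and the statistical steganalysis described above, as an added Python example written for this page (it is not code from the paper or from any of the cited works): a message is written into the least significant bits of a constructed grayscale cover, and a pairs-of-values chi-square statistic then shows how LSB replacement flattens the histogram pairs, which is what a statistical steganalysis attack looks for. The cover image, the message and the decision threshold are constructed assumptions.

```python
"""LSB embedding into a grayscale cover and a pairs-of-values chi-square check.
Constructed example: the cover is synthetic, not a real image."""
import random


def embed_lsb(pixels, message):
    """Write a 16-bit length prefix and the message bits into the LSB of
    successive pixels (spatial-domain steganography)."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for the payload")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit  # replace the LSB only
    return stego


def extract_lsb(pixels):
    """Recover the message written by embed_lsb."""
    def read_bits(start, count):
        value = 0
        for i in range(start, start + count):
            value = (value << 1) | (pixels[i] & 1)
        return value
    length = read_bits(0, 16)
    return bytes(read_bits(16 + 8 * k, 8) for k in range(length))


def pov_chi_square(pixels):
    """Pairs-of-values chi-square statistic. LSB replacement only moves
    pixels between the values 2k and 2k+1, so after embedding the two
    frequencies of each pair become nearly equal and the statistic drops
    towards the number of pairs; an untouched cover usually scores much higher."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            chi += (even - expected) ** 2 / expected
    return chi


def lsb_embedding_likely(pixels, per_pair_threshold=2.0):
    """Crude decision rule for the demo: flag when the statistic per pair is
    close to 1, the value expected for random LSBs. (Assumed threshold; a real
    detector would compute a p-value and scan the image in windows.)"""
    return pov_chi_square(pixels) / 127.0 < per_pair_threshold


def build_demo(n_pixels=4096, msg_len=500, seed=7):
    """Construct a cover with a deliberate even/odd imbalance (a stand-in for
    the uneven histogram of a real image), embed a random message, and
    return cover, message and stego image."""
    rng = random.Random(seed)
    cover = []
    for _ in range(n_pixels):
        v = rng.randint(0, 255)
        if rng.random() < 0.7:  # bias the cover towards even values
            v &= 0xFE
        cover.append(v)
    message = bytes(rng.randint(0, 255) for _ in range(msg_len))
    stego = embed_lsb(cover, message)
    return cover, message, stego


COVER, MESSAGE, STEGO = build_demo()

if __name__ == "__main__":
    print("round trip ok:", extract_lsb(STEGO) == MESSAGE)
    print("chi-square cover: %.1f  stego: %.1f"
          % (pov_chi_square(COVER), pov_chi_square(STEGO)))
    print("stego flagged:", lsb_embedding_likely(STEGO),
          " cover flagged:", lsb_embedding_likely(COVER))
```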

One of the key challenges in both steganography and steganalysis is the lack of standardization especially for evaluating algorithms; as a result a few proprietary attempts have been made in that direction including [37, 38, and 39]. Owing to the importance of digital image steganography and steganalysis, a number of literature surveys on the subject have been conducted. For example [40] provides the latest survey on the state of the art in steganography, while [41] surveys steganalysis. A survey of the state-of-the-art in digital image forensics in general is provided in [42]. In [43] a forecast of the future of digital forensics research over the next 10 years is made.

4 Malware investigation

Malware refers to software or code whose execution is intended to have an adverse impact on the expected performance of other software or systems. Commonly used categories of malware include virus, worm, spyware, Trojan horse, and key logger. Tools used to investigate malware make use of statistical techniques to statically or dynamically characterize (fingerprint/generate signatures for), classify, and cluster malware. Traditionally, malware classification and clustering have used manual techniques. However, the trend today is towards fully automated classification and clustering of malware using machine learning techniques. Recent attempts in this direction include [44, 45, 46, 47, 48, 49, and 50]. The need for automation is being driven by the large number of malware types and variants, which makes manual classification and clustering both less effective and less efficient.

There are basically two approaches to malware characterization for classification and clustering. Traditional techniques for malware classification and clustering use content-based analysis of the sequences or patterns of system calls made by the malicious code to system resources during its execution. This approach, however, is said to be less concise in semantics, incomplete in implementation, and inconsistently applied across attack vectors. The result is low effectiveness in the classification and clustering of malware. Incorrect classification of malware will misinform the selection of mitigation measures. As a result, a new approach to malware classification and clustering based on malware behavior [46, 48, 44, 50, 51, 45, 49, 52, and 53] has been proposed, with high accuracy rates being reported. According to [54], however, caution needs to be exercised over the high accuracy rates reported for the behavioral techniques, because the rates achieved could be biased by the methods used for selecting the ground truth datasets in the evaluation of the techniques.

5 Electronic mail security

We identify three key security goals in electronic mail (email) communication, namely confidentiality/privacy of messages, message integrity, and authentication of the email source, together with a further issue: unsolicited commercial email (spam).

The three security goals of message confidentiality, message integrity, and message/entity authentication in email communication are achieved by PKC. Message confidentiality and message integrity are achieved by using encryption, while message/entity authentication is provided by digital signing of email messages. The most widely used email standards, Secure/Multipurpose Internet Mail Extensions (S/MIME) and Open Pretty Good Privacy (OpenPGP) [55], both implement PKC for message encryption based on the RSA and Diffie-Hellman algorithms. Encryption (and signing) of email can be done at two levels. The first involves encrypting the email header information and/or the body (content) of the email. This takes place at the application layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) suite using email standards such as S/MIME and OpenPGP. Email communication can also be secured by encrypting the communication channel between two email systems, by implementing a virtual private network (VPN) using the IP Security (IPSec) protocol at the network layer of the TCP/IP suite. The IPSec protocol also implements the RSA cryptosystem. Although IPSec is the most widely used standard for encryption at the network layer of the TCP/IP suite, there have been long-standing questions regarding its cryptographic implementation, which are believed to make it less secure. The security issues in the implementation of IPSec are discussed in detail in [56]. In addition to S/MIME and OpenPGP, other less known/used email encryption standards exist, including Privacy Enhanced Mail (PEM) [57] and MIME Object Security Services (MOSS) [58].

Today the main challenge facing email communication appears to be the huge volume of unsolicited commercial email experienced by users on the Internet. According to [59], over two-thirds of the email messages exchanged on the Internet are spam, amounting to billions of messages. The negative impacts of spam include wasted bandwidth and lost staff productivity owing to the enormous amount of time spent deleting spam and/or managing email systems to control it. A multitude of approaches, strategies, and methods have been proposed and/or developed to address the problem of spam, ranging from managerial to educational to technological. A discussion of these different approaches and techniques can be found in [60]. In this survey, however, we focus on techniques for controlling spam on email systems. These techniques employ filters, which classify email messages as either spam or non-spam. The classifiers may be based on statistical techniques, as discussed in e.g. [61], or on machine learning techniques, for example Bayes classifiers [62] and support vector machines (SVM) [63 and 64].

Three important issues emerge from the literature as necessary for improving the capability of the classifiers used in email filters if the problem of spam is to be successfully addressed. These are the need to reduce training time for classifiers, the high computational cost of classifiers, and the need for classifiers that can continuously learn. Continuous learning is important because the concepts used to filter spam are constantly changing, often driven by the spammers themselves. A number of methods have been proposed to address this, including case-based learning [65]. References [66, 67, 68, and 69] survey and/or evaluate the performance of various machine learning techniques for spam filtering. Machine learning based techniques are shown to generally perform better than statistical techniques in spam filtering, although the former have a higher computational cost.
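An added example (written for this page, not from the paper or the cited works) of the Bayes classifier mentioned above, built so that it can keep learning: a multinomial naive Bayes filter that stores counts rather than fitted probabilities and accepts newly labelled messages at any time, which is the continuous-learning need raised in the paragraph. The training messages and the drift scenario are constructed.

```python
"""Incremental multinomial naive Bayes spam filter over a constructed corpus."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class IncrementalNaiveBayes:
    """Keeps raw counts, so a newly labelled message can be folded in with
    update() at any time instead of retraining from scratch."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # Laplace smoothing
        self.doc_counts = Counter()             # label -> documents seen
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.total_words = Counter()            # label -> tokens seen
        self.vocab = set()

    def update(self, text, label):
        self.doc_counts[label] += 1
        for tok in tokenize(text):
            self.word_counts[label][tok] += 1
            self.total_words[label] += 1
            self.vocab.add(tok)

    def log_posterior(self, text, label):
        n_docs = sum(self.doc_counts.values())
        logp = math.log(self.doc_counts[label] / n_docs)   # class prior
        denom = self.total_words[label] + self.alpha * len(self.vocab)
        for tok in tokenize(text):
            logp += math.log((self.word_counts[label][tok] + self.alpha) / denom)
        return logp

    def spam_probability(self, text):
        ls = self.log_posterior(text, "spam")
        lh = self.log_posterior(text, "ham")
        m = max(ls, lh)                         # normalise without underflow
        return math.exp(ls - m) / (math.exp(ls - m) + math.exp(lh - m))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training messages (not real mail).
TRAINING = [
    ("win a free prize now click here", "spam"),
    ("cheap meds free shipping click now", "spam"),
    ("claim your free $1000 prize today", "spam"),
    ("meeting agenda for monday attached", "ham"),
    ("can you review the forensics report draft", "ham"),
    ("lunch tomorrow at noon", "ham"),
]


def build_demo_filter():
    clf = IncrementalNaiveBayes()
    for text, label in TRAINING:
        clf.update(text, label)
    return clf


def drift_demo():
    """A campaign whose vocabulary was unseen in training is missed at first;
    folding in one labelled example with update() is enough to catch variants."""
    clf = build_demo_filter()
    before = clf.classify("urgent account verification required")
    clf.update("urgent account verification required click now", "spam")
    after = clf.classify("urgent verification required")
    return before, after


if __name__ == "__main__":
    clf = build_demo_filter()
    print(clf.classify("free prize click now"), clf.classify("please review the meeting agenda"))
    print("before/after drift update:", drift_demo())
```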

Another growing problem in email communication systems on the Internet is the use of computer programs to automate the process of signing up for an email account, especially on the free email services of companies such as Yahoo! and Google Mail (GMail). The email accounts automatically created using bots may be used to generate and send spam on the Internet. To address this problem the captcha test has been proposed [70]. A captcha is an Artificial Intelligence (AI) based test that humans can pass but current computer programs cannot. The test involves typing a distorted text into a field when signing up for an email account. The captcha test is argued to hold high potential for addressing other related problems on the Internet, such as preventing unauthorized web page indexing and dictionary attacks on passwords, and even implementing online poll integrity.

6 Symmetric key cryptography

Confidentiality in communication over insecure digital channels using symmetric key encryption is achieved through sharing a secret key among the communicating parties. The main benefit of symmetric key encryption schemes is computational efficiency owing to the short length of the key used for encryption and decryption. Symmetric key encryption is classified into stream ciphers and block ciphers; the latter further being divided into substitution ciphers and transposition ciphers. In this survey we focus on block ciphers because they are more widely researched and implemented in industry than stream ciphers. A recent survey of block ciphers and stream ciphers, and cryptanalytic attacks on them can be found in [71].

The majority of current implementations of symmetric key encryption are based on block ciphers. A block cipher, according to [1], “encrypts groups of characters of plaintext using a fixed encryption transformation.” Block ciphers may operate in various modes, including electronic codebook (ECB) mode, cipher block chaining (CBC) mode, cipher feedback (CFB) mode, output feedback (OFB) mode, and counter (CTR) mode [72]. There are two well-known and widely used standard implementations of block ciphers. The first is the Data Encryption Standard (DES), which uses a 56-bit key for encryption and decryption. Later the Triple DES standard, a variant of DES, increased the key length to 168 bits, although this had a significant impact on its computational efficiency, leading to its eventual abandonment. As the successor to the DES algorithm, addressing the problem of the short key, the Advanced Encryption Standard (AES) is the second standard for symmetric encryption based on block ciphers. AES is based on the Rijndael algorithm and has three variants using 128-bit, 192-bit, and 256-bit key lengths. Various criteria are available for evaluating the performance of block ciphers, with the level of security achieved and the efficiency of the algorithm being the most important [1]. A number of classes of attacks on block ciphers have been proposed, including differential cryptanalysis, linear cryptanalysis, weak key attacks, and algebraic attacks [73, 74, and 75]. Other types of attacks include side channel attacks [76] and gradient statistical attacks [77]. A good examination of cryptanalysis of block ciphers is provided in [78 and 79], while [80] proposes a security evaluation of block ciphers against differential and linear cryptanalysis. Nawaz [81] provides a literature survey of cryptanalysis of block ciphers. Reference [82] examines some of the current research challenges in symmetric cryptanalysis.

The greatest challenge in symmetric key based communication is key sharing, a problem referred to as the key distribution problem. Various key establishment and key management approaches and strategies have been proposed and/or developed; see [1]. The commonest approach, however, involves the use of asymmetric key encryption for symmetric key exchange. The commonest asymmetric key algorithm used for symmetric key exchange on the Internet is the Diffie-Hellman algorithm.

7 Asymmetric/public key cryptography

Asymmetric key encryption, also known as public key cryptography (PKC), uses two keys, a public key and a private key, to achieve confidentiality in communication over insecure channels. The public key is used for encryption and the corresponding private key, which must be kept secret by its owner, is used for decryption. PKC currently provides the basis for security on the Internet. Because of its high computational cost, however, the main benefit of PKC is its use for symmetric key exchange over insecure channels. The origin of PKC is attributed to Diffie and Hellman, who first published the idea in a paper in 1976; see [83] for background information. The first practical implementation of PKC is however credited to Rivest, Shamir, and Adleman, who invented the RSA cryptosystem in 1977. To date, the RSA cryptosystem, based on the integer factorization problem (IFP), remains the most secure and widely used cryptosystem. The current digital signature scheme is also based on the RSA algorithm. For a thorough discussion of the implementation of the RSA cryptosystem the reader is referred to [83 and 84]. Attacks on asymmetric key cryptography, especially RSA, are well discussed in a number of texts and surveys, including [85, 86, 87, 88, 84, 89, and 90]. It is incredible to note that despite being invented over thirty-five years ago, RSA remains the only PKC cryptosystem in use to this day. Of course a new class of cryptosystems based on elliptic curves, referred to as Elliptic Curve Cryptography (ECC), has emerged and has been shown to be more efficient than RSA, because ECC uses a shorter key length than RSA to provide the same level of security. A number of sources discussing ECC include [91, 92, 93, and 94]. Certicom has been the main organization behind ECC [95].
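The use of Diffie-Hellman to establish a symmetric key, described at the end of the previous section and in the paragraph above, as an added Python example written for this page (not from the paper or its references): both sides publish one value, check the peer's value before using it, and derive a 128-bit AES key from the agreed secret. The prime, the generator and the derivation label are assumptions chosen for the demo.

```python
"""Diffie-Hellman key agreement used to establish a symmetric (AES-128) key.
Constructed example: the 127-bit prime is for illustration only; deployed
systems use standardised 2048-bit or larger groups or elliptic-curve groups."""
import hashlib
import secrets

P = 2**127 - 1      # Mersenne prime, assumed here only for the demo
G = 5               # assumed generator for the demo group


def generate_keypair(p=P, g=G):
    """Private exponent in [2, p-2] and the public value g^priv mod p."""
    priv = secrets.randbelow(p - 3) + 2
    return priv, pow(g, priv, p)


def public_value_acceptable(pub, p=P):
    """Reject 0, 1 and p-1: those force the shared secret to 0, 1 or p-1
    regardless of the private exponent, so a peer sending them would know the
    resulting key without doing any work."""
    return 2 <= pub <= p - 2


def shared_secret(priv, peer_pub, p=P):
    if not public_value_acceptable(peer_pub, p):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def derive_aes128_key(secret, p=P, label=b"dh-demo-key"):
    """Hash the agreed group element down to a 16-byte key instead of using
    the raw integer: the raw value is neither uniform nor key-sized."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(label + secret.to_bytes(nbytes, "big")).digest()[:16]


def run_exchange(p=P, g=G):
    """Both sides of the exchange: each publishes one value, validates the
    peer's value, and derives the same AES-128 key."""
    a_priv, a_pub = generate_keypair(p, g)       # Alice -> Bob: a_pub
    b_priv, b_pub = generate_keypair(p, g)       # Bob -> Alice: b_pub
    key_a = derive_aes128_key(shared_secret(a_priv, b_pub, p), p)
    key_b = derive_aes128_key(shared_secret(b_priv, a_pub, p), p)
    return key_a, key_b


def keys_agree():
    key_a, key_b = run_exchange()
    return key_a == key_b and len(key_a) == 16


if __name__ == "__main__":
    print("both sides derived the same AES-128 key:", keys_agree())
    print("value 1 accepted:", public_value_acceptable(1))
```

Plain Diffie-Hellman as shown is unauthenticated; deployed protocols sign the exchanged values (for example with RSA, as the section notes) so that each side knows who it is agreeing a key with.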

Conclusion

The current trend is that our daily lives continue to rely increasingly on digital data communication networks and media for access to information and essential services in finance, health, and public utilities. This reliance, however, has also increased our exposure to security risks. This survey has shown that new areas are emerging that pose a threat to digital security. Some of these threats include digital image steganography and spam. Steganography and steganalysis have seen increased research activity over the last ten years, probably more than any other area of digital security. Some aspects of digital security seem to have stagnated over a long period of time; for example, the original ideas and implementations of cryptography have remained relatively the same, although new cryptographic schemes such as ECC have emerged. There has also been an increase in malware and in its impact. We expect the current trends to continue over the next few years.

As future work, this survey may be extended to address other aspects of digital security such as forensic digital storage media analysis, Web security, network security, hacking human and automobile security, and biometric user identification and authentication.

References

[1] A. J. Menezes, P. C. van Oorschot, and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press Inc., 1997.
[2] M. A. Caloyannides, “Privacy Protection and Computer Forensics,” 2nd ed., Norwood: Artech House, Inc., 2004.
[3] B. Schwittay, “Towards automating analysis in computer forensics,” Diploma Thesis, RWTH Aachen University, 2006. Available at http://www1.informatik.uni-erlangen.de/filepool/thesis/diplomarbeit-2006-schwittay.pdf
[4] B. D. Carrier, “Risks of live digital forensic analysis,” Comm. ACM, vol. 49, no. 2, 2006, pp. 56–61. DOI: 10.1145/1113034.1113069.
[5] B. Hay, K. Nance, and M. Bishop, “Live analysis: progress and challenges,” IEEE Computer and Reliability Societies, Mar./Apr. 2009, pp. 30-37. Available at http://nob.cs.ucdavis.edu/bishop/papers/2009-ieeesp-2/liveanal.pdf
[6] M. Barrere, G. Betarte, and M. Rodriguez, “Towards machine-assisted formal procedures for collection of digital evidence,” 2011 9th Annual International Conference on Privacy, Security and Trust (PST), July 19-21, 2011, pp. 32-35. Available at http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5971960&abstractAccess=no&userType=
[7] N. Beebe and J. Clark, “Dealing with terabyte data sets in digital investigations,” Advances in Digital Forensics, IFIP International Federation for Information Processing, vol. 194/2005, 2005, pp. 3-16. DOI: 10.1007/0-387-31163-7_1. Available at http://www.springerlink.com/content/g2922321644m101r/
[8] B. Lempereur, M. Merabti, and Q. Shi, “Automating evidence extraction and analysis for digital forensics,” PGNet, 2009. Available at http://www.cms.livjm.ac.uk/pgnet2009/Proceedings/Papers/2009052.pdf
[9] S. Lee, A. Savoldi, K. S. Lim, J. H. Park, and S. Lee, “A proposal for automating investigations in live forensics,” Computer Standards & Interfaces, vol. 32, no. 5-6, Oct. 2010, pp. 246-255. Available at http://www.sciencedirect.com/science/article/pii/S0920548909000762
[10] B. D. Carrier and J. Grand, “A hardware-based memory acquisition for digital investigations,” Digital Investigation, vol. 1, no. 2, 2004, pp. 50–60.
[11] F. Adelstein, “Live forensics: diagnosing your system without killing it first,” Comm. ACM, vol. 49, no. 2, 2006, pp. 63–66. DOI: 10.1145/1113034.1113070.
[12] N. Petroni, A. Walters, T. Fraser, and W. Arbaugh, “FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory,” Digital Investigation Journal, vol. 3, no. 4, Dec. 2006, pp. 197-210.
[13] A. Walters and N. L. Petroni, “Volatools: integrating volatile memory forensics into the digital investigation process,” Komoku, Inc., USA, 2007.
[14] E. Libster and J. D. Kornblum, “A proposal for an integrated memory acquisition mechanism,” Operating Systems Rev., vol. 42, no. 3, 2008, pp. 14–20. DOI: 10.1145/1368506.1368510.
[15] B. Hay and K. Nance, “Forensics examination of volatile system data using virtual introspection,” Operating Systems Rev., vol. 42, no. 3, 2008, pp. 74–82. DOI: 10.1145/1368506.1368517.
[16] B. K. Nance, B. Hay, and M. Bishop, “Investigating the implications of virtual machine introspection for digital forensics,” IEEE Computer Society, 2009, pp. 1024-1029.
[17] S. Mrdovic, A. Huseinovic, and E. Zajko, “Combining static and live digital forensic analysis in virtual environments,” IEEE, 2009. Available at http://people.etf.unsa.ba/~smrdovic/publications/ICAT2009-Mrdovic_Huseinovic_Zajko.pdf
[18] I. Sutherland, J. Evans, T. Tryfonas, and A. Blyth, “Acquiring volatile operating system data tools and techniques,” ACM SIGOPS Operating Systems Review, vol. 42, no. 3, April 2008, pp. 65-73. Available at http://dl.acm.org/citation.cfm?id=1368516
[19] F. C. Freiling and B. Schwittay, “A common process model for incident response and computer forensics,” University of Mannheim, Germany and Symantec GmbH, Germany, 2007. Available at http://www1.informatik.uni-erlangen.de/filepool/publications/imf2007-common-model.pdf
[20] A. Savoldi and P. Gubian, “Volatile memory collection and analysis for Windows mission-critical computer systems,” International Journal of Digital Crime and Forensics (IJDCF), vol. 1, no. 3, 2009. DOI: 10.4018/jdcf.2009070103. Available at http://www.igi-global.com/article/volatile-memory-collection-analysis-windows/3908
[21] Volatile Systems, “The Volatility framework: volatile memory artifact extraction utility framework.” Available at www.volatilesystems.com/default/volatility
[22] K. D. Fairbanks, “Forensic framework for honeypot analysis,” PhD Thesis, Georgia Institute of Technology, 2010. Available at http://smartech.gatech.edu/bitstream/handle/1853/33977/fairbanks_kevin_d_201005_phd.pdf?sequence=1
[23] G. J. Simmons, “The prisoners’ problem and the subliminal channel,” Proceedings of Crypto’83, 1984, pp. 51–67. Available
[24] N. Provos and P. Honeyman, “Hide and Seek: An introduction to steganography,” IEEE Security and Privacy, vol. 1, no. 3, May-June 2003, pp. 32-44.
[25] N-I. Wu and M-S. Hwang, “Data hiding: current status and key issues,” International Journal of Network Security, vol. 4, no. 1, Jan. 2007, pp. 1-9.
[26] R. Chandramouli, M. Kharrazi, and N. Memon, “Image steganography and steganalysis: concepts and practice,” Proc. of IWDW'03, vol. 2939, pp. 35-49, Springer, 2003.
[27] J. Fridrich, M. Goljan, and R. Du, “Reliable Detection of LSB Steganography in Grayscale and Color Images,” Proceedings of ACM, Special Session on Multimedia Security and Watermarking, Ottawa, Canada, Oct. 5, 2001, pp. 27-30.
[28] W. Lie and G. Lin, “A feature-based classification technique for blind image steganalysis,” IEEE Transactions on Multimedia, vol. 7, no. 6, Dec. 2005.
[29] R. Yadav, R. Saini, and G. Chawla, “A novel approach for image steganography in spatial domain using last two bits of pixel value,” International Journal of Security (IJS), vol. 5, no. 2, Oct. 2011, pp. 51–61.
[30] P-Y. Chen and H-J. Lin, “A DWT based approach for image steganography,” International Journal of Applied Science and Engineering, vol. 4, no. 3, 2006, pp. 275-290.
[31] E. E. Varsaki, V. E. Fotopoulos, and A. N. Skodras, “On the use of the Pascal transform in hiding data in images,” Optics, Photonics, and Digital Technologies for Multimedia Applications, edited by Peter Schelkens, Touradj Ebrahimi, Gabriel Cristóbal, Frédéric Truchetet, Pasi Saarikko, Proc. of SPIE Vol. 7723, 77230L, 2010 SPIE. Available at http://dsmc2.eap.gr/userdownloads/Varsaki%20Eleni/7723_20.pdf
[32] R. Brown, B. Pham, and O. de Vel, “Design of a Digital Forensics Image Mining System,” Queensland University of Technology and Defence Science and Technology Organization, Australia.
[33] G. C. Kessler, “An overview of steganography for computer forensics examiners,” Champlain College, Burlington
34] J. A. Redi, W. Taktak, and J-L. Dugelay, “Digital Image Forensics: a booklet for Beginners,” Multimedia Tools Appl, vol. 51, 2011, pp. 133-162. DOI: 10.1007/s11042-010-0620-1. Available at http://engweb.info/courses/ecfa/Reading/Digital%20image%20forensics%20a%20booklet%20for%20beginners.pdf
35] R. Poisel, “Forensics investigations of multimedia data: a review of the state-of-the-art,” 2011 Sixth International Conference on IT Security Incident Management and IT Forensics (IMF), 10-12 May, 2011, St. Polten, Austria, pp. 48-61. Available at http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=5931112&abstractAccess=no&userType=inst
36] A. Rocha, W. Scheirer, and T. Boult, “Vision of the unseen: current trends and challenges in digital image and video forensics,” ACM Computing Surveys, 2011. Available at http://www.ic.unicamp.br/~rocha/teaching/2011s2/mo447/docs/vision-of-the-unseen-rocha-et-al-copyright-protected.pdf
37] M. Kharrazi, H. T. Sencar, and N. Memon, “Benchmarking steganography and steganalysis,” EI SPIE: San Jose, CA, 2005.
38] A. D. Ker, “The ultimate steganalysis benchmark?,” MM&Sec ’07, September 20 – 21, 2007, Dallas, Texas, USA
39] T. Pevny and J. Fridrich, “Benchmarking for steganography,” Lecture Notes in Computer Science, vol. 5248/2008, Springer, 2008 pp. 251 – 267.
40] B. Li, J. He, J. Huang, and Y. Q. Shi, “A survey on image steganography and steganalysis,” Journal of Information hiding and multimedia Signal Processing, vol. 2, no. 2, April 2011, pp. 142-172. Available at http://bit.kuas.edu.tw/~jihmsp/2011/vol2/JIH-MSP-2011-03-005.pdf
41] R. Chandramouli and K. P. Subbalakshmi, “Current trends in steganalysis: a critical survey,” Stevens Institute of Technology, 2004. Available at http://www.ece.stevens-tech.edu/~mouli/iccarv.pdf
42] T. Sencar and N. Memon, “Overview of the state-of-the-art in digital image forensics,” WSPC – Proceedings, Sept. 25, 2007.
43] S. L. Garfinkel, “Digital forensics research: the next 10 years,” Digital Investigation Elsevier, vol. 7, Elsevier, 2010, pp. 64-73. Avaialble at http://www.dtic.mil/dtic/tr/fulltext/u2/a549288.pdf
44] M Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian, and J. Nazario, “Automated classification and analysis of Internet malware,” In C. Kruegel, R. Lippmann, and A. Clark (Eds.) RAID, 2007, LNCS 4637, pp. 178-197, 2007. Springer-Verlag Berlin Heidelberg, 2007.
45] U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda, “Scalable, behavior-based malware clustering.” Proceedings of the Network and Distributed System Security Symposium, 2009. Available at
46] M. Gheorghescu, “An automated virus classification system,” Proceedings of the Virus Bulletin Conference, VB, 1994. Available at
47] X. Hu, T. Chiueh, and K. G. Shin, “Large-scale malware indexing using function-call graphs,” Proceedings of 16th ACM Conference on Computer and Communications Security, 2009. Available at
48] T. Lee and J. J. Mody, “Behavioral classification,” 15th European Institute for Computer Antivirus Research (EICAR 2006) Annual Conference, 2006. Available at
49] R. Perdisci, W. Lee, and N. Feamster, “Behavioral clustering of http-based malware and signature generation using malicious network traces,” In: USENIX Symposium on Networked Systems Design and Implementation, NSDI, 2010.
50] K. Rieck, T. Holz, C. Willems, P. Dussel, and P. Laskov, “Learning and classification of malware behavior,” In D. Zamboni (Ed.) DIMVA 2008. LNCS, vol. 5137, 2008, pp. 108–125. Springer, Heidelberg. Available at
51] K. Rieck, P. Trinius, C. Willems, and T. Holz, “Automatic analysis of malware behavior using machine learning.” Technical Report 18-2009, Berlin Institute of Technology, 2009. Available at http://www.mlsec.org/malheur/docs/malheur-jcs.pdf
52] Y. Park, D. Reeves, V. Mulukutla, and B. Sundaravel, “Fast malware classification by automated behavioral graph matching,” CSIIRW’10, April 21-23, Oak Ridge, Tennessee, USA, 2010. Available at http://modusoperandi.csc.ncsu.edu/papers/graphmatch.pdf
53] A. Moser, C. Kruegel, and E. Kirda, “Exploring multiple execution paths for malware analysis,” Technical University Vienna. n.d. Available at http://iseclab.net/papers/explore.pdf
54] P. Li, L. Liu, D. Gao, and M. K. Reiter, “On challenges in evaluating malware clustering,” In S. Jha, R. Sommer, and C. Kreibich (Eds.): RAID 2010, LNCS 6307, pp. 238-255, 2010. Springer-Verlag Berlin Heidelberg 2010. Available at http://www.cs.unc.edu/~reiter/papers/2010/RAID.pdf
55] M. Tracy, W. Jansen, K. Scarfone, J. Butterfield, “Guidelines on electronic mail security,” National Institute of Standards and Technology, Special Publication 800-45 Version 2, Feb. 2007.
56] N. Ferguson and B. Schneier, “A cryptographic evaluation of IPSec,” Counterpane Internet Security, Inc., 2000. Available at http://ftp.csci.csusb.edu/ykarant/courses/f2007/csci530/papers/counterpane-ipsec.pdf
57] M. Bishop, “Privacy-enhanced electronic mail,” Technical Report PCS-TR91-150, Revision 3, 1991. Available at http://129.170.212.26/reports/TR91-150.pdf
58] M. Elkins, D. D. Torto, R. Levien, and T. Roessler, “MIME Security with OpenPGP,” RFC3156, 2001. Available at http://www.hjp.at/doc/rfc/rfc3156.html
59] J. Goodman, D. Heckerman, and R. Rounthwaite, “Stopping spam,” Scientific American, March 2005. Available at http://davidjf.free.fr/new/Xscientific%20american_%20stopping%20spam.pdf
60] W. Gansterer, M. Ilger, P. Lechner, R. Neumayer, and J. Straub, “Anti-spam methods – state-of-the-art,” March 2005, University of Vienna, Austria. Available at http://spam.ani.univie.ac.at/files/FA384018-1.pdf
61] A. Bratko, G. V. Cormack, B. Filipic, T. R. Lynam, and B. Zupan, “Spam filtering using statistical data compression models,“ Journal of Machine Learning Research, vol. 7, Dec. 2006, pp. 2673-2698. Available at http://www.icst.pku.edu.cn/course/Mining/11-12Spring/%E5%8F%82%E8%80%83%E6%96%87%E7%8C%AE/07-02%20Spam%20Filtering%20Using%20Statistical%20Data%20Compression%20Models.pdf
62] M Sahami, S. Dumais, D. Heckerman, and E. Horvitz, “A Bayesian approach to filtering junk email,” 2004, Stanford University and Microsoft Research. Available at http://www.searchforum.org.cn/dataflowgroup/Reading/2004Paper/SpamPaper/ContentandStatistical/A%20Bayesian%20Approach%20to%20Filtering%20Junk%20E-Mail.pdf
63] A. Kolcz and J. Alspector, “SVM based filtering of email spam with content-specific misclassification costs,” In Proceedings of the TextDM’01 Workshop on Text Mining, 2001 IEEE International Conference on Data Mining, 2001.
64] D. Sculley and G. M. Wachman, “Relaxed online SVM for spam filtering,” SIGIR’07, Amsterdam, The Netherlands, July 23-27, 2007, pp. 415-422. Available at http://axon.cs.byu.edu/Dan/778/papers/Active%20Learning/sculley1.pdf
65] S. J. Delany, P. Cunningham, A. Tsymbal, and L. Coyle, “A case-based technique for tracking concept drift in spam filtering,” Knowledge-based Systems, vol. 18, no. 4-5, Aug. 2005, pp. 187-195. DOI: 10.1016/j.knosys.2004.10.002. Available at http://arrow.dit.ie/cgi/viewcontent.cgi?article=1061&context=dmcart&sei-redir=1&referer=http%3A%2F%2Fscholar.google.com%2Fscholar%3Fq%3Dhow%2Bto%2Bcombat%2Bspam%26btnG%3D%26hl%3Den%26as_sdt%3D0%252C5#search=%22how%20combat%20spam%22
66] E. Blanzieri and A. Bryl, “A survey of learning-based techniques of email spam filtering,” Technical Report #DIT-06-056, 2008 (updated version), 2004, University of Trento, Italy. Available at http://eprints.biblio.unitn.it/1070/1/056.pdf
67] F. D. Garcia, J-H. Hoepman, and J. van Nieuwenhuizan, “Spam filter analysis,” University of Twente and University of Nijmegen, The Netherlands, 2004. Available at http://arxiv.org/pdf/cs/0402046.pdf
68] I. Androutsopoulos, G. Paliouras, and E. Michelakis, “Learning to filter unsolicited commercial e-mail,” NCSR “Demokritos” Technical Report, No. 2004/2, March 2004. Available at http://nlp.cs.aueb.gr/pubs/TR2004_updated.pdf
69] G. V. Cormack, “Email spam filtering: a systematic review,” Foundations and Trends in Information Retrieval, vol. 1, no. 4, 2006, pp. 335-455. DOI: 10.1561/1500000006.
70] L. von Ahn, M. Blum, N. J. Hopper, and J. Langford, “CAPTCHA: Using hard AI problems for security,” Carnegie Mellon University, 2003.
71] A. Biryukov, “Block ciphers and stream ciphers: the state of the art,” Katholieke Iniversiteit Leuven, Belgium, 2004. Available at http://eprint.iacr.org/2004/094.pdf
72] M. Dworkin, “Recommendation for block cipher modes of operation: methods and techniques,” National Institute of Standards and Technology (NIST) Special Publication 800-38A, 2001 Edition, 2001. Available at http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA400014
73] RSA Labs, “What are the most important attacks on symmetric block ciphers.” Available http://www.rsa.com/rsalabs/node.asp?id=2204
74] D. L. Cook, M. Yung, and A. D. Keromytis, “Methods for linear and differential cryptanalysis of elastic block ciphers,” Bell Labs USA, Google Inc. USA, and Columbia University NY USA, 2008. Available at http://www.cs.columbia.edu/~angelos/Papers/2008/ebc-cryptanalysis.pdf
75] C. Clavier, “Passive and active combined attacks on AES: combining fault attacks and side channel attacks,” Universite de Limoges, France.
76] I. Dinur and A. Shamir, “Side channel cube attacks on block ciphers,” The Weizmann Institute, 2009. Available at http://eprint.iacr.org/2009/127.pdf
77] B. Y. Ryabko, V. A. Monarev, and Y. I. Shokin, “A new type of attack on block ciphers,” Problems of Information Transmission, vol. 41, no. 4, 2005, pp. 385-394. Available at http://boris.ryabko.net/ppi-e-05.pdf
78] J. Lu, “Cryptanalysis of block ciphers,” Technical Report RHUL-MA-2008-19, 30 July 2008. PhD Thesis. Royal Holloway University, 2008. Available at http://www.ma.rhul.ac.uk/static/techrep/2008/RHUL-MA-2008-19.pdf
79] D. Khovratovich, “Methods of symmetric cryptanalysis,” Microsoft Research Redmond, USA, July 2011.
80] S. Wu and M. Wang, “Security evaluation against differential cryptanalysis for block cipher structures,” Chinese Academy of Sciences Beijing China. 2011. Available at http://eprint.iacr.org/2011/551.pdf
81] Y. Nawaz, “Cryptanalysis of block ciphers: a survey,” Communications Security Lab, Univerisity of Waterloo, April 2004. Available at http://www.comsec.uwaterloo.ca/~ynawaz/pub/crypt_survey.pdf
82] D. Khovratovich, “Open prolems in symmetric cryptanalysis,” Microsoft Research Redmond, USA, Aug. 2010. Available at http://research.microsoft.com/en-us/people/dkhovrat/open.pdf
83] P. Wegner, “RSA public key cryptography,” Book Chapter, Cryptanalytic Attacks on RSA, Springer: Yan, 2008. ISBN: 978-0-387-48741-0. Available at http://www.springer.com/978-0-387-48741-0.
84] P. Q. Nguyen, “Public key cryptanalysis,” Recent Trends in Cryptography, In I. Luengo (Ed.), Contemporary Mathematics series, AMS-RSME, 2008. Available at ftp://ftp.di.ens.fr/pub/users/pnguyen/Santander.pdf
85] P. C. Kocher, “Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems,” Dec. 1995, Stanford, USA. Available at http://www.cryptography.com/public/pdf/TimingAttacks.pdf
86] B. de Weger, “Cryptanalysis of RSA with small prime difference,” Applicable Algebra in Engineering, Communication, and Computing (AAECC), vol. 13, 2002, pp. 17-28. Available at http://deweger.xs4all.nl/papers/%5B33%5DdW-SmlPrDif-AAECC%5B2002%5D.pdf
87] C. F. Cid, “Cryptanalysis of RSA: a survey,” SANS Institute, 2003. Available at http://www.sans.org/reading_room/whitepapers/vpns/cryptanalysis-rsa-survey_1006
88] S. Wang, Z. Cao, M. A. Strangio, and L. Wang, “Cryptanalysis and improvement of an Elliptic Curve Diffie-Hellman key agreement protocol,” IEEE Communications Letters, Dec. 2007. Available at http://eprint.iacr.org/2007/026.pdf
89] D. Brumley and D. Boneh, “Remote timing attacks are practical,” Stanford University, USA. n.d. Available at http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
90] B. B. Brumley and N. Tuveri, “Remote timing attacks are still practical,” Alto University School of Science, Finland. N.d. Available at http://eprint.iacr.org/2011/232.pdf
91] N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, vol. 48, no. 177, Jan. 1987, pp. 203-209. Available at http://www.ams.org/journals/mcom/1987-48-177/S0025-5718-1987-0866109-5/S0025-5718-1987-0866109-5.pdf
92] V. Gupta, S. Gupta, and S. Chang, “Performance analysis of Elliptic Curve Cryptography for SSL,” WiSe’02, Sept. 28, 2002, Atlanta, Georgia, USA.
93] S. Turner, D. Brown, K. Yiu, and R. Hously, “Elliptic curve cryptography subject public key information,” July 2007.
94] D. Brown, “Additional algorithms and identifiers for use of elliptic curve cryptography with PKIX,” Oct. 2006
95] SEC 1, “Elliptic Curve Cryptography, version 2,” Standards for Efficient Cryptography Group. Certicom, Canada, 2009. Available at http://www.secg.org/collateral/sec1.pdf.