Computing Research Education Best Paper Award

11 Feb 2014 - 09:48:18 in Achievement

PhD Candidate Masood Mansoori's paper "YALIH, Yet Another Low Interaction Honeyclient" was awarded the 2014 Computing Research & Education Best Paper for best graduate paper presented at the annual Australasian Information Security Conference (ACSW-AISC). His supervisors and co-authors are Dr Ian Welch and Dr Qiang Fu from the School of Engineering and Computer Science.

The paper describes an improved method for detecting web sites infected with a drive-by-download exploit. This type of exploit allows a hacker to deliver a computer virus to a victim's computer simply by luring the victim to the web site, for example by embedding the URL in an email sent to the victim. Existing methods for detection, called low interaction honeyclients, suffer from high rates of missed infections (false negatives). Low interaction honeyclients emulate sufficient functionality of a real web browser to allow web site executable content to be retrieved and searched for patterns known to be associated with drive-by-download exploits. Unfortunately, hackers have responded to the development of this technique by creating code obfuscation tools that randomly rewrite exploit code on-the-fly so it doesn't match known signatures.

Masood's main contribution described in this paper is to reduce the missed infection rate by implementing de-obfuscation techniques within a low interaction honeyclient. Code de-obfuscation attempts to transform multiple reordered versions of the same exploit into a single canonical version allowing more reliable matching against known drive-by-download exploit signatures. He has implemented this idea as an opensource tool called YALIH (Yet Another Low Interaction Honeyclient) and shown that YALIH achieves a significantly lower missed infection rate compared to other well-known low interaction honeyclients (Monkey-Spider, HoneyC, SpyBye and Thug).
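To make the de-obfuscation idea concrete, here is an added example (not YALIH's code, and not from the paper) of a toy canonicalizer: it strips comments, decodes `\xNN` escapes, folds `String.fromCharCode` calls and split strings, inlines constant variables and normalises `window["x"]["y"]` member access, then runs plain substring signatures over the result. The signatures, the two sample scripts and the set of tricks handled are all constructed for this illustration; the point is that the same hidden-iframe injection matches no signature in its rewritten form and matches every signature once canonicalized.

```python
import re

# Added example, not YALIH's code: a toy canonicalizer for the de-obfuscation
# step described above. It handles double-quoted JavaScript strings and a few
# common rewriting tricks, then runs substring signatures over the canonical form.

STR = r'"(?:\\.|[^"\\])*"'   # one double-quoted JS string literal, escapes included

# Constructed signatures and samples; the page describes none of its own.
SIGNATURES = ['document.write("<iframe', 'width=0 height=0']
PLAIN = "document.write(\"<iframe src='http://example.invalid/' width=0 height=0></iframe>\");"
OBFUSCATED = r'''
var a = "doc" + "ume" + "nt";                        // split string
var b = String.fromCharCode(119,114,105,116,101);   // "write"
/* filler */ window[a][b]("<if" + "ra" + "me src=\x27http://example.invalid/\x27 " +
  "wid" + "th=0 hei" + "ght=0></iframe>");
'''

def rewrite(src, pattern, repl):
    """re.sub(pattern, repl) applied only to matches that start outside a string
    literal. The alternation consumes every literal whole, so no pass can misread
    a closing quote as an opening one."""
    rx = re.compile('(?P<hit>%s)|%s' % (pattern, STR), re.S)
    return rx.sub(lambda m: re.sub(pattern, repl, m.group('hit'), flags=re.S)
                  if m.group('hit') is not None else m.group(0), src)

def inside_strings(src, fn):
    """Apply fn to the text of every string literal, leaving code untouched."""
    return re.sub(STR, lambda m: fn(m.group(0)), src)

def decode_escapes(lit):
    """Turn \\xNN and \\uNNNN escapes into the characters they denote (re-escaping quote and backslash)."""
    def ch(m):
        c = chr(int(m.group(1) or m.group(2), 16))
        return '\\' + c if c in '"\\' else c
    return re.sub(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})', ch, lit)

def fold_charcodes(src):
    """String.fromCharCode(119,114,...) with constant arguments -> a string literal."""
    def lit(m):
        s = ''.join(chr(int(n)) for n in re.split(r'\s*,\s*', m.group(1).strip()) if n)
        return '"%s"' % s.replace('\\', '\\\\').replace('"', '\\"')
    return rewrite(src, r'String\s*\.\s*fromCharCode\s*\(\s*([0-9\s,]+)\)', lit)

def fold_concat(src):
    """Join "ab" + "cd" into "abcd", repeated until no adjacent literals remain."""
    pair = r'"((?:\\.|[^"\\])*)"\s*\+\s*"((?:\\.|[^"\\])*)"'
    while True:
        new = rewrite(src, pair, r'"\1\2"')
        if new == src:
            return src
        src = new

def propagate_constants(src):
    """var x = "lit"; ... x ... -> inline the literal (naive: no scoping, no reassignment)."""
    consts = {}
    def grab(m):
        consts[m.group(1)] = m.group(2)
        return ' '
    src = rewrite(src, r'var\s+(\w+)\s*=\s*(%s)\s*;' % STR, grab)
    for name, lit in consts.items():
        src = rewrite(src, r'\b%s\b' % re.escape(name), lambda m, lit=lit: lit)
    return src

def canonicalize(src):
    """Reduce a script to the form the signatures were written against."""
    src = rewrite(src, r'/\*.*?\*/|//[^\n]*', ' ')         # comments
    src = inside_strings(src, decode_escapes)             # \x27 -> '
    src = fold_charcodes(src)                             # fromCharCode -> literal
    src = fold_concat(propagate_constants(fold_concat(src)))
    src = rewrite(src, r'\["(\w+)"\]', r'.\1')             # obj["p"] -> obj.p
    src = rewrite(src, r'\bwindow\.', '')                 # window.document -> document
    src = rewrite(src, r'\s+', ' ')                       # collapse whitespace
    src = rewrite(src, r'\s*([\[\]().;=+,{}])\s*', r'\1')  # no spaces around punctuation
    return src.strip()

def matches(src, canonical=True):
    """Signatures found in the raw or the canonical text, in SIGNATURES order."""
    text = canonicalize(src) if canonical else src
    return [s for s in SIGNATURES if s in text]

if __name__ == '__main__':
    print('raw plain      :', matches(PLAIN, canonical=False))
    print('raw obfuscated :', matches(OBFUSCATED, canonical=False))
    print('canonicalized  :', matches(OBFUSCATED), '->', canonicalize(OBFUSCATED))
```

Each pass is a rewrite that a real honeyclient would need to apply far more generally (single-quoted strings, `eval` of built strings, scoped variables, arithmetic on character codes); what stays constant is the design: normalise first, match second, and measure the false-negative rate on samples whose infection status is already known.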
