Fight The Good Fight ... Online By Geoffrey Maslen
Monday, June 20, 2011 at 12:00PM
THE INVASION can take different forms: a simple email that appears to come from the customer's bank, or a piece of computer code that arrives via a web browser, as spam, or on a CD you innocently load into your computer. By whatever means it sneaks in, the malicious software invader is usually out to steal your identity and your money.

Malware, as it is known in the trade, covers several types of hostile code: viruses, worms, trojan horses, spyware and crimeware. It is more sophisticated than bogus messages from the wife of a now-deceased Nigerian general who has US$10 billion and wants your help - and your bank details - to dispose of it.

Large criminal organisations, akin to the mafia with their worldwide network of operatives, are operating out of Russia and other former Soviet Union countries, as well as from China and South America. The groups use malicious software to steal from individuals or financial institutions, and the annual cost to the global computer-using community runs into hundreds of billions of dollars. In Australia, the loss to cyber crime is estimated to be as much as $4 billion a year. Worse still, experts believe criminal gangs may now be producing new malware faster than legitimate software is being written.

Fortunately for Australians, teams of researchers at Deakin University in Melbourne and the University of Ballarat in regional Victoria are devising novel ways of countering the cyber attacks.

At Ballarat University, Associate Professor Paul Watters describes a classic example of cyber theft called 'phishing', in which criminals use a 'bait' to steal a person's identity - and their money. The message typically arrives as an email that appears to be genuinely from the customer's bank, with a warning: "Your account has been temporarily suspended".
The email explains that to regain access to the account, the customer must update the billing information by following a link and filling in the required details. The message seems official and the language bureaucratic, but there is a sense of urgency that demands immediate action.

Watters says phishing is a serious problem because it enables criminals to use social engineering to steal money. People who respond to emails pretending to be from a bank, a lottery or even the Tax Office are redirected to a fake website that looks authentic. If they then provide their name, account details and password, the criminals can log into the person's account and withdraw money. The banks respond as soon as a customer reports this and will track down the fake site and have it shut down; but this can take days, and by then the customer can have his or her identity stolen along with their money.

As the term implies, phishing refers to the baits cyber criminals use to 'catch' financial information and passwords. It is one form of credit card fraud, which Watters says costs Australians and the financial institutions about $100 million a year. The banks or credit unions have to reimburse customers for money stolen this way, and such attacks have the potential to cause huge losses if the criminals are widely successful. For customers, having their money stolen is like having their house burgled: "They feel their privacy has been invaded and it can be a nightmare."

Watters is director of a unique research centre at Ballarat called the Internet Commerce Security Laboratory. This is an unusual joint venture between the university, Westpac Bank, IBM Australia and the Victorian government. With a staff of 34 academics and IT experts, the centre was set up two years ago to fight financial cyber crime. The researchers are like detectives confronted with a serial killer: they profile the activities of criminal groups and try to identify who they are.
The aim, of course, is not just to catch the offenders - who might be on the other side of the world - but to develop technologies to protect consumers and businesses, allowing them to use internet commerce with confidence.

Meanwhile, Deakin University mathematician Professor Lynn Batten heads a team of two dozen researchers in Melbourne at the university's Information Security Group. For the past five years, Batten and her researchers have been working in information security management, data management and individual privacy, internet security and privacy, and digital forensics and the law. Although the two groups at Deakin and Ballarat work in different ways and on different aspects of malware, they keep in contact and discuss each other's findings.

Batten says malware has traditionally been identified by software security companies through a manual forensic approach in which their staff studied individual pieces of malicious software, analysing each one and deciding whether the code had been seen before. But this takes a great deal of time and expertise, and keeping up with the ever-increasing number of new malware threats is a major challenge, she says. As with phishing, such malware remains dangerous until the banks and financial institutions, or the security software companies, identify it and develop a response; by then the damage and possible theft has already occurred.

Working with the international security software company CA Inc, the Deakin researchers are developing an automated process for classifying malicious software that could markedly reduce the time taken to identify computer viruses and other internet threats. With further research and development, Batten says, it will soon be possible to have a computer program that identifies new malware as it arrives, more quickly and effectively than is possible today, and then isolates it so it can cause no harm.
"Our research group has had contacts with internet security companies and the state government since 2005 and we had been talking for some time with them about opportunities to improve information security," she says. "We wanted to make people aware of the work that was being done and how cyber security could protect their businesses."

The Deakin team developed a relationship with staff at CA Inc over several years and Batten says this resulted in mutual understanding and trust. From the long-term association arose the idea of putting together a joint project and seeking international support.

"Malicious software was a major focus of CA at the time and it was clear they needed assistance in moving from a process that was slow and manual to one that could be automated," Batten says. "They saw an advantage in us helping them because of our expertise in using algorithms and the techniques we had that might automate their procedures."

In mathematics, an algorithm is a way of solving a problem "expressed as a finite sequence of instructions", as Wikipedia describes it. Algorithms are used in data processing and other fields of computer science, and the Deakin researchers were able to apply them to considerable effect.

CA gave the researchers access to its 'malware zoo', a secure database of active malicious code the company had collected over several years and stored so that it could not escape "into the wild", as Batten says. Tapping into the zoo gave the researchers their own database to analyse, and to apply their algorithms and techniques to, in order to develop an automated process of detection.

A key problem facing any researcher investigating malware is that much of it is the same as, or a variant of, some previous code. But because malware is routinely packed, encrypted or otherwise rewritten so that each copy has a different outward appearance, two samples of the same program can look entirely different from the outside.
The CA analysts - and those in other security companies - must then try to quickly identify two pieces of code that look different but are in fact the same program. Under the Deakin plan, the goal was to automatically strip malware of its protective layers of disguise, break down its component parts into common classifications and use that information to generate an automatic warning response.

"We were able to use our techniques to try to figure out in a general way how each piece of code worked but also how each piece related to the others," Batten says. "We were looking for families: a lot of malware operates in the same way and while it may look different from the outside, when you study its internal operations it is actually working the same way as other pieces.

"Our job was to try to see if we could classify and identify families and do this quickly. We hoped the major outcome would be a system on your machine, part of your anti-virus program, that would immediately detect whether or not software trying to access your computer was malicious."

The system devised by the Deakin researchers uses what is known about existing malware to classify new threats automatically. Preliminary results have shown the system can do this with up to 98 per cent accuracy, so automating the classification process could result in new malware being identified and responded to significantly faster than is currently possible.

Their work is being brought to the product stage by an Indian-based company, HDL Technology, which established a partnership with CA in 2007 to take over its research and development product division concerned with threat management security. Batten's team is working with HDL to introduce a new anti-malware program. Although the research arose from collaboration with CA, she says the findings have been published and all the information is freely accessible to any organisation that might want to use it.
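The strip-the-disguise-then-compare idea described above, as an added example that is neither the Deakin team's code nor CA's. A toy XOR "packer" stands in for the real packers and crypters that give copies of one program different outward appearances, byte n-grams of the unpacked content stand in for the richer internal features the researchers extract, and the sample "API-call traces" and sample names are constructed for the example. It shows why hashing and raw-byte comparison see four unrelated files, while comparing internals after unpacking finds the two families.

```python
"""Toy malware-family clustering: strip the packer, then compare internals.

The XOR "packer" stands in for real packers and crypters; byte n-gram
similarity stands in for the internal features a real system would extract.
"""
import hashlib
from itertools import combinations


def xor_pack(payload, key):
    """Toy packer: a one-byte key followed by the payload XOR'd with it."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample):
    """Strip the toy packer's disguise and recover the original payload."""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])


def ngrams(data, n=4):
    """Set of byte n-grams: the feature standing in for a sample's internals."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 1.0


def cluster(samples, feature, threshold=0.5):
    """Single-link clustering: samples whose feature sets overlap above the
    threshold land in the same family. Returns the families sorted by name."""
    names = sorted(samples)
    parent = {n: n for n in names}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    feats = {n: feature(samples[n]) for n in names}
    for a, b in combinations(names, 2):
        if jaccard(feats[a], feats[b]) >= threshold:
            parent[find(a)] = find(b)
    families = {}
    for n in names:
        families.setdefault(find(n), set()).add(n)
    return sorted(families.values(), key=sorted)


def distinct_digests(samples):
    """Hash-based identification sees every repacked copy as something new."""
    return {hashlib.sha256(s).hexdigest() for s in samples.values()}


# Constructed stand-ins for two families' internal behaviour (API-call traces);
# illustrative only, not real samples.
KEYLOGGER = b"SetWindowsHookEx GetAsyncKeyState GetForegroundWindow InternetOpen HttpSendRequest"
KEYLOGGER_V2 = KEYLOGGER + b" Sleep"  # a minor variant of the same family
INJECTOR = b"OpenProcess VirtualAllocEx WriteProcessMemory CreateRemoteThread"

SAMPLES = {
    "sample-a1": xor_pack(KEYLOGGER, 0x5A),
    "sample-a2": xor_pack(KEYLOGGER_V2, 0xC3),
    "sample-b1": xor_pack(INJECTOR, 0x3E),
    "sample-b2": xor_pack(INJECTOR, 0x91),
}

if __name__ == "__main__":
    print("distinct hashes:", len(distinct_digests(SAMPLES)))
    print("families on packed bytes:", cluster(SAMPLES, ngrams))
    print("families after unpacking:", cluster(SAMPLES, lambda s: ngrams(unpack(s))))
```

Run stand-alone, the script reports four distinct hashes and four singleton "families" on the packed bytes, but two families once the disguise is removed; the variant with an extra call still lands with its relatives because most of its internal n-grams are unchanged.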
"When I go to an international conference and explain how we are trying to stop malicious software writers from getting into a computer system, I know some of the writers are actually in the audience or reading the conference papers," she says. "This is a real challenge because once you publish your findings, the people you want to prevent producing malware will try to work around it. That is why we try to look for features that complement each other but are not totally aligned, so if someone changes an aspect of the malware it would not stop us detecting it because they haven't changed other features."

Back at Ballarat University, Watters' cyber detectives are working along the same lines. The group is divided between academics with expertise in areas such as data mining, psychology and IT, and groups of research fellows who work on specific projects, with postgraduate students involved in some aspect of the overall program.

"We do a lot of data analysis and that requires people who can write software and understand statistics, which is a large part of what we do," Watters says. "But essentially we are looking at profiling individuals and groups so the psychology aspect is also important. My own background is in psychology and IT."

Speaking about IBM's involvement and commitment to the venture at the opening of the laboratory in 2008, Peter Campbell, general manager of IBM Australia's Global Technology Services, said: "We expect the [laboratory] will play a key role in building the 'connective tissue' needed to enable greater collaboration, both vertically between individuals and organisations and also horizontally among organisations and lead to innovative solutions to combat organised - and random - cyber criminal activities."

Watters took up the directorship at the laboratory after working at University College, London.
Formerly an associate professor in IT at Macquarie University in Sydney, he has also worked for research organisations in Australia, including CSIRO.

"The laboratory is set up quite differently to that of most university research laboratories and the way we go about our work is also different to traditional academic research," he says. "Ours is a four-way partnership structure, rather like the cooperative research centres, in that we have an end user, Westpac, and an enabling partner, IBM, which provides consulting services and solution provisions to large corporations."

Phishing is a key focus of one group of researchers at the laboratory, and the aim is to achieve the same outcome as their counterparts at Deakin. Watters says the team is working to devise a tool that will automatically classify messages arriving in an inbox as phishing or not.

"Some email applications offer this service but they rely on a blacklist and on people reporting an email as a phishing expedition," he says. "But customers might respond to a message that has not been blacklisted, so we want a system that automatically classifies in real time anything that looks suspicious and advises the person receiving the email not to open the link."

One of the big challenges facing phishing investigators is that the criminals change their tactics: if the Ballarat team finds a particular structure in a phishing email, or a bank responds and updates its blacklist, the criminals react by changing the way they operate. As at Deakin, the Ballarat team searches for elements of a phishing email that do not change over time. Watters says this is "a fairly large part of our work although I wouldn't want to say too much about that for fear of alerting the criminals!" The researchers do, however, study various types of authorship analysis: how criminals write their code, or the way they write the code that generates their emails.
They try to identify these kinds of signatures while also tracking individual emails; the goal is to stay one step ahead by gathering more intelligence about the people writing the emails than about the mail itself.

As well as investigating phishing, a significant aspect of the research undertaken at the Ballarat laboratory is "data mining" of the millions of phishing emails that have been collected and stored in a large database at the university. Experts in statistics identify the characteristics of how an email is written, then pass this to a group of analysts who match the information against the known groups they are tracking.

"We focus on the main issues in cyber crime: phishing and profiling, malware viruses and botnets, and identity theft and recovery," Watters says. "The latter is a big problem because it relates to fraud and requires forensic analysis - not the CSI sort of stuff you see on television but forensic analysis of hard disk drives and image forensics as it relates to biometric authentication and identification."

He says the innovative discoveries being made in Victoria offer a great opportunity for Australia to develop technology that could be exported and licensed to other countries. One advantage of being a smaller country than, say, the US, he says, is that the number of people dealing with this type of problem is also smaller, so they tend to get along well and cooperate more easily than they otherwise might.
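A real-time classifier of the kind Watters describes, as an added example that is not the laboratory's tool. It scores a raw message on several independent indicators (urgency wording, a request for credentials, a sender domain that does not belong to the named bank, links that leave the bank's domains, links to a bare IP address) and flags the message when two or more fire, rather than waiting for the URL to reach a blacklist. The protected brand, its domains, the phrase lists and the three sample messages are constructed for the example. It also illustrates Batten's point about complementary features: the second lure drops the suspension wording and the "update your details" request that the first one used, and is still caught by the infrastructure indicators, which the criminals cannot change without sending from the bank's own domains.

```python
"""Feature-based phishing classifier over raw e-mail messages.

Each indicator is computed independently, so an attacker who rewrites one
signal (for example the urgency wording) still trips the others.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical protected brand and the domains it legitimately mails from.
# Assumption for this example; a deployed tool would load these from config.
PROTECTED_BRANDS = {"examplebank": {"examplebank.com.au"}}

URGENCY = re.compile(
    r"(temporarily suspended|within 24 hours|immediate(ly)? action|"
    r"will be (locked|suspended|closed)|urgent)", re.I)
CREDENTIALS = re.compile(
    r"(update|confirm|verify|validate) (your|the) "
    r"(billing|account|password|login|details|information)", re.I)
HREF = re.compile(r'<a\s[^>]*href="([^"]+)"', re.I)
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
THRESHOLD = 2  # indicators that must fire before a message is flagged


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def _body_text(msg):
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def phishing_features(raw):
    """Return a dict of independent indicators; each is True when it fires."""
    msg = email.message_from_string(raw)
    sender = msg.get("From", "")
    subject = msg.get("Subject", "")
    text = _body_text(msg)
    everything = f"{sender} {subject} {text}".lower()
    brand = next((b for b in PROTECTED_BRANDS if b in everything), None)
    legit = PROTECTED_BRANDS.get(brand, set())

    sender_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    link_hosts = [(urlparse(h).hostname or "").lower() for h in HREF.findall(text)]

    return {
        # Wording signals: cheap for the criminals to rewrite.
        "urgency": bool(URGENCY.search(subject + " " + text)),
        "credential_request": bool(CREDENTIALS.search(text)),
        # Infrastructure signals: not fixable without the bank's real domains.
        "sender_spoof": brand is not None and not _in_domains(sender_domain, legit),
        "off_brand_link": brand is not None
        and any(not _in_domains(h, legit) for h in link_hosts),
        "raw_ip_link": any(IPV4_HOST.match(h) is not None for h in link_hosts),
    }


def classify(raw):
    """Return (verdict, score, features); verdict is 'phishing' or 'ok'."""
    feats = phishing_features(raw)
    score = sum(feats.values())
    return ("phishing" if score >= THRESHOLD else "ok"), score, feats


# Constructed sample messages for this example; not real traffic.
SUSPENSION_LURE = """\
From: "ExampleBank Security" <alerts@examplebank-secure.net>
Subject: Your account has been temporarily suspended
Content-Type: text/html

<p>To regain access you must update the billing information by following the
link below. Immediate action is required.</p>
<a href="http://examplebank-secure.net/login">https://www.examplebank.com.au/login</a>
"""

REWORDED_LURE = """\
From: "ExampleBank Customer Care" <care@examplebank.com.au.customer-portal.org>
Subject: A note about your online banking
Content-Type: text/html

<p>We have refreshed online banking. Please sign in through the portal below
at your convenience.</p>
<a href="http://203.0.113.10/portal">Online banking</a>
"""

LEGIT_STATEMENT = """\
From: "ExampleBank" <news@examplebank.com.au>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available in online banking.</p>
<a href="https://www.examplebank.com.au/statements">View statement</a>
"""

if __name__ == "__main__":
    for name, raw in [("suspension lure", SUSPENSION_LURE),
                      ("reworded lure", REWORDED_LURE),
                      ("legitimate statement", LEGIT_STATEMENT)]:
        verdict, score, feats = classify(raw)
        print(f"{name:22} {verdict:9} score={score} fired={[k for k, v in feats.items() if v]}")
```

The first lure trips all four non-IP indicators; the reworded one trips none of the wording checks yet still scores three on sender domain, off-brand link and bare-IP link; the genuine statement, sent from and linking to the bank's own domain, scores zero. In practice the wording lists need curating against a corpus like the laboratory's, and the domain checks should be fed by the bank itself.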
Backed by some of the big banks, the computer giant IBM, the international computer security company CA Inc and the Victorian government, the two groups of researchers are taking different approaches but with the same aim: to protect you and your computer from hackers and online criminals.