Papers by Justin David Pineda

A Security Information Event Management (SIEM) System accepts packet logs from different network devices, analyzes the logs, groups and summarizes events according to their patterns, and afterwards gives reports and recommendations that can be warnings, notices or alarms. [3] The process involves log collection, log normalization, log consolidation, event action and documentation. In a typical Local Area Network (LAN), the logs collected from different network devices (i.e. device type and identification) come in different formats, making them difficult to consolidate. However, Request for Comments (RFC) 3164 has mandated that all devices should have a logging system, popularly known as Syslog, with the fields date/time, IP address, facility, severity and message. Syslog could have resolved the conflicts regarding the commonalities of different logs, yet the vendors of these proprietary network devices modified the message field of the Syslog and created their own proprietary features in their logging systems. A Log Normalizer is responsible for transforming logs into a standardized format that the software can easily understand, and it stores them in the Normalized Log Database afterwards. The Log Normalizer uses dynamic loading as an answer to compatibility issues with other and future network devices. The concept inherits the existing necessary attributes from a super class (i.e. Syslog) and creates new subclasses for a particular device with the attributes needed to standardize its own logs, without recompiling the whole system. With the emergence of the Log Normalizer, a standardized log format is created by the SIEM that helps in log consolidation, event action and documentation. The normalization of a proprietary router, firewall, personal computer, laptop and an IDS with different Syslog formats became uniform and more organized after the log normalization process seen in the experiment.

The Onion Router (TOR) is a free anonymizer software available on the Internet. It uses a chain of proxy servers around the world, called nodes, that accept small pieces of data to be sent over the Internet. Tracing the content sent through TOR is challenging because it uses encrypted protocols such as HTTPS. Filtering whether information sent to TOR is legal or not therefore becomes a problem. The Proactive Response and Detection for TOR (PReDTOR) is an adaptable security tool that can detect outbound TOR traffic in a Local Area Network (LAN) environment using signature- and heuristic-based mechanisms. It also contains an incident response and reporting feature whereby a TOR connection can be closed and the offending IP address blocked for investigation. Businesses can use PReDTOR to complement and integrate with the functions of the firewall and the Intrusion Detection System (IDS) to monitor their network.

2nd International Research Conference on Emerging Information Technology Trends in Asia and the Pacific 2018, 2018
Online harassment is rampant, especially in the Philippines. The researchers of this paper developed a Harassment Exposure Model (HEM) and a heuristic formula that can determine the probability of someone getting harassed if a Facebook user joins a Facebook page. The HEM requires the use of data mining techniques such as classification and clustering. It also depends on Natural Language Processing, specifically Sentiment Analysis. The HEM can be used by the government to help detect unreported cases of online harassment. Facebook could also adopt the model to discourage users from joining a Facebook page if it has a high Harassment Exposure value. At the same time, it would encourage Facebook page moderators to strictly implement rules and regulations related to online harassment.

Proceedings of the 15th National Conference on IT Education (NCITE 2017), 2017
Tree Correlation is a type of log correlation that minimizes logs, predicts the next possible attack and recommends a possible solution to be applied by a network administrator. Using Tree Correlation as a basis for detecting and alerting on attacks as well as predicting the next possible attack, a solution is found to mitigate incoming attacks. The objective of this study is to improve the solution provider part of the current Tree Correlation technique by introducing a new algorithm that handles and ranks the solutions to provide the best possible solution for network-based attacks. The new algorithm ranks each solution using a criterion based on factors specified in the study. The expected result of this study is to show the efficiency, reliability and accuracy of the new solution algorithm compared with the old solution provider of the Tree Correlation technique. The benefits of this improvement to Tree Correlation are that it significantly decreases the logs, prevents upcoming network-based attacks, and optimizes itself to find the best possible solution. The new algorithm ranks and sorts the solutions depending on factors stated by the researchers. Tests have been executed to demonstrate how the new algorithm produces a solution based on the type of attack.

Proceedings of the 15th National Conference on IT Education (NCITE 2017), 2017
One of the major problems that most people are facing right now is the existence of system vulnerabilities, which affect the efficiency and accessibility of the systems used by millions of industries. With most organizations today depending on a substantial number of computers and devices, managing a complex network system can be demanding in terms of human effort and cost. Given the sensitive data that networks give access to, networks are one of the most targeted public faces of an organization. In this paper, the researchers present Penta.py, an agent-based network model that incorporates a self-healing mechanism to allow the network to remediate itself once vulnerabilities are detected. The network model follows a sequence of security controls, which are technical countermeasures implemented to minimize and mitigate damage resulting from network vulnerabilities. The study focuses only on one of the most common network security vulnerabilities, namely missing patches. A missing patch on a server can permit an unauthenticated command prompt or other backdoor path into the web environment, which allows an attacker or a rogue insider to easily penetrate the system. A prototype focused on the corrective phase of the approach is developed to show the effectiveness and scalability of the model. By defining all supported platforms along with their vulnerabilities, the issues found in the network are automatically resolved, thus exhibiting a self-healing attribute for the network.

Early malicious software (malware) was released to annoy, harm and damage end devices, particularly consumer computers. When intruders realized that more sinister attacks were possible, they introduced more sophisticated and stealthy malware that can reside in the victim's computer for a long time. Today, intruders have found a new reason to launch this malware: to make a profit through attacks called ransomware. Ransomware is malicious software that encrypts the victim's entire computer, making it unusable. The victim has to pay the ransom to decrypt his/her files. According to Symantec's 2016 Security Report, 100,000 computers worldwide are victimized by ransomware monthly (Symantec, 2016). This paper discusses the technical and non-technical security aspects of ransomware. It also showcases proof-of-concept features of ransomware through test simulations and an actual implementation from code to execution. Lastly, the paper provides best practices to help prevent, detect and respond to ransomware attacks.

The implementation of a Security Incident Event Management (SIEM) system in the IT infrastructure is the direction enterprise networks are taking for monitoring malicious and anomalous traffic in Security Operation Centers (SOC). Log management is the main challenge of SIEM solutions due to the voluminous amount of data collected daily from different types of devices. Another challenge is the classification of true alerts by analyzing the logs collected. Project Coordinate (Correlation of Relevant Data in Network Access Technologies) explores different correlation techniques that identify patterns based on specific components in the logs. The researchers also present Tree Correlation, a newly created correlation technique that can aid in determining potential attacks by analyzing a series of logs based on header, content and behavior. The system is tested in an isolated network environment where different attacks are executed to compare how the different correlation techniques summarize the logs.

Data corruption is a crucial issue for all computer users, especially those in academia, industry and government. For business-critical and mission-critical documents, proprietary data recovery applications are available at significant monetary cost and with increased processing overhead. Hydra Data Protection (HDP) is a working prototype that provides real-time, seamless and mobile capabilities that allow users to run backups in the background while maintaining normal computing behavior. Successful tests have been conducted to prove the efficiency and accuracy of HDP through various test scenarios using a Universal Serial Bus (USB) flash drive and a computer.

Security Information and Event Management (SIEM) enhances the security management of an organization by storing and analyzing logs coming from different network devices and giving recommendations that can be warnings, notices or alarms. Companies are beginning to invest in SIEM to protect their data and to help network or system administrators monitor the state of their workplace. Many SIEM products focus on security tools and lack log consolidation and incident management solutions. The Adaptable Software-based Log Consolidation and Incident Management (AdLCIM) system is a type of SIEM that works on a typical Local Area Network (LAN) where various network devices report their status to the system. The system collects different logs coming from different, identified network devices. It also standardizes logs into its own format and consolidates and correlates patterns through its inventories. All resolvable attack logs are event sniped, while non-resolvable logs are flagged as alerts. The system handles different scenarios with different devices, and test results confirmed successful log analysis. The system is also capable of running for long durations to verify that it can analyze all the logs coming from the different, identified network devices. Overall, the system produced correct and accurate results in log analysis from different network devices under different scenarios.

Facebook (FB) is one of the most popular social networking sites in the world. According to Zephoria, there were approximately 1.71 billion FB users worldwide as of July 2016, and 4.75 billion pieces of content are shared daily, including status posts, notes, images, videos, etc. [1] From a business perspective, FB remains (and will remain) free because it continues to profit from ads on its website. This paper aims to investigate how FB utilizes its collection of big data to draw competitive intelligence that helps it earn a lot of money while still producing free, quality services. It also discusses the techniques, methodologies and technologies FB uses that continuously make it one of the richest and most successful companies worldwide.

Mobile malware is an underrated yet prevalent trend in the Internet age. As the number of applications that are free to download and install increases, determining their integrity becomes very challenging. Although there is internal regulation in the virtual market, most of the applications available can be downloaded for free and earn only through advertisements. Moreover, most advertisements are not properly checked and become the major cause of malware spread. This paper discusses a common mobile advertisement malware, the Trojanized Adware, and how it can harm mobile phones running Android OS. It also tests what a malware can do after escalating its privilege to “root”, such as device control and system tuning, using Android 4.4.2 (KitKat). Lastly, securing and baselining Android rooting against malware through different layers of protection is also discussed.

Rogue devices are one of the security issues faced by various organizations today. These are unauthorized and unwanted devices that connect to the network and utilize the organization's network resources. These devices connect using wired communication or wirelessly using radio waves. To address the problem of rogue devices, security solutions such as port security and MAC address filtering are implemented. However, these preventive solutions act only as a first layer of defense that can be bypassed. The Rogue Device Detector (RDD) is a security solution that periodically checks the devices connected to the network and determines whether a device is known (legitimate) or unknown (rogue). It also acts as a logger that notes when devices connect to and disconnect from the network for auditing purposes. The system checks all types of devices that connect to the network using various parameters (logical and physical address, device type, version, etc.) without prejudice as to type (e.g. laptop, smart phone) or brand (e.g. iPhone, Cisco).

The Onion Router (TOR) is an open-source software program that allows users to protect their privacy and security against Internet surveillance and provides online anonymity to protect the personal privacy of network users (Techopedia, 2010-2013). However, TOR-based solutions also pose a threat to computer users: unscrupulous individuals may use TOR to deface and harm target web services without being tracked down by authorities. The TOR Detector checks for potential TOR traffic using customized and automated Intrusion Detection System (IDS) signatures based on known exit nodes and behavior. The known exit nodes are chosen based on IP reputation. The behavioral aspect is determined from what the majority of TOR packets look like. Detected suspicious traffic is automatically reported, logged and, in some instances, mitigated. The system places a block in the firewall's Access Control List (ACL) to prevent inbound and outbound illegal TOR connections. The system updates its list of known exit nodes periodically to maintain a level of accuracy with its IP list. Several tests on both TOR browsing and normal Internet browsing were done to check the efficiency and accuracy of the system. The TOR Detector is very useful in corporate networks for determining whether users are following the company's enforced Acceptable Use Policy (AUP).

Service operation based on the Information Technology Infrastructure Library (ITIL) is the most tangible phase of bringing value to clients. A Service Level Agreement (SLA) in service operation is a contract between the client and the service provider that states levels of responsibility and response times depending on certain events encountered. The Stand-Alone Heartbeat Checker (SAHC) is a tool used to meet the SLA in service operation by checking the availability of any server deployed in the network. It is implemented using a multi-protocol checking system that determines the health status of a device. Based on the SLA set, SAHC responds and resolves
system ensures High Availability (HA) to critical devices and detective control for network incidents that need to be resolved.

A bank has invested in securing its resources against unauthorized access from both the external and internal environment. They are so paranoid that they have deployed different security hardware like firewalls and IDS for the network. They also deployed IP cameras and security guards to secure the vicinity. All security devices are properly installed and the security guards are well-armed. One night, the IT staff member on shift called the System Admin, who was at home, and told him that there was a malware compromise in the network. She said that the VP of the company asked her to call the SysAd to get the admin access for the firewall and database to check the configuration and data integrity. The SysAd was so shocked and scared that he gave the details. Early in the morning, the SysAd rushed to the bank to check the status of the issue, but everything looked normal. He realized that there was no compromise and the call last night was just a theatrical act. Worse, he realized that he had given the access to the “IT staff”, which really is a big deal because the credit card and account numbers are in the database and the security configurations are in the firewall. Now the company is in peril!

The proliferation of malicious Command and Control (C&C) servers, or botnets, is a very big security issue on the Internet today. Triggering malware can be found on the most well-known, popular and visited websites. Any user who is tricked into clicking something interesting (usually an advertisement) is redirected to a malicious website or unknowingly forced to install malware that makes them a victim (also known as a zombie). When many users have been victimized, malware is stored on their computers in stealth mode. When thousands or millions of computers are infected, the leader can order all infected machines to do something malicious, like attacking servers to cause a Distributed Denial of Service (DDoS) and other attacks on confidentiality. In 2013, the FBI discovered that millions of machines were infected by a botnet called Citadel. The agency was able to shut down the server, leaving the victims still infected. Anti-virus and firewall solutions are defenseless against this type of attack because botnets cannot be prevented using rule-based and signature-based solutions. The Botnet Correlator Module (BCM) is a mobile and powerful tool used to determine the presence of active C&C activities in a Local Area Network (LAN) topology. It is capable of reading the most up-to-date C&C knowledge base from reputable sources and correlating it with Intrusion Detection System (IDS) rules as a detective control. The module loads the C&C information into the firewall as the primary preventive control and consolidates traffic for further analysis and incident response.