Gilbert Peterson | Air Force Institute of Technology

Papers by Gilbert Peterson

REDIR: Automated static detection of obfuscated anti-debugging techniques

Reverse Code Engineering (RCE) to detect anti-debugging techniques in software is a very difficult task. Code obfuscation is an anti-debugging technique that makes detection even more challenging. The Rule Engine Detection by Intermediate Representation (REDIR) system for automated static detection of obfuscated anti-debugging techniques is a prototype designed to help the RCE analyst improve performance through this tedious task. Three tenets form the REDIR foundation. First, Intermediate Representation (IR) improves the analyzability of binary programs by reducing a large instruction set down to a handful of semantically equivalent statements. Next, an Expert System (ES) rule-engine searches the IR and initiates a sense-making process for anti-debugging technique detection. Finally, an IR analysis process confirms the presence of an anti-debug technique. The REDIR system is implemented as a debugger plug-in. Within the debugger, REDIR interacts with a program in the disassembly view. Debugger users can instantly highlight anti-debugging techniques and determine if the presence of a debugger will cause a program to take a conditional jump or fall through to the next instruction.

Feature detection and matching on atmospheric nuclear detonation video

IET Computer Vision, 2016

WoLF Ant

Improving occupancy grid FastSLAM by integrating navigation sensors

2011 IEEE/RSJ International Conference on Intelligent Robots and Systems, 2011

Steganography anomaly detection using simple one-class classification

Proceedings of SPIE, the International Society for Optical Engineering, 2007

... against the embedded image and manipulates nearby DCT blocks to maintain DCT histogram. ... DCT as well as some commonly used wavelet decompositions used in image processing. ... The features are then generated by calculating the difference between a target coefficient in ...

Dynamic coalition formation under uncertainty

2009 IEEE/RSJ International Conference on Intelligent Robots and Systems, Oct 1, 2009

Extracting Forensic Artifacts from Windows O/S Memory

Workload-Adaptive Human Interface to Aid Robust Decision Making in Human-System Interface. Year 1 Report

Graduate Digital Forensics Education at the Air Force Institute of Technology

2007 40th Annual Hawaii International Conference on System Sciences, Jan 3, 2007

Timing mark detection on nuclear detonation video

2014 IEEE Applied Imagery Pattern Recognition Workshop, Oct 1, 2014

The Enhancement of Graduate Digital Forensics Education via the DC3 Digital Forensics Challenge

HICSS, 2009

... The last step was to read the optical image with WinHex [24]. When this step was performed, the text “QDueling is legal in Paraguay as long as both parties are registered blood donors” was repeated for several hundred megabytes. ...

Using Modeling and Simulation to Examine the Benefits of a Network Tasking Order

Genetic evolution of hierarchical behavior structures

Proceedings of the 9th Annual Conference on Genetic and Evolutionary Computation, 2007

The latest generation Whegs

An Effective and Efficient Real Time Strategy Agent

Twenty Third International FLAIRS Conference, 2010

An Abstract Behavior Representation for Robust, Dynamic Sequencing in a Hybrid Architecture

HAMR: A Hybrid Multi-Robot Control Architecture

FLAIRS, 2009

Highly capable multiple robot architectures often resort to micromanagement to provide enhanced cooperative abilities, sacrificing individual autonomy. Conversely, multi-robot architectures that maintain individual autonomy are often limited in their cooperative abilities. This ...

The Enhancement of Graduate Digital Forensics Education via the DC3 Digital Forensics Challenge

2009 42nd Hawaii International Conference on System Sciences, 2009

... The last step was to read the optical image with WinHex [24]. When this step was performed, the text “QDueling is legal in Paraguay as long as both parties are registered blood donors” was repeated for several hundred megabytes. ...

Simulating windows-based cyber attacks using live virtual machine introspection

... VM. CMAT-V provides situational awareness during simulated cyber attack scenarios. Using static forensic analysis techniques, CMAT-V derives semantically relevant information from an arbitrary Windows memory dump. This ...

Steganalysis feature improvement using expectation maximization

Proceedings of SPIE, the International Society for Optical Engineering, 2007

Images and data files provide an excellent opportunity for concealing illegal or clandestine material. Currently, there are over 250 different tools which embed data into an image without causing noticeable changes to the image. From a forensics perspective, when a system is confiscated or an image of a system is generated, the investigator needs a tool that can scan and accurately identify files suspected of containing malicious information. The identification process is termed the steganalysis problem, which focuses on both blind identification, in which only normal images are available for training, and multi-class identification, in which both the clean and stego images at several embedding rates are available for training. In this paper an investigation of a clustering and classification technique (Expectation Maximization with mixture models) is used to determine if a digital image contains hidden information. The steganalysis problem is addressed for both anomaly detection and multi-class detection. The various clusters represent clean images and stego images with between 1% and 10% embedding percentage. Based on the results it is concluded that the EM classification technique is highly suitable for both blind detection and the multi-class problem.
