Biblio

Filters: Author is Zeltser, Benjamin  [Clear All Filters]
2019-06-24
Copty, Fady, Danos, Matan, Edelstein, Orit, Eisner, Cindy, Murik, Dov, Zeltser, Benjamin.  2018.  Accurate Malware Detection by Extreme Abstraction. Proceedings of the 34th Annual Computer Security Applications Conference. :101–111.

Modern malware applies a rich arsenal of evasion techniques to render dynamic analysis ineffective. In turn, dynamic analysis tools take great pains to hide themselves from malware; typically this entails trying to be as faithful as possible to the behavior of a real run. We present a novel approach to malware analysis that turns this idea on its head, using an extreme abstraction of the operating system that intentionally strays from real behavior. The key insight is that the presence of malicious behavior is sufficient evidence of malicious intent, even if the path taken is not one that could occur during a real run of the sample. By exploring multiple paths in a system that only approximates the behavior of a real system, we can discover behavior that would often be hard to elicit otherwise. We aggregate features from multiple paths and use a funnel-like configuration of machine learning classifiers to achieve high accuracy without incurring too much of a performance penalty. We describe our system, TAMALES (The Abstract Malware Analysis LEarning System), in detail and present machine learning results using a 330K sample set showing an FPR (False Positive Rate) of 0.10% with a TPR (True Positive Rate) of 99.11%, demonstrating that extreme abstraction can be extraordinarily effective in providing data that allows a classifier to accurately detect malware.

2018-01-10
Rotenberg, Nadav, Shulman, Haya, Waidner, Michael, Zeltser, Benjamin.  2017.  Authentication-Bypass Vulnerabilities in SOHO Routers. Proceedings of the SIGCOMM Posters and Demos. :68–70.
SOHO routers act as a gateway to the Internet for Small Office/Home Office networks. Despite the important role that they fulfill, there is a long history of vulnerabilities allowing attackers to breach security and availability of the clients and services on SOHO networks. Following the multiple disclosures and recommendations for patches in the last two decades it seems an obvious question to verify whether the reality meets the expectation. We focus on an important class of vulnerabilities called 'authentication bypass', which allow an attacker to take control over a network device by subverting the authentication procedure. We perform a stealthy and non disruptive evaluation of authentication bypass vulnerabilities in SOHO routers. Our study focuses on a number of selected countries, to detect presence of vulnerable devices. The results of our study are worrisome: we find a large fraction of misconfigurations and insecurity issues in configuration of SOHO routers, which stand in sharp contrast to the awareness of the security and research communities to the vulnerabilities as well as a large body of work studying related topics.