SoS Newsletter
Malware Analysis, 2014, (ACM)

Part 1

 

The ACM published nearly 500 articles about malware analysis in 2014, making the topic one of the most studied. The bibliographical citations presented here, broken into several parts, should be of interest to the Science of Security community.


 

Tamas K. Lengyel, Steve Maresca, Bryan D. Payne, George D. Webster, Sebastian Vogl, Aggelos Kiayias; Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System; ACSAC '14 Proceedings of the 30th Annual Computer Security Applications Conference, December 2014, Pages 386-395. Doi: 10.1145/2664243.2664252  Abstract: Malware is one of the biggest security threats on the Internet today and deploying effective defensive solutions requires the rapid analysis of a continuously increasing number of malware samples. With the proliferation of metamorphic malware the analysis is further complicated as the efficacy of signature-based static analysis systems is greatly reduced. While dynamic malware analysis is an effective alternative, the approach faces significant challenges as the ever increasing number of samples requiring analysis places a burden on hardware resources. At the same time modern malware can both detect the monitoring environment and hide in unmonitored corners of the system.  In this paper we present DRAKVUF, a novel dynamic malware analysis system designed to address these challenges by building on the latest hardware virtualization extensions and the Xen hypervisor. We present a technique for improving stealth by initiating the execution of malware samples without leaving any trace in the analysis machine. We also present novel techniques to eliminate blind-spots created by kernel-mode rootkits by extending the scope of monitoring to include kernel internal functions, and to monitor file-system accesses through the kernel's heap allocations. With extensive tests performed on recent malware samples we show that DRAKVUF achieves significant improvements in conserving hardware resources while providing a stealthy, in-depth view into the behavior of modern malware.
Keywords: dynamic malware analysis, virtual machine introspection (ID#: 15-4661)
URL: http://doi.acm.org/10.1145/2664243.2664252

 

Shahid Alam, Ibrahim Sogukpinar, Issa Traore, Yvonne Coady; In-Cloud Malware Analysis and Detection: State of the Art; SIN '14 Proceedings of the 7th International Conference on Security of Information and Networks, September 2014, Pages 473.  Doi: 10.1145/2659651.2659730  Abstract: With the advent of Internet of Things, we are facing another wave of malware attacks, that encompass intelligent embedded devices. Because of the limited energy resources, running a complete malware detector on these devices is quite challenging. There is a need to devise new techniques to detect malware on these devices. Malware detection is one of the services that can be provided as an in-cloud service. This paper reviews current such systems, discusses their pros and cons, and recommends an improved in-cloud malware analysis and detection system. We introduce a new three layered hybrid system with a lightweight antimalware engine. These features can provide faster malware detection response time, shield the client from malware and reduce the bandwidth between the client and the cloud, compared to other such systems. The paper serves as a motivation for improving the current and developing new techniques for in-cloud malware analysis and detection systems.
Keywords: Cloud computing, In-cloud services, Malware analysis, Malware detection (ID#: 15-4662)
URL: http://doi.acm.org/10.1145/2659651.2659730

 

Markus Wagner, Wolfgang Aigner, Alexander Rind, Hermann Dornhackl, Konstantin Kadletz, Robert Luh, Paul Tavolato; Problem Characterization and Abstraction for Visual Analytics in Behavior-Based Malware Pattern Analysis;  VizSec '14 Proceedings of the Eleventh Workshop on Visualization for Cyber Security, November 2014, Pages 9-16. Doi: 10.1145/2671491.2671498 Abstract: Behavior-based analysis of emerging malware families involves finding suspicious patterns in large collections of execution traces. This activity cannot be automated for previously unknown malware families and thus malware analysts would benefit greatly from integrating visual analytics methods in their process. However existing approaches are limited to fairly static representations of data and there is no systematic characterization and abstraction of this problem domain. Therefore we performed a systematic literature study, conducted a focus group as well as semi-structured interviews with 10 malware analysts to elicit a problem abstraction along the lines of data, users, and tasks. The requirements emerging from this work can serve as basis for future design proposals to visual analytics-supported malware pattern analysis.
Keywords: evaluation, malicious software, malware analysis, problem characterization and abstraction, visual analytics (ID#: 15-4663)
URL: http://doi.acm.org/10.1145/2671491.2671498

 

Jae-wook Jang, Jiyoung Woo, Jaesung Yun, Huy Kang Kim;  Mal-Netminer: Malware Classification Based on Social Network Analysis of Call Graph; WWW Companion '14 Proceedings of the Companion Publication of The 23rd International Conference on World Wide Web Companion, April 2014, Pages 731-734. Doi: 10.1145/2567948.2579364  Abstract: In this work, we aim to classify malware using automatic classifiers by employing graph metrics commonly used in social network analysis. First, we make a malicious system call dictionary that consists of system calls found in malware. To analyze the general structural information of malware and measure the influence of system calls found in malware, we adopt social network analysis. Thus, we use social network metrics such as the degree distribution, degree centrality, and average distance, which are implicitly equivalent to distinct behavioral characteristics. Our experiments demonstrate that the proposed system performs well in classifying malware families within each malware class with accuracy greater than 98%. By exploiting the social network properties of system calls found in malware, our proposed method can not only classify the malware with fewer features than previous methods adopting graph features but also enable us to build a quick and simple detection system against malware.
Keywords: degree distribution, dynamic analysis, malware, social network analysis (SNA), system call graph (ID#: 15-4664)
URL: http://dl.acm.org/citation.cfm?id=2579364
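To make the call-graph metrics named in the Mal-Netminer abstract concrete, the following is an added example (it is not the authors' code and does not reproduce their classifier). It turns a system-call trace into a directed call graph in which an edge joins each call to the call that immediately follows it, and then computes the three metrics the abstract lists (degree distribution, degree centrality, average distance) with plain breadth-first search. The trace and the "malicious call dictionary" are constructed stand-ins, not output of any real sample.

```python
"""Call-graph feature extraction in the style of Mal-Netminer (added example).

A trace is a list of system-call names in execution order. The graph has one
node per distinct call and a directed edge A -> B whenever A is immediately
followed by B. Centrality and distance are computed on the undirected view,
which is how the metrics are usually defined for social-network analysis.
"""
from collections import Counter, deque

# Constructed trace (hypothetical, not real sandbox output).
SAMPLE_TRACE = [
    "NtOpenFile", "NtReadFile", "NtClose",
    "NtOpenFile", "NtWriteFile", "NtClose",
    "NtCreateProcess",
]

# Constructed stand-in for the paper's "malicious system call dictionary".
SUSPICIOUS_CALLS = {"NtCreateProcess", "NtWriteVirtualMemory", "NtCreateThreadEx"}


def build_call_graph(trace):
    """Directed graph as {call: set(next_calls)}; self-loops are dropped."""
    graph = {}
    for a, b in zip(trace, trace[1:]):
        graph.setdefault(a, set())
        graph.setdefault(b, set())
        if a != b:
            graph[a].add(b)
    if trace:
        graph.setdefault(trace[0], set())
    return graph


def undirected(graph):
    """Symmetric adjacency used for the social-network metrics."""
    und = {v: set() for v in graph}
    for a, nbrs in graph.items():
        for b in nbrs:
            und[a].add(b)
            und[b].add(a)
    return und


def degree_centrality(graph):
    """Degree of each node divided by the maximum possible degree (n - 1)."""
    und = undirected(graph)
    n = len(und)
    if n < 2:
        return {v: 0.0 for v in und}
    return {v: len(nbrs) / (n - 1) for v, nbrs in und.items()}


def degree_distribution(graph):
    """How many nodes have each degree, e.g. {1: 1, 2: 2, 3: 1, 4: 1}."""
    und = undirected(graph)
    return dict(Counter(len(nbrs) for nbrs in und.values()))


def average_distance(graph):
    """Mean shortest-path length over all reachable ordered pairs (BFS)."""
    und = undirected(graph)
    total, pairs = 0, 0
    for src in und:
        dist = {src: 0}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for w in und[u]:
                if w not in dist:
                    dist[w] = dist[u] + 1
                    queue.append(w)
        for v, d in dist.items():
            if v != src:
                total += d
                pairs += 1
    return total / pairs if pairs else 0.0


def feature_vector(trace):
    """Flat features a classifier could consume for one trace."""
    graph = build_call_graph(trace)
    cent = degree_centrality(graph)
    return {
        "nodes": len(graph),
        "edges": sum(len(s) for s in graph.values()),
        "max_centrality_call": max(cent, key=cent.get),
        "max_centrality": max(cent.values()),
        "avg_distance": average_distance(graph),
        "degree_distribution": degree_distribution(graph),
        "dictionary_hits": sum(1 for c in trace if c in SUSPICIOUS_CALLS),
    }


if __name__ == "__main__":
    for k, v in feature_vector(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

For the constructed trace the most central call is NtClose (it neighbours every other call but NtReadFile is two hops from NtWriteFile), the average distance is 1.4 and one call falls in the dictionary. The paper's point is that such low-dimensional graph features, rather than raw call sequences, are enough to separate families; here they would be fed to whatever classifier is in use.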

 

Tobias Wüchner, Martín Ochoa, Alexander Pretschner;   Malware Detection With Quantitative Data Flow Graphs;  ASIA CCS '14 Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, June 2014, Pages 271-282. Doi: 10.1145/2590296.2590319  Abstract: We propose a novel behavioral malware detection approach based on a generic system-wide quantitative data flow model. We base our data flow analysis on the incremental construction of aggregated quantitative data flow graphs. These graphs represent communication between different system entities such as processes, sockets, files or system registries. We demonstrate the feasibility of our approach through a prototypical instantiation and implementation for the Windows operating system. Our experiments yield encouraging results: in our data set of samples from common malware families and popular non-malicious applications, our approach has a detection rate of 96% and a false positive rate of less than 1.6%. In comparison with closely related data flow based approaches, we achieve similar detection effectiveness with considerably better performance: an average full system analysis takes less than one second.
Keywords: behavioral malware analysis, data flow tracking, intrusion detection, malware detection, quantitative data flows (ID#: 15-4665)
URL: http://doi.acm.org/10.1145/2590296.2590319

 

Ashish Saini, Ekta Gandotra, Divya Bansal, Sanjeev Sofat;  Classification of PE Files using Static Analysis; SIN '14 Proceedings of the 7th International Conference on Security of Information and Networks, September 2014, Pages 429. Doi: 10.1145/2659651.2659679  Abstract: Malware is one of the most terrible and major security threats facing the Internet today. Anti-malware vendors are challenged to identify, classify and counter new malwares due to the obfuscation techniques being used by malware authors. In this paper, we present a simple, fast and scalable method of differentiating malwares from cleanwares on the basis of features extracted from Windows PE files. The features used in this work are Suspicious Section Count and Function Call Frequency. After automatically extracting features of executables, we use machine learning algorithms available in WEKA library to classify them into malwares and cleanwares. Our experimental results provide an accuracy of over 98% for a data set of 3,087 executable files including 2,460 malwares and 627 cleanwares. Based on the results obtained, we conclude that the Function Call Frequency feature derived from the static analysis method plays a significant role in distinguishing malware files from benign ones.
Keywords: Classification, Machine Learning, Static Malware Analysis (ID#: 15-4666)
URL: http://doi.acm.org/10.1145/2659651.2659679

 

Bernhard Grill, Christian Platzer, Jürgen Eckel; A Practical Approach for Generic Bootkit Detection and Prevention;  EuroSec '14 Proceedings of the Seventh European Workshop on System Security, April 2014, Article No. 4. Doi: 10.1145/2592791.2592795  Abstract: Bootkits are still the most powerful tool for attackers to stealthily infiltrate computer systems. In this paper we present a novel approach to detect and prevent bootkit attacks during the infection phase. Our approach relies on emulation and monitoring of the system's boot process. We present results of a preliminary evaluation on our approach using a Windows system and the leaked Carberp bootkit.
Keywords: bootkit detection and prevention, dynamic malware analysis, x86 emulation (ID#: 15-4667)
URL: http://doi.acm.org/10.1145/2592791.2592795

 

Dennis Gamayunov;  Falsifiability of Network Security Research: The Good, the Bad, and the Ugly; TRUST '14 Proceedings of the 1st ACM SIGPLAN Workshop on Reproducible Research Methodologies and New Publication Models in Computer Engineering, June 2014, Article No. 4. Doi: 10.1145/2618137.2618141  Abstract: A falsifiability criterion helps us to distinguish between scientific and non-scientific theories. One may try to raise a question whether this criterion is applicable to the information security research, especially to the intrusion detection and malware research fields. In fact, these research fields seem to fail to satisfy the falsifiability criterion, since they lack the practice of publishing raw experimental data which were used to prove the theories. Existing public datasets like the KDD Cup'99 dataset and VX Heavens virus dataset are outdated. Furthermore, most of current scientific research projects tend to keep their datasets private. We suggest that the scientific community should pay more attention to creating and maintaining public open datasets of malware and any kinds of computer attack-related data. But how can we bring this into reality, taking into account legal and privacy concerns?
Keywords: intrusion detection, malware analysis, network security, research methodology (ID#: 15-4668)
URL: http://doi.acm.org/10.1145/2618137.2618141

 

TaeGuen Kim, Jung Bin Park, In Gyeom Cho, Boojoong Kang, Eul Gyu Im, SooYong Kang;  Similarity Calculation Method for User-Define Functions to Detect Malware Variants; RACS '14 Proceedings of the 2014 Conference on Research in Adaptive and Convergent Systems, October 2014, Pages 236-241. Doi: 10.1145/2663761.2664222  Abstract: The number of malware samples has sharply increased over the years, and it has caused various damage to computing systems and data. In this paper, we propose techniques to detect malware variants. Malware authors usually reuse malware modules when they generate new malware or malware variants. Therefore, malware variants have common code for some functions in their binary files. We focused on this common code in this research, and propose techniques to detect malware variants through similarity calculation of user-defined functions. Since many malware variants evade malware detection systems by transforming their static signatures, to cope with this problem, we applied pattern matching algorithms for DNA variations in Bioinformatics to similarity calculation of malware binary files. Since the pattern matching algorithm we used provides the local alignment function, small modifications of functions can be overcome. Experimental results show that our proposed method can detect malware similarity and it is more resilient than other methods.
Keywords: malware analysis, smith-waterman algorithm, static analysis (ID#: 15-4669)
URL: http://doi.acm.org/10.1145/2663761.2664222
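The keywords name Smith-Waterman, the local-alignment algorithm from bioinformatics, and the abstract says local alignment is what lets a slightly modified function still match its original. The following added example (not the authors' code; the scoring weights, the opcode-sequence representation and the normalisation are choices made here) shows why: a function is represented as its sequence of opcode mnemonics, and Smith-Waterman scores the best locally matching region, so inserted nops or substituted instructions cost a few points instead of breaking an exact signature. The four "functions" are constructed disassembly, not taken from any real binary.

```python
"""Smith-Waterman local alignment over opcode sequences (added example).

Each function is a list of mnemonics as a disassembler would emit them.
A matched opcode scores +2, a mismatch -1 and a gap (inserted/deleted
instruction) -1; these weights are an assumption, not the paper's.
"""

MATCH, MISMATCH, GAP = 2, -1, -1

# Constructed "user-defined functions" (hypothetical disassembly).
ORIGINAL = ["push", "mov", "sub", "call", "test", "jz", "xor", "pop", "ret"]
# Variant 1: two nops inserted in the middle (breaks a byte signature).
INSERTED_NOPS = ["push", "mov", "sub", "nop", "nop",
                 "call", "test", "jz", "xor", "pop", "ret"]
# Variant 2: two instructions substituted by the author.
SUBSTITUTED = ["push", "mov", "add", "call", "test", "jz", "mov", "pop", "ret"]
# Unrelated function that only shares a prologue and a ret.
UNRELATED = ["push", "mov", "lea", "cmp", "jne", "inc", "jmp", "leave", "ret"]


def smith_waterman(a, b, match=MATCH, mismatch=MISMATCH, gap=GAP):
    """Best local alignment score of sequences a and b (linear gap penalty).

    H[i][j] is the best score of an alignment ending exactly at a[i-1], b[j-1];
    the 0 in the max lets an alignment restart anywhere, which is what makes
    the alignment local rather than global.
    """
    n, m = len(a), len(b)
    H = [[0] * (m + 1) for _ in range(n + 1)]
    best = 0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = H[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            up = H[i - 1][j] + gap      # instruction in a not present in b
            left = H[i][j - 1] + gap    # instruction in b not present in a
            H[i][j] = max(0, diag, up, left)
            best = max(best, H[i][j])
    return best


def similarity(a, b):
    """Alignment score normalised by the self-score of the shorter sequence.

    The result lies in [0, 1]; 1.0 means the shorter function is embedded
    unchanged in the longer one.
    """
    shorter = min(len(a), len(b))
    return smith_waterman(a, b) / (shorter * MATCH) if shorter else 0.0


def find_variants(known, candidate, threshold=0.5):
    """Return (name, similarity) for every known function the candidate
    resembles at or above the threshold, best match first."""
    hits = [(name, round(similarity(seq, candidate), 3))
            for name, seq in known.items()]
    return sorted([h for h in hits if h[1] >= threshold],
                  key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    known = {"orig_func": ORIGINAL}
    for label, cand in [("nops", INSERTED_NOPS), ("subst", SUBSTITUTED),
                        ("unrelated", UNRELATED)]:
        print(label, smith_waterman(ORIGINAL, cand), find_variants(known, cand))
```

Against the original, the nop-padded variant scores 16 of a possible 18 (only the two gaps cost anything), the substituted variant 12, and the unrelated function 4 (just the shared push/mov prologue), so a threshold of 0.5 on the normalised score keeps both variants and rejects the unrelated function. In practice the sequences would come from a disassembler's output for each function rather than from hand-written lists, and the weights would be tuned on a labelled corpus.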

 

Timothy Vidas, Jiaqi Tan, Jay Nahata, Chaur Lih Tan, Nicolas Christin, Patrick Tague;  A5: Automated Analysis of Adversarial Android Applications; SPSM '14 Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, November 2014, Pages 39-50. Doi: 10.1145/2666620.2666630  Abstract: Mobile malware is growing - both in overall volume and in number of existing variants - at a pace rapid enough that systematic manual, human analysis is becoming increasingly difficult. As a result, there is a pressing need for techniques and tools that provide automated analysis of mobile malware samples. We present A5, an open source automated system to process Android malware. A5 is a hybrid system combining static and dynamic malware analysis techniques. Android's architecture permits many different paths for malware to react to system events, any of which may result in malicious behavior. Key innovations in A5 consist of novel methods of interacting with mobile malware to better coerce malicious behavior, and in combining both virtual and physical pools of Android platforms to capture behavior that could otherwise be missed. The primary output of A5 is a set of network threat indicators and intrusion detection system signatures that can be used to detect and prevent malicious network activity. We detail A5's distributed design and demonstrate applicability of our interaction techniques using examples from real malware. Additionally, we compare A5 with other automated systems and provide performance measurements of an implementation, using a published dataset of 1,260 unique malware samples, showing that A5 can quickly process large amounts of malware. We provide a public web interface to our implementation of A5 that allows third parties to use A5 as a web service.
Keywords: dynamic analysis, malicious behavior, mobile malware, sandbox, static analysis, virtualization (ID#: 15-4670)
URL: http://doi.acm.org/10.1145/2666620.2666630

 

M. Zubair Rafique, Ping Chen, Christophe Huygens, Wouter Joosen;  Evolutionary Algorithms for Classification of Malware Families Through Different Network Behaviors;  GECCO '14 Proceedings of the 2014 Conference on Genetic and Evolutionary Computation, July 2014, Pages 1167-1174.  Doi: 10.1145/2576768.2598238  Abstract: The staggering increase of malware families and their diversity poses a significant threat and creates a compelling need for automatic classification techniques. In this paper, we first analyze the role of network behavior as a powerful technique to automatically classify malware families and their polymorphic variants. Afterwards, we present a framework to efficiently classify malware families by modeling their different network behaviors (such as HTTP, SMTP, UDP, and TCP). We propose protocol-aware and state-space modeling schemes to extract features from malware network behaviors. We analyze the applicability of various evolutionary and non-evolutionary algorithms for our malware family classification framework. To evaluate our framework, we collected a real-world dataset of 6,000 unique and active malware samples belonging to 20 different malware families. We provide a detailed analysis of network behaviors exhibited by these prevalent malware families. The results of our experiments show that evolutionary algorithms, like sUpervised Classifier System (UCS), can effectively classify malware families through different network behaviors in real-time. To the best of our knowledge, the current work is the first malware classification framework based on evolutionary classifier that uses different network behaviors.
Keywords: machine learning, malware classification, network behaviors (ID#: 15-4671)
URL: http://doi.acm.org/10.1145/2576768.2598238

 

Mu Zhang, Yue Duan, Heng Yin, Zhiruo Zhao;  Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphs;  CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 1105-1116. Doi: 10.1145/2660267.2660359  Abstract: The drastic increase of Android malware has led to a strong interest in developing methods to automate the malware analysis process. Existing automated Android malware detection and classification methods fall into two general categories: 1) signature-based and 2) machine learning-based. Signature-based approaches can be easily evaded by bytecode-level transformation attacks. Prior learning-based works extract features from application syntax, rather than program semantics, and are also subject to evasion. In this paper, we propose a novel semantic-based approach that classifies Android malware via dependency graphs. To battle transformation attacks, we extract a weighted contextual API dependency graph as program semantics to construct feature sets. To fight against malware variants and zero-day malware, we introduce graph similarity metrics to uncover homogeneous application behaviors while tolerating minor implementation differences. We implement a prototype system, DroidSIFT, in 23 thousand lines of Java code. We evaluate our system using 2200 malware samples and 13500 benign samples. Experiments show that our signature detection can correctly label 93% of malware instances; our anomaly detector is capable of detecting zero-day malware with a low false negative rate (2%) and an acceptable false positive rate (5.15%) for a vetting purpose.
Keywords: android, anomaly detection, graph similarity, malware classification, semantics-aware, signature detection (ID#: 15-4672)
URL: http://doi.acm.org/10.1145/2660267.2660359

 

Shahid Alam, Issa Traore, Ibrahim Sogukpinar; Current Trends and the Future of Metamorphic Malware Detection; SIN '14 Proceedings of the 7th International Conference on Security of Information and Networks, September 2014, Pages 411. Doi: 10.1145/2659651.2659670  Abstract: Dynamic binary obfuscation or metamorphism is a technique where a malware never keeps the same sequence of opcodes in the memory. This stealthy mutation technique helps a malware evade detection by today's signature-based anti-malware programs. This paper analyzes the current trends, provides future directions and reasons about some of the basic characteristics of a system for providing real-time detection of metamorphic malware. Our emphasis is on the most recent advancements and the potentials available in metamorphic malware detection, so we only cover some of the major academic research efforts carried out, including and after, the year 2006. The paper not only serves as a collection of recent references and information for easy comparison and analysis, but also as a motivation for improving the current and developing new techniques for metamorphic malware detection.
Keywords: End point security, Malware detection, Metamorphic malware, Obfuscations (ID#: 15-4673)
URL: http://doi.acm.org/10.1145/2659651.2659670

 

Zhaoyan Xu, Antonio Nappa, Robert Baykov, Guangliang Yang, Juan Caballero, Guofei Gu;  AUTOPROBE: Towards Automatic Active Malicious Server Probing Using Dynamic Binary Analysis; CCS '14 Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 179-190.  Doi: 10.1145/2660267.2660352  Abstract: Malware continues to be one of the major threats to Internet security. In the battle against cybercriminals, accurately identifying the underlying malicious server infrastructure (e.g., C&C servers for botnet command and control) is of vital importance. Most existing passive monitoring approaches cannot keep up with the highly dynamic, ever-evolving malware server infrastructure. As an effective complementary technique, active probing has recently attracted attention due to its high accuracy, efficiency, and scalability (even to the Internet level). In this paper, we propose Autoprobe, a novel system to automatically generate effective and efficient fingerprints of remote malicious servers. Autoprobe addresses two fundamental limitations of existing active probing approaches: it supports pull-based C&C protocols, used by the majority of malware, and it generates fingerprints even in the common case when C&C servers are not alive during fingerprint generation. Using real-world malware samples we show that Autoprobe can successfully generate accurate C&C server fingerprints through novel applications of dynamic binary analysis techniques. By conducting Internet-scale active probing, we show that Autoprobe can successfully uncover hundreds of malicious servers on the Internet, many of them unknown to existing blacklists. We believe Autoprobe is a great complement to existing defenses, and can play a unique role in the battle against cybercriminals.
Keywords: active probing, malware, fingerprint generation, C&C server (ID#: 15-4674)
URL: http://doi.acm.org/10.1145/2660267.2660352

 

Ekta Gandotra, Divya Bansal, Sanjeev Sofat; Integrated Framework for Classification of Malwares; SIN '14 Proceedings of the 7th International Conference on Security of Information and Networks, September 2014, Pages 417. Doi: 10.1145/2659651.2659738  Abstract: Malware is one of the most terrible and major security threats facing the Internet today. It is evolving, becoming more sophisticated and using new ways to target computers and mobile devices. The traditional defences like antivirus softwares typically rely on signature based methods and are unable to detect previously unseen malwares. Machine learning approaches have been adopted to classify malwares based on the features extracted using static or dynamic analysis. Both types of malware analysis have their pros and cons. In this paper, we propose a classification framework which uses integration of both static and dynamic features for distinguishing malwares from clean files. A real world corpus of recent malwares is used to validate the proposed approach. The experimental results, based on a dataset of 998 malwares and 428 cleanware files, provide an accuracy of 99.58%, indicating that the hybrid approach enhances the accuracy rate of malware detection and classification over the results obtained when these features are considered separately.
Keywords: Classification, Dynamic Analysis, Machine Learning, Malware, Static Analysis (ID#: 15-4675)
URL: http://doi.acm.org/10.1145/2659651.2659738

 

Hao Zhang, Danfeng Daphne Yao, Naren Ramakrishnan;   Detection of Stealthy Malware Activities With Traffic Causality and Scalable Triggering Relation Discovery; ASIA CCS '14 Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, June 2014, Pages 39-50.   Doi: 10.1145/2590296.2590309  Abstract: Studies show that a significant portion of networked computers are infected with stealthy malware. Infection allows remote attackers to control, utilize, or spy on victim machines. Conventional signature-scan or counting-based techniques are limited, as they are unable to stop new zero-day exploits. We describe a traffic analysis method that can effectively detect malware activities on a host. Our new approach efficiently discovers the underlying triggering relations of a massive amount of network events. We use these triggering relations to reason the occurrences of network events and to pinpoint stealthy malware activities. We define a new problem of triggering relation discovery of network events. Our solution is based on domain-knowledge guided advanced learning algorithms. Our extensive experimental evaluation involving 6+ GB traffic of various types shows promising results on the accuracy of our triggering relation discovery.
Keywords: anomaly detection, network security, stealthy malware (ID#: 15-4676)
URL: http://doi.acm.org/10.1145/2590296.2590309

 

Timothy Vidas, Nicolas Christin; Evading Android Runtime Analysis via Sandbox Detection;  ASIA CCS '14 Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, June 2014, Pages 447-458. Doi: 10.1145/2590296.2590325  Abstract: The large amounts of malware, and its diversity, have made it necessary for the security community to use automated dynamic analysis systems. These systems often rely on virtualization or emulation, and have recently started to be available to process mobile malware. Conversely, malware authors seek to detect such systems and evade analysis. In this paper, we present techniques for detecting Android runtime analysis systems. Our techniques are classified into four broad classes showing the ability to detect systems based on differences in behavior, performance, hardware and software components, and those resulting from analysis system design choices. We also evaluate our techniques against current publicly accessible systems, all of which are easily identified and can therefore be hindered by a motivated adversary. Our results show some fundamental limitations in the viability of dynamic mobile malware analysis platforms purely based on virtualization.
Keywords: android, evasion, malware, sandbox (ID#: 15-4677)
URL: http://doi.acm.org/10.1145/2590296.2590325

 

Yiming Jing, Ziming Zhao, Gail-Joon Ahn, Hongxin Hu; Morpheus: Automatically Generating Heuristics to Detect Android Emulators; ACSAC '14 Proceedings of the 30th Annual Computer Security Applications Conference, December 2014, Pages 216-225. Doi: 10.1145/2664243.2664250  Abstract: Emulator-based dynamic analysis has been widely deployed in Android application stores. While it has been proven effective in vetting applications on a large scale, it can be detected and evaded by recent Android malware strains that carry detection heuristics. Using such heuristics, an application can check the presence or contents of certain artifacts and infer the presence of emulators. However, there exists little work that systematically discovers those heuristics that would be eventually helpful to prevent malicious applications from bypassing emulator-based analysis. To cope with this challenge, we propose a framework called Morpheus that automatically generates such heuristics. Morpheus leverages our insight that an effective detection heuristic must exploit discrepancies observable by an application. To this end, Morpheus analyzes the application sandbox and retrieves observable artifacts from both Android emulators and real devices. Afterwards, Morpheus further analyzes the retrieved artifacts to extract and rank detection heuristics. The evaluation of our proof-of-concept implementation of Morpheus reveals more than 10,000 novel detection heuristics that can be utilized to detect existing emulator-based malware analysis tools. We also discuss the discrepancies in Android emulators and potential countermeasures.
Keywords: Android, emulator, malware (ID#: 15-4678)
URL: http://doi.acm.org/10.1145/2664243.2664250

 

Hien Thi Thu Truong, Eemil Lagerspetz, Petteri Nurmi, Adam J. Oliner, Sasu Tarkoma, N. Asokan, Sourav Bhattacharya; The Company You Keep: Mobile Malware Infection Rates and Inexpensive Risk Indicators; WWW '14 Proceedings of the 23rd International Conference on World Wide Web, April 2014, Pages 39-50. Doi: 10.1145/2566486.2568046  Abstract: There is little information from independent sources in the public domain about mobile malware infection rates. The only previous independent estimate (0.0009%) [11], was based on indirect measurements obtained from domain-name resolution traces. In this paper, we present the first independent study of malware infection rates and associated risk factors using data collected directly from over 55,000 Android devices. We find that the malware infection rates in Android devices estimated using two malware datasets (0.28% and 0.26%), though small, are significantly higher than the previous independent estimate. Based on the hypothesis that some application stores have a greater density of malicious applications and that advertising within applications and cross-promotional deals may act as infection vectors, we investigate whether the set of applications used on a device can serve as an indicator for infection of that device. Our analysis indicates that, while not an accurate indicator of infection by itself, the application set does serve as an inexpensive method for identifying the pool of devices on which more expensive monitoring and analysis mechanisms should be deployed. Using our two malware datasets we show that this indicator performs up to about five times better at identifying infected devices than the baseline of random checks. Such indicators can be used, for example, in the search for new or previously undetected malware. It is therefore a technique that can complement standard malware scanning. Our analysis also demonstrates a marginally significant difference in battery use between infected and clean devices.
Keywords: android, infection rate, malware detection, mobile malware (ID#: 15-4679)
URL: http://doi.acm.org/10.1145/2566486.2568046

 

Qian Feng, Aravind Prakash, Heng Yin, Zhiqiang Lin; MACE: High-Coverage and Robust Memory Analysis for Commodity Operating Systems; ACSAC '14 Proceedings of the 30th Annual Computer Security Applications Conference, December 2014, Pages 196-205. Doi: 10.1145/2664243.2664248  Abstract: Memory forensic analysis collects evidence for digital crimes and malware attacks from the memory of a live system. It is increasingly valuable, especially in cloud computing. However, memory analysis on commodity operating systems (such as Microsoft Windows) faces the following key challenges: (1) a partial knowledge of kernel data structures; (2) difficulty in handling ambiguous pointers; and (3) lack of robustness by relying on soft constraints that can be easily violated by kernel attacks. To address these challenges, we present MACE, a memory analysis system that can extract a more complete view of the kernel data structures for closed-source operating systems and significantly improve the robustness by only leveraging pointer constraints (which are hard to manipulate) and evaluating these constraints globally (to even tolerate a certain amount of pointer attacks). We have evaluated MACE on 100 memory images for Windows XP SP3 and Windows 7 SP0. Overall, MACE can construct a kernel object graph from a memory image in just a few minutes, and achieves over 95% recall and over 96% precision. Our experiments on real-world rootkit samples and synthetic attacks further demonstrate that MACE outperforms other external memory analysis tools with respect to wider coverage and better robustness.
Keywords: memory analysis, random surfer, rootkit detection (ID#: 15-4680)
URL: http://doi.acm.org/10.1145/2664243.2664248

 

Ali Zand, Giovanni Vigna, Xifeng Yan, Christopher Kruegel; Extracting Probable Command and Control Signatures for Detecting Botnets; SAC '14 Proceedings of the 29th Annual ACM Symposium on Applied Computing, March 2014, Pages 1657-1662.  Doi: 10.1145/2554850.2554896  Abstract: Botnets, which are networks of compromised machines under the control of a single malicious entity, are a serious threat to online security. The fact that botnets, by definition, receive their commands from a single entity can be leveraged to fight them. To this end, one requires techniques that can detect command and control (C&C) traffic, as well as the servers that host C&C services. Given the knowledge of a C&C server's IP address, one can use this information to detect all hosts that attempt to contact such a server, and subsequently disinfect, disable, or block the infected machines. This information can also be used by law enforcement to take down the C&C server. In this paper, we present a new botnet C&C signature extraction approach that can be used to find C&C communication in traffic generated by executing malware samples in a dynamic analysis system. This approach works in two steps. First, we extract all frequent strings seen in the network traffic. Second, we use a function that assigns a score to each string. This score represents the likelihood that the string is indicative of C&C traffic. This function allows us to rank strings and focus our attention on those that likely represent good C&C signatures. We apply our technique to almost 2.6 million network connections produced by running more than 1.4 million malware samples. Using our technique, we were able to automatically extract a set of signatures that are able to identify C&C traffic. Furthermore, we compared our signatures with those used by existing tools, such as Snort and BotHunter.
Keywords:  (not provided) (ID#: 15-4681)
URL: http://doi.acm.org/10.1145/2554850.2554896
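The two-step procedure in the abstract above (collect frequent strings from sandbox traffic, then score each one by how C&C-like it is) can be demonstrated end to end. The block below is an added example written for this page; it is not the authors' code, and the abstract does not give their scoring function, so the score used here (connection frequency, times spread across distinct samples, times absence from a benign background) is an assumption chosen to illustrate the ranking idea. The traffic lists are constructed, not real captures.

```python
"""Two-step extraction of candidate C&C signatures from sandbox traffic.

Added example (not the paper's code). Step 1 collects strings that recur
across connections; step 2 scores them. The scoring function below is an
assumption chosen to illustrate the idea: a string scores high when it is
common across connections AND across distinct samples, and absent from
benign traffic.
"""
import re
from collections import Counter, defaultdict

# Constructed data: (sample_id, request line) per outbound connection,
# as a dynamic analysis system might log it. Not real malware traffic.
MALWARE_TRAFFIC = [
    ("s1", "GET /gate.php?id=7ac3&cmd=ping HTTP/1.1"),
    ("s1", "GET /gate.php?id=7ac3&cmd=dl HTTP/1.1"),
    ("s2", "GET /gate.php?id=b091&cmd=ping HTTP/1.1"),
    ("s3", "POST /gate.php HTTP/1.1"),
    ("s3", "GET /index.html HTTP/1.1"),
    ("s4", "GET /images/logo.png HTTP/1.1"),
    ("s5", "GET /gate.php?id=0f1e&cmd=ping HTTP/1.1"),
]

# Constructed benign background traffic (one request line per connection).
BENIGN_TRAFFIC = [
    "GET /index.html HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /css/site.css HTTP/1.1",
]

# Candidate strings are maximal runs of these characters; '/', '?', '&', '='
# act as separators so path components and parameter names become candidates.
TOKEN_RE = re.compile(r"[A-Za-z0-9_.]+")


def candidate_strings(payload):
    """Distinct candidate strings in one connection (each counted once)."""
    return set(TOKEN_RE.findall(payload))


def frequent_strings(traffic, min_support=2):
    """Step 1: strings present in at least min_support connections."""
    counts = Counter()
    for _, payload in traffic:
        counts.update(candidate_strings(payload))
    return {s: n for s, n in counts.items() if n >= min_support}


def score_strings(traffic, benign, min_support=2):
    """Step 2: assumed score in [0, 1] for each frequent string.

    score = (fraction of malware connections containing s)
          * (fraction of distinct samples containing s)
          * (1 - fraction of benign connections containing s)
    Sample-specific values (bot IDs) are penalised by the second factor;
    protocol boilerplate ("HTTP", "GET") by the third.
    """
    n_conn = len(traffic)
    all_samples = {sid for sid, _ in traffic}
    samples_with = defaultdict(set)
    for sid, payload in traffic:
        for s in candidate_strings(payload):
            samples_with[s].add(sid)
    benign_counts = Counter()
    for payload in benign:
        benign_counts.update(candidate_strings(payload))
    scores = {}
    for s, n in frequent_strings(traffic, min_support).items():
        conn_frac = n / n_conn
        sample_frac = len(samples_with[s]) / len(all_samples)
        benign_frac = benign_counts[s] / len(benign) if benign else 0.0
        scores[s] = conn_frac * sample_frac * (1.0 - benign_frac)
    return scores


def rank_signatures(traffic, benign, min_support=2):
    """Frequent strings ordered from most to least C&C-like."""
    scores = score_strings(traffic, benign, min_support)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for s, score in rank_signatures(MALWARE_TRAFFIC, BENIGN_TRAFFIC):
        print(f"{score:.3f}  {s}")
```

On the constructed input the gateway path ranks first, the per-bot identifier ranks near the bottom because it is confined to one sample, and HTTP boilerplate scores zero because the benign background contains it in every connection. A production version would extract n-grams or longer substrings rather than single tokens, and would use a much larger benign corpus so that common web paths do not leak into the signature set.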

 

Tom Deering, Suresh Kothari, Jeremias Sauceda, Jon Mathews; Atlas: A New Way to Explore Software, Build Analysis Tools;  ICSE Companion 2014 Companion Proceedings of the 36th International Conference on Software Engineering, May 2014, Pages 588-591.  Doi: 10.1145/2591062.2591065  Abstract: Atlas is a new software analysis platform from EnSoft Corp. Atlas decouples the domain-specific analysis goal from its underlying mechanism by splitting analysis into two distinct phases. In the first phase, polynomial-time static analyzers index the software AST, building a rich graph database. In the second phase, users can explore the graph directly or run custom analysis scripts written using a convenient API. These features make Atlas ideal for both interaction and automation. In this paper, we describe the motivation, design, and use of Atlas. We present validation case studies, including the verification of safe synchronization of the Linux kernel, and the detection of malware in Android applications. Our ICSE 2014 demo explores the comprehension and malware detection use cases. Video: http://youtu.be/cZOWlJ-IO0k
Keywords: Analysis platform, Human-in-the-loop, Static analysis (ID#: 15-4682)
URL: http://doi.acm.org/10.1145/2591062.2591065

 

Christopher Kruegel; Fighting Malicious Code: An Eternal Struggle;  ASIA CCS '14 Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, June 2014, Pages 1-1. Doi: 10.1145/2590296.2590348 Abstract: Despite many years of research and significant commercial investment, the malware problem is far from being solved (or even reasonably well contained). Every week, the mainstream press publishes articles that describe yet another incident where millions of credit cards were leaked, a large company discloses that adversaries had remote access to its corporate secrets for years, and we discover a new botnet with tens of thousands of compromised machines. Clearly, this situation is not acceptable, but why isn't it getting any better?  In this talk, I will discuss some of the reasons why the malware problem is fundamentally hard, and why existing defenses in industry are no longer working. I will then outline progress that researchers and industry have made over the last years, and highlight a few milestones in our struggle to keep malicious code off our computer systems. This part will not focus on advances related to the analysis of malicious code alone, but take a broader perspective. How can we prevent malicious code from getting onto our machines in the first place? How can we detect network communication between malware programs and remote control nodes? And how can we lower the benefits that attackers obtain from their compromised machines? Finally, I will point out a few areas in which I believe that we should make progress to have the most impact in our fight against malicious code.
Keywords: intrusion/anomaly detection and malware mitigation (ID#: 15-4683)
URL: http://doi.acm.org/10.1145/2590296.2590348

 

Sebastián García, Vojtěch Uhlíř, Martin Rehak; Identifying and Modeling Botnet C&C Behaviors;  ACySE '14 Proceedings of the 1st International Workshop on Agents and CyberSecurity, May 2014, Article No. 1. Doi: 10.1145/2602945.2602949  Abstract: Through the analysis of a long-term botnet capture, we identified and modeled the behaviors of its C&C channels. They were found and characterized by periodicity analyses and statistical representations. The relationships found between the behaviors of the UDP, TCP and HTTP C&C channels allowed us to unify them in a general model of the botnet behavior. Our behavioral analysis of the C&C channels gives a new perspective on the modeling of malware behavior, helping to better understand botnets.
Keywords: botnet, malware, network behavior, network security (ID#: 15-4684)
URL: http://doi.acm.org/10.1145/2602945.2602949
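The periodicity analysis the abstract above describes for a botnet's UDP, TCP and HTTP C&C channels can be illustrated on per-channel connection timestamps. The block below is an added example for this page and not the authors' code: it estimates each channel's period from the median inter-arrival time, measures regularity with the coefficient of variation of the gaps, and then checks whether periodic channels have periods that are near-integer multiples of one another as one way of relating them in a single model. All three choices are assumptions made for illustration, and the timestamp lists are constructed rather than taken from a capture.

```python
"""Periodicity analysis of per-channel C&C connection timestamps.

Added example, not the paper's code. Regularity is measured as
1 - stdev/mean of inter-arrival gaps, the period is the median gap, and
the "integer multiple" check is an assumed way to relate channels.
"""
from statistics import mean, median, pstdev

# Constructed timestamps (seconds since capture start) of flows to the
# C&C host, one list per channel. Not a real capture.
CHANNELS = {
    "udp":  [0, 61, 119, 181, 240, 299, 361, 420],   # ~60 s beacon, jittered
    "tcp":  [10, 312, 608, 911, 1209, 1511],         # ~300 s check-in
    "http": [0, 5, 47, 48, 130, 131, 300, 410],      # no stable period
}


def inter_arrival(timestamps):
    """Gaps between consecutive connections, after sorting."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def periodicity(timestamps):
    """Return (period_estimate, regularity) for one channel.

    regularity = 1 - stdev/mean of the gaps, clamped to [0, 1]: 1.0 is
    perfectly regular beaconing, 0.0 means gaps vary as much as their mean.
    Fewer than three connections (two gaps) gives (None, 0.0).
    """
    gaps = inter_arrival(timestamps)
    if len(gaps) < 2:
        return None, 0.0
    mu = mean(gaps)
    if mu <= 0:
        return None, 0.0
    cv = pstdev(gaps) / mu
    return median(gaps), max(0.0, 1.0 - cv)


def is_periodic(timestamps, min_regularity=0.8):
    """True when the channel beacons regularly enough (threshold assumed)."""
    return periodicity(timestamps)[1] >= min_regularity


def channel_model(channels, min_regularity=0.8):
    """Summarise every channel; periodic ones carry their period estimate."""
    model = {}
    for name, ts in channels.items():
        period, reg = periodicity(ts)
        model[name] = {
            "period": period if reg >= min_regularity else None,
            "regularity": round(reg, 3),
            "connections": len(ts),
        }
    return model


def related_periods(model, tolerance=0.05):
    """(fast, slow, k) triples where slow period ~= k * fast period.

    Assumed relationship check: a slow channel firing once every k beacons
    of a fast channel suggests both belong to one bot schedule.
    """
    periodic = {n: m["period"] for n, m in model.items() if m["period"]}
    pairs = []
    for a, pa in periodic.items():
        for b, pb in periodic.items():
            if pa < pb:
                ratio = pb / pa
                k = round(ratio)
                if k >= 1 and abs(ratio - k) <= tolerance * k:
                    pairs.append((a, b, k))
    return pairs


if __name__ == "__main__":
    model = channel_model(CHANNELS)
    for name, summary in model.items():
        print(name, summary)
    print("related:", related_periods(model))
```

On the constructed data the UDP and TCP channels come out as periodic with periods of roughly 60 s and 300 s, the HTTP channel does not, and the multiple check links the two periodic channels with k = 5. Real beacons often add deliberate jitter or sleep-time randomisation, so a practitioner would tune the regularity threshold per protocol and also look at longer-window autocorrelation rather than relying on this single statistic.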

 

Youn-sik Jeong, Hwan-taek Lee, Seong-je Cho, Sangchul Han, Minkyu Park; A Kernel-Based Monitoring Approach for Analyzing Malicious Behavior on Android;  SAC '14 Proceedings of the 29th Annual ACM Symposium on Applied Computing, March 2014, Pages 1737-1738. Doi: 10.1145/2554850.2559915  Abstract: This paper proposes a new technique that monitors important events at the kernel level of Android and analyzes malicious behavior systematically. The proposed technique is designed in two ways. First, in order to analyze malicious behavior that might happen inside one application, it monitors file operations by hooking the system calls to create, read from, and write to a file. Secondly, in order to analyze malicious behavior that might happen in the communication between colluding applications, it monitors IPC messages (Intents) by hooking the binder driver. Our technique can detect even the behavior of obfuscated malware using a run-time monitoring method. In addition, it can reduce the possibility of false detection by providing more specific analysis results compared to the existing methods on Android. Experimental results show that our technique is effective in analyzing malicious behavior on Android and helpful in detecting malware.
Keywords: Android malware, kernel-based monitoring, malware detection, monitoring, signature based detection (ID#: 15-4685)
URL: http://doi.acm.org/10.1145/2554850.2559915


 

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.