Malware Analysis, Part 2

	Malware Analysis, Part 2

Malware detection, analysis, and classification are perennial issues in cybersecurity.  The research presented here advances malware analysis in some unique and interesting ways.  The works cited were published or presented in 2014.  Because of the volume of work, the bibliography is broken into multiple parts.

Sheng Wen; Wei Zhou; Jun Zhang; Yang Xiang; Wanlei Zhou; Weijia Jia; Zou, C.C., "Modeling and Analysis on the Propagation Dynamics of Modern Email Malware," Dependable and Secure Computing, IEEE Transactions on, vol. 11, no.4, pp.361,374, July-Aug. 2014. doi: 10.1109/TDSC.2013.49 Due to the critical security threats imposed by email-based malware in recent years, modeling the propagation dynamics of email malware becomes a fundamental technique for predicting its potential damages and developing effective countermeasures. Compared to earlier versions of email malware, modern email malware exhibits two new features, reinfection and self-start. Reinfection refers to the malware behavior that modern email malware sends out malware copies whenever any healthy or infected recipients open the malicious attachment. Self-start refers to the behavior that malware starts to spread whenever compromised computers restart or certain files are visited. In the literature, several models are proposed for email malware propagation, but they did not take into account the above two features and cannot accurately model the propagation dynamics of modern email malware. To address this problem, we derive a novel difference equation based analytical model by introducing a new concept of virtual infected user. The proposed model can precisely present the repetitious spreading process caused by reinfection and self-start and effectively overcome the associated computational challenges. We perform comprehensive empirical and theoretical study to validate the proposed analytical model. The results show our model greatly outperforms previous models in terms of estimation accuracy.
Keywords: invasive software; electronic mail; email-based malware; malware countermeasures ;malware propagation dynamics; reinfection feature; repetitious spreading process; security threats; self-start feature; virtual infected user concept; Analytical models; Computational modeling; Computers; Electronic mail; Malware; Mathematical model; Topology; Network security; email malware; propagation modeling (ID#: 15-4904)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6671578&isnumber=6851971

Suarez-Tangil, G.; Tapiador, J.E.; Lombardi, F.; Di Pietro, R., "Thwarting Obfuscated Malware via Differential Fault Analysis," Computer, vol.47, no.6, pp.24,31, June 2014. doi: 10.1109/MC.2014.169 Detecting malware in mobile applications has become increasingly complex as malware developers turn to advanced techniques to hide or obfuscate malicious components. Alterdroid is a dynamic-analysis tool that compares the behavioral differences between an original app and numerous automatically generated versions of it containing carefully injected modifications.
Keywords: invasive software; mobile computing; software fault tolerance; system monitoring; Alterdroid; differential fault analysis; dynamic-analysis tool; injected modifications; malicious components; malware detection; mobile applications; obfuscated malware; Computational modeling; Fault diagnosis; Feature extraction; Malware; Payloads; Smart phones; Alterdroid; Android; automatic testing; differential fault analysis; dynamic analysis; fuzzy testing; grayware; malware; privacy; security; smartphones (ID#: 15-4905)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6838909&isnumber=6838865

Arora, Anshul; Garg, Shree; Peddoju, Sateesh K., "Malware Detection Using Network Traffic Analysis in Android Based Mobile Devices," Next Generation Mobile Apps, Services and Technologies (NGMAST), 2014 Eighth International Conference on, pp.66,71, 10-12 Sept. 2014. doi: 10.1109/NGMAST.2014.57 Smart phones, particularly Android based, have attracted the users community for their feature rich apps to use with various applications like chatting, browsing, mailing, image editing and video processing. However the popularity of these devices attracted the malicious attackers as well. Statistics have shown that Android based smart phones are more vulnerable to malwares compared to other smart phones. None of the existing malware detection techniques have focused on the network traffic features for detection of malicious activity. To the best of our knowledge, almost no work is reported for the detection of Android malware using its network traffic analysis. This paper analyzes the network traffic features and builds a rule-based classifier for detection of Android malwares. Our experimental results suggest that the approach is remarkably accurate and it detects more than 90% of the traffic samples.
Keywords: Feature extraction; Malware; Mobile communication; Mobile computing; Servers; Smart phones; Telecommunication traffic; Analysis; Android; Detection; Malware; Mobile Devices; Network Traffic (ID#: 15-4906)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6982893&isnumber=6982871

Dadlani, A.; Kumar, M.S.; Kiseon Kim; Sohraby, K., "Stability and Immunization Analysis of a Malware Spread Model Over Scale-Free Networks," Communications Letters, IEEE, vol.18, no.11, pp.1907, 1910, Nov. 2014. doi: 10.1109/LCOMM.2014.2361525 The spreading dynamics and control of infectious agents primarily depend on the connectivity properties of underlying networks. Here, we investigate the stability of a susceptible- infected-susceptible epidemic model incorporated with multiple infection stages and propagation vectors to mimic malware behavior over scale-free communication networks. In particular, we derive the basic reproductive ratio (R0) and provide results for stability analysis at infection-free and infection-chronic equilibrium points. Based on R0, the effectiveness of four prevailing immunization strategies as countermeasures is studied and compared. The outperformance of proportional and targeted immunization is justified via numerical results.
Keywords: computer crime; invasive software; R0;connectivity properties; immunization analysis; immunization strategies; infection stages; infection-chronic equilibrium points; infection-free equilibrium points; infectious agents control; malware behavior; malware spread model; propagation vectors; proportional immunization; reproductive ratio; scale-free communication networks; spreading dynamics; stability analysis; susceptible- infected-susceptible epidemic model; targeted immunization; Analytical models; Computational modeling; Malware; Mathematical model; Numerical models; Stability analysis; Vectors; Malware modeling; basic reproductive ratio; epidemiology; immunization; scale-free network; stability analysis; stability analysis (ID#: 15-4907)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6915859&isnumber=6949702

Mas'ud, M.Z.; Sahib, S.; Abdollah, M.F.; Selamat, S.R.; Yusof, R., "Analysis of Features Selection and Machine Learning Classifier in Android Malware Detection," Information Science and Applications (ICISA), 2014 International Conference on, pp.1,5, 6-9 May 2014. doi: 10.1109/ICISA.2014.6847364 The proliferation of Android-based mobile devices and mobile applications in the market has triggered the malware author to make the mobile devices as the next profitable target. With user are now able to use mobile devices for various purposes such as web browsing, ubiquitous services, online banking, social networking, MMS and etc, more credential information is expose to exploitation. Applying a similar security solution that work in Desktop environment to mobile devices may not be proper as mobile devices have a limited storage, memory, CPU and power consumption. Hence, there is a need to develop a mobile malware detection that can provide an effective solution to defence the mobile user from any malicious threat and at the same time address the limitation of mobile devices environment. Prior to this matter, this research focused on evaluating the best features selection to be used in the best machine-learning classifiers. To find the best combination of both features selection and classifier, five sets of different feature selection are applies to five different machine learning classifiers. The classifier outcome is evaluated using the True Positive Rate (TPR), False Positive Rate (FPR), and Accuracy. The best combination of both features selection and classifier can be used to reduce features selection and at the same time able to classify the infected android application accurately.
Keywords: Android (operating system); invasive software; learning (artificial intelligence);mobile computing; pattern classification; Android malware detection; Android-based mobile devices; FPR;TPR; accuracy; classifier outcome; false positive rate; features selection; information exploitation; machine learning classifier; mobile applications; mobile devices environment; mobile malware detection; true positive rate; Accuracy; Androids; Feature extraction; Humanoid robots; Malware; Mobile communication; Mobile handsets (ID#: 15-4908)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6847364&isnumber=6847317

Junghwan Rhee; Riley, R.; Zhiqiang Lin; Xuxian Jiang; Dongyan Xu, "Data-Centric OS Kernel Malware Characterization," Information Forensics and Security, IEEE Transactions on, vol. 9, no.1, pp.72, 87, Jan. 2014. doi: 10.1109/TIFS.2013.2291964 Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of data objects manipulated during the attacks. This framework consists of two system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This view is effective at detecting a class of malware that hides dynamic data objects. Second, this framework consists of a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has an extended coverage that detects not only the malware with the signatures, but also the malware variants that share the attack patterns by modeling the low level data access behaviors as signatures. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.
Keywords: data encapsulation; digital signatures; invasive software; operating system kernels; attack patterns; code-centric approach; data access patterns; data object manipulation; data-centric OS kernel malware characterization architecture; dynamic data object hiding; low level data access behavior modeling; malware attack characterization; malware signatures; real-world kernel rootkits; runtime kernel object mapping system; Data structures; Dynamic scheduling; Kernel; Malware; Monitoring; Resource management; Runtime; OS kernel malware characterization; data-centric malware analysis; virtual machine monitor (ID#: 15-4909)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6671356&isnumber=6684617

Farhadi, M.R.; Fung, B.C.M.; Charland, P.; Debbabi, M., "BinClone: Detecting Code Clones in Malware," Software Security and Reliability (SERE), 2014 Eighth International Conference on, pp.78,87, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.21 To gain an in-depth understanding of the behaviour of a malware, reverse engineers have to disassemble the malware, analyze the resulting assembly code, and then archive the commented assembly code in a malware repository for future reference. In this paper, we have developed an assembly code clone detection system called BinClone to identify the code clone fragments from a collection of malware binaries with the following major contributions. First, we introduce two deterministic clone detection methods with the goals of improving the recall rate and facilitating malware analysis. Second, our methods allow malware analysts to discover both exact and inexact clones at different token normalization levels. Third, we evaluate our proposed clone detection methods on real-life malware binaries. To the best of our knowledge, this is the first work that studies the problem of assembly code clone detection for malware analysis.
Keywords: invasive software; program diagnostics; reverse engineering; Bin Clone; BinClone; assembly code analysis; assembly code clone detection system; code clone fragment identification; commented assembly code archiving; deterministic clone detection method; inexact clone discovery; malware analysis; malware behaviour understanding; malware binaries; malware disassembly; malware repository; recall rate; reverse engineers; token normalization level; Assembly; Cloning; Detectors; Feature extraction; Malware; Registers; Vectors; Assembly Code Clone Detection; Binary Analysis; Malware Analysis; Reverse Engineering (ID#: 15-4910)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895418&isnumber=6895396

Yen-Ju Liu; Chong-Kuan Chen; Cho, M.C.Y.; Shiuhpyng Shieh, "Fast Discovery of VM-Sensitive Divergence Points with Basic Block Comparison," Software Security and Reliability (SERE), 2014 Eighth International Conference on, pp.196,205, June 30 2014-July 2 2014. doi: 10.1109/SERE.2014.33 To evade VM-based malware analysis systems, VM-aware malware equipped with the ability to detect the presence of virtual machine has appeared. To cope with the problem, detecting VM-aware malware and locating VM-sensitive divergence points of VM-aware malware is in urgent need. In this paper, we propose a novel block-based divergence locator. In contrast to the conventional instruction-based schemes, the block-based divergence locator divides malware program into basic blocks, instead of binary instructions, and uses them as the analysis unit. The block-based divergence locator significantly decrease the cost of behavior logging and trace comparison, as well as the size of behavior traces. As the evaluation showed, behavior logging is 23.87-39.49 times faster than the conventional schemes. The total number of analysis unit, which is highly related to the cost of trace comparisons, is 11.95%-16.00% of the conventional schemes. Consequently, VM-sensitive divergence points can be discovered more efficiently. The correctness of our divergence point discovery algorithm is also proved formally in this paper.
Keywords: invasive software; virtual machines; VM-based malware analysis systems; VM-sensitive divergence points; basic block comparison; binary instructions; block-based divergence locator; virtual machine; Emulation; Hardware; Indexes; Malware; Timing; Virtual machining; Virtualization; Malware Behavior Analysis; VM-Aware Malware; Virtual Machine (ID#: 15-4911)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6895430&isnumber=6895396

Guri, M.; Kedma, G.; Kachlon, A.; Elovici, Y., "Resilience of Anti-malware Programs to Naïve Modifications of Malicious Binaries," Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint, pp.152,159, 24-26 Sept. 2014. doi: 10.1109/JISIC.2014.31 The massive amounts of malware variants which are released each day demand fast in-lab analysis, along with fast in-field detection. Traditional malware detection methodology depends on either static or dynamic in-lab analysis to identify a suspicious file as malicious. When a file is identified as malware, the analyst extracts a structural signature, which is dispatched to subscriber machines. The signature should enable fast scanning, and should also be flexible enough to detect simple variants. In this paper we discuss 'naïve' variants which can be produced by a modestly skilled individual with publically accessible tools and knowhow which, if needed, can be found on the Internet. Furthermore, those variants can be derived directly from the malicious binary file, allowing anyone who has access to the binary file to modify it at his or her will. Modification can be automated, to produce large amounts of variants in short time. We describe several naïve modifications. We also put them to test against multiple antivirus products, resulting in significant decline of the average detection rate, compared to the original (unmodified) detection rate. Since the aforementioned decline may be related, at least in some cases, to avoidance of probable false positives, we also discuss the acceptable rate of false positives in the context of malware detection.
Keywords: invasive software; Internet; anti-malware program resilience; antivirus products; average detection rate; malicious binary file; naive variants; Conferences; Informatics; Joints; Security; crafty malware; false positive; malware analysis; malware detection; malware variants (ID#: 15-4912)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6975567&isnumber=6975536

Belaoued, M.; Mazouzi, S., "Statistical Study of Imported APIs by PE Type Malware," Advanced Networking Distributed Systems and Applications (INDS), 2014 International Conference on, pp.82,86, 17-19 June 2014. doi: 10.1109/INDS.2014.22 In this paper we introduce a statistical study which enable us to know which are Windows APIs that are most imported by malware codes. To do that, we have used a given number of infected Portable Executable (PE) files and another number of none infected ones. We used statistical Khi2 test to set if an API is likely used by malware or not. We guess that a given work is necessary and important for behavior-based malware detection, especially which use API importations to analyze PE codes. For experimentation purpose, we have used a large set of PE files extracted from known databases to perform our analysis and establish our conclusions.
Keywords: application program interfaces; invasive software; operating systems (computers); statistical testing; API importations; PE type malware; Windows API; behavior-based malware detection; infected portable executable files; malware codes; statistical Khi2 test; statistical study; Computers; Data mining; Malware; Operating systems; Testing; Malware; Malware analysis; Statistical hypothesis testing; windows API (ID#: 15-4913)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6969062&isnumber=6969040

Yamamoto, T.; Kawauchi, K.; Sakurai, S., "Proposal of a Method Detecting Malicious Processes," Advanced Information Networking and Applications Workshops (WAINA), 2014 28th International Conference on, pp. 518, 523, 13-16 May 2014. doi: 10.1109/WAINA.2014.164 Malwares' communication detection methods based on communication characteristics have been proposed. However as malwares are getting more sophisticated and legitimate software communication is getting diverse, it becomes harder to correctly tell malwares' communication and legitimate software communication apart. Therefore we propose a method to check whether a process generating suspicious communication is malicious or not. This method focuses on malwares which impersonate a legitimate process by injecting malicious codes into the process. This method extracts two process images. One is obtained from a process to be checked (target process) generating suspicious communication. The other is obtained by executing the same executable as the target process in a clean Virtual Machine. Then the two process images are compared to extract injected codes. Finally the codes are verified whether the codes are malicious or not.
Keywords: invasive software; virtual machines; legitimate software communication; malicious codes; malicious process detection; malware communication detection methods; suspicious communication; virtual machine; Binary codes; Cryptography; Data mining; Malware; Organizations; Ports (Computers);Software; Malware; communication; process; code injection; memory analysis (ID#: 15-4914)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6844689&isnumber=6844560

Xin Li; Xinyuan Wang; Wentao Chang, "CipherXRay: Exposing Cryptographic Operations and Transient Secrets from Monitored Binary Execution," Dependable and Secure Computing, IEEE Transactions on, vol. 11, no. 2, pp.101,114, March-April 2014. doi: 10.1109/TDSC.2012.83 Malwares are becoming increasingly stealthy, more and more malwares are using cryptographic algorithms (e.g., packing, encrypting C&C communication) to protect themselves from being analyzed. The use of cryptographic algorithms and truly transient cryptographic secrets inside the malware binary imposes a key obstacle to effective malware analysis and defense. To enable more effective malware analysis, forensics, and reverse engineering, we have developed CipherXRay - a novel binary analysis framework that can automatically identify and recover the cryptographic operations and transient secrets from the execution of potentially obfuscated binary executables. Based on the avalanche effect of cryptographic functions, CipherXRay is able to accurately pinpoint the boundary of cryptographic operation and recover truly transient cryptographic secrets that only exist in memory for one instant in between multiple nested cryptographic operations. CipherXRay can further identify certain operation modes (e.g., ECB, CBC, CFB) of the identified block cipher and tell whether the identified block cipher operation is encryption or decryption in certain cases. We have empirically validated CipherXRay with OpenSSL, popular password safe KeePassX, the ciphers used by malware Stuxnet, Kraken and Agobot, and a number of third party softwares with built-in compression and checksum. CipherXRay is able to identify various cryptographic operations and recover cryptographic secrets that exist in memory for only a few microseconds. Our results demonstrate that current software implementations of cryptographic algorithms hardly achieve any secrecy if their execution can be monitored.
Keywords: cryptography; invasive software; reverse engineering; Agobot; CipherXRay; KeePassX; Kraken; OpenSSL; Stuxnet; avalanche effect; binary analysis framework; block cipher operation; cryptographic algorithms; cryptographic functions; cryptographic operations; forensics; malware analysis; monitored binary execution; reverse engineering; third party softwares; transient cryptographic secrets; transient secrets; Algorithm design and analysis; Encryption; Malware; Monitoring; Transient analysis; Binary analysis; avalanche effect; key recovery attack on cryptosystem; reverse engineering; secrecy of monitored execution; transient cryptographic secret recovery (ID#: 15-4915)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6311407&isnumber=6785951

Yuan Zhang; Min Yang; Zhemin Yang; Guofei Gu; Peng Ning; Binyu Zang, "Permission Use Analysis for Vetting Undesirable Behaviors in Android Apps," Information Forensics and Security, IEEE Transactions on, vol. 9, no.11, pp.1828,1842, Nov. 2014. doi: 10.1109/TIFS.2014.2347206 The android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for generally analyzing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid proposes a systematic permission use analysis technique to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid, a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help to identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.
Keywords: Android (operating system);invasive software; mobile computing; Android system; Google Play; TaintDroid; VetDroid; analysis technique; android apps; android platform; critical interactions; dynamic analysis platform; internal sensitive behaviors; malicious behaviors; malware analysis; permission use analysis; real-world Android malware; security analysts; sensitive resource protection; systematic permission; vetting undesirable behaviors; Androids; Humanoid robots; Kernel; Linux; Malware; Smart phones; Android security; android behavior representation; permission use analysis; vetting undesirable behaviors (ID#: 15-4916)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6876208&isnumber=6912034

Hirono, S.; Yamaguchi, Y.; Shimada, H.; Takakura, H., "Development of a Secure Traffic Analysis System to Trace Malicious Activities on Internal Networks," Computer Software and Applications Conference (COMPSAC), 2014 IEEE 38th Annualpp.305, 310, 21-25 July 2014. doi: 10.1109/COMPSAC.2014.41 In contrast to conventional cyberattacks such as mass infection malware, targeted attacks take a long time to complete their mission. By using a dedicated malware for evading detection at the initial attack, an attacker quietly succeeds in setting up a front-line base in the target organization. Communication between the attacker and the base adopts popular protocols to hide its existence. Because conventional countermeasures deployed on the boundary between the Internet and the internal network will not work adequately, monitoring on the internal network becomes indispensable. In this paper, we propose an integrated sandbox system that deploys a secure and transparent proxy to analyze internal malicious network traffic. The adoption of software defined networking technology makes it possible to redirect any internal traffic from/to a suspicious host to the system for an examination of its insidiousness. When our system finds malicious activity, the traffic is blocked. If the malicious traffic is regarded as mandatory, e.g., For controlled delivery, the system works as a transparent proxy to bypass it. For benign traffic, the system works as a transparent proxy, as well. If binary programs are found in traffic, they are automatically extracted and submitted to a malware analysis module of the sandbox. In this way, we can safely identify the intention of the attackers without making them aware of our surveillance.
Keywords: Internet; invasive software; telecommunication security ;telecommunication traffic; Internet; cyberattacks; integrated sandbox system; internal malicious network traffic analysis; internal networks; malware analysis module; mass infection malware; secure proxy; secure traffic analysis system; software defined networking technology; transparent proxy; Electronic mail; Indexes; Internet; Malware; Protocols; Servers; dynamic analysis; malware; sandbox; targeted attack (ID#: 15-4917)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6899231&isnumber=6899181

Yutao Liu; Yubin Xia; Haibing Guan; Binyu Zang; Haibo Chen, "Concurrent and Consistent Virtual Machine Introspection With Hardware Transactional Memory," High Performance Computer Architecture (HPCA), 2014 IEEE 20th International Symposium on, pp. 416,427, 15-19 Feb. 2014. doi: 10.1109/HPCA.2014.6835951 Virtual machine introspection, which provides tamperresistant, high-fidelity “out of the box” monitoring of virtual machines, has many prominent security applications including VM-based intrusion detection, malware analysis and memory forensic analysis. However, prior approaches are either intrusive in stopping the world to avoid race conditions between introspection tools and the guest VM, or providing no guarantee of getting a consistent state of the guest VM. Further, there is currently no effective means for timely examining the VM states in question. In this paper, we propose a novel approach, called TxIntro, which retrofits hardware transactional memory (HTM) for concurrent, timely and consistent introspection of guest VMs. Specifically, TxIntro leverages the strong atomicity of HTM to actively monitor updates to critical kernel data structures. Then TxIntro can mount introspection to timely detect malicious tampering. To avoid fetching inconsistent kernel states for introspection, TxIntro uses HTM to add related synchronization states into the read set of the monitoring core and thus can easily detect potential inflight concurrent kernel updates. We have implemented and evaluated TxIntro based on Xen VMM on a commodity Intel Haswell machine that provides restricted transactional memory (RTM) support. To demonstrate the effectiveness of TxIntro, we implemented a set of kernel rootkit detectors using TxIntro. Evaluation results show that TxIntro is effective in detecting these rootkits, and is efficient in adding negligible performance overhead.
Keywords: digital forensics; invasive software; virtual machines; HTM; TxIntro; VM-based intrusion detection; Xen VMM; commodity Intel Haswell machine; hardware transactional memory; kernel state; malicious tampering; malware analysis; memory forensic analysis; security application; virtual machine introspection; Abstracts; Continuous wavelet transforms; Educational institutions; Kernel; Monitoring; Single photon emission computed tomography; Virtual machine monitors (ID#: 15-4918)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6835951&isnumber=6835920

Zhao Lei; Ren Xiangyu; Liu Mengleng; Wang Lina; Zhang Hao; Zhang Huanguo, "Collaborative Reversing Of Input Formats And Program Data Structures For Security Applications," Communications, China, vol. 11, no.9, pp.135,147, Sept. 2014. doi: 10.1109/CC.2014.6969778 Reversing the syntactic format of program inputs and data structures in binaries plays a vital role for understanding program behaviors in many security applications. In this paper, we propose a collaborative reversing technique by capturing the mapping relationship between input fields and program data structures. The key insight behind our paper is that program uses corresponding data structures as references to parse and access different input fields, and every field could be identified by reversing its corresponding data structure. In details, we use a finegrained dynamic taint analysis to monitor the propagation of inputs. By identifying base pointers for each input byte, we could reverse data structures and conversely identify fields based on their referencing data structures. We construct several experiments to evaluate the effectiveness. Experiment results show that our approach could effectively reverse precise input formats, and provide unique benefits to two representative security applications, exploit diagnosis and malware analysis.
Keywords: data structures; groupware; security of data; collaborative reversing technique; exploit diagnosis; input formats; malware analysis; program behavior understanding; program data structures; security applications; Collaboration; Computer security; Data structures; Monitoring; Protocols; Syntactics; fine-grained dynamic tainting; reversing engineering; software security (ID#: 15-4919)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6969778&isnumber=6969702

Boukhtouta, A.; Lakhdari, N.-E.; Debbabi, M., "Inferring Malware Family through Application Protocol Sequences Signature," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on,  pp. 1, 5, March 30 2014-April 2 2014. doi: 10.1109/NTMS.2014.6814026 The dazzling emergence of cyber-threats exert today's cyberspace, which needs practical and efficient capabilities for malware traffic detection. In this paper, we propose an extension to an initial research effort, namely, towards fingerprinting malicious traffic by putting an emphasis on the attribution of maliciousness to malware families. The proposed technique in the previous work establishes a synergy between automatic dynamic analysis of malware and machine learning to fingerprint badness in network traffic. Machine learning algorithms are used with features that exploit only high-level properties of traffic packets (e.g. packet headers). Besides, the detection of malicious packets, we want to enhance fingerprinting capability with the identification of malware families responsible in the generation of malicious packets. The identification of the underlying malware family is derived from a sequence of application protocols, which is used as a signature to the family in question. Furthermore, our results show that our technique achieves promising malware family identification rate with low false positives.
Keywords: computer network security; invasive software; learning (artificial intelligence);application protocol sequences signature; cyber-threats; machine learning algorithm; malicious packets detection; malware automatic dynamic analysis; malware traffic detection; network traffic; Cryptography; Databases; Engines; Feeds; Malware; Protocols (ID#: 15-4920)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6814026&isnumber=6813963

Finickel, E.; Lahmadi, A.; Beck, F.; Festor, O., "Empirical Analysis Of Android Logs Using Self-Organizing Maps," Communications (ICC), 2014 IEEE International Conference on, pp. 1802, 1807, 10-14 June 2014. doi: 10.1109/ICC.2014.6883584 In this paper, we present an empirical analysis of the logs generated by the logging system available in Android environments. The logs are mainly related to the execution of the different components of applications and services running on an Android device. We have analysed the logs using self organizing maps where our goal is to establish behavioural fingerprints of Android applications. Each fingerprint is build using information available in logs and related to the structure of an application and its interaction with the system. The developed methodology allows us the better understand Android Apps regarding their granted permissions and performed actions and it proves to be promising for the analysis of malware applications with a minimal overhead and cost.
Keywords: invasive software; self-organising feature maps; smart phones; Android Apps; Android device; Android logs analysis; behavioural fingerprints; logging system; malware application analysis; self-organizing maps; Androids; Humanoid robots; Image color analysis; Malware; Smart phones; Software; Vectors (ID#: 15-4921)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6883584&isnumber=6883277

Kellogg, Lee; Ruttenberg, Brian; O'Connor, Alison; Howard, Michael; Pfeffer, Avi, "Hierarchical Management of Large-Scale Malware Data," Big Data (Big Data), 2014 IEEE International Conference on, pp. 666,674, 27-30 Oct. 2014. doi: 10.1109/BigData.2014.7004290 As the pace of generation of new malware accelerates, clustering and classifying newly discovered malware requires new approaches to data management. We describe our Big Data approach to managing malware to support effective and efficient malware analysis on large and rapidly evolving sets of malware. The key element of our approach is a hierarchical organization of the malware, which organizes malware into families, maintains a rich description of the relationships between malware, and facilitates efficient online analysis of new malware as they are discovered. Using clustering evaluation metrics, we show that our system discovers malware families comparable to those produced by traditional hierarchical clustering algorithms, while scaling much better with the size of the data set. We also show the flexibility of our system as it relates to substituting various data representations, methods of comparing malware binaries, clustering algorithms, and other factors. Our approach will enable malware analysts and investigators to quickly understand and quantify changes in the global malware ecosystem.
Keywords:  (not provided) (ID#: 15-4922)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7004290&isnumber=7004197

Xiong Ping; Wang Xiaofeng; Niu Wenjia; Zhu Tianqing; Li Gang, "Android Malware Detection With Contrasting Permission Patterns," Communications, China, vol.11, no.8, pp.1,14, Aug. 2014. doi: 10.1109/CC.2014.6911083 As the risk of malware is sharply increasing in Android platform, Android malware detection has become an important research topic. Existing works have demonstrated that required permissions of Android applications are valuable for malware analysis, but how to exploit those permission patterns for malware detection remains an open issue. In this paper, we introduce the contrasting permission patterns to characterize the essential differences between malwares and clean applications from the permission aspect. Then a framework based on contrasting permission patterns is presented for Android malware detection. According to the proposed framework, an ensemble classifier, Enclamald, is further developed to detect whether an application is potentially malicious. Every contrasting permission pattern is acting as a weak classifier in Enclamald, and the weighted predictions of involved weak classifiers are aggregated to the final result. Experiments on real-world applications validate that the proposed Enclamald classifier outperforms commonly used classifiers for Android Malware Detection.
Keywords: Android (operating system);invasive software; pattern classification; Android malware detection; Enclamald ensemble classifier; contrasting permission patterns; weak classifiers; weighted predictions; Androids; Educational institutions; Humanoid robots; Internet; Malware; Smart phones; Training; Android; classification; contrast set; malware detection; permission pattern (ID#: 15-4923)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6911083&isnumber=6911078

Ban Xiaofang; Chen Li; Hu Weihua; Wu Qu, "Malware Variant Detection Using Similarity Search Over Content Fingerprint," Control and Decision Conference (2014 CCDC), The 26th Chinese, pp. 5334,5339, May 31 2014-June 2 2014. doi: 10.1109/CCDC.2014.6852216 Detection of polymorphic malware variants plays an important role to improve information system security. Traditional static/dynamic analysis technologies have shown to be an effective characteristic that represents polymorphic malware instances. While these approaches demonstrate promise, they are themselves subject to a growing array of countermeasures that increase the cost of capturing these malware code features. Further, feature extraction requires a time investment per malware that does not scale well to the daily volume of malwares being reported by those who diligently collect malware. In this paper, we propose a similarity search of malware using novel distance (similarity) metrics of malware content fingerprint based on the locality-sensitive hashing (LSH) schemes. We describe a malware by the binary content of the malware contains; the next step is to compute an feature fingerprint for the malware binary image sample by using the SURF algorithm, and then do fast fingerprint matching with the LSH from malware code corpus to return the top most visually (structurally) similar variants. The LSH algorithm that captures malware similarity is based on image similarity. We implement B2M (Binary mapping to image) algorithm, the SURF algorithm and the LSH algorithm in a complete malware variant detection system. The evaluation shows that our approach is highly effective in terms of response time and malware variant detection.
Keywords: cryptography; feature extraction; fingerprint identification; image coding; image matching; invasive software;B2M;LSH;SURF algorithm; binary mapping to image algorithm; content fingerprint; distance metrics; fast fingerprint matching; feature extraction; feature fingerprint; image similarity; information system security; locality-sensitive hashing schemes; malware binary image; malware code corpus; malware code features; malware variant detection; similarity search; Algorithm design and analysis; Data visualization; Feature extraction; Fingerprint recognition; Force; Malware; Vectors; Content Fingerprint; Locality-sensitive Hashing; Malware Variant Detection; Similarity Search (ID#: 15-4924)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6852216&isnumber=6852105

Wang, Ping; Chao, Wun Jie; Chao, Kuo-Ming; Lo, Chi-Chun, "Using Taint Analysis for Threat Risk of Cloud Applications," e-Business Engineering (ICEBE), 2014 IEEE 11th International Conference on, pp.185,190, 5-7 Nov. 2014. doi: 10.1109/ICEBE.2014.40 Most existing approaches to developing cloud applications using threat analysis involve program vulnerability analyses for identifying the security holes associated with malware attacks. New malware attacks can bypass firewall-based detection by bypassing stack protection and by using Hypertext Transfer Protocol logging, kernel hacks, and library hack techniques, and to the cloud applications. In performing threat analysis for unspecified malware attacks, software engineers can use a taint analysis technique for tracking information flows between attack sources (malware) and detect vulnerabilities of targeted network applications. This paper proposes a threat risk analysis model incorporating an improved attack tree analysis scheme for solving the mobile security problem, in the model, Android programs perform taint checking to analyse the risks posed by suspicious applications. In probabilistic risk analysis, defence evaluation metrics are used for each attack path for assisting a defender simulate the attack results against malware attacks and estimate the impact losses. Finally, a case of threat analysis of a typical cyber security attack is presented to demonstrate the proposed approach.
Keywords: Analytical models; Malware; Measurement; Probabilistic logic; Risk analysis; Software; Attack defence tree; Cyber attacks; Taint checking; Threat; analysis (ID#: 15-4925)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6982078&isnumber=6982037

Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.