Malware Analysis, Part 4
SoS Newsletter- Advanced Book Block
 |
Malware Analysis, Part 4 |
Malware detection, analysis, and classification are perennial issues in cybersecurity. The research presented here advances malware analysis in some unique and interesting ways. The works cited were published or presented in 2014. Because of the volume of work, the bibliography is broken into multiple parts.
Zhao Xiaoyan; Fang Juan; Wang Xiujuan, "Android Malware Detection Based on Permissions," Information and Communications Technologies (ICT 2014), 2014 International Conference on, pp.1,5, 15-17 May 2014. doi:10.1049/cp.2014.0605 Abstract: In this paper, we propose a permission-based malware detection framework for Android platform. The proposed framework uses PCA (Principal Component Analysis) algorithm for features selection after permissions extracted, and applies SVM(support vector machine) methods to classify the collected data as benign or malicious in the process of detection. The simulation experimental results suggest that this proposed detection framework is effective in detecting unknown malware, and compared with traditional antivirus software, it can detect unknown malware effectively and immediately without updating the newest malware sample library in time. It also illustrates that using permissions features alone with machine learning methods can achieve good detection result.
Keywords: Android; Malware Detection; PCA; SVM (ID#: 15-4946)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6913658&isnumber=6913610
Seungyong Yoon; Jeongnyeo Kim; Hyunsook Cho, "Detection of SMS Mobile Malware," Electronics, Information and Communications (ICEIC), 2014 International Conference on, pp. 1, 2, 15-18 Jan. 2014. doi: 10.1109/ELINFOCOM.2014.6914392 Abstract: This paper relates to mobile malware detection for prevention against financial charge caused by the malicious behavior using SMS. In this paper, we propose the method that conducts malicious behavior monitoring and various analysis techniques to detect the attack. This method includes malware installation check, SMS sending and receiving analysis, and signature-based pattern matching. Therefore, we can effectively respond against SMS mobile malware attacks.
Keywords: financial data processing; invasive software; mobile computing; pattern matching; SMS mobile malware detection; SMS sending; attack detection; financial charge; malicious behavior; malware installation check; receiving analysis; signature based pattern matching; Computer crime; Inspection; Malware; Mobile communication; Pattern matching; Smart phones; SMS; mobile malware (ID#: 15-4947)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6914392&isnumber=6914344
Yong Li; Pan Hui; Depeng Jin; Li Su; Lieguang Zeng, "Optimal Distributed Malware Defense in Mobile Networks with Heterogeneous Devices," Mobile Computing, IEEE Transactions on, vol. 13, no.2, pp. 377, 391, Feb. 2014. doi: 10.1109/TMC.2012.255 Abstract: As malware attacks become more frequently in mobile networks, deploying an efficient defense system to protect against infection and to help the infected nodes to recover is important to prevent serious spreading and outbreaks. The technical challenges are that mobile devices are heterogeneous in terms of operating systems, the malware infects the targeted system in any opportunistic fashion via local and global connectivity, while the to-be-deployed defense system on the other hand would be usually resource limited. In this paper, we investigate the problem of how to optimally distribute the content-based signatures of malware, which helps to detect the corresponding malware and disable further propagation, to minimize the number of infected nodes. We model the defense system with realistic assumptions addressing all the above challenges that have not been addressed in previous analytical work. Based on the framework of optimizing the system welfare utility, which is the weighted summation of individual utility depending on the final number of infected nodes through the signature allocation, we propose an encounter-based distributed algorithm based on Metropolis sampler. Through theoretical analysis and simulations with both synthetic and realistic mobility traces, we show that the distributed algorithm achieves the optimal solution, and performs efficiently in realistic environments.
Keywords: invasive software; mobile radio; operating systems (computers); telecommunication security; Metropolis sampler; content-based signatures; encounter-based distributed algorithm; global connectivity ;heterogeneous devices; infected node minimization; infection protection; local connectivity; malware attacks; mobile devices; mobile networks; operating systems; optimal distributed malware defense; realistic mobility trace; signature allocation; synthetic mobility trace; system welfare utility; theoretical analysis; to-be-deployed defense system; Distributed algorithms; Educational institutions; Malware; Mathematical model; Mobile communication; Mobile computing; Mobile handsets; Security threat; distributed algorithm; heterogeneous mobile networks; mobile malware (ID#: 15-4948)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6381416&isnumber=6689256
Jun Li; Lidong Zhai; Xinyou Zhang; Daiyong Quan, "Research of Android Malware Detection Based On Network Traffic Monitoring," Industrial Electronics and Applications (ICIEA), 2014 IEEE 9th Conference on, pp.1739, 1744, 9-11 June 2014. doi: 10.1109/ICIEA.2014.6931449 Abstract: With Android terminal into the life of people, the spread of Android malware seriously affected people's life. As a result of the Android security flaws, attackers can easily collect private information of users, and the information can be utilized in APT attacks. It is not only a threat to the end user, but also poses a threat to industrial control systems and mobile Internet. In this paper, we propose a network traffic monitoring system used in the detection of Android malware. The system consists of four components: traffic monitoring, traffic anomaly recognition, response processing and cloud storage. The system parses the protocol of data packets and extracts the feature data, then use SVM classification algorithm for data classification, determine whether the network traffic is abnormal, and locate the application that produced abnormal through the correlation analysis. The system not only can automatic response and process the malicious software, but also can generate new security policy from existing information and training data; When training data is reaching a certain amount, it will trigger a new round of training to improve the ability of detection. Finally, we experiment on the system, the experimental results show that our system can effectively detect the Android malware and control the application.
Keywords: Android (operating system);cloud computing; invasive software; mobile computing; pattern classification; support vector machines; telecommunication traffic; APT attacks; Android malware detection; Android security flaws; Android terminal; SVM classification algorithm; cloud storage; correlation analysis; data packets protocol; feature data; industrial control systems; mobile Internet; network traffic; network traffic monitoring; private information; response processing; security policy; traffic anomaly recognition; Feature extraction; Malware; Monitoring; Smart phones; Software; Telecommunication traffic; Android; Malware; Network traffic monitoring; SVM (ID#: 15-4949)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6931449&isnumber=6931119
Criscione, C.; Bosatelli, F.; Zanero, S.; Maggi, F., "ZARATHUSTRA: Extracting Webinject Signatures from Banking Trojans," Privacy, Security and Trust (PST), 2014 Twelfth Annual International Conference on, pp.139,148, 23-24 July 2014. doi: 10.1109/PST.2014.6890933 Abstract: Modern trojans are equipped with a functionality, called WebInject, that can be used to silently modify a web page on the infected end host. Given its flexibility, WebInject-based malware is becoming a popular information-stealing mechanism. In addition, the structured and well-organized malware-as-a-service model makes revenue out of customization kits, which in turns leads to high volumes of binary variants. Analysis approaches based on memory carving to extract the decrypted webinject.txt and config.bin files at runtime make the strong assumption that the malware will never change the way such files are handled internally, and therefore are not future proof by design. In addition, developers of sensitive web applications (e.g., online banking) have no tools that they can possibly use to even mitigate the effect of WebInjects.
Keywords: Web sites; banking; digital signatures; invasive software; Web page; WebInject-based malware; Webinject signature extraction; ZARATHUSTRA; banking trojans; binary variants; config.bin files extraction; customization kits; decrypted webinject.txt extraction; information-stealing mechanism; malware-as-a-service model; memory carving; sensitive Web applications; Cryptography; Engines; Fingerprint recognition; HTML; Monitoring; Servers; Surgery (ID#: 15-4950)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6890933&isnumber=6890911
Derhab, A.; Saleem, K.; Youssef, A., "Third line of Defense Strategy to Fight Against SMS-Based Malware in Android Smartphones," Wireless Communications and Mobile Computing Conference (IWCMC), 2014 International, pp. 542, 547, 4-8 Aug. 2014. doi: 10.1109/IWCMC.2014.6906414 Abstract: In this paper, we inspire from two analogies: the warfare kill zone and the airport check-in system, to design and deploy a new line in the defense-in-depth strategy, called the third line. This line is represented by a security framework, named the Intrusion Ambushing System and is designed to tackle the issue of SMS-based malware in the Android-based Smartphones. The framework exploits the security features offered by Android operating system to prevent the malicious SMS from going out of the phone and detect the corresponding SMS-based malware. We show that the proposed framework can ensure full security against SMS-based malware. In addition, an analytical study demonstrates that the framework offers optimal performance in terms of detection time and execution cost in comparison to intrusion detection systems based on static and dynamic analysis.
Keywords: Android (operating system);electronic messaging; invasive software; smart phones; Android-based smart phones; SMS-based malware; airport check-in system; analytical analysis; defense-in-depth strategy; detection time; execution cost ;intrusion ambushing system; malicious SMS prevention; operating system; optimal performance; security features ;security framework; third line-of-defense strategy; warfare kill zone; Airports; Cryptography; Intrusion detection; Malware; Operating systems; Smart phones; Malware; SMS; intrusion ambushing; intrusion detection; third line of defense (ID#: 15-4951)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6906414&isnumber=6906315
Raveendranath, Rahul; Rajamani, Venkiteswaran; Babu, Anoop Joseph; Datta, Soumya Kanti, "Android Malware Attacks and Countermeasures: Current and Future Directions," Control, Instrumentation, Communication and Computational Technologies (ICCICCT), 2014 International Conference on, pp. 137, 143, 10-11 July 2014. doi: 10.1109/ICCICCT.2014.6992944 Abstract: Smartphones are rising in popularity as well as becoming more sophisticated over recent years. This popularity coupled with the fact that smartphones contain a lot of private user data is causing a proportional rise in different malwares for the platform. In this paper we analyze and classify state-of-the-art malware techniques and their countermeasures. The paper also reports a novel method for malware development and novel attack techniques such as mobile botnets, usage pattern based attacks and repackaging attacks. The possible countermeasures are also proposed. Then a detailed analysis of one of the proposed novel malware methods is explained. Finally the paper concludes by summarizing the paper.
Keywords: Androids; Humanoid robots; Malware; Permission; Servers; Smart phones; Android; Countermeasures; Malware; Permissions; Security threats (ID#: 15-4952)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6992944&isnumber=6992918
Burgess, C.; Sezer, S.; McLaughlin, K.; Eul Gyu Im, "Feature Set Reduction for the Detection of Packed Executables," Irish Signals & Systems Conference 2014 and 2014 China-Ireland International Conference on Information and Communications Technologies (ISSC 2014/CIICT 2014). 25th IET, pp.263, 268, 26-27 June 2014. doi: 10.1049/cp.2014.0696 Abstract: Emerging sophisticated malware utilises obfuscation to circumvent detection. This is achieved by using packers to disguise their malicious intent. In this paper a novel malware detection method for detecting packed executable files using entropy analysis is proposed. It utilises a reduced feature set of variables to calculate an entropy score from which classification can be performed. Competitive analysis with state-of-the-art reveals an increase in classification accuracy.
Keywords: invasive software; pattern classification; classification accuracy; entropy analysis; entropy score; feature set reduction; malware detection method; obfuscation; packed executable files detection; packed executables detection; Malware; Obfuscation; Packing; Security (ID#: 15-4953)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6912767&isnumber=6912720
Josse, S., "Malware Dynamic Recompilation," System Sciences (HICSS), 2014 47th Hawaii International Conference on, pp. 5080, 5089, 6-9 Jan. 2014. doi: 10.1109/HICSS.2014.624 Abstract: Malware are more and more difficult to analyze, using conventional static and dynamic analysis tools, because they use commercially off-the-shelf specialized tools to protect their code. We present in this paper the bases of a multi-targets, generic and automatic binary rewriting tool adapted to the analysis of protected and potentially hostile binary programs. It implements an emulator and several specialized analysis functions to firstly observe the target program and its execution environment, and next extract and simplify its representation. This simplification is done through the use of a new and generic method of information extraction and de-obfuscation.
Keywords: invasive software; program diagnostics; binary program analysis; code protection; dynamic malware recompilation; emulators; execution environment; information deobfuscation; information extraction; multi-target-generic-automatic binary rewriting tool; off-the-shelf specialized tools; target program analysis functions; Computer architecture; Data mining; Engines ;Instruments; Malware; Operating systems (ID#: 15-4954)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6759227&isnumber=6758592
Bahador, Mohammad Bagher; Abadi, Mahdi; Tajoddin, Asghar, "HPCMalHunter: Behavioral Malware Detection Using Hardware Performance Counters and Singular Value Decomposition," Computer and Knowledge Engineering (ICCKE), 2014 4th International eConference on, pp. 703, 708, 29-30 Oct. 2014. doi: 10.1109/ICCKE.2014.6993402 Abstract: Malicious programs, also known as malware, often use code obfuscation techniques to make static analysis more difficult and to evade signature-based detection. To resolve this problem, various behavioral detection techniques have been proposed that focus on the run-time behaviors of programs in order to dynamically detect malicious ones. Most of these techniques describe the run-time behavior of a program on the basis of its data flow and/or its system call traces. Recent work in behavioral malware detection has shown promise in using hardware performance counters (HPCs), which are a set of special-purpose registers built into modern processors providing detailed information about hardware and software events. In this paper, we pursue this line of research by presenting HPCMalHunter, a novel approach for real-time behavioral malware detection. HPCMalHunter uses HPCs to collect a set of event vectors from the beginning of a program's execution. It also uses the singular value decomposition (SVD) to reduce these event vectors and generate a behavioral vector for the program. By applying support vector machines (SVMs) to the feature vectors of different programs, it is able to identify malicious programs in real-time. Our results of experiments show that HPCMalHunter can detect malicious programs at the beginning of their execution with a high detection rate and a low false alarm rate.
Keywords: Hardware; Malware; Matrix decomposition; Radiation detectors; Real-time systems; Support vector machines; Vectors; behavioral malware detection; hardware performance counter; hardware-level detection; real-time detection; singular value decomposition (ID#: 15-4955)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6993402&isnumber=6993332
Hosseini, Soodeh; Azgomi, Mohammad Abdollahi; Rahmani, Adel Torkaman, "On the Global Dynamics of an SEIRS Epidemic Model of Malware Propagation," Telecommunications (IST), 2014 7th International Symposium on, pp. 646, 651, 9-11 Sept. 2014. doi: 10.1109/ISTEL.2014.7000784 Abstract: In this paper, we attempt to mathematically formulate a susceptible-exposed-infectious-recovered-susceptible (SEIRS) epidemic model to study dynamical behaviors of malware propagation in scale-free networks (SFNs). In the proposed discrete-time epidemic model, we consider defense mechanism of software diversity to limit epidemic spreading in SFNs. Dynamical behaviors of the SEIRS epidemic model is determined by basic reproductive ratio, which is often used as a threshold parameter. Also, the impact of the assignment of diverse software packages on the propagation process is examined. Theoretical results show that basic reproductive ratio is significantly dependent on diverse software packages and the network topology. The installation of diverse software packages on nodes leads to decrease reproductive ratio and malware spreading. The results of numerical simulations are given to validate the theoretical analysis.
Keywords: Analytical models; Computational modeling; Malware; Mathematical model; Numerical models; Software packages; Scale-free network; basic reproductive ratio; malware propagation modeling; software diversity (ID#: 15-4956)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7000784&isnumber=7000650
Zhen Ling; Junzhou Luo; Kui Wu; Wei Yu; Xinwen Fu, "TorWard: Discovery of Malicious Traffic Over Tor," INFOCOM, 2014 Proceedings IEEE, pp.1402,1410, April 27 2014-May 2 2014. doi: 10.1109/INFOCOM.2014.6848074 Abstract: Tor is a popular low-latency anonymous communication system. However, it is currently abused in various ways. Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we design and implement a novel system, TorWard, for the discovery and systematic study of malicious traffic over Tor. The system can avoid legal and administrative complaints and allows the investigation to be performed in a sensitive environment such as a university campus. An IDS (Intrusion Detection System) is used to discover and classify malicious traffic. We performed comprehensive analysis and extensive real-world experiments to validate the feasibility and effectiveness of TorWard. Our data shows that around 10% Tor traffic can trigger IDS alerts. Malicious traffic includes P2P traffic, malware traffic (e.g., botnet traffic), DoS (Denial-of-Service) attack traffic, spam, and others. Around 200 known malware have been identified. To the best of our knowledge, we are the first to perform malicious traffic categorization over Tor.
Keywords: computer network security; peer-to-peer computing; telecommunication network routing; telecommunication traffic; DoS; IDS; IDS alerts; P2P traffic; Tor exit routers; denial-of-service attack traffic; intrusion detection system; low-latency anonymous communication system; malicious traffic categorization; malicious traffic discovery; spam; Bandwidth; Computers; Logic gates; Malware; Mobile handsets; Ports (Computers);Servers; Intrusion Detection System; Malicious Traffic; Tor (ID#: 15-4957)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6848074&isnumber=6847911
Bond, M.; Choudary, O.; Murdoch, S.J.; Skorobogatov, S.; Anderson, R., "Chip and Skim: Cloning EMV Cards with the Pre-play Attack," Security and Privacy (SP), 2014 IEEE Symposium on, pp. 49, 64, 18-21 May 2014. doi: 10.1109/SP.2014.11 Abstract: EMV, also known as "Chip and PIN", is the leading system for card payments worldwide. It is used throughout Europe and much of Asia, and is starting to be introduced in North America too. Payment cards contain a chip so they can execute an authentication protocol. This protocol requires point-of-sale (POS) terminals or ATMs to generate a nonce, called the unpredictable number, for each transaction to ensure it is fresh. We have discovered two serious problems: a widespread implementation flaw and a deeper, more difficult to fix flaw with the EMV protocol itself. The first flaw is that some EMV implementers have merely used counters, timestamps or home-grown algorithms to supply this nonce. This exposes them to a "pre-play" attack which is indistinguishable from card cloning from the standpoint of the logs available to the card-issuing bank, and can be carried out even if it is impossible to clone a card physically. Card cloning is the very type of fraud that EMV was supposed to prevent. We describe how we detected the vulnerability, a survey methodology we developed to chart the scope of the weakness, evidence from ATM and terminal experiments in the field, and our implementation of proof-of-concept attacks. We found flaws in widely-used ATMs from the largest manufacturers. We can now explain at least some of the increasing number of frauds in which victims are refused refunds by banks which claim that EMV cards cannot be cloned and that a customer involved in a dispute must therefore be mistaken or complicit. The second problem was exposed by the above work. Independent of the random number quality, there is a protocol failure: the actual random number generated by the terminal can simply be replaced by one the attacker used earlier when capturing an authentication code from the card. This variant of the pre-play attack may be carried out by malware in an ATM or POS terminal, or by a man-in-the-middle between the terminal and the acquirer. We explore the design an- implementation mistakes that enabled these flaws to evade detection until now: shortcomings of the EMV specification, of the EMV kernel certification process, of implementation testing, formal analysis, and monitoring customer complaints. Finally we discuss countermeasures. More than a year after our initial responsible disclosure of these flaws to the banks, action has only been taken to mitigate the first of them, while we have seen a likely case of the second in the wild, and the spread of ATM and POS malware is making it ever more of a threat.
Keywords: financial data processing; invasive software; ATM malware; Asia; EMV card cloning; Europe; North America; POS malware; POS terminals; automated teller machines; card payments; counters; home-grown algorithms; man-in-the-middle attack; point-of-sale terminals; preplay attack; proof-of-concept attacks; timestamps; unpredictable number; Authentication; Authorization; Cloning; Cryptography; Online banking; Protocols; Radiation detectors (ID#: 15-4958)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6956556&isnumber=6956545
Wrench, P.M.; Irwin, B.V.W., "Towards a Sandbox for the Deobfuscation and Dissection of PHP Malware," Information Security for South Africa (ISSA), 2014, pp. 1, 8, 13-14 Aug. 2014. doi: 10.1109/ISSA.2014.6950504 Abstract: The creation and proliferation of PHP-based Remote Access Trojans (or web shells) used in both the compromise and post exploitation of web platforms has fuelled research into automated methods of dissecting and analysing these shells. Current malware tools disguise themselves by making use of obfuscation techniques designed to frustrate any efforts to dissect or reverse engineer the code. Advanced code engineering can even cause malware to behave differently if it detects that it is not running on the system for which it was originally targeted. To combat these defensive techniques, this paper presents a sandbox-based environment that aims to accurately mimic a vulnerable host and is capable of semi-automatic semantic dissection and syntactic deobfuscation of PHP code.
Keywords: Internet; authoring languages; invasive software; PHP code; PHP malware; PHP-based remote access Trojans; Web platforms; Web shells; advanced code engineering; malware tools; sandbox-based environment; semi-automatic semantic dissection; syntactic deobfuscation; Arrays; Databases; Decoding; Malware; Process control; Semantics; Software; Code deobfuscation; Reverse engineering; Sandboxing (ID#: 15-4959)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6950504&isnumber=6950479
Shi Pu; Zhouguo Chen; Chen Huang; Yiming Liu; Bing Zen, "Threat Analysis of Smart Mobile Device," General Assembly and Scientific Symposium (URSI GASS), 2014 XXXIth URSI, pp.1,3, 16-23 Aug. 2014. doi: 10.1109/URSIGASS.2014.6929439 Abstract: With the development of telecommunication and network bands, there is a great increase in the number of services and applications available for smart mobile devices while the population of malicious mobile software is growing rapidly. Most smart mobile devices do not run anti-malware programs to protect against threats, such as virus, trojan, ddos, malware and botnet, which give the chance for hackers to control the system. The paper mainly analyses the typical threats which smart mobile devices face.
Keywords: mobile computing; security of data; DDOS; anti-malware programs; botnet; malicious mobile software; malware; mobile security; network bands; smart mobile device; telecommunication network; threat analysis; trojan; virus; Market research; Mobile communication; Mobile handsets; Operating systems; Trojan horses (ID#: 15-4960)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6929439&isnumber=6928981
Yoon, Seungyong; Jeon, YongSung, "Security Threats Analysis for Android Based Mobile Device," Information and Communication Technology Convergence (ICTC), 2014 International Conference on, pp. 775, 776, 22-24 Oct. 2014. doi: 10.1109/ICTC.2014.6983285 Abstract: Recently, the number of mobile malware is rapidly growing. In order to cope with mobile malware, the detection and response method of rooting attack is actively studied. However, the damages caused information leakage and financial charge can be occurred without rooting attack. In this paper, we have shown through experiments that it is possible to conduct DDoS attacks, privacy information leakage, and illegal financial charging without rooting attacks, and analyzed security vulnerabilities and threats in detail.
Keywords: Computer crime; Computer hacking; Malware; Mobile communication; Privacy; Smart phones; Android; Mobile Device; Mobile Malware; Rooting (ID#: 15-4961)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6983285&isnumber=6983064
Eslahi, Meisam; Rostami, Mohammad Reza; Hashim, H.; Tahir, N.M.; Naseri, Maryam Var, "A Data Collection Approach for Mobile Botnet Analysis and Detection," Wireless Technology and Applications (ISWTA), 2014 IEEE Symposium on, pp.199,204, Sept. 28 2014-Oct. 1 2014. doi: 10.1109/ISWTA.2014.6981187 Abstract: Recently, MoBots or Mobile Botnets have become one of the most critical challenges in mobile communication and cyber security. The integration of Mobile devices with the Internet along with enhanced features and capabilities has made them an environment of interest for cyber criminals. Therefore, the spread of sophisticated malware such as Botnets has significantly increased in mobile devices and networks. On the other hand, the Bots and Botnets are newly migrated to mobile devices and have not been fully explored yet. Thus, the efficiency of current security solutions is highly limited due to the lack of available Mobile Botnet datasets and samples. As a result providing a valid dataset to analyse and understand the Mobile botnets has become a crucial issue in mobile security and privacy. In this paper we present an overview of the current available data set and samples and we discuss their advantages and disadvantages. We also propose a model to implement a mobile Botnet test bed to collect data for further analysis.
Keywords: Command and control systems; Malware; Mobile communication; Mobile computing; Mobile handsets; Servers; Botnets; Dataset; Mobile malware; network traffic; smartphone security (ID#: 15-4962)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6981187&isnumber=6981155
Nordvik, R.; Yi-Ching Liao; Langweg, H., "AccountabilityFS: A File System Monitor for Forensic Readiness," Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint, pp.308,311, 24-26 Sept. 2014. doi: 10.1109/JISIC.2014.61 Abstract: We present a file system monitor, AccountabilityFS, which prepares an organization for forensic analysis and incident investigation in advance by ensuring file system operation traces readily available. We demonstrate the feasibility of AccountabilityFS in terms of performance and storage overheads, and prove its reliability against malware attacks.
Keywords: digital forensics; invasive software; Accountability FS file system monitor; file system operation; forensic analysis; forensic readiness; malware attacks; performance overhead; storage overhead; Educational institutions; Forensics; Kernel; Malware; Monitoring; Reliability (ID#: 15-4963)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6975599&isnumber=6975536
Ming-Yang Su; Wen-Chuan Chang, "Permission-based Malware Detection Mechanisms For Smart Phones," Information Networking (ICOIN), 2014 International Conference on, pp. 449, 452, 10-12 Feb. 2014. doi: 10.1109/ICOIN.2014.6799722 Abstract: Smart phone users often neglect security issues, and directly confirm the pop-up windows without reading the permission requirement of the software. As a result, many smart phones have been implanted with virus. In the Android market, malicious software is disguised as games for users to download, thus resulting in malicious consumption, phone resource consumption, assistance in crime, or information theft. This study focuses on the prevention of the malware installed on Android smart phones, and analyzes whether an app is malware according to the announced permission combinations of the application.
Keywords: computer viruses; smart phones; Android market; crime assistance; information theft; malicious consumption; malicious software; permission requirement; permission-based malware detection mechanisms; phone resource consumption; security issues; smart phone users; Internet; Malware; Operating systems; Probability; Smart phones; Android; permission; security; smart phone (ID#: 15-4964)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6799722&isnumber=6799467
Bolton, A.; Heard, N., "Application of a Linear Time Method for Change Point Detection to the Classification of Software," Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint, pp.292,295, 24-26 Sept. 2014. doi: 10.1109/JISIC.2014.58 Abstract: A computer program's dynamic instruction trace is the sequence of instructions it generates during run-time. This article presents a method for analysing dynamic instruction traces, with an application in malware detection. Instruction traces can be modelled as piecewise homogeneous Markov chains and an exact linear time method is used for detecting change points in the transition probability matrix. The change points divide the instruction trace into segments performing different functions. If segments performing malicious functions can be detected then the software can be classified as malicious. The change point detection method is applied to both a simulated dynamic instruction trace and the dynamic instruction trace generated by a piece of malware.
Keywords: Markov processes; invasive software; matrix algebra; probability; change point detection method; computer program dynamic instruction trace analysis; exact linear time method; instruction sequence; instruction trace modelling; malicious functions; malware detection; piecewise homogeneous Markov chains; simulated dynamic instruction trace; software classification; transition probability matrix; Computational modeling; Computers; Educational institutions; Heuristic algorithms; Malware; Markov processes; Software; PELT algorithm; change point analysis; malware; piecewise homogeneous Markov chain (ID#: 15-4965)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6975595&isnumber=6975536
Kharraz, A.; Kirda, E.; Robertson, W.; Balzarotti, D.; Francillon, A., "Optical Delusions: A Study of Malicious QR Codes in the Wild," Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on, pp.192, 203, 23-26 June 2014. doi: 10.1109/DSN.2014.103 Abstract: QR codes, a form of 2D barcode, allow easy interaction between mobile devices and websites or printed material by removing the burden of manually typing a URL or contact information. QR codes are increasingly popular and are likely to be adopted by malware authors and cyber-criminals as well. In fact, while a link can "look" suspicious, malicious and benign QR codes cannot be distinguished by simply looking at them. However, despite public discussions about increasing use of QR codes for malicious purposes, the prevalence of malicious QR codes and the kinds of threats they pose are still unclear. In this paper, we examine attacks on the Internet that rely on QR codes. Using a crawler, we performed a large-scale experiment by analyzing QR codes across 14 million unique web pages over a ten-month period. Our results show that QR code technology is already used by attackers, for example to distribute malware or to lead users to phishing sites. However, the relatively few malicious QR codes we found in our experiments suggest that, on a global scale, the frequency of these attacks is not alarmingly high and users are rarely exposed to the threats distributed via QR codes while surfing the web.
Keywords: Internet; Web sites; computer crime; invasive software; telecommunication security;2D barcode; Internet; URL; Web crawler; Web sites; contact information; malicious QR code; mobile device; optical delusion; phishing sites; Crawlers; Malware; Mobile communication; Servers; Smart phones; Web pages; Mobile devices; malicious QR codes; malware; phishing (ID#: 15-4966)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6903579&isnumber=6903544
Gupta, Mukesh Kumar; Govil, Mahesh Chand; Singh, Girdhari, "A Context-Sensitive Approach for Precise Detection of Cross-Site Scripting Vulnerabilities," Innovations in Information Technology (INNOVATIONS), 2014 10th International Conference on, pp.7,12, 9-11 Nov. 2014. doi: 10.1109/INNOVATIONS.2014.6987553 Abstract: Currently, dependence on web applications is increasing rapidly for social communication, health services, financial transactions and many other purposes. Unfortunately, the presence of cross-site scripting vulnerabilities in these applications allows malicious user to steals sensitive information, install malware, and performs various malicious operations. Researchers proposed various approaches and developed tools to detect XSS vulnerability from source code of web applications. However, existing approaches and tools are not free from false positive and false negative results. In this paper, we propose a taint analysis and defensive programming based HTML context-sensitive approach for precise detection of XSS vulnerability from source code of PHP web applications. It also provides automatic suggestions to improve the vulnerable source code. Preliminary experiments and results on test subjects show that proposed approach is more efficient than existing ones.
Keywords: Browsers; Context; HTML; Security; Servers; Software; Standards; Cross-Site Scripting; Software Development Life Cycle; Taint Analysis; Vulnerability Detection; XSS Attacks (ID#: 15-4967)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6987553&isnumber=6985764
Heard, N.; Rubin-Delanchy, P.; Lawson, D., "Filtering Automated Polling Traffic in Computer Network Flow Data," Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint, pp.268, 271, 24-26 Sept. 2014. doi: 10.1109/JISIC.2014.52 Abstract: Detecting polling behaviour in a computer network has two important applications. First, the polling can be indicative of malware beaconing, where an undetected software virus sends regular communications to a controller. Second, the cause of the polling may not be malicious, since it may correspond to regular automated update requests permitted by the client, to build models of normal host behaviour for signature-free anomaly detection, this polling behaviour needs to be understood. This article presents a simple Fourier analysis technique for identifying regular polling, and focuses on the second application: modelling the normal behaviour of a host, using real data collected from the computer network of Imperial College London.
Keywords: Fourier analysis; computer network security; system monitoring; Fourier analysis technique; Imperial College London; automated polling traffic filtering; computer network flow data; regular automated update requests; signature-free anomaly detection; Computational modeling; Educational institutions; IP networks; Malware; Monitoring; Servers (ID#: 15-4968)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6975589&isnumber=6975536
Shulman, H.; Waidner, M., "Towards Forensic Analysis of Attacks with DNSSEC," Security and Privacy Workshops (SPW), 2014 IEEE, pp.69, 76, 17-18 May 2014. doi: 10.1109/SPW.2014.20 Abstract: DNS cache poisoning is a stepping stone towards advanced (cyber) attacks, and can be used to monitor users' activities, for censorship, to distribute malware and spam, and even to subvert correctness and availability of Internet networks and services. The DNS infrastructure relies on challenge-response defences, which are deemed effective for thwarting attacks by (the common) off-path adversaries. Such defences do not suffice against stronger adversaries, e.g., man-in-the-middle (MitM). However, there seems to be little willingness to adopt systematic, cryptographic mechanisms, since stronger adversaries are not believed to be common. In this work we validate this assumption and show that it is imprecise. In particular, we demonstrate that: (1) attackers can frequently obtain MitM capabilities, and (2) even weaker attackers can subvert DNS security. Indeed, as we show, despite wide adoption of challenge-response defences, cache-poisoning attacks against DNS infrastructure are highly prevalent. We evaluate security of domain registrars and name servers, experimentally, and find vulnerabilities, which expose DNS infrastructure to cache poisoning. We review DNSSEC, the defence against DNS cache poisoning, and argue that, not only it is the most suitable mechanism for preventing cache poisoning attacks, but it is also the only proposed defence that enables a-posteriori forensic analysis of attacks. Specifically, DNSSEC provides cryptographic evidences, which can be presented to, and validated by, any third party and can be used in investigations and for detection of attacks even long after the attack took place.
Keywords: cache storage computer crime; cryptographic protocols; digital forensics; digital signatures; invasive software; DNS cache poisoning attacks; DNS infrastructure; DNS security; DNSSEC; Internet networks ;Internet services; MitM capabilities; a-posteriori forensic analysis; advanced cyber attacks;attacks detection; censorship; challenge-response defences; cryptographic evidences; cryptographic mechanisms; digital signature; domain registrars; malware; man-in-the-middle; name servers; spam; thwarting attacks; users activities monitoring; Computer crime; Cryptography; Forensics; Internet; Routing; Servers; DNS cache-poisoning; DNSSEC; cryptographic evidences; cyber attacks;digital signatures; security (ID#: 15-4969)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6957288&isnumber=6957265
Jermyn, J.; Jover, R.P.; Istomin, M.; Murynets, I., "Firecycle: A scalable test bed for large-scale LTE security research," Communications (ICC), 2014 IEEE International Conference on, pp. 907, 913, 10-14 June 2014. doi: 10.1109/ICC.2014.6883435 Abstract: LTE (Long Term Evolution) is the latest cellular communications standard to provide advanced mobile services that go beyond traditional voice and short messaging traffic. Mobility networks are experiencing a drastic evolution with the advent of Machine to Machine (M2M) systems and the Internet of Things (IoT), which is expected to result in billions of connected devices in the near future. In parallel, the security threat landscape against communication networks has rapidly evolved over the last few years, with major Distributed Denial of Service (DDoS) attacks and the substantial spread of mobile malware. In this paper we introduce Firecycle, a new modeling and simulation platform for next-generation LTE mobility network security research. This standards compliant platform is suitable for large-scale security analysis of threats against a real LTE mobile network. It is designed with the ability to be distributed over the cloud, with an arbitrary number of virtual machines running different portions of the network, thus allowing simulation and testing of a full-scale LTE mobility network with millions of connected devices. Moreover, the mobile traffic generated by the platform is modeled from real data traffic observations from one of the major tier-1 operators in the US.
Keywords: Internet of Things; Long Term Evolution; cellular radio; computer network security; invasive software; DDoS attacks; Firecycle; Internet of Things; IoT; Long Term Evolution;M2M machine; cellular communications; distributed denial of service attacks; large-scale LTE security research; machine to machine system; mobile malware; next-generation LTE mobility network security research; Analytical models; IP networks; Long Term Evolution; Mobile communication; Mobile computing; Security; Smart phones (ID#: 15-4970)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6883435&isnumber=6883277
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.