Visible to the public Biblio

Filters: Author is Taylor, Teryl  [Clear All Filters]
2022-12-23
Duby, Adam, Taylor, Teryl, Bloom, Gedare, Zhuang, Yanyan.  2022.  Detecting and Classifying Self-Deleting Windows Malware Using Prefetch Files. 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC). :0745–0751.
Malware detection and analysis can be a burdensome task for incident responders. As such, research has turned to machine learning to automate malware detection and malware family classification. Existing work extracts and engineers static and dynamic features from the malware sample to train classifiers. Despite promising results, such techniques assume that the analyst has access to the malware executable file. Self-deleting malware invalidates this assumption and requires analysts to find forensic evidence of malware execution for further analysis. In this paper, we present and evaluate an approach to detecting malware that executed on a Windows target and further classify the malware into its associated family to provide semantic insight. Specifically, we engineer features from the Windows prefetch file, a file system forensic artifact that archives process information. Results show that it is possible to detect the malicious artifact with 99% accuracy; furthermore, classifying the malware into a fine-grained family has comparable performance to techniques that require access to the original executable. We also provide a thorough security discussion of the proposed approach against adversarial diversity.
2018-03-05
Kohlbrenner, Anne, Araujo, Frederico, Taylor, Teryl, Stoecklin, Marc Ph..  2017.  POSTER: Hidden in Plain Sight: A Filesystem for Data Integrity and Confidentiality. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. :2523–2525.

A filesystem capable of curtailing data theft and ensuring file integrity protection through deception is introduced and evaluated. The deceptive filesystem transparently creates multiple levels of stacking to protect the base filesystem and monitor file accesses, hide and redact sensitive files with baits, and inject decoys onto fake system views purveyed to untrusted subjects, all while maintaining a pristine state to legitimate processes. Our prototype implementation leverages a kernel hot-patch to seamlessly integrate the new filesystem module into live and existing environments. We demonstrate the utility of our approach with a use case on the nefarious Erebus ransomware. We also show that the filesystem adds no I/O overhead for legitimate users.