Biblio

Emerging blockchain and cryptocurrency-based technologies are redefining the way we conduct business in cyberspace. Today, a myriad of blockchain and cryp-tocurrency systems, applications, and technologies are widely available to companies, end-users, and even malicious actors who want to exploit the computational resources of regular users through cryptojacking malware. Especially with ready-to-use mining scripts easily provided by service providers (e.g., Coinhive) and untraceable cryptocurrencies (e.g., Monero), cryptojacking malware has become an indispensable tool for attackers. Indeed, the banking industry, major commercial websites, government and military servers (e.g., US Dept. of Defense), online video sharing platforms (e.g., Youtube), gaming platforms (e.g., Nintendo), critical infrastructure resources (e.g., routers), and even recently widely popular remote video conferencing/meeting programs (e.g., Zoom during the Covid-19 pandemic) have all been the victims of powerful cryptojacking malware campaigns. Nonetheless, existing detection methods such as browser extensions that protect users with blacklist methods or antivirus programs with different analysis methods can only provide a partial panacea to this emerging crypto-jacking issue as the attackers can easily bypass them by using obfuscation techniques or changing their domains or scripts frequently. Therefore, many studies in the literature proposed cryptojacking malware detection methods using various dynamic/behavioral features. However, the literature lacks a systemic study with a deep understanding of the emerging cryptojacking malware and a comprehensive review of studies in the literature. To fill this gap in the literature, in this SoK paper, we present a systematic overview of cryptojacking malware based on the information obtained from the combination of academic research papers, two large cryptojacking datasets of samples, and 45 major attack instances. Finally, we also present lessons learned and new research directions to help the research community in this emerging area.

The popularity of cryptocurrencies has garnered interest from cybercriminals, spurring an onslaught of cryptojacking campaigns that aim to hijack computational resources for the purpose of mining cryptocurrencies. In this paper, we present a cross-stack cryptojacking defense system that spans the hardware and OS layers. Unlike prior work that is confined to detecting cryptojacking behavior within web browsers, our solution is application agnostic. We show that tracking instructions that are frequently used in cryptographic hash functions serve as reliable signatures for fingerprinting cryptojacking activity. We demonstrate that our solution is resilient to multi-threaded and throttling evasion techniques that are commonly employed by cryptojacking malware. We characterize the robustness of our solution by extensively testing a diverse set of workloads that include real consumer applications. Finally, an evaluation of our proof-of-concept implementation shows minimal performance impact while running a mix of benchmark applications.

Mobile healthcare (mHealth) application and technologies have promised their cost-effectiveness to enhance healthcare quality, particularly in rural areas. However, the increased security incidents and leakage of patient data raise the concerns to address security risks and privacy issues of mhealth applications urgently. While recent mobile health applications that rely on password-based authentication cannot withstand password guessing and cracking attacks, several countermeasures such as One-Time Password (OTP), grid-based password, and biometric authentication have recently been implemented to protect mobile health applications. These countermeasures, however, can be thwarted by brute force attacks, man-in-the-middle attacks and persistent malware attacks. This paper proposed grid-based honey encryption by hybridising honey encryption with grid-based authentication. Compared to recent honey encryption limited in the hardening password attacks process, the proposed grid-based honey encryption can be further employed against shoulder surfing, smudge and replay attacks. Instead of rejecting access as a recent security defence mechanism in mobile healthcare applications, the proposed Grid-based Honey Encryption creates an indistinct counterfeit patient's record closely resembling the real patients' records in light of each off-base speculation legitimate password.

New technologies from day to day are submitted with many vulnerabilities that can make data exploitation. Nowadays, IoT is a target for Cybercrime attacks as it is one of the popular platforms in the century. This research address the IoT security problem by carried a medium-interaction honeypot. Honeypot is one of the solutions that can be done because it is a system feed for the introduction of attacks and fraudulent devices. This research has created a medium interaction honeypot using Cowrie, which is used to maintain the Internet of Things device from malware attacks or even attack patterns and collect information about the attacker's machine. From the result analysis, the honeypot can record all trials and attack activities, with CPU loads averagely below 6,3%.

Attack surface detection for the complex software is needed to find targets for the fuzzing, because testing the whole system with many inputs is not realistic. Researchers that previously applied taint analysis for dealing with different security tasks in the virtual machines did not examined how to apply it for attack surface detection. I.e., getting the program modules and functions, that may be affected by input data. We propose using taint tracking within a virtual machine and virtual machine introspection to create a new approach that can detect the internal module interfaces that can be fuzz tested to assure that software is safe or find the vulnerabilities.

In the recent time due to advancement of technology, Malware and its clan have continued to advance and become more diverse. Malware otherwise Malicious Software consists of Virus, Trojan horse, Adware, Spyware etc. This said software leads to extrusion of data (Spyware), continuously flow of Ads (Adware), modifying or damaging the system files (Virus), or access of personal information (Trojan horse). Some of the major factors driving the growth of these attacks are due to poorly secured devices and the ease of availability of tools in the Internet with which anyone can attack any system. The attackers or the developers of Malware usually lean towards blending of malware into the executable file, which makes it hard to detect the presence of malware in executable files. In this paper we have done experimental study on various algorithms of Machine Learning for detecting the presence of Malware in executable files. After testing Naïve Bayes, KNN and SVM, we found out that SVM was the most suited algorithm and had the accuracy of 94%. We then created a web application where the user could upload executable file and test the authenticity of the said executable file if it is a Malware file or a benign file.

Containers that can be easily created, transported and scaled with the use of container-based virtualization technologies work better than classical virtualization technologies and provide efficient resource usage. The Docker platform is one of the most widely used solutions among container-based virtualization technologies. The OS-level virtualization of the Docker platform and the container’s use of the host operating system kernel may cause security problems. In this study, a method including static and dynamic analysis has been proposed to ensure Docker image and container security. In the static analysis phase of the method, the packages of the images are scanned for vulnerabilities and malware. In the dynamic analysis phase, Docker containers are run for a certain period of time, after the open port scanning, network traffic is analyzed with the Snort3. Seven Docker images are analyzed and the results are shared.

As millions of IoT devices are interconnected together for better communication and computation, compromising even a single device opens a gateway for the adversary to access the network leading to an epidemic. It is pivotal to detect any malicious activity on a device and mitigate the threat. Among multiple feasible security threats, malware (malicious applications) poses a serious risk to modern IoT networks. A wide range of malware can replicate itself and propagate through the network via the underlying connectivity in the IoT networks making the malware epidemic inevitable. There exist several techniques ranging from heuristics to game-theory based technique to model the malware propagation and minimize the impact on the overall network. The state-of-the-art game-theory based approaches solely focus either on the network performance or the malware confinement but does not optimize both simultaneously. In this paper, we propose a throughput-aware game theory-based end-to-end IoT network security framework to confine the malware epidemic while preserving the overall network performance. We propose a two-player game with one player being the attacker and other being the defender. Each player has three different strategies and each strategy leads to a certain gain to that player with an associated cost. A tailored min-max algorithm was introduced to solve the game. We have evaluated our strategy on a 500 node network for different classes of malware and compare with existing state-of-the-art heuristic and game theory-based solutions.

The design of attacks for cyber physical systems is critical to assess CPS resilience at design time and run-time, and to generate rich datasets from testbeds for research. Attacks against cyber physical systems distinguish themselves from IT attacks in that the main objective is to harm the physical system. Therefore, both cyber and physical system knowledge are needed to design such attacks. The current practice to generate attacks either focuses on the cyber part of the system using IT cyber security existing body of knowledge, or uses heuristics to inject attacks that could potentially harm the physical process. In this paper, we present a systematic approach to automatically generate integrity attacks from the CPS safety and control specifications, without knowledge of the physical system or its dynamics. The generated attacks violate the system operational and safety requirements, hence present a genuine test for system resilience. We present an algorithm to automate the malware payload development. Several examples are given throughout the paper to illustrate the proposed approach.

Having a clear insight on the protocols carrying traffic is crucial for network applications. Deep Packet Inspection (DPI) has been a key technique to provide visibility into traffic. DPI has proven effective in various scenarios, and indeed several open source DPI solutions are maintained by the community. Yet, these solutions provide different classifications, and it is hard to establish a common ground truth. Independent works approaching the question of the quality of DPI are already aged and rely on limited datasets. Here, we test if open source DPI solutions can provide useful information in practical scenarios, e.g., supporting security applications. We provide an evaluation of the performance of four open-source DPI solutions, namely nDPI, Libprotoident, Tstat and Zeek. We use datasets covering various traffic scenarios, including operational networks, IoT scenarios and malware. As no ground truth is available, we study the consistency of classification across the solutions, investigating rootcauses of conflicts. Important for on-line security applications, we check whether DPI solutions provide reliable classification with a limited number of packets per flow. All in all, we confirm that DPI solutions still perform satisfactorily for well-known protocols. They however struggle with some P2P traffic and security scenarios (e.g., with malware traffic). All tested solutions reach a final classification after observing few packets with payload, showing adequacy for on-line applications.

Malwares are the key means leveraged by threat actors in the cyber space for their attacks. There is a large array of commercial solutions in the market and significant scientific research to tackle the challenge of the detection and defense against malwares. At the same time, attackers also advance their capabilities in creating polymorphic and metamorphic malwares to make it increasingly challenging for existing solutions. To tackle this issue, we propose a methodology to perform malware detection and family attribution. The proposed methodology first performs the extraction of opcodes from malwares in each family and constructs their respective opcode graphs. We explore the use of clustering algorithms on the opcode graphs to detect clusters of malwares within the same malware family. Such clusters can be seen as belonging to different sub-family groups. Opcode graph signatures are built from each detected cluster. Hence, for each malware family, a group of signatures is generated to represent the family. These signatures are used to classify an unknown sample as benign or belonging to one the malware families. We evaluate our methodology by performing experiments on a dataset consisting of both benign files and malware samples belonging to a number of different malware families and comparing the results to existing approach.

Antivirus software is considered to be the primary line of defense against malicious software in modern computing systems. The purpose of this paper is to expose exploitation that can evade Antivirus software that uses signature-based detection algorithms. In this paper, a novel approach was proposed to change the source code of a common Metasploit-Framework used to compile the reverse shell payload without altering its functionality but changing its signature. The proposed method introduced an additional stage to the shellcode program. Instead of the shellcode being generated and stored within the program, it was generated separately and stored on a remote server and then only accessed when the program is executed. This approach was able to reduce its detectability by the Antivirus software by 97% compared to a typical reverse shell program.

Malicious hackers breach security perimeters, cause infrastructure disruptions as well as steal proprietary information, financial data, and violate consumers' privacy. Protection of the whole organization by using the firm's security officers can be besieged with faulty warnings. Engineers must shift from console to console to put together investigative clues as a result of today's fragmented security technologies that cause frustratingly sluggish investigations. Endpoint Detection and Response (EDR) solutions adds an extra layer of protection to prevent an endpoint action into a breach. EDR is the region's foremost detection and response tool that combines endpoint and network data to recognize and respond to sophisticated threats. Offering unrivaled security and operational effectiveness, it integrates prevention, investigation, detection, and responding in a single platform. EDR provides enterprise coverage and uninterrupted defense with its continuous monitoring and response to threats. We have presented a comprehensive review of existing EDRs through various security layers that includes detection, response and management capabilities which enables security teams to have unified end-to-end corporate accessibility, powerful analytics along with additional features such as web threat scan, external device scan and automatic reaction across the whole technological tower.

Most famous malware defense tools depend on a large number of detect rules, which are time consuming to develop and require lots of professional experience. Meanwhile, even commercial tools may show high false-negative for some new coming malware, whose patterns were not curved in the prepared rules. This paper proposed the Normalized CNN based Malicious binary Detection method on condition of String, Feature mining (NCMDSF) to address the above problems. Firstly, amount of string feature was extracted from thousands of windows binary applications. Secondly, a 3-layer normalized CNN model, with normalization layer other than down sampling layer, was fit to detect malware. Finally, the proposed method NCMDSF was evaluated to discover malware from more than 1,000 windows binary applications by K-fold cross validation. Experimental results showed that, NCMDSF was superior to some other learning-based methods, including classical CNN, LSTM, normalized LSTM, and won higher true positive rate on the condition of same false positive rate. Furthermore, it successfully avoids over-fitting that occurs in deep learning methods without using normalization.

Artificial intelligence (AI) technologies have given the cyber security industry a huge leverage with the possibility of having significantly autonomous models that can detect and prevent cyberattacks – even though there still exist some degree of human interventions. AI technologies have been utilized in gathering data which can then be processed into information that are valuable in the prevention of cyberattacks. These AI-based cybersecurity frameworks have commendable scalability about them and are able to detect malicious activities within the cyberspace in a prompter and more efficient manner than conventional security architectures. However, our one or two completed studies did not provide a complete and clear analyses to apply different machine learning algorithms on different media systems. Because of the existing methods of attack and the dynamic nature of malware or other unwanted software (adware etc.) it is important to automatically and systematically create, update and approve malicious packages that can be available to the public. Some of Complex tests have shown that DNN performs maybe can better than conventional machine learning classification. Finally, we present a multiple, large and hybrid DNN torrent structure called Scale-Hybrid-IDS-AlertNet, which can be used to effectively monitor to detect and review the impact of network traffic and host-level events to warn directly or indirectly about cyber-attacks. Besides this, they are also highly adaptable and flexible, with commensurate efficiency and accuracy when it comes to the detection and prevention of cyberattacks.There has been a multiplicity of AI-based cyber security architectures in recent years, and each of these has been found to show varying degree of effectiveness. Deep Neural Networks, which tend to be more complex and even more efficient, have been the major focus of research studies in recent times. In light of the foregoing, the objective of this paper is to discuss the use of AI methods in fighting cyberattacks like malware and DDoS attacks, with attention on DNN-based models.

Connecting anything to the Internet is one of the main objectives of the Internet of Things (IoT). It enabled to access any device from anywhere at any time without any human intervention. There are endless applications of IoT involving controlling home applications to industry. This rapid growth of this technology and innovations of its application results due to improved technology of developing these tiny devices with its back-end software. On the other side, internal resources such as memory, processing power, battery life are the significant constraints of these devices. Introducing lightweight cryptography helped secure data transmission across various devices while protecting these devices from getting attacked for DDoS attack is still a significant concern. This paper primarily focuses on elaborating on DDoS attack and the malware used to initiate a DDoS attack on IoT devices. Further, this paper mainly focuses on providing solutions that would help to prevent DDoS attack from IoT network.

As it is easy to ensure the confidentiality of users on the Dark Web, malware and exploit kits are sold on the market, and attack methods are discussed in forums. Some services provide IoT Botnet to perform distributed denial-of-service (DDoS as a Service: DaaS), and it is speculated that the purchase of these services is made on the Dark Web. By crawling such information and storing it in a database, threat intelligence can be obtained that cannot otherwise be obtained from information on the Surface Web. However, crawling sites on the Dark Web present technical challenges. For this paper, we implemented a crawler that can solve these challenges. We also collected information on markets and forums on the Dark Web by operating the implemented crawler. Results confirmed that the dataset collected by crawling contains threat intelligence that is useful for analyzing cyber attacks, particularly those related to IoT Botnet and DaaS. Moreover, by uncovering the relationship with security reports, we demonstrated that the use of data collected from the Dark Web can provide more extensive threat intelligence than using information collected only on the Surface Web.

With the advancement of network technology, users can now easily gain access to and benefit from networks. However, the number of network violations is increasing. The main issue with this violation is that irresponsible individuals are infiltrating the network. Network intrusion can be interpreted in a variety of ways, including cyber criminals forcibly attempting to disrupt network connections, gaining unauthorized access to valuable data, and then stealing, corrupting, or destroying the data. There are already numerous systems in place to detect network intrusion. However, the systems continue to fall short in detecting and counter-attacking network intrusion attacks. This research aims to enhance the detection of Denial of service (DoS) by identifying significant features and identifying abnormal network activities more accurately. To accomplish this goal, the study proposes an Intrusion Analysis System for detecting Denial of service (DoS) network attacks using machine learning. The accuracy rate of the proposed method using random forest was demonstrated in our experimental results. It was discovered that the accuracy rate with each dataset is greater than 98.8 percent when compared to traditional approaches. Furthermore, when features are selected, the detection time is significantly reduced.

Even if there is a rapid proliferation with the advantages of low cost, the emerging on-demand cloud services have led to an increase in cybercrime activities. Cyber criminals are utilizing cloud services through its distributed nature of infrastructure and create a lot of challenges to detect and investigate the incidents by the security personnel. The tracing of command flow forms a clue for the detection of malicious activity occurring in the system through System Calls Analysis (SCA). As machine learning based approaches are known to automate the work in detecting malwares, simple Support Vector Machine (SVM) based approaches are often reporting low value of accuracy. In this work, a malware classification system proposed with the supervised machine learning of unknown malware instances through Support Vector Machine - Stochastic Gradient Descent (SVM-SGD) algorithm. The performance of the system evaluated on CIC-IDS2017 dataset with labelled attacks. The system is compared with traditional signature based detection model and observed to report less number of false alerts with improved accuracy. The signature based detection gets an accuracy of 86.12%, while the SVM-SGD gets the best accuracy of 99.13%. The model is found to be lightweight but efficient in detecting malware with high degree of accuracy.

In recent times, the world has seen a tremendous increase in the number of attacks on IoT devices. A majority of these attacks have been botnet attacks, where an army of compromised IoT devices is used to launch DDoS attacks on targeted systems. In this paper, we study how the choice of a dataset and the extracted features determine the performance of a Machine Learning model, given the task of classifying Linux Binaries (ELFs) as being benign or malicious. Our work focuses on Linux systems since embedded Linux is the more popular choice for building today’s IoT devices and systems. We propose using 4 different types of files as the dataset for any ML model. These include system files, IoT application files, IoT botnet files and general malware files. Further, we propose using static, dynamic as well as network features to do the classification task. We show that existing methods leave out one or the other features, or file types and hence, our model outperforms them in terms of accuracy in detecting these files. While enhancing the dataset adds to the robustness of a model, utilizing all 3 types of features decreases the false positive and false negative rates non-trivially. We employ an exhaustive scenario based method for evaluating a ML model and show the importance of including each of the proposed files in a dataset. We also analyze the features and try to explain their importance for a model, using observed trends in different benign and malicious files. We perform feature extraction using the open source Limon sandbox, which prior to this work has been tested only on Ubuntu 14. We installed and configured it for Ubuntu 18, the documentation of which has been shared on Github.

Modern technologies for searching viruses, cloud-edge computing, and also federated algorithms and machine learning architectures are shown. The architectures for searching malware based on the xor metric applied in the design and test of computing systems are proposed. A Federated ML method is proposed for searching for malware, which significantly speeds up learning without the private big data of users. A federated infrastructure of cloud-edge computing is described. The use of signature analysis and the assertion engine for searching malware is shown. The paradigm of LTF-computing for searching destructive components in software applications is proposed.

Internet of Things (IoT) apps provide great convenience but exposes us to new safety threats. Unlike traditional software systems, threats may emerge from the joint behavior of multiple apps. While prior studies use handcrafted safety and security policies to detect these threats, these policies may not anticipate all usages of the devices and apps in a smart home, causing false alarms. In this study, we propose to use the technique of mining sandboxes for securing an IoT environment. After a set of behaviors are analyzed from a bundle of apps and devices, a sandbox is deployed, which enforces that previously unseen behaviors are disallowed. Hence, the execution of malicious behavior, introduced from software updates or obscured through methods to hinder program analysis, is blocked.While sandbox mining techniques have been proposed for Android apps, we show and discuss why they are insufficient for detecting malicious behavior in a more complex IoT system. We prototype IoTBox to address these limitations. IoTBox explores behavior through a formal model of a smart home. In our empirical evaluation to detect malicious code changes, we find that IoTBox achieves substantially higher precision and recall compared to existing techniques for mining sandboxes.

A common way to detect malware attacks and avoid their destructive impact on a system is the use of virtual machines; A.K.A sandboxing. Attackers, on the other hand, strive to detect sandboxes when their software is running under such a virtual environment. Accordingly, they postpone launching any attack (Malware) as long as operating under such an execution environment. Thus, it is common among malware developers to utilize different sandbox detection techniques (sometimes referred to as Anti-VM or Anti-Virtualization techniques). In this paper, we present novel, side-channel-based techniques to detect sandboxes. We show that it is possible to detect even sandboxes that were properly configured and so far considered to be detection-proof. This paper proposes and implements the first attack which leverage side channels leakage between sibling logical cores to determine the execution environment.

In this work a time evolution model is used to help categorize malicious samples. This method can be used in anti-malware testing procedures as well as in detecting cyber-attacks. The time evolution mathematical model can help security experts to better understand the behaviour of malware attacks and malware families. It can be used for estimating much better their spreading and for planning the required defence actions against them. The basic time dependent variable of this model is the Ratio of the malicious files within an investigated time window. To estimate the main characteristics of the time series describing the change of the Ratio values related to a specific malicious file, nonlinear, exponential curve fitting method is used. The free parameters of the model were determined by numerical searching algorithms. The three parameters can be used in the information security field to describe more precisely the behaviour of a piece of malware and a family of malware as well. In the case of malware families, the aggregation of these parameters can provide effective solution for estimating the cyberthreat trends.

In these days, malware attacks target different kinds of devices as IoT, mobiles, servers even the cloud. It causes several hardware damages and financial losses especially for big companies. Malware attacks represent a serious issue to cybersecurity specialists. In this paper, we propose a new approach to detect unknown malware families based on machine learning classification and visualization technique. A malware binary is converted to grayscale image, then for each image a GIST descriptor is used as input to the machine learning model. For the malware classification part we use 3 machine learning algorithms. These classifiers are so efficient where the highest precision reach 98%. Once we train, test and evaluate models we move to simulate 2 new malware families. We do not expect a good prediction since the model did not know the family; however our goal is to analyze the behavior of our classifiers in the case of new family. Finally, we propose an approach using a filter to know either the classification is normal or it's a zero-day malware.