912 research outputs found
Dissection of Modern Malicious Software
The exponential growth of the number of malicious software samples, known by malware in
the specialized literature, constitutes nowadays one of the major concerns of cyber-security
professionals. The objectives of the creators of this type of malware are varied, and the means
used to achieve them are getting increasingly sophisticated. The increase of the computation
and storage resources, as well as the globalization have been contributing to this growth, and
fueling an entire industry dedicated to developing, selling and improving systems or solutions for
securing, recovering, mitigating and preventing malware related incidents. The success of these
systems typically depends of detailed analysis, often performed by humans, of malware samples
captured in the wild. This analysis includes the search for patterns or anomalous behaviors that
may be used as signatures to identify or counter-attack these threats.
This Master of Science (Ms.C.) dissertation addresses problems related with dissecting and analyzing
malware. The main objectives of the underlying work were to study and understand the
techniques used by this type of software nowadays, as well as the methods that are used by
specialists on that analysis, so as to conduct a detailed investigation and produce structured
documentation for at least one modern malware sample. The work was mostly focused in malware
developed for the Operating Systems (OSs) of the Microsoft Windows family for desktops.
After a brief study of the state of the art, the dissertation presents the classifications applied to
malware, which can be found in the technical literature on the area, elaborated mainly by an
industry community or seller of a security product. The structuring of the categories is nonetheless
the result of an effort to unify or complete different classifications. The families of some of
the most popular or detected malware samples are also presented herein, initially in a tabular
form and, subsequently, via a genealogical tree, with some of the variants of each previously
described family. This tree provides an interesting perspective over malware and is one of the
contributions of this programme.
Within the context of the description of functionalities and behavior of malware, some advanced
techniques, with which modern specimens of this type of software are equipped to ease their
propagation and execution, while hindering their detection, are then discussed with more detail.
The discussion evolves to the presentation of the concepts related to the detection and defense
against modern malware, along with a small introduction to the main subject of this work. The
analysis and dissection of two samples of malware is then the subject of the final chapters of the
dissertation. A basic static analysis is performed to the malware known as Stuxnet, while the
Trojan Banker known as Tinba/zuzy is subdued to both basic and advanced dynamic analysis.
The results of this part of the work emphasize difficulties associated with these tasks and the
sophistication and dangerous level of samples under investigation.O crescimento exponencial do número de amostras de software malicioso, conhecido na gÃria
informática como malware, constitui atualmente uma das maiores preocupações dos profissionais
de cibersegurança. São vários os objetivos dos criadores deste tipo de software e a forma
cada vez mais sofisticada como os mesmos são alcançados. O aumento da computação e capacidade
de armazenamento, bem como a globalização, têm contribuÃdo para este crescimento, e
têm alimentado toda uma indústria dedicada ao desenvolvimento, venda e melhoramento de
sistemas ou soluções de segurança, recuperação, mitigação e prevenção de incidentes relacionados
com malware. O sucesso destes sistemas depende normalmente da análise detalhada, feita
muitas vezes por humanos, de peças de malware capturadas no seu ambiente de atuação. Esta
análise compreende a procura de padrões ou de comportamentos anómalos que possam servir
de assinatura para identificar ou contra-atacar essas ameaças.
Esta dissertação aborda a problemática da análise e dissecação de malware. O trabalho que
lhe está subjacente tinha como objetivos estudar e compreender as técnicas utilizadas por este
tipo de software hoje em dia, bem como as que são utilizadas por especialistas nessa análise,
de forma a conduzir uma investigação detalhada e a produzir documentação estruturada sobre
pelo menos uma amostra de malware moderna. O trabalho focou-se, sobretudo, em malware
desenvolvido para os sistemas operativos da famÃlia Microsoft Windows para computadores de
secretária. Após um breve estudo ao estado da arte, a dissertação apresenta as classificações
de malware encontradas na literatura técnica da especialidade, principalmente usada pela indústria,
resultante de um esforço de unificação das mesmas. São também apresentadas algumas
das famÃlias de malware mais detetadas da atualidade, inicialmente através de uma tabela e,
posteriormente, através de uma árvore geneológica, com algumas das variantes de cada uma das
famÃlias descritas previamente. Esta árvore fornece uma perspetiva interessante sobre malware
e constitui uma das contribuições deste programa de mestrado.
Ainda no âmbito da descrição de funcionalidades e comportamentos do malware, são expostas,
com algum detalhe, algumas técnicas avançadas com as quais os programas maliciosos mais
modernos são por vezes munidos com o intuito a facilitar a sua propagação e execução, dificultando
a sua deteção. A descrição evolui para a apresentação dos conceitos adjacentes à deteção
e combate ao malware moderno, assim como para uma pequena introdução ao tema principal
deste trabalho. A análise e dissecação de duas amostras de malware moderno surgem nos capÃtulos
finais da dissertação. Ao malware conhecido por Stuxnet é feita a análise básica estática,
enquanto que ao Trojan Banker Tinba/zusy é feita e demonstrada a análise dinâmica básica e
avançada. Os resultados desta parte são demonstrativos do grau de sofisticação e perigosidade
destas amostras e das dificuldades associadas a estas tarefas
BotCap: Machine Learning Approach for Botnet Detection Based on Statistical Features
In this paper, we describe a detailed approach to develop a botnet detection system using machine learning (ML)techniques. Detecting botnet member hosts, or identifying botnet traffic has been the main subject of manyresearch efforts. This research aims to overcome two serious limitations of current botnet detection systems:First, the need for Deep Packet Inspection-DPI and the need to collect traffic from several infected hosts. Toachieve that, we have analyzed several botware samples of known botnets. Based on this analysis, we haveidentified a set of statistical features that may help to distinguish between benign and botnet malicious traffic.Then, we have carried several machine learning experiments in order to test the suitability of ML techniques andalso to pick a minimal subset of the identified features that provide best detection. We have implemented ourapproach in a tool called BotCap whose test results showed its proven ability to detect individually infected hostsin a local network
Construcción de clasificadores de malware para agencias de seguridad del Estado
Sandboxing has been used regularly to analyze software samples and determine if these contain suspicious properties or behaviors. Even if sandboxing is a powerful technique to perform malware analysis, it requires that a malware analyst performs a rigorous analysis of the results to determine the nature of the sample: goodware or malware. This paper proposes two machine learning models able to classify samples based on signatures and permissions obtained through Cuckoo sandbox, Androguard and VirusTotal. The developed models are also tested obtaining an acceptable percentage of correctly classified samples, being in this way useful tools for a malware analyst. A proposal of architecture for an IoT sentinel that uses one of the developed machine learning model is also showed. Finally, different approaches, perspectives, and challenges about the use of sandboxing and machine learning by security teams in State security agencies are also shared.El sandboxing ha sido usado de manera regular para analizar muestras de software y determinar si estas contienen propiedades o comportamientos sospechosos. A pesar de que el sandboxing es una técnica poderosa para desarrollar análisis de malware, esta requiere que un analista de malware desarrolle un análisis riguroso de los resultados para determinar la naturaleza de la muestra: goodware o malware. Este artÃculo propone dos modelos de aprendizaje automáticos capaces de clasificar muestras con base a un análisis de firmas o permisos extraÃdos por medio de Cuckoo sandbox, Androguard y VirusTotal. En este artÃculo también se presenta una propuesta de arquitectura de centinela IoT que protege dispositivos IoT, usando uno de los modelos de aprendizaje automáticos desarrollados anteriormente. Finalmente, diferentes enfoques y perspectivas acerca del uso de sandboxing y aprendizaje automático por parte de agencias de seguridad del Estado también son aportados
Information Pooling Bias in Collaborative Cyber Forensics
abstract: Cyber threats are growing in number and sophistication making it important to continually study and improve all dimensions of cyber defense. Human teamwork in cyber defense analysis has been overlooked even though it has been identified as an important predictor of cyber defense performance. Also, to detect advanced forms of threats effective information sharing and collaboration between the cyber defense analysts becomes imperative. Therefore, through this dissertation work, I took a cognitive engineering approach to investigate and improve cyber defense teamwork. The approach involved investigating a plausible team-level bias called the information pooling bias in cyber defense analyst teams conducting the detection task that is part of forensics analysis through human-in-the-loop experimentation. The approach also involved developing agent-based models based on the experimental results to explore the cognitive underpinnings of this bias in human analysts. A prototype collaborative visualization tool was developed by considering the plausible cognitive limitations contributing to the bias to investigate whether a cognitive engineering-driven visualization tool can help mitigate the bias in comparison to off-the-shelf tools. It was found that participant teams conducting the collaborative detection tasks as part of forensics analysis, experience the information pooling bias affecting their performance. Results indicate that cognitive friendly visualizations can help mitigate the effect of this bias in cyber defense analysts. Agent-based modeling produced insights on internal cognitive processes that might be contributing to this bias which could be leveraged in building future visualizations. This work has multiple implications including the development of new knowledge about the science of cyber defense teamwork, a demonstration of the advantage of developing tools using a cognitive engineering approach, a demonstration of the advantage of using a hybrid cognitive engineering methodology to study teams in general and finally, a demonstration of the effect of effective teamwork on cyber defense performance.Dissertation/ThesisDoctoral Dissertation Applied Psychology 201
From Text to MITRE Techniques: Exploring the Malicious Use of Large Language Models for Generating Cyber Attack Payloads
This research article critically examines the potential risks and
implications arising from the malicious utilization of large language
models(LLM), focusing specifically on ChatGPT and Google's Bard. Although these
large language models have numerous beneficial applications, the misuse of this
technology by cybercriminals for creating offensive payloads and tools is a
significant concern. In this study, we systematically generated implementable
code for the top-10 MITRE Techniques prevalent in 2022, utilizing ChatGPT, and
conduct a comparative analysis of its performance with Google's Bard. Our
experimentation reveals that ChatGPT has the potential to enable attackers to
accelerate the operation of more targeted and sophisticated attacks.
Additionally, the technology provides amateur attackers with more capabilities
to perform a wide range of attacks and empowers script kiddies to develop
customized tools that contribute to the acceleration of cybercrime.
Furthermore, LLMs significantly benefits malware authors, particularly
ransomware gangs, in generating sophisticated variants of wiper and ransomware
attacks with ease. On a positive note, our study also highlights how offensive
security researchers and pentesters can make use of LLMs to simulate realistic
attack scenarios, identify potential vulnerabilities, and better protect
organizations. Overall, we conclude by emphasizing the need for increased
vigilance in mitigating the risks associated with LLMs. This includes
implementing robust security measures, increasing awareness and education
around the potential risks of this technology, and collaborating with security
experts to stay ahead of emerging threats
Resilient and Scalable Android Malware Fingerprinting and Detection
Malicious software (Malware) proliferation reaches hundreds of thousands daily. The manual analysis of such a large volume of malware is daunting and time-consuming. The diversity of targeted systems in terms of architecture and platforms compounds the challenges of Android malware detection and malware in general. This highlights the need to design and implement new scalable and robust methods, techniques, and tools to detect Android malware. In this thesis, we develop a malware fingerprinting framework to cover accurate Android malware detection and family attribution. In this context, we emphasize the following: (i) the scalability over a large malware corpus; (ii) the resiliency to common obfuscation techniques; (iii) the portability over different platforms and architectures.
In the context of bulk and offline detection on the laboratory/vendor level: First, we propose an approximate fingerprinting technique for Android packaging that captures the underlying static structure of the Android apps. We also propose a malware clustering framework on top of this fingerprinting technique to perform unsupervised malware detection and grouping by building and partitioning a similarity network of malicious apps. Second, we propose an approximate fingerprinting technique for Android malware's behavior reports generated using dynamic analyses leveraging natural language processing techniques. Based on this fingerprinting technique, we propose a portable malware detection and family threat attribution framework employing supervised machine learning techniques. Third, we design an automatic framework to produce intelligence about the underlying malicious cyber-infrastructures of Android malware. We leverage graph analysis techniques to generate relevant, actionable, and granular intelligence that can be used to identify the threat effects induced by malicious Internet activity associated to Android malicious apps.
In the context of the single app and online detection on the mobile device level, we further propose the following: Fourth, we design a portable and effective Android malware detection system that is suitable for deployment on mobile and resource constrained devices, using machine learning classification on raw method call sequences. Fifth, we elaborate a framework for Android malware detection that is resilient to common code obfuscation techniques and adaptive to operating systems and malware change overtime, using natural language processing and deep learning techniques.
We also evaluate the portability of the proposed techniques and methods beyond Android platform malware, as follows: Sixth, we leverage the previously elaborated techniques to build a framework for cross-platform ransomware fingerprinting relying on raw hybrid features in conjunction with advanced deep learning techniques
A Survey on Industrial Control System Testbeds and Datasets for Security Research
The increasing digitization and interconnection of legacy Industrial Control
Systems (ICSs) open new vulnerability surfaces, exposing such systems to
malicious attackers. Furthermore, since ICSs are often employed in critical
infrastructures (e.g., nuclear plants) and manufacturing companies (e.g.,
chemical industries), attacks can lead to devastating physical damages. In
dealing with this security requirement, the research community focuses on
developing new security mechanisms such as Intrusion Detection Systems (IDSs),
facilitated by leveraging modern machine learning techniques. However, these
algorithms require a testing platform and a considerable amount of data to be
trained and tested accurately. To satisfy this prerequisite, Academia,
Industry, and Government are increasingly proposing testbed (i.e., scaled-down
versions of ICSs or simulations) to test the performances of the IDSs.
Furthermore, to enable researchers to cross-validate security systems (e.g.,
security-by-design concepts or anomaly detectors), several datasets have been
collected from testbeds and shared with the community. In this paper, we
provide a deep and comprehensive overview of ICSs, presenting the architecture
design, the employed devices, and the security protocols implemented. We then
collect, compare, and describe testbeds and datasets in the literature,
highlighting key challenges and design guidelines to keep in mind in the design
phases. Furthermore, we enrich our work by reporting the best performing IDS
algorithms tested on every dataset to create a baseline in state of the art for
this field. Finally, driven by knowledge accumulated during this survey's
development, we report advice and good practices on the development, the
choice, and the utilization of testbeds, datasets, and IDSs
Development of a multi-layered botmaster based analysis framework
Botnets are networks of compromised machines called bots that come together to form the tool of choice for hackers in the exploitation and destruction of computer networks. Most malicious botnets have the ability to be rented out to a broad range of potential customers, with each customer having an attack agenda different from the other. The result is a botnet that is under the control of multiple botmasters, each of which implement their own attacks and transactions at different times in the botnet. In order to fight botnets, details about their structure, users, and their users motives need to be discovered. Since current botnets require the information about the initial bootstrapping of a bot to a botnet, the monitoring of botnets are possible. Botnet monitoring is used to discover the details of a botnet, but current botnet monitoring projects mainly identify the magnitude of the botnet problem and tend to overt some fundamental problems, such as the diversified sources of the attacks. To understand the use of botnets in more detail, the botmasters that command the botnets need to be studied. In this thesis we focus on identifying the threat of botnets based on each individual botmaster. We present a multi-layered analysis framework which identifies the transactions of each botmaster and then we correlate the transactions with the physical evolution of the botnet. With these characteristics we discover what role each botmaster plays in the overall botnet operation. We demonstrate our results in our system: MasterBlaster, which discovers the level of interaction between each botmaster and the botnet. Our system has been evaluated in real network traces.
Our results show that investigating the roles of each botmaster in a botnet should be essential and demonstrates its potential benefit for identifying and conducting additional research on analyzing botmaster interactions. We believe our work will pave the way for more fine-grained analysis of botnets which will lead to better protection capabilities and more rapid attribution of cyber crimes committed using botnets
- …