5 research outputs found
Recommended from our members
A Study of the Relationship Between Antivirus Regressions and Label Changes
AntiVirus (AV) products use multiple components to detect malware. A component which is found in virtually all AVs is the signature-based detection engine: this component assigns a particular signature label to a malware that the AV detects. In previous analysis [1-3], we observed cases of regressions in several different AVs: i.e. cases where on a particular date a given AV detects a given malware but on a later date the same AV fails to detect the same malware. We studied this aspect further by analyzing the only externally observable behaviors from these AVs, namely whether AV engines detect a malware and what labels they assign to the detected malware. In this paper we present the results of the analysis about the relationship between the changing of the labels with which AV vendors recognize malware and the AV regressions
EMPIRICAL STUDIES BASED ON HONEYPOTS FOR CHARACTERIZING ATTACKERS BEHAVIOR
The cybersecurity community has made substantial efforts to understand and mitigate security flaws in information systems. Oftentimes when a compromise is discovered, it is difficult to identify the actions performed by an attacker.
In this study, we explore the compromise phase, i.e., when an attacker exploits the host he/she gained access to using a vulnerability exposed by an information system. More specifically, we look at the main actions performed during the compromise and the factors deterring the attackers from exploiting the compromised systems.
Because of the lack of security datasets on compromised systems, we need to deploy systems to more adequately study attackers and the different techniques they employ to compromise computer. Security researchers employ target computers, called honeypots, that are not used by normal or authorized users.
In this study we first describe the distributed honeypot network architecture deployed at the University of Maryland and the different honeypot-based experiments enabling the data collection required to conduct the studies on attackers' behavior.
In a first experiment we explore the attackers' skill levels and the purpose of the malicious software installed on the honeypots. We determined the relative skill levels of the attackers and classified the different software installed.
We then focused on the crimes committed by the attackers, i.e., the attacks launched from the honeypots by the attackers. We defined the different computer crimes observed (e.g., brute-force attacks and denial of service attacks) and their characteristics (whether they were coordinated and/or destructive). We looked at the impact of computer resources restrictions on the crimes and then, at the deterrent effect of warning and surveillance. Lastly, we used different metrics related to the attack sessions to investigate the impact of surveillance on the attackers based on their country of origin.
During attacks, we found that attackers mainly installed IRC-based bot tools and sometimes shared their honeypot access. From the analysis on crimes, it appears that deterrence does not work; we showed attackers seem to favor certain computer resources. Lastly, we observed that the presence of surveillance had no significant impact on the attack sessions, however surveillance altered the behavior originating from a few countries
Effiziente und erklärbare Erkennung von mobiler Schadsoftware mittels maschineller Lernmethoden
In recent years, mobile devices shipped with Google’s Android operating system
have become ubiquitous. Due to their popularity and the high concentration of
sensitive user data on these devices, however, they have also become a
profitable target of malware authors. As a result, thousands of new malware
instances targeting Android are found almost every day. Unfortunately, common
signature-based methods often fail to detect these applications, as these
methods can- not keep pace with the rapid development of new malware.
Consequently, there is an urgent need for new malware detection methods to
tackle this growing threat.
In this thesis, we address the problem by combining concepts of static analysis
and machine learning, such that mobile malware can be detected directly on the
mobile device with low run-time overhead. To this end, we first discuss our
analysis results of a sophisticated malware that uses an ultrasonic side
channel to spy on unwitting smartphone users. Based on the insights we gain
throughout this thesis, we gradually develop a method that allows detecting
Android malware in general. The resulting method performs a broad static
analysis, gathering a large number of features associated with an application.
These features are embedded in a joint vector space, where typical patterns
indicative of malware can be automatically identified and used for explaining
the decisions of our method. In addition to an evaluation of its overall
detection and run-time performance, we also examine the interpretability of the
underlying detection model and strengthen the classifier against realistic
evasion attacks.
In a large set of experiments, we show that the method clearly outperforms
several related approaches, including popular anti-virus scanners. In most
experiments, our approach detects more than 90% of all malicious samples in the
dataset at a low false positive rate of only 1%. Furthermore, even on older
devices, it offers a good run-time performance, and can output a decision along
with a proper explanation within a few seconds, despite the use of machine
learning techniques directly on the mobile device.
Overall, we find that the application of machine learning techniques is a
promising research direction to improve the security of mobile devices. While
these techniques alone cannot defeat the threat of mobile malware, they at
least raise the bar for malicious actors significantly, especially if combined
with existing techniques.Die Verbreitung von Smartphones, insbesondere mit dem Android-Betriebssystem,
hat in den vergangenen Jahren stark zugenommen. Aufgrund ihrer hohen
Popularität haben sich diese Geräte jedoch zugleich auch zu einem lukrativen
Ziel für Entwickler von Schadsoftware entwickelt, weshalb mittlerweile täglich
neue Schadprogramme fĂĽr Android gefunden werden.
Obwohl verschiedene Lösungen existieren, die Schadprogramme auch auf mobilen
Endgeräten identifizieren sollen, bieten diese in der Praxis häufig keinen
ausreichenden Schutz. Dies liegt vor allem daran, dass diese Verfahren zumeist
signaturbasiert arbeiten und somit schädliche Programme erst zuverlässig
identifizieren können, sobald entsprechende Erkennungssignaturen vorhanden
sind. Jedoch wird es fĂĽr Antiviren-Hersteller immer schwieriger, die zur
Erkennung notwendigen Signaturen rechtzeitig bereitzustellen. Daher ist die
Entwicklung von neuen Verfahren nötig, um der wachsenden Bedrohung durch mobile
Schadsoftware besser begegnen zu können.
In dieser Dissertation wird ein Verfahren vorgestellt und eingehend untersucht,
das Techniken der statischen Code-Analyse mit Methoden des maschinellen Lernens
kombiniert, um so eine zuverlässige Erkennung von mobiler Schadsoftware direkt
auf dem Mobilgerät zu ermöglichen. Die Methode analysiert hierfür mobile
Anwendungen zunächst statisch und extrahiert dabei spezielle Merkmale, die eine
Abbildung einer Applikation in einen hochdimensionalen Vektorraum ermöglichen.
In diesem Vektorraum sind schlieĂźlich maschinelle Lernmethoden in der Lage,
automatisch Muster zur Erkennung von Schadprogrammen zu finden. Die gefundenen
Muster können dabei nicht nur zur Erkennung, sondern darüber hinaus auch zur
Erklärung einer getroffenenen Entscheidung dienen.
Im Rahmen einer ausfĂĽhrlichen Evaluation wird nicht nur die Erkennungsleistung
und die Laufzeit der vorgestellten Methode untersucht, sondern darĂĽber hinaus
das gelernte Erkennungsmodell im Detail analysiert. Hierbei wird auch die
Robustheit des Modells gegenĂĽber gezielten Angriffe untersucht und verbessert.
In einer Reihe von Experimenten kann gezeigt werden, dass mit dem
vorgeschlagenen Verfahren bessere Ergebnisse erzielt werden können als mit
vergleichbaren Methoden, sogar einschließlich einiger populärer
Antivirenprogramme. In den meisten Experimenten kann die Methode Schadprogramme
zuverlässig erkennen und erreicht Erkennungsraten von über 90% bei einer
geringen Falsch-Positiv-Rate von 1%