
    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report.

    Review of Malware Defense in Mobile Network using Dynamic Analysis of Android Application

    Today Android has the biggest market share compared to other operating systems for smartphones. As the number of users increases day by day, security is one of the main concerns for smartphone users. As the features and power of smartphones increase, so does their vulnerability to attacks by malware. However, Android is the operating system which is more secure than any other operating system available for smartphones. The Android operating system has very few restrictions for developers, and this increases the security risk for end users. In this paper we have reviewed the Android security model, application-level security in Android and its security issues.

    Review of Malware Detection in Android Applications using Dynamic Analysis

    Today Android has the biggest market share compared to other operating systems for smartphones. As the number of users increases day by day, security is one of the main concerns for smartphone users. As the features and power of smartphones increase, so does their vulnerability to attacks by malware. However, Android is the operating system which is more secure than any other operating system available for smartphones. The Android operating system has very few restrictions for developers, and this increases the security risk for end users. In this paper we have reviewed the Android security model, application-level security in Android and its security issues.

    Detection of Advanced Bots in Smartphones through User Profiling

    This thesis addresses the ever increasing threat of botnets in the smartphone domain and focuses on the Android platform and the botnets using Online Social Networks (OSNs) as Command and Control (C&C) medium. With any botnet, C&C is one of the components on which the survival of the botnet depends. Individual bots use the C&C channel to receive commands and send the data. This thesis develops an active host-based approach for identifying the presence of a bot based on the anomalies in the usage patterns of the user before and after the bot is installed on the user's smartphone, and alerting the user to the presence of the bot. A profile is constructed for each user based on the regular web usage patterns (achieved by intercepting the HTTP(S) traffic), and machine learning techniques are used to continuously learn the user's behavior and changes in that behavior, all the while looking for any anomalies in the user behavior above a threshold, which will cause the user to be notified of the anomalous traffic. A prototype bot which uses OSNs as C&C channel is constructed and used for testing. Users are given smartphones (Nexus 4 and Galaxy Nexus) running an application proxy which intercepts HTTP(S) traffic and relays it to a server, which uses the traffic to construct the model for a particular user and looks for any signs of anomalies. This approach lays the groundwork for future host-based countermeasures for smartphone botnets using OSNs as C&C channel. Dissertation/Thesis. M.S. Computer Science 201

    Unsupervised Anomaly-based Malware Detection using Hardware Features

    Recent works have shown promise in using microarchitectural execution patterns to detect malware programs. These detectors belong to a class of detectors known as signature-based detectors, as they catch malware by comparing a program's execution pattern (signature) to execution patterns of known malware programs. In this work, we propose a new class of detectors - anomaly-based hardware malware detectors - that do not require signatures for malware detection, and thus can catch a wider range of malware including potentially novel ones. We use unsupervised machine learning to build profiles of normal program execution based on data from performance counters, and use these profiles to detect significant deviations in program behavior that occur as a result of malware exploitation. We show that real-world exploitation of popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform can be detected with nearly perfect certainty. We also examine the limits and challenges in implementing this approach in the face of a sophisticated adversary attempting to evade anomaly-based detection. The proposed detector is complementary to previously proposed signature-based detectors, and the two can be used together to improve security. Comment: 1 page, LaTeX; added description for feature selection in Section 4, results unchanged.

    A Self Healing Microservices Architecture: A Case Study in Docker Swarm Cluster

    One desired aspect of a self-adapting microservices architecture is the ability to continuously monitor the operational environment, detect and observe anomalous behaviour, and implement a reasonable policy for self-scaling, self-healing, and self-tuning the computational resources in order to dynamically respond to a sudden change in its operational environment. Often the behaviour of a microservices architecture continuously changes over time, and the identification of both normal and abnormal behaviours of running services becomes a challenging task. This paper proposes a self-healing microservice architecture that continuously monitors the operational environment, detects and observes anomalous behaviours, and provides a reasonable adaptation policy using a multi-dimensional utility-based model. This model preserves the cluster state and prevents multiple actions from taking place at the same time. It also guarantees that the executed adaptation action fits the current execution context and achieves the adaptation goals. The results show the ability of this model to dynamically scale the architecture horizontally or vertically in response to context changes.

    ON INTEGRATION OF EVOLVING INFRASTRUCTURE TOPOLOGY GRAPHS AND METRIC DATA STREAMS IN INFORMATION TECHNOLOGY INFRASTRUCTURE MANAGEMENT

    In modern cloud-based information technology (IT) infrastructure monitoring, context and data are gathered from various systems. Typical monitoring systems provide a set of metrics characterizing the performance and health of a variety of infrastructure components. To understand the dependencies and relations among these measurements, the infrastructure topology can be analysed to provide context to the monitoring metrics. However, the metrics and the topology are updated at different time intervals, and providing continuous merging and analysis of both data sets is a challenging task which is rarely addressed in the scientific literature. The paper elaborates a method for the integration of infrastructure topology graphs and monitoring metric data streams. The method is intended for application in the identification of anomalies in IT infrastructure.

    Cloud based intrusion detection architecture for smartphones

    Smartphones are phones with advanced capabilities like those of personal computers (PCs). Smartphone technology is increasingly becoming the predominant communication tool for people across the world. People use their smartphones to keep their contact data, to browse the internet, to exchange messages, to keep notes, to carry their personal files and documents, etc. Users are also able to shop online while browsing, which requires them to type their credit card numbers and security codes. As smartphones become widespread, they are also becoming a popular target for security threats and attacks. Since smartphones use the same software architecture as PCs, they are exposed to threats similar to those affecting PCs. Recent news and articles indicate a huge increase in malware and viruses for the operating systems employed on smartphones (primarily Android and iOS). Major limitations of smartphone technology are its processing power and its scarce energy source, since smartphones rely on battery usage. Smartphones have less storage and computational power to put into effect highly complex algorithms for intrusion detection and to implement signature-based attack detection. In this paper, we propose a cloud-based Intrusion Detection System for smartphones to overcome the issues of smartphone resource constraints and to detect any misbehavior or anomalous activity effectively.

    HYPA: Efficient Detection of Path Anomalies in Time Series Data on Networks

    The unsupervised detection of anomalies in time series data has important applications in user behavioral modeling, fraud detection, and cybersecurity. Anomaly detection has, in fact, been extensively studied in categorical sequences. However, we often have access to time series data that represent paths through networks. Examples include transaction sequences in financial networks, click streams of users in networks of cross-referenced documents, or travel itineraries in transportation networks. To reliably detect anomalies, we must account for the fact that such data contain a large number of independent observations of paths constrained by a graph topology. Moreover, the heterogeneity of real systems rules out frequency-based anomaly detection techniques, which do not account for highly skewed edge and degree statistics. To address this problem, we introduce HYPA, a novel framework for the unsupervised detection of anomalies in large corpora of variable-length temporal paths in a graph. HYPA provides an efficient analytical method to detect paths with anomalous frequencies that result from nodes being traversed in unexpected chronological order. Comment: 11 pages with 8 figures and supplementary material. To appear at SIAM Data Mining (SDM 2020).