460 research outputs found

    Learning Fast and Slow: PROPEDEUTICA for Real-time Malware Detection

    In this paper, we introduce and evaluate PROPEDEUTICA, a novel methodology and framework for efficient and effective real-time malware detection, leveraging the best of conventional machine learning (ML) and deep learning (DL) algorithms. In PROPEDEUTICA, all software processes in the system start execution subjected to a conventional ML detector for fast classification. If a piece of software receives a borderline classification, it is subjected to further analysis via more performance-expensive and more accurate DL methods, via our newly proposed DL algorithm DEEPMALWARE. Further, we introduce delays to the execution of software subjected to deep learning analysis as a way to "buy time" for DL analysis and to rate-limit the impact of possible malware in the system. We evaluated PROPEDEUTICA with a set of 9,115 malware samples and 877 commonly used benign software samples from various categories for the Windows OS. Our results show that the false positive rate for conventional ML methods can reach 20%, and for modern DL methods it is usually below 6%. However, the classification time for DL can be 100X longer than conventional ML methods. PROPEDEUTICA improved the detection F1-score from 77.54% (conventional ML method) to 90.25%, and reduced the detection time by 54.86%. Further, the percentage of software subjected to DL analysis was approximately 40% on average. Further, the application of delays in software subjected to ML reduced the detection time by approximately 10%. Finally, we found and discussed a discrepancy between the detection accuracy offline (analysis after all traces are collected) and on-the-fly (analysis in tandem with trace collection). Our insights show that conventional ML and modern DL-based malware detectors in isolation cannot meet the needs of efficient and effective malware detection: high accuracy, low false positive rate, and short classification time.
    Comment: 17 pages, 7 figures

    Reducing the Attack Surface of Dynamic Binary Instrumentation Frameworks

    Malicious applications are one of the most relevant issues in today's technology scenario, being considered the root of many Internet security threats. In part, this owes to the ability of malware developers to promptly respond to the emergence of new security solutions by developing artifacts to detect and avoid them. In this work, we present three countermeasures to mitigate recent mechanisms used by malware to detect analysis environments. Among these techniques, this work focuses on those that enable a malware to detect dynamic binary instrumentation frameworks, thus increasing their attack surface. To ensure the effectiveness of the proposed countermeasures, proofs of concept were developed and tested in a controlled environment with a set of anti-instrumentation techniques. Finally, we evaluated the performance impact of using such countermeasures.

    Empirical study to fingerprint public malware analysis services

    The evolution of malicious software (malware) analysis tools has provided controlled, isolated, and virtual environments to analyze malware samples. Several services are found on the Internet that provide users with automatic systems to analyze malware samples, such as VirusTotal, Jotti, or ClamAV, to name a few. Unfortunately, malware is currently incorporating techniques to recognize execution in a virtual or sandbox environment. When an analysis environment is detected, malware behaves as a benign application or even shows no activity. In this work, we present an empirical study and characterization of automatic public malware analysis services. In particular, we consider 26 different services. We also show a set of features that make it easy to fingerprint these services as analysis environments. Finally, we propose a method to mitigate fingerprinting.

    Backdoor attack detection based on stepping stone detection approach

    Network intruders usually use a series of hosts (stepping stones) to conceal the tracks of their intrusion in the network. This type of intrusion can be detected through an approach called Stepping Stone Detection (SSD). In past years, SSD was confined to the detection of only this type of intrusion. In this dissertation, we consider the use of SSD concepts in the field of backdoor attack detection. The application of SSD in this field results in many advantages. First, the use of SSD makes backdoor attack detection and the scan process faster. Second, this technique detects all types of backdoor attacks, both known and unknown, even if the backdoor attack is encrypted. Third, this technique reduces the large storage resources used by traditional antivirus tools in detecting backdoor attacks. This study contributes to the field by extending the application of SSD-based techniques, which are usually used in SSD-based environments only, into backdoor attack detection environments. Through an experiment, the accuracy of SSD-based backdoor attack detection is shown to be very high.

    Behavioral Analysis Of Malicious Code Through Network Traffic And System Call Monitoring

    Malicious code (malware) that spreads through the Internet, such as viruses, worms and trojans, is a major threat to information security nowadays and a profitable business for criminals. There are several approaches to analyzing malware by monitoring its actions while it is running in a controlled environment, which helps to identify malicious behaviors. In this article we propose a tool to analyze malware behavior in a non-intrusive and effective way, extending the analysis possibilities to cover malware samples that bypass current approaches and also fixing some issues with these approaches. © 2011 SPIE.

    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
    Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report.