889 research outputs found
Intelligent and behavioral-based detection of malware in IoT spectrum sensors
The number of Cyber-Physical Systems (CPS) available in industrial environments is growing mainly due to the evolution of the Internet-of-Things (IoT) paradigm. In such a context, radio frequency spectrum sensing in industrial scenarios is one of the most interesting applications of CPS due to the scarcity of the spectrum. Despite the benefits of operational platforms, IoT spectrum sensors are vulnerable to heterogeneous malware. The usage of behavioral fingerprinting and machine learning has shown merit in detecting cyberattacks. Still, there exist challenges in terms of (i) designing, deploying, and evaluating ML-based fingerprinting solutions able to detect malware attacks affecting real IoT spectrum sensors, (ii) analyzing the suitability of kernel events to create stable and precise fingerprints of spectrum sensors, and (iii) detecting recent malware samples affecting real IoT spectrum sensors of crowdsensing platforms. Thus, this work presents a detection framework that applies device behavioral fingerprinting and machine learning to detect anomalies and classify different botnets, rootkits, backdoors, ransomware and cryptojackers affecting real IoT spectrum sensors. Kernel events from CPU, memory, network,file system, scheduler, drivers, and random number generation have been analyzed, selected, and monitored to create device behavioral fingerprints. During testing, an IoT spectrum sensor of the ElectroSense platform has been infected with ten recent malware samples (two botnets, three rootkits, three backdoors, one ransomware, and one cryptojacker) to measure the detection performance of the framework in two different network configurations. Both supervised and semi-supervised approaches provided promising results when detecting and classifying malicious behaviors from the eight previous malware and seven normal behaviors. In particular, the framework obtained 0.88–0.90 true positive rate when detecting the previous malicious behaviors as unseen or zero-day attacks and 0.94–0.96 F1-score when classifying the
Análise de malware com suporte de hardware
Orientadores: Paulo Lício de Geus, André Ricardo Abed GrégioDissertação (mestrado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: O mundo atual é impulsionado pelo uso de sistemas computacionais, estando estes pre- sentes em todos aspectos da vida cotidiana. Portanto, o correto funcionamento destes é essencial para se assegurar a manutenção das possibilidades trazidas pelos desenvolvi- mentos tecnológicos. Contudo, garantir o correto funcionamento destes não é uma tarefa fácil, dado que indivíduos mal-intencionados tentam constantemente subvertê-los visando benefíciar a si próprios ou a terceiros. Os tipos mais comuns de subversão são os ataques por códigos maliciosos (malware), capazes de dar a um atacante controle total sobre uma máquina. O combate à ameaça trazida por malware baseia-se na análise dos artefatos coletados de forma a permitir resposta aos incidentes ocorridos e o desenvolvimento de contramedidas futuras. No entanto, atacantes têm se especializado em burlar sistemas de análise e assim manter suas operações ativas. Para este propósito, faz-se uso de uma série de técnicas denominadas de "anti-análise", capazes de impedir a inspeção direta dos códigos maliciosos. Dentre essas técnicas, destaca-se a evasão do processo de análise, na qual são empregadas exemplares capazes de detectar a presença de um sistema de análise para então esconder seu comportamento malicioso. Exemplares evasivos têm sido cada vez mais utilizados em ataques e seu impacto sobre a segurança de sistemas é considerá- vel, dado que análises antes feitas de forma automática passaram a exigir a supervisão de analistas humanos em busca de sinais de evasão, aumentando assim o custo de se manter um sistema protegido. As formas mais comuns de detecção de um ambiente de análise se dão através da detecção de: (i) código injetado, usado pelo analista para inspecionar a aplicação; (ii) máquinas virtuais, usadas em ambientes de análise por questões de escala; (iii) efeitos colaterais de execução, geralmente causados por emuladores, também usados por analistas. Para lidar com malware evasivo, analistas tem se valido de técnicas ditas transparentes, isto é, que não requerem injeção de código nem causam efeitos colaterais de execução. Um modo de se obter transparência em um processo de análise é contar com suporte do hardware. Desta forma, este trabalho versa sobre a aplicação do suporte de hardware para fins de análise de ameaças evasivas. No decorrer deste texto, apresenta-se uma avaliação das tecnologias existentes de suporte de hardware, dentre as quais máqui- nas virtuais de hardware, suporte de BIOS e monitores de performance. A avaliação crítica de tais tecnologias oferece uma base de comparação entre diferentes casos de uso. Além disso, são enumeradas lacunas de desenvolvimento existentes atualmente. Mais que isso, uma destas lacunas é preenchida neste trabalho pela proposição da expansão do uso dos monitores de performance para fins de monitoração de malware. Mais especificamente, é proposto o uso do monitor BTS para fins de construção de um tracer e um debugger. O framework proposto e desenvolvido neste trabalho é capaz, ainda, de lidar com ataques do tipo ROP, um dos mais utilizados atualmente para exploração de vulnerabilidades. A avaliação da solução demonstra que não há a introdução de efeitos colaterais, o que per- mite análises de forma transparente. Beneficiando-se desta característica, demonstramos a análise de aplicações protegidas e a identificação de técnicas de evasãoAbstract: Today¿s world is driven by the usage of computer systems, which are present in all aspects of everyday life. Therefore, the correct working of these systems is essential to ensure the maintenance of the possibilities brought about by technological developments. However, ensuring the correct working of such systems is not an easy task, as many people attempt to subvert systems working for their own benefit. The most common kind of subversion against computer systems are malware attacks, which can make an attacker to gain com- plete machine control. The fight against this kind of threat is based on analysis procedures of the collected malicious artifacts, allowing the incident response and the development of future countermeasures. However, attackers have specialized in circumventing analysis systems and thus keeping their operations active. For this purpose, they employ a series of techniques called anti-analysis, able to prevent the inspection of their malicious codes. Among these techniques, I highlight the analysis procedure evasion, that is, the usage of samples able to detect the presence of an analysis solution and then hide their malicious behavior. Evasive examples have become popular, and their impact on systems security is considerable, since automatic analysis now requires human supervision in order to find evasion signs, which significantly raises the cost of maintaining a protected system. The most common ways for detecting an analysis environment are: i) Injected code detec- tion, since injection is used by analysts to inspect applications on their way; ii) Virtual machine detection, since they are used in analysis environments due to scalability issues; iii) Execution side effects detection, usually caused by emulators, also used by analysts. To handle evasive malware, analysts have relied on the so-called transparent techniques, that is, those which do not require code injection nor cause execution side effects. A way to achieve transparency in an analysis process is to rely on hardware support. In this way, this work covers the application of the hardware support for the evasive threats analysis purpose. In the course of this text, I present an assessment of existing hardware support technologies, including hardware virtual machines, BIOS support, performance monitors and PCI cards. My critical evaluation of such technologies provides basis for comparing different usage cases. In addition, I pinpoint development gaps that currently exists. More than that, I fill one of these gaps by proposing to expand the usage of performance monitors for malware monitoring purposes. More specifically, I propose the usage of the BTS monitor for the purpose of developing a tracer and a debugger. The proposed framework is also able of dealing with ROP attacks, one of the most common used technique for remote vulnerability exploitation. The framework evaluation shows no side-effect is introduced, thus allowing transparent analysis. Making use of this capability, I demonstrate how protected applications can be inspected and how evasion techniques can be identifiedMestradoCiência da ComputaçãoMestre em Ciência da ComputaçãoCAPE
On-device Security and Privacy Mechanisms for Resource-limited Devices: A Bottom-up Approach
This doctoral dissertation introduces novel mechanisms to provide on-device security and privacy for resource-limited smart devices and their applications. These mechanisms aim to cover five fundamental contributions in the emerging Cyber-Physical Systems (CPS), Internet of Things (IoT), and Industrial IoT (IIoT) fields. First, we present a host-based fingerprinting solution for device identification that is complementary to other security services like device authentication and access control. Then, we design a kernel- and user-level detection framework that aims to discover compromised resource-limited devices based on behavioral analysis. Further we apply dynamic analysis of smart devices’ applications to uncover security and privacy risks in real-time. Then, we describe a solution to enable digital forensics analysis on data extracted from interconnected resource-limited devices that form a smart environment. Finally, we offer to researchers from industry and academia a collection of benchmark solutions for the evaluation of the discussed security mechanisms on different smart domains. For each contribution, this dissertation comprises specific novel tools and techniques that can be applied either independently or combined to enable a broader security services for the CPS, IoT, and IIoT domains
Determining the effectiveness of deceptive honeynets
Over the last few years, incidents of network based intrusions have rapidly increased, due to the increase and popularity of various attack tools easily available for download from the Internet. Due to this increase in intrusions, the concept of a network defence known as Honeypots developed. These honeypots are designed to ensnare attackers and monitor their activities. Honeypots use the principles of deception such as masking, mimicry, decoying, inventing, repackaging and dazzling to deceive attackers. Deception exists in various forms. It is a tactic to survive and defeat the motives of attackers. Due to its presence in the nature, deception has been widely used during wars and now in Information Systems. This thesis considers the current state of honeypot technology as well as describes the framework of how to improve the effectiveness of honeypots through the effective use of deception. In this research, a legitimate corporate deceptive network is created using Honeyd (a type of honeypot) which is attacked and improved using empirical learning approach. The data collected during the attacking exercise were analysed, using various measures, to determine the effectiveness of the deception in the honeypot network created using honeyd. The results indicate that the attackers were deceived into believing the honeynet was a real network which instead was a deceptive network
LightBox: Full-stack Protected Stateful Middlebox at Lightning Speed
Running off-site software middleboxes at third-party service providers has
been a popular practice. However, routing large volumes of raw traffic, which
may carry sensitive information, to a remote site for processing raises severe
security concerns. Prior solutions often abstract away important factors
pertinent to real-world deployment. In particular, they overlook the
significance of metadata protection and stateful processing. Unprotected
traffic metadata like low-level headers, size and count, can be exploited to
learn supposedly encrypted application contents. Meanwhile, tracking the states
of 100,000s of flows concurrently is often indispensable in production-level
middleboxes deployed at real networks.
We present LightBox, the first system that can drive off-site middleboxes at
near-native speed with stateful processing and the most comprehensive
protection to date. Built upon commodity trusted hardware, Intel SGX, LightBox
is the product of our systematic investigation of how to overcome the inherent
limitations of secure enclaves using domain knowledge and customization. First,
we introduce an elegant virtual network interface that allows convenient access
to fully protected packets at line rate without leaving the enclave, as if from
the trusted source network. Second, we provide complete flow state management
for efficient stateful processing, by tailoring a set of data structures and
algorithms optimized for the highly constrained enclave space. Extensive
evaluations demonstrate that LightBox, with all security benefits, can achieve
10Gbps packet I/O, and that with case studies on three stateful middleboxes, it
can operate at near-native speed.Comment: Accepted at ACM CCS 201
Forensic Box for Quick Network-Based Security Assessments
Network security assessments are seen as important, yet cumbersome and time consuming tasks,
mostly due to the use of different and manually operated tools. These are often very specialized
tools that need to be mastered and combined, besides requiring sometimes that a testing environment
is set up. Nonetheless, in many cases, it would be useful to obtain an audit in a swiftly
and on-demand manner, even if with less detail. In such cases, these audits could be used as
an initial step for a more detailed evaluation of the network security, as a complement to other
audits, or aid in preventing major data leaks and system failures due to common configuration,
management or implementation issues.
This dissertation describes the work towards the design and development of a portable system
for quick network security assessments and the research on the automation of many tasks (and
associated tools) composing that process. An embodiment of such system was built using a Raspberry
Pi 2, several well known open source tools, whose functions vary from network discovery,
service identification, Operating System (OS) fingerprinting, network sniffing and vulnerability
discovery, and custom scripts and programs for connecting all the different parts that comprise
the system. The tools are integrated in a seamless manner with the system, to allow deployment
in wired or wireless network environments, where the device carries out a mostly automated
and thorough analysis. The device is near plug-and-play and produces a structured report at
the end of the assessment. Several simple functions, such as re-scanning the network or doing
Address Resolution Protocol (ARP) poisoning on the network are readily available through a small
LCD display mounted on top of the device. It offers a web based interface for finer configuration
of the several tools and viewing the report, aso developed within the scope of this work. Other
specific outputs, such as PCAP files with collected traffic, are available for further analysis.
The system was operated in controlled and real networks, so as to verify the quality of its
assessments. The obtained results were compared with the results obtained through manually
auditing the same networks. The achieved results showed that the device was able to detect
many of the issues that the human auditor detected, but showed some shortcomings in terms
of some specific vulnerabilities, mainly Structured Query Language (SQL) injections.
The image of the OS with the pre-configured tools, automation scripts and programs is available
for download from [Ber16b]. It comprises one of the main outputs of this work.As avaliações de segurança de uma rede (e dos seus dispositivos) são vistas como tarefas importantes,
mas pesadas e que consomem bastante tempo, devido à utilização de diferentes
ferramentas manuais. Normalmente, estas ferramentas são bastante especializadas e exigem
conhecimento prévio e habituação, e muitas vezes a necessidade de criar um ambiente de teste.
No entanto, em muitos casos, seria útil obter uma auditoria rápida e de forma mais direta, ainda
que pouco profunda. Nesses moldes, poderia servir como passo inicial para uma avaliação mais
detalhada, complementar outra auditoria, ou ainda ajudar a prevenir fugas de dados e falhas de
sistemas devido a problemas comuns de configuração, gestão ou implementação dos sistemas.
Esta dissertação descreve o trabalho efetuado com o objetivo de desenhar e desenvolver um
sistema portátil para avaliações de segurança de uma rede de forma rápida, e também a investigação
efetuada com vista à automação de várias tarefas (e ferramentas associadas) que
compõem o processo de auditoria. Uma concretização do sistema foi criada utilizando um Raspberry
Pi 2, várias ferramentas conhecidas e de código aberto, cujas funcionalidades variam
entre descoberta da rede, identificação de sistema operativo, descoberta de vulnerabilidades a
captura de tráfego na rede, e scripts e programas personalizados que interligam as várias partes
que compõem o sistema. As ferramentas são integradas de forma transparente no sistema,
que permite ser lançado em ambientes cablados ou wireless, onde o dispositivo executa uma
análise meticulosa e maioritariamente automatizada. O dispositivo é praticamente plug and
play e produz um relatório estruturado no final da avaliação. Várias funções simples, tais como
analisar novamente a rede ou efetuar ataques de envenenamento da cache Address Resolution
Protocol (ARP) na rede estão disponíveis através de um pequeno ecrã LCD montado no topo do
dispositivo. Este oferece ainda uma interface web, também desenvolvida no contexto do trabalho,
para configuração mais específica das várias ferramentas e para obter acesso ao relatório
da avaliação. Outros outputs mais específicos, como ficheiros com tráfego capturado, estão
disponíveis a partir desta interface.
O sistema foi utilizado em redes controladas e reais, de forma a verificar a qualidade das suas
avaliações. Os resultados obtidos foram comparados com aqueles obtidos através de auditoria
manual efetuada às mesmas redes. Os resultados obtidos mostraram que o dispositivo deteta a
maioria dos problemas que um auditor detetou manualmente, mas mostrou algumas falhas na
deteção de algumas vulnerabilidades específicas, maioritariamente injeções Structured Query
Language (SQL).
A imagem do Sistema Operativo com as ferramentas pré-configuradas, scripts de automação
e programas está disponível para download de [Ber16b]. Esta imagem corresponde a um dos principais resultados deste trabalho
- …