9 research outputs found
Π€ΠΎΡΠΌΠ°Π»ΡΠ½Π°Ρ ΠΌΠΎΠ΄Π΅Π»Ρ ΡΡΠ½ΠΊΡΠΈΠΎΠ½ΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΠΏΡΠΎΡΠ΅ΡΡΠ° Π² ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΠ΅
The article presents a formal model of the functioning of the process in the operating system, created on the basis of a subject-object approach to the separation of the main elements of the operating system. A feature of the presented model is a high-level abstraction of the interaction between the operating system processes and resources, which allows applying the obtained results to a wide range of similar systems. The use of this model is necessary for carrying out the transition from the real world object (process) to a formal model to take into account the significant properties of the behavior of the process both during the static analysis phase of a binary executable file and the dynamic phase of monitoring its implementation. The system of safe execution of code is an extension of the composition of such approaches to the detection of malicious software as the application of the formal verification method Β«Model checkingΒ» and the use of machine safety to monitor the implementation of the studied program. This system allows using in corporate information and computer networks only such software, reliability of which is confirmed by a formal mathematical proof and continuous monitoring of its execution.Π ΡΡΠ°ΡΡΠ΅ ΠΏΡΠ΅Π΄ΡΡΠ°Π²Π»Π΅Π½Π° ΡΠΎΡΠΌΠ°Π»ΡΠ½Π°Ρ ΠΌΠΎΠ΄Π΅Π»Ρ ΡΡΠ½ΠΊΡΠΈΠΎΠ½ΠΈΡΠΎΠ²Π°Π½ΠΈΡ ΠΏΡΠΎΡΠ΅ΡΡΠ° Π² ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΠ΅, ΠΏΠΎΡΡΡΠΎΠ΅Π½Π½Π°Ρ Π½Π° ΠΎΡΠ½ΠΎΠ²Π΅ ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΡ ΡΡΠ±ΡΠ΅ΠΊΡΠ½ΠΎ-ΠΎΠ±ΡΠ΅ΠΊΡΠ½ΠΎΠ³ΠΎ ΠΏΠΎΠ΄Ρ
ΠΎΠ΄Π° ΠΊ ΡΠ°Π·Π΄Π΅Π»Π΅Π½ΠΈΡ ΠΎΡΠ½ΠΎΠ²Π½ΡΡ
ΡΠ»Π΅ΠΌΠ΅Π½ΡΠΎΠ² ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΡ. ΠΡΠΎΠ±Π΅Π½Π½ΠΎΡΡΡΡ ΠΏΡΠ΅Π΄ΡΡΠ°Π²Π»Π΅Π½Π½ΠΎΠΉ ΠΌΠΎΠ΄Π΅Π»ΠΈ ΡΠ²Π»ΡΠ΅ΡΡΡ Π²ΡΡΠΎΠΊΠΎΡΡΠΎΠ²Π½Π΅Π²Π°Ρ Π°Π±ΡΡΡΠ°ΠΊΡΠΈΡ ΠΎΠΏΠΈΡΠ°Π½ΠΈΡ Π²Π·Π°ΠΈΠΌΠΎΠ΄Π΅ΠΉΡΡΠ²ΠΈΡ ΠΏΡΠΎΡΠ΅ΡΡΠ° Ρ ΡΠ΅ΡΡΡΡΠ°ΠΌΠΈ ΠΎΠΏΠ΅ΡΠ°ΡΠΈΠΎΠ½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΡ, ΡΡΠΎ ΠΏΠΎΠ·Π²ΠΎΠ»ΡΠ΅Ρ ΠΏΡΠΈΠΌΠ΅Π½ΠΈΡΡ ΠΏΠΎΠ»ΡΡΠ΅Π½Π½ΡΠ΅ Π½Π° Π΅Π΅ ΠΎΡΠ½ΠΎΠ²Π΅ ΡΠ΅Π·ΡΠ»ΡΡΠ°ΡΡ ΠΊ ΡΠΈΡΠΎΠΊΠΎΠΌΡ ΠΊΠ»Π°ΡΡΡ Π°Π½Π°Π»ΠΎΠ³ΠΈΡΠ½ΡΡ
ΡΠΈΡΡΠ΅ΠΌ. ΠΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΠ΅ Π΄Π°Π½Π½ΠΎΠΉ ΠΌΠΎΠ΄Π΅Π»ΠΈ Π½Π΅ΠΎΠ±Ρ
ΠΎΠ΄ΠΈΠΌΠΎ Π΄Π»Ρ ΡΠΎΠ²Π΅ΡΡΠ΅Π½ΠΈΡ ΠΏΠ΅ΡΠ΅Ρ
ΠΎΠ΄Π° ΠΎΡ ΡΠ΅Π°Π»ΡΠ½ΠΎΠ³ΠΎ ΠΏΡΠΎΡΠ΅ΡΡΠ° ΠΊ Π΅Π³ΠΎ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ ΠΌΠΎΠ΄Π΅Π»ΠΈ, ΠΏΠΎΠ·Π²ΠΎΠ»ΡΡΡΠ΅ΠΉ ΡΡΠΈΡΡΠ²Π°ΡΡ Π·Π½Π°ΡΠΈΠΌΡΠ΅ ΡΠ²ΠΎΠΉΡΡΠ²Π° ΠΏΠΎΠ²Π΅Π΄Π΅Π½ΠΈΡ ΠΏΡΠΎΡΠ΅ΡΡΠ° ΠΊΠ°ΠΊ Π½Π° ΡΡΠ°ΡΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΡΠ°ΠΏΠ΅ Π°Π½Π°Π»ΠΈΠ·Π° Π±ΠΈΠ½Π°ΡΠ½ΠΎΠ³ΠΎ ΠΈΡΠΏΠΎΠ»Π½ΡΠ΅ΠΌΠΎΠ³ΠΎ ΡΠ°ΠΉΠ»Π°, ΡΠ°ΠΊ ΠΈ Π½Π° Π΄ΠΈΠ½Π°ΠΌΠΈΡΠ΅ΡΠΊΠΎΠΌ ΡΡΠ°ΠΏΠ΅ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π·Π° Π΅Π³ΠΎ Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ΠΌ. ΠΡΠ΅Π΄Π»ΠΎΠΆΠ΅Π½Π° ΡΡΡΡΠΊΡΡΡΠ° ΡΠΈΡΡΠ΅ΠΌΡ Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΠ³ΠΎ ΠΈΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΡ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ³ΠΎ ΠΊΠΎΠ΄Π°, ΡΠ²Π»ΡΡΡΠ°ΡΡΡ ΡΠ°ΡΡΠΈΡΠ΅Π½Π½ΠΎΠΉ ΠΊΠΎΠΌΠΏΠΎΠ·ΠΈΡΠΈΠ΅ΠΉ ΡΠ°ΠΊΠΈΡ
ΠΏΠΎΠ΄Ρ
ΠΎΠ΄ΠΎΠ² ΠΊ ΠΎΠ±Π½Π°ΡΡΠΆΠ΅Π½ΠΈΡ Π²ΡΠ΅Π΄ΠΎΠ½ΠΎΡΠ½ΠΎΠ³ΠΎ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ³ΠΎ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΡ, ΠΊΠ°ΠΊ ΠΏΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΠ΅ ΠΌΠ΅ΡΠΎΠ΄Π° ΡΠΎΡΠΌΠ°Π»ΡΠ½ΠΎΠΉ Π²Π΅ΡΠΈΡΠΈΠΊΠ°ΡΠΈΠΈ Β«Model checkingΒ» ΠΈ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ Π°Π²ΡΠΎΠΌΠ°ΡΠ° Π±Π΅Π·ΠΎΠΏΠ°ΡΠ½ΠΎΡΡΠΈ Π΄Π»Ρ ΠΊΠΎΠ½ΡΡΠΎΠ»Ρ Π·Π° Π²ΡΠΏΠΎΠ»Π½Π΅Π½ΠΈΠ΅ΠΌ ΠΈΡΡΠ»Π΅Π΄ΡΠ΅ΠΌΠΎΠΉ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΡ. ΠΡΠΈΠΌΠ΅Π½Π΅Π½ΠΈΠ΅ Π΄Π°Π½Π½ΠΎΠΉ ΡΠΈΡΡΠ΅ΠΌΡ ΠΏΠΎΠ·Π²ΠΎΠ»ΠΈΡ ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΡ Π² ΠΊΠΎΡΠΏΠΎΡΠ°ΡΠΈΠ²Π½ΡΡ
ΠΈΠ½ΡΠΎΡΠΌΠ°ΡΠΈΠΎΠ½Π½ΠΎ-Π²ΡΡΠΈΡΠ»ΠΈΡΠ΅Π»ΡΠ½ΡΡ
ΡΠ΅ΡΡΡ
ΡΠΎΠ»ΡΠΊΠΎ ΠΏΡΠΎΠ³ΡΠ°ΠΌΠΌΠ½ΠΎΠ΅ ΠΎΠ±Π΅ΡΠΏΠ΅ΡΠ΅Π½ΠΈΠ΅, ΡΡΠΎΠ²Π΅Π½Ρ Π΄ΠΎΠ²Π΅ΡΠΈΡ ΠΊ ΠΊΠΎΡΠΎΡΠΎΠΌΡ ΠΏΠΎΠ΄ΡΠ²Π΅ΡΠΆΠ΄Π°Π΅ΡΡΡ ΡΠΎΡΠΌΠ°Π»ΡΠ½ΡΠΌ ΠΌΠ°ΡΠ΅ΠΌΠ°ΡΠΈΡΠ΅ΡΠΊΠΈΠΌ Π΄ΠΎΠΊΠ°Π·Π°ΡΠ΅Π»ΡΡΡΠ²ΠΎΠΌ ΠΈ Π½Π΅ΠΏΡΠ΅ΡΡΠ²Π½ΡΠΌ ΠΊΠΎΠ½ΡΡΠΎΠ»Π΅ΠΌ Π·Π° Π΅Π³ΠΎ ΡΡΠ½ΠΊΡΠΈΠΎΠ½ΠΈΡΠΎΠ²Π°Π½ΠΈΠ΅ΠΌ
Ensemble Learning for Low-Level Hardware-Supported Malware Detection
Abstract. Recent work demonstrated hardware-based online malware detection using only low-level features. This detector is envisioned as a first line of defense that prioritizes the application of more expensive and more accurate software detectors. Critical to such a framework is the detection performance of the hardware detector. In this paper, we explore the use of both specialized detectors and ensemble learning tech-niques to improve performance of the hardware detector. The proposed detectors reduce the false positive rate by more than half compared to a single detector, while increasing the detection rate. We also contribute approximate metrics to quantify the detection overhead, and show that the proposed detectors achieve more than 11x reduction in overhead compared to a software only detector (1.87x compared to prior work), while improving detection time. Finally, we characterize the hardware complexity by extending an open core and synthesizing it on an FPGA platform, showing that the overhead is minimal.
Feature selection and machine learning classification for malware detection
Malware is a computer security problem that can morph to evade traditional detection methods based on known signature matching. Since new malware variants contain patterns that are similar to those in observed malware, machine learning techniques can be used to identify new malware. This work presents a comparative study of several feature selection methods with four different machine learning classifiers in the context of static malware detection based on n-grams analysis. The result shows that the use of Principal Component Analysis (PCA) feature selection and Support Vector Machines (SVM) classification gives the best classification accuracy using a minimum number of feature
Machine learning classification for advanced malware detection
This introductory document discusses topics related to malware detection via the application
of machine learning algorithms. It is intended as a supplement to the published work
submitted (a complete list of which can be found in Table 1) and outlines the motivation
behind the experiments.
The document begins with the following sections:
β’ Section 2 presents a preliminary discussion of the research methodology employed.
β’ Section 3 presents the background analysis of malware detection in general, and the
use of machine learning.
β’ Section 4 provides a brief introduction of the most common machine learning
algorithms in current use.
The remaining sections present the main body of the experimental work, which lead to the
conclusions in Section 10.
β’ Section 5 analyzes different initialization strategies for machine learning models, with
a view to ensuring that the most effective training and testing strategy is employed.
Following this, a purely dynamic approach is proposed, which results in perfect
classification of the samples against benign files, and therefore provides a baseline
against which the performance of subsequent static approaches can be compared.
β’ Section 6 introduces the static-based tests, beginning with the challenging problem of
zero-day detection samples, i.e. malware samples for which not enough data has been
gathered yet to train the machine learning models.
β’ Section 7 describes the testing of several different approaches to static malware
detection. During these tests, the effectiveness of these algorithms is analyzed and
compared with other means of classification.
7
β’ Section 8 proposes and compares techniques to boost the detection accuracy by
combining the scores obtained from other detection algorithms, with a view to
improving static classification scores and thus reach the perfect detection obtained
with dynamic features.
β’ Section 9 tests the effectiveness of generic malware models by assessing the detection
effectiveness of a generic malware model trained on several different families. The
experiments are intended to introduce a more realistic scenario where a single,
comprehensive, machine learning model is used to detect several families. This
Section shows the difficulty to build a single model to detect several malware families
Recommended from our members
Architectural Support for Securing Systems Against Software Vulnerabilities
Cyberattacks are the fastest growing crime in the U.S., and they are increasing in size, sophistication, and cost. These attacks use vulnerabilities to compromise systems to leak Information (Yahoo 2016, Marriott 2018, and Facebook 2019), steal identity information (Equifax 2017), or even effecting politics (by attacking the governmental election process). Traditionally, security researchers and practitioners have viewed security as a software problem -- originating in software and to be solved by software. Recently, the Spectre and Meltdown attacks have shown that hardware should also be considered when evaluating the system security. Conversely, because many aspects of security are computationally expensive, hardware can play a role in promoting software security through computational support as well as the development of new abstractions that promote security. Under this general umbrella, the research in this dissertation pursues two research directions that demonstrate how hardware can promote software security, and how we can design hardware that is secure against Spectre and Meltdown attacks. In the first direction, security exploits and ensuant malware pose an increasing challenge to computing systems as the variety and complexity of attacks continue to increase. In response, software-based malware detection tools have grown in complexity, thus making it computationally difficult to use them to protect systems in real-time. Against this drawback, hardware-based malware detectors (HMDs) are a promising new approach to defend against malware. HMDs collect low-level architectural features and use them to classify malware from normal programs. With simple hardware support, HMDs can be always on, operating as a first line of defense that prioritizes the application of more expensive and more accurate software-detector. In this dissertation, our goal is to make HMDs practical for deployment in two ways: (1) Improving the detection accuracy of HMDs: We use specialized detectors targeted towards a specific type of malware to improve the detection of each type. Next, we use ensemble learning techniques to improve the overall accuracy by combining detectors. We explore detectors based on logistic regression (LR) and neural networks (NN). The proposed detectors reduce the false-positive rate by more than half compared to using a single detector, while increasing their sensitivity. We develop metrics to estimate detection overhead; the proposed detectors achieve more than 16.6x overhead reduction during online detection compared to an idealized software-only detector, with an 8x improvement in relative detection time. NN detectors outperform LR detectors in accuracy, overhead (by 40\%), and time-to-detection of the hardware component (by 5x). Finally, we characterize the hardware complexity by extending an open-core and synthesizing it on an FPGA platform, showing that the overhead is minimal. (2) Make them resilient to evasion attacks: we explore the question of how well evasive malware can avoid detection by HMDs. We show that existing HMDs can be effectively reverse-engineered and subsequently evaded, allowing malware to hide from detection without substantially slowing it down (which is important for certain types of malware). This result demonstrates that the current generation of HMDs can be easily defeated by evasive malware. Next, we explore how well a detector can evolve if it is exposed to this evasive malware during training. We show that simple detectors, such as logistic regression, cannot detect the evasive malware even with retraining. More sophisticated detectors can be retrained to detect evasive malware, but the retrained detectors can be reverse-engineered and evaded again. To address these limitations, we propose a new type of Resilient HMDs (RHMDs) that stochastically switch between different detectors. These detectors can be shown to be provably more difficult to reverse engineer based on resent results in probably approximately correct (PAC) learnability theory. We show that indeed such detectors are resilient to both reverse engineering and evasion, and that the resilience increases with the number and diversity of the individual detectors. Our results demonstrate that these HMDs offer effective defense against evasive malware at low additional complexity. In the second direction, the recent Spectre and Meltdown attacks show that speculative execution, which is used pervasively in modern CPUs, can leave side effects in the processor caches and other structures even when the speculated instructions do not commit and their direct effect is not visible. Therefore, they utilize this behavior to expose privileged information accessed speculatively to an unprivileged attacker. In particular, the attack forces the speculative execution of a code gadget that will carry out the illegal read, which eventually gets squashed, but which leaves a side-channel trail that can be used by the attacker to infer the value. Several attack variations are possible, allowing arbitrary exposure of the full kernel memory to an unprivileged attacker. In this dissertation, we introduce a new model (SafeSpec) for supporting speculation in a way that is immune to the side- channel leakage necessary for attacks such as Meltdown and Spectre. In particular, SafeSpec stores side effects of speculation in separate structures while the instructions are speculative. The speculative state is then either committed to the main CPU structures if the branch commits, or squashed if it does not, making all direct side effects of speculative code invisible. The solution must also address the possibility of a covert channel from speculative instructions to committed instructions before these instructions are committed (i.e., while they share the speculative state). We show that SafeSpec prevents all three variants of Spectre and Meltdown, as well as new variants that we introduce. We also develop a cycle accurate model of modified design of an x86-64 processor and show that the performance impact is negligible (in fact a small performance improvement is achieved). We build prototypes of the hardware support in a hardware description language to show that the additional overhead is acceptable. SafeSpec completely closes this class of attacks, retaining the benefits of speculation, and is practical to implement
Reading the brainβs personality: using machine learning to investigate the relationships between EEG and depressivity
Electroencephalography (EEG) measures electrical signals on the scalp and can give information about processes near the surface of the brain (cortex). The goal of our research was to create models that predict depressivity (mapping to personality in general, not just sickness) and to find potential biomarkers in EEG data. First, to provide our models with cleaner EEG data, we designed a novel single-channel physiology-based eye blink artefact removal method and a mains power noise removal method. Then, we assessed two main machine learning model types (classification- and regression-based) with a total of eighteen sub-types to predict the depressivity of participants. The models were generated by combining four signal processing techniques with a) three classification techniques, and b) three regression techniques. The experimental results showed that both types of models perform well in depressivity prediction and one regression-based model (Reg-FFT-LSBoost) showed a significant depressivity prediction performance, especially for female group. More importantly, we found that a specific EEG frequency band (the gamma band) made major contributions to depressivity prediction. Apart from that, the alpha and beta band may make modest contributions. Specific locations (T7, T8, and C3) made major contributions to depressivity prediction. Frontal locations may also have some influence. We also found that the combination of both eye statesβ EEG data showed a better depressivity prediction ability. Compared to the eyes closed data, the EEG data obtained from the state of eyes open were more suitable for assessing depressivity. In brief, the outcomes of this research provided the possibilities for translating the EEG data for depressivity measure. Furthermore, there are possibilities to extend the research to apply to other mental disordersβ prediction, such as anxiety