
    Malware variant identification using incremental clustering

    Dynamic analysis and pattern matching techniques are widely used in industry, and they provide a straightforward method for the identification of malware samples. Yara is a pattern matching technique that can use sandbox memory dumps for the identification of malware families. However, pattern matching techniques fail silently due to minor code variations, leading to unidentified malware samples. This paper presents a two-layered Malware Variant Identification using Incremental Clustering (MVIIC) process and proposes clustering of unidentified malware samples to enable the identification of malware variants and new malware families. The novel incremental clustering algorithm is used in the identification of new malware variants from the unidentified malware samples. This research shows that clustering can provide a higher level of performance than Yara rules, and that clustering is resistant to small changes introduced by malware variants. This paper proposes a hybrid approach, using Yara scanning to eliminate known malware, followed by clustering, acting in concert, to allow the identification of new malware variants. F1 score and V-Measure clustering metrics are used to evaluate our results.

    Profiling IoT botnet activity

    Undoubtedly, Internet of Things (IoT) devices have evolved into a necessity within our modern lifestyles. Nonetheless, IoT devices have proved to pose significant security risks due to their vulnerabilities and susceptibility to malware. Evidently, vulnerable IoT devices are enlisted by attackers to participate in Internet-wide botnets in order to instrument large-scale cyber-attacks and disrupt critical Internet services. Tracking these botnets is challenging due to their varying structural characteristics, and also because malicious actors continuously adopt new evasion and propagation strategies. This thesis develops the BotPro framework, a novel data-driven approach for profiling IoT botnet behaviour. BotPro provides a comprehensive approach for capturing and highlighting the behavioural properties of IoT botnets with respect to their structural and propagation properties across the global Internet. We implement the proposed framework using real-world data obtained from the measurement infrastructure that was designed in this thesis. Our measurement infrastructure gathers data from various sources, including globally distributed honeypots, regional Internet registries, global IP blacklists and routing topology. This diverse dataset forms a strong foundation for profiling IoT botnet activity, ensuring that our analysis accurately reflects behavioural patterns of botnets in real-world scenarios. BotPro encompasses diverse methods to profile IoT botnets, including information theory, statistical analysis, natural language processing, machine learning and graph theory. The framework’s results provide insights related to the structural properties as well as the evolving scanning and propagation strategies of IoT botnets. It also provides evidence of concentrated botnet activities and determines the effectiveness of widely used IP blacklists in capturing their evolving behaviour. In addition, the insights reveal the strategy adopted by IoT botnets in expanding their network and increasing their level of resilience. The results provide a compilation of the most important autonomous system (AS) attributes that frequently host IoT botnet activity, as well as a novel macroscopic view of the influence of AS-level relationships on IoT botnet propagation. Furthermore, it provides insights into the structural properties of botnet loaders with respect to the distribution of malware binaries of various strains. The insights generated by BotPro are essential to equip next-generation automated cyber threat intelligence, intrusion detection systems and anomaly detection mechanisms with enriched information regarding the evolving scanning, establishment and propagation strategies of new botnet variants. Industry will be equipped with even better ways to defend against emerging threats in the domains of cyber warfare, cyber terrorism and cybercrime. The BotPro framework provides a comprehensive platform for stakeholders, including cybersecurity researchers, security analysts and network administrators, to gain deep and meaningful insights into the sophisticated activities and behaviour exhibited by IoT botnets.

    Assessing the feasibility of phylogenetic models for classifying malicious applications

    Advisor: André Ricardo Abed Grégio
    Thesis (Doctorate) - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defended: Curitiba, 03/02/2023
    Includes references: pp. 150-170
    Area of concentration: Computer Science
    Abstract: Thousands of malicious codes are created, modified with the support of automation tools and released daily on the world wide web. Among these threats, malware are programs specifically designed to interrupt, damage, or gain unauthorized access to a system or device. To facilitate the identification and categorization of common behaviours, structures and other characteristics of malware, enabling the development of defense solutions, there are analysis strategies that classify malware into groups known as families. One of these strategies is phylogeny, a technique based on biology that investigates the historical and evolutionary relationship of a species or other group of elements. In addition, the use of clustering techniques on similar sets facilitates reverse engineering tasks for the analysis of unknown variants. A variant refers to a new version of malicious code that is created from modifications of existing malware. The present work investigates the feasibility of using phylogenies and clustering methods in the classification of malware variants for the Android platform. Initially, 82 related works were analyzed to verify the experiment configurations of the state of the art. After this study, four experiments were carried out to evaluate the use of similarity measures and clustering algorithms in the classification of variants and in the similarity analysis between families. In addition to these experiments, a Flow of Activities for Malware Grouping with five distinct phases was proposed. This flow has the purpose of helping to define parameters for clustering techniques, including similarity measures, the type of clustering algorithm to be used and feature selection. After defining the flow of activities, the Androidgyny framework was proposed, a prototype for sample analysis, feature extraction and classification of variants based on medoids (representative central elements of each group) and unique features of known families. To validate Androidgyny, two experiments were carried out: a comparison with the related tool Gefdroid and another with samples of the 25 most populous families in the Androzoo dataset.