Survey on representation techniques for malware detection system

Malicious programs are malignant software’s designed by hackers or cyber offenders with a harmful intent to disrupt computer operation. In various researches, we found that the balance between designing an accurate architecture that can detect the malware and track several advanced techniques that malware creators apply to get variants of malware are always a difficult line. Hence the study of malware detection techniques has become more important and challenging within the security field. This review paper provides a detailed discussion and full reviews for various types of malware, malware detection techniques, various researches on them, malware analysis methods and different dynamic programmingbased tools that could be used to represent the malware sampled. We have provided a comprehensive bibliography in malware detection, its techniques and analysis methods for malware researchers

Dissection of Modern Malicious Software

The exponential growth of the number of malicious software samples, known by malware in the specialized literature, constitutes nowadays one of the major concerns of cyber-security professionals. The objectives of the creators of this type of malware are varied, and the means used to achieve them are getting increasingly sophisticated. The increase of the computation and storage resources, as well as the globalization have been contributing to this growth, and fueling an entire industry dedicated to developing, selling and improving systems or solutions for securing, recovering, mitigating and preventing malware related incidents. The success of these systems typically depends of detailed analysis, often performed by humans, of malware samples captured in the wild. This analysis includes the search for patterns or anomalous behaviors that may be used as signatures to identify or counter-attack these threats. This Master of Science (Ms.C.) dissertation addresses problems related with dissecting and analyzing malware. The main objectives of the underlying work were to study and understand the techniques used by this type of software nowadays, as well as the methods that are used by specialists on that analysis, so as to conduct a detailed investigation and produce structured documentation for at least one modern malware sample. The work was mostly focused in malware developed for the Operating Systems (OSs) of the Microsoft Windows family for desktops. After a brief study of the state of the art, the dissertation presents the classifications applied to malware, which can be found in the technical literature on the area, elaborated mainly by an industry community or seller of a security product. The structuring of the categories is nonetheless the result of an effort to unify or complete different classifications. The families of some of the most popular or detected malware samples are also presented herein, initially in a tabular form and, subsequently, via a genealogical tree, with some of the variants of each previously described family. This tree provides an interesting perspective over malware and is one of the contributions of this programme. Within the context of the description of functionalities and behavior of malware, some advanced techniques, with which modern specimens of this type of software are equipped to ease their propagation and execution, while hindering their detection, are then discussed with more detail. The discussion evolves to the presentation of the concepts related to the detection and defense against modern malware, along with a small introduction to the main subject of this work. The analysis and dissection of two samples of malware is then the subject of the final chapters of the dissertation. A basic static analysis is performed to the malware known as Stuxnet, while the Trojan Banker known as Tinba/zuzy is subdued to both basic and advanced dynamic analysis. The results of this part of the work emphasize difficulties associated with these tasks and the sophistication and dangerous level of samples under investigation.O crescimento exponencial do número de amostras de software malicioso, conhecido na gíria informática como malware, constitui atualmente uma das maiores preocupações dos profissionais de cibersegurança. São vários os objetivos dos criadores deste tipo de software e a forma cada vez mais sofisticada como os mesmos são alcançados. O aumento da computação e capacidade de armazenamento, bem como a globalização, têm contribuído para este crescimento, e têm alimentado toda uma indústria dedicada ao desenvolvimento, venda e melhoramento de sistemas ou soluções de segurança, recuperação, mitigação e prevenção de incidentes relacionados com malware. O sucesso destes sistemas depende normalmente da análise detalhada, feita muitas vezes por humanos, de peças de malware capturadas no seu ambiente de atuação. Esta análise compreende a procura de padrões ou de comportamentos anómalos que possam servir de assinatura para identificar ou contra-atacar essas ameaças. Esta dissertação aborda a problemática da análise e dissecação de malware. O trabalho que lhe está subjacente tinha como objetivos estudar e compreender as técnicas utilizadas por este tipo de software hoje em dia, bem como as que são utilizadas por especialistas nessa análise, de forma a conduzir uma investigação detalhada e a produzir documentação estruturada sobre pelo menos uma amostra de malware moderna. O trabalho focou-se, sobretudo, em malware desenvolvido para os sistemas operativos da família Microsoft Windows para computadores de secretária. Após um breve estudo ao estado da arte, a dissertação apresenta as classificações de malware encontradas na literatura técnica da especialidade, principalmente usada pela indústria, resultante de um esforço de unificação das mesmas. São também apresentadas algumas das famílias de malware mais detetadas da atualidade, inicialmente através de uma tabela e, posteriormente, através de uma árvore geneológica, com algumas das variantes de cada uma das famílias descritas previamente. Esta árvore fornece uma perspetiva interessante sobre malware e constitui uma das contribuições deste programa de mestrado. Ainda no âmbito da descrição de funcionalidades e comportamentos do malware, são expostas, com algum detalhe, algumas técnicas avançadas com as quais os programas maliciosos mais modernos são por vezes munidos com o intuito a facilitar a sua propagação e execução, dificultando a sua deteção. A descrição evolui para a apresentação dos conceitos adjacentes à deteção e combate ao malware moderno, assim como para uma pequena introdução ao tema principal deste trabalho. A análise e dissecação de duas amostras de malware moderno surgem nos capítulos finais da dissertação. Ao malware conhecido por Stuxnet é feita a análise básica estática, enquanto que ao Trojan Banker Tinba/zusy é feita e demonstrada a análise dinâmica básica e avançada. Os resultados desta parte são demonstrativos do grau de sofisticação e perigosidade destas amostras e das dificuldades associadas a estas tarefas

Infrastructure as Code for Cybersecurity Training

An organization\u27s infrastructure rests upon the premise that cybersecurity professionals have specific knowledge in administrating and protecting it against outside threats. Without this expertise, sensitive information could be leaked to malicious actors and cause damage to critical systems. These attacks tend to become increasingly specialized, meaning cybersecurity professionals must ensure proficiency in specific areas. Naturally, recommendations include creating advanced practical training scenarios considering realistic situations to help trainees gain detailed knowledge. However, the caveats of high-cost infrastructure and difficulties in the deployment process of this kind of system, primarily due to the manual process of pre-configuring software needed for the training and relying on a set of static Virtual Machines, may take much work to circumvent. In order to facilitate this process, our work addresses the use of Infrastructure as Code (IaC) and DevOps to automate the deployment of cyber ranges. An approach closely related to virtualization and containerization as the code\u27s underlying infrastructure helps lay down this burden. Notably, placing emphasis on using IaC tools like Ansible eases the process of configuration management and provisioning of a network. Therefore, we start by focusing on understanding what the State of the Art perspectives lack and showcasing the benefits of this new working outlook. Lastly, we explore several up-to-date vulnerabilities that are constantly messing with the lives of individuals and organizations, most related to Privilege Escalation, Remote Code Execution attacks, and Incident Forensics, allowing the improvement of skills concerning Red team and Blue team scenarios. The analysis of the attacks and exploitation of such vulnerabilities are carried out safely due to a sandbox environment. The expected results revolve around using IaC to deploy a set of purposely-designed cyber ranges with specific challenges. The main objective is to guarantee a complexity of scenarios similar to what we can observe in enterprise-level networks. Thus, this entails having a set of playbooks that can be run in a machine or laboratory, assuring the final state of the network is consistent. We expect this deployment strategy to be cost-effective, allowing the trainee to get deep insight into a wide range of situations. Nowadays, DevOps solutions work as a silver bullet against the issues derived from old-case-driven approaches for setting up scenarios. In short, one of the key takeaways of this work is contributing to better prepare specialists in ensuring that the principles of the National Institute of Standards and Technology (NIST) Cybersecurity Framework hold, namely: prevent, detect, mitigate, and recover