727 research outputs found
A Praise for Defensive Programming: Leveraging Uncertainty for Effective Malware Mitigation
A promising avenue for improving the effectiveness of behavioral-based
malware detectors would be to combine fast traditional machine learning
detectors with high-accuracy, but time-consuming deep learning models. The main
idea would be to place software receiving borderline classifications by
traditional machine learning methods in an environment where uncertainty is
added, while software is analyzed by more time-consuming deep learning models.
The goal of uncertainty would be to rate-limit actions of potential malware
during the time consuming deep analysis. In this paper, we present a detailed
description of the analysis and implementation of CHAMELEON, a framework for
realizing this uncertain environment for Linux. CHAMELEON offers two
environments for software: (i) standard - for any software identified as benign
by conventional machine learning methods and (ii) uncertain - for software
receiving borderline classifications when analyzed by these conventional
machine learning methods. The uncertain environment adds obstacles to software
execution through random perturbations applied probabilistically on selected
system calls. We evaluated CHAMELEON with 113 applications and 100 malware
samples for Linux. Our results showed that at threshold 10%, intrusive and
non-intrusive strategies caused approximately 65% of malware to fail
accomplishing their tasks, while approximately 30% of the analyzed benign
software to meet with various levels of disruption. With a dynamic, per-system
call threshold, CHAMELEON caused 92% of the malware to fail, and only 10% of
the benign software to be disrupted. We also found that I/O-bound software was
three times more affected by uncertainty than CPU-bound software. Further, we
analyzed the logs of software crashed with non-intrusive strategies, and found
that some crashes are due to the software bugs
Stealthy Opaque Predicates in Hardware -- Obfuscating Constant Expressions at Negligible Overhead
Opaque predicates are a well-established fundamental building block for
software obfuscation. Simplified, an opaque predicate implements an expression
that provides constant Boolean output, but appears to have dynamic behavior for
static analysis. Even though there has been extensive research regarding opaque
predicates in software, techniques for opaque predicates in hardware are barely
explored. In this work, we propose a novel technique to instantiate opaque
predicates in hardware, such that they (1) are resource-efficient, and (2) are
challenging to reverse engineer even with dynamic analysis capabilities. We
demonstrate the applicability of opaque predicates in hardware for both,
protection of intellectual property and obfuscation of cryptographic hardware
Trojans. Our results show that we are able to implement stealthy opaque
predicates in hardware with minimal overhead in area and no impact on latency
A Lightweight Intrusion Detection System for the Cluster Environment
As clusters of Linux workstations have gained in popularity, security in this environment has become increasingly important. While prevention methods such as access control can enhance the security level of a cluster system, intrusions are still possible and therefore intrusion detection and recovery methods are necessary. In this thesis, a system architecture for an intrusion detection system in a cluster environment is presented. A prototype system called pShield based on this architecture for a Linux cluster environment is described and its capability to detect unique attacks on MPI programs is demonstrated. The pShield system was implemented as a loadable kernel module that uses a neural network classifier to model normal behavior of processes. A new method for generating artificial anomalous data is described that uses a limited amount of attack data in training the neural network. Experimental results demonstrate that using this method rather than randomly generated anomalies reduces the false positive rate without compromising the ability to detect novel attacks. A neural network with a simple activation function is used in order to facilitate fast classification of new instances after training and to ease implementation in kernel space. Our goal is to classify the entire trace of a program¡¯s execution based on neural network classification of short sequences in the trace. Therefore, the effect of anomalous sequences in a trace must be accumulated. Several trace classification methods were compared. The results demonstrate that methods that use information about locality of anomalies are more effective than those that only look at the number of anomalies. The impact of pShield on system performance was evaluated on an 8-node cluster. Although pShield adds some overhead for each API for MPI communication, the experimental results show that a real world parallel computing benchmark was slowed only slightly by the intrusion detection system. The results demonstrate the effectiveness of pShield as a light-weight intrusion detection system in a cluster environment. This work is part of the Intelligent Intrusion Detection project of the Center for Computer Security Research at Mississippi State University
Cybersecurity: Past, Present and Future
The digital transformation has created a new digital space known as
cyberspace. This new cyberspace has improved the workings of businesses,
organizations, governments, society as a whole, and day to day life of an
individual. With these improvements come new challenges, and one of the main
challenges is security. The security of the new cyberspace is called
cybersecurity. Cyberspace has created new technologies and environments such as
cloud computing, smart devices, IoTs, and several others. To keep pace with
these advancements in cyber technologies there is a need to expand research and
develop new cybersecurity methods and tools to secure these domains and
environments. This book is an effort to introduce the reader to the field of
cybersecurity, highlight current issues and challenges, and provide future
directions to mitigate or resolve them. The main specializations of
cybersecurity covered in this book are software security, hardware security,
the evolution of malware, biometrics, cyber intelligence, and cyber forensics.
We must learn from the past, evolve our present and improve the future. Based
on this objective, the book covers the past, present, and future of these main
specializations of cybersecurity. The book also examines the upcoming areas of
research in cyber intelligence, such as hybrid augmented and explainable
artificial intelligence (AI). Human and AI collaboration can significantly
increase the performance of a cybersecurity system. Interpreting and explaining
machine learning models, i.e., explainable AI is an emerging field of study and
has a lot of potentials to improve the role of AI in cybersecurity.Comment: Author's copy of the book published under ISBN: 978-620-4-74421-
Techniques for the reverse engineering of banking malware
Malware attacks are a significant and frequently reported problem, adversely affecting the productivity of organisations and governments worldwide. The well-documented consequences of malware attacks include financial loss, data loss, reputation damage, infrastructure damage, theft of intellectual property, compromise of commercial negotiations, and national security risks. Mitiga-tion activities involve a significant amount of manual analysis. Therefore, there is a need for automated techniques for malware analysis to identify malicious behaviours. Research into automated techniques for malware analysis covers a wide range of activities. This thesis consists of a series of studies: an anal-ysis of banking malware families and their common behaviours, an emulated command and control environment for dynamic malware analysis, a technique to identify similar malware functions, and a technique for the detection of ransomware. An analysis of the nature of banking malware, its major malware families, behaviours, variants, and inter-relationships are provided in this thesis. In doing this, this research takes a broad view of malware analysis, starting with the implementation of the malicious behaviours through to detailed analysis using machine learning. The broad approach taken in this thesis differs from some other studies that approach malware research in a more abstract sense. A disadvantage of approaching malware research without domain knowledge, is that important methodology questions may not be considered. Large datasets of historical malware samples are available for countermea-sures research. However, due to the age of these samples, the original malware infrastructure is no longer available, often restricting malware operations to initialisation functions only. To address this absence, an emulated command and control environment is provided. This emulated environment provides full control of the malware, enabling the capabilities of the original in-the-wild operation, while enabling feature extraction for research purposes. A major focus of this thesis has been the development of a machine learn-ing function similarity method with a novel feature encoding that increases feature strength. This research develops techniques to demonstrate that the machine learning model trained on similarity features from one program can find similar functions in another, unrelated program. This finding can lead to the development of generic similar function classifiers that can be packaged and distributed in reverse engineering tools such as IDA Pro and Ghidra. Further, this research examines the use of API call features for the identi-fication of ransomware and shows that a failure to consider malware analysis domain knowledge can lead to weaknesses in experimental design. In this case, we show that existing research has difficulty in discriminating between ransomware and benign cryptographic software. This thesis by publication, has developed techniques to advance the disci-pline of malware reverse engineering, in order to minimize harm due to cyber-attacks on critical infrastructure, government institutions, and industry.Doctor of Philosoph
BINARY INSTRUMENTATION AND TRANSFORMATION FOR SOFTWARE SECURITY APPLICATIONS
The capabilities of software analysis and manipulation are crucial to counter software security threats such as malware and vulnerabilities. Binary instrumentation and transformation are the essential techniques to enable software analysis and manipulation. However, existing approaches fail to meet requirements (e.g. flexibility, transparency) specific in software security applications
- …