27 research outputs found
Mining structural and behavioral patterns in smart malware
Mención Internacional en el tÃtulo de doctorFuncas. Premio Enrique Fuentes Quintana 2016.Smart devices equipped with powerful sensing, computing and networking capabilities
have proliferated lately, ranging from popular smartphones and tablets
to Internet appliances, smart TVs, and others that will soon appear (e.g., watches,
glasses, and clothes). One key feature of such devices is their ability to incorporate
third-party apps from a variety of markets. This poses strong security and privacy issues
to users and infrastructure operators, particularly through software of malicious
(or dubious) nature that can easily get access to the services provided by the device
and collect sensory data and personal information.
Malware in current smart devices—mostly smartphones and tablets—has rocketed
in the last few years, supported by sophisticated techniques (e.g., advanced
obfuscation and targeted infection and activation engines) purposely designed to
overcome security architectures currently in use by such devices. This phenomenon
is known as the proliferation of smart malware. Even though important advances
have been made on malware analysis and detection in traditional personal computers
during the last decades, adopting and adapting those techniques to smart devices
is a challenging problem. For example, power consumption is one major constraint
that makes unaffordable to run traditional detection engines on the device, while
externalized (i.e., cloud-based) techniques raise many privacy concerns.
This Thesis examines the problem of smart malware in such devices, aiming at designing and developing new approaches to assist security analysts and end users in
the analysis of the security nature of apps. We first present a comprehensive analysis
on how malware has evolved over the last years, as well as recent progress made to
analyze and detect malware. Additionally, we compile a suit of the most cutting-edge
open source tools, and we design a versatile and multipurpose research laboratory for
smart malware analysis and detection.
Second, we propose a number of methods and techniques aiming at better analyzing
smart malware in scenarios with a constant and large stream of apps that
require security inspection. More precisely, we introduce Dendroid, an effective system
based on text mining and information retrieval techniques. Dendroid uses static
analysis to measures the similarity between malware samples, which is then used to
automatically classify them into families with remarkably accuracy. Then, we present
Alterdroid, a novel dynamic analysis technique for automatically detecting hidden or
obfuscated malware functionality. Alterdroid introduces the notion of differential fault
analysis for effectively mining obfuscated malware components distributed as parts
of an app package.
Next, we present an evaluation of the power-consumption trade-offs among different
strategies for off-loading, or not, certain security tasks to the cloud. We develop
a system for testing several functional tasks and metering their power consumption
called Meterdroid. Based on the results obtained in this analysis, we then propose a
cloud-based system, called Targetdroid, that addresses the problem of detecting targeted
malware by relying on stochastic models of usage and context events derived
from real user traces. Based on these models, we build an efficient automatic testing
system capable of triggering targeted malware. Finally, based on the conclusions extracted from this Thesis, we propose a number
of open research problems and future directions where there is room for researchLos dispositivos inteligentes se han posicionado en pocos años como aparatos
altamente populares con grandes capacidades de cómputo, comunicación y
sensorización. Entre ellos se encuentran dispositivos como los teléfonos móviles inteligentes
(o smartphones), las televisiones inteligentes, o más recientemente, los
relojes, las gafas y la ropa inteligente. Una caracterÃstica clave de este tipo de dispositivos
es su capacidad para incorporar aplicaciones de terceros desde una gran
variedad de mercados. Esto plantea fuertes problemas de seguridad y privacidad para
sus usuarios y para los operadores de infraestructuras, sobre todo a través de software
de naturaleza maliciosa (o malware), el cual es capaz de acceder fácilmente a los
servicios proporcionados por el dispositivo y recoger datos sensibles de los sensores
e información personal.
En los últimos años se ha observado un incremento radical del malware atacando
a estos dispositivos inteligentes—principalmente a smartphones—y apoyado por sofisticadas
técnicas diseñadas para vencer los sistemas de seguridad implantados por
los dispositivos. Este fenómeno ha dado pie a la proliferación de malware inteligente.
Algunos ejemplos de estas técnicas inteligentes son el uso de métodos de ofuscación,
de estrategias de infección dirigidas y de motores de activación basados en el contexto.
A pesar de que en las últimos décadas se han realizado avances importantes
en el análisis y la detección de malware en los ordenadores personales, adaptar y
portar estas técnicas a los dispositivos inteligentes es un problema difÃcil de resolver. En concreto, el consumo de energÃa es una de las principales limitaciones a las que
están expuestos estos dispositivos. Dicha limitación hace inasequible el uso de motores
tradicionales de detección. Por el contrario, el uso de estrategias de detección
externalizadas (es decir, basadas en la nube) suponen una gran amenaza para la
privacidad de sus usuarios.
Esta tesis analiza el problema del malware inteligente que adolece a estos dispositivos,
con el objetivo de diseñar y desarrollar nuevos enfoques que permitan ayudar a
los analistas de seguridad y los usuarios finales en la tarea de analizar aplicaciones. En
primer lugar, se presenta un análisis exhaustivo sobre la evolución que el malware ha
seguido en los últimos años, asà como los avances más recientes enfocados a analizar
apps y detectar malware. Además, integramos y extendemos las herramientas de código
abierto más avanzadas utilizadas por la comunidad, y diseñamos un laboratorio
que permite analizar malware inteligente de forma versátil y polivalente.
En segundo lugar, se proponen una serie de técnicas dirigida a mejorar el análisis
de malware inteligente en escenarios dónde se requiere analizar importantes cantidad
de muestras. En concreto, se propone Dendroid, un sistema basado en minerÃa de
textos que permite analizar conjuntos de apps de forma eficaz. Dendroid hace uso
de análisis estático de código para extraer una medida de la similitud entre distintas
las muestras de malware. Dicha distancia permitirá posteriormente clasificar cada
muestra en su correspondiente familia de malware de forma automática y con gran
precisión. Por otro lado, se propone una técnica de análisis dinámico de código,
llamada Alterdroid, que permite detectar automáticamente funcionalidad oculta y/o
ofuscada. Alterdroid introduce la un nuevo método de análisis basado en la inyección
de fallos y el análisis diferencial del comportamiento asociado. Por último, presentamos una evaluación del consumo energético asociado a diferentes
estrategias de externalización usadas para trasladar a la nube determinadas
tareas de seguridad. Para ello, desarrollamos un sistema llamado Meterdroid que permite
probar distintas funcionalidades y medir su consumo. Basados en los resultados
de este análisis, proponemos un sistema llamado Targetdroid que hace uso de la nube
para abordar el problema de la detección de malware dirigido o especializado. Dicho
sistema hace uso de modelos estocásticos para modelar el comportamiento del usuario
asà como el contexto que les rodea. De esta forma, Targetdroid permite, además,
detectar de forma automática malware dirigido por medio de estos modelos.
Para finalizar, a partir de las conclusiones extraÃdas en esta Tesis, identificamos
una serie de lÃneas de investigación abiertas y trabajos futuros basados.Programa Oficial de Doctorado en Ciencia y TecnologÃa InformáticaPresidente: Francisco Javier López Muñoz.- Secretario: Jesús GarcÃa Herrero.- Vocal: Nadarajah Asoka
Toward Reliable, Secure, and Energy-Efficient Multi-Core System Design
Computer hardware researchers have perennially focussed on improving the performance of computers while stipulating the energy consumption under a strict budget. While several innovations over the years have led to high performance and energy efficient computers, more challenges have also emerged as a fallout. For example, smaller transistor devices in modern multi-core systems are afflicted with several reliability and security concerns, which were inconceivable even a decade ago. Tackling these bottlenecks happens to negatively impact the power and performance of the computers. This dissertation explores novel techniques to gracefully solve some of the pressing challenges of the modern computer design. Specifically, the proposed techniques improve the reliability of on-chip communication fabric under a high power supply noise, increase the energy-efficiency of low-power graphics processing units, and demonstrate an unprecedented security loophole of the low-power computing paradigm through rigorous hardware-based experiments
MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention
Android users are constantly threatened by an increasing number of malicious applications (apps), generically called malware. Malware constitutes a serious threat to user privacy, money, device and file integrity. In this paper we note that, by studying their actions, we can classify malware into a small number of behavioral classes, each of which performs a limited set of misbehaviors that characterize them. These misbehaviors can be defined by monitoring features belonging to different Android levels. In this paper we present MADAM, a novel host-based malware detection system for Android devices which simultaneously analyzes and correlates features at four levels: kernel, application, user and package, to detect and stop malicious behaviors. MADAM has been designed to take into account those behaviors characteristics of almost every real malware which can be found in the wild. MADAM detects and effectively blocks more than 96% of malicious apps, which come from three large datasets with about 2,800 apps, by exploiting the cooperation of two parallel classifiers and a behavioral signature-based detector. Extensive experiments, which also includes the analysis of a testbed of 9,804 genuine apps, have been conducted to show the low false alarm rate, the negligible performance overhead and limited battery consumption
Evaluation Methodologies in Software Protection Research
Man-at-the-end (MATE) attackers have full control over the system on which
the attacked software runs, and try to break the confidentiality or integrity
of assets embedded in the software. Both companies and malware authors want to
prevent such attacks. This has driven an arms race between attackers and
defenders, resulting in a plethora of different protection and analysis
methods. However, it remains difficult to measure the strength of protections
because MATE attackers can reach their goals in many different ways and a
universally accepted evaluation methodology does not exist. This survey
systematically reviews the evaluation methodologies of papers on obfuscation, a
major class of protections against MATE attacks. For 572 papers, we collected
113 aspects of their evaluation methodologies, ranging from sample set types
and sizes, over sample treatment, to performed measurements. We provide
detailed insights into how the academic state of the art evaluates both the
protections and analyses thereon. In summary, there is a clear need for better
evaluation methodologies. We identify nine challenges for software protection
evaluations, which represent threats to the validity, reproducibility, and
interpretation of research results in the context of MATE attacks
Cybersecurity Games: Mathematical Approaches for Cyber Attack and Defense Modeling
Cyber-attacks targeting individuals and enterprises have become a predominant part of the computer/information age. Such attacks are becoming more sophisticated and prevalent on a day-to-day basis. The exponential growth of cyber plays and cyber players necessitate the inauguration of new methods and research for better understanding the cyber kill chain, particularly with the rise of advanced and novel malware and the extraordinary growth in the population of Internet residents, especially connected Internet of Things (IoT) devices.
Mathematical modeling could be used to represent real-world cyber-attack situations. Such models play a beneficial role when it comes to the secure design and evaluation of systems/infrastructures by providing a better understanding of the threat itself and the attacker\u27s conduct during the lifetime of a cyber attack. Therefore, the main goal of this dissertation is to construct a proper theoretical framework to be able to model and thus evaluate the defensive strategies/technologies\u27 effectiveness from a security standpoint.
To this end, we first present a Markov-based general framework to model the interactions between the two famous players of (network) security games, i.e., a system defender and an attacker taking actions to reach its attack objective(s) in the game. We mainly focus on the most significant and tangible aspects of sophisticated cyber attacks: (1) the amount of time it takes for the adversary to accomplish its mission and (2) the success probabilities of fulfilling the attack objective(s) by translating attacker-defender interactions into well-defined games and providing rigorous cryptographic security guarantees for a system given both players\u27 tactics and strategies.
We study various attack-defense scenarios, including Moving Target Defense (MTD) strategies, multi-stage attacks, and Advanced Persistent Threats (APT). We provide general theorems about how the probability of a successful adversary defeating a defender’s strategy is related to the amount of time (or any measure of cost) spent by the adversary in such scenarios. We also introduce the notion of learning in cybersecurity games and describe a general game of consequences meaning that each player\u27s chances of making a progressive move in the game depend on its previous actions.
Finally, we walk through a malware propagation and botnet construction game in which we investigate the importance of defense systems\u27 learning rates to fight against the self-propagating class of malware such as worms and bots. We introduce a new propagation modeling and containment strategy called the learning-based model and study the containment criterion for the propagation of the malware based on theoretical and simulation analysis
Recommended from our members
Investigating Android permissions and intents for malware detection
Today’s smart phones are used for wider range of activities. This extended range of functionalities has also seen the infiltration of new security threats. Android has been the favorite target of cyber criminals. The malicious parties are using highly stealthy techniques to perform the targeted operations, which are hard to detect by the conventional signature and behaviour based approaches. Additionally, the limited resources of mobile device are inadequate to perform the extensive malware detection tasks. Impulsively emerging Android malware merit a robust and effective malware detection solution.
In this thesis, we present the PIndroid ― a novel Permissions and Intents based framework for identifying Android malware apps. To the best of author’s knowledge, PIndroid is the first solution that uses a combination of permissions and intents supplemented with ensemble methods for malware detection. It overcomes the drawbacks of some of the existing malware detection methods. Our goal is to provide mobile users with an effective malware detection and prevention solution keeping in view the limited resources of mobile devices and versatility of malware behavior. Our detection engine classifies the apps against certain distinguishing combinations of permissions and intents. We conducted a comparative study of different machine learning algorithms against several performance measures to demonstrate their relative advantages. The proposed approach, when applied to 1,745 real world applications, provides more than 99% accuracy (which is best reported to date). Empirical results suggest that the proposed framework is effective in detection of malware apps including the obfuscated ones.
In this thesis, we also present AndroPIn—an Android based malware detection algorithm using Permissions and Intents. It is designed with the methodology proposed in PInDroid. AndroPIn overcomes the limitation of stealthy techniques used by malware by exploiting the usage pattern of permissions and intents. These features, which play a major role in sharing user data and device resources cannot be obfuscated or altered. These vital features are well suited for resource constrained smartphones. Experimental evaluation on a corpus of real-world malware and benign apps demonstrate that the proposed algorithm can effectively detect malicious apps and is resilient to common obfuscations methods.
Besides PInDroid and AndroPIn, this thesis consists of three additional studies, which supplement the proposed methodology. First study investigates if there is any correlation between permissions and intents which can be exploited to detect malware apps. For this, the statistical significance test is applied to investigate the correlation between permissions and intents. We found statistical evidence of a strong correlation between permissions and intents which could be exploited to detect malware applications.
The second study is conducted to investigate if the performance of classifiers can further be improved with ensemble learning methods. We applied different ensemble methods such as bagging, boosting and stacking. The experiments with ensemble methods yielded much improved results.
The third study is related to investigating if the permissions and intents based system can be used to detect the ever challenging colluding apps. Application collusion is an emerging threat to Android based devices. We discuss the current state of research on app collusion and open challenges to the detection of colluding apps. We compare existing approaches and present an integrated approach that can be used to detect the malicious app collusion
Intelligent Agents for Active Malware Analysis
The main contribution of this thesis is to give a novel perspective on Active Malware Analysis modeled as a decision making process between intelligent agents. We propose solutions aimed at extracting the behaviors of malware agents with advanced Artificial Intelligence techniques. In particular, we devise novel action selection strategies for the analyzer agents that allow to analyze malware by selecting sequences of triggering actions aimed at maximizing the information acquired. The goal is to create informative models representing the behaviors of the malware agents observed while interacting with them during the analysis process. Such models can then be used to effectively compare a malware against others and to correctly identify the malware famil