65 research outputs found

    Partial Evaluation for Java Malware Detection

    The fact that Java is platform independent gives hackers the opportunity to write exploits that can target users on any platform that has a JVM implementation. Metasploit is a well-known source of Java exploits and to circumvent detection by Anti Virus (AV) software, obfuscation techniques are routinely applied to make an exploit more difficult to recognise. Popular obfuscation techniques for Java include string obfuscation and applying reflection to hide method calls; two techniques that can either be used together or independently. This paper shows how to apply partial evaluation to remove these obfuscations and thereby improve AV matching. The paper presents a partial evaluator for Jimple, which is a typed three-address code suitable for optimisation and program analysis, and also demonstrates how the residual Jimple code, when transformed back into Java, improves the detection rates of a number of commercial AV products.

    Using Verification Technology to Specify and Detect Malware

    Computer viruses and worms are major threats for our computer infrastructure, and thus, for economy and society at large. Recent work has demonstrated that a model checking based approach to malware detection can capture the semantics of security exploits more accurately than traditional approaches, and consequently achieve higher detection rates. In this approach, malicious behavior is formalized using the expressive specification language CTPL based on classic CTL. This paper gives an overview of our toolchain for malware detection and presents our new system for computer assisted generation of malicious code specifications.

    A Semantics-Based Approach to Malware Detection

    Malware detection is a crucial aspect of software security. Current malware detectors work by checking for signatures, which attempt to capture the syntactic characteristics of the machine-level byte sequence of the malware. This reliance on a syntactic approach makes current detectors vulnerable to code obfuscations, increasingly used by malware writers, that alter the syntactic properties of the malware byte sequence without significantly affecting their execution behavior. This paper takes the position that the key to malware identification lies in their semantics. It proposes a semantics-based framework for reasoning about malware detectors and proving properties such as soundness and completeness of these detectors. Our approach uses a trace semantics to characterize the behavior of malware as well as that of the program being checked for infection, and uses abstract interpretation to "hide" irrelevant aspects of these behaviors. As a concrete application of our approach, we show that (1) standard signature matching detection schemes are generally sound but not complete, (2) the semantics-aware malware detector proposed by Christodorescu et al. is complete with respect to a number of common obfuscations used by malware writers and (3) the malware detection scheme proposed by Kinder et al. and based on standard model-checking techniques is sound in general and complete on some, but not all, obfuscations handled by the semantics-aware malware detector.

    Markov modeling of moving target defense games

    We introduce a Markov-model-based framework for Moving Target Defense (MTD) analysis. The framework allows modeling of a broad range of MTD strategies, provides general theorems about how the probability of a successful adversary defeating an MTD strategy is related to the amount of time/cost spent by the adversary, and shows how a multi-level composition of MTD strategies can be analyzed by a straightforward combination of the analysis for each one of these strategies. Within the proposed framework we define the concept of security capacity which measures the strength or effectiveness of an MTD strategy: the security capacity depends on MTD specific parameters and more general system parameters. We apply our framework to two concrete MTD strategies.

    Sex- and age-related differences in the management and outcomes of chronic heart failure: an analysis of patients from the ESC HFA EORP Heart Failure Long-Term Registry

    Aims: This study aimed to assess age- and sex-related differences in management and 1-year risk for all-cause mortality and hospitalization in chronic heart failure (HF) patients. Methods and results: Of 16 354 patients included in the European Society of Cardiology Heart Failure Long-Term Registry, 9428 chronic HF patients were analysed [median age: 66 years; 28.5% women; mean left ventricular ejection fraction (LVEF) 37%]. Rates of use of guideline-directed medical therapy (GDMT) were high (angiotensin-converting enzyme inhibitors/angiotensin receptor blockers, beta-blockers and mineralocorticoid receptor antagonists: 85.7%, 88.7% and 58.8%, respectively). Crude GDMT utilization rates were lower in women than in men (all differences: P ≤ 0.001), and GDMT use became lower with ageing in both sexes, at baseline and at 1-year follow-up. Sex was not an independent predictor of GDMT prescription; however, age >75 years was a significant predictor of GDMT underutilization. Rates of all-cause mortality were lower in women than in men (7.1% vs. 8.7%; P = 0.015), as were rates of all-cause hospitalization (21.9% vs. 27.3%; P\ua075 years. Conclusions: There was a decline in GDMT use with advanced age in both sexes. Sex was not an independent predictor of GDMT or adverse outcomes. However, age >75 years independently predicted lower GDMT use and higher all-cause mortality in patients with LVEF ≤45%.

    2023 ESC Guidelines for the management of cardiovascular disease in patients with diabetes


    World Congress Integrative Medicine & Health 2017: Part one


    Detecting System Emulators
