Biblio

Found 237 results

Filters: Keyword is Malware  [Clear All Filters]
2020-05-18
Thejaswini, S, Indupriya, C.  2019.  Big Data Security Issues and Natural Language Processing. 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI). :1307–1312.
Whenever we talk about big data, the concern is always about the security of the data. In recent days the most heard about technology is the Natural Language Processing. This new and trending technology helps in solving the ever ending security problems which are not completely solved using big data. Starting with the big data security issues, this paper deals with addressing the topics related to cyber security and information security using the Natural Language Processing technology. Including the well-known cyber-attacks such as phishing identification and spam detection, this paper also addresses issues on information assurance and security such as detection of Advanced Persistent Threat (APT) in DNS and vulnerability analysis. The goal of this paper is to provide the overview of how natural language processing can be used to address cyber security issues.
2020-02-17
Skopik, Florian, Filip, Stefan.  2019.  Design principles for national cyber security sensor networks: Lessons learned from small-scale demonstrators. 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). :1–8.
The timely exchange of information on new threats and vulnerabilities has become a cornerstone of effective cyber defence in recent years. Especially national authorities increasingly assume their role as information brokers through national cyber security centres and distribute warnings on new attack vectors and vital recommendations on how to mitigate them. Although many of these initiatives are effective to some degree, they also suffer from severe limitations. Many steps in the exchange process require extensive human involvement to manually review, vet, enrich, analyse and distribute security information. Some countries have therefore started to adopt distributed cyber security sensor networks to enable the automatic collection, analysis and preparation of security data and thus effectively overcome limiting scalability factors. The basic idea of IoC-centric cyber security sensor networks is that the national authorities distribute Indicators of Compromise (IoCs) to organizations and receive sightings in return. This effectively helps them to estimate the spreading of malware, anticipate further trends of spreading and derive vital findings for decision makers. While this application case seems quite simple, there are some tough questions to be answered in advance, which steer the further design decisions: How much can the monitored organization be trusted to be a partner in the search for malware? How much control of the scanning process should be delegated to the organization? What is the right level of search depth? How to deal with confidential indicators? What can be derived from encrypted traffic? How are new indicators distributed, prioritized, and scan targets selected in a scalable manner? What is a good strategy to re-schedule scans to derive meaningful data on trends, such as rate of spreading? This paper suggests a blueprint for a sensor network and raises related questions, outlines design principles, and discusses lessons learned from small-scale pilots.
2020-04-17
Burgess, Jonah, Carlin, Domhnall, O'Kane, Philip, Sezer, Sakir.  2019.  MANiC: Multi-step Assessment for Crypto-miners. 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). :1—8.
Modern Browsers have become sophisticated applications, providing a portal to the web. Browsers host a complex mix of interpreters such as HTML and JavaScript, allowing not only useful functionality but also malicious activities, known as browser-hijacking. These attacks can be particularly difficult to detect, as they usually operate within the scope of normal browser behaviour. CryptoJacking is a form of browser-hijacking that has emerged as a result of the increased popularity and profitability of cryptocurrencies, and the introduction of new cryptocurrencies that promote CPU-based mining. This paper proposes MANiC (Multi-step AssessmeNt for Crypto-miners), a system to detect CryptoJacking websites. It uses regular expressions that are compiled in accordance with the API structure of different miner families. This allows the detection of crypto-mining scripts and the extraction of parameters that could be used to detect suspicious behaviour associated with CryptoJacking. When MANiC was used to analyse the Alexa top 1m websites, it detected 887 malicious URLs containing miners from 11 different families and demonstrated favourable results when compared to related CryptoJacking research. We demonstrate that MANiC can be used to provide insights into this new threat, to identify new potential features of interest and to establish a ground-truth dataset, assisting future research.
2020-01-20
He, Zecheng, Raghavan, Aswin, Hu, Guangyuan, Chai, Sek, Lee, Ruby.  2019.  Power-Grid Controller Anomaly Detection with Enhanced Temporal Deep Learning. 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). :160–167.
Controllers of security-critical cyber-physical systems, like the power grid, are a very important class of computer systems. Attacks against the control code of a power-grid system, especially zero-day attacks, can be catastrophic. Earlier detection of the anomalies can prevent further damage. However, detecting zero-day attacks is extremely challenging because they have no known code and have unknown behavior. Furthermore, if data collected from the controller is transferred to a server through networks for analysis and detection of anomalous behavior, this creates a very large attack surface and also delays detection. In order to address this problem, we propose Reconstruction Error Distribution (RED) of Hardware Performance Counters (HPCs), and a data-driven defense system based on it. Specifically, we first train a temporal deep learning model, using only normal HPC readings from legitimate processes that run daily in these power-grid systems, to model the normal behavior of the power-grid controller. Then, we run this model using real-time data from commonly available HPCs. We use the proposed RED to enhance the temporal deep learning detection of anomalous behavior, by estimating distribution deviations from the normal behavior with an effective statistical test. Experimental results on a real power-grid controller show that we can detect anomalous behavior with high accuracy (\textbackslashtextgreater99.9%), nearly zero false positives and short (\textbackslashtextless; 360ms) latency.
2020-02-26
Bhatnagar, Dev, Som, Subhranil, Khatri, Sunil Kumar.  2019.  Advance Persistant Threat and Cyber Spying - The Big Picture, Its Tools, Attack Vectors and Countermeasures. 2019 Amity International Conference on Artificial Intelligence (AICAI). :828–839.

Advance persistent threat is a primary security concerns to the big organizations and its technical infrastructure, from cyber criminals seeking personal and financial information to state sponsored attacks designed to disrupt, compromising infrastructure, sidestepping security efforts thus causing serious damage to organizations. A skilled cybercriminal using multiple attack vectors and entry points navigates around the defenses, evading IDS/Firewall detection and breaching the network in no time. To understand the big picture, this paper analyses an approach to advanced persistent threat by doing the same things the bad guys do on a network setup. We will walk through various steps from foot-printing and reconnaissance, scanning networks, gaining access, maintaining access to finally clearing tracks, as in a real world attack. We will walk through different attack tools and exploits used in each phase and comparative study on their effectiveness, along with explaining their attack vectors and its countermeasures. We will conclude the paper by explaining the factors which actually qualify to be an Advance Persistent Threat.

2020-02-10
Ding, Steven H. H., Fung, Benjamin C. M., Charland, Philippe.  2019.  Asm2Vec: Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization. 2019 IEEE Symposium on Security and Privacy (SP). :472–489.

Reverse engineering is a manually intensive but necessary technique for understanding the inner workings of new malware, finding vulnerabilities in existing systems, and detecting patent infringements in released software. An assembly clone search engine facilitates the work of reverse engineers by identifying those duplicated or known parts. However, it is challenging to design a robust clone search engine, since there exist various compiler optimization options and code obfuscation techniques that make logically similar assembly functions appear to be very different. A practical clone search engine relies on a robust vector representation of assembly code. However, the existing clone search approaches, which rely on a manual feature engineering process to form a feature vector for an assembly function, fail to consider the relationships between features and identify those unique patterns that can statistically distinguish assembly functions. To address this problem, we propose to jointly learn the lexical semantic relationships and the vector representation of assembly functions based on assembly code. We have developed an assembly code representation learning model \textbackslashemphAsm2Vec. It only needs assembly code as input and does not require any prior knowledge such as the correct mapping between assembly functions. It can find and incorporate rich semantic relationships among tokens appearing in assembly code. We conduct extensive experiments and benchmark the learning model with state-of-the-art static and dynamic clone search approaches. We show that the learned representation is more robust and significantly outperforms existing methods against changes introduced by obfuscation and optimizations.

2019-12-16
Zubarev, Dmytro, Skarga-Bandurova, Inna.  2019.  Cross-Site Scripting for Graphic Data: Vulnerabilities and Prevention. 2019 10th International Conference on Dependable Systems, Services and Technologies (DESSERT). :154–160.

In this paper, we present an overview of the problems associated with the cross-site scripting (XSS) in the graphical content of web applications. The brief analysis of vulnerabilities for graphical files and factors responsible for making SVG images vulnerable to XSS attacks are discussed. XML treatment methods and their practical testing are performed. As a result, the set of rules for protecting the graphic content of the websites and prevent XSS vulnerabilities are proposed.

2020-02-26
Matin, Iik Muhamad Malik, Rahardjo, Budi.  2019.  Malware Detection Using Honeypot and Machine Learning. 2019 7th International Conference on Cyber and IT Service Management (CITSM). 7:1–4.

Malware is one of the threats to information security that continues to increase. In 2014 nearly six million new malware was recorded. The highest number of malware is in Trojan Horse malware while in Adware malware is the most significantly increased malware. Security system devices such as antivirus, firewall, and IDS signature-based are considered to fail to detect malware. This happens because of the very fast spread of computer malware and the increasing number of signatures. Besides signature-based security systems it is difficult to identify new methods, viruses or worms used by attackers. One other alternative in detecting malware is to use honeypot with machine learning. Honeypot can be used as a trap for packages that are suspected while machine learning can detect malware by classifying classes. Decision Tree and Support Vector Machine (SVM) are used as classification algorithms. In this paper, we propose architectural design as a solution to detect malware. We presented the architectural proposal and explained the experimental method to be used.

2019-06-24
Ijaz, M., Durad, M. H., Ismail, M..  2019.  Static and Dynamic Malware Analysis Using Machine Learning. 2019 16th International Bhurban Conference on Applied Sciences and Technology (IBCAST). :687–691.

Malware detection is an indispensable factor in security of internet oriented machines. The combinations of different features are used for dynamic malware analysis. The different combinations are generated from APIs, Summary Information, DLLs and Registry Keys Changed. Cuckoo sandbox is used for dynamic malware analysis, which is customizable, and provide good accuracy. More than 2300 features are extracted from dynamic analysis of malware and 92 features are extracted statically from binary malware using PEFILE. Static features are extracted from 39000 malicious binaries and 10000 benign files. Dynamically 800 benign files and 2200 malware files are analyzed in Cuckoo Sandbox and 2300 features are extracted. The accuracy of dynamic malware analysis is 94.64% while static analysis accuracy is 99.36%. The dynamic malware analysis is not effective due to tricky and intelligent behaviours of malwares. The dynamic analysis has some limitations due to controlled network behavior and it cannot be analyzed completely due to limited access of network.

2020-03-09
Joseph, Linda, Mukesh, Rajeswari.  2019.  To Detect Malware attacks for an Autonomic Self-Heal Approach of Virtual Machines in Cloud Computing. 2019 Fifth International Conference on Science Technology Engineering and Mathematics (ICONSTEM). 1:220–231.

Cloud Computing as of large is evolving at a faster pace with an ever changing set of cloud services. The amenities in the cloud are all enabled with respect to the public cloud services in their own enormous domain aspects commercially, which tend to be more insecure. These cloud services should be thus protected and secured which is very vital to the cloud infrastructures. Therefore, in this research work, we have identified security features with a self-heal approach that could be rendered on the infrastructure as a service (IaaS) in a private cloud environment. We have investigated the attack model from the virtual machine snapshots and have analyzed based on the supervised machine learning techniques. The virtual machines memory snapshots API call sequences are considered as input for the supervised and unsupervised machine learning algorithms to classify the attacked and the un-attacked virtual machine memory snapshots. The obtained set of the attacked virtual machine memory snapshots are given as input to the self-heal algorithm which is enabled to retrieve back the functionality of the virtual machines. Our method of detecting the malware attains about 93% of accuracy with respect to the virtual machine snapshots.

2019-09-11
[Anonymous].  2019.  El Paso and Dayton Tragedy-Related Scams and Malware Campaigns. CISA.

In the wake of the recent shootings in El Paso, TX, and Dayton, OH, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to watch out for possible malicious cyber activity seeking to capitalize on these tragic events. Users should exercise caution in handling emails related to the shootings, even if they appear to originate from trusted sources. It is common for hackers to try to capitalize on horrible events that occur to perform phishing attacks.

2020-06-01
Vishwakarma, Ruchi, Jain, Ankit Kumar.  2019.  A Honeypot with Machine Learning based Detection Framework for defending IoT based Botnet DDoS Attacks. 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI). :1019–1024.
With the tremendous growth of IoT botnet DDoS attacks in recent years, IoT security has now become one of the most concerned topics in the field of network security. A lot of security approaches have been proposed in the area, but they still lack in terms of dealing with newer emerging variants of IoT malware, known as Zero-Day Attacks. In this paper, we present a honeypot-based approach which uses machine learning techniques for malware detection. The IoT honeypot generated data is used as a dataset for the effective and dynamic training of a machine learning model. The approach can be taken as a productive outset towards combatting Zero-Day DDoS Attacks which now has emerged as an open challenge in defending IoT against DDoS Attacks.
2020-02-17
Biswal, Satya Ranjan, Swain, Santosh Kumar.  2019.  Model for Study of Malware Propagation Dynamics in Wireless Sensor Network. 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI). :647–653.
Wireless Sensor Network (WSN) faces critical security challenges due to malware(worm, virus, malicious code etc.) attack. When a single node gets compromised by malware then start to spread in entire sensor network through neighboring sensor nodes. To understand the dynamics of malware propagation in WSN proposed a Susceptible-Exposed-Infectious-Recovered-Dead (SEIRD) model. This model used the concept of epidemiology. The model focused on early detection of malicious signals presence in the network and accordingly application of security mechanism for its removal. The early detection method helps in controlling of malware spread and reduce battery consumption of sensor nodes. In this paper study the dynamics of malware propagation and stability analysis of the system. In epidemiology basic reproduction number is a crucial parameter which is used for the determination of malware status in the system. The expression of basic reproduction number has been obtained. Analyze the propagation dynamics and compared with previous model. The proposed model provides improved security mechanism in comparison to previous one. The extensive simulation results conform the analytical investigation and accuracy of proposed model.
2020-03-12
Park, Sean, Gondal, Iqbal, Kamruzzaman, Joarder, Zhang, Leo.  2019.  One-Shot Malware Outbreak Detection Using Spatio-Temporal Isomorphic Dynamic Features. 2019 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). :751–756.

Fingerprinting the malware by its behavioural signature has been an attractive approach for malware detection due to the homogeneity of dynamic execution patterns across different variants of similar families. Although previous researches show reasonably good performance in dynamic detection using machine learning techniques on a large corpus of training set, decisions must be undertaken based upon a scarce number of observable samples in many practical defence scenarios. This paper demonstrates the effectiveness of generative adversarial autoencoder for dynamic malware detection under outbreak situations where in most cases a single sample is available for training the machine learning algorithm to detect similar samples that are in the wild.

2020-03-27
Walker, Aaron, Amjad, Muhammad Faisal, Sengupta, Shamik.  2019.  Cuckoo’s Malware Threat Scoring and Classification: Friend or Foe? 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC). :0678–0684.
Malware threat classification involves understanding the behavior of the malicious software and how it affects a victim host system. Classifying threats allows for measured response appropriate to the risk involved. Malware incident response depends on many automated tools for the classification of threat to help identify the appropriate reaction to a threat alert. Cuckoo Sandbox is one such tool which can be used for automated analysis of malware and one method of threat classification provided is a threat score. A security analyst might submit a suspicious file to Cuckoo for analysis to determine whether or not the file contains malware or performs potentially malicious behavior on a system. Cuckoo is capable of producing a report of this behavior and ranks the severity of the observed actions as a score from one to ten, with ten being the most severe. As such, a malware sample classified as an 8 would likely take priority over a sample classified as a 3. Unfortunately, this scoring classification can be misleading due to the underlying methodology of severity classification. In this paper we demonstrate why the current methodology of threat scoring is flawed and therefore we believe it can be improved with greater emphasis on analyzing the behavior of the malware. This allows for a threat classification rating which scales with the risk involved in the malware behavior.
2020-03-09
Khan, Iqra, Durad, Hanif, Alam, Masoom.  2019.  Data Analytics Layer For high-interaction Honeypots. 2019 16th International Bhurban Conference on Applied Sciences and Technology (IBCAST). :681–686.

Security of VMs is now becoming a hot topic due to their outsourcing in cloud computing paradigm. All VMs present on the network are connected to each other, making exploited VMs danger to other VMs. and threats to organization. Rejuvenation of virtualization brought the emergence of hyper-visor based security services like VMI (Virtual machine introspection). As there is a greater chance for any intrusion detection system running on the same system, of being dis-abled by the malware or attacker. Monitoring of VMs using VMI, is one of the most researched and accepted technique, that is used to ensure computer systems security mostly in the paradigm of cloud computing. This thesis presents a work that is to integrate LibVMI with Volatility on a KVM, a Linux based hypervisor, to introspect memory of VMs. Both of these tools are used to monitor the state of live VMs. VMI capability of monitoring VMs is combined with the malware analysis and virtual honeypots to achieve the objective of this project. A testing environment is deployed, where a network of VMs is used to be introspected using Volatility plug-ins. Time execution of each plug-in executed on live VMs is calculated to observe the performance of Volatility plug-ins. All these VMs are deployed as Virtual Honeypots having honey-pots configured on them, which is used as a detection mechanism to trigger alerts when some malware attack the VMs. Using STIX (Structure Threat Information Expression), extracted IOCs are converted into the understandable, flexible, structured and shareable format.

2020-01-28
KADOGUCHI, Masashi, HAYASHI, Shota, HASHIMOTO, Masaki, OTSUKA, Akira.  2019.  Exploring the Dark Web for Cyber Threat Intelligence Using Machine Leaning. 2019 IEEE International Conference on Intelligence and Security Informatics (ISI). :200–202.

In recent years, cyber attack techniques are increasingly sophisticated, and blocking the attack is more and more difficult, even if a kind of counter measure or another is taken. In order for a successful handling of this situation, it is crucial to have a prediction of cyber attacks, appropriate precautions, and effective utilization of cyber intelligence that enables these actions. Malicious hackers share various kinds of information through particular communities such as the dark web, indicating that a great deal of intelligence exists in cyberspace. This paper focuses on forums on the dark web and proposes an approach to extract forums which include important information or intelligence from huge amounts of forums and identify traits of each forum using methodologies such as machine learning, natural language processing and so on. This approach will allow us to grasp the emerging threats in cyberspace and take appropriate measures against malicious activities.

2020-02-18
Huang, Yonghong, Verma, Utkarsh, Fralick, Celeste, Infantec-Lopez, Gabriel, Kumar, Brajesh, Woodward, Carl.  2019.  Malware Evasion Attack and Defense. 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). :34–38.

Machine learning (ML) classifiers are vulnerable to adversarial examples. An adversarial example is an input sample which is slightly modified to induce misclassification in an ML classifier. In this work, we investigate white-box and grey-box evasion attacks to an ML-based malware detector and conduct performance evaluations in a real-world setting. We compare the defense approaches in mitigating the attacks. We propose a framework for deploying grey-box and black-box attacks to malware detection systems.

2020-03-27
Liu, Yingying, Wang, Yiwei.  2019.  A Robust Malware Detection System Using Deep Learning on API Calls. 2019 IEEE 3rd Information Technology, Networking, Electronic and Automation Control Conference (ITNEC). :1456–1460.
With the development of technology, the massive malware become the major challenge to current computer security. In our work, we implemented a malware detection system using deep learning on API calls. By means of cuckoo sandbox, we extracted the API calls sequence of malicious programs. Through filtering and ordering the redundant API calls, we extracted the valid API sequences. Compared with GRU, BGRU, LSTM and SimpleRNN, we evaluated the BLSTM on the massive datasets including 21,378 samples. The experimental results demonstrate that BLSTM has the best performance for malware detection, reaching the accuracy of 97.85%.
2020-01-02
Mar\'ın, Gonzalo, Casas, Pedro, Capdehourat, Germán.  2019.  Deep in the Dark - Deep Learning-Based Malware Traffic Detection Without Expert Knowledge. 2019 IEEE Security and Privacy Workshops (SPW). :36–42.

With the ever-growing occurrence of networking attacks, robust network security systems are essential to prevent and mitigate their harming effects. In recent years, machine learning-based systems have gain popularity for network security applications, usually considering the application of shallow models, where a set of expert handcrafted features are needed to pre-process the data before training. The main problem with this approach is that handcrafted features can fail to perform well given different kinds of scenarios and problems. Deep Learning models can solve this kind of issues using their ability to learn feature representations from input raw or basic, non-processed data. In this paper we explore the power of deep learning models on the specific problem of detection and classification of malware network traffic, using different representations for the input data. As a major advantage as compared to the state of the art, we consider raw measurements coming directly from the stream of monitored bytes as the input to the proposed models, and evaluate different raw-traffic feature representations, including packet and flow-level ones. Our results suggest that deep learning models can better capture the underlying statistics of malicious traffic as compared to classical, shallow-like models, even while operating in the dark, i.e., without any sort of expert handcrafted inputs.

2020-01-21
Hou, Ye, Such, Jose, Rashid, Awais.  2019.  Understanding Security Requirements for Industrial Control System Supply Chains. 2019 IEEE/ACM 5th International Workshop on Software Engineering for Smart Cyber-Physical Systems (SEsCPS). :50–53.

We address the need for security requirements to take into account risks arising from complex supply chains underpinning cyber-physical infrastructures such as industrial control systems (ICS). We present SEISMiC (SEcurity Industrial control SysteM supply Chains), a framework that takes into account the whole spectrum of security risks - from technical aspects through to human and organizational issues - across an ICS supply chain. We demonstrate the effectiveness of SEISMiC through a supply chain risk assessment of Natanz, Iran's nuclear facility that was the subject of the Stuxnet attack.

2020-04-06
Chen, Chia-Mei, Wang, Shi-Hao, Wen, Dan-Wei, Lai, Gu-Hsin, Sun, Ming-Kung.  2019.  Applying Convolutional Neural Network for Malware Detection. 2019 IEEE 10th International Conference on Awareness Science and Technology (iCAST). :1—5.

Failure to detect malware at its very inception leaves room for it to post significant threat and cost to cyber security for not only individuals, organizations but also the society and nation. However, the rapid growth in volume and diversity of malware renders conventional detection techniques that utilize feature extraction and comparison insufficient, making it very difficult for well-trained network administrators to identify malware, not to mention regular users of internet. Challenges in malware detection is exacerbated since complexity in the type and structure also increase dramatically in these years to include source code, binary file, shell script, Perl script, instructions, settings and others. Such increased complexity offers a premium on misjudgment. In order to increase malware detection efficiency and accuracy under large volume and multiple types of malware, this research adopts Convolutional Neural Networks (CNN), one of the most successful deep learning techniques. The experiment shows an accuracy rate of over 90% in identifying malicious and benign codes. The experiment also presents that CNN is effective with detecting source code and binary code, it can further identify malware that is embedded into benign code, leaving malware no place to hide. This research proposes a feasible solution for network administrators to efficiently identify malware at the very inception in the severe network environment nowadays, so that information technology personnel can take protective actions in a timely manner and make preparations for potential follow-up cyber-attacks.

2020-06-01
Luo, Xupeng, Yan, Qiao, Wang, Mingde, Huang, Wenyao.  2019.  Using MTD and SDN-based Honeypots to Defend DDoS Attacks in IoT. 2019 Computing, Communications and IoT Applications (ComComAp). :392–395.
With the rapid development of Internet of Things (IoT), distributed denial of service (DDoS) attacks become the important security threat of the IoT. Characteristics of IoT, such as large quantities and simple function, which have easily caused the IoT devices or servers to be attacked and be turned into botnets for launching DDoS attacks. In this paper, we use software-defined networking (SDN) to develop moving target defense (MTD) architecture that increases uncertainty because of ever changing attack surface. In addition, we deploy SDN-based honeypots to mimic IoT devices, luring attackers and malwares. Finally, experimental results show that combination of MTD and SDN-based honeypots can effectively hide network asset from scanner and defend against DDoS attacks in IoT.
2020-03-09
Hăjmăȿan, Gheorghe, Mondoc, Alexandra, Creț, Octavian.  2019.  Bytecode Heuristic Signatures for Detecting Malware Behavior. 2019 Conference on Next Generation Computing Applications (NextComp). :1–6.
For a long time, the most important approach for detecting malicious applications was the use of static, hash-based signatures. This approach provides a fast response time, has a low performance overhead and is very stable due to its simplicity. However, with the rapid growth in the number of malware, as well as their increased complexity in terms of polymorphism and evasion, the era of reactive security solutions started to fade in favor of new, proactive approaches such as behavior based detection. We propose a novel approach that uses an interpreter virtual machine to run proactive behavior heuristics from bytecode signatures, thus combining the advantages of behavior based detection with those of signatures. Based on our approximation, using this approach we succeeded to reduce by 85% the time required to update a behavior based detection solution to detect new threats, while continuing to benefit from the versatility of behavior heuristics.
2018-11-19
Carlin, D., O'Kane, P., Sezer, S., Burgess, J..  2018.  Detecting Cryptomining Using Dynamic Analysis. 2018 16th Annual Conference on Privacy, Security and Trust (PST). :1–6.
With the rise in worth and popularity of cryptocurrencies, a new opportunity for criminal gain is being exploited and with little currently offered in the way of defence. The cost of mining (i.e., earning cryptocurrency through CPU-intensive calculations that underpin the blockchain technology) can be prohibitively expensive, with hardware costs and electrical overheads previously offering a loss compared to the cryptocurrency gained. Off-loading these costs along a distributed network of machines via malware offers an instantly profitable scenario, though standard Anti-virus (AV) products offer some defences against file-based threats. However, newer fileless malicious attacks, occurring through the browser on seemingly legitimate websites, can easily evade detection and surreptitiously engage the victim machine in computationally-expensive cryptomining (cryptojacking). With no current academic literature on the dynamic opcode analysis of cryptomining, to the best of our knowledge, we present the first such experimental study. Indeed, this is the first such work presenting opcode analysis on non-executable files. Our results show that browser-based cryptomining within our dataset can be detected by dynamic opcode analysis, with accuracies of up to 100%. Further to this, our model can distinguish between cryptomining sites, weaponized benign sites, de-weaponized cryptomining sites and real world benign sites. As it is process-based, our technique offers an opportunity to rapidly detect, prevent and mitigate such attacks, a novel contribution which should encourage further future work.