Malware Analysis, Part 5

SoS Newsletter - Advanced Book Block


Malware detection, analysis, and classification are perennial issues in cybersecurity. The research presented here advances malware analysis in some unique and interesting ways. The works cited were published or presented in 2014. Because of the volume of work, the bibliography is broken into multiple parts.


Dainotti, A.; King, A.; Claffy, K.; Papale, F.; Pescapé, A., "Analysis of a '/0' Stealth Scan from a Botnet," Networking, IEEE/ACM Transactions on, vol. 23, no. 2, pp. 341-354, April 2015. doi: 10.1109/TNET.2013.2297678 Abstract: Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial-of-service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, including searching for vulnerable machines to infect and recruit into the botnet, probing networks for enumeration or penetration, etc. We present the measurement and analysis of a horizontal scan of the entire IPv4 address space conducted by the Sality botnet in February 2011. This 12-day scan originated from approximately 3 million distinct IP addresses and used a heavily coordinated and unusually covert scanning strategy to try to discover and compromise VoIP-related (SIP server) infrastructure. We observed this event through the UCSD Network Telescope, a /8 darknet continuously receiving large amounts of unsolicited traffic, and we correlate this traffic data with other public sources of data to validate our inferences. Sality is one of the largest botnets ever identified by researchers. Its behavior represents ominous advances in the evolution of modern malware: the use of more sophisticated stealth scanning strategies by millions of coordinated bots, targeting critical voice communications infrastructure. This paper offers a detailed dissection of the botnet's scanning behavior, including general methods to correlate, visualize, and extrapolate botnet behavior across the global Internet.
Keywords: Animation; Geology; IP networks; Internet; Ports (Computers); Servers; Telescopes; Botnet Internet background radiation; Internet telephony; Network Telescope; VoIP; communication system security; darknet; network probing; scanning (ID#: 15-4971)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6717049&isnumber=4359146

 

Vance, Andrew, "Flow based analysis of Advanced Persistent Threats Detecting Targeted Attacks in Cloud Computing," Infocommunications Science and Technology, 2014 First International Scientific-Practical Conference Problems of, pp. 173-176, 14-17 Oct. 2014. doi: 10.1109/INFOCOMMST.2014.6992342 Abstract: Cloud computing provides industry, government, and academic users convenient and cost-effective access to distributed services and shared data via the Internet. Due to its distribution of diverse users and aggregation of immense data, cloud computing has increasingly been the focus of targeted attacks. Meta-analysis of industry studies and retrospective research involving cloud service providers reveal that cloud computing is demonstrably vulnerable to a particular type of targeted attack, Advanced Persistent Threats (APTs). APTs have proven to be difficult to detect and defend against in cloud based infocommunication systems. The prevalent use of polymorphic malware and encrypted covert communication channels make it difficult for existing packet inspecting and signature based security technologies such as firewalls, intrusion detection sensors, and anti-virus systems to detect APTs. In this paper, we examine the application of an alternative security approach which applies an algorithm derived from flow based monitoring to successfully detect APTs. Results indicate that statistical modeling of APT communications can successfully develop deterministic characteristics for detection and is a more effective and efficient way to protect against APTs.
Keywords: Cloud computing; Computer security; Logic gates; Telecommunication traffic; Vectors; Advanced Persistent Threats; Cloud Computing; Cyber Security; Flow Based Analysis; Threat Detection (ID#: 15-4972)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6992342&isnumber=6992271

 

Sang, F.L.; Nicomette, V.; Deswarte, Y., "A Tool to Analyze Potential I/O Attacks against PCs," Security & Privacy, IEEE, vol. 12, no. 2, pp. 60-66, Mar.-Apr. 2014. doi: 10.1109/MSP.2013.79 Abstract: Instead of making the CPU execute malware, I/O attacks exploit peripheral devices and, as such, can't be detected by traditional anti-malware techniques. The proposed multipurpose FPGA-based tool can help analyze such attacks and be programmed to mimic a malicious I/O controller, host a Trojan horse, and even apply fuzzing techniques to identify vulnerabilities that could be exploited from I/O controllers or peripheral devices.
Keywords: field programmable gate arrays; invasive software; microcomputers; peripheral interfaces; I/O attack; I/O controller; Trojan horse; antimalware technique; fuzzing technique; multipurpose FPGA-based tool; peripheral device; Central Processing Unit; Computer security; Field programmable gate arrays; Input variables; Malware; Memory management; I/O attacks; fuzzing; vulnerability analysis (ID#: 15-4973)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6567863&isnumber=6798534

 

Kara, A.M.; Binsalleeh, H.; Mannan, M.; Youssef, A.; Debbabi, M., "Detection of Malicious Payload Distribution Channels in DNS," Communications (ICC), 2014 IEEE International Conference on, pp. 853-858, 10-14 June 2014. doi: 10.1109/ICC.2014.6883426 Abstract: Botmasters are known to use different protocols to hide their activities. Throughout the past few years, several protocols have been abused, and recently Domain Name System (DNS) also became a target of such malicious activities. In this paper, we study the use of DNS as a malicious payload distribution channel. We present a system to analyze the resource record activities of domain names and build DNS zone profiles to detect payload distribution channels. Our work is based on an extensive analysis of malware datasets for one year, and a near real-time feed of passive DNS traffic. The experimental results reveal a few previously unreported long-running hidden domains used by the Morto worm for distributing malicious payloads. Our experiments on passive DNS traffic indicate that our system can detect these channels regardless of the payload format.
Keywords: computer network security; invasive software; protocols; telecommunication traffic; Botmasters; DNS traffic; Morto worm; domain name system; malicious activities; malicious payload distribution channel; malicious payload distribution channel detection; malware datasets; passive DNS traffic; protocols; resource record activities; Databases; Malware; Payloads; Protocols; Servers; Syntactics; Tunneling (ID#: 15-4974)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6883426&isnumber=6883277

 

Crussell, J.; Gibler, C.; Chen, H., "AnDarwin: Scalable Detection of Android Application Clones Based on Semantics," Mobile Computing, IEEE Transactions on, vol. 14, no. 10, pp. 2007-2019, Oct. 1, 2015. doi: 10.1109/TMC.2014.2381212 Abstract: Smartphones rely on their vibrant application markets; however, plagiarism threatens the long-term health of these markets. We present a scalable approach to detecting similar Android apps based on their semantic information. We implement our approach in a tool called AnDarwin and evaluate it on 265,359 apps collected from 17 markets including Google Play and numerous third-party markets. In contrast to earlier approaches, AnDarwin has four advantages: it avoids comparing apps pairwise, thus greatly improving its scalability; it analyzes only the app code and does not rely on other information — such as the app's market, signature, or description — thus greatly increasing its reliability; it can detect both full and partial app similarity; and it can automatically detect library code and remove it from the similarity analysis. We present two use cases for AnDarwin: finding similar apps by different developers ("clones") and similar apps from the same developer ("rebranded"). In ten hours, AnDarwin detected at least 4,295 apps that are the victims of cloning and 36,106 rebranded apps. Additionally, AnDarwin detects similar code that is injected into many apps, which may indicate the spread of malware. Our evaluation demonstrates AnDarwin's ability to accurately detect similar apps on a large scale.
Keywords: Cloning; Feature extraction; Libraries; Malware; Semantics; Smart phones; Vectors (ID#: 15-4975)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6985631&isnumber=4358975

 

Daiping Liu; Haining Wang; Stavrou, A., "Detecting Malicious Javascript in PDF through Document Instrumentation," Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on, pp. 100-111, 23-26 June 2014. doi: 10.1109/DSN.2014.92 Abstract: An emerging threat vector, embedded malware inside popular document formats, has become rampant since 2008. Owing to its widespread use and Javascript support, PDF has been the primary vehicle for delivering embedded exploits. Unfortunately, existing defenses are limited in effectiveness, vulnerable to evasion, or too computationally expensive to be employed as an on-line protection system. In this paper, we propose a context-aware approach for detection and confinement of malicious Javascript in PDF. Our approach statically extracts a set of static features and inserts context monitoring code into a document. When an instrumented document is opened, the context monitoring code inside will cooperate with our runtime monitor to detect potential infection attempts in the context of Javascript execution. Thus, our detector can identify malicious documents by using both static and runtime features. To validate the effectiveness of our approach in a real world setting, we first conduct a security analysis, showing that our system is able to remain effective in detection and be robust against evasion attempts even in the presence of sophisticated adversaries. We implement a prototype of the proposed system, and perform extensive experiments using 18623 benign PDF samples and 7370 malicious samples. Our evaluation results demonstrate that our approach can accurately detect and confine malicious Javascript in PDF with minor performance overhead.
Keywords: Java; document handling; feature extraction; invasive software; ubiquitous computing; Javascript execution; Javascript support; PDF; context monitoring code; context-aware approach; document format; document instrumentation; embedded malware; emerging threat vector; evasion attempt; malicious Javascript confinement; malicious Javascript detection; malicious document identification; online protection system; potential infection attempt detection; runtime feature; runtime monitoring; security analysis; sophisticated adversaries; static feature extraction; Context; Feature extraction; Instruments; Malware; Monitoring; Portable document format; Runtime; Malcode bearing PDF; document instrumentation; malicious Javascript; malware detection and confinement (ID#: 15-4976)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6903571&isnumber=6903544

 

Vargheese, R., "Dynamic Protection for Critical Health Care Systems Using Cisco CWS: Unleashing the Power of Big Data Analytics," Computing for Geospatial Research and Application (COM.Geo), 2014 Fifth International Conference on, pp. 77-81, 4-6 Aug. 2014. doi: 10.1109/COM.Geo.2014.28 Abstract: Critical Care IT systems such as life support devices, vitals monitoring systems, and information systems that provide point of care guidance to care teams are a key component of a lifesaving effort in Healthcare. The mega trends of mobility, social, and cloud, combined with the widespread increase and sophistication of malware, have created new challenges; the point-in-time detection methods at the hospitals are no longer effective and pose a big threat to the critical care systems. To maintain the availability and integrity of these critical care systems, new adaptive, learning security defense systems are required that not only learn from the traffic entering the hospital, but also proactively learn from the traffic worldwide. Cisco's Cloud Web Security (CWS) provides industry-leading security and control for the distributed enterprise by protecting users everywhere, anytime through Cisco worldwide threat intelligence, advanced threat defense capabilities, and roaming user protection. It leverages big data to perform behavioral analysis, anomaly detection, evasion resistance, and rapid detection services using flow based, signature based, behavior based and full packet capture models to identify threats. This tech talk looks at how big data analytics is used in combination with other security capabilities to proactively identify threats and prevent widespread damage to healthcare critical assets.
Keywords: Big Data; cloud computing; data analysis; data protection; health care; hospitals; medical information systems; security of data; Cisco CWS; Cisco Cloud Web security; Cisco worldwide threat intelligence; advanced threat defense capabilities; anomaly detection; behavioral analysis; big data analytics; care guidance; care teams; critical care IT systems; critical health care systems; dynamic protection; evasion resistance; healthcare critical assets; information systems; life support devices lifesaving effort; monitoring systems; rapid detection services; roaming user protection; Big data; Industries; Malware; Medical services; Monitoring; Behavior Analysis; Big Data Analytics; Cloud; Cloud Web Security; Critical Care; Healthcare; Machine Learning; Malware; Security (ID#: 15-4977)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6910124&isnumber=6910097

 

Pek, G.; Buttyan, L., "Towards the Automated Detection of Unknown Malware on Live Systems," Communications (ICC), 2014 IEEE International Conference on, pp. 847-852, 10-14 June 2014. doi: 10.1109/ICC.2014.6883425 Abstract: In this paper, we propose a new system monitoring framework that can serve as an enabler for automated malware detection on live systems. Our approach takes advantage of the increased availability of hardware assisted virtualization capabilities of modern CPUs, and its basic novelty consists in launching a hypervisor layer on the live system without stopping and restarting it. This hypervisor runs at a higher privilege level than the OS itself, thus, it can be used to observe the behavior of the analyzed system in a transparent manner. For this purpose, we also propose a novel system call tracing method that is designed to be configurable in terms of transparency and granularity.
Keywords: computer network security; invasive software; virtualisation; CPU; automated malware detection; hardware assisted virtualization capability; hypervisor layer; live systems; system call tracing method; system monitoring framework; unknown malware; Data structures; Hardware; Malware; Monitoring; Program processors; Virtual machine monitors; Virtualization (ID#: 15-4978)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6883425&isnumber=6883277

 

Shaw, A.L.; Bordbar, B.; Saxon, J.; Harrison, K.; Dalton, C.I., "Forensic Virtual Machines: Dynamic Defence in the Cloud via Introspection," Cloud Engineering (IC2E), 2014 IEEE International Conference on, pp. 303-310, 11-14 March 2014. doi: 10.1109/IC2E.2014.59 Abstract: The Cloud attempts to provide its users with automatically scalable platforms to host many applications and operating systems. To allow for quick deployment, they are often homogenised to a few images, restricting the variations used within the Cloud. An exploitable vulnerability stored within an image means that each instance will suffer from it and as a result, an attacker can be sure of a high pay-off for their time. This makes the Cloud a prime target for malicious activities. There is a clear requirement to develop an automated and computationally-inexpensive method of discovering malicious behaviour as soon as it starts, such that remedial action can be adopted before substantial damage is caused. In this paper we propose the use of Mini-OS, a virtualised operating system that uses minimal resources on the Xen virtualisation platform, for analysing the memory space of other guest virtual machines. These detectors, which we call Forensic Virtual Machines (FVMs), are lightweight such that they are inherently computationally cheap to run. Such a small footprint allows the physical host to run numerous instances to find symptoms of malicious behaviour whilst potentially limiting attack vectors. We describe our experience of developing FVMs and how they can be used to complement existing methods to combat malware. We also evaluate them in terms of performance and the resources that they require.
Keywords: cloud computing; digital forensics; invasive software; operating systems (computers); virtual machines; virtualisation; FVM; Mini-OS virtualised operating system; Xen virtualisation platform; cloud defence; forensic virtual machines; guest virtual machines; image vulnerability; malicious activities; malicious behaviour discovery; malware; Forensics; Kernel; Libraries; Malware; Monitoring; Virtual machining; Xen; cloud computing; forensics; introspection; intrusion detection; monitoring; security virtual machine; virtualization (ID#: 15-4979)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6903487&isnumber=6903436

 

Bou-Harb, E.; Debbabi, M.; Assi, C., "Behavioral Analytics for Inferring Large-Scale Orchestrated Probing Events," Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on, pp. 506-511, April 27-May 2, 2014. doi: 10.1109/INFCOMW.2014.6849283 Abstract: The significant dependence on cyberspace has indeed brought new risks that often compromise, exploit and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, inferring probing events, which are commonly the first stage of any cyber attack, renders a promising tactic to achieve that task. We have been receiving for the past three years 12 GB of daily malicious real darknet data (i.e., Internet traffic destined to half a million routable yet unallocated IP addresses) from more than 12 countries. This paper exploits such data to propose a novel approach that aims at capturing the behavior of the probing sources in an attempt to infer their orchestration (i.e., coordination) pattern. The latter defines a recently discovered characteristic of a new phenomenon of probing events that could be ominously leveraged to cause drastic Internet-wide and enterprise impacts as precursors of various cyber attacks. To accomplish its goals, the proposed approach leverages various signal and statistical techniques, information theoretical metrics, fuzzy approaches with real malware traffic and data mining methods. The approach is validated through one use case that arguably proves that a previously analyzed orchestrated probing event from last year is indeed still active, yet operating in a stealthy, very low rate mode. We envision that the proposed approach that is tailored towards darknet data, which is frequently, abundantly and effectively used to generate cyber threat intelligence, could be used by network security analysts, emergency response teams and/or observers of cyber events to infer large-scale orchestrated probing events for early cyber attack warning and notification.
Keywords: IP networks; Internet; computer network security; data mining; fuzzy set theory; information theory; invasive software; statistical analysis; telecommunication traffic; Internet traffic; coordination pattern; cyber attack; cyber threat intelligence; cyberspace; data mining methods; early cyber attack notification; early cyber attack warning; emergency response teams; fuzzy approaches; information theoretical metrics; large-scale orchestrated probing events; malicious activities; malicious real darknet data; malware traffic; network security analysts; orchestration pattern; routable unallocated IP addresses; signal techniques; statistical techniques; Conferences; IP networks; Internet; Malware; Probes (ID#: 15-4980)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6849283&isnumber=6849127

 

Maghrabi, L.A., "The Threats of Data Security over the Cloud as Perceived by Experts and University Students," Computer Applications & Research (WSCAR), 2014 World Symposium on, pp. 1-6, 18-20 Jan. 2014. doi: 10.1109/WSCAR.2014.6916842 Abstract: This research investigates the privacy, confidentiality and integrity of data over the Cloud. It explores different data security concerns over the Cloud as perceived by experts and university students. This topic is significant because of the increasing demand for Cloud services that attracts many people to use it more frequently. Being aware of data security concerns will undoubtedly help users take precautions from unauthorized access up to data theft. The comparison between the views of experts and users of data threats over the Cloud encourages investigators to conduct further research to increase awareness and maximize security measures. This study is based on the assumption that data over the Cloud are secure. This paper reviews the literature that focuses on the experts' findings and interpretations of data security issues and threats over the Cloud. The Cloud Security Alliance (CSA) [I] points out seven security threats: abuse and nefarious use of Cloud Computing, insecure Application Programming Interfaces (APIs), malicious insiders, shared technology vulnerabilities, data loss or leakage, account or service hijacking, and unknown risk profile. In addition, experts state different attacks that may occur at any time: DoS attacks, Cloud malware injection, side channels attack, authentication attacks, and Man-In-The-Middle (MITM) cryptographic attack. In this study, completed questionnaires were collected from students of the University of the West of England to examine their perception and awareness of data threats over the Cloud. Both perceptions from experts and students were compared and analyzed to derive conclusions about data security over the Cloud. A number of findings are discovered. As experts prove that data might be compromised over the Cloud, the outcome of this research reveals that users are unaware of these threats. Many users are unaware of the issues they face concerning their data's privacy, confidentiality, and integrity. However, the participants value their data privacy. The results also show that they utilize the Cloud for different purposes and various benefits. As for further research, many ideas are proposed with regard to research settings in terms of size of sample, type and background of population, and the choice of qualitative methodology.
Keywords: application program interfaces; authorisation; cloud computing; cryptography; data integrity; data privacy; invasive software; risk analysis; API; CSA; DoS attacks; MITM; University of the West of England; account hijacking; authentication attacks; cloud computing; cloud malware injection; cloud security alliance; cloud services; data confidentiality; data integrity; data leakage; data loss; data privacy; data security threats; data theft; insecure application programming interfaces; malicious insiders; man-in-the-middle cryptographic attack; qualitative methodology; service hijacking; shared technology vulnerabilities; side channels attack; unauthorized access; university students; unknown risk profile; Cryptography; Data privacy; Educational institutions; Cloud Computing; data security; data threats; information security; security threats (ID#: 15-4981)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6916842&isnumber=6916766

 

Manek, A.S.; Sumithra, V.; Shenoy, P.D.; Mohan, M.C.; Venugopal, K.R.; Patnaik, L.M., "DeMalFier: Detection of Malicious Web Pages Using an Effective Classifier," Data Science & Engineering (ICDSE), 2014 International Conference on, pp. 83-88, 26-28 Aug. 2014. doi: 10.1109/ICDSE.2014.6974616 Abstract: The web has become an indispensable global platform that glues together daily communication, sharing, trading, collaboration and service delivery. Web users often store and manage critical information that attracts cybercriminals who misuse the web and the internet to exploit vulnerabilities for illegitimate benefits. Malicious web pages are a transpiring, threatening issue over the internet because of their notoriety and their capability to influence. Detecting and analyzing them is very costly because of their qualities and intricacies. The complexities of attacks are increasing day by day because the attackers are using blended approaches of various existing attacking techniques. In this paper, a model DeMalFier (Detection of Malicious Web Pages using an Effective ClassiFier) has been developed to apply supervised learning approaches to identify malicious web pages relevant to malware distribution, phishing, drive-by-download and injection by extracting the content of web pages, URL-based features and features based on host information. Experimental evaluation of the DeMalFier model achieved 99.9% accuracy, recommending the impact of our approach for real-life deployment.
Keywords: Internet; computer crime; invasive software; learning (artificial intelligence); DeMalFier; Internet; URL-based features; Web security; cybercriminal attracts; malicious Web pages; malware distribution; phishing; supervised learning approaches; threatening issue; Accuracy; Crawlers; Data models; Feature extraction; HTML; Uniform resource locators; Web pages; DeMalFier; Malicious Web Pages; Pre-Processing Techniques; Supervised Learning; Web Security (ID#: 15-4982)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6974616&isnumber=6974596

 

Idrees, F.; Rajarajan, M., "Investigating the Android Intents and Permissions for Malware Detection," Wireless and Mobile Computing, Networking and Communications (WiMob), 2014 IEEE 10th International Conference on, pp. 354-358, 8-10 Oct. 2014. doi: 10.1109/WiMOB.2014.6962194 Abstract: Mobile phones are mastering our day to day scheduling, entertainment, information and almost every aspect of life. With the increasing human dependence on smart phones, threats against these devices have also increased exponentially. Almost all the mobile apps are playing with the mobile user's privacy besides the targeted actions by the malicious apps. Android applications use permissions to use different features and resources of the mobile device along with the intents to launch different activities. Various aspects of the permission framework have been studied but sufficient attention has not been given to the intent framework. This work is the first of its kind to investigate the combined effects of permissions and intent filters to distinguish between the malware and benign apps. This paper proposes a novel approach to identify the malicious apps by analyzing the permission and intent patterns of Android apps. This approach is supplemented with machine learning algorithms for further classification of apps. Performance of the proposed approach has been validated by applying the technique to the available malicious and benign samples collected from a number of sources.
Keywords: Android (operating system); data privacy; invasive software; learning (artificial intelligence); pattern classification; smart phones; Android applications; Android intents; Android permissions; benign apps; human dependence; machine learning algorithms; malicious apps; malware detection; mobile app classification; mobile device features; mobile device resources; mobile phones; mobile user privacy; permission framework; smart phones; Androids; Conferences; Humanoid robots; Malware; Mobile communication; Smart phones; classification; intents; malware detection; permission model (ID#: 15-4983)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6962194&isnumber=6962120

 

Kuriakose, J.; Vinod, P., "Discriminant Features for Metamorphic Malware Detection," Contemporary Computing (IC3), 2014 Seventh International Conference on, pp. 406-411, 7-9 Aug. 2014. doi: 10.1109/IC3.2014.6897208 Abstract: To unfold a solution for the detection of metamorphic viruses (obfuscated malware), we propose a non-signature-based approach using feature selection techniques such as Categorical Proportional Difference (CPD), Weight of Evidence of Text (WET), Term Frequency-Inverse Document Frequency (TF-IDF) and Term Frequency-Inverse Document Frequency-Class Frequency (TF-IDF-CF). Feature selection methods are employed to rank and prune bi-gram features obtained from malware and benign files. Synthesized features are further evaluated for their prominence in either of the classes. Using our proposed methodology 100% accuracy is obtained with test samples. Hence, we argue that the statistical scanner proposed by us can identify future metamorphic variants and can assist antiviruses with high accuracy.
Keywords: computer viruses; feature extraction; statistical analysis; CPD; TF-IDF-CF; WET; antivirus; benign files; bigram feature pruning; bigram feature ranking; categorical proportional difference; discriminant features; feature selection technique; feature synthesis; metamorphic malware detection; metamorphic variant identification; metamorphic virus detection; nonsignature based approach; obfuscated malware; statistical scanner; term frequency-inverse document frequency-class frequency; weight of evidence of text; Accuracy; Detectors; Feature extraction; Hidden Markov models; Malware; Measurement; Viruses (medical); classifiers; discriminant; feature selection; metamorphic malware; obfuscation (ID#: 15-4984)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6897208&isnumber=6897132

 

Hasegawa, H.; Yamaguchi, Y.; Shimada, H.; Takakura, H., "A Countermeasure Recommendation System against Targeted Attacks with Preserving Continuity of Internal Networks," Computer Software and Applications Conference (COMPSAC), 2014 IEEE 38th Annual, pp. 400-405, 21-25 July 2014. doi: 10.1109/COMPSAC.2014.63 Abstract: Recently, the sophistication of targeted cyber attacks makes conventional countermeasures useless to defend our network. Proper network design, i.e., moderate segmentation and adequate access control, is one of the most effective countermeasures to prevent stealth activities of the attacks inside the network. By paying attention to the violation of the control, we can be aware of the existence of the attacks. In case suspicious activities are found, we should adopt a stricter design for further analysis and mitigation of damage. However, an organization must assume that its network administrators have full knowledge of its business and enough information of its network structure for selecting the most suitable design. This paper discusses a recommendation system to enhance the ability of a semi-automatic network design system previously proposed by us. Our new system evaluates on the viewpoint of two criteria, the effectiveness against malicious activities and the impact on business. The former takes the infection probability and hazardousness of communication into account and the latter considers the impact of the countermeasure which affects the organization's activities. By reviewing the candidates of the countermeasures with these criteria, the most suitable one to the organization can be selected.
Keywords: authorisation; probability; recommender systems; access control; countermeasure recommendation system; cyber attacks; hazardousness; infection probability; internal networks; network administrators; network design; targeted attacks; Access control; Malware; Organizations; Personnel; Servers; VLAN; access control; design evaluation; targeted attack (ID#: 15-4985)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6899242&isnumber=6899181

 

Wei Wang; Xing Wang; Dawei Feng; Jiqiang Liu; Zhen Han; Xiangliang Zhang, "Exploring Permission-Induced Risk in Android Applications for Malicious Application Detection," Information Forensics and Security, IEEE Transactions on, vol. 9, no. 11, pp. 1869-1882, Nov. 2014. doi: 10.1109/TIFS.2014.2353996 Abstract: Android has been a major target of malicious applications (malapps). How to detect and keep the malapps out of the app markets is an ongoing challenge. One of the central design points of the Android security mechanism is permission control, which restricts the access of apps to core facilities of devices. However, it imparts a significant responsibility to the app developers with regard to accurately specifying the requested permissions, and to the users with regard to fully understanding the risk of granting certain combinations of permissions. The Android permissions requested by an app depict the app's behavioral patterns. In order to help understand Android permissions, in this paper we explore the permission-induced risk in Android apps on three levels in a systematic manner. First, we thoroughly analyze the risk of an individual permission and the risk of a group of collaborative permissions. We employ three feature ranking methods, namely mutual information, correlation coefficient, and T-test, to rank individual Android permissions with respect to their risk. We then use sequential forward selection as well as principal component analysis to identify risky permission subsets. Second, we evaluate the usefulness of risky permissions for malapp detection with support vector machines, decision trees, and random forests. Third, we analyze the detection results in depth and discuss the feasibility as well as the limitations of malapp detection based on permission requests. We evaluate our methods on a very large official app set consisting of 310 926 benign apps and 4868 real-world malapps, and on third-party app sets. The empirical results show that our malapp detectors built on risky permissions give satisfactory performance (a detection rate of 94.62% with a false positive rate of 0.6%), capture the malapps' essential patterns of violating permission access regulations, and are universally applicable to unknown malapps (detection rate of 74.03%).
Keywords: Android (operating system); invasive software; principal component analysis; smart phones; Android security mechanism; T-test; collaborative permissions; correlation coefficient; decision trees; malapp detection; malicious applications; mutual information; permission control; permission-induced risk; principal component analysis; random forest; sequential forward selection; support vector machine; third-party app sets; Androids; Correlation; Humanoid robots; Principal component analysis; Security; Smart phones; Support vector machines; Android security; Android system; intrusion detection; malware detection; permission usage analysis (ID#: 15-4986)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6891250&isnumber=6912034

 

Byungho Min; Varadharajan, V., "Design and Analysis of Security Attacks against Critical Smart Grid Infrastructures," Engineering of Complex Computer Systems (ICECCS), 2014 19th International Conference on, pp. 59-68, 4-7 Aug. 2014. doi: 10.1109/ICECCS.2014.16 Abstract: The smart grid, the future power grid, is expected to provide better energy efficiency, more customer choices, and improved reliability and security. As the smart grid is an integrated system that consists of multiple subsystems, understanding it as a whole system is required to fully understand the security risks it faces. In this paper, a sophisticated malware attack unique to cyber-physical systems (CPS) and targeting the smart grid is proposed. The paper first outlines the architecture of the smart grid in general. Then we present the characteristics of recent malware attacks targeting CPS, such as Stuxnet and Shamoon. These lead to the design of our proposed attack, which incorporates the key features of the smart grid architecture and of the recent real attacks. One key aspect of the proposed attack is that it manipulates various physical field devices as well as cyber systems to illustrate how a blackout is possible even in the security-improved smart grid environment. Then, we explain the application of defensive techniques in the context of the suggested attack. Lastly, a prototype implementation showing the effectiveness of the attack and of the defensive measures is described.
Keywords: critical infrastructures; invasive software; power engineering computing; smart power grids; CPS; Shamoon; Stuxnet; critical smart grid infrastructures; cyber-physical system; defensive techniques; malware attack; physical field devices; security attacks; smart grid architecture; Control systems; Malware; Payloads; Protocols; Smart grids; Software; cyber attack; cyber-physical system; deceptive attack; malware; security; smart grid (ID#: 15-4987)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6923118&isnumber=6923102

 

Irakiza, D.; Karim, M.E.; Phoha, V.V., "A Non-Interactive Dual Channel Continuous Traffic Authentication Protocol," Information Forensics and Security, IEEE Transactions on, vol. 9, no. 7, pp. 1133-1140, July 2014. doi: 10.1109/TIFS.2014.2323700 Abstract: We introduce a non-interactive dual-channel protocol for continuous traffic authentication and analyze its security properties. We realize the proposed protocol by providing dual channels at the keyboard with the assistance of a lightweight hardware module. The proposed protocol does not require users' explicit engagement in the authentication process. Empirical results show that, over a 30-day period, the maximum false reject rate for all legitimate requests on a day is 6% (with a 30-day daily average of 2.4%) and the false accept rate on any given day is 0%. The daily maximum false reject rate of the user requests falls to 0% if the users are required to engage explicitly in the protocol operation for at most 1.2% of users' non-typed requests.
Keywords: cryptographic protocols; keyboards; authentication process; continuous traffic authentication; keyboard; lightweight hardware module; noninteractive dual channel continuous traffic authentication protocol; security property; time 30 day; Authentication; Computers; Hardware; Malware; Protocols; Servers; information exfiltration; non-interactive dual channel protocol (ID#: 15-4988)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6815645&isnumber=6819111

 

Smith, A.J.; Mills, R.F.; Bryant, A.R.; Peterson, G.L.; Grimaila, M.R., "REDIR: Automated Static Detection of Obfuscated Anti-Debugging Techniques," Collaboration Technologies and Systems (CTS), 2014 International Conference on, pp. 173-180, 19-23 May 2014. doi: 10.1109/CTS.2014.6867561 Abstract: Reverse Code Engineering (RCE) to detect anti-debugging techniques in software is a very difficult task. Code obfuscation is an anti-debugging technique that makes detection even more challenging. The Rule Engine Detection by Intermediate Representation (REDIR) system for automated static detection of obfuscated anti-debugging techniques is a prototype designed to help the RCE analyst improve performance on this tedious task. Three tenets form the REDIR foundation. First, Intermediate Representation (IR) improves the analyzability of binary programs by reducing a large instruction set down to a handful of semantically equivalent statements. Next, an Expert System (ES) rule engine searches the IR and initiates a sense-making process for anti-debugging technique detection. Finally, an IR analysis process confirms the presence of an anti-debugging technique. The REDIR system is implemented as a debugger plug-in. Within the debugger, REDIR interacts with a program in the disassembly view. Debugger users can instantly highlight anti-debugging techniques and determine whether the presence of a debugger will cause a program to take a conditional jump or fall through to the next instruction.
Keywords: program debugging; program diagnostics; reverse engineering; ES; IR analysis process; REDIR system; automated static detection; binary program analysis; code obfuscation; expert system rule-engine; obfuscated anti-debugging techniques; reverse code engineering; rule engine detection by intermediate representation system; Debugging; Engines; Instruments; Malware; Registers; Testing; Timing; Anti-debugging; Expert systems; Reverse code engineering; Sensemaking (ID#: 15-4989)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6867561&isnumber=6867522

 

Hu Ge; Li Ting; Dong Hang; Yu Hewei; Zhang Miao, "Malicious Code Detection for Android Using Instruction Signatures," Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on, pp. 332-337, 7-11 April 2014. doi: 10.1109/SOSE.2014.48 Abstract: This paper provides an overview of the current static analysis technology for Android malicious code, and a detailed analysis of the format of the APK, the Android application package, and of the Android platform executable file (dex). From the perspective of the binary sequence, the Dalvik VM file is segmented by method, and the test samples are analyzed with automated DEX file parsing tools and the Levenshtein distance algorithm, which can effectively detect malicious Android applications that contain the same signatures. As proven on a large number of samples, this static detection system based on signature sequences can not only detect malicious code quickly, but also has a very low rate of false positives and false negatives.
Keywords: Android (operating system); digital signatures; program compilers; program diagnostics; APK format; Android malicious code detection; Android platform executable file; Dalvik VM file; Levenshtein distance algorithm; automated DEX file parsing tools; binary sequence; instruction signatures; malicious Android applications detection; signature sequences; static analysis technology; static detection system; Libraries; Malware; Mobile communication; Smart phones; Software; Testing; Android; DEX; Static Analysis; malicious code (ID#: 15-4990)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6830926&isnumber=6825948

 

Oprisa, C.; Checiches, M.; Nandrean, A., "Locality-Sensitive Hashing Optimizations for Fast Malware Clustering," Intelligent Computer Communication and Processing (ICCP), 2014 IEEE International Conference on, pp. 97-104, 4-6 Sept. 2014. doi: 10.1109/ICCP.2014.6936960 Abstract: Large datasets, including malware collections, are difficult to cluster. Although we are mainly dealing with polynomial algorithms, the long running times make them difficult to use in practice. The main issue is that the classical hierarchical algorithms need to compute the distance between each pair of items. This paper shows a faster approach for clustering large collections of malware samples using a technique called locality-sensitive hashing. This approach performs single-linkage clustering faster than the state-of-the-art methods, while producing clusters of similar quality. Although our proposed algorithm is still quadratic in theory, the coefficient of the quadratic term is several orders of magnitude smaller. Our experiments show that we can reduce this coefficient to under 0.02% and still produce clusters 99.9% similar to the ones produced by the single-linkage algorithm.
Keywords: cryptography; invasive software; optimisation; pattern clustering; polynomials; locality-sensitive hashing optimization; malware clustering; polynomial algorithm; single-linkage clustering; Algorithm design and analysis; Approximation algorithms; Arrays; Clustering algorithms; Dictionaries; Equations; Malware (ID#: 15-4991)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6936960&isnumber=6936959

 

Xiangyu Ju, "Android Malware Detection Through Permission and Package," Wavelet Analysis and Pattern Recognition (ICWAPR), 2014 International Conference on, pp. 61-65, 13-16 July 2014. doi: 10.1109/ICWAPR.2014.6961291 Abstract: Malicious Android applications are a serious problem due to the large market share of the Android operating system and also the flexibility of Android. An application should be checked before being installed on a phone to avoid leaks of private information. This paper proposes a static Android malware detection method that uses not only the permissions but also the package of an Android application. The experimental results show that the proposed method can detect malicious software effectively. This suggests that the information provided by the package is useful for detection.
Keywords: Android (operating system); invasive software; Android malware detection; Android operating system; malicious Android application; privacy information leak; Accuracy; Androids; Conferences; Feature extraction; Humanoid robots; Malware; Smart phones; APK; Android; DEX; Malware; Package; Permission (ID#: 15-4992)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6961291&isnumber=6961275


Note:

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.