Visible to the public Zero-Day Exploits, Part 2

SoS Newsletter- Advanced Book Block


SoS Logo

Zero–Day Exploits

Part 2

Zero-day exploits are a major research challenge in cybersecurity. Recent work on this subject has been conducted globally. The works cited here were presented in 2014 and early 2015.

Adebayo, O.S.; AbdulAziz, N., “An Intelligence Based Model for the Prevention of Advanced Cyber-Attacks,” Information and Communication Technology for The Muslim World (ICT4M), 2014 The 5th International Conference on, vol., no., pp. 1, 5, 17-18 Nov. 2014. doi:10.1109/ICT4M.2014.7020648
Abstract: The trend and motive of Cyber-attacks have gone beyond traditional damages and challenges to information stealing for political and economic gain. With the recent APT (Advance Persistent Threat), which comprises of Zeroday malware, Polymorphic malware, and Blended threat, the task of protecting vita[l] infrastructures are increasingly becoming difficult. This paper proposes an intelligence based technique that combined the traditional signature based detection with the next generation based detection. The proposed model consists of virtual execution environment, detection, and prevention module. The virtual execution environment is designated to analyze and execute a suspected file contains malware while other module inspect, detect, and prevent malware execution based on the intelligent gathering in the central management system (CMS). The model based on Next Generation Malware Detection of creating threat intelligence for future occurrence prevention. The new model shall take into consideration lapses and benefits of the existing detectors.
Keywords: digital signatures; invasive software; APT; advance persistent threat; advanced cyber-attack prevention; blended threat; central management system; economic gain; future occurrence prevention; information stealing; intelligence based model; malware execution detection; malware execution inspection; malware execution prevention; next generation malware detection; political gain; polymorphic malware; signature based detection; suspected file analysis; suspected file execution; virtual execution environment; zero-day malware; Decision support systems; APT; Advanced Persistent Threat; Cyber Attacks; Next Generation Threat; Next-Generation Security (ID#: 15-6214)

Min Zheng; Mingshen Sun; Lui, J.C.S., “DroidTrace: A Ptrace Based Android Dynamic Analysis System with Forward Execution Capability,” Wireless Communications and Mobile Computing Conference (IWCMC), 2014 International, vol., no.,
pp. 128, 133, 4-8 Aug. 2014. doi:10.1109/IWCMC.2014.6906344
Abstract: Android, being an open source smartphone operating system, enjoys a large community of developers who create new mobile services and applications. However, it also attracts malware writers to exploit Android devices in order to distribute malicious apps in the wild. In fact, Android malware are becoming more sophisticated and they use advanced “dynamic loading” techniques like Java reflection or native code execution to bypass security detection. To detect dynamic loading, one has to use dynamic analysis. Currently, there are only a handful of Android dynamic analysis tools available, and they all have shortcomings in detecting dynamic loading. The aim of this paper is to design and implement a dynamic analysis system which allows analysts to perform systematic analysis of dynamic payloads with malicious behaviors. We propose “DroidTrace”, a ptrace based dynamic analysis system with forward execution capability. Our system uses ptrace to monitor selected system calls of the target process which is running the dynamic payloads, and classifies the payloads behaviors through the system call sequence, e.g., behaviors such as file access, network connection, inter-process communication and even privilege escalation. Also, DroidTrace performs “physical modification” to trigger different dynamic loading behaviors within an app. Using DroidTrace, we carry out a large scale analysis on 36,170 dynamic payloads in 50,000 apps and 294 malware in 10 families (four of them are zero-day) with various dynamic loading behaviors.
Keywords: Android (operating system); Java; invasive software; mobile computing; program diagnostics; public domain software; Android malware; DroidTrace; Java reflection; dynamic loading detection; dynamic payload analysis; file access; forward execution capability; interprocess communication; malicious apps; malicious behaviors; mobile applications; mobile services; native code execution; network connection; open source smartphone operating system; physical modification; privilege escalation; ptrace based Android dynamic analysis system; security detection; system call monitoring; Androids; Humanoid robots; Java; Loading; Malware; Monitoring; Payloads (ID#: 15-6215)

Shin-Ying Huang; Yennun Huang; Suri, N., “Event Pattern Discovery on IDS Traces of Cloud Services,” Big Data and Cloud Computing (BdCloud), 2014 IEEE Fourth International Conference on, vol., no., pp. 25, 32, 3-5 Dec. 2014. doi:10.1109/BDCloud.2014.92
Abstract: The value of Intrusion Detection System (IDS) traces is based on being able to meaningfully parse the complex data patterns appearing therein as based on the pre-defined intrusion ‘detection’ rule sets. As IDS traces monitor large groups of servers, large amounts of network data and also spanning a variety of patterns, efficient analytical approaches are needed to address this big heterogeneous data analysis problem. We believe that using unsupervised learning methods can help to classify data that allows analysts to find out meaningful insights and extract the value of the collected data more precisely and efficiently. This study demonstrates how the technique of growing hierarchical self-organizing maps (GHSOM) can be utilized to facilitate efficient event data analysis. For the collected IDS traces, GHSOM is used to cluster data and reveal the geometric distances between each cluster in a topological space such that the attack signatures for each cluster can be easily identified. The experimental results from a real-world IDS traces show that our proposed approach can efficiently discover several critical attack patterns and significantly reduce the size of IDS trace log which needs to be further analyzed. The proposed approach can help internet security administrators/analysts to conduct network forensics analysis, discover suspicious attack sources, and set up recovery processes to prevent previously unknown security threats such as zero-day attacks.
Keywords: cloud computing; data analysis; digital signatures; pattern classification; pattern clustering; self-organising feature maps; unsupervised learning; GHSOM; IDS traces; Internet security administrators; Internet security analysts; analytical approach; attack signatures; cloud services; cluster geometric distances; complex data pattern parsing; critical attack patterns; data classification; data clustering; event data analysis; event pattern discovery; growing hierarchical self-organizing maps; heterogeneous data analysis problem; intrusion detection rule sets; intrusion detection system; network forensics analysis; recovery process; suspicious attack source discovery; topological space; unsupervised learning methods; Correlation; Data mining; IP networks; Intrusion detection; Ports (Computers);Telecommunication traffic; forensic analysis; growing hierarchical self-organizing map; internet security (ID#: 15-6216)

Almaatouq, A.; Alabdulkareem, A.; Nouh, M.; Alsaleh, M.; Alarifi, A.; Sanchez, A.; Alfaris, A.; Williams, J., “A Malicious Activity Detection System Utilizing Predictive Modeling in Complex Environments,” Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, vol., no., pp. 371, 379, 10-13 Jan. 2014. doi:10.1109/CCNC.2014.6866597
Abstract: Complex enterprise environments consist of globally distributed infrastructure with a variety of applications and a large number of activities occurring on a daily basis. This increases the attack surface and narrows the view of ongoing intrinsic dynamics. Thus, many malicious activities can persist under the radar of conventional detection mechanisms long enough to achieve critical mass for full-fledged cyber attacks. Many of the typical detection approaches are signature-based and thus are expected to fail in the face of zero-day attacks. In this paper, we present the building-blocks for developing a Malicious Activity Detection System (MADS). MADS employs predictive modeling techniques for the detection of malicious activities. Unlike traditional detection mechanisms, MADS includes the detection of both network-based intrusions and malicious user behaviors. The system utilizes a simulator to produce holistic replication of activities, including both benign and malicious, flowing within a given complex IT environment. We validate the performance and accuracy of the simulator through a case study of a Fortune 500 company where we compare the results of the simulated infrastructure against the physical one in terms of resource consumption (i.e., CPU utilization), the number of concurrent users, and response times. In addition to an evaluation of the detection algorithms with varying hyper-parameters and comparing the results.
Keywords: computer network security; complex environments; malicious activity detection system; predictive modeling; resource consumption; Analytical models; Data models; Data visualization; Databases; Engines; Predictive models; Security (ID#: 15-6217)

Andreas Kuehn, Milton Mueller; “Shifts in the Cybersecurity Paradigm: Zero-Day Exploits, Discourse, and Emerging Institutions,” NSPW ’14, Proceedings of the 2014 Workshop on New Security Paradigms Workshop, September 2014, Pages 63-68. doi:10.1145/2683467.2683473
Abstract: This ongoing dissertation research examines the institutionalization of new cybersecurity norms and practices that are emerging from current controversies around markets for software vulnerabilities and exploits. A market has developed for the production and distribution of software exploits, with buyers sometimes paying over USD 100,000 for exploits and software vendors offering bounties for the disclosure of underlying vulnerabilities. Labeled a ‘digital arms race’ by some, it is generating a transnational debate about control and regulation of cyber capabilities, the role of secrecy and disclosure in cybersecurity, and the ethics of exploit production and use. The research takes a qualitative approach to theorize the emerging cybersecurity institutions. It shall provide insights into the technical, economic and institutional shifts in cybersecurity norms and practices. Analyzing the bug bounty programs run by Microsoft and Facebook as examples, the paper briefly discusses the role of institutions in facilitating software vulnerability markets. The paper summarizes the work presented at NSPW 2014, its findings are preliminary.
Keywords: cybersecurity, discourse, institutions, internet governance, software exploit, software vulnerability (ID#: 15-6218)

Yasuyuki Tanaka, Atsuhiro Goto; “n-ROPdetector: Proposal of a Method to Detect the ROP Attack Code on the Network,” SafeConfig ’14, Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation, November 2014, Pages 33-36. doi:10.1145/2665936.2665937
Abstract: Targeted attacks exploiting a zero-day vulnerability are serious threats for many organizations. One reason is that generally available attack tools are very powerful and easy-to-use for attackers. In this paper, we propose n-ROPdetector that detects ROP (Return-Oriented Programming) attack code on the network side. ROP is a core technique used in zero-day attacks. The n-ROPdetector is noticeable method to detect ROP code efficiently on the network side rather than on the host machines side. To evaluate the n-ROPdetector and to show its effectiveness, we used the attack code samples from the attack tool Metasploit and the n-ROPdetector detected 84% of ROP codes in Metasploit.
Keywords: nids, return-oriented programming, zero-day attack (ID#: 15-6219)

Yier Jin; “Embedded System Security in Smart Consumer Electronics,” TrustED ’14, Proceedings of the 4th International Workshop on Trustworthy Embedded Devices, November 2014, Pages 59-59. doi:10.1145/2666141.2673888
Abstract: Advances in manufacturing and emerging technologies in miniaturization and reduction of power consumption have proven to be a pivotal point in mankind’s progress. The once advanced machines that occupied entire buildings and needed hundreds of engineers to be operated are now shadowed by the smart cellular phones we carry in our pockets. With the advent of the Internet and proliferation of wireless technologies, these devices are now extremely interconnected. Enter the nascent era of Internet of Things (IoT) and wearable devices, where small embedded devices loaded with sensors collect information from its surroundings, process it and relay it to remote locations for further analysis. Albeit looking harmless, this nascent technologies raise security and privacy concerns. In this talk, we pose the question of the possibility and effects of compromising one of such devices. Concentrating on the design flow of IoT devices, we discuss some common design practices and their implications on security and privacy. We present the Google Nest Learning Thermostat as an example on how these practices affect the resulting device and the potential consequences to user security and privacy. We will then introduce design flow security enhancement methods through which security will be built into the device, a major difference from traditional practices which treat security as an add-on property implemented at post-fabrication stage.
Keywords: hardware attack, hardware security, internet of things, secure boot, trusted design, zero-day attack (ID#: 15-6220)

Robert Gawlik, Thorsten Holz; “Towards Automated Integrity Protection of C++ Virtual Function Tables in Binary Programs,” ACSAC ’14, Proceedings of the 30th Annual Computer Security Applications Conference, December 2014, Pages 396-405. doi:10.1145/2664243.2664249
Abstract: Web browsers are one of the most used, complex, and popular software systems nowadays. They are prone to dangling pointers that result in use-after-free vulnerabilities and this is the de-facto way to exploit them. From a technical point of view, an attacker uses a technique called vtable hijacking to exploit such bugs. More specifically, she crafts bogus virtual tables and lets a freed C++ object point to it in order to gain control over the program at virtual function call sites.  In this paper, we present a novel approach towards mitigating and detecting such attacks against C++ binary code. We propose a static binary analysis technique to extract virtual function call site information in an automated way. Leveraging this information, we instrument the given binary executable and add runtime policy enforcements to thwart the illegal usage of these call sites. We implemented the proposed techniques in a prototype called T-VIP and successfully hardened three versions of Microsoft's Internet Explorer and Mozilla Firefox. An evaluation with several zero-day exploits demonstrates that our method prevents all of them. Performance benchmarks both on micro and macro level indicate that the overhead is reasonable with about 2.2%, which is only slightly higher compared to recent compiler-based approaches that address this problem.
Keywords: (not provided) (ID#: 15-6221)

Sean Whalen, Nathaniel Boggs, Salvatore J. Stolfo; “Model Aggregation for Distributed Content Anomaly Detection,” AISec ’14, Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop, November 2014, Pages 61-71. doi:10.1145/2666652.2666660
Abstract: Cloud computing offers a scalable, low-cost, and resilient platform for critical applications. Securing these applications against attacks targeting unknown vulnerabilities is an unsolved challenge. Network anomaly detection addresses such zero-day attacks by modeling attributes of attack-free application traffic and raising alerts when new traffic deviates from this model. Content anomaly detection (CAD) is a variant of this approach that models the payloads of such traffic instead of higher level attributes. Zero-day attacks then appear as outliers to properly trained CAD sensors. In the past, CAD was unsuited to cloud environments due to the relative overhead of content inspection and the dynamic routing of content paths to geographically diverse sites. We challenge this notion and introduce new methods for efficiently aggregating content models to enable scalable CAD in dynamically-pathed environments such as the cloud. These methods eliminate the need to exchange raw content, drastically reduce network and CPU overhead, and offer varying levels of content privacy. We perform a comparative analysis of our methods using Random Forest, Logistic Regression, and Bloom Filter-based classifiers for operation in the cloud or other distributed settings such as wireless sensor networks. We find that content model aggregation offers statistically significant improvements over non-aggregate models with minimal overhead, and that distributed and non-distributed CAD have statistically indistinguishable performance. Thus, these methods enable the practical deployment of accurate CAD sensors in a distributed attack detection infrastructure.
Keywords: anomaly detection, machine learning, model aggregation (ID#: 15-6222)

Sun-il Kim, William Edmonds, Nnamdi Nwanze; “On GPU Accelerated Tuning for a Payload Anomaly-Based Network Intrusion Detection Scheme,” CISR ’14, Proceedings of the 9th Annual Cyber and Information Security Research Conference, April 2014, Pages 1-4. doi:10.1145/2602087.2602093
Abstract: In network intrusion detection, anomaly-based solutions complement signature-based solutions in mitigating zero-day attacks, but require extensive training and learning to effectively model what the normal pattern for a given system (or service) looks like. Though the training typically happens off-line, and the processing speed is not as important as the detection stage (which occurs on-line in real-time), continuous analysis and retuning may be attractive depending on the deployment scenarios. The different types of computation required to perform automatic retuning (or retraining) of the system may result in resource competition for other important system tasks. Thus, a mechanism by which the retuning can take place without affecting the actual system workload is important. In this paper, we describe a layered, simple statistics based anomaly detection algorithm with parallel implementation of the training algorithm. We focus on the use of graphic processing units (GPU) to allow cost-efficient implementation with minimal impact on CPU loads so as to minimize affecting the day to day server workloads. Our results show potential for significant performance improvements.
Keywords: intrusion detection, network security, parallel processing (ID#: 15-6223)

Roopak Venkatakrishnan, Mladen A. Vouk; “Diversity-Based Detection of Security Anomalies,” HotSoS ’14, Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, April 2014, Article No. 29. doi:10.1145/2600176.2600205
Abstract: Detecting and preventing attacks before they compromise a system can be done using acceptance testing, redundancy based mechanisms, and using external consistency checking such external monitoring and watchdog processes. Diversity-based adjudication, is a step towards an oracle that uses knowable behavior of a healthy system. That approach, under best circumstances, is able to detect even zero-day attacks. In this approach we use functionally equivalent but in some way diverse components and we compare their output vectors and reactions for a given input vector. This paper discusses practical relevance of this approach in the context of recent web-service attacks.
Keywords: attack detection, diversity, redundancy in security, web services (ID#: 15-6224)

Hao Zhang, Danfeng Daphne Yao, Naren Ramakrishnan; “Detection of Stealthy Malware Activities with Traffic Causality and Scalable Triggering Relation Discovery,” ASIA CCS ’14, Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, June 2014, Pages 39-50. doi:10.1145/2590296.2590309
Abstract: Studies show that a significant portion of networked computers are infected with stealthy malware. Infection allows remote attackers to control, utilize, or spy on victim machines. Conventional signature-scan or counting-based techniques are limited, as they are unable to stop new zero-day exploits. We describe a traffic analysis method that can effectively detect malware activities on a host. Our new approach efficiently discovers the underlying triggering relations of a massive amount of network events. We use these triggering relations to reason the occurrences of network events and to pinpoint stealthy malware activities. We define a new problem of triggering relation discovery of network events. Our solution is based on domain-knowledge guided advanced learning algorithms. Our extensive experimental evaluation involving 6+ GB traffic of various types shows promising results on the accuracy of our triggering relation discovery.
Keywords: anomaly detection, network security, stealthy malware (ID#: 15-6225)

Yu Feng, Saswat Anand, Isil Dillig, Alex Aiken; “Apposcopy: Semantics-Based Detection of Android Malware Through Static Analysis,”  FSE 2014, Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, November 2014, Pages 576-587. doi:10.1145/2635868.2635869
Abstract: We present Apposcopy, a new semantics-based approach for identifying a prevalent class of Android malware that steals private user information. Apposcopy incorporates (i) a high-level language for specifying signatures that describe semantic characteristics of malware families and (ii) a static analysis for deciding if a given application matches a malware signature. The signature matching algorithm of Apposcopy uses a combination of static taint analysis and a new form of program representation called Inter-Component Call Graph to efficiently detect Android applications that have certain control- and data-flow properties. We have evaluated Apposcopy on a corpus of real-world Android applications and show that it can effectively and reliably pinpoint malicious applications that belong to certain malware families
Keywords: Android, Inter-component Call Graph, Taint Analysis (ID#: 15-6226)

Steven Noel, Sushil Jajodia; “Metrics Suite for Network Attack Graph Analytics,” CISR ’14, Proceedings of the 9th Annual Cyber and Information Security Research Conference, April 2014, Pages 5-8. doi:10.1145/2602087.2602117
Abstract: We describe a suite of metrics for measuring network-wide cyber security risk based on a model of multi-step attack vulnerability (attack graphs). Our metrics are grouped into families, with family-level metrics combined into an overall metric for network vulnerability risk. The Victimization family measures risk in terms of key attributes of risk across all known network vulnerabilities. The Size family is an indication of the relative size of the attack graph. The Containment family measures risk in terms of minimizing vulnerability exposure across protection boundaries. The Topology family measures risk through graph theoretic properties (connectivity, cycles, and depth) of the attack graph. We display these metrics (at the individual, family, and overall levels) in interactive visualizations, showing multiple metrics trends over time.
Keywords: attack graphs, security metrics, topological vulnerability analysis (ID#: 15-6227)

Tsung Hsuan Ho, Daniel Dean, Xiaohui Gu, William Enck; “PREC: Practical Root Exploit Containment for Android Devices,” CODASPY ’14, Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, March 2014, Pages 187-198. doi:10.1145/2557547.2557563
Abstract: Application markets such as the Google Play Store and the Apple App Store have become the de facto method of distributing software to mobile devices. While official markets dedicate significant resources to detecting malware, state-of-the-art malware detection can be easily circumvented using logic bombs or checks for an emulated environment. We present a Practical Root Exploit Containment (PREC) framework that protects users from such conditional malicious behavior. PREC can dynamically identify system calls from high-risk components (e.g., third-party native libraries) and execute those system calls within isolated threads. Hence, PREC can detect and stop root exploits with high accuracy while imposing low interference to benign applications. We have implemented PREC and evaluated our methodology on 140 most popular benign applications and 10 root exploit malicious applications. Our results show that PREC can successfully detect and stop all the tested malware while reducing the false alarm rates by more than one order of magnitude over traditional malware detection algorithms. PREC is light-weight, which makes it practical for runtime on-device root exploit detection and containment.
Keywords: android, dynamic analysis, host intrusion detection, malware, root exploits (ID#: 15-6228)

Frederico Araujo, Kevin W. Hamlen, Sebastian Biedermann, Stefan Katzenbeisser; “From Patches to Honey-Patches: Lightweight Attacker Misdirection, Deception, and Disinformation,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 942-953. doi:10.1145/2660267.2660329
Abstract: Traditional software security patches often have the unfortunate side-effect of quickly alerting attackers that their attempts to exploit patched vulnerabilities have failed. Attackers greatly benefit from this information; it expedites their search for unpatched vulnerabilities, it allows them to reserve their ultimate attack payloads for successful attacks, and it increases attacker confidence in stolen secrets or expected sabotage resulting from attacks. To overcome this disadvantage, a methodology is proposed for reformulating a broad class of security patches into honey-patches — patches that offer equivalent security but that frustrate attackers’ ability to determine whether their attacks have succeeded or failed. When an exploit attempt is detected, the honey-patch transparently and efficiently redirects the attacker to an unpatched decoy, where the attack is allowed to succeed. The decoy may host aggressive software monitors that collect important attack information, and deceptive files that disinform attackers. An implementation for three production-level web servers, including Apache HTTP, demonstrates that honey-patching can be realized for large-scale, performance-critical software applications with minimal overheads.
Keywords: honeypots, intrusion detection and prevention (ID#: 15-6229)

Sascha Fahl, Sergej Dechand, Henning Perl, Felix Fischer, Jaromir Smrcek, Matthew Smith; “Hey, NSA: Stay Away from My Market! Future Proofing App Markets against Powerful Attackers,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 1143-1155. doi:10.1145/2660267.2660311
Abstract: Mobile devices are evolving as the dominant computing platform and consequently application repositories and app markets are becoming the prevalent paradigm for deploying software. Due to their central and trusted position in the software ecosystem, coerced, hacked or malicious app markets pose a serious threat to user security. Currently, there is little that hinders a nation state adversary (NSA) or other powerful attackers from using such central and trusted points of software distribution to deploy customized (malicious) versions of apps to specific users. Due to intransparencies in the current app installation paradigm, this kind of attack is extremely hard to detect.  In this paper, we evaluate the risks and drawbacks of current app deployment in the face of powerful attackers. We assess the app signing practices of 97% of all free Google Play apps and find that the current practices make targeted attacks unnecessarily easy and almost impossible to detect for users and app developers alike. We show that high profile Android apps employ intransparent and unaccountable strategies when they publish apps to (multiple) alternative markets. We then present and evaluate Application Transparency (AT), a new framework that can defend against ``targeted-and-stealthy'' attacks, mount by malicious markets. We deployed AT in the wild and conducted an extensive field study in which we analyzed app installations on 253,819 real world Android devices that participate in a popular anti-virus app's telemetry program. We find that AT can effectively protect users against malicious targeted attack apps and furthermore adds transparency and accountability to the current intransparent signing and packaging strategies employed by many app developers.
Keywords: android, apps, market, nsa, security, transparency (ID#: 15-6230)

Mingshen Sun, Min Zheng, John C. S. Lui, Xuxian Jiang; “Design and Implementation of an Android Host-based Intrusion Prevention System,” ACSAC ’14, Proceedings of the 30th Annual Computer Security Applications Conference, December 2014, Pages 226-235. doi:10.1145/2664243.2664245
Abstract: Android has a dominating share in the mobile market and there is a significant rise of mobile malware targeting Android devices. Android malware accounted for 97% of all mobile threats in 2013 [26]. To protect smartphones and prevent privacy leakage, companies have implemented various host-based intrusion prevention systems (HIPS) on their Android devices. In this paper, we first analyze the implementations, strengths and weaknesses of three popular HIPS architectures. We demonstrate a severe loophole and weakness of an existing popular HIPS product in which hackers can readily exploit. Then we present a design and implementation of a secure and extensible HIPS platform—“Patronus.” Patronus not only provides intrusion prevention without the need to modify the Android system, it can also dynamically detect existing malware based on runtime information. We propose a two-phase dynamic detection algorithm for detecting running malware. Our experiments show that Patronus can prevent the intrusive behaviors efficiently and detect malware accurately with a very low performance overhead and power consumption.
Keywords: (not provided) (ID#: 15-6231)

Thomas Hobson, Hamed Okhravi, David Bigelow, Robert Rudd, William Streilein; “On the Challenges of Effective Movement,” MTD ’14, Proceedings of the First ACM Workshop on Moving Target Defense, November 2014, Pages 41-50. doi:10.1145/2663474.2663480
Abstract: Moving Target (MT) defenses have been proposed as a game-changing approach to rebalance the security landscape in favor of the defender. MT techniques make systems less deterministic, less static, and less homogeneous in order to increase the level of effort required to achieve a successful compromise. However, a number of challenges in achieving effective movement lead to weaknesses in MT techniques that can often be used by the attackers to bypass or otherwise nullify the impact of that movement. In this paper, we propose that these challenges can be grouped into three main types: coverage, unpredictability, and timeliness. We provide a description of these challenges and study how they impact prominent MT techniques. We also discuss a number of other considerations faced when designing and deploying MT defenses.
Keywords: cybersecurity challenges, diversity, metrics, moving target, randomization (ID#: 15-6232)

M. Zubair Rafique, Ping Chen, Christophe Huygens, Wouter Joosen; “Evolutionary Algorithms for Classification of Malware Families Through Different Network Behaviors,” GECCO ’14, Proceedings of the 2014 Conference on Genetic and Evolutionary Computation, July 2014, Pages 1167-1174. doi:10.1145/2576768.2598238
Abstract: The staggering increase of malware families and their diversity poses a significant threat and creates a compelling need for automatic classification techniques. In this paper, we first analyze the role of network behavior as a powerful technique to automatically classify malware families and their polymorphic variants. Afterwards, we present a framework to efficiently classify malware families by modeling their different network behaviors (such as HTTP, SMTP, UDP, and TCP). We propose protocol-aware and state-space modeling schemes to extract features from malware network behaviors. We analyze the applicability of various evolutionary and non-evolutionary algorithms for our malware family classification framework. To evaluate our framework, we collected a real-world dataset of $6,000$ unique and active malware samples belonging to 20 different malware families. We provide a detailed analysis of network behaviors exhibited by these prevalent malware families. The results of our experiments shows that evolutionary algorithms, like sUpervised Classifier System (UCS), can effectively classify malware families through different network behaviors in real-time. To the best of our knowledge, the current work is the first malware classification framework based on evolutionary classifier that uses different network behaviors.
Keywords: machine learning, malware classification, network behaviors (ID#: 15-6233)

Ali Zand, Giovanni Vigna, Xifeng Yan, Christopher Kruegel; “Extracting Probable Command and Control Signatures for Detecting Botnets,” SAC ’14, Proceedings of the 29th Annual ACM Symposium on Applied Computing, March 2014, Pages 1657-1662. doi:10.1145/2554850.2554896
Abstract: Botnets, which are networks of compromised machines under the control of a single malicious entity, are a serious threat to online security. The fact that botnets, by definition, receive their commands from a single entity can be leveraged to fight them. To this end, one requires techniques that can detect command and control (C&C) traffic, as well as the servers that host C&C services. Given the knowledge of a C&C server’s IP address, one can use this information to detect all hosts that attempt to contact such a server, and subsequently disinfect, disable, or block the infected machines. This information can also be used by law enforcement to take down the C&C server. In this paper, we present a new botnet C&C signature extraction approach that can be used to find C&C communication in traffic generated by executing malware samples in a dynamic analysis system. This approach works in two steps. First, we extract all frequent strings seen in the network traffic. Second, we use a function that assigns a score to each string. This score represents the likelihood that the string is indicative of C&C traffic. This function allows us to rank strings and focus our attention on those that likely represent good C&C signatures. We apply our technique to almost 2.6 million network connections produced by running more than 1.4 million malware samples. Using our technique, we were able to automatically extract a set of signatures that are able to identify C&C traffic. Furthermore, we compared our signatures with those used by existing tools, such as Snort and BotHunter.
Keywords:  (not provided) (ID#: 15-6234)

Sandy Clark, Michael Collis, Matt Blaze, Jonathan M. Smith; “Moving Targets: Security and Rapid-Release in Firefox,” CCS ’14, Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, Pages 1256-1266. doi:10.1145/2660267.2660320
Abstract: Software engineering practices strongly affect the security of the code produced. The increasingly popular Rapid Release Cycle (RRC) development methodology and easy network software distribution have enabled rapid feature introduction. RRC’s defining characteristic of frequent software revisions would seem to conflict with traditional software engineering wisdom regarding code maturity, reliability and reuse, as well as security. Our investigation of the consequences of rapid release comprises a quantitative, data-driven study of the impact of rapid-release methodology on the security of the Mozilla Firefox browser. We correlate reported vulnerabilities in multiple rapid release versions of Firefox code against those in corresponding extended release versions of the same system; using a common software base with different release cycles eliminates many causes other than RRC for the observables. Surprisingly, the resulting data show that Firefox RRC does not result in higher vulnerability rates and, further, that it is exactly the unfamiliar, newly released software (the “moving targets”) that requires time to exploit. These provocative results suggest that a rethinking of the consequences of software engineering practices for security may be warranted.
Keywords: agile programming, honeymoon effect, arms race, rapid release cycle, secure software development models, secure software metrics, software life-cycle, software quality, secure software development, vulnerabilities, windows of vulnerability (ID#: 15-6235)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.