2018 13th International Conference on Malicious and Unwanted Software (MALWARE): latest papers

Malware Anomaly Detection on Virtual Assistants
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659366
Authors: Ni An, A. Duff, Mahshid Noorani, S. Weber, S. Mancoridis
Abstract: This work explores the application of anomaly detection techniques, specifically one-class support vector machine (SVM) and online change-point detection, to construct a model that can distinguish, in real time, the normal operation of an Amazon Alexa Virtual Assistant IoT device from anomalous operation due to malware infections. Despite the current absence of widespread malware for IoT devices, the anticipated rapid growth in deployment and use of IoT devices will likely attract many different malware attacks in the near future. Because of their highly specialized and, hence, predictable expected behavior, malware detection on IoT devices is not difficult given large training sets, long testing vectors, and extensive computational power. The challenge we address in this paper is to ascertain how quickly malware may be detected, i.e., the distribution on the number of system calls before a suitably high confidence decision may be made.
Citations: 9
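The question the abstract poses, how many system calls pass before a confident decision, can be made concrete with a small added example. This is not the paper's code or data: a per-call surprise score from a bigram model of a constructed benign syscall trace stands in for the one-class SVM, and a Page CUSUM detector consumes those scores online and reports how many calls it needed before alarming. The syscall names, the two behaviour cycles, the drift and the threshold are all assumptions chosen for illustration.

```python
"""Online change-point detection over a syscall stream (added example, not the paper's code)."""
import math
import random
from collections import Counter

# Constructed syscall sequences (assumption: not real Alexa traces or malware samples).
NORMAL_CYCLE = ["epoll_wait", "read", "ioctl", "write", "sendto", "recvfrom", "futex"]
MALICIOUS_CYCLE = ["socket", "connect", "sendto", "recvfrom", "open", "write", "execve", "clone"]


def normal_trace(n_cycles, rng):
    """Benign event loop; a timing call sometimes follows epoll_wait (benign jitter the model must tolerate)."""
    out = []
    for _ in range(n_cycles):
        for call in NORMAL_CYCLE:
            out.append(call)
            if call == "epoll_wait" and rng.random() < 0.2:
                out.append("gettimeofday")
    return out


class BigramSurprise:
    """Per-call anomaly score -log P(call | previous call), learned from a benign trace.
    A simple stand-in for the paper's one-class SVM: any per-call score works with the CUSUM below."""

    def __init__(self, trace):
        self.pairs = Counter(zip(trace, trace[1:]))
        self.totals = Counter(trace[:-1])
        self.vocab = len(set(trace))
        scores = [self.score(a, b) for a, b in zip(trace, trace[1:])]
        self.baseline = sum(scores) / len(scores)  # mean surprise under normal operation

    def score(self, prev, call):
        # Add-one smoothing: an unseen transition out of a well-known state is very surprising;
        # an unknown previous state degrades to a uniform guess over the vocabulary.
        return -math.log((self.pairs[(prev, call)] + 1) / (self.totals[prev] + self.vocab))


def cusum_alarm(model, stream, drift=0.5, threshold=4.0):
    """Page's CUSUM: accumulate surprise in excess of (baseline + drift), floor at zero,
    alarm once the sum exceeds the threshold. Returns the number of syscalls consumed
    before the alarm, or None if the stream never looks anomalous."""
    s = 0.0
    for i in range(1, len(stream)):
        s = max(0.0, s + model.score(stream[i - 1], stream[i]) - model.baseline - drift)
        if s > threshold:
            return i + 1
    return None


def demo():
    rng = random.Random(7)
    model = BigramSurprise(normal_trace(300, rng))
    benign = normal_trace(40, rng)
    infected = normal_trace(40, rng)
    change_point = len(infected)          # index of the first malicious syscall
    infected += MALICIOUS_CYCLE * 3
    return {
        "benign_alarm": cusum_alarm(model, benign),
        "change_point": change_point,
        "infected_alarm": cusum_alarm(model, infected),
    }


if __name__ == "__main__":
    r = demo()
    print(r, "calls after infection:", r["infected_alarm"] - r["change_point"])
```

Running `demo()` over many seeds and collecting `infected_alarm - change_point` gives exactly the distribution of detection delay (in system calls) that the abstract is after; the drift term is what trades false alarms on benign jitter against that delay.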
Binary Obfuscation Based Reassemble
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659363
Authors: Chang Wang, Zhaolong Zhang, Xiaoqi Jia, Donghai Tian
Abstract: Software reverse engineering is the process of retrieving the source code or recovering the higher-level structure from an executable binary file. It has a wide range of applications in software analysis, such as vulnerability mining and exploiting, blind patching and so on. But it can also be used for illegal activities such as software piracy and plagiarism, which bring huge losses to the relevant workers. So anti-reversing has important significance for intellectual property protection. In fact, it is difficult to protect software against being reversed or maliciously modified. In this paper, we present and discuss a new binary obfuscation method based on reassembling. Binary reassembling refers to the process of disassembling an executable binary into assembly code and assembling it back into a correct binary. We perform binary obfuscation in this process because it avoids many problems and gives better protection than other obfuscation methods. We designed two obfuscating schemes, instruction substitution and control flow confusion. The resulting code is still a correct program, but it has a more complex instruction execution sequence and a more sophisticated control flow graph. According to the experimental results, the obfuscated program has a smaller file size but executes more slowly than the original program.
Citations: 1
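Instruction substitution is the easier of the two schemes to show in a few lines. The following is an added example, not the paper's tool: a rewriter over 32-bit x86 Intel-syntax text that applies three semantics-preserving rules of my own choosing (the paper does not list its rules on this page). The important practitioner detail is the flags guard: `add` may become `lea` only when a forward scan proves nothing reads the flags before they are overwritten, otherwise the rewritten program is no longer "still a correct program".

```python
"""Instruction substitution on 32-bit x86 (Intel syntax) text (added example, not the paper's tool)."""
import re

REGS32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp"}   # esp left out: push/pop would clobber it
IMM = re.compile(r"^-?(0x[0-9a-f]+|\d+)$", re.I)

# Instructions that write every arithmetic flag without reading any: flags live before them are dead.
FLAG_WRITERS = {"add", "sub", "cmp", "test", "and", "or", "xor", "neg"}
# Instructions that neither read nor write flags, so the liveness scan may step over them.
FLAG_NEUTRAL = {"mov", "push", "pop", "lea", "nop"}


def parse(line):
    """'mnemonic op1, op2 ; comment' -> (mnemonic, [ops]) or None for blank/comment-only lines."""
    line = line.split(";")[0].strip()
    if not line:
        return None
    parts = line.split(None, 1)
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].lower(), ops


def flags_dead_after(parsed, idx):
    """True if the flags produced by parsed[idx] are overwritten before anything could read them."""
    for mnem, _ in parsed[idx + 1:]:
        if mnem in FLAG_NEUTRAL:
            continue
        return mnem in FLAG_WRITERS
    return False  # end of block: assume the flags may be live


def substitute(mnem, ops, flags_dead):
    """Return an equivalent instruction sequence for one rewrite rule, or None if no rule applies."""
    if len(ops) != 2 or ops[0] not in REGS32:
        return None
    dst, src = ops
    if mnem == "xor" and src == dst:
        return [f"sub {dst}, {dst}"]                      # same result and same defined flags
    if mnem == "mov" and (IMM.match(src) or src in REGS32):
        return [f"push {src}", f"pop {dst}"]               # none of mov/push/pop touch flags
    if mnem == "add" and IMM.match(src) and flags_dead:
        return [f"lea {dst}, [{dst} + {src}]"]             # lea writes no flags: legal only when they are dead
    return None


def obfuscate(asm):
    """Rewrite a straight-line block; instructions with no applicable rule pass through unchanged."""
    parsed = [p for p in (parse(l) for l in asm.splitlines()) if p]
    out = []
    for idx, (mnem, ops) in enumerate(parsed):
        repl = substitute(mnem, ops, flags_dead_after(parsed, idx))
        out.extend(repl if repl else [(mnem + " " + ", ".join(ops)).strip()])
    return out


# Constructed input block (assumption: illustrative, not from the paper).
SAMPLE = """
    xor eax, eax        ; eax = 0
    mov ecx, 0x10
    add ecx, 4          ; flags dead here: only a mov sits between this and the cmp
    mov edx, ecx
    cmp edx, 0x14
    jne fail
    add eax, 1          ; flags still live at ret: must be left alone
    ret
"""

if __name__ == "__main__":
    print("\n".join(obfuscate(SAMPLE)))
```

The rewritten block is longer in instruction count (the paper reports a smaller file for its full pipeline, which this fragment does not reproduce) and its disassembly no longer pattern-matches the original; a real implementation would run the liveness check across basic-block boundaries rather than stopping at the end of the text.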
Model-driven Timing Consistency for Active Malware Redirection
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659370
Authors: Rory Klein, T. Barkley, Weston Clizbe, J. Bateman, J. Rrushi
Abstract: Decoy I/O on computers in production is designed to redirect malware towards phantom devices, where malware are intercepted and hence immediately detected, pinpointed, and possibly controlled and leveraged against the threat actors. For their part, malware seek inconsistencies in their targets to detect decoys and avoid falling into a trap, possibly before it is too late for them. In this paper we explore modeling and simulation based on the queueing network formalism to provide decoy network interface cards and their associated network targets with an infallible timing consistency. We propose a practical approach that integrates the findings of modeling and simulation into the operating system kernel, and thus creates a usable source of timing consistency for network decoys. We implemented this work within the code of a decoy Object Linking and Embedding (OLE) for Process Control (OPC) server. We tested our tool against malware samples involved in recent cyber attack campaigns, and discuss the findings in the paper.
Citations: 0
Behavioral Malware Classification using Convolutional Recurrent Neural Networks
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659358
Authors: Bander Alsulami, S. Mancoridis
Abstract: Behavioral malware detection aims to improve on the performance of static signature-based techniques used by anti-virus systems, which are less effective against modern polymorphic and metamorphic malware. Behavioral malware classification aims to go beyond the detection of malware by also identifying a malware's family according to a naming scheme such as the ones used by anti-virus vendors. Behavioral malware classification techniques use run-time features, such as file system or network activities, to capture the behavioral characteristics of running processes. The increasing volume of malware samples, diversity of malware families, and the variety of naming schemes given to malware samples by anti-virus vendors present challenges to behavioral malware classifiers. We describe a behavioral classifier that uses a Convolutional Recurrent Neural Network and data from Microsoft Windows Prefetch files. We demonstrate the model's improvement on the state-of-the-art using a large dataset of malware families and four major anti-virus vendor naming schemes. The model is effective in classifying malware samples that belong to common and rare malware families and can incrementally accommodate the introduction of new malware samples and families.
Citations: 19
Is eval() Evil: A study of JavaScript in PDF malware
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659374
Authors: A. Lemay, Sylvain P. Leblanc
Abstract: Client-side attacks have become very popular in recent years. Consequently, third-party client software, such as Adobe's Acrobat Reader, remains a popular vector for infections. In order to support their malicious activities, PDF malware authors often turn to JavaScript. Because of this malicious intent, JavaScript from malicious PDFs is markedly different from JavaScript from non-malicious PDFs. This paper presents a detailed analysis of the content of JavaScript from two sources, malicious and non-malicious PDF files gathered from multiple extractions on VirusTotal Intelligence, in order to provide an overview of the significant differences in the distribution of keywords between the two types of JavaScript. The analysis shows that the obfuscation techniques and the generation of exploit-triggering code used by malware authors create artefacts, such as the presence of seldom-used functions that are not observable in normal files. Additionally, JavaScript from malicious PDF files lacks the keywords associated with common PDF automation tasks such as getting new content from the web, interacting with the document or interacting with the user. This provides empirical confirmation of extrapolations into the detection of malicious JavaScript in PDF files from previous research and provides insight for the creation of a classifier based on keyword distributions.
Citations: 3
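The abstract's closing point, a classifier built on keyword distributions, is small enough to show end to end. The block below is an added example and not the paper's classifier or data: it tokenises identifier-like keywords, learns a Laplace-smoothed log-odds weight per keyword from two constructed corpora (a few obfuscated loader-style snippets against a few form-automation snippets, which are assumptions standing in for the VirusTotal extractions), and scores new JavaScript by summing those weights. Tokens inside string literals are deliberately kept, since that is where obfuscated payloads live.

```python
"""Keyword-distribution scoring of JavaScript extracted from PDFs (added example, not the paper's classifier)."""
import math
import re
from collections import Counter

IDENT = re.compile(r"[A-Za-z_$][\w$]*")

# Constructed training snippets (assumption: stand-ins for the paper's VirusTotal corpora).
MALICIOUS = [
    "var s = unescape('%u9090%u9090'); var p = ''; while (p.length < 0x1000) p += s; eval(String.fromCharCode(118,97,114));",
    "function d(x) { return x.replace(/zz/g, ''); } eval(unescape(d('v%61r%20a')));",
    "var b = ''; for (var i = 0; i < a.length; i += 2) b += String.fromCharCode(parseInt(a.substring(i, i + 2), 16)); eval(b);",
]
BENIGN = [
    "var f = this.getField('total'); f.value = this.getField('qty').value * 3; app.alert('Updated');",
    "if (event.value == '') app.alert('Please fill in the form'); else this.submitForm('https://example.invalid/submit');",
    "this.print({bUI: true}); app.launchURL('https://example.invalid/help', true);",
]


def keywords(js):
    """Identifier-like tokens, deduplicated per document (document frequency, not raw counts)."""
    return set(IDENT.findall(js))


class KeywordScorer:
    """Per-keyword log-odds log P(kw|malicious) - log P(kw|benign) over document frequencies,
    Laplace-smoothed so keywords seen in only one class stay finite. A document's score is the
    sum over its keywords; positive leans malicious, negative leans benign."""

    def __init__(self, malicious, benign):
        mal = Counter(kw for doc in malicious for kw in keywords(doc))
        ben = Counter(kw for doc in benign for kw in keywords(doc))
        self.weights = {
            kw: math.log((mal[kw] + 1) / (len(malicious) + 2)) - math.log((ben[kw] + 1) / (len(benign) + 2))
            for kw in set(mal) | set(ben)
        }

    def score(self, js):
        return sum(self.weights.get(kw, 0.0) for kw in keywords(js))

    def top(self, n=5):
        """Keywords most indicative of malicious JavaScript in the training data."""
        return sorted(self.weights.items(), key=lambda kv: -kv[1])[:n]


if __name__ == "__main__":
    scorer = KeywordScorer(MALICIOUS, BENIGN)
    print(scorer.top())
    print(scorer.score("eval(unescape(payload))"), scorer.score("app.alert(this.getField('name').value)"))
```

With real corpora the weights would be learned from thousands of documents and a decision threshold tuned on held-out files; the absence of automation keywords (`app`, `this`, `getField`) carries negative weight here just as the abstract describes, so a sample earns a malicious score both for what it contains and for what it lacks.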
A Hybrid Static Tool to Increase the Usability and Scalability of Dynamic Detection of Malware
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659373
Authors: Danny Kim, Daniel Mirsky, Amir Majlesi-Kupaei, R. Barua
Abstract: Malware detection is a paramount priority in today's world in order to prevent malware attacks. Malware detection comes in three methods: static analysis, dynamic analysis, and hybrids. Static analysis is fast and effective for detecting previously seen malware, whereas dynamic analysis can be more accurate and robust against zero-day or polymorphic malware, but at the cost of a high computational load, which results in an often-prohibitive dollar cost for the server farm needed to handle all incoming traffic at an organization's network entry point. Most modern defenses today use a hybrid approach, which uses both static and dynamic analysis to maximize their chances of detecting malware. However, current hybrid approaches are suboptimal. We propose a solution to utilize the strengths of both while minimizing their weaknesses by using a two-phase hybrid detection tool. The first phase is a static tool, which we call a "static-hybrid" tool, that is based on machine learning and static analysis to categorize incoming programs into three buckets: definitely benign, definitely malicious, and needs further analysis. Only the small fraction of programs in the third bucket are run on the dynamic analyzer. Our system approaches the accuracy of the dynamic-only system with only a small fraction of its computational cost, while maintaining a real-time malware detection timeliness similar to a static-only system, thus achieving the best of both approaches. A key feature of our system is that the first (static) phase can run in active mode, i.e. it blocks malware in real time, which is possible because of the low 0.08% rate of mistakenly blocking benign programs as malicious (all results in our salient configuration). The second (dynamic) phase is run in passive mode, i.e. it sends alerts for suspected malware without blocking them, and has a higher false positive rate of 0.75%. The first phase blocks 88.98% of malware, whereas the second phase brings the detection rate up to 98.73%. Since only the small fraction of malware missed by the first stage but caught by the second stage generates alerts, our system reduces alerts by 9.5X vs. any highly accurate system running by itself in the typical passive mode seen in practice. Since only 3.63% of programs that need further study are sent to the second phase, this reduces the computation load for dynamic analysis by 100/3.63 = 27.5X.
Citations: 4
SpyDroid: A Framework for Employing Multiple Real-Time Malware Detectors on Android
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659365
Authors: Shahrear Iqbal, Mohammad Zulkernine
Abstract: Android has become the leading operating system for next-generation smart devices. Consequently, the number of Android malware has also skyrocketed. Many dynamic analysis techniques have been proposed to detect Android malware. However, very few of these techniques use real-time monitoring on user devices, as Android does not provide low-level information to third-party apps. Moreover, some techniques detect a specific malware class more effectively than others. Therefore, end users can benefit from installing multiple malware detection techniques. In this paper, we propose SpyDroid, a real-time malware detection framework that can accommodate multiple detectors from third parties (e.g., researchers and antivirus vendors) and allows efficient and controlled real-time monitoring. SpyDroid consists of two operating system modules (monitoring and detection) and supports application-layer sub-detectors. Sub-detectors are regular Android applications that monitor and analyze different runtime information using the monitoring module, and they report their findings to the detection module. The detection module decides when to mark an app as malware. Researchers and antivirus vendors can now publish their techniques via app markets and end users can install any number of sub-detectors as they require. We have implemented SpyDroid using the Android Open Source Project (AOSP) and our experiments with a dataset containing 4,965 apps show that decisions from multiple sub-detectors can increase the malware detection rate significantly on a real device.
Citations: 12
MALWARE 2018 Welcome Message
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/malware.2018.8659356
Citations: 0
SCRaaPS: X.509 Certificate Revocation Using the Blockchain-based Scrybe Secure Provenance System
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659364
Authors: Sai Medury, A. Skjellum, R. Brooks, Lu Yu
Abstract: X.509 certificates underpin the security of the Internet economy, notably secure web servers, and they need to be revoked promptly and reliably once they are compromised. The original revocation method specified in the X.509 standard, to distribute certificate revocation lists (CRLs), is both old and untrustworthy. CRLs are susceptible to attacks such as Man-in-the-Middle and Denial of Service. The newer Online Certificate Status Protocol (OCSP) and OCSP-stapling approaches have well-known drawbacks as well. The primary contribution of this paper is Secure Revocation as a Peer Service (SCRaaPS). SCRaaPS is an alternative, reliable way to support X.509 certificate revocation via the Scrybe secure provenance system. The blockchain support of Scrybe enables the creation of a durable, reliable revocation service that can withstand Denial-of-Service attacks and ensures non-repudiation of certificates revoked. We provide cross-CA revocation information and address the additional problem of intermediate-certificate revocation with the knock-on effects on certificates derived thereof. A Cuckoo filter provides quick, communication-free testing by servers and browsers against our current revocation list (with no false negatives). A further contribution of this work is that the revocation service can fit in as a drop-in replacement for OCSP-stapling with superior performance and coverage both for servers and browsers. Potential revocation indicated by our Cuckoo filter is backed up by rigorous service query to eliminate false positives. Cuckoo filter parameters are also stored in our blockchain to provide open access to this algorithmic option for detection. We describe the advantages of using a blockchain-based system and, in particular, the approach to distributed ledger technology and lightweight mining enabled by Scrybe, which was designed with secure provenance in mind.
Citations: 7
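The two-step check in the abstract (a Cuckoo filter with no false negatives, then a "rigorous service query" to clear false positives) is worth seeing as working code. The block below is an added example, not the SCRaaPS implementation: a compact Cuckoo filter with 16-bit fingerprints and 4-slot buckets, a client-side checker that only contacts the authoritative source on a filter hit, and a demo over constructed 16-byte serial numbers. The authoritative service is simulated by a plain set; the ledger, the filter sizing and the serials are assumptions.

```python
"""Cuckoo-filter revocation check with authoritative fallback (added example, not the SCRaaPS code)."""
import hashlib
import random


class CuckooFilter:
    """Cuckoo filter: each item has a short fingerprint and two candidate buckets, i1 = h(x) and
    i2 = i1 XOR h(fingerprint), so either bucket is derivable from the other without the key.
    Every inserted item is found again (no false negatives); a false positive needs another item
    with the same fingerprint in one of the same two buckets."""

    def __init__(self, n_buckets=1024, bucket_size=4, fp_bits=16, max_kicks=500, seed=0):
        assert n_buckets & (n_buckets - 1) == 0, "bucket count must be a power of two for the XOR trick"
        self.mask, self.bucket_size, self.fp_bits, self.max_kicks = n_buckets - 1, bucket_size, fp_bits, max_kicks
        self.buckets = [[] for _ in range(n_buckets)]
        self.rng = random.Random(seed)  # eviction choices; seeded so the demo is reproducible

    def _fp_and_index(self, item):
        h = hashlib.sha256(item).digest()
        fp = int.from_bytes(h[:4], "big") & ((1 << self.fp_bits) - 1)
        return fp, int.from_bytes(h[4:8], "big") & self.mask

    def _alt_index(self, index, fp):
        h = int.from_bytes(hashlib.sha256(fp.to_bytes(4, "big")).digest()[:4], "big")
        return (index ^ h) & self.mask  # involution: alt(alt(i)) == i

    def insert(self, item):
        fp, i1 = self._fp_and_index(item)
        i2 = self._alt_index(i1, fp)
        for i in (i1, i2):
            if len(self.buckets[i]) < self.bucket_size:
                self.buckets[i].append(fp)
                return True
        i = self.rng.choice((i1, i2))
        for _ in range(self.max_kicks):  # evict a random resident and relocate it to its other bucket
            j = self.rng.randrange(self.bucket_size)
            fp, self.buckets[i][j] = self.buckets[i][j], fp
            i = self._alt_index(i, fp)
            if len(self.buckets[i]) < self.bucket_size:
                self.buckets[i].append(fp)
                return True
        return False  # table too full: the publisher must rebuild with a larger filter

    def contains(self, item):
        fp, i1 = self._fp_and_index(item)
        return fp in self.buckets[i1] or fp in self.buckets[self._alt_index(i1, fp)]


class RevocationChecker:
    """Client-side flow: the filter answers 'not revoked' locally and definitively; a filter hit is only
    'possibly revoked' and is confirmed against the authoritative service, simulated here by a set
    (assumption: stands in for the ledger-backed query the paper describes)."""

    def __init__(self, revoked_serials):
        self.filter = CuckooFilter()
        self.authoritative = set(revoked_serials)
        self.queries = 0
        for serial in revoked_serials:
            if not self.filter.insert(serial):
                raise RuntimeError("filter capacity exceeded; rebuild with more buckets")

    def is_revoked(self, serial):
        if not self.filter.contains(serial):
            return False          # fast path, no network round trip
        self.queries += 1         # slow path only for true revocations and filter false positives
        return serial in self.authoritative


def demo(n_revoked=2000, n_valid=10000, seed=1):
    """Constructed 16-byte certificate serials (assumption). Returns the error counts a publisher
    would verify before shipping a filter."""
    rng = random.Random(seed)
    serials = sorted({rng.getrandbits(128).to_bytes(16, "big") for _ in range(n_revoked + n_valid)})
    revoked, valid = serials[:n_revoked], serials[n_revoked:]
    checker = RevocationChecker(revoked)
    return {
        "false_negatives": sum(not checker.filter.contains(s) for s in revoked),
        "filter_false_positives": sum(checker.filter.contains(s) for s in valid),
        "wrong_verdicts": sum(not checker.is_revoked(s) for s in revoked) + sum(checker.is_revoked(s) for s in valid),
        "service_queries": checker.queries,
    }


if __name__ == "__main__":
    print(demo())
```

The filter's false-positive rate is governed by `fp_bits` and the bucket size, which is why the abstract mentions publishing the filter parameters: a relying party must know them to rebuild and verify the filter, and a wrong fingerprint width would silently turn "no false negatives" into a guarantee that no longer holds. Deletion is omitted here on purpose; a revocation is permanent, so the filter is rebuilt from the ledger rather than edited in place.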
An In-Depth Study of Open-Source Command and Control Frameworks
2018 13th International Conference on Malicious and Unwanted Software (MALWARE) | Pub Date: 2018-10-01 | DOI: 10.1109/MALWARE.2018.8659361
Authors: Julien Piet, Blake Anderson, D. McGrew
Abstract: Previous work has intensely studied the prevention and detection of malicious network traffic, but current solutions still lack the efficacy needed to detect Remote Access Trojan (RAT) network activity. This deficiency is becoming more of a threat with the releases of open-source implementations that emphasize ease of use while maintaining stealth and modularity. In this paper, we provide a detailed design and analysis of network-based methods that can detect generic RAT behaviors such as polling, and specific detection techniques targeting three popular open-source RATs: Metasploit, Empire, and Pupy. Our methods rely on passive monitoring as well as semi-active scans targeting suspicious servers that are triggered by the passive monitoring system. Our complete classification system achieves a ~98.5% true positive rate and a ~0.01% false positive rate, validating our approach to RAT detection.
Citations: 2
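The generic behaviour the abstract singles out, polling, is detectable from flow timestamps alone. The block below is an added example, not the paper's classifier: it groups a constructed NetFlow-style log by (client, server:port), takes the median inter-arrival gap as the candidate period and the median absolute deviation as jitter, and flags flows whose jitter is a small fraction of the period. The log, the hosts, the 60-second period and the 0.15 jitter cut-off are assumptions; the framework-specific detections for Metasploit, Empire and Pupy and the semi-active scan step are not reproduced.

```python
"""Periodic-polling (beacon) detection over flow records (added example, not the paper's classifier)."""
import random
import statistics
from collections import defaultdict


def constructed_flow_log(seed=3):
    """Constructed 'ts src dst:port bytes' records (assumption: not a real capture). One host polls its
    server every ~60 s with 10% jitter; the other browses at irregular intervals."""
    rng = random.Random(seed)
    lines, t_beacon, t_user = [], 0.0, 0.0
    for _ in range(40):
        t_beacon += 60 * rng.uniform(0.9, 1.1)
        lines.append(f"{t_beacon:.1f} 10.0.0.5 198.51.100.7:443 612")
        t_user += rng.uniform(1, 120)
        lines.append(f"{t_user:.1f} 10.0.0.9 203.0.113.20:443 {rng.randrange(400, 60000)}")
    return sorted(lines, key=lambda l: float(l.split()[0]))


def parse_flows(lines):
    """Group connection start times by (client, server:port)."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, _nbytes = line.split()
        flows[(src, dst)].append(float(ts))
    return flows


def polling_score(timestamps, min_samples=8):
    """Period = median inter-arrival gap; jitter = median absolute deviation relative to the period.
    Robust statistics, so a few missed or extra connections do not hide a regular beacon."""
    if len(timestamps) < min_samples:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    period = statistics.median(gaps)
    if period <= 0:
        return None
    jitter = statistics.median(abs(g - period) for g in gaps) / period
    return {"period": period, "jitter": jitter, "samples": len(gaps)}


def find_pollers(flows, max_jitter=0.15):
    """Flows whose inter-arrival times are regular enough to look like an implant's poll loop."""
    pollers = {}
    for key, stamps in flows.items():
        score = polling_score(stamps)
        if score and score["jitter"] <= max_jitter:
            pollers[key] = score
    return pollers


if __name__ == "__main__":
    for key, score in find_pollers(parse_flows(constructed_flow_log())).items():
        print(key, score)
```

A flagged server is exactly the kind of "suspicious server" that would trigger the paper's semi-active scan; on its own, regular polling also describes software updaters and monitoring agents, so the period, the destination's reputation and the byte sizes need to be weighed before anyone acts on a hit.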