{"title":"Heuristic malware detection via basic block comparison","authors":"Francis Adkins, Luke Jones, M. Carlisle, Jason Upchurch","doi":"10.1109/MALWARE.2013.6703680","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703680","url":null,"abstract":"Each day, malware analysts are tasked with more samples than they have the ability to analyze by hand. To produce this trend, malware authors often reuse a significant portion of their code. In this paper, we introduce a technique to statically decompose malicious software to identify shared code. This technique variably applies a sliding-window methodology to either full files or individual basic blocks to produce representative similarity ratios either between two binaries or between two functionalities within binaries, respectively. This grants the ability to apply heuristic detection via threshold similarity matching as well as full-inclusivity matching for malicious functionality. Additionally, we apply generalization techniques to minimize local assembly variants while still maintaining consistent structural matching. We also identify improvements that this technique provides over previous technologies and demonstrate its success in practical sample detection. Finally, we suggest further applications of this technique and highlight possible contributions to modern malware detection.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116216207","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Use-case-specific metrics for comparative testing of endpoint security products","authors":"Jeffrey Wu, A. Arrott","doi":"10.1109/MALWARE.2013.6703683","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703683","url":null,"abstract":"A battery of protection and resource performance tests were conducted using commercial internet security suites designed for general purpose usage with a Windows 8 personal computer (PC). Six classes of PC users were identified: Internet addict; network businessman; socializer; basic user; gamer; self-presenter; infrequent user. Recognizing that practical Internet security is different for each of these user groups, the importance of each component protection and resource performance test was assessed independently for each PC user group. By weighting component results to match relative importance for each user group, separate overall comparative assessments of the tested internet security suite products were obtained separately for each user group. From this, a more effective assessment of the value of commercial anti-malware protection is obtained specific to a customer's PC usage. When third party commercial anti-malware products were compared to the protection application provided by Microsoft, the average improvement ranged from 5% to 10% when measured separately for each PC user group.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"45 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123994254","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Countering malware evolution using cloud-based learning","authors":"Jacob Ouellette, A. Pfeffer, Arun Lakhotia","doi":"10.1109/MALWARE.2013.6703689","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703689","url":null,"abstract":"Recent years have seen an explosion in the number and sophistication of malware attacks. The sheer volume of novel malware has made purely manual signature development impractical and has led to research on applying machine learning and data mining to automatically infer malware signatures in the wild. Unfortunately, researchers have recently found ways to game the machine learning algorithms and learn to predict which samples the learning algorithms will classify as benign or malicious, thus opening the door for innovative deception on the part of malware developers. To counter this threat, we are developing our Semi-Supervised Algorithms against Malware Evolution (SESAME) program, which uses online learning to evolve as new malware is encountered, recognizing novel families and adapting its model of families as they themselves evolve. It uses semi-supervised learning to enable it to learn from both labeled and unlabeled malware. SESAME combines a rich feature set with deep learning algorithms to learn the essential characteristics of malware that enable us to relate novel malware to existing malware. SESAME is being designed to be an enterprise-based system with learning in the cloud and rapid endpoint classification.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"53 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122534516","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Analysis and diversion of Duqu's driver","authors":"Guillaume Bonfante, J. Marion, Fabrice Sabatier, Aurélien Thierry","doi":"10.1109/MALWARE.2013.6703692","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703692","url":null,"abstract":"The propagation techniques and the payload of Duqu have been closely studied over the past year and it has been said that Duqu shared functionalities with Stuxnet. We focused on the driver used by Duqu during the infection, our contribution consists in reverse-engineering the driver: we rebuilt its source code and analyzed the mechanisms it uses to execute the payload while avoiding detection. Then we diverted the driver into a defensive version capable of detecting injections in Windows binaries, thus preventing further attacks. We specifically show how Duqu's modified driver would have detected Duqu.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"70 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123020127","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Synthesizing near-optimal malware specifications from suspicious behaviors","authors":"S. Jha, Matt Fredrikson, Mihai Christodorescu, R. Sailer, Xifeng Yan","doi":"10.1109/MALWARE.2013.6703684","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703684","url":null,"abstract":"Behavior-based detection techniques are a promising solution to the problem of malware proliferation. However, they require precise specifications of malicious behavior that do not result in an excessive number of false alarms, while still remaining general enough to detect new variants before traditional signatures can be created and distributed. In this paper, we present an automatic technique for extracting optimally discriminative specifications, which uniquely identify a class of programs. Such a discriminative specification can be used by a behavior-based malware detector. Our technique, based on graph mining and stochastic optimization, scales to large classes of programs. When this work was originally published, the technique yielded favorable results on malware targeted towards workstations (~86% detection rates on new malware). We believe that it can be brought to bear on emerging malware-based threats for new platforms, and discuss several promising avenues for future work in this direction.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128826488","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"REcompile: A decompilation framework for static analysis of binaries","authors":"Khaled Yakdan, Sebastian Eschweiler, E. Gerhards-Padilla","doi":"10.1109/MALWARE.2013.6703690","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703690","url":null,"abstract":"Reverse engineering of binary code is an essential step for malware analysis. However, it is a tedious and time-consuming task. Decompilation facilitates this process by transforming machine code into a high-level representation that is more concise and easier to understand. This paper describes REcompile, an efficient and extensible decompilation framework. REcompile uses the static single assignment form (SSA) as its intermediate representation and performs three main classes of analysis. Data flow analysis removes machine-specific details from code and transforms it into a concise high-level form. Type analysis finds variable types based on how those variables are used in code. Control flow analysis identifies high-level control structures such as conditionals, loops, and switch statements. These steps enable REcompile to produce well-readable decompiled code. The overall evaluation, using real programs and malware samples, shows that REcompile achieves a comparable and in many cases better performance than state-of-the-art decompilers.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130432570","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"First byte: Force-based clustering of filtered block N-grams to detect code reuse in malicious software","authors":"Jason Upchurch, Xiaobo Zhou","doi":"10.1109/MALWARE.2013.6703687","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703687","url":null,"abstract":"Detecting code reuse in malicious software is complicated by the lack of source code. The same circumstance that makes code reuse detection in malicious software desirable, that is, the limited availability of original source code, also contributes to the difficulty of detecting code reuse. In this paper, we propose a method for detecting code reuse in software, specifically malicious software, that moves beyond the limitations of targeting variant detection (categorization of families). This method expands n-gram analysis to target basic blocks extracted from compiled code vice entire text sections. It also targets individual relationships between basic blocks found in localized code reuse, while preserving the ability to detect variants and families of variants found with generalized code reuse. We demonstrate the limitations of similarity calculated without first disassembling the instructions and show that our First Byte normalization gives dramatic improvements in detection of code reuse. To visualize results, our method proposes force-based clustering as a solution to rapidly detect relationships between compiled binaries and detect relationships without complex analysis. Our methods retain the previously demonstrated ability of n-gram analysis to detect variants, while adding the ability to detect code reuse in non-variant malware. We show that our proposed filtering method reduces the number of similarity calculations and highlights only meaningful relationships in our malware set.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"58 1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122942829","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"An antivirus API for Android malware recognition","authors":"Rafael Fedler, Marcel Kulicke, J. Schütte","doi":"10.1109/MALWARE.2013.6703688","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703688","url":null,"abstract":"On the Android platform, antivirus software suffers from significant deficiencies. Due to platform limitations, it cannot access or monitor an Android device's file system, or dynamic behavior of installed apps. This includes the downloading of malicious files after installation, and other file system alterations. That has grave consequences for device security, as any app - even without openly malicious code in its package file - can still download and execute malicious files without any danger of being detected by antivirus software. In this paper, we present a proposal for an antivirus interface to be added to the Android API. It allows for three primary operations: (1) on-demand file system scanning and traversal, (2) on-change file system monitoring, (3) a set of basic operations that allow for scanning of arbitrary file system objects without disclosing their contents. This interface can enable Android antivirus software to deploy techniques for malware recognition similar to those of desktop antivirus systems. The proposed measures comply with Android's security architecture and user data privacy is maintained. Through our approach, antivirus software on the Android platform would reach a level of effectiveness significantly higher than currently, and comparable to that of desktop antivirus software.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"37 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122421769","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"It's you on photo?: Automatic detection of Twitter accounts infected with the Blackhole Exploit Kit","authors":"Joshua S. White, Jeanna Neefe Matthews","doi":"10.1109/MALWARE.2013.6703685","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703685","url":null,"abstract":"The Blackhole Exploit Kit (BEK) has been called the “Toyota Camry” of exploit kits - cheap, readily available and reliable. According to some estimates, it was used to enable the majority of malware infections in 2012. One major infection vector for BEK is through Twitter. In this paper, we analyze over two months of Twitter data from May through July of 2012 and identify user accounts affected by BEK. Based on reports that BEK infected tweets containing the string “It's you on photo?” were being used to lure victims to BEK infected sites, we identified matching messages and analyzed the associated accounts. We then identified a wider range of message types associated with BEK infection and developed an automated mechanism for identifying infectious accounts - both accounts that were created specifically for malware distribution and legitimate accounts that began distributing malware after the owner's system was infected. Specifically, we find that BEK infectious accounts are characterized by tweets with an entropy lower than 4.5, tweets that are sent using the Mobile Web API and tweets containing an embedded URL. We present an automated method for isolating the point at which an account becomes infectious based on changes in the entropy of tweets from the account.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"16 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124873346","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Circumventing keyloggers and screendumps","authors":"Karan Sapra, Benafsh Husain, R. Brooks, M. C. Smith","doi":"10.1109/MALWARE.2013.6703691","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703691","url":null,"abstract":"We consider keyloggers (hardware or software) and screendumps of virtual keyboards by the local machine. To counter these attacks, we use DirectX 9 libraries[3] on Windows or Linux[5] operating systems. Our approach uses a remote server that communicates securely with the local process. The Direct X mode that we use executes in the GPU while being directly displayed on the screen. There is no direct communication between the operating system and the GPU storage, which allows us to communicate with the user securely even if the local machine is compromised. We present a simple prototype application of this approach, which supports web browsing.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"106 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128129480","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}