{"title":"A simple client-side defense against environment-dependent web-based malware","authors":"Gen Lu, Karan Chadha, S. Debray","doi":"10.1109/MALWARE.2013.6703694","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703694","url":null,"abstract":"Web-based malware tends to be environment-dependent, which poses a significant challenge to defending against web-based attacks, because the malicious code - which may be exposed and activated only under specific environmental conditions such as the version of the browser - may not be triggered during analysis. This paper proposes a simple approach for defending against environment-dependent malware. Instead of increasing analysis coverage in the detector, the goal of this technique is to ensure that the client will take the same execution path as the one examined by the detector. This technique is designed to work alongside a detector; it can handle cases existing multi-path exploration techniques are incapable of, and provides an efficient way to identify discrepancies in a JavaScript program's execution behavior in a user's environment compared to its behavior in a sandboxed detector, thereby detecting false negatives that may have been caused by environment dependencies. Experiments show that this technique can effectively detect environment-dependent behavior discrepancies of various forms, including those seen in real malware.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"4 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126129909","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Measuring the effectiveness of modern security products to detect and contain emerging threats — A consensus-based approach","authors":"F. C. Osorio, F. Leitold, Dorottya Mike, Chris Pickard, Sveta Miladinov, A. Arrott","doi":"10.1109/MALWARE.2013.6703682","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703682","url":null,"abstract":"Increasingly, the idea that cyber-attacks can be stopped at the periphery of the network has become a fool's errand. In today's computing environment and cyber-threat landscape, individuals as well as corporations have recognized the fact that (i) with the emergence of cloud-based computing there are no longer network boundaries under your control that can be protected, (ii) threats are often distributed in nature both in time and space - making detection extremely difficult, and (iii) the working assumption is not that you can prevent infections (the goal of 100% prevention is no longer practical) but rather, given that your \"system\" will be compromised, how quickly can you detect the breach and how do you minimize the impact of such an event. In this new environment, the idea that measuring the number of infected files detected within end-point devices is a good measure of the effectiveness of Anti-Malware and Security related products seems foolish. Instead, the industry has recognized that time to detect, time to countermeasure issuance, and ability to identify short-lived C&C sites are more relevant to determining the \"goodness\" of security products. Within this context, the authors have undertaken to develop benchmark metrics to test the ability of commercial automated gateway and endpoint security services to classify and categorize different types of web traffic (malicious content, malicious activity, non-malicious category). A test methodology has been developed for this purpose, based on the Wireless Systems Security Research Laboratory (WSSRL) test methodology, and extensions to the CheckVir Battery Test. Using this methodology, eight gateway protection services were tested and classified for their ability to identify the incoming traffic as malicious, C&C communications, and non-malicious content. A key component of the methodology is the concept of eventual consensus, a methodology whereby new threats are classified as malicious or not when (n/2 + 1) security products agree on the nature of the threat over time. The methodology was developed as a simplified extension of the well-known Byzantine Agreement protocol first discussed by Leslie Lamport.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"174 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122755586","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Static malware detection with Segmented Sandboxing","authors":"Hongyuan Qiu, F. C. Osorio","doi":"10.1109/MALWARE.2013.6703695","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703695","url":null,"abstract":"Traditionally, dynamic detection approaches to Malware identification are commended for their simplicity and small sized signature database. In practice they suffer from two major defects. First, Malware might need to be emulated for a long time before traces of harmful behavior are first exhibited. Second, a few Anti-VM techniques are widely known and can be easily employed by any program to thwart the attempt of having it executed in a sandbox and observing its original behavior, rendering the approach less than effective. On the other hand, static detection approaches have their own limitations, ranging from parsing obfuscated executables to the scalability issues due to the ever-increasing size of the signature database. Fundamentally, in the last 10-15 years polymorphic and metamorphic obfuscation techniques have become prevalent, making static approaches less than effective due to the sheer magnitude of the sample set. While the benefits of either dynamic or static approaches look quite tempting from each of their counterparts' perspectives, their weaknesses are daunting in their own right as well. In this manuscript we attempted to combine the best part of both worlds, without bringing in the disadvantage of either of them. We call this mixed approach “Segmented Sandboxing”.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"23 7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116802423","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Noninvasive detection of anti-forensic malware","authors":"Mordechai Guri, Gabi Kedma, Tom Sela, B. Carmeli, Amit Rosner, Y. Elovici","doi":"10.1109/MALWARE.2013.6703679","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703679","url":null,"abstract":"Modern malicious programs often escape dynamic analysis, by detecting forensic instrumentation within their own runtime environment. This has become a major challenge for malware researchers and analysts. Current defensive analysis of anti-forensic malware often requires painstaking step-by-step manual inspection. Code obfuscation may further complicate proper analysis. Furthermore, current defensive countermeasures are usually effective only against anti-forensic techniques which have already been identified. In this paper we propose a new method to detect and classify anti-forensic behavior, by comparing the trace-logs of the suspect program between different environments. Unlike previous works, the presented method is essentially noninvasive (does not interfere with original program flow). We separately trace the flow of instructions (Opcode) and the flow of Input-Output operations (IO). The two dimensions (Opcode and IO) complement each other to provide reliable classification. Our method can identify split behavior of suspected programs without prior knowledge of any specific anti-forensic technique; furthermore, it relieves the malware analyst from tedious step-by-step inspection. Those features are critical in the modern Cyber arena, where rootkits and Advanced Persistent Threats (APTs) are constantly adopting new sophisticated anti-forensic techniques to deceive analysis.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"64 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121174068","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"PANDORA applies non-deterministic obfuscation randomly to Android","authors":"Mykola Protsenko, Tilo Müller","doi":"10.1109/MALWARE.2013.6703686","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703686","url":null,"abstract":"Android, a Linux-based operating system, is currently the most popular platform for mobile devices like smart-phones and tablets. Recently, two closely related security threats have become a major concern of the research community: software piracy and malware. This paper studies the capabilities of code obfuscation for the purposes of plagiarized software and malware diversification. Within the scope of this work, the PANDORA (PANDORA Applies Non-Deterministic Obfuscation Randomly to Android) transformation system for Android bytecode was designed and implemented, combining techniques for data and object-oriented design obfuscation. Our evaluation results indicate deficiencies of the malware detection engines currently used in 46 popular antivirus products, which in most cases were not able to detect samples obfuscated with PANDORA. Furthermore, this paper reveals shortcomings of the Androsim tool and potentially other static software similarity algorithms, recently proposed to address the piracy problem in Android.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"2015 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2013-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121607674","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Highly resilient peer-to-peer botnets are here: An analysis of Gameover Zeus","authors":"Dennis Andriesse, C. Rossow, Brett Stone-Gross, D. Plohmann, H. Bos","doi":"10.1109/MALWARE.2013.6703693","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703693","url":null,"abstract":"Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable. Through a detailed analysis of this new Zeus variant, we demonstrate the high resilience of state of the art peer-to-peer botnets in general, and of peer-to-peer Zeus in particular.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"5 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122264094","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Dynamic classification of packing algorithms for inspecting executables using entropy analysis","authors":"Munkhbayar Bat-Erdene, Taebeom Kim, Hongzhe Li, Heejo Lee","doi":"10.1109/MALWARE.2013.6703681","DOIUrl":"https://doi.org/10.1109/MALWARE.2013.6703681","url":null,"abstract":"Packing is widely used for bypassing anti-malware systems, and the proportion of packed malware has been growing rapidly, making up over 80% of malware. Few studies on detecting packing algorithms have been conducted during the last two decades. In this paper, we propose a method to classify packing algorithms of given packed executables. First, we convert entropy values of the packed executables loaded in memory into symbolic representations. Our proposed method uses SAX (Symbolic Aggregate Approximation), which is known to be good at large data conversion. Due to its advantage of simplifying complicated patterns, symbolic representation is commonly used in bio-informatics and data mining fields. Second, we classify the distribution of symbols using supervised learning classifications, i.e., Naive Bayes and Support Vector Machines. Results of our experiments with a collection of 466 programs and 15 packing algorithms demonstrated that our method can identify packing algorithms of given executables with a high accuracy of 94.2%, recall of 94.7% and precision of 92.7%. It has been confirmed that packing algorithms can be identified using entropy analysis, which is a measure of uncertainty of running executables, without prior knowledge of the executable.","PeriodicalId":325281,"journal":{"name":"2013 8th International Conference on Malicious and Unwanted Software: \"The Americas\" (MALWARE)","volume":"257 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116374066","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}