发布求助
文献互助 智能选刊 最新文献

2011 6th International Conference on Malicious and Unwanted Software最新文献

筛选
英文 中文
Evidence of Advanced Persistent Threat: A case study of malware for political espionage 高级持续威胁的证据:用于政治间谍活动的恶意软件案例研究
2011 6th International Conference on Malicious and Unwanted Software Pub Date : 2011-10-18 DOI: 10.1109/MALWARE.2011.6112333
F. Li, Anthony Lai, Ddl Ddl
{"title":"Evidence of Advanced Persistent Threat: A case study of malware for political espionage","authors":"F. Li, Anthony Lai, Ddl Ddl","doi":"10.1109/MALWARE.2011.6112333","DOIUrl":"https://doi.org/10.1109/MALWARE.2011.6112333","url":null,"abstract":"A political figure in Hong Kong continuously receives spear-phishing emails that encourage clicking on shortcuts or opening attachments with file extensions, such as .pdf, .doc(x), .xls(x), .chm, and so on. He suspects that such emails were actively sent from seemingly known parties during the pre- and postelection periods. The emails and samples were sent to us for investigation, and two nearly identical samples were chosen for the case study. These malwares appear to be the first Advanced Persistent Threat (APT) incident to undergo detailed study in Hong Kong. APT is defined by MANDIANT as a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target or entity for a prolonged period. The malware performs the following functions similar to those of “Operation Shady RAT”, it attempts to hide itself from known anti-virus programs, downloads and executes additional binaries, enumerates all file information in the hard disk, gathers email and instant messaging passwords from victims, collects screen captures, establishes outbound encrypted HTTP connections, sends all gathered intelligence to a Command and Control, and deletes all temporary files of the collected information from the victims' machine after uploading. The forensic findings lead us to believe that APT is a real threat in Hong Kong.","PeriodicalId":375300,"journal":{"name":"2011 6th International Conference on Malicious and Unwanted Software","volume":"31 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130796480","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 86
ROP payload detection using speculative code execution 使用推测代码执行的ROP有效负载检测
2011 6th International Conference on Malicious and Unwanted Software Pub Date : 2011-10-18 DOI: 10.1109/MALWARE.2011.6112327
M. Polychronakis, A. Keromytis
{"title":"ROP payload detection using speculative code execution","authors":"M. Polychronakis, A. Keromytis","doi":"10.1109/MALWARE.2011.6112327","DOIUrl":"https://doi.org/10.1109/MALWARE.2011.6112327","url":null,"abstract":"The prevalence of code injection attacks has led to the wide adoption of exploit mitigations based on nonexecutable memory pages. In turn, attackers are increasingly relying on return-oriented programming (ROP) to bypass these protections. At the same time, existing detection techniques based on shellcode identification are oblivious to this new breed of exploits, since attack vectors may not contain binary code anymore. In this paper, we present a detection method for the identification of ROP payloads in arbitrary data such as network traffic or process memory buffers. Our technique speculatively drives the execution of code that already exists in the address space of a targeted process according to the scanned input data, and identifies the execution of valid ROP code at runtime. Our experimental evaluation demonstrates that our prototype implementation can detect a broad range of ROP exploits against Windows applications without false positives, while it can be easily integrated into existing defenses based on shell-code detection.","PeriodicalId":375300,"journal":{"name":"2011 6th International Conference on Malicious and Unwanted Software","volume":"97 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123597935","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 49
Results-oriented security 注重实效的安全
2011 6th International Conference on Malicious and Unwanted Software Pub Date : 2011-10-18 DOI: 10.1109/MALWARE.2011.6112325
M. Bishop, R. Ford, M. Ramilli
{"title":"Results-oriented security","authors":"M. Bishop, R. Ford, M. Ramilli","doi":"10.1109/MALWARE.2011.6112325","DOIUrl":"https://doi.org/10.1109/MALWARE.2011.6112325","url":null,"abstract":"Current security practice is to examine incoming messages, commands, data, and executing processes for attacks that can then be countered. This position paper argues that this practice is counterproductive because the number and variety of attacks are far greater than we can cope with. We propose a results-oriented approach, in which one focuses on the step of the attack that realizes the compromise. Thus, the manner in which the compromise is effected becomes less important than the actual result, and prevention, detection, and recovery efforts are focused on that.","PeriodicalId":375300,"journal":{"name":"2011 6th International Conference on Malicious and Unwanted Software","volume":"13 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122153192","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 1
Game-theoretic design of an information exchange model for detecting packed malware 一种检测打包恶意软件信息交换模型的博弈论设计
2011 6th International Conference on Malicious and Unwanted Software Pub Date : 2011-10-18 DOI: 10.1109/MALWARE.2011.6112319
Anshuman Singh, Arun Lakhotia
{"title":"Game-theoretic design of an information exchange model for detecting packed malware","authors":"Anshuman Singh, Arun Lakhotia","doi":"10.1109/MALWARE.2011.6112319","DOIUrl":"https://doi.org/10.1109/MALWARE.2011.6112319","url":null,"abstract":"Packing, a method used by the ‘good guys’ to protect their software from reverse engineering, is also used by the ‘bad guys’ to hide malicious code from being detected by anti-virus (AV) scanners. The AV industry is developing a mechanism to blacklist the software vendors that pack malicious applications, instead of the current practice of blacklisting the packers that are used for packing malicious applications. This will require packer developers to introduce ‘taggants’ in the packed executable and share taggant information in an industry wide information exchange. The idea is similar to the effort of requiring special chemicals to aid in the detection and identification of explosives. In the software context, it is expected that a packer vendor will introduce some secure watermark or signature that can identify the author of a packed binary, and hence help with the detection of malware. For a packer vendor to take on the extra work, which may cost him some customers, the AV industry may need to provide some incentive. However, since a packer vendor is an independent company, likely residing in a different legal jurisdiction, the AV industry cannot verify whether the packer vendor is indeed abiding by the terms of the incentive, and not selling a non-taggant version to malware authors through another channel. We use a game-theoretic modeling approach called the “principal-agent problem” to model the interaction between the AV industry and a packer vendor and give a method of computing the optimal incentive for packer vendors to tag and abide by the terms of the incentive.","PeriodicalId":375300,"journal":{"name":"2011 6th International Conference on Malicious and Unwanted Software","volume":"15 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127900517","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 11
Building malware infection trees 构建恶意软件感染树
2011 6th International Conference on Malicious and Unwanted Software Pub Date : 2011-10-18 DOI: 10.1109/MALWARE.2011.6112326
J. Morales, Michael Main, Weiliang Luo, Shouhuai Xu, R. Sandhu
{"title":"Building malware infection trees","authors":"J. Morales, Michael Main, Weiliang Luo, Shouhuai Xu, R. Sandhu","doi":"10.1109/MALWARE.2011.6112326","DOIUrl":"https://doi.org/10.1109/MALWARE.2011.6112326","url":null,"abstract":"Dynamic analysis of malware is an ever evolving and challenging task. A malware infection tree (MiT) can assist in analysis by identifying processes and files related to a specific malware sample. In this paper we propose an abstract approach to building a comprehensive MiT based on rules describing execution events essential to malware infection strategies of files and processes. The MiT is built using strong and weak bonds between processes and files which are based on transitivity of information and creator/created relationships. The abstract approach facilitates usage on any operating system platform. We implement the rules on the Windows Vista operating system using a custom built tool named MiTCoN which was used in a small scale analysis and infection tree creation of a diverse set of 5800 known malware samples. Results analysis revealed a significant occurrent of our rules within a very short span of time. We demonstrate our rule set can effectively and efficiently build infection trees linking all related processes and files of a specific malware sample with no false positives. We also tested the possible usability of a MiT in disinfecting a system which yielded a 100% success rate.","PeriodicalId":375300,"journal":{"name":"2011 6th International Conference on Malicious and Unwanted Software","volume":"258 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-10-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132490852","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 7
Using static analysis for automatic assessment and mitigation of unwanted and malicious activities within Android applications 使用静态分析来自动评估和缓解Android应用程序中不需要的和恶意的活动
2011 6th International Conference on Malicious and Unwanted Software Pub Date : 2011-10-01 DOI: 10.1109/MALWARE.2011.6112328
L. Batyuk, Markus Herpich, S. Çamtepe, Karsten Raddatz, Aubrey-Derrick Schmidt, S. Albayrak
{"title":"Using static analysis for automatic assessment and mitigation of unwanted and malicious activities within Android applications","authors":"L. Batyuk, Markus Herpich, S. Çamtepe, Karsten Raddatz, Aubrey-Derrick Schmidt, S. Albayrak","doi":"10.1109/MALWARE.2011.6112328","DOIUrl":"https://doi.org/10.1109/MALWARE.2011.6112328","url":null,"abstract":"In the last decade, smartphones have gained widespread usage. Since the advent of online application stores, hundreds of thousands of applications have become instantly available to millions of smart-phone users. Within the Android ecosystem, application security is governed by digital signatures and a list of coarse-grained permissions. However, this mechanism is not fine-grained enough to provide the user with a sufficient means of control of the applications' activities. Abuse of highly sensible private information such as phone numbers without users' notice is the result. We show that there is a high frequency of privacy leaks even among widely popular applications. Together with the fact that the majority of the users are not proficient in computer security, this presents a challenge to the engineers developing security solutions for the platform. Our contribution is twofold: first, we propose a service which is able to assess Android Market applications via static analysis and provide detailed, but readable reports to the user. Second, we describe a means to mitigate security and privacy threats by automated reverse-engineering and refactoring binary application packages according to the users' security preferences.","PeriodicalId":375300,"journal":{"name":"2011 6th International Conference on Malicious and Unwanted Software","volume":"104 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2011-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124212411","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
引用次数: 156
首页 上一页
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
请完成安全验证×
相关产品
×
本文献相关产品
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信