Model-driven Timing Consistency for Active Malware Redirection

Authors: Rory Klein, T. Barkley, Weston Clizbe, J. Bateman, J. Rrushi
Venue: 2018 13th International Conference on Malicious and Unwanted Software (MALWARE)
Publication date: 2018-10-01
DOI: 10.1109/MALWARE.2018.8659370 (https://doi.org/10.1109/MALWARE.2018.8659370)
Source: Semantic Scholar record (not open access; citation count 0 at time of indexing)

Abstract
Decoy I/O on computers in production is designed to redirect malware towards phantom devices, where malware are intercepted and hence are immediately detected, pinpointed, and possibly controlled and leveraged against the threat actors. On their part, malware seek inconsistencies in their targets to detect decoys and avoid falling into a trap, possibly before it is too late for them. In this paper we explore modeling and simulation based on the queueing network formalism to provide decoy network interface cards and their associated network targets with an infallible timing consistency. We propose a practical approach that integrates the findings of modeling and simulation into the operating system kernel, and thus creates a usable source of timing consistency for network decoys. We implemented this work within the code of a decoy Object Linking and Embedding (OLE) for Process Control (OPC) server. We tested our tool against malware samples involved in recent cyber attack campaigns, and thus discuss the findings in the paper.