Dissertations / Theses on the topic 'Malware attack detection'

The enormous growth of the Internet and its use in everyday life make it an attractive target for malicious users. As the network becomes more complex and sophisticated it becomes more vulnerable to attack. There is a pressing need for the future internet to be resilient, manageable and secure. Our research is on distributed challenge detection and is part of the EU Resumenet Project (Resilience and Survivability for Future Networking: Framework, Mechanisms and Experimental Evaluation). It aims to make networks more resilient to a wide range of challenges including malicious attacks, misconfiguration, faults, and operational overloads. Resilience means the ability of the network to provide an acceptable level of service in the face of significant challenges; it is a superset of commonly used definitions for survivability, dependability, and fault tolerance. Our proposed resilience strategy could detect a challenge situation by identifying an occurrence and impact in real time, then initiating appropriate remedial action. Action is autonomously taken to continue operations as much as possible and to mitigate the damage, and allowing an acceptable level of service to be maintained. The contribution of our work is the ability to mitigate a challenge as early as possible and rapidly detect its root cause. Also our proposed multi-stage policy based challenge detection system identifies both the existing and unforeseen challenges. This has been studied and demonstrated with an unknown worm attack. Our multi stage approach reduces the computation complexity compared to the traditional single stage, where one particular managed object is responsible for all the functions. The approach we propose in this thesis has the flexibility, scalability, adaptability, reproducibility and extensibility needed to assist in the identification and remediation of many future network challenges.

In this paper, system of automatic processing of attacks using honeypots is discussed. The first goal of the thesis is to become familiar with the issue of signatures to detect malware on the network, especially the analysis and description of existing methods for automatic generation of signatures using honeypots. The main goal is to use the acquired knowledge to the design and implementation of tool which will perform the detection of new malicious software on the network or end user's workstation.

Machine learning is a subset of Artificial Intelligence which is utilised in a variety of different fields to increase productivity, reduce overheads, and simplify the work process through training machines to automatically perform a task. Machine learning has been implemented in many different fields such as medical science, information technology, finance, and cyber security. Machine learning algorithms build models which identify patterns within data, which when applied to new data, can map the input to an output with a high degree of accuracy. To build the machine learning model, a dataset comprised of appropriate examples is divided into training and testing sets. The training set is used by the machine learning algorithm to identify patterns within the data, which are used to make predictions on new data. The test set is used to evaluate the performance of the machine learning model. These models are popular because they significantly improve the performance of technology through automation of feature detection which previously required human input. However, machine learning algorithms are susceptible to a variety of adversarial attacks, which allow an attacker to manipulate the machine learning model into performing an unwanted action, such as misclassifying data into the attackers desired class, or reducing the overall efficacy of the ML model. One current research area is that of malware detection. Malware detection relies on machine learning to detect previously unknown malware variants, without the need to manually reverse-engineer every suspicious file. Detection of Zero-day malware plays an important role in protecting systems generally but is particularly important in systems which manage critical infrastructure, as such systems often cannot be shut down to apply patches and thus must rely on network defence. In this research, a targeted adversarial poisoning attack was developed to allow Zero-day malware files, which were originally classified as malicious, to bypass detection by being misclassified as benign files. An adversarial poisoning attack occurs when an attacker can inject specifically-crafted samples into the training dataset which alters the training process to the desired outcome of the attacker. The targeted adversarial poisoning attack was performed by taking a random selection of the Zero-day file’s import functions and injecting them into the benign training dataset. The targeted adversarial poisoning attack succeeded for both Multi-Layer Perceptron (MLP) and Decision Tree models without reducing the overall efficacy of the target model. A defensive strategy was developed for the targeted adversarial poisoning attack for the MLP models by examining the activation weights of the penultimate layer at test time. If the activation weights were outside the norm for the target (benign) class, the file is quarantined for further examination. It was found to be possible to identify on average 80% of the target Zero-day files from the combined targeted poisoning attacks by examining the activation weights of the neurons from the penultimate layer.

<p>More money nowadays moves online and it is very understandable that criminals want to make more money online aswell, because these days’ banks don’t have large sums of money in their cash box. Since there are many other internalrisks involved in robbing a bank, criminals have found many other ways to commit crimes and much lower risMore money nowadays moves online and it is very understandable that criminals want to make more money online as well, because these days’ banks don’t have large sums of money in their cash box. Since there are many other internal risks involved in robbing a bank, criminals have found many other ways to commit crimes and much lower risk in online crime. The first level of change involved was email-based phishing, but later circumstances changed again.</p><p>Authentication methods and security of online bank has been improved over the period. This will drastically reduce effects of phishing based on emails and fraudulent website. The next level of online bank fraud is called banking Trojans. These Trojans infect the online customers of banks. These Trojans monitors customer’s activities and uses their authenticated session to steal customers’ money.</p><p>A lot of money is made by these kinds of attacks. Comparatively few perpetrators have been caught, and the problem is getting worse day by day. To have a better understanding of this problem, I have selected a recent malware sample named as SilentBanker. It had the capability of attacking more than 400 banks. This thesis presents the problem in general and includes my results in studying the behaviour of the SilentBanker Trojan.</p>

Industrial Control Systems (ICSes), networked through conventional IT infrastructures, are vulnerable to attacks originating from network channels. Perimeter security techniques such as access control and firewalls have had limited success in mitigating such attacks due to the frequent updates required by standard computing platforms, third-party hardware and embedded process controllers. The high level of human-machine interaction also aids in circumventing perimeter defenses, making an ICS susceptible to attacks such as reprogramming of embedded controllers. The Stuxnet and Aurora attacks have demonstrated the vulnerabilities of ICS security and proved that these systems can be stealthily compromised. We present several run-time methods for preemptive intrusion detection in industrial control systems to enhance ICS security against reconfiguration and network attacks. A run-time prediction using a linear model of the physical plant and a neural-network based classifier trigger mechanism are proposed for preemptive detection of an attack. A standalone, safety preserving, optimal backup controller is implemented to ensure plant safety in case of an attack. The intrusion detection mechanism and the backup controller are instantiated in configurable hardware, making them invisible to operating software and ensuring their integrity in the presence of malicious software. Hardware implementation of our approach on an inverted pendulum system illustrates the performance of both techniques in the presence of reconfiguration and network attacks.<br>Master of Science

La popularisation des smartphones et leur caractère indispensable les rendent aujourd'hui indéniables. Leur croissance exponentielle est également à l'origine de l'apparition de nombreux logiciels malveillants et fait trembler le prospère écosystème mobile. Parmi tous les systèmes d'exploitation des smartphones, Android est le plus ciblé par les auteurs de logiciels malveillants en raison de sa popularité, de sa disponibilité en tant que logiciel libre, et de sa capacité intrinsèque à accéder aux ressources internes. Les approches basées sur l'apprentissage automatique ont été déployées avec succès pour combattre les logiciels malveillants polymorphes et évolutifs. Au fur et à mesure que le classificateur devient populaire et largement adopté, l'intérêt d'échapper au classificateur augmente également. Les chercheurs et les adversaires se livrent à une course sans fin pour renforcer le système de détection des logiciels malveillants androïd et y échapper. Afin de lutter contre ces logiciels malveillants et de contrer les attaques adverses, nous proposons dans cette thèse un système de détection de logiciels malveillants android basé sur le codage d'images, un système qui a prouvé sa robustesse contre diverses attaques adverses. La plateforme proposée construit d'abord le système de détection des logiciels malveillants android en transformant intelligemment le fichier Android Application Packaging (APK) en une image RGB légère et en entraînant un réseau neuronal convolutif (CNN) pour la détection des logiciels malveillants et la classification des familles. Notre nouvelle méthode de transformation génère des modèles pour les APK bénins et malveillants plus faciles à classifier en images de couleur. Le système de détection ainsi conçu donne une excellente précision de 99,37% avec un Taux de Faux Négatifs (FNR) de 0,8% et un Taux de Faux Positifs (FPR) de 0,39% pour les anciennes et les nouvelles variantes de logiciels malveillants. Dans la deuxième phase, nous avons évalué la robustesse de notre système de détection de logiciels malveillants android basé sur l'image. Pour valider son efficacité contre les attaques adverses, nous avons créé trois nouveaux modèles d'attaques. Notre évaluation révèle que les systèmes de détection de logiciels malveillants basés sur l'apprentissage les plus récents sont faciles à contourner, avec un taux d'évasion de plus de 50 %. Cependant, le système que nous avons proposé construit un mécanisme robuste contre les perturbations adverses en utilisant son espace continu intrinsèque obtenu après la transformation intelligente des fichiers Dex et Manifest, ce qui rend le système de détection difficile à contourner<br>The exhilarating proliferation of smartphones and their indispensability to human life is inevitable. The exponential growth is also triggering widespread malware and stumbling the prosperous mobile ecosystem. Among all handheld devices, Android is the most targeted hive for malware authors due to its popularity, open-source availability, and intrinsic infirmity to access internal resources. Machine learning-based approaches have been successfully deployed to combat evolving and polymorphic malware campaigns. As the classifier becomes popular and widely adopted, the incentive to evade the classifier also increases. Researchers and adversaries are in a never-ending race to strengthen and evade the android malware detection system. To combat malware campaigns and counter adversarial attacks, we propose a robust image-based android malware detection system that has proven its robustness against various adversarial attacks. The proposed platform first constructs the android malware detection system by intelligently transforming the Android Application Packaging (APK) file into a lightweight RGB image and training a convolutional neural network (CNN) for malware detection and family classification. Our novel transformation method generates evident patterns for benign and malware APKs in color images, making the classification easier. The detection system yielded an excellent accuracy of 99.37% with a False Negative Rate (FNR) of 0.8% and a False Positive Rate (FPR) of 0.39% for legacy and new malware variants. In the second phase, we evaluate the robustness of our secured image-based android malware detection system. To validate its hardness and effectiveness against evasion, we have crafted three novel adversarial attack models. Our thorough evaluation reveals that state-of-the-art learning-based malware detection systems are easy to evade, with more than a 50% evasion rate. However, our proposed system builds a secure mechanism against adversarial perturbations using its intrinsic continuous space obtained after the intelligent transformation of Dex and Manifest files which makes the detection system strenuous to bypass

De nos jours, nous sommes entourés de périphériques intelligents autonomes qui interagissent avec de nombreux services dans le but d'améliorer notre niveau de vie. Ces périphériques font partie d'écosystèmes plus larges, dans lesquels de nombreuses entreprises collaborent pour faciliter la distribution d'applications entre les développeurs et les utilisateurs. Cependant, des personnes malveillantes en profitent illégalement pour infecter les appareils des utilisateurs avec des application malveillantes. Malgré tous les efforts mis en œuvre pour défendre ces écosystèmes, le taux de périphériques infectés par des malware est toujours en augmentation en 2020.Dans cette thèse, nous explorons trois axes de recherche dans le but d'améliorer globalement la détection de malwares dans l'écosystème Android. Nous démontrons d'abord que la précision des systèmes de détection basés sur le machine learning peuvent être améliorés en automatisant leur évaluation et en ré-utilisant le concept d'AutoML pour affiner les paramètres des algorithmes d'apprentissage. Nous proposons une approche pour créer automatiquement des variantes de malwares à partir de combinaisons de techniques d'évasion complexes pour diversifier les datasets de malwares expérimentaux dans le but de mettre à l'épreuve les systèmes de détection. Enfin, nous proposons des méthodes pour améliorer la qualité des datasets expérimentaux utilisés pour entrainer et tester les systèmes de détection<br>Nowadays, many of us are surrounded by smart devices that seamlessly operate interactively and autonomously together with multiple services to make our lives more comfortable. These smart devices are part of larger ecosystems, in which various companies collaborate to ease the distribution of applications between developers and users. However malicious attackers take advantage of them illegitimately to infect users' smart devices with malicious applications. Despite all the efforts made to defend these ecosystems, the rate of devices infected with malware is still increasing in 2020. In this thesis, we explore three research axes with the aim of globally improving malware detection in the Android ecosystem. We demonstrate that the accuracy of machine learning-based detection systems can be improved by automating their evaluation and by reusing the concept of AutoML to fine-tune learning algorithms parameters. We propose an approach to automatically create malware variants from combinations of complex evasion techniques to diversify experimental malware datasets in order to challenge existing detection systems. Finally, we propose methods to globally increase the quality of experimental datasets used to train and test detection systems

<p> Malware attacks have become a global threat to which no person or organization seems immune. Drive-by attacks and spear-phishing are two of the most prevalent and potentially damaging types of malware attacks, and traditionally both of these rely on exploiting a client application such as a browser or document viewer. This thesis focuses on the detection of a malware attack after a target application has been exploited, and while the malware is still executing in the context of the exploited process. This research presents an implementation of an application monitoring system that hooks critical functions and inspects characteristics of the process state in order to detect malware. The testing of the application monitoring system utilizes a corpus of exploits taken from a variety of real-world malware attacks, including several well-publicized examples. The resulting evaluation demonstrates the utility of function hooking and process state inspection techniques as a platform for detecting and stopping sophisticated malware attacks.</p>

Zero-day intrusion detection system faces serious challenges as hundreds of thousands of new instances of malware are being created every day to cause harm or damage to the computer system. Cyber-attacks are becoming more sophisticated, leading to challenges in intrusion detection. There are many Intrusion Detection Systems (IDSs), which are proposed to identify abnormal activities, but most of these IDSs produce a large number of false positives and low detection accuracy. Hence, a significant quantity of false positives could generate a high-level of alerts in a short period of time as the normal activities are classified as intrusion activities. This thesis proposes a novel framework of hybrid intrusion detection system that integrates the Signature Intrusion Detection System (SIDS) with the Anomaly Intrusion Detection System (AIDS) to detect zero-day attacks with high accuracy. SIDS has been used to identify previously known intrusions, and AIDS has been applied to detect unknown zero-day intrusions. The goal of this research is to combine the strengths of each technique toward the development of a hybrid framework for the efficient intrusion detection system. A number of performance measures including accuracy, F-measure and area under ROC curve have been used to evaluate the efficacy of our proposed models and to compare and contrast with existing approaches. Extensive simulation results conducted in this thesis show that the proposed framework is capable of yielding excellent detection performance when tested with a number of widely used benchmark datasets in the intrusion detection system domain. Experiments show that the proposed hybrid IDS provides higher detection rate and lower false-positive rate in detecting intrusions as compared to the SIDS and AIDS techniques individually.<br>Doctor of Philosophy

Thesis (M.S. in Computer Science)--Naval Postgraduate School, September 2006.<br>Thesis Advisor(s): Craig Martell, Kevin Squire. "September 2006." Includes bibliographical references (p.59-62). Also available in print.

Worldwide computer systems continue to execute malicious software that degrades the systemsâ performance and consumes network capacity by generating high volumes of unwanted traffic. Network-based detectors can effectively identify machines participating in the ongoing attacks by monitoring the traffic to and from the systems. But, network detection alone is not enough; it does not improve the operation of the Internet or the health of other machines connected to the network. We must identify malicious code running on infected systems, participating in global attack networks. This dissertation describes a robust and secure approach that identifies malware present on infected systems based on its undesirable use of network. Our approach, using virtualization, attributes malicious traffic to host-level processes responsible for the traffic. The attribution identifies on-host processes, but malware instances often exhibit parasitic behaviors to subvert the execution of benign processes. We then augment the attribution software with a host-level monitor that detects parasitic behaviors occurring at the user- and kernel-level. User-level parasitic attack detection happens via the system-call interface because it is a non-bypassable interface for user-level processes. Due to the unavailability of one such interface inside the kernel for drivers, we create a new driver monitoring interface inside the kernel to detect parasitic attacks occurring through this interface. Our attribution software relies on a guest kernelâ s data to identify on-host processes. To allow secure attribution, we prevent illegal modifications of critical kernel data from kernel-level malware. Together, our contributions produce a unified research outcome --an improved malicious code identification system for user- and kernel-level malware.

碩士<br>國立臺灣大學<br>電機工程學研究所<br>103<br>In this paper, we proposed the concept of attack scenarios, learned and selected from a set of malicious applications and described by sets of Android APIs, to characterize Android malware. Because of its characteristics that produce almost no false-positive, attack scenarios can be used as a pre-filter of machine-learning based detectors to enhance the detection performance at low false-positive rate. By combining different machine learning techniques, we demonstrate that the proposed approach can increase the detection rates. To evaluate our approach, we analyze 20,914 Android application containing 3,145 malicious samples on two different machine learning techniques, KNN and SVM. The experiment results show that the proposed approach can raise the detection rate up to 95.9% malware at 1% false positive rate and 95.9% malware at 0.1% false positive rate respectively.

Dissertação de mestrado integrado em Engenharia de Comunicações (área de especialização em Telecomunicações)<br>Na sociedade atual, a segurança nos sistemas de informação impõem-se como uma das temáticas de maior importância nas áreas relacionadas com as tecnologias de informação. Existem várias ferramentas que visam apoiar os administradores de redes a detetar e prevenir ataques informáticos, sendo de inestimável valor os sistemas de deteção de intrusões. Infelizmente ainda não existe nenhum método capaz de mensurar a eficácia de um sistema de deteção de intrusões, pelo que ainda é desconhecido se o rácio de falsos positivos e falsos negativos é aceitável. Um modelo de ataques para avaliação de sistemas de deteção de intrusões visa colmatar em parte esse problema. Graças a esse modelo, poderemos simular um ataque ao sistema e conhecer, em avanço, quais os eventos que o sistema de deteção de intrusões deveria despoletar. Neste projeto, pretende-se criar um modelo que vise englobar o maior número de ataques possíveis e recolher os eventos gerados em cada um desses ataques a par com a criação de um dataset de tráfego malicioso.<br>In current society, cyber security is one of the most important topics in the areas related to information technologies. There are several tools with the purpose of assist network administrators to detect and prevent cyber-attacks and one of the most important tool is the Intrusion Detection System. Unfortunately, there still no method capable of measuring and improve the effectiveness of an intrusion detection system, and it is still very hard to find an acceptable ratio of false positives and false negatives. A model of attacks for the evaluation of intrusion detection system is designed to help finding a solution for this problem. With a model off attacks, we can simulate an attack on a network and know in advance what events the intrusion detection system should trigger. In this project, we will create a model that with the purpose of cover the greatest number of potential attacks and collect events and datasets generated in each one of these attacks along with the creation of a dataset of malicious traffic.

In the last decade, a lot of machine learning and data mining based approaches have been used in the areas of intrusion detection, malware detection and classification and also traffic analysis. In the area of malware analysis, static binary analysis techniques have become increasingly difficult with the code obfuscation methods and code packing employed when writing the malware. The behavior-based analysis techniques are being used in large malware analysis systems because of this reason. In prior art, a number of clustering and classification techniques have been used to classify the malwares into families and to also identify new malware families, from the behavior reports. In this thesis, we have analysed in detail about the use of Profile Hidden Markov models for the problem of malware classification and clustering. The advantage of building accurate models with limited examples is very helpful in early detection and modeling of malware families. The thesis also revisits the learning setting of an Intrusion Detection System that employs machine learning for identifying attacks and normal traffic. It substantiates the suitability of incremental learning setting(or stream based learning setting) for the problem of learning attack patterns in IDS, when large volume of data arrive in a stream. Related to the above problem, an elaborate survey of the IDS that use data mining and machine learning was done. Experimental evaluation and comparison show that in terms of speed and accuracy, the stream based algorithms perform very well as large volumes of data are presented for classification as attack or non-attack patterns. The possibilities for using stream algorithms in different problems in security is elucidated in conclusion.

In the last decade, a lot of machine learning and data mining based approaches have been used in the areas of intrusion detection, malware detection and classification and also traffic analysis. In the area of malware analysis, static binary analysis techniques have become increasingly difficult with the code obfuscation methods and code packing employed when writing the malware. The behavior-based analysis techniques are being used in large malware analysis systems because of this reason. In prior art, a number of clustering and classification techniques have been used to classify the malwares into families and to also identify new malware families, from the behavior reports. In this thesis, we have analysed in detail about the use of Profile Hidden Markov models for the problem of malware classification and clustering. The advantage of building accurate models with limited examples is very helpful in early detection and modeling of malware families. The thesis also revisits the learning setting of an Intrusion Detection System that employs machine learning for identifying attacks and normal traffic. It substantiates the suitability of incremental learning setting(or stream based learning setting) for the problem of learning attack patterns in IDS, when large volume of data arrive in a stream. Related to the above problem, an elaborate survey of the IDS that use data mining and machine learning was done. Experimental evaluation and comparison show that in terms of speed and accuracy, the stream based algorithms perform very well as large volumes of data are presented for classification as attack or non-attack patterns. The possibilities for using stream algorithms in different problems in security is elucidated in conclusion.

Yes<br>As one of the most serious types of cyber attack, Advanced Persistent Threats (APT) have caused major concerns on a global scale. APT refers to a persistent, multi-stage attack with the intention to compromise the system and gain information from the targeted system, which has the potential to cause significant damage and substantial financial loss. The accurate detection and prediction of APT is an ongoing challenge. This work proposes a novel machine learning-based system entitled MLAPT, which can accurately and rapidly detect and predict APT attacks in a systematic way. The MLAPT runs through three main phases: (1) Threat detection, in which eight methods have been developed to detect different techniques used during the various APT steps. The implementation and validation of these methods with real traffic is a significant contribution to the current body of research; (2) Alert correlation, in which a correlation framework is designed to link the outputs of the detection methods, aims to identify alerts that could be related and belong to a single APT scenario; and (3) Attack prediction, in which a machine learning-based prediction module is proposed based on the correlation framework output, to be used by the network security team to determine the probability of the early alerts to develop a complete APT attack. MLAPT is experimentally evaluated and the presented system is able to predict APT in its early steps with a prediction accuracy of 84.8%.

The Internet has become the primary vector for the delivery of malicious code in cyber attacks, and malware has rapidly become a pervasive critical threat. Anti- malware products offer effective protection from malware threats for servers and endpoint devices using a variety of techniques. Advanced enterprise-level anti-malware products rely on state-of-art behavioral-based detection algorithms, in addition to traditional signature-based mechanisms. These dynamic detection techniques have been around for more than a decade and in response hackers have developed methods to evade them. However, currently known bypass methods require intensive manual labor. Moreover, this manual work has to be repeated whenever a parameter of the environment (such as the payload, operating system, Antivirus version, etc) changes, making these methods impractical. This may lead to the belief that dynamic techniques provide a good deterrence, and hence good protection. In this thesis we evaluate dynamic techniques. Specifically, we build tools to implement generic unhooking and funneling, and using these tools we show how dynamic techniques can be bypassed with considerably less effort than by fully manual methods. We also extend the repertoire of existing bypass methods and introduce a new malicious function call technique which exploits detection techniques that monitor a limited collection of critical system functions, as well as a method for bypassing guard-page protections. We demonstrate the effectiveness of all our techniques by conducting attacks against two enterprise antivirus products. Our results lead us to conclude that that dynamic techniques do not provide sufficient protection.<br>Graduate<br>2018-02-07<br>0984<br>erkanersan@gmail.com