Dissertations / Theses on the topic 'Malware'

1

Alzarooni, K. M. A. "Malware variant detection." Thesis, University College London (University of London), 2012. http://discovery.ucl.ac.uk/1347243/.

Abstract:
Malware programs (e.g., viruses, worms, Trojans, etc.) are a worldwide epidemic. Studies and statistics show that the impact of malware is getting worse. Malware detectors are the primary tools in the defence against malware. Most commercial anti-malware scanners maintain a database of malware patterns and heuristic signatures for detecting malicious programs within a computer system. Malware writers use semantic-preserving code transformation (obfuscation) techniques to produce new stealth variants of their malware programs. Malware variants are hard to detect with today's detection technologies as these tools rely mostly on syntactic properties and ignore the semantics of malicious executable programs. A robust malware detection technique is required to handle this emerging security threat. In this thesis, we propose a new methodology that overcomes the drawback of existing malware detection methods by analysing the semantics of known malicious code. The methodology consists of three major analysis techniques: the development of a semantic signature, slicing analysis and test data generation analysis. The core element in this approach is to specify an approximation for malware code semantics and to produce signatures for identifying, possibly obfuscated but semantically equivalent, variants of a sample of malware. A semantic signature consists of a program test input and semantic traces of a known malware code. The key challenge in developing our semantics-based approach to malware variant detection is to achieve a balance between improving the detection rate (i.e. matching semantic traces) and performance, with or without the effects of obfuscation on malware variants. We develop slicing analysis to improve the construction of semantic signatures. We back our trace-slicing method with a theoretical result that shows the notion of correctness of the slicer. A proof-of-concept implementation of our malware detector demonstrates that the semantics-based analysis approach could improve current detection tools and make the task more difficult for malware authors. Another important part of this thesis is exploring program semantics for the selection of a suitable part of the semantic signature, for which we provide two new theoretical results. In particular, this dissertation includes a test data generation method that works for binary executables and the notion of correctness of the method.
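The idea the abstract describes, matching what code does on a chosen test input rather than what its bytes look like, in a toy form. This is an added example, not the formalism or detector from the thesis: a small register machine (instruction set, programs and test inputs all constructed here) runs an original sample and an obfuscated variant, a backward slice drops the junk instructions and dead stores an obfuscator inserts, and the semantic signature is the set of (test input, emitted trace) pairs.

```python
"""Added example: a semantic (trace-based) signature that survives obfuscation.

The toy register machine, the programs and the test inputs are constructed for
illustration; they are not the formalism or the detector from the thesis above.
"""
from typing import List, Sequence, Tuple

# ("mov", dst, imm) | ("add", dst, src) | ("xor", dst, src) | ("out", src) | ("nop",)
Instr = Tuple


def run(program: Sequence[Instr], test_input: int) -> List[int]:
    """Execute program with r0 = test_input. The semantic trace is the list of values
    emitted via 'out' (8-bit arithmetic; 'out' stands in for an observable side effect)."""
    regs = {"r0": test_input & 0xFF, "r1": 0, "r2": 0, "r3": 0}
    trace: List[int] = []
    for ins in program:
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = ins[2] & 0xFF
        elif op == "add":
            regs[ins[1]] = (regs[ins[1]] + regs[ins[2]]) & 0xFF
        elif op == "xor":
            regs[ins[1]] = regs[ins[1]] ^ regs[ins[2]]
        elif op == "out":
            trace.append(regs[ins[1]])
        elif op != "nop":
            raise ValueError(f"unknown opcode {op}")
    return trace


def slice_program(program: Sequence[Instr]) -> List[Instr]:
    """Backward slice: keep only instructions whose result can reach an 'out'.
    Junk instructions and dead stores inserted by an obfuscator are dropped."""
    needed: set = set()
    kept: List[Instr] = []
    for ins in reversed(program):
        op = ins[0]
        if op == "out":
            needed.add(ins[1])
            kept.append(ins)
        elif op in ("mov", "add", "xor") and ins[1] in needed:
            kept.append(ins)
            if op == "mov":
                needed.discard(ins[1])   # constant load fully defines dst here
            else:
                needed.add(ins[2])       # dst is read as well as written, so it stays needed
    return list(reversed(kept))


def syntactic_signature(program: Sequence[Instr]) -> Tuple[Instr, ...]:
    """A byte-pattern style signature: the exact instruction sequence."""
    return tuple(program)


def semantic_signature(program, test_inputs):
    """(test input, trace) pairs: the sliced program's observable behaviour on chosen inputs."""
    return tuple((x, tuple(run(slice_program(program), x))) for x in test_inputs)


def matches_semantic(candidate, signature) -> bool:
    sliced = slice_program(candidate)
    return all(tuple(run(sliced, x)) == trace for x, trace in signature)


# Constructed samples: the "malware" emits (r0 XOR 0x5A) + 3.
ORIGINAL: List[Instr] = [
    ("mov", "r1", 0x5A), ("xor", "r0", "r1"),
    ("mov", "r2", 3), ("add", "r0", "r2"),
    ("out", "r0"),
]
# Same semantics after register renaming, constant splitting, junk and dead stores.
VARIANT: List[Instr] = [
    ("nop",),
    ("mov", "r3", 0x5A), ("mov", "r2", 0x11), ("xor", "r0", "r3"),
    ("mov", "r2", 1), ("add", "r0", "r2"),
    ("mov", "r2", 2), ("add", "r0", "r2"),
    ("mov", "r1", 0x99),
    ("out", "r0"),
]
# A benign program that merely adds 3.
BENIGN: List[Instr] = [("mov", "r1", 3), ("add", "r0", "r1"), ("out", "r0")]

TEST_INPUTS = (0x10, 0xFF)


def demo():
    sig = semantic_signature(ORIGINAL, TEST_INPUTS)
    return {
        "syntactic_match": syntactic_signature(VARIANT) == syntactic_signature(ORIGINAL),
        "semantic_match_variant": matches_semantic(VARIANT, sig),
        "semantic_match_benign": matches_semantic(BENIGN, sig),
        "variant_slice_len": len(slice_program(VARIANT)),
    }


if __name__ == "__main__":
    print(demo())
```

The syntactic comparison fails on the variant while the semantic one succeeds and still rejects the benign program; the slice shrinks the ten-instruction variant to the seven instructions that actually feed the output. The trade-off the abstract mentions is visible even here: more test inputs make the signature harder to satisfy by accident, but each one costs an execution.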
2

Král, Benjamin. "Forenzní analýza malware." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2018. http://www.nusl.cz/ntk/nusl-385910.

Abstract:
This master's thesis describes methodologies used in malware forensic analysis, including methods used in static and dynamic analysis. Based on those methods, a tool intended to be used by Computer Security Incident Response Teams (CSIRTs) is designed to allow fast analysis and decisions regarding malware samples in security incident investigations. The design of this tool is thoroughly described in the work, along with the tool's requirements on which the design is based. Based on the design, a ForensIRT tool is implemented and then used to analyze a malware sample, Cridex, to demonstrate its capabilities. Finally, the analysis results are compared to those of other comparable available malware forensics tools.
3

Park, Sean. "Neural malware detection." Thesis, Federation University Australia, 2019. http://researchonline.federation.edu.au/vital/access/HandleResolver/1959.17/173759.

Abstract:
At the heart of today's malware problem lies theoretically infinite diversity created by metamorphism. The majority of conventional machine learning techniques tackle the problem with the assumptions that a sufficiently large number of training samples exist and that the training set is independent and identically distributed. However, the lack of semantic features, combined with models built under these wrong assumptions, results largely in overfitting with many false positives against real-world samples, leaving systems vulnerable to various adversarial attacks. A key observation is that modern malware authors write a script that automatically generates an arbitrarily large number of diverse samples that share similar characteristics in program logic, which is a very cost-effective way to evade detection with minimum effort. Given that many malware campaigns follow this paradigm of an economic malware manufacturing model, the samples within a campaign are likely to share coherent semantic characteristics. This opens up the possibility of one-to-many detection. Therefore, it is crucial to capture this non-linear metamorphic pattern unique to the campaign in order to detect these seemingly diverse but identically rooted variants. To address these issues, this dissertation proposes novel deep learning models, including a generative static malware outbreak detection model, a generative dynamic malware detection model using spatio-temporal isomorphic dynamic features, and instruction-cognitive malware detection. A comparative study on metamorphic threats is also conducted as part of the thesis. A generative adversarial autoencoder (AAE) over a convolutional network with global average pooling is introduced as a fundamental deep learning framework for malware detection, which captures highly complex non-linear metamorphism through translation invariance and local variation insensitivity. A Generative Adversarial Network (GAN) used as a part of the framework enables one-shot training, where semantically isomorphic malware campaigns are identified by a single malware instance sampled from the very initial outbreak. This is a major innovation because, to the best of our knowledge, no approach has been found to this challenging training objective against the malware distribution, which consists of a large number of very sparse groups artificially driven by the arms race between attackers and defenders. In addition, we propose a novel method that extracts an instruction-cognitive representation from uninterpreted raw binary executables, which can be used for one-to-many malware detection via one-shot training against the frequency spectrum of the Transformer's encoded latent representation. The method works regardless of the presence of diverse malware variations while remaining resilient to adversarial attacks that mostly use random perturbation against raw binaries. Comprehensive performance analyses, including mathematical formulations and experimental evaluations, are provided, with the proposed deep learning framework for malware detection exhibiting superior performance over conventional machine learning methods. The methods proposed in this thesis are applicable to a variety of threat environments where artificially formed sparse distributions arise at the cyber battle fronts.
Doctor of Philosophy
4

Iqbal, Muhammad Shahid, and Muhammad Sohail. "Runtime Analysis of Malware." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-2930.

Abstract:
Context: Every day an increasing number of malware programs spread around the world, infecting not only end users but also large organizations. This results in a massive security threat to private data and expensive computer resources. A lot of research is going on to cope with this large amount of malicious software. Researchers and practitioners have developed many new methods to deal with it. One of the most effective methods used to capture malicious software is dynamic malware analysis. Dynamic analysis methods used today are very time-consuming and resource-hungry. Normally it could take days, or at least some hours, to analyze a single instance of suspected software. This is not good enough, especially if we look at the number of attacks occurring every day. Objective: To save the time and expensive resources used to perform these analyses, AMA, an automated malware analysis system, is developed to analyze a large number of suspected programs. Analysis of any software inside AMA results in a detailed report of its behavior, which includes changes made to the file system, registry and processes, and the network traffic consumed. The main focus of this study is to develop a model to automate the runtime analysis of software, which provides a detailed analysis report, and to evaluate its effectiveness. Methods: A thorough background study is conducted to gain knowledge about malicious software and its behavior. Further, software analysis techniques are studied to come up with a model that will automate the runtime analysis of software. A prototype system is developed and a quasi-experiment performed on malicious and benign software to evaluate the accuracy of the newly developed system, and the generated reports are compared with Norman and Anubis. Results: Based on the thorough background study, an automated runtime analysis model is developed and a quasi-experiment performed using the implemented prototype system on selected legitimate and benign software. The experiment results show that AMA has captured more detailed software behavior than Norman and Anubis and it could be used to better classify software. Conclusions: We concluded that AMA could capture more detailed behavior of the software analyzed and it will give a more accurate classification of the software. We can also see from the experiment results that there are no concrete distinguishing factors between the general behaviors of both types of software. However, by digging a bit deeper into the analysis report one could understand the intentions of the software. That means reports generated by AMA provide enough information about software behavior and can be used to draw correct conclusions.
5

Carlin, Domhnall. "Dynamic analyses of malware." Thesis, Queen's University Belfast, 2018. https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.766287.

Abstract:
This thesis examines machine learning techniques for detecting malware using dynamic runtime opcodes. Previous work in the field has faltered on inadequately sized and poorly sampled datasets. A novel run-trace dataset is presented, the largest in the literature to date. Using this dataset, malware detection using opcode analysis is shown to be not only feasible, but highly accurate at short run-lengths and without computationally-expensive sequencing analysis. Second, unsupervised learning is used to investigate the effects of anti-virus (AV) labels on detection rates. AV labels offer an English-language description of the malware type, whereas it is found that using an assembly language description is more beneficial in malware triaging. Third, the machine learning techniques are applied to ransomware run-traces, which has not been explored in the literature to date. This offers four further novel contributions: examination of dynamic API calls vs opcode traces in ransomware; run-lengths necessary to detect ransomware accurately; creation of a logical feature reduction algorithm to minimise computational expense in machine learning; the first model in the literature which can differentiate between benign encryption (zipping) and malicious encryption. Lastly, the computational costs of 23 machine learning algorithms are investigated with respect to the run trace dataset. In the literature, researchers discuss the explosion of malware, yet opcode analyses have used fixed-size datasets, with no deference to how this model will cope with retraining on escalating datasets. The cost of retraining and testing updatable and non-updatable classifiers, both parallelised and non-parallelised, is examined with simulated escalating datasets. Finally, a model is proposed and examined to mitigate the disadvantages of the most successful classifiers for future work.
6

Huang, Alex Yangyang. "Towards robust malware detection." Thesis, Massachusetts Institute of Technology, 2018. http://hdl.handle.net/1721.1/119758.

Abstract:
Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2018.
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.
Cataloged from student-submitted PDF version of thesis.
Includes bibliographical references (pages 45-48).
A central challenge of malware detection using machine learning methods is the presence of adversarial variants, small changes to detectable malware that allow it to evade a model (i.e. be classified as benign). We take inspiration from adversarial variant generation methods in the continuous-valued image domain to introduce methods for malware in the binary domain. We incorporate these methods in the training of hardened models towards the goal of robustness against adversarial variants. Additionally, we provide visualization tools for analysis of hardened models. Our tools illustrate the difference in loss behavior between models trained with different methods, the effect of adversarial learning on the loss landscape of a model, and the effect of adversarial learning on the decision map of a model. The adversarial learning framework and the visualization tools in combination allow for the creation and understanding of robust models.
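What "adversarial variants in the binary domain" means in practice, as an added example that is not the thesis's models or hardening procedure: the feature vector records which imported API names are present, and the only perturbation allowed is turning a feature on (adding an import keeps the program working, removing one may not), so the image-domain trick of nudging every pixel does not transfer. The scorer is a Laplace-smoothed log-likelihood ratio per import (an assumption chosen so every number below can be checked by hand, in place of a neural model), and the feature names and training samples are constructed. Hardening follows the recipe in the abstract: attack the malware in the training set, add the evading variants back labelled as malware, retrain.

```python
"""Added example: binary-domain adversarial variants and adversarial retraining.

Feature names, samples and the scoring rule are constructed for illustration; the
model is a Laplace-smoothed log-likelihood-ratio scorer over imported API names,
not the neural models or the hardening procedure of the thesis above.
"""
import math
from typing import Dict, FrozenSet, List, Tuple

FEATURES = [
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",            # typical of injectors
    "GetOpenFileNameW", "CreateWindowExW", "RegisterClassW", "MessageBoxW",  # typical of GUI apps
    "GetTickCount",                                                          # seen on both sides
]
Sample = Tuple[FrozenSet[str], int]   # (imports present, label: 1 = malware, 0 = benign)

# Constructed training set.
TRAIN: List[Sample] = [
    (frozenset({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}), 1),
    (frozenset({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "GetTickCount"}), 1),
    (frozenset({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "GetTickCount"}), 1),
    (frozenset({"GetOpenFileNameW", "CreateWindowExW", "RegisterClassW"}), 0),
    (frozenset({"CreateWindowExW", "RegisterClassW", "MessageBoxW"}), 0),
    (frozenset({"GetOpenFileNameW", "CreateWindowExW", "RegisterClassW", "MessageBoxW", "GetTickCount"}), 0),
]
MAL1 = TRAIN[0][0]


def train(samples: List[Sample]) -> Dict[str, float]:
    """Weight per feature = log P(present | malware) - log P(present | benign), Laplace smoothed."""
    n_mal = sum(y for _, y in samples)
    n_ben = len(samples) - n_mal
    weights: Dict[str, float] = {}
    for f in FEATURES:
        mal = sum(1 for x, y in samples if y == 1 and f in x)
        ben = sum(1 for x, y in samples if y == 0 and f in x)
        weights[f] = math.log((mal + 1) / (n_mal + 2)) - math.log((ben + 1) / (n_ben + 2))
    return weights


def score(weights: Dict[str, float], x: FrozenSet[str]) -> float:
    return sum(weights[f] for f in x)


def predict(weights: Dict[str, float], x: FrozenSet[str]) -> int:
    return 1 if score(weights, x) > 0 else 0


def attack(weights: Dict[str, float], x: FrozenSet[str], budget: int) -> Tuple[FrozenSet[str], bool]:
    """Binary-domain variant generation: features may only be switched on. Add the
    most benign-looking absent imports first, at most `budget` of them, and stop as
    soon as the model says benign. Returns (variant, evaded?)."""
    variant = set(x)
    candidates = sorted((f for f in FEATURES if f not in x and weights[f] < 0),
                        key=lambda f: (weights[f], f))
    for f in candidates[:budget]:
        variant.add(f)
        if predict(weights, frozenset(variant)) == 0:
            return frozenset(variant), True
    return frozenset(variant), False


def harden(samples: List[Sample], budget: int) -> Dict[str, float]:
    """Adversarial training: attack every malware sample against the current model and
    retrain with the successful variants added back as malware."""
    weights = train(samples)
    augmented = list(samples)
    for x, y in samples:
        if y == 1:
            variant, evaded = attack(weights, x, budget)
            if evaded:
                augmented.append((variant, 1))
    return train(augmented)


def demo(budget: int = 5) -> dict:
    baseline = train(TRAIN)
    variant, evaded = attack(baseline, MAL1, budget)
    hardened = harden(TRAIN, budget)
    _, evaded_hardened = attack(hardened, MAL1, budget)
    return {
        "baseline_evaded": evaded,
        "added_imports": sorted(variant - MAL1),
        "hardened_label_for_variant": predict(hardened, variant),
        "hardened_evaded": evaded_hardened,
    }


if __name__ == "__main__":
    print(demo())
```

Against the baseline the injector evades after four added GUI imports; after hardening, the same budget no longer gets the score below zero because the GUI imports now also appear in malware and have lost most of their benign weight. The caveat the abstract's visualisation work addresses is visible here too: hardening shifts the decision boundary, and a practitioner should check what it does to the benign side rather than only re-running the attack.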
by Alex Yangyang Huang.
M. Eng.
7

O'Kane, P. C. "Detection of obfuscated malware." Thesis, Queen's University Belfast, 2014. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.680235.

Abstract:
A cyber war exists between anti-malware researchers and malware writers. At the heart of this war rages a weapons race that has existed for decades, originating in the 1980s with the arrival of the first computer virus. Obfuscation is one of the latest strategies employed by malware writers to camouflage the tell-tale signs of malware and thereby undermine anti-malware software, making malware analysis difficult for anti-malware researchers. The motivation for this research is, therefore, to find a malware detection strategy that is immune to the obfuscation methods used by the malware writers. One approach is to use program run-time traces (dynamic analysis) to perform N-gram analysis. N-gram analysis is the investigation of a program structure using bytes, characters or text strings. The research presented in this thesis uses dynamic analysis to investigate malware detection using a Support Vector Machine (SVM) approach based on N-gram analysis. The key challenges addressed in this research are: configuration of a host environment that can trace both benign and malicious software programs; SVM configuration using cross-validation to provide a robust classifier; and feature selection and feature reduction, which are addressed by first applying a feature filter and then presenting the reduced feature set to the SVM for feature selection. Several filtering methods are investigated and the findings have identified a suitable filter based on eigenvectors. The final challenge associated with dynamic analysis is the length of time a program has to be run to ensure a correct classification. This is addressed in this research by investigating 14 different program run-lengths. The findings show that obfuscated (packed and polymorphic) malware can be detected using a Support Vector Machine classifier with features extracted from program run-length traces.
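The pipeline that both this abstract and Carlin's (entry 5) rely on, as an added example that is not code from either thesis: opcode run-traces are cut at a run-length, turned into n-gram count vectors, thinned by a feature filter, and handed to a classifier. The traces are constructed, not real run-traces; a variance-based filter and a nearest-centroid classifier stand in for the eigenvector filter and the SVM, because the point worth seeing is the feature handling and the effect of the run-length, not the learner.

```python
"""Added example: opcode n-gram features from dynamic run-traces, a feature filter,
run-length truncation and a simple classifier.

The traces are constructed, not real run-traces, and a nearest-centroid classifier
with a variance-based filter stands in for the SVM and eigenvector filter used in
the theses above; the point is the feature pipeline, not the learner.
"""
from collections import Counter
from math import sqrt
from typing import Dict, List, Optional, Sequence, Tuple

NGram = Tuple[str, ...]

# Constructed run-traces (mnemonics only). The "malware" traces sit in an xor/rol
# loop; the benign ones are dominated by call/return housekeeping.
TRAIN_TRACES: List[Tuple[List[str], int]] = [
    ("mov xor rol mov xor rol mov xor rol jne push call".split(), 1),
    ("xor rol xor rol mov xor rol xor rol jne ret".split(), 1),
    ("push call pop push call pop mov push call pop ret".split(), 0),
    ("push mov call pop push call pop push call jne ret".split(), 0),
]
HELDOUT_MAL = "mov xor rol xor rol mov xor rol jne ret".split()
HELDOUT_BEN = "push call pop push call pop push call ret".split()


def ngram_counts(trace: Sequence[str], n: int = 2, run_length: Optional[int] = None) -> Counter:
    """Count opcode n-grams over the first `run_length` instructions (None = whole trace)."""
    ops = list(trace[:run_length])
    return Counter(tuple(ops[i:i + n]) for i in range(len(ops) - n + 1))


def select_features(vectors: Sequence[Counter], k: int) -> List[NGram]:
    """Keep the k n-grams whose counts vary most across the training set (ties broken by name)."""
    keys = set().union(*vectors)

    def variance(key: NGram) -> float:
        vals = [v.get(key, 0) for v in vectors]
        mean = sum(vals) / len(vals)
        return sum((x - mean) ** 2 for x in vals) / len(vals)

    return sorted(keys, key=lambda key: (-variance(key), key))[:k]


def project(vec: Counter, features: Sequence[NGram]) -> List[float]:
    return [float(vec.get(f, 0)) for f in features]


class NearestCentroid:
    """Assign the label whose mean training vector is closest (Euclidean)."""

    def __init__(self) -> None:
        self.centroids: Dict[int, List[float]] = {}

    def fit(self, rows: Sequence[List[float]], labels: Sequence[int]) -> "NearestCentroid":
        for label in set(labels):
            members = [r for r, y in zip(rows, labels) if y == label]
            self.centroids[label] = [sum(col) / len(members) for col in zip(*members)]
        return self

    def predict(self, row: List[float]) -> int:
        return min(self.centroids,
                   key=lambda lab: sqrt(sum((a - b) ** 2 for a, b in zip(row, self.centroids[lab]))))


def build(run_length: Optional[int], n: int = 2, k: int = 6) -> Tuple[NearestCentroid, List[NGram]]:
    """Extract, filter and fit on the training traces cut at `run_length`."""
    vectors = [ngram_counts(t, n, run_length) for t, _ in TRAIN_TRACES]
    labels = [y for _, y in TRAIN_TRACES]
    features = select_features(vectors, k)
    model = NearestCentroid().fit([project(v, features) for v in vectors], labels)
    return model, features


def classify(trace: Sequence[str], run_length: Optional[int]) -> int:
    model, features = build(run_length)
    return model.predict(project(ngram_counts(trace, 2, run_length), features))


if __name__ == "__main__":
    for rl in (4, 8, None):
        print(rl, classify(HELDOUT_MAL, rl), classify(HELDOUT_BEN, rl))
```

Running the held-out traces at run-lengths 4, 8 and the full trace gives the same labels, which is the "short run-lengths suffice" observation in miniature. On real traces the interesting question is where that stops being true, and the filter's choice of k decides how much of the vocabulary a packer's unpacking stub can drown out.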
8

Калайчев, Г. В. "Microsoft malware prediction competition." Thesis, ХНУРЕ, 2020. http://openarchive.nure.ua/handle/document/12127.

Abstract:
The main goal of this work is to show ways of preparing a large volume of data, building a classification model on a huge dataset, and evaluating the resulting model on test data. The initial problem solved in this work was taken from the Microsoft Malware Prediction Competition on the Kaggle site. This problem fits the goal, since the training dataset contains different types of features for preprocessing and 9 million rows.
9

Khoda, Mahbub. "Robust Mobile Malware Detection." Thesis, Federation University Australia, 2020. http://researchonline.federation.edu.au/vital/access/HandleResolver/1959.17/176412.

Abstract:
The increasing popularity and use of smartphones and hand-held devices have made them the most popular target for malware attackers. Researchers have proposed machine learning-based models to automatically detect malware attacks on these devices. Since these models learn application behaviors solely from the extracted features, choosing an appropriate and meaningful feature set is one of the most crucial steps for designing an effective mobile malware detection system. There are four categories of features for mobile applications. Previous works have taken arbitrary combinations of these categories to design models, resulting in sub-optimal performance. This thesis systematically investigates the individual impact of these feature categories on mobile malware detection systems. Feature categories that complement each other are investigated and categories that add redundancy to the feature space (thereby degrading the performance) are analyzed. In the process, the combination of feature categories that provides the best detection results is identified. Ensuring reliability and robustness of the above-mentioned malware detection systems is of utmost importance as newer techniques to break down such systems continue to surface. Adversarial attack is one such evasive attack that can bypass a detection system by carefully morphing a malicious sample even though the sample was originally correctly identified by the same system. Self-crafted adversarial samples can be used to retrain a model to defend against such attacks. However, randomly using too many such samples, as is currently done in the literature, can further degrade detection performance. This work proposes two intelligent approaches to retrain a classifier through the intelligent selection of adversarial samples. The first approach adopts a distance-based scheme where the samples are chosen based on their distance from malware and benign cluster centers, while the second selects the samples based on a probability measure derived from a kernel-based learning method. The second method achieved a 6% improvement in terms of accuracy. To ensure practical deployment of malware detection systems, it is necessary to keep the real-world data characteristics in mind. For example, the benign applications deployed in the market greatly outnumber malware applications. However, most studies have assumed a balanced data distribution. Also, techniques to handle imbalanced data in other domains cannot be applied directly to mobile malware detection since they generate synthetic samples with broken functionality, making them invalid. In this regard, this thesis introduces a novel synthetic over-sampling technique that ensures valid sample generation. This technique is subsequently combined with a dynamic cost function in the learning scheme that automatically adjusts the minority class weight during model training, which counters the bias towards the majority class and stabilizes the model. This hybrid method provided a 9% improvement in terms of F1-score. Aiming to design a robust malware detection system, this thesis extensively studies machine learning-based mobile malware detection in terms of best feature category combination, resilience against evasive attacks, and practical deployment of detection models. Given the increasing technological advancements in mobile and hand-held devices, this study will be very useful for designing robust cybersecurity systems to ensure safe usage of these devices.
Doctor of Philosophy
10

Cortellazzi, Jacopo. "Code transplantation for adversarial malware." Master's thesis, Alma Mater Studiorum - Università di Bologna, 2018. http://amslaurea.unibo.it/17288/.

Abstract:
In the nefarious fight against attackers, a wide range of smart algorithms have been introduced in order to block and even prevent new families of malware before their appearance. Machine learning, for instance, recently gained a lot of attention thanks to its ability to use generalization to possibly detect never-before-seen attacks or variants of a known one. During the past years, a lot of works have tested the strength of machine learning in the cybersecurity field, exploring its potentialities and weaknesses. In particular, various studies highlighted its robustness against adversarial attacks, proposing strategies to mitigate them. Unfortunately, all these findings have focused on testing their own discoveries just by operating on the dataset at the feature-space level, which is the virtual data representation space, without testing the actual feasibility of the attack at the problem-space level by modifying the actual adversarial sample. For this reason, in this dissertation we introduce PRISM, a framework for executing an adversarial attack operating at the problem-space level. Even if this framework focuses only on Android applications, the whole methodology can be generalized to other platforms, like Windows, Mac or Linux executable files. The main idea is to successfully evade a classifier by transplanting chunks of code, taken from a set of goodware, into a given malware. Exactly as in medicine, we have a donor who donates organs and receivers who receive them; in this case, goodware applications are our donors, the organs are the needed code and the receiver is the targeted malware. In the following work we will discuss concepts related to a wide variety of topics, ranging from machine learning, due to the target classifier, to static analysis, due to the possible countermeasures considered, to program analysis, due to the extraction techniques adopted, ending in mobile applications, because the target operating system is Android.
11

Kinable, Joris. "Malware Detection Through Call Graphs." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2010. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-10908.

Abstract:
Each day, anti-virus companies receive large quantities of potentially harmful executables. Many of the malicious samples among these executables are variations of earlier encountered malware, created by their authors to evade pattern-based detection. Consequently, robust detection approaches are required, capable of recognizing similar samples automatically. In this thesis, malware detection through call graphs is studied. In a call graph, the functions of a binary executable are represented as vertices, and the calls between those functions as edges. By representing malware samples as call graphs, it is possible to derive and detect structural similarities between multiple samples. The latter can be used to implement generic malware detection schemes, which can proactively detect existing versions of the malware, as well as future releases with similar characteristics. To compare call graphs mutually, we compute pairwise graph similarity scores via graph matchings which minimize an objective function known as the Graph Edit Distance. Finding exact graph matchings is intractable for large call graph instances. Hence we investigate several efficient approximation algorithms. Next, to facilitate the discovery of similar malware samples, we employ several clustering algorithms, including variations on k-medoids clustering and DBSCAN clustering algorithms. Clustering experiments are conducted on a collection of real malware samples, and the results are evaluated against manual classifications provided by virus analysts from F-Secure Corporation. Experiments show that it is indeed possible to accurately detect malware families using the DBSCAN clustering algorithm. Based on our results, we anticipate that in the future it is possible to use call graphs to analyse the emergence of new malware families, and ultimately to automate implementing generic protection schemes for malware families.
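The two halves of the approach above, a graph edit distance between call graphs and DBSCAN over the resulting distance matrix, in a small added example (not the thesis's code). The call graphs are constructed, and function names are assumed to be recoverable (imports and symbols), which real stripped binaries do not guarantee; matching vertices one-to-one by name gives an upper bound on the true unit-cost edit distance, standing in for the approximation algorithms the thesis evaluates. The renamed function in the third sample shows why that bound is loose.

```python
"""Added example: call-graph similarity via an approximate graph edit distance,
then DBSCAN over the pairwise distances to recover families.

Graphs are constructed and tiny. Function names are assumed recoverable (imports
or symbols), which stripped binaries do not guarantee. Matching vertices by name
gives an upper bound on the true edit distance, in place of the approximation
algorithms evaluated in the thesis above.
"""
from typing import Callable, Dict, List, Set, Tuple

CallGraph = Dict[str, Set[str]]   # caller -> set of callees


def vertices(g: CallGraph) -> Set[str]:
    return set(g) | {callee for callees in g.values() for callee in callees}


def edges(g: CallGraph) -> Set[Tuple[str, str]]:
    return {(caller, callee) for caller, callees in g.items() for callee in callees}


def approx_edit_distance(g1: CallGraph, g2: CallGraph) -> int:
    """Unit-cost edit distance under the identity matching on names: every vertex or
    edge present in exactly one graph costs one insertion or deletion."""
    return len(vertices(g1) ^ vertices(g2)) + len(edges(g1) ^ edges(g2))


def graph_distance(g1: CallGraph, g2: CallGraph) -> float:
    """Edit distance normalised by total size: 0 = identical, close to 1 = nothing shared."""
    size = len(vertices(g1)) + len(vertices(g2)) + len(edges(g1)) + len(edges(g2))
    return approx_edit_distance(g1, g2) / size


def dbscan(names: List[str], dist: Callable[[str, str], float], eps: float, min_pts: int) -> Dict[str, int]:
    """Classic DBSCAN on a distance function. Label -1 marks noise (no family)."""
    labels: Dict[str, int] = {}
    next_cluster = 0
    for p in names:
        if p in labels:
            continue
        neighbours = [q for q in names if dist(p, q) <= eps]
        if len(neighbours) < min_pts:
            labels[p] = -1                       # may be promoted to a border point later
            continue
        labels[p] = next_cluster
        queue = [q for q in neighbours if q != p]
        while queue:
            q = queue.pop()
            if labels.get(q) == -1:
                labels[q] = next_cluster         # noise next to a core point becomes a border point
            if q in labels:
                continue
            labels[q] = next_cluster
            q_neighbours = [r for r in names if dist(q, r) <= eps]
            if len(q_neighbours) >= min_pts:     # q is itself a core point: keep expanding
                queue.extend(r for r in q_neighbours if labels.get(r, -1) == -1)
        next_cluster += 1
    return labels


INJECT = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
DOWNLOAD = {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile", "CreateFileA", "WriteFile"}

# Constructed call graphs: two families with small variations, plus an unrelated tool.
SAMPLES: Dict[str, CallGraph] = {
    "fam_a_1": {"main": {"init", "inject"}, "init": {"GetProcAddress"}, "inject": set(INJECT)},
    "fam_a_2": {"main": {"init", "inject"}, "init": {"GetProcAddress"}, "inject": INJECT | {"CloseHandle"}},
    "fam_a_3": {"main": {"setup", "inject"}, "setup": {"GetProcAddress"}, "inject": set(INJECT)},  # 'init' renamed
    "fam_b_1": {"main": {"run"}, "run": set(DOWNLOAD)},
    "fam_b_2": {"main": {"run"}, "run": DOWNLOAD | {"DeleteFileA"}},
    "benign_tool": {"main": {"parse", "render"}, "parse": {"strtol"}, "render": {"printf"}},
}


def cluster_samples(eps: float = 0.3, min_pts: int = 2) -> Dict[str, int]:
    names = sorted(SAMPLES)
    matrix = {a: {b: graph_distance(SAMPLES[a], SAMPLES[b]) for b in names} for a in names}
    return dbscan(names, lambda a, b: matrix[a][b], eps, min_pts)


if __name__ == "__main__":
    for name, label in cluster_samples().items():
        print(f"{name:12s} cluster {label}")
```

With eps 0.3 the three injector graphs land in one cluster, the two downloaders in another, and the unrelated tool is noise. The renamed `init` costs four edits under name matching even though a real matching algorithm would pair `init` with `setup` for a cost of one; on larger graphs that gap is what the approximation algorithms in the thesis are for, and eps has to be tuned against it.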
12

Wedum, Petter Langeland. "Malware Analysis: A Systematic Approach." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2008. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-8948.

Abstract:

An almost incomprehensible amount of data and information is stored on millions and millions of computers worldwide. The computers, interconnected in local, national and international networks, use and share a high number of various software programs. Individuals, corporations, hospitals, communication networks and authorities, among others, are totally dependent on the reliability and accessibility of the data and information stored, and on the correct and predictable operation of the software programs, the computers and the networks connecting them. Malware types have different objectives and apply different techniques, but they all compromise security in one way or another. To be able to defend against the threat posed by malware we need to understand both how and why the malware exists. Malware is under constant development, exploiting new vulnerabilities, employing more advanced techniques, and finding new ways to compromise computer security. This document presents the nature of malware today and outlines some analytical techniques used by security experts. Furthermore, a process for analyzing malware samples with the goal of discovering the behaviour of the samples and the techniques used by the samples is presented. A flowchart of malware analysis, with tools and procedures, is suggested. The analysis process is shown to be effective and to minimize the time consumption of manual malware analysis. An analysis is performed on two distinct malware samples, disclosing behaviour, location, encryption techniques, and other techniques employed by the samples. It is demonstrated that the two malware samples, both using advanced techniques, have different objectives and varying functionality. Although complex in behaviour, the malware samples show evidence of a lack of programming skill on the part of the malware designers, rendering the malware less effective than intended. Both samples are distributed in a packed form. The process of unpacking each of the samples is described together with an outline of the unpacking process.
13

Santoro, Tiziano. "Automatic behavioural analysis of malware." Thesis, Linköpings universitet, Institutionen för datavetenskap, 2010. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-64103.

Abstract:
With malware becoming more and more diffused and at the same time more sophisticated in its attack techniques, countermeasures need to be set up so that new kinds of threats can be identified and dismantled in the shortest possible time, before they cause harm to the system under attack. With new behaviour patterns like the one shown by polymorphic and metamorphic viruses, static analysis is not any more a reliable way to detect those threats, and behaviour analysis seems a good candidate to fight against the next-generation families of viruses. In this project, we describe a methodology to analyze and categorize binaries solely on the basis of their behaviour, in terms of their interaction with the Operating System, other processes and the network. The approach can strengthen host-based intrusion detection systems by a timely classification of unknown but similar malware code. It has been evaluated on a dataset from the research community and tried on a smaller data set from local companies collected at University of Mondragone.
14

Zhu, Feng. "Integrity-Based Kernel Malware Detection." FIU Digital Commons, 2014. http://digitalcommons.fiu.edu/etd/1572.

Abstract:
Kernel-level malware is one of the most dangerous threats to the security of users on the Internet, so there is an urgent need for its detection. The most popular detection approach is misuse-based detection. However, it cannot keep up with today's advanced malware, which increasingly applies polymorphism and obfuscation. In this thesis, we present our integrity-based detection for kernel-level malware, which does not rely on the specific features of malware. We have developed an integrity analysis system that can derive and monitor integrity properties for commodity operating system kernels. In our system, we focus on two classes of integrity properties: data invariants and integrity of Kernel Queue (KQ) requests. We adopt static analysis for data invariant detection and overcome several technical challenges: field-sensitivity, array-sensitivity, and pointer analysis. We identify data invariants that are critical to system runtime integrity from Linux kernel 2.4.32 and the Windows Research Kernel (WRK) with a very low false positive rate and a very low false negative rate. We then develop an Invariant Monitor to guard these data invariants against real-world malware. In our experiment, we are able to use Invariant Monitor to detect ten real-world Linux rootkits, nine real-world Windows malware samples and one synthetic Windows malware sample. We leverage static and dynamic analysis of the kernel and device drivers to learn the legitimate KQ requests. Based on the learned KQ requests, we build KQguard to protect KQs. At runtime, KQguard rejects all unknown KQ requests that cannot be validated. We apply KQguard on WRK and the Linux kernel, and extensive experimental evaluation shows that KQguard is efficient (up to 5.6% overhead) and effective (capable of achieving zero false positives against representative benign workloads after appropriate training and very low false negatives against 125 real-world malware samples and nine synthetic attacks). In our system, Invariant Monitor and KQguard cooperate to protect data invariants and KQs in the target kernel. By monitoring these integrity properties, we can detect malware by its violation of these integrity properties during execution.
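What "detecting malware by its violation of integrity properties" looks like over a memory snapshot, as an added example rather than the thesis's Invariant Monitor or KQguard: two invariants are checked without any signature of the rootkit itself. The snapshot layout, the address ranges and the two rootkit modifications (a hooked system-call entry and a task unlinked from the process list but still present in the PID table) are all constructed, and the invariants are simplified stand-ins for the data invariants the thesis derives by static analysis.

```python
"""Added example: integrity checks over a kernel memory snapshot instead of malware signatures.

The snapshot layout, address ranges and rootkit modifications are constructed for
illustration. The two invariants (system-call handlers live in kernel text; the
task list agrees with the PID table) are simplified stand-ins for the data
invariants and Kernel Queue checks described in the thesis above.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed address range (assumption, loosely modelled on an x86-64 Linux layout).
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)


@dataclass
class Task:
    pid: int
    comm: str
    next: int   # pid of the next task in the circular task list
    prev: int   # pid of the previous task


@dataclass
class Snapshot:
    syscall_table: Dict[str, int]   # handler name -> handler address
    pid_table: Dict[int, Task]      # the PID hash table's view of all tasks
    init_pid: int = 1


def check_syscall_table(snap: Snapshot) -> List[str]:
    """Invariant 1: every system-call handler points into kernel text."""
    lo, hi = KERNEL_TEXT
    return [f"syscall {name} handler at {addr:#x} lies outside kernel text"
            for name, addr in snap.syscall_table.items() if not lo <= addr < hi]


def walk_task_list(snap: Snapshot) -> Tuple[List[int], List[str]]:
    """Follow next pointers from init around the ring; report broken back-links and loops."""
    seen: List[int] = []
    problems: List[str] = []
    pid = snap.init_pid
    while True:
        seen.append(pid)
        task = snap.pid_table.get(pid)
        if task is None:
            problems.append(f"task list points at pid {pid} unknown to the PID table")
            break
        nxt = snap.pid_table.get(task.next)
        if nxt is None or nxt.prev != pid:
            problems.append(f"task pid {pid}: next.prev != self (list corrupted)")
            break
        pid = task.next
        if pid == snap.init_pid:
            break                                   # ring closed cleanly
        if pid in seen:
            problems.append(f"task list loops at pid {pid} without returning to init")
            break
    return seen, problems


def check_invariants(snap: Snapshot) -> List[str]:
    """Invariant 2 (cross-view): every task the PID table knows is reachable on the task list."""
    problems = check_syscall_table(snap)
    seen, walk_problems = walk_task_list(snap)
    problems += walk_problems
    for pid in sorted(set(snap.pid_table) - set(seen)):
        problems.append(f"pid {pid} ({snap.pid_table[pid].comm}) is in the PID table "
                        f"but unlinked from the task list")
    return problems


def clean_snapshot() -> Snapshot:
    tasks = {
        1: Task(1, "init", next=2, prev=1337),
        2: Task(2, "kthreadd", next=700, prev=1),
        700: Task(700, "sshd", next=1337, prev=2),
        1337: Task(1337, "bash", next=1, prev=700),
    }
    syscalls = {"sys_read": 0xFFFFFFFF81203A10, "sys_write": 0xFFFFFFFF81203C40,
                "sys_getdents64": 0xFFFFFFFF8128E1B0}     # constructed addresses
    return Snapshot(syscalls, tasks)


def rootkit_snapshot() -> Snapshot:
    """The clean snapshot after two constructed rootkit edits."""
    snap = clean_snapshot()
    snap.syscall_table["sys_getdents64"] = 0xFFFFFFFFC0A01000   # hook into module memory
    snap.pid_table[700].next = 1                               # DKOM: unlink pid 1337...
    snap.pid_table[1].prev = 700                               # ...consistently, so the
    snap.pid_table[1337].comm = "miner"                        # ring walk alone looks fine
    return snap


if __name__ == "__main__":
    print("clean:", check_invariants(clean_snapshot()))
    print("rootkit:", check_invariants(rootkit_snapshot()))
```

The unlinking is done carefully, so the ring walk alone reports nothing; it is the cross-view comparison against the PID table that exposes the hidden task, which is the general lesson of invariant-based detection: check a property that the attacker would have to preserve in two places at once. A real monitor runs these checks from a vantage point the rootkit cannot reach (a hypervisor or a separate core), since a kernel-resident checker can be patched just like the syscall table.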
15

Klemperer, Peter Friedrich. "Efficient Hypervisor Based Malware Detection." Research Showcase @ CMU, 2014. http://repository.cmu.edu/dissertations/466.

Abstract:
Recent years have seen an uptick in master boot record (MBR) based rootkits that load before the Windows operating system and subvert the operating system's own procedures. As such, MBR rootkits are difficult to counter with operating system-based antivirus software that runs at the same privilege level as the rootkits. Hypervisors operate at a higher privilege level than the guests they manage, creating a high-ground position in the host. This high-ground position can be exploited to perform security checks on the virtual machine guests where the checking software is isolated from guest-based viruses. The efficient introspection system described in this thesis targets existing virtualized systems to improve security with real-time, concurrent memory introspection capabilities. Efficient introspection decouples memory introspection from virtual machine guest execution and establishes coherent and consistent memory views between the host and the running guest, while maintaining normal guest operation. Existing introspection systems have provided one or two of these properties but not all three at once. This thesis presents a new concurrent-computing approach, high-performance memory snapshotting, to accelerating hypervisor-based introspection of virtual machine guest memory that combines all three elements to improve performance and security. Memory snapshots create a coherent and consistent memory view of the guest that can be shared with the independently running introspection application. Three memory snapshotting mechanisms are presented and evaluated for their impact on normal guest operation. Existing introspection systems and security protection techniques that were previously dismissed as too slow are now enabled by efficient introspection. This thesis explains why existing introspection systems are inadequate, describes how existing system performance can be improved, evaluates an efficient introspection prototype on both applications and microbenchmarks, and discusses two potential security applications that are enabled by efficient introspection. These applications point to effic0ient introspection's utility for supporting useful security applications.
16

Paleari, R. "DEALING WITH NEXT-GENERATION MALWARE." Doctoral thesis, Università degli Studi di Milano, 2011. http://hdl.handle.net/2434/155496.

Abstract:
Malicious programs are a serious problem that threatens the security of billions of Internet users. Today's malware authors are motivated by the easy financial gain they can obtain by selling on the underground market the information stolen from the infected hosts. To maximize their profit, miscreants continuously improve their creations to make them more and more resilient against anti-malware solutions. This increasing sophistication in malicious code led to next-generation malware, a new class of threats that exploit the limitations of state-of-the-art anti-malware products to bypass security protections and eventually evade detection. Unfortunately, current anti-malware technologies are inadequate to face next-generation malware. For this reason, in this dissertation we propose novel techniques to address the shortcomings of defensive technologies and to enhance current state-of-the-art security solutions. Dynamic behavior-based analysis is a very promising approach to automatically understand the behaviors a malicious program may exhibit at run-time. However, behavior-based solutions still present several limitations. First of all, these techniques may give incomplete results because the execution environments in which they are applied are synthetic and do not faithfully resemble the environments of end-users, the intended targets of the malicious activities. To overcome this problem, we present a new framework for improving behavior-based analysis of suspicious programs, that allows an end-user to delegate to security labs the execution and the analysis of a program and to force the program to behave as if it were executed directly in the environment of the former.
Our evaluation demonstrated that the proposed framework allows security labs to improve the completeness of the analysis, by analyzing a piece of malware on behalf of multiple end-users simultaneously, while performing a fine-grained analysis of the behavior of the program with no computational cost for the end-users. Another drawback of state-of-the-art defensive solutions is non-transparency: malicious programs are often able to determine that their execution is being monitored, and thus they can tamper with the analysis to avoid detection, or simply behave innocuously to mislead the anti-malware tool. To this aim, we propose a generic framework to perform complex dynamic system-level analyses of deployed production systems. By leveraging hardware support for virtualization available nowadays on all commodity machines, our framework is completely transparent to the system under analysis and it guarantees isolation of the analysis tools running on top of it. The internals of the kernel of the running system need not be modified and the whole platform runs unaware of the framework. Once the framework has been installed, even kernel-level malware cannot detect it or affect its execution. This is accomplished by installing a minimalistic virtual machine monitor and migrating the system, as it runs, into a virtual machine. To demonstrate the potential of our framework we developed an interactive kernel debugger, named HyperDbg. As HyperDbg can be used to monitor any critical system component, it is suitable to analyze even malicious programs that include kernel-level modules. Despite all the progress anti-malware technologies can make, perfect malware detection remains an undecidable problem. When it is not possible to prevent a malicious threat from infecting a system, post-infection remediation remains the only viable possibility.
However, if the machine has already been compromised, the execution of the remediation tool could be tampered with by the malware that is running on the system. To address this problem we present Conqueror, a software-based attestation scheme for tamper-proof code execution on untrusted legacy systems. Besides providing load-time attestation of a piece of code, Conqueror also ensures run-time integrity. Conqueror constitutes a valid alternative to trusted computing platforms, for systems lacking specialized hardware for attestation. We implemented a prototype, specific for the Intel x86 architecture, and evaluated the proposed scheme. Our evaluation showed that, compared to competitors, Conqueror is resistant to both static and dynamic attacks. We believe Conqueror and our transparent dynamic analysis framework constitute important building blocks for creating new security applications. To demonstrate this claim, we leverage the aforementioned solutions to realize HyperSleuth, an infrastructure to securely perform live forensic analysis of potentially compromised production systems. HyperSleuth provides a trusted execution environment that guarantees an attacker controlling the system cannot interfere with the analysis and cannot tamper with the results. The framework can be installed as the system runs, without a reboot and without losing any volatile data. Moreover, the analysis can be periodically and safely interrupted to resume normal execution of the system. On top of HyperSleuth we implemented three forensic analysis tools: a lazy physical memory dumper, a lie detector, and a system call tracer. The experimental evaluation we conducted demonstrated that even time consuming analyses, such as the dump of the content of the physical memory, can be securely performed without interrupting the services offered by the system.
17

Salevski, Paul M., and William R. Taff. "Malware mimics for network security assessment." Thesis, Monterey, California. Naval Postgraduate School, 2011. http://hdl.handle.net/10945/5749.

Abstract:
Approved for public release; distribution is unlimited
For computer network infiltration and defense training within the Defense, the use of Red Teams results in the most effective, realistic, and comprehensive training for network administrators. Our thesis is meant to mimic that highly trained adversary. We developed a framework that would exist in that operational network, that mimics the actions of that adversary or malware, that creates observable behaviors, and that is fully controllable and configurable. The framework is based upon a client-server relationship. The server is a Java multi-threaded server that issues commands to the Java client software on all of the hosts of the operational network. Our thesis proved that commands could be sent to those clients to generate scanning behavior that was observable on the network, that the clients would generate or cease their behavior within five seconds of the issuance of the command, and that the clients would return to a failsafe state if communication with the command and control server was lost. The framework that was created can be expanded to control more than twenty hosts. Furthermore, the software is extensible so that additional modules can be created for the client software to generate additional and more complex malware mimic behaviors.
18

Siddiqui, Muazzam. "DATA MINING METHODS FOR MALWARE DETECTION." Doctoral diss., University of Central Florida, 2008. http://digital.library.ucf.edu/cdm/ref/collection/ETD/id/2783.

Abstract:
This research investigates the use of data mining methods for malware (malicious programs) detection and proposes a framework as an alternative to the traditional signature detection methods. The traditional approaches using signatures to detect malicious programs fail in the case of new and unknown malware, where signatures are not available. We present a data mining framework to detect malicious programs. We collected, analyzed and processed several thousand malicious and clean programs to find out the best features and build models that can classify a given program into a malware or a clean class. Our research is closely related to information retrieval and classification techniques and borrows a number of ideas from the field. We used a vector space model to represent the programs in our collection. Our data mining framework includes two separate and distinct classes of experiments. The first are the supervised learning experiments that used a dataset, consisting of several thousand malicious and clean program samples, to train, validate and test an array of classifiers. In the second class of experiments, we proposed using sequential association analysis for feature selection and automatic signature extraction. With our experiments, we were able to achieve as high as 98.4% detection rate and as low as 1.9% false positive rate on novel malware.
Ph.D.
Other
Sciences
Modeling and Simulation PhD
19

Redfern, Cory. "Malware Recognition by Properties of Executables." ScholarWorks@UNO, 2009. http://scholarworks.uno.edu/td/1013.

Abstract:
This thesis explores what patterns, if any, exist to differentiate non-malware from malware, given only a sequence of raw bytes composing either a received file or a fixed-length initial segment of a received file. If any such patterns are found, their effectiveness as filtering criteria is investigated.
20

Grégio, André Ricardo Abed. "Malware Behavior = Comportamento de programas maliciosos." [s.n.], 2012. http://repositorio.unicamp.br/jspui/handle/REPOSIP/261000.

Abstract:
Orientadores: Mario Jino, Paulo Licio de Geus
Tese (doutorado) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação
Summary: Attacks involving malicious programs (malware) are the major current threat to system security. Thus, the motivation of this thesis is to study malware behavior and how it can be used for defensive purposes. The main mechanism used to defend against malware is the antivirus (AV). Although its purpose is to detect (and remove) malicious programs from infected machines, the results of this detection provide users and analysts with insufficient information about the infection process carried out by the malware. Moreover, there is no standard naming scheme for consistently assigning identification names to detected malware samples, making their classification difficult. In order to provide a naming scheme for malware and improve the quality of the results produced by dynamic malware analysis systems, this thesis proposes a malware taxonomy based on the potentially dangerous behaviors observed during several years of analysis of samples found in the wild. The main goal of this taxonomy is to be clear, simple to maintain and extend, and to encompass general types of malware (worms, bots, spyware). The proposed taxonomy introduces four classes and their respective high-level behaviors, which represent potentially dangerous activities. To evaluate it, more than 12 thousand unique malware samples belonging to different classes (assigned by antivirus) were used.
Other contributions of this thesis include a brief history of malicious programs and a survey of the taxonomies that deal with specific types of malware; the development of a dynamic analysis system to extract behavioral profiles of malware; the specialization of the taxonomy to handle malware samples that steal information (stealers), known as bankers; the implementation of visualization tools to interact with malware execution traces; and, finally, the introduction of a clustering technique based on the values written by malware into memory and registers.
Abstract: Attacks involving malicious software (malware) are the major current threats to systems security. The motivation behind this thesis is to study malware behavior with that purpose. The main mechanism used for defending against malware is the antivirus (AV) tool. Although the purpose of an AV is to detect (and remove) malicious programs from infected machines, this detection usually provides insufficient information for users and analysts regarding the malware infection process. Furthermore, there is no standard naming scheme for consistently labeling detected malware, making the malware classification process harder. To provide a meaningful naming scheme, as well as to improve the quality of results produced by dynamic analysis systems, we propose a malware taxonomy based on potentially dangerous behaviors observed during several years of analysis of malware found in the wild. The main goal of the taxonomy is, in addition to being simple to understand, extend and maintain, to embrace general types of malware (e.g., worms, bots, spyware). Our behavior-centric malware taxonomy introduces four classes and their respective high-level behaviors that represent potentially dangerous activities. We applied our taxonomy to more than 12 thousand unique malware samples from different classes (assigned by AV scanners) to show that it is useful to better understand malware infections and to aid in malware-related incident response procedures. Other contributions of our work are: a brief history of malware and a survey of taxonomies that address specific malware types; a dynamic analysis system to extract behavioral profiles from malware; specialization of our taxonomy to handle information stealers known as bankers; proposal of visualization tools to interact with malware execution traces and, finally, a clustering technique based on values that malware writes into memory or registers.
Doctorate
Computer Engineering
Doctor of Electrical Engineering
21

Daniš, Daniel. "Detekce malware pomocí analýzy DNS provozu." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2016. http://www.nusl.cz/ntk/nusl-255302.

Abstract:
This master's thesis deals with the design and implementation of a tool for malware detection using DNS traffic analysis. The text of the thesis is divided into a theoretical and a practical part. In the theoretical part the reader will be acquainted with the domain of malware and botnet detection. Consequently, various options and methods of malware detection will be described. The practical part of the thesis contains a description of the malware detection tool architecture as well as key aspects of its implementation. Moreover, the emphasis is placed on testing and experiments. The result of the thesis is a tool, written in Python, for malware detection using DNS traffic analysis, that uses a combination of several methods of detection.
22

Surovič, Marek. "Statická detekce malware nad LLVM IR." Master's thesis, Vysoké učení technické v Brně. Fakulta informačních technologií, 2016. http://www.nusl.cz/ntk/nusl-255427.

Abstract:
This thesis deals with methods for behavioral malware detection that use techniques of formal analysis and verification. The basis is the inference of tree automata from system-call dependency graphs, which are obtained by static analysis of LLVM IR. As part of the thesis, a prototype detector is implemented that uses the LLVM compiler infrastructure. For experimental verification of the detector, a C/C++ compiler capable of generating malware mutations by means of obfuscating transformations is used. The results of preliminary experiments and possible future extensions of the detector are discussed in the conclusion of the thesis.
23

Kim, Ye Kyung. "Framework for Analysis of Android Malware." University of Akron / OhioLINK, 2014. http://rave.ohiolink.edu/etdc/view?acc_num=akron1418252974.

24

Karlsson, Oliver, and Erik Magnusson. "Malware: Det moderna hotet mot företag." Thesis, Högskolan i Halmstad, Akademin för informationsteknologi, 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-44982.

Abstract:
This thesis examines the most commonly occurring types of malware, their functions, and the consequences that arise from attacks. Consequences mean damage from the theft or destruction of data stored on the affected device. The purpose of this thesis is to give an overview of the currently largest malware threats to companies with Windows computers. A literature study was used to establish which types of malware are the most common, how the selected types of malware are categorized, and what their function is. The work also includes an experiment to determine more precisely how certain malware operates when it infects an operating system. The information obtained from the experiment was combined with the information from the literature study and has been compiled in this report. The discussion addresses the various consequences in more detail, with examples of how they differ in their impact on a company. The information obtained from the experiment is discussed: which type of malware the samples are defined as and what they changed in the system. The conclusion presents the most common types of malware in a table with regard to both consequences and likelihood. The effects of the software are also discussed and some examples are given.
25

Fraley, James B. "Improved Detection for Advanced Polymorphic Malware." NSUWorks, 2017. http://nsuworks.nova.edu/gscis_etd/1008.

Abstract:
Malicious Software (malware) attacks across the internet are increasing at an alarming rate. Cyber-attacks have become increasingly more sophisticated and targeted. These targeted attacks are aimed at compromising networks, stealing personal financial information and removing sensitive data or disrupting operations. Current malware detection approaches work well for previously known signatures. However, malware developers utilize techniques to mutate and change software properties (signatures) to avoid and evade detection. Polymorphic malware is practically undetectable with signature-based defensive technologies. Today’s effective detection rate for polymorphic malware detection ranges from 68.75% to 81.25%. New techniques are needed to improve malware detection rates. Improved detection of polymorphic malware can only be accomplished by extracting features beyond the signature realm. Targeted detection for polymorphic malware must rely upon extracting key features and characteristics for advanced analysis. Traditionally, malware researchers have relied on limited dimensional features such as behavior (dynamic) or source/execution code analysis (static). This study’s focus was to extract and evaluate a limited set of multidimensional topological data in order to improve detection for polymorphic malware. This study used multidimensional analysis (file properties, static and dynamic analysis) with machine learning algorithms to improve malware detection. This research demonstrated improved polymorphic malware detection can be achieved with machine learning. This study conducted a number of experiments using a standard experimental testing protocol. This study utilized three advanced algorithms (Metabagging (MB), Instance Based k-Means (IBk) and Deep Learning Multi-Layer Perceptron) with a limited set of multidimensional data. Experimental results delivered detection results above 99.43%. In addition, the experiments delivered near zero false positives. 
The study’s approach was based on single case experimental design, a well-accepted protocol for progressive testing. The study constructed a prototype to automate feature extraction, assemble files for analysis, and analyze results through multiple clustering algorithms. The study performed an evaluation of large malware sample datasets to understand effectiveness across a wide range of malware. The study developed an integrated framework which automated feature extraction for multidimensional analysis. The feature extraction framework consisted of four modules: 1) a pre-process module that extracts and generates topological features based on static analysis of machine code and file characteristics, 2) a behavioral analysis module that extracts behavioral characteristics based on file execution (dynamic analysis), 3) an input file construction and submission module, and 4) a machine learning module that employs various advanced algorithms. As with most studies, careful attention was paid to false positive and false negative rates which reduce their overall detection accuracy and effectiveness. This study provided a novel approach to expand the malware body of knowledge and improve the detection for polymorphic malware targeting Microsoft operating systems.
26

Fawaz, Ali. "Hur skyddar man sig mot malware?" Thesis, Högskolan i Halmstad, Akademin för informationsteknologi, 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:hh:diva-40192.

Abstract:
This is a compilation of a list of measures for ordinary computer users on how to protect themselves against malicious code. The focus is on mistakes due to the human factor and mitigation based on these. The work contains a literature study and an experiment. The experiment is divided so that several measures against malicious code could be tested. The literature study presents facts about the different types of malicious code. With the help of the experiment, several measures against malicious code could be included in the list that was compiled. Above all, the experiment shows how important simple updates of antivirus software and operating systems are.
27

Concepcion, Miranda Tomas Javier. "Profiling and Visualizing Android Malware Datasets." Electronic Thesis or Diss., CentraleSupélec, 2022. http://www.theses.fr/2022CSUP0005.

Abstract:
Mobile devices are ubiquitous: today the majority of people own a mobile phone. Because of this, these devices are a target of interest for attackers. These attacks are carried out through malicious applications that can harm mobile devices. Malware analysis researchers work to recognize these types of programs before they are installed on a user's device. To do this, they run experiments to automatically detect this malware, in which they use sets of already known malware and benign applications. Depending on the dataset chosen, the results of the experiments may be acceptable or exceptionally good because they are overestimated. Consequently, datasets of malware and benign applications are important elements to consider when designing an experiment. This thesis presents, first, a method for evaluating dataset quality based on a statistical test that helps compare a crafted dataset with a large set of applications, for example from an application store. We then show that the historical datasets of the literature are of poor quality, which justifies the need to create new, more up-to-date datasets. Second, we introduce an algorithm to update low-quality mixed malware/goodware datasets so that they resemble a target dataset that cannot be used directly, e.g. an application store. We evaluate the updated mixed datasets using a machine learning algorithm and show that malware detection on our updated dataset becomes a harder problem to solve. Finally, we introduce DaViz, a dataset visualization tool for exploring and comparing Android application datasets.
This tool allows researchers to visualize the biases in the datasets of the literature and to obtain useful information about them.
Mobile devices are ubiquitous: nowadays most people own a mobile telephone. Because of this, it is a target of interest for attackers. Researchers in malware analysis put their effort to recognize these types of programs before they are installed on a user device. To do this, they perform experiments to automatically detect malware, for example with machine learning, where they use sets of already known malware and goodware. Depending on their choice of datasets, the evaluation of the experiments can yield acceptable results, or outstanding but overestimated results. Consequently, datasets with malware and benign samples are important elements to consider when designing an experiment. This thesis presents, first, a method to evaluate the quality of datasets based on a statistical test that helps to compare a crafted dataset against a large set of applications such as markets. We show that historical datasets of the literature are of low quality, which justifies the need to create new up-to-date datasets. Second, we introduce an algorithm to update mixed datasets of malware/goodware of low quality in order to resemble a target dataset that cannot be used directly, e.g. a market. We evaluate the updated mixed datasets using a machine learning algorithm and we show that the detection of malware in our up-to-date dataset becomes a more difficult problem to solve. Lastly, we introduce DaViz, a dataset visualization tool for exploring and comparing Android malware datasets, which enables researchers to visualize the biases in datasets of the literature, and obtain useful information from them.
28

ZUPPELLI, MARCO. "Detection and Mitigation of Steganographic Malware." Doctoral thesis, Università degli studi di Genova, 2023. https://hdl.handle.net/11567/1105735.

Abstract:
A new attack trend concerns the use of some form of steganography and information hiding to make malware stealthier and able to elude many standard security mechanisms. Therefore, this Thesis addresses the detection and the mitigation of this class of threats. In particular, it considers malware implementing covert communications within network traffic or cloaking malicious payloads within digital images. The first research contribution of this Thesis is in the detection of network covert channels. Unfortunately, the literature on the topic lacks real traffic traces or attack samples to perform precise tests or security assessments. Thus, a propaedeutic research activity has been devoted to developing two ad-hoc tools. The first allows one to create covert channels targeting the IPv6 protocol by eavesdropping flows, whereas the second allows one to embed secret data within arbitrary traffic traces that can be replayed to perform investigations in realistic conditions. This Thesis then starts with a security assessment concerning the impact of hidden network communications in production-quality scenarios. Results have been obtained by considering channels cloaking data in the most popular protocols (e.g., TLS, IPv4/v6, and ICMPv4/v6) and showcased that de-facto standard intrusion detection systems and firewalls (i.e., Snort, Suricata, and Zeek) are unable to spot this class of hazards. Since malware can conceal information (e.g., commands and configuration files) in almost every protocol, traffic feature or network element, configuring or adapting pre-existent security solutions might not be straightforward. Moreover, inspecting multiple protocols, fields or conversations at the same time could lead to performance issues.
Thus, a major effort has been devoted to developing a suite based on the extended Berkeley Packet Filter (eBPF) to gain visibility over different network protocols/components and to efficiently collect various performance indicators or statistics by using a unique technology. This part of the research made it possible to spot the presence of network covert channels targeting the header of the IPv6 protocol or the inter-packet time of generic network conversations. In addition, the approach based on eBPF turned out to be very flexible and also made it possible to reveal hidden data transfers between two processes co-located within the same host. Another important contribution of this part of the Thesis concerns the deployment of the suite in realistic scenarios and its comparison with other similar tools. Specifically, a thorough performance evaluation demonstrated that eBPF can be used to inspect traffic and reveal the presence of covert communications also in the presence of high loads, e.g., it can sustain rates up to 3 Gbit/s with commodity hardware. To further address the problem of revealing network covert channels in realistic environments, this Thesis also investigates malware targeting traffic generated by Internet of Things devices. In this case, an incremental ensemble of autoencoders has been considered to face the ''unknown'' location of the hidden data generated by a threat covertly exchanging commands towards a remote attacker. The second research contribution of this Thesis is in the detection of malicious payloads hidden within digital images. In fact, the majority of real-world malware exploits hiding methods based on Least Significant Bit steganography and some of its variants, such as the Invoke-PSImage mechanism. Therefore, a relevant amount of research has been done to detect the presence of hidden data and classify the payload (e.g., malicious PowerShell scripts or PHP fragments).
To this aim, mechanisms leveraging Deep Neural Networks (DNNs) proved to be flexible and effective since they can learn by combining raw low-level data and can be updated or retrained to consider unseen payloads or images with different features. To take into account realistic threat models, this Thesis studies malware targeting different types of images (i.e., favicons and icons) and various payloads (e.g., URLs and Ethereum addresses, as well as webshells). Obtained results showcased that DNNs can be considered a valid tool for spotting the presence of hidden contents since their detection accuracy is always above 90% also when facing ''elusion'' mechanisms such as basic obfuscation techniques or alternative encoding schemes. Lastly, when detection or classification are not possible (e.g., due to resource constraints), approaches enforcing ''sanitization'' can be applied. Thus, this Thesis also considers autoencoders able to disrupt hidden malicious contents without degrading the quality of the image.
29

Burji, Supreeth Jagadish. "Reverse Engineering of a Malware : Eyeing the Future of Computer Security." Akron, OH : University of Akron, 2009. http://rave.ohiolink.edu/etdc/view?acc%5Fnum=akron1247447165.

Abstract:
Thesis (M.S.)--University of Akron, Dept. of Computer Science, 2009.
"August, 2009." Title from electronic thesis title page (viewed 11/11/2009) Advisor, Kathy J. Liszka; Faculty Readers, Timothy W. O'Neil, Wolfgang Pelz; Department Chair, Chien-Chung Chan; Dean of the College, Chand Midha; Dean of the Graduate School, George R. Newkome. Includes bibliographical references.
30

Black, Paul. "Techniques for the reverse engineering of banking malware." Thesis, Federation University of Australia, 2020. http://researchonline.federation.edu.au/vital/access/HandleResolver/1959.17/175276.

Full text
Abstract:
Malware attacks are a significant and frequently reported problem, adversely affecting the productivity of organisations and governments worldwide. The well-documented consequences of malware attacks include financial loss, data loss, reputation damage, infrastructure damage, theft of intellectual property, compromise of commercial negotiations, and national security risks. Mitigation activities involve a significant amount of manual analysis. Therefore, there is a need for automated techniques for malware analysis to identify malicious behaviours. Research into automated techniques for malware analysis covers a wide range of activities. This thesis consists of a series of studies: an analysis of banking malware families and their common behaviours, an emulated command and control environment for dynamic malware analysis, a technique to identify similar malware functions, and a technique for the detection of ransomware. An analysis of the nature of banking malware, its major malware families, behaviours, variants, and inter-relationships is provided in this thesis. In doing this, this research takes a broad view of malware analysis, starting with the implementation of the malicious behaviours through to detailed analysis using machine learning. The broad approach taken in this thesis differs from some other studies that approach malware research in a more abstract sense. A disadvantage of approaching malware research without domain knowledge is that important methodology questions may not be considered. Large datasets of historical malware samples are available for countermeasures research. However, due to the age of these samples, the original malware infrastructure is no longer available, often restricting malware operations to initialisation functions only. To address this absence, an emulated command and control environment is provided.
This emulated environment provides full control of the malware, enabling the capabilities of the original in-the-wild operation, while enabling feature extraction for research purposes. A major focus of this thesis has been the development of a machine learning function similarity method with a novel feature encoding that increases feature strength. This research develops techniques to demonstrate that a machine learning model trained on similarity features from one program can find similar functions in another, unrelated program. This finding can lead to the development of generic similar-function classifiers that can be packaged and distributed in reverse engineering tools such as IDA Pro and Ghidra. Further, this research examines the use of API call features for the identification of ransomware and shows that a failure to consider malware analysis domain knowledge can lead to weaknesses in experimental design. In this case, we show that existing research has difficulty in discriminating between ransomware and benign cryptographic software. This thesis by publication has developed techniques to advance the discipline of malware reverse engineering, in order to minimize harm due to cyber-attacks on critical infrastructure, government institutions, and industry.
Doctor of Philosophy
31

Schmall, Markus. "Classification and identification of malicious code based on heuristic techniques utilizing meta languages." [S.l. : s.n.], 2003. http://deposit.ddb.de/cgi-bin/dokserv?idn=968845746.

Full text
32

Xuan, Chaoting. "Countering kernel malware in virtual execution environments." Diss., Atlanta, Ga. : Georgia Institute of Technology, 2009. http://hdl.handle.net/1853/31718.

Full text
Abstract:
Thesis (Ph.D)--Electrical and Computer Engineering, Georgia Institute of Technology, 2010.
Committee Chair: Copeland A. John; Committee Member: Alessandro Orso; Committee Member: Douglas M. Blough; Committee Member: George F. Riley; Committee Member: Raheem A. Beyah. Part of the SMARTech Electronic Thesis and Dissertation Collection.
33

Reddy, Patlolla Pradeep, and Pasam Raghava Reddy. "Modeling The Spread Malware In Computer Networks." Thesis, Blekinge Tekniska Högskola, Sektionen för datavetenskap och kommunikation, 2009. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-3373.

Full text
Abstract:
Our research is an exploratory study on how various parameters in the attack, ranging from those of the worm (replication rate), to those of the network (number of nodes, % firewalled computers), as well as user behaviour (frequency of checking mail), impact the spread of malware. Through the development of a simulator we have created various experiments and have studied the impact of all possible parameters.
34

Zeeuwen, Kyle. "Optimizing re-evaluation of malware distribution networks." Thesis, University of British Columbia, 2011. http://hdl.handle.net/2429/37958.

Full text
Abstract:
The retrieval and analysis of malicious content is an essential task for security researchers. Security labs use automated HTTP clients known as client honeypots to visit hundreds of thousands of suspicious URLs daily. The dynamic nature of malware distribution networks necessitates periodic re-evaluation of a subset of the confirmed malicious sites, which introduces two problems: 1) the number of URLs requiring re-evaluation exhausts available resources, and 2) repeated evaluation exposes the system to adversarial blacklisting, which affects the accuracy of the content collected. To address these problems, I propose optimizations to the re-evaluation logic that reduce the number of re-evaluations while maintaining a constant sample discovery rate during URL re-evaluation. I study these problems in two adversarial scenarios: 1) monitoring malware repositories where no provenance is available, and 2) monitoring Fake Anti-Virus (AV) distribution networks. I perform a study of the adversary by repeatedly fetching content from the distribution networks. This reveals trends in the update patterns and lifetimes of the distribution sites and malicious executables. Using these observations I propose optimizations to reduce the number of re-evaluations necessary to maintain a high malicious sample discovery rate. In the first scenario the proposed techniques, when evaluated against a fixed interval scheduler, are shown to reduce the number of re-evaluations by 80-93% (assuming a re-evaluation interval of 1 hour to 1 day) with a corresponding impact on sample discovery rate of only 2-7%. In the second scenario, the proposed optimizations are shown to reduce fetch volume by orders of magnitude and, more importantly, reduce the likelihood of blacklisting. During direct evaluation of malware repositories I observe multiple instances of blacklisting, but on the whole, less than 1% of the repositories studied show evidence of blacklisting.
Fake AV distribution networks actively blacklist IPs; I encountered repeated occurrences of IP blacklisting while monitoring Fake AV distribution networks.
35

Denzel, Michael. "Malware tolerance : distributing trust over multiple devices." Thesis, University of Birmingham, 2018. http://etheses.bham.ac.uk//id/eprint/8422/.

Full text
Abstract:
Current security solutions try to keep the adversary out of the computer infrastructure. However, with zero-day exploits and certain rootkit attacks, the assumption that attacks can be blocked does not hold any more. This work presents the concept of malware tolerance, accepting that every device might be compromised at some point in time. The concept aims to distribute trust over several devices so that no single device is able to compromise security features by itself. I create three malware-tolerant techniques to demonstrate the feasibility of the concept. This thesis introduces a trusted input system which delivers keystrokes securely from the keyboard to a recipient even if one of its components is compromised. The second approach is the design of a self-healing Industrial Control System, a sensor-actuator network to securely control a physical system. If an adversary manages to compromise one of the components, it remains secure and can even recover from attacks. Lastly, this thesis proposes a mesh network architecture aimed at smart-home networks that, without assuming any device in the network to be invulnerable to attacks, applies isolation mechanisms to otherwise flat mesh networks. This thesis gives formal security proofs with the protocol verifier ProVerif. The proof scripts are open-source.
36

Loving, James Howard. "Enabling malware remediation in expanding home networks." Thesis, Massachusetts Institute of Technology, 2017. http://hdl.handle.net/1721.1/108839.

Full text
Abstract:
Thesis: S.M. in Technology and Policy, Massachusetts Institute of Technology, School of Engineering, Institute for Data, Systems, and Society, Technology and Policy Program, 2017.
Thesis: S.M., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2017.
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.
Cataloged from student-submitted PDF version of thesis.
Includes bibliographical references (pages 79-91).
As the Internet of Things (IoT) grows, malware will increasingly threaten Internet security and stability. Many actors, from individuals installing antivirus on their personal computers to law enforcement conducting botnet takedowns, have some capability to prevent or remediate malware, but these strategies face technical and economic challenges. These challenges worsen as the IoT expands, due to the high number of IoT devices and other characteristics of the IoT. Fortunately, Internet Service Providers (ISPs) are positioned to effectively contribute to malware remediation efforts, through the detection and notification of compromise. However, Network Address Translation (NAT) and IPv6 Privacy Extensions prevent ISPs from identifying the specific compromised device. We refer to this last-mile extension of the IP traceback problem as the residential source identification problem. As the IoT grows, the problem worsens: IoT devices are less capable of self-remediation and are expected to soon outnumber traditional devices, thus imposing a significant cost on customers to triangulate and remediate an infection. To address the residential source identification problem, I propose EDICT, an open-source software package for home routers that will enable consumers to identify a specific device, given retrospective notification of the malicious behavior, without compromising the consumer's privacy. EDICT does this by maintaining a mapping of IP flows to devices through a series of scalable Bloom filters, allowing EDICT to operate under the significant memory constraints of home routers. When a customer is informed of compromise, EDICT will query this connection log using a fuzzy check of the timestamp and source port, both provided by the ISP, iterated across a log of identified devices.
EDICT will then provide the customer with user-friendly information on the infection's source, enabling remediation.
by James Howard Loving.
S.M. in Technology and Policy
S.M.
37

Case, Andrew. "Detecting Objective-C Malware through Memory Forensics." ScholarWorks@UNO, 2016. http://scholarworks.uno.edu/td/2132.

Full text
Abstract:
Memory forensics is increasingly used to detect and analyze sophisticated malware. In the last decade, major advances in memory forensics have made analysis of kernel-level malware straightforward. Kernel-level malware has been favored by attackers because it essentially provides complete control over a machine. This has changed recently as operating system vendors now routinely enforce driver signing, and strategies for protecting kernel data, such as PatchGuard, have made userland attacks much more attractive to malware authors. In this thesis, new techniques for detecting userland malware written in Objective-C on Mac OS X are presented. As the thesis illustrates, Objective-C provides a rich set of APIs that malware uses to manipulate and steal data and to perform other malicious activities. The novel memory forensics techniques presented in this thesis deeply examine the state of the Objective-C runtime, identifying a number of suspicious activities, from keystroke logging to pointer swizzling.
38

Stegner, Wayne. "Context-Aware Malware Detection Using Topic Modeling." University of Cincinnati / OhioLINK, 2021. http://rave.ohiolink.edu/etdc/view?acc_num=ucin162766765703398.

Full text
39

Severyn, Stacie Noel. "Adapting Linguistic Deception Cues for Malware Detection." Wright State University / OhioLINK, 2014. http://rave.ohiolink.edu/etdc/view?acc_num=wright1421025881.

Full text
40

Subramanian, Nandita. "Analysis of Rank Distance for Malware Classification." University of Cincinnati / OhioLINK, 2016. http://rave.ohiolink.edu/etdc/view?acc_num=ucin1479823187035784.

Full text
41

Gorugantu, Swetha. "Malware Analysis Skills Taught in University Courses." Wright State University / OhioLINK, 2018. http://rave.ohiolink.edu/etdc/view?acc_num=wright1527083698607394.

Full text
42

Gitzinger, Louison. "Surviving the massive proliferation of mobile malware." Thesis, Rennes 1, 2020. http://www.theses.fr/2020REN1S058.

Full text
Abstract:
Nowadays, we are surrounded by autonomous smart devices that interact with many services with the aim of improving our standard of living. These devices are part of larger ecosystems, in which many companies collaborate to facilitate the distribution of applications between developers and users. However, malicious actors illegally take advantage of this to infect users' devices with malicious applications. Despite all the efforts made to defend these ecosystems, the rate of devices infected by malware is still increasing in 2020. In this thesis, we explore three research axes with the aim of globally improving malware detection in the Android ecosystem. We first demonstrate that the accuracy of machine learning-based detection systems can be improved by automating their evaluation and by reusing the concept of AutoML to fine-tune the parameters of the learning algorithms. We propose an approach to automatically create malware variants from combinations of complex evasion techniques in order to diversify experimental malware datasets with the aim of testing detection systems. Finally, we propose methods to improve the quality of the experimental datasets used to train and test detection systems.
Nowadays, many of us are surrounded by smart devices that seamlessly operate interactively and autonomously together with multiple services to make our lives more comfortable. These smart devices are part of larger ecosystems, in which various companies collaborate to ease the distribution of applications between developers and users. However, malicious attackers take advantage of them illegitimately to infect users' smart devices with malicious applications. Despite all the efforts made to defend these ecosystems, the rate of devices infected with malware is still increasing in 2020. In this thesis, we explore three research axes with the aim of globally improving malware detection in the Android ecosystem. We demonstrate that the accuracy of machine learning-based detection systems can be improved by automating their evaluation and by reusing the concept of AutoML to fine-tune learning algorithms' parameters. We propose an approach to automatically create malware variants from combinations of complex evasion techniques to diversify experimental malware datasets in order to challenge existing detection systems. Finally, we propose methods to globally increase the quality of experimental datasets used to train and test detection systems.
43

Kercher, Kellie Elizabeth. "Distributed Agent Cloud-Sourced Malware Reporting Framework." BYU ScholarsArchive, 2013. https://scholarsarchive.byu.edu/etd/4250.

Full text
Abstract:
Malware is a fast growing threat that consists of a malicious script or piece of software that is used to disrupt the integrity of a user's experience. Antivirus software can help protect a user against these threats and there are numerous vendors users can choose from for their antivirus protection. However, each vendor has their own set of virus definitions varying in resources and capabilities in recognizing new threats. Currently, a persistent system is not in place that measures and displays data on the performance of antivirus vendors in responding to new malware over a continuous period of time. There is a need for a system that can evaluate antivirus performance in order to better inform end users of their security options, in addition to informing clients of prevalent threats occurring in their network. This project is dedicated to assessing the viability of a cloud sourced malware reporting framework that uses distributed agents to evaluate the performance of antivirus software based on malware signatures.
44

Liu, Chi-Feng, and 劉其峰. "Malware Family Characterization." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/4m43xu.

Full text
Abstract:
Master's
National Chengchi University
Department of Management Information Systems
106
Nowadays, a massive amount of sensitive data which is accessible and connected through personal computers and cloud services attracts hackers to develop malicious software (malware) to steal it. Owing to the success of deep learning on image and language recognition, researchers direct security systems to analyze and identify malware with deep learning approaches. This paper addresses the problem of analyzing and identifying complex and unstructured malware behaviors by proposing a framework that combines unsupervised and supervised learning algorithms with a novel sequence-aware encoding method. In particular, we adopt a hybrid GHSOM (Growing Hierarchical Self-Organizing Map) algorithm to cluster and encode similar malware behavior sequences from system call sequences into clustering feature vectors. Then, a Recurrent Neural Network (RNN) is trained to detect malware and predict their corresponding malware families based on the sequence of the behavior vectors. Our experiments show that the accuracy rate can be up to 0.98 in malware detection and 0.719 in malware classification of an 18-category malware dataset.
45

Peng, Cheng-Hung, and 彭証鴻. "Automated Malware Tagging." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/zgh664.

Full text
Abstract:
Master's
National Taiwan University
Graduate Institute of Information Management
107
In recent years, the speed of malware production has grown rapidly, and the threat to individuals and businesses has increased. If we understand the attack techniques used by malware to achieve their malicious purposes, we can directly detect and defend against malware. Anti-virus vendors try to explain the impact and threat of malware to security experts by means of labels. However, [3] pointed out that each anti-virus vendor has its own labeling criteria and basis, and many of them are inconsistent. According to [11], even among malware sharing the same label, behaviors are still quite diverse. This indicates that the currently proposed labels do not have semantic explanatory power. Therefore, this thesis proposes to examine a sequence of API call invocations and extract a sequence of activity groups from the execution sequence. After extracting the activity groups, we refer to the attack techniques under the MITRE ATT&CK framework, give each activity group one semantic description tag, and finally obtain a sequence of semantic description tags. A sequence of semantic description tags can clearly show the intent of each stage of execution activity and the purpose of the malware, thereby providing a deep and clear description of the malicious activity of the malware family.
46

KUMAR, UPDESH. "ANDROID MALWARE CLASSIFICATION." Thesis, 2017. http://dspace.dtu.ac.in:8080/jspui/handle/repository/15977.

Full text
Abstract:
As indicated by AV vendors, malicious software has been growing exponentially over the past years. One of the main reasons behind these high volumes is that, in order to evade detection, malware authors started using polymorphic and metamorphic techniques. As a result, traditional signature-based approaches to detecting malware are becoming insufficient against new malware, and the classification of malware samples has become essential to understand the basis of malware behaviour and to fight back against cybercriminals. During the last decade, solutions that fight against malicious software have begun using machine learning approaches. Unfortunately, there are few open-source datasets available to the academic community. One of the largest datasets available was released last year in a competition hosted on Kaggle with data provided by Microsoft for the Big Data Innovators Gathering (BIG 2015). This thesis presents two novel and scalable approaches using Neural Networks (NNs) to assign malware to its corresponding family. On one hand, the first approach makes use of CNNs to learn a feature hierarchy to discriminate among malware samples represented as grayscale images. On the other hand, the second approach uses the CNN architecture introduced by Yoon Kim [12] to classify malware samples according to their x86 instructions. The proposed methods achieved an improvement of 80.86% and 81.56% with respect to the equal-probability benchmark.
47

Suen, Shin-Lan, and 孫心蘭. "Distributed Malware Monitor System." Thesis, 2007. http://ndltd.ncl.edu.tw/handle/79249471967501613116.

Full text
Abstract:
Master's
National Chung Cheng University
Graduate Institute of Communications Engineering
95
The internet’s rapid development and burgeoning popularity has led to the increased prevalence of e-mail and electronic file transfers among its users. Concomitantly, malware programs (e.g. Trojans, viruses and spyware) have evolved to infiltrate outgoing e-mails and files at data transmission time without the user’s knowledge and have flourished to rampancy. Malware has caused tremendous loss for personal users, enterprises, and government organizations in recent years. Moreover, malware’s variety is increasing rapidly with advancing technology. Currently, malware’s rapid mutation rate allows it to easily evade antivirus software’s detection since virus definition updates come out relatively slowly. Here we propose a new framework for malware detection called Distributed Malware Monitor Systems (DMMS). In this framework, malware detection is achieved by monitoring all currently running programs. The server, with a signature database, discriminates whether the running programs contain malicious malware by comparing the suspicious programs with the data from the signature database. If the comparison result is above the malware detection threshold, the system notifies the client and administrator, blocks the program, and updates the signature database. However, if the comparison result is under the detection threshold, the system applies data mining techniques to further analyze the suspicious program and then determines the appropriate follow-up actions. Thus, the system’s defenses against evolving malware’s advance will be substantially improved. To sum up, the proposed framework can raise the defense capability and security of enterprise workstations and network servers by providing efficient real-time malware detection and elimination.
48

Калайчев, Г. В., М. В. Сидоров, and М. О. Шпакович. "Microsoft malware prediction competition." Thesis, 2019. http://openarchive.nure.ua/handle/document/11944.

Full text
Abstract:
The main goal of this work is to show ways of preparing a large amount of data, building a classification model on a huge dataset and evaluating the resulting model on test data. The initial problem solved in this work was taken from the Microsoft Malware Prediction Competition on the Kaggle site. This task is appropriate for our goal since the training dataset contains different types of features for preprocessing and 9 million rows.
49

Chen, Hung-Yuan, and 陳鴻源. "Android malware detection system." Thesis, 2016. http://ndltd.ncl.edu.tw/handle/89zu7w.

Full text
Abstract:
Master's
National Taichung University of Science and Technology
Master's Program, Department of Computer Science and Information Engineering
104
Currently, the Android system has a high market share in the mobile device market because the system allows users to install unofficial apps. Besides, application decompilation and modification is not difficult, so Android is easily targeted by malware. Using general anti-virus software to scan apps usually detects only known virus species; new types of unknown variants are normally not detectable. This study uses a tremendous number of malicious and benign program sample files, scanning and recording as features both the required and the used permissions, and applies a machine learning technique, LibSVM, to make the system classify unknown apps. The experimental results indicate an accuracy rate of 99% for the correct identification of both benign and malicious apps, even for unknown applications. We propose a not only simple but also feasible approach to detect malicious mobile apps.
50

ANAND, HIMANSHU. "FILE-LESS MALWARE DETECTION." Thesis, 2022. http://dspace.dtu.ac.in:8080/jspui/handle/repository/19105.

Full text
Abstract:
Today, everything is present digitally on our computer systems and every organisation uses computers for its daily work; nearly 50 billion devices are currently connected to the Internet. Every device connected to the Internet is vulnerable to cyberattack. To protect them from attack, multiple techniques have been introduced, such as anomaly-based detection, specification-based detection and signature-based detection, but with the evolution of cybersecurity measures the threat has also evolved with time, especially in the field of malware. Typically, malware is based on the file system and can be detected by antivirus software. To overcome this, file-less malware has been developed by attackers; it does not use the file system, so it bypasses signature-based detection. File-less malware can be dangerous for any organisation because of its persistence. To overcome the danger of file-less malware, a few methods have been developed, such as detection on the basis of system behaviour, detection on the basis of rules and detection on the basis of attack. To make computer systems secure, continuous analysis of malware is necessary so that malware can be detected easily. This project uses 4 different machine learning algorithms, i.e. Logistic Regression, K-Nearest Neighbour, Decision Tree and Support Vector Machine; all the algorithms come under supervised learning and are capable of detecting any type of labeled value. Our dataset contains 10 different file-less malware samples and we have applied all the algorithms to it for the detection part.