Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

Ping Wang,Wen-Hui Lin,Wun Jie Chao,Kuo-Ming Chao,Chi-Chun Lo

DOI: https://doi.org/10.1109/icebe.2015.75

2015-01-01

Abstract:Most existing approaches focus on examining the values are dangerous for information flow within inter-suspicious modules of cloud applications (apps) in a host by using malware threat analysis, rather than the risk posed by suspicious apps were connected to the cloud computing server. Accordingly, this paper proposes a taint propagation analysis model incorporating a weighted spanning tree analysis scheme to track data with taint marking using several taint checking tools. In the proposed model, Android programs perform dynamic taint propagation to analyse the spread of and risks posed by suspicious apps were connected to the cloud computing server. In determining the risk of taint propagation, risk and defence capability are used for each taint path for assisting a defender in recognising the attack results against network threats caused by malware infection and estimate the losses of associated taint sources. Finally, a case of threat analysis of a typical cyber security attack is presented to demonstrate the proposed approach. Our approach verified the details of an attack sequence for malware infection by incorporating a finite state machine (FSM) to appropriately reflect the real situations at various configuration settings and safeguard deployment. The experimental results proved that the threat analysis model allows a defender to convert the spread of taint propagation to loss and practically estimate the risk of a specific threat by using behavioural analysis with real malware infection.

Jinfeng Yuan,Weizhong Qiang,Hai Jin,Deqing Zou

DOI: https://doi.org/10.1007/s11227-014-1235-5

IF: 3.3

2014-01-01

The Journal of Supercomputing

Abstract:Full-system, fine-grained taint tracking has been proven to be a novel approach for the detection of malwares, especially for privacy-breaching and kernel buffer overflow malwares. On-demand emulation achieves a taint tracking framework in the cloud through switching a running system between virtual and emulated execution dynamically. However, facing the complexity of the cloud environment, it still suffers a high performance overhead. In this paper, we propose an approach for practical malware detection using elastic taint tracking, which provides the granularity and strategy of taint tracking according to the cloud applications' security requirements, including providing a taint tracking configuration file based on script, automatic deployment and trigger mechanism of the sources for taint tracking based on data flow as well as control flow, and customizable security detection method. We present a prototype implementation named CloudTaint based on Xen virtualization environment. The experimental results indicate that CloudTaint is effective for malware detection in the cloud with acceptable performance overhead using elastic taint tracking.

Rayan Mosli,Rui Li,Bo Yuan,Yin Pan

DOI: https://doi.org/10.1007/978-3-319-67208-3_11

2017-01-01

Abstract:Malware is the fastest growing threat to information technology systems. Although a single absolute solution for defeating malware is improbable, a stacked arsenal against malicious software enhances the ability to maintain security and privacy. This research attempts to reinforce the anti-malware arsenal by studying a behavioral activity common to software -the use of handles. The characteristics of handle usage by benign and malicious software are extracted and exploited in an effort to distinguish between the two classes. An automated malware detection mechanism is presented that utilizes memory forensics, information retrieval and machine learning techniques. Experimentation with a malware dataset yields a malware detection rate of 91.4% with precision and recall of 89.8% and 91.1%, respectively.

Wei Deng,Qiao Liu,Hongrong Cheng,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Malware has been posing a major threat for computer systems. The huge amount and diversity of its variants, such as computer viruses, Internet worms and Trojan horses, render classic security defenses ineffective. For the existence of active adversaries which constantly attempt to evade anti-malware, traditional signature-based approaches fail to detect malware which is new or obfuscated. This paper presents a general malware detection framework based on Kolmogorov complexity. As an example, we use a statistical data compression model which is Dynamic Markov Compression (DMC) to classify a code instance either as a "malware" or "benign" code instance. Our preliminary results are very promising. Our experimental results also demonstrate the framework can effectively detect unknown and obfuscated malware with high quality. © 2005 by Binary Information Press.

Ping Wang,Kuo-Ming Chao,Chi-Chun Lo,Wen-Hui Lin,Hsiao-Chung Lin,Wun-Jie Chao

DOI: https://doi.org/10.1177/1550147716662947

IF: 1.938

2016-01-01

International Journal of Distributed Sensor Networks

Abstract:Numerous security concerns exist in smart home systems in which Internet of Things devices are connected through a home network to enable control using a centralised gateway with a handset device from the Internet. Safeguarding personal information privacy is an increasing concern in smart living services. To guarantee the mobile security of smart living services, security managers use taint checking approaches with dynamic taint propagation analysis operations to examine how a software-defined networking app uses sensitive information and investigate suspicious security vulnerabilities of devices and the effects of the spread of taint propagation over the Internet by identifying taint paths. For solving the dynamic taint propagation analysis problem, most approaches focus on cloud computing applications (apps) with malware threat analysis that involves program vulnerability analyses, rather than on the risk posed by suspicious apps connected to the cloud computing server. Accordingly, this article proposes a taint propagation analysis model incorporating a weighted spanning tree analysis scheme for tracking data with taint marking using several taint checking tools with an open software-defined networking architecture for solving the dynamic taint propagation analysis problem. In the proposed model, Android programs perform dynamic taint propagation to analyse the spread of risks posed by suspicious apps connected to the centralised gateway in a smart home system. In probabilistic risk analysis, risk and defence capability are used for each taint path to assist a defender in recognising the attack results against network threats caused by malware infection and to estimate the losses of associated taint sources. A case of threat analysis of a typical cyber security attack is presented to demonstrate the proposed approach. A new approach was used for verifying the details of an attack sequence for malware infection by incorporating a finite state machine to appropriately represent the real dynamic taint propagation analysis situations at various configuration settings and safeguard deployment. The experimental results proved that the threat analysis model enables a defender to convert the spread of taint propagation to loss and estimate the risk of a specific threat using behavioural analysis associated with 60 families of real malware. Consequently, our scheme was significantly effective in predicting the risk and loss of tainted data propagation for security concerns in smart home systems when the number of taint paths associated with the propagation rules discovered through taint analysis was increased.

Hongying Tang,Bo Zhu,Kui Ren

DOI: https://doi.org/10.1007/978-3-642-02617-1_24

2010-01-01

Abstract:Malware has become one of the most serious threats to computer users. Early techniques based on syntactic signatures can be easily bypassed using program obfuscation. A promising direction is to combine Control Flow Graph (CFG) with instruction-level information. However, since previous work includes only coarse information, i.e., the classes of instructions of basic blocks, it results in false positives during the detection. To address this issue, we propose a new approach that generates formalized expressions upon assignment statements within basic blocks. Through combining CFG with the functionalities of basic blocks, which are represented in terms of upper variables with their corresponding formalized expressions and system calls (if any), our approach can achieve more accurate malware detection compared to previous CFG-based solutions.

JiaJing Li,Tao Wei,Wei Zou,Jian Mao

DOI: https://doi.org/10.1109/isecs.2009.148

2009-01-01

Abstract:Existing techniques based on behavior semantics for information theft malware detection have the main shortcomings of low path coverage and disability of finding hidden malicious behaviors. In this paper we propose a static method for the detection of information theft malware to overcome these shortcomings. It is particularly efficient for inter-procedure taint analysis, and it is suitable for complicated malware detection, such as Trojan and Bot. Its static style makes it able to find hidden malicious behaviors. We also present an implementation of our method that works on x86 executables and a set of experimental studies validate its good efficiency and effectiveness.

Qi Wang,Wajih Ul Hassan,Ding Li,Kangkook Jee,Xiao Yu,Kexuan Zou,Junghwan Rhee,Zhengzhang Chen,Wei Cheng,Carl A. Gunter,Haifeng Chen

DOI: https://doi.org/10.14722/ndss.2020.24167

2020-01-01

Abstract:To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average Fl score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

Heping Tang,Shuguang Huang,Yongliang Li,Lei Bao

DOI: https://doi.org/10.1109/ICCET.2010.5485224

2010-01-01

Abstract:Untrusted Data originating from network input and configuration files, causes many software security problems. Keeping track of the propagation of untrusted data in program runtime is the main idea of dynamic taint analysis for vulnerability exploits detection. In this method data from network user input and configuration files were labeled as taint. In virtue of data flow analysis we design taint propagating algorithm, and define several taint detection policies for security-critical function which used taint data in dangerous ways that could cause vulnerability exploit. A vulnerability exploit detection prototype system was implemented. In contrast to other taint analysis systems, our prototype system has higher accuracy and vulnerability exploits coverage and low workloads.

Yilun Wu,Bofeng Zhang,Zhiquan Lai,Jinshu Su

DOI: https://doi.org/10.1109/icsess.2012.6269469

2012-01-01

Abstract:Malware is a tremendous threat on the Internet. Current malware analysis systems focus on listing the malware behaviors, but make no mention of malware network behaviors which results in malware's self-duplication and self-propagation on the Internet. In this paper, we present a new method to extract malware network behaviors. Our method is based on dynamic binary analysis and dynamic taint analysis. With the dynamic binary analysis, we can extract the malware network behavior and the self-duplication behavior. We also present a method to catch malware self-propagation behavior by using dynamic taint analysis. Finally, we evaluate our method and the results show that our method is successful in extracting malware network behavior and identifying the malware self-duplication behavior.

Zhi Liu,Xiaosong Zhang,Yue Wu,Ting Chen

DOI: https://doi.org/10.1108/03321641311296873

2013-01-01

Abstract:PurposeThe purpose of this paper is to propose an approach to detect Indirect Memory‐Corruption Exploit (IMCE) at runtime on binary code, which is often caused by integer conversion error. Real‐world attacks were evaluated for experimentation.Design/methodology/approachCurrent dynamic analysis detects attacks by enforcing low level policy which can only detect control‐flow hijacking attack. The proposed approach detects IMCE with high level policy enforcement using dynamic taint analysis. Unlike low‐level policy enforced on instruction level, the authors' policy is imposed on memory operation routine. The authors implemented a fine‐grained taint analysis system with accurate taint propagation for detection.FindingsConversion errors are common and most of them are legitimate. Taint analysis with high‐level policy can accurately block IMCE but have false positives. Proper design of data structures to maintain taint tag can greatly improve overhead.Originality/valueThis paper proposes an approach to block IMCE with high‐level policy enforcement using taint analysis. It has very low false negatives, though still causes certain false positives. The authors made several implementation contributions to strengthen accuracy and performance.

Jiang Ming,Zhi Xin,Pengwei Lan,Dinghao Wu,Peng Liu,Bing Mao

DOI: https://doi.org/10.1007/s11416-016-0281-3

2016-01-01

Journal of Computer Virology and Hacking Techniques

Abstract:As the underground market of malware flourishes, there is an exponential increase in the number and diversity of malware. A crucial question in malware analysis research is how to define malware specifications or signatures that faithfully describe similar malicious intent and also clearly stand out from other programs. Although the traditional malware specifications based on syntactic signatures are efficient, they can be easily defeated by various obfuscation techniques. Since the malicious behavior is often stable across similar malware instances, behavior-based specifications which capture real malicious characteristics during run time, have become more prevalent in anti-malware tasks, such as malware detection and malware clustering. This kind of specification is typically extracted from the system call dependence graph that a malware sample invokes. In this paper, we present replacement attacks to camouflage similar behaviors by poisoning behavior-based specifications. The key method of our attacks is to replace a system call dependence graph to its semantically equivalent variants so that the similar malware samples within one family turn out to be different. As a result, malware analysts have to put more efforts into reexamining the similar samples which may have been investigated before. We distil general attacking strategies by mining more than 5200 malware samples’ behavior specifications and implement a compiler-level prototype to automate replacement attacks. Experiments on 960 real malware samples demonstrate the effectiveness of our approach to impede various behavior-based malware analysis tasks, such as similarity comparison and malware clustering. In the end, we also discuss possible countermeasures in order to strengthen existing malware defense.

TANG He-ping,HUANG Shu-guang,ZHANG Liang

2010-01-01

Abstract:Software vulnerabilities have become an omnipresent and dangerous threat to network security.Vulnerability Exploits Detection is proposed to take active defense measures to monitor system state and cut exploit data sources off or terminate program execution before exploitation.Taint analysis for vulnerability exploits detection is composed of taint propagation link,taint propagation,taint analysis and taint track.A Vulnerability exploits detection prototype system was implemented by emulator and many optimization mechanisms.In contrast to the experiment result of other taint analysis systems,our prototype system has higher accuracy and vulnerability exploits coverage.

Erzhou Zhu,Feng Liu,Zuo Wang,Alei Liang,Yiwen Zhang,Xuejian Li,Xuejun Li

DOI: https://doi.org/10.1016/j.cose.2015.03.008

IF: 5.105

2015-01-01

Computers & Security

Abstract:By analyzing information flow at runtime, dynamic taint analysis can precisely detect a wide range of vulnerabilities of software. However, it suffers from substantial runtime overhead and is incapable of discovering potential threats. Yet, realistically, the interested analyst doesn't have access to the source code of the malware. Therefore, the task of software flaw tracking becomes rather complicated. In order to cope with these issues, this paper proposes Dytaint, a novel lightweight 3-state dynamic taint analysis framework, for diagnosing more software vulnerabilities with lower runtime overhead. The framework works for the x86 binary executables and requires no special hardware assistance. Besides the tainted and the untainted states that are discussed by many popularly used taint analysis tools, the third state, controlled-taint state, is proposed to detect more types of software vulnerabilities. The new Chaining Hash Table which reduces the space for storing taint information without increasing the accessing time is also incorporated in the framework. Furthermore, two mechanisms, namely, the irrelevant API filtering based on the function recognition method and basic block handling, are introduced to optimize the runtime performance of our framework. The testing results by running SPEC CINT2006 benchmarks and various popular software have demonstrated that Dytaint is efficient which incurs only 3.1 times overhead to the native on average and practical which is able to discover not only all the real threats but also most of the potential ones.

Chenzhong Yin,Hantang Zhang,Mingxi Cheng,Xiongye Xiao,Xinghe Chen,Xin Ren,Paul Bogdan

2023-12-20

Abstract:Malware represents a significant security concern in today's digital landscape, as it can destroy or disable operating systems, steal sensitive user information, and occupy valuable disk space. However, current malware detection methods, such as static-based and dynamic-based approaches, struggle to identify newly developed (``zero-day") malware and are limited by customized virtual machine (VM) environments. To overcome these limitations, we propose a novel malware detection approach that leverages deep learning, mathematical techniques, and network science. Our approach focuses on static and dynamic analysis and utilizes the Low-Level Virtual Machine (LLVM) to profile applications within a complex network. The generated network topologies are input into the GraphSAGE architecture to efficiently distinguish between benign and malicious software applications, with the operation names denoted as node features. Importantly, the GraphSAGE models analyze the network's topological geometry to make predictions, enabling them to detect state-of-the-art malware and prevent potential damage during execution in a VM. To evaluate our approach, we conduct a study on a dataset comprising source code from 24,376 applications, specifically written in C/C++, sourced directly from widely-recognized malware and various types of benign software. The results show a high detection performance with an Area Under the Receiver Operating Characteristic Curve (AUROC) of 99.85%. Our approach marks a substantial improvement in malware detection, providing a notably more accurate and efficient solution when compared to current state-of-the-art malware detection methods.

Cryptography and Security,Artificial Intelligence,Machine Learning

Xia Xiao-Ling,Ding Yu-Xin,Jiang Jing-Zhi,Zeng Rong

DOI: https://doi.org/10.1109/ICMLC.2017.8107737

2017-01-01

Abstract:Malware in form of Internet worms, computer viruses, and Trojan horses poses a major threat to the security of networked systems. So how to describe the behavior knowledge of malware is an interesting and meaningful work. In recent years, different ontology technologies have been proposed to represent domain knowledge. In the study, we apply ontology techniques into the field of malware detection, and propose the malware detection method based on ontology. This method is based on the behavior of malicious code, and makes a knowledge representation of the malware behaviors from a variety of perspectives. We use the common behaviors of individuals to represent the behaviors of a malware family, and use the ontology reasoning mechanism to detect unknown malware samples. Experiments show that the method has high malicious code detection rate and low false alarm rate.

Ziming Zhao,Zhaoxuan Li,Tingting Li,Fan Zhang

DOI: https://doi.org/10.1109/tcad.2024.3444712

IF: 2.9

2024-11-09

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. A series of solutions based on system calls, system logs, or hardware performance counters achieve promising results. However, such internal monitors are easily tampered with, especially against adaptive adversaries. In addition, existing system log records typically exhibit substantial volume, resulting in data explosion problems. In this article, we present TPE-Det, a side-channel-based external monitor to cope with these issues. Specifically, TPE-Det leverages the serial peripheral interface bus to extract the on-chip traces and designs a recovery pipeline for operating logs. The advantages of this external monitor are adversary-unperceived and tamper-proof. The restored logs mainly include file operation commands, which are lightweight compared to complete records. Meanwhile, we deploy a series of machine learning models with respect to statistical, sequence, and graph features to identify malware. Empirical evaluation shows that our proposal has tamper-proof capability, high-detection accuracy, and low-time/space overhead compared to state-of-the-art methods.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Fangzhou Xu,Wang Zhang,Weizhong Qiang,Hai Jin

DOI: https://doi.org/10.1051/sands/2023023

2023-01-01

Abstract:Static analysis is often impeded by malware obfuscation techniques, such as encryption and packing, whereas dynamic analysis tends to be more resistant to obfuscation by leveraging concrete execution information. Unfortunately, malware can employ evasive techniques to detect the analysis environment and alter its behavior accordingly. While known evasive techniques can be explicitly dismantled, the challenge lies in generically dismantling evasions without full knowledge of their conditions or implementations, such as logic bombs that rely on uncertain conditions, let alone unsupported evasive techniques, which contain evasions without corresponding dismantling strategies and those leveraging unknown implementations. In this paper, we present Antitoxin, a prototype for automatically exploring evasive malware. Antitoxin utilizes multi-path exploration guided by taint analysis and probability calculations to effectively dismantle evasive techniques. The probabilities of branch execution are derived from dynamic coverage, while taint analysis helps identify paths associated with evasive techniques that rely on uncertain conditions. Subsequently, Antitoxin prioritizes branches with lower execution probabilities and those influenced by taint analysis for multi-path exploration. This is achieved through forced execution, which forcefully sets the outcomes of branches on selected paths. Additionally, Antitoxin employs active anti-evasion countermeasures to dismantle known evasive techniques, thereby reducing exploration overhead. Furthermore, Antitoxin provides valuable insights into sensitive behaviors, facilitating deeper manual analysis. Our experiments on a set of highly evasive samples demonstrate that Antitoxin can effectively dismantle evasive techniques in a generic manner. The probability calculations guide the multi-path exploration of evasions without requiring prior knowledge of their conditions or implementations, enabling the dismantling of unsupported techniques such as C2 and significantly improving efficiency compared to linear exploration when dealing with complex control flows. Additionally, taint analysis can accurately identify branches related to logic bombs, facilitating preferential exploration.

Shuaifu Dai,Yaxin Liu,Tielei Wang,Tao Wei,Wei Zou

DOI: https://doi.org/10.1109/WICOM.2010.5601291

2010-01-01

Abstract:Mobile malware is rapidly developing, but current anti-virus products in mobile devices still use the signature-based solutions, which usually need a large database and cannot detect malware variants. In this paper, we proposed a behavior-based malware detection system for Windows Mobile platform called WMMD (Windows Mobile Malware Detection system). WMMD uses API interception techniques to dynamic analyze application's behavior and compare it with malicious behavior characteristics library using model checking. The experiment results show that WMMD can effectively detect the obfuscated or packed malware variants that cannot be detected by other main stream anti-virus products.