Xusheng Li,Zhisheng Hu,Haizhou Wang,Yiwei Fu,Ping Chen,Minghui Zhu,Peng Liu

DOI: https://doi.org/10.48550/arXiv.1807.11110

2024-02-13

Abstract:Return-oriented programming (ROP) is a code reuse attack that chains short snippets of existing code to perform arbitrary operations on target machines. Existing detection methods against ROP exhibit unsatisfactory detection accuracy and/or have high runtime overhead. In this paper, we present ROPNN, which innovatively combines address space layout guided disassembly and deep neural networks to detect ROP payloads. The disassembler treats application input data as code pointers and aims to find any potential gadget chains, which are then classified by a deep neural network as benign or malicious. Our experiments show that ROPNN has high detection rate (99.3%) and a very low false positive rate (0.01%). ROPNN successfully detects all of the 100 real-world ROP exploits that are collected in-the-wild, created manually or created by ROP exploit generation tools. Additionally, ROPNN detects all 10 ROP exploits that can bypass Bin-CFI. ROPNN is non-intrusive and does not incur any runtime overhead to the protected program.

Cryptography and Security

Zhang Zhenchuan,Yang Yingchun,Wu Zhaohui,Ma Qian

DOI: https://doi.org/10.1049/cje.2018.04.003

IF: 1.019

2018-01-01

Chinese Journal of Electronics

Abstract:Rat cyborg is a rat which can receive cerebral commands and act as human wants. The navigation task is a widely used scenario in which the rat cyborg is required to walk along a specified path according to commands. Mostly the commands are given by human operators, but there's a need for automatic control which is quite challenging since several modules need to be elaborately combined together to work as a whole, among which the monitoring system and the commands model are two major components. Previously, few attempts were made for behavior monitoring of rat cyborg. Existing works often implement an over-simple rat information extractor which is capable of giving only a few parameters of the rat cyborg, which greatly limited the performance of their automatic control accuracy. In response to this requirement, we develop a monitoring system that is capable of giving detailed motion parameters and accurate body postures of the rat cyborg. We explore the possibility of recognizing rat postures using shape information, which is described by the powerful Zernike moments. We propose several simple shape descriptors which are fast to compute and achieve acceptable performance.

Ben Pi,Chun Guo,Yunhe Cui,Guowei Shen,Jialong Yang,Yuan Ping

DOI: https://doi.org/10.1016/j.cose.2023.103628

IF: 5.105

2023-12-02

Computers & Security

Abstract:Remote Access Trojan (RAT) allows the attacker to gain remote control of an infected system and steal data from it. Due to over-reliance on expert experience and statistical features, most feature-based RAT detection methods perform inefficiently and can only achieve high accuracy with network traffic collected over a long period of time. Byte-based RAT detection methods often use sequence truncation to process network traffic and meet the uniform-sized input requirements for convolutional neural networks (CNNs). However, the sequence truncation brings a negative impact on detection accuracy for some information loss. Towards effective and efficient RAT detection, we define the early stage from the damage degree caused on victim hosts and propose a new RAT traffic early detection method based on Markov matrices and deep learning (RATMD). In RATMD, the byte sequences of the TCP payloads collected in the early stage are represented by byte transition probability matrices in a fixed size of 256*256, and the matrices are used to construct a detection model by using a CNN architecture. Experiments are conducted on the network traffic of 58 benign applications and 61 RATs. Employing only the byte sequences derived from the TCP payloads of the TCP service packets in the traffic between establishing the first TCP connection by the application client and the third TCP service packet sent by the application server, RATMD achieves a detection accuracy of 95.5%.

computer science, information systems

Cong Dong,Zhigang Lu,Zelin Cui,Baoxu Liu,Kai Chen

DOI: https://doi.org/10.1109/tifs.2021.3071595

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Network trace signature matching is one reliable approach to detect active Remote Control Trojan, (RAT). Compared to statistical-based detection of malicious network traces in the face of known RATs, the signature-based method can achieve more stable performance and thus more reliability. However, with the development of encrypted technologies and disguise tricks, current methods suffer inaccurate signature descriptions and inflexible matching mechanisms. In this paper, we propose to tackle above problems by presenting MBTree, an approach to detect encryption RATs Command and Control (C&C) communication based on host-level network trace behavior. MBTree first models the RAT network behaviors as the malicious set by automatically building the multiple level tree, MLTree from distinctive network traces of each sample. Then, MBTree employs a detection algorithm to detect malicious network traces that are similar to any MLTrees in the malicious set. To illustrate the effectiveness of our proposed method, we adopt theoretical analysis of MBTree from the probability perspective. In addition, we have implemented MBTree to evaluate it on five datasets which are reorganized in a sophisticated manner for comprehensive assessment. The experimental results demonstrate the accurate and robust of MBTree, especially in the face of new emerging benign applications.

computer science, theory & methods,engineering, electrical & electronic

Md Nahid Hossain,Sadegh M Milajerdi,Junao Wang,Birhanu Eshete,Rigel Gjomemo,R Sekar,Scott Stoller,VN Venkatakrishnan

DOI: https://doi.org/10.48550/arXiv.1801.02062

2018-01-06

Cryptography and Security

Abstract:We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory based, dependency graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by construction of compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.

Ziming Zhao,Zhaoxuan Li,Jiongchi Yu,Fan Zhang,Xiaofei Xie,Haitao Xu,Binbin Chen

DOI: https://doi.org/10.1109/tmc.2023.3311012

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. Existing approaches can be roughly categorized into network-side and host-side. However, existing network-side methods are difficult to capture contextual semantics from cross-source traffic, and previous host-side methods could be adversary-perceived and expose risks for tampering. More importantly, a single perspective cannot comprehensively track the multi-stage lifecycle of IoT malware. In this paper, we present ${\sf CMD}$ , a co-analyzed IoT malware detection and forensics system by combining hardware and network domains. For the network part, ${\sf CMD}$ proposes a tailored capsule neural network to capture the contextual semantics from cross-source traffic. For the hardware part, ${\sf CMD}$ designs an entire file operation recovery process in a side-channel manner by leveraging the Serial Peripheral Interface (SPI) signals from on-chip traces. These traffic provenance and operating logs information could benefit the anti-virus countermeasures for security practitioners. By practical evaluation, we demonstrate that ${\sf CMD}$ realizes outstanding detection effects ( e.g., $\sim$ 99.88% F1-score) compared with seven state-of-the-art methods, and recovers 96.88% $\sim$ 99.75% operation commands even if against adaptive adversaries (that could kill processes or tamper with operation log files). A by-product benefit of such an external monitor is ${\sf CMD}$ introduces zero latency on the IoT device, and incurs negligible IoT CPU utilization. Also, since SPI focuses on file operations, the proposed hardware trace forensics does not have the data explosion problem like previous work, e.g., recovered logs of ${\sf CMD}$ only take up limited extra space overhead ( e.g., $\sim$ 0.2 MB per malware). Furthermore, we provide the model interpretability for the capsule network and develop a case study (Hajime) of the operation logs recovery.

Mark Scanlon

DOI: https://doi.org/10.48550/arXiv.1712.02529

2017-12-07

Cryptography and Security

Abstract:Providing the ability to any law enforcement officer to remotely transfer an image from any suspect computer directly to a forensic laboratory for analysis, can only help to greatly reduce the time wasted by forensic investigators in conducting on-site collection of computer equipment. RAFT (Remote Acquisition Forensic Tool) is a system designed to facilitate forensic investigators by remotely gathering digital evidence. This is achieved through the implementation of a secure, verifiable client/server imaging architecture. The RAFT system is designed to be relatively easy to use, requiring minimal technical knowledge on behalf of the user. One of the key focuses of RAFT is to ensure that the evidence it gathers remotely is court admissible. This is achieved by ensuring that the image taken using RAFT is verified to be identical to the original evidence on a suspect computer.

Sadegh M. Milajerdi,Birhanu Eshete,Rigel Gjomemo,V.N. Venkatakrishnan

DOI: https://doi.org/10.48550/arXiv.1810.05711

2018-10-13

Abstract:Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root- cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.

Cryptography and Security

JI Yu-chen,FU Xiao,SHI Jin,LUO Bin,ZHAO Zhi-hong

DOI: https://doi.org/10.3969/j.issn.1000-3428.2014.01.068

2014-01-01

Abstract:According to characteristics of computer intrusion forensic evidence, such as easy revise, easy loss, numerous sources, multifarious content, this paper discusses the current developing states about intrusion event reconstruction, analyzes intrusion event reconstruction source from the system layer object/event and the operate system layer object/event, and introduces the main intrusion event reconstruction tools. It reviews the existing methods for intrusion event reconstruction, including log analysis based on timestamp, semantic integrity checking, tracking technologies based on operate system layer object, event reconstruction models based on finite state machine and so on, evaluates their performance in terms of several metrics, such as reconstruction efficiency, false positives rate, credibility of evidence, authenticity of evidence, reconstruction environment, and summarizes the pros and cons of each method. Some important future research directions in the field of intrusion event reconstruction of computer intrusion forensic are discussed.

Mohammadhossein Amouei,Mohsen Rezvani,Mansoor Fateh

DOI: https://doi.org/10.1109/TDSC.2021.3095417

2023-12-13

Abstract:Due to the increasing sophistication of web attacks, Web Application Firewalls (WAFs) have to be tested and updated regularly to resist the relentless flow of web attacks. In practice, using a brute-force attack to discover vulnerabilities is infeasible due to the wide variety of attack patterns. Thus, various black-box testing techniques have been proposed in the literature. However, these techniques suffer from low efficiency. This paper presents Reinforcement-Learning-Driven and Adaptive Testing (RAT), an automated black-box testing strategy to discover injection vulnerabilities in WAFs. In particular, we focus on SQL injection and Cross-site Scripting, which have been among the top ten vulnerabilities over the past decade. More specifically, RAT clusters similar attack samples together. It then utilizes a reinforcement learning technique combined with a novel adaptive search algorithm to discover almost all bypassing attack patterns efficiently. We compare RAT with three state-of-the-art methods considering their objectives. The experiments show that RAT performs 33.53% and 63.16% on average better than its counterparts in discovering the most possible bypassing payloads and reducing the number of attempts before finding the first bypassing payload when testing well-configured WAFs, respectively.

Cryptography and Security,Artificial Intelligence,Information Retrieval

Xiaoxiao Liu,Fan Xu,Nan Wang,Qinxin Zhao,Dalin Zhang,Xibin Zhao,Jiqiang Liu

2024-04-04

Abstract:Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques. Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle. Thus, we present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation. LTRDetector employs an innovative graph embedding technique to retain comprehensive contextual information, then derives long-term features from these embedded provenance graphs. During the process, we compress the data of the system provenance graph for effective feature learning. Furthermore, in order to detect attacks conducted by using zero-day exploits, we captured the system's regular behavior and detects abnormal activities without relying on predefined attack signatures. We also conducted extensive evaluations using five prominent datasets, the efficacy evaluation of which underscores the superiority of LTRDetector compared to existing state-of-the-art techniques.

Cryptography and Security

Jian Wang,Lingzhi Wang,Husheng Yu,Xiangmin Shen,Yan Chen

2024-01-01

Abstract:The escalating sophistication of cyber-attacks and the widespread utilization of stealth tactics have led to significant security threats globally. Nevertheless, the existing static detection methods exhibit limited coverage, and traditional dynamic monitoring approaches encounter challenges in bypassing evasion techniques. Thus, it has become imperative to implement nuanced and dynamic analysis to achieve precise behavior detection in real time. There are two pressing concerns associated with current dynamic malware behavior detection solutions. Firstly, the collection and processing of data entail a significant amount of overhead, making it challenging to be employed for real-time detection on the end host. Secondly, these approaches tend to treat malware as a singular entity, thereby overlooking varied behaviors within one instance. To fill these gaps, we propose PARIS, an adaptive trace fetching, lightweight, real-time malicious behavior detection system. Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks, significantly reducing the data collection overhead. As a result, we can monitor a wider range of APIs and detect more intricate attack behavior. We implemented a prototype of PARIS and evaluated the system overhead, the accuracy of comparative behavior recognition, and the impact of different models and parameters. The result demonstrates that PARIS can reduce over 98.8 compared to the raw ETW trace and hence decreases the overhead on the host in terms of memory, bandwidth, and CPU usage with a similar detection accuracy to the baselines that suffer from the high overhead. Furthermore, a breakdown evaluation shows that 80 reduction in CPU usage can be attributed to our adaptive trace-fetching collector.

Jaehyeok Han,Jungheum Park,Hyunji Chung,Sangjin Lee

DOI: https://doi.org/10.48550/arXiv.2002.12506

2020-02-28

Abstract:Telemetry is the automated sensing and collection of data from a remote device. It is often used to provide better services for users. Microsoft uses telemetry to periodically collect information about Windows systems and to help improve user experience and fix potential issues. Windows telemetry service functions by creating RBS files on the local system to reliably transfer and manage the telemetry data, and these files can provide useful information in a digital forensic investigation. Combined with the information derived from traditional Windows forensics, investigators can have greater confidence in the evidence derived from various artifacts. It is possible to acquire information that can be confirmed only for live systems, such as the computer hardware serial number, the connection records for external storage devices, and traces of executed processes. This information is included in the RBS files that are created for use in Windows telemetry. In this paper, we introduced how to acquire RBS files telemetry and analyzed the data structure of these RBS files, which are able to determine the types of information that Windows OS have been collected. We also discussed the reliability and the novelty by comparing the conventional artifacts with the RBS files, which could be useful in digital forensic investigation.

Cryptography and Security

Peng Gao,Fei Shao,Xiaoyuan Liu,Xusheng Xiao,Haoyuan Liu,Zheng Qin,Fengyuan Xu,Prateek Mittal,Sanjeev R. Kulkarni,Dawn Song

DOI: https://doi.org/10.1109/icde51399.2021.00309

2021-04-01

Abstract:Log-based cyber threat hunting has emerged as an important solution to counter sophisticated cyber attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external knowledge about threat behaviors provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. Built upon mature system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors, and (4) an efficient query execution engine to search the big system audit logging data.

Zhang Xu,Zhenyu Wu,Zhichun Li,Kangkook Jee,Junghwan Rhee,Xusheng Xiao,Fengyuan Xu,Haining Wang,Guofei Jiang

DOI: https://doi.org/10.1145/2976749.2978378

2016-01-01

Abstract:Intrusive multi-step attacks, such as Advanced Persistent Threat (APT) attacks, have plagued enterprises with significant financial losses and are the top reason for enterprises to increase their security budgets. Since these attacks are sophisticated and stealthy, they can remain undetected for years if individual steps are buried in background "noise." Thus, enterprises are seeking solutions to "connect the suspicious dots" across multiple activities. This requires ubiquitous system auditing for long periods of time, which in turn causes overwhelmingly large amount of system audit events. Given a limited system budget, how to efficiently handle ever-increasing system audit logs is a great challenge. This paper proposes a new approach that exploits the dependency among system events to reduce the number of log entries while still supporting high-quality forensic analysis. In particular, we first propose an aggregation algorithm that preserves the dependency of events during data reduction to ensure the high quality of forensic analysis. Then we propose an aggressive reduction algorithm and exploit domain knowledge for further data reduction. To validate the efficacy of our proposed approach, we conduct a comprehensive evaluation on real-world auditing systems using log traces of more than one month. Our evaluation results demonstrate that our approach can significantly reduce the size of system logs and improve the efficiency of forensic analysis without losing accuracy.

Tab Zhang,Claire Taylor,Bart Coppens,Waleed Mebane,Christian Collberg,Bjorn De Sutter

2024-06-07

Abstract:This paper introduces reAnalyst, a scalable analysis framework designed to facilitate the study of reverse engineering (RE) practices through the semi-automated annotation of RE activities across various RE tools. By integrating tool-agnostic data collection of screenshots, keystrokes, active processes, and other types of data during RE experiments with semi-automated data analysis and annotation, reAnalyst aims to overcome the limitations of traditional RE studies that rely heavily on manual data collection and subjective analysis. The framework enables more efficient data analysis, allowing researchers to explore the effectiveness of protection techniques and strategies used by reverse engineers more comprehensively and efficiently. Experimental evaluations validate the framework's capability to identify RE activities from a diverse range of screenshots with varied complexities, thereby simplifying the analysis process and supporting more effective research outcomes.

Software Engineering

Xinyu Yang,Haoyuan Liu,Ziyu Wang,Peng Gao

DOI: https://doi.org/10.48550/arXiv.2211.05403

2022-11-10

Cryptography and Security

Abstract:System auditing has emerged as a key approach for monitoring system call events and investigating sophisticated attacks. Based on the collected audit logs, research has proposed to search for attack patterns or track the causal dependencies of system events to reveal the attack sequence. However, existing approaches either cannot reveal long-range attack sequences or suffer from the dependency explosion problem due to a lack of focus on attack-relevant parts, and thus are insufficient for investigating complex attacks. To bridge the gap, we propose Zebra, a system that synergistically integrates attack pattern search and causal dependency tracking for efficient attack investigation. With Zebra, security analysts can alternate between search and tracking to reveal the entire attack sequence in a progressive, user-guided manner, while mitigating the dependency explosion problem by prioritizing the attack-relevant parts. To enable this, Zebra provides (1) an expressive and concise domain-specific language, Tstl, for performing various types of search and tracking analyses, and (2) an optimized language execution engine for efficient execution over a big amount of auditing data. Evaluations on a broad set of attack cases demonstrate the effectiveness of Zebra in facilitating a timely attack investigation.

Zhongyu Pei,Xingman Chen,Songtao Yang,Haixin Duan,Chao Zhang

DOI: https://doi.org/10.1109/tdsc.2022.3191693

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Acquiring and analyzing exploits, which take advantage of vulnerabilities to conduct malicious actions, are crucial for victims (and defenders) when responding to system compromising incidents. However, exploits are sensitive and valuable assets that are not available to victims. The most common resource available for victims to investigate is network traffic, which covers the exploitation period. Thus reconstructing exploits from network traffic is demanded. In practice, the reconstruction process is performed manually, thus inefficient and non-scalable. In this article, we present an automated solution TAICHI to reconstruct exploits from network traffic, able to generate replica exploits and facilitate timely incident analysis. By nature, a working exploit has to satisfy (1) path constraints which ensure the program path same as the original exploit's is explored and the same vulnerability is triggered, and (2) exploit constraints which ensure the same exploitation strategy is applied, e.g., to bypass deployed defenses or to stitch multiple gadgets together. We propose a hybrid solution to this problem by integrating techniques including multi-version execution (MVE), dynamic taint analysis (DTA), and concolic execution. We have implemented a prototype of TAICHI on x86 and x86-64 Linux and tested it on the Cyber Grand Challenge (CGC) dataset, several Capture the Flag (CTF) challenges, and Metasploit exploit modules targeting real world applications. The evaluation results showed that TAICHI could reconstruct exploits efficiently with a high success rate. Moreover, it could be applied to production environments without disrupting running services, and could reconstruct exploits even if only one round of exploitation traffic is available.

Lei Wu,Siwei Wu,Yajin Zhou,Runhuai Li,Zhi Wang,Xiapu Luo,Cong Wang,Kui Ren

2020-01-01

Abstract:As one of the representative blockchain platforms, Ethereum has attractedlots of attacks. Due to the existed financial loss, there is a pressing need toperform timely investigation and detect more attack instances. Though multiplesystems have been proposed, they suffer from the scalability issue due to thefollowing reasons. First, the tight coupling between malicious contractdetection and blockchain data importing makes them infeasible to repeatedlydetect different attacks. Second, the coarse-grained archive data makes theminefficient to replay transactions. Third, the separation between maliciouscontract detection and runtime state recovery consumes lots of storage. In this paper, we present the design of a scalable attack detection frameworkon Ethereum. It overcomes the scalability issue by saving the Ethereum stateinto a database and providing an efficient way to locate suspicioustransactions. The saved state is fine-grained to support the replay ofarbitrary transactions. The state is well-designed to avoid saving unnecessarystate to optimize the storage consumption. We implement a prototype namedEthScope and solve three technical challenges, i.e., incomplete Ethereum state,scalability, and extensibility. The performance evaluation shows that oursystem can solve the scalability issue, i.e., efficiently performing alarge-scale analysis on billions of transactions, and a speedup of around2,300x when replaying transactions. It also has lower storage consumptioncompared with existing systems. The result with three different types ofinformation as inputs shows that our system can help an analyst understandattack behaviors and further detect more attacks. To engage the community, wewill release our system and the dataset of detected attacks.

Peng Gao,Fei Shao,Xiaoyuan Liu,Xusheng Xiao,Zheng Qin,Fengyuan Xu,Prateek Mittal,Sanjeev R. Kulkarni,Dawn Song

DOI: https://doi.org/10.1109/icde51399.2021.00024

2020-01-01

Abstract:Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.