Modeling malware propagation in smartphone social networks

Smartphones have become an integral part of our everyday lives, such as online information accessing, SMS/MMS, social networking, online banking, and other applications. The pervasive usage of smartphones also results them in enticing targets of hackers and malware writers. This is a desperate threat to legitimate users and poses considerable challenges to network security community. In this paper, we model smartphone malware propagation through combining mathematical epidemics and social relationship graph of smartphones. Moreover, we design a strategy to simulate the dynamic of SMS/MMS-based worm propagation process from one node to an entire network. The strategy integrates infection factor that evaluates the propagation degree of infected nodes, and resistance factor that offers resistance evaluation towards susceptible nodes. Extensive simulations have demonstrated that the proposed malware propagation model is effective and efficient.

Using response action with Intelligent Intrusion detection and prevention System against web application malware

Findings: After evaluating the new system, a better result was generated in line with detection efficiency and the false alarm rate. This demonstrates the value of direct response action in an intrusion detection system.

Control flow-based malware variant detection

Static detection of malware variants plays an important role in system security and control flow has been shown as an effective characteristic that represents polymorphic malware. In our research, we propose a similarity search of malware to detect these variants using novel distance metrics. We describe a malware signature by the set of control flowgraphs the malware contains. We use a distance metric based on the distance between feature vectors of string-based signatures. The feature vector is a decomposition of the set of graphs into either fixed size k-subgraphs, or q-gram strings of the high-level source after decompilation. We use this distance metric to perform pre-filtering. We also propose a more effective but less computationally efficient distance metric based on the minimum matching distance. The minimum matching distance uses the string edit distances between programs' decompiled flowgraphs, and the linear sum assignment problem to construct a minimum sum weight matching between two sets of graphs. We implement the distance metrics in a complete malware variant detection system. The evaluation shows that our approach is highly effective in terms of a limited false positive rate and our system detects more malware variants when compared to the detection rates of other algorithms. © 2013 IEEE.

Android malware detection with contrasting permission patterns

As the risk of malware is sharply increasing in Android platform, Android malware detection has become an important research topic. Existing works have demonstrated that required permissions of Android applications are valuable for malware analysis, but how to exploit those permission patterns for malware detection remains an open issue. In this paper, we introduce the contrasting permission patterns to characterize the essential differences between malwares and clean applications from the permission aspect. Then a framework based on contrasting permission patterns is presented for Android malware detection. According to the proposed framework, an ensemble classifier, Enclamald, is further developed to detect whether an application is potentially malicious. Every contrasting permission pattern is acting as a weak classifier in Enclamald, and the weighted predictions of involved weak classifiers are aggregated to the final result. Experiments on real-world applications validate that the proposed Enclamald classifier outperforms commonly used classifiers for Android Malware Detection.

Modeling and analysis on the propagation dynamics of modern email malware

Due to the critical security threats imposed by email-based malware in recent years, modeling the propagation dynamics of email malware becomes a fundamental technique for predicting its potential damages and developing effective countermeasures. Compared to earlier versions of email malware, modern email malware exhibits two new features, reinfection and self-start. Reinfection refers to the malware behavior that modern email malware sends out malware copies whenever any healthy or infected recipients open the malicious attachment. Self-start refers to the behavior that malware starts to spread whenever compromised computers restart or certain files are visited. In the literature, several models are proposed for email malware propagation, but they did not take into account the above two features and cannot accurately model the propagation dynamics of modern email malware. To address this problem, we derive a novel difference equation based analytical model by introducing a new concept of virtual infected user. The proposed model can precisely present the repetitious spreading process caused by reinfection and self-start and effectively overcome the associated computational challenges. We perform comprehensive empirical and theoretical study to validate the proposed analytical model. The results show our model greatly outperforms previous models in terms of estimation accuracy. © 2013 IEEE.

Smartphone malware and its propagation modeling : A survey

Smartphones are pervasively used in society, and have been both the target and victim of malware writers. Motivated by the significant threat that presents to legitimate users, we survey the current smartphone malware status and their propagation models. The content of this paper is presented in two parts. In the first part, we review the short history of mobile malware evolution since 2004, and then list the classes of mobile malware and their infection vectors. At the end of the first part, we enumerate the possible damage caused by smartphone malware. In the second part, we focus on smartphone malware propagation modeling. In order to understand the propagation behavior of smartphone malware, we recall generic epidemic models as a foundation for further exploration. We then extensively survey the smartphone malware propagation models. At the end of this paper, we highlight issues of the current smartphone malware propagation models and discuss possible future trends based on our understanding of this topic. © © 2014 IEEE.

Malware propagation in large-scale networks

Malware is pervasive in networks, and poses a critical threat to network security. However, we have very limited understanding of malware behavior in networks to date. In this paper, we investigate how malware propagates in networks from a global perspective. We formulate the problem, and establish a rigorous two layer epidemic model for malware propagation from network to network. Based on the proposed model, our analysis indicates that the distribution of a given malware follows exponential distribution, power law distribution with a short exponential tail, and power law distribution at its early, late and final stages, respectively. Extensive experiments have been performed through two real-world global scale malware data sets, and the results confirm our theoretical findings.

Malware distributed collection and pre-classification system using honeypot technology

Malware has become a major threat in the last years due to the ease of spread through the Internet. Malware detection has become difficult with the use of compression, polymorphic methods and techniques to detect and disable security software. Those and other obfuscation techniques pose a problem for detection and classification schemes that analyze malware behavior. In this paper we propose a distributed architecture to improve malware collection using different honeypot technologies to increase the variety of malware collected. We also present a daemon tool developed to grab malware distributed through spam and a pre-classification technique that uses antivirus technology to separate malware in generic classes. © 2009 SPIE.

A malware detection system inspired on the human immune system

Malicious programs (malware) can cause severe damage on computer systems and data. The mechanism that the human immune system uses to detect and protect from organisms that threaten the human body is efficient and can be adapted to detect malware attacks. In this paper we propose a system to perform malware distributed collection, analysis and detection, this last inspired by the human immune system. After collecting malware samples from Internet, they are dynamically analyzed so as to provide execution traces at the operating system level and network flows that are used to create a behavioral model and to generate a detection signature. Those signatures serve as input to a malware detector, acting as the antibodies in the antigen detection process. This allows us to understand the malware attack and aids in the infection removal procedures. © 2012 Springer-Verlag.

Cryptolocker, trick or threat: phishing e malware alla ricerca dell'anello debole

Il Cryptolocker è un malware diffuso su scala globale appartenente alla categoria ransomware. La mia analisi consiste nel ripercorrere le origini dei software maligni alla ricerca di rappresentanti del genere con caratteristiche simili al virus che senza tregua persevera a partire dal 2013: il Cryptolocker. Per imparare di più sul comportamento di questa minaccia vengono esposte delle analisi del malware, quella statica e quella dinamica, eseguite sul Cryptolocker (2013), CryptoWall (2014) e TeslaCrypt (2015). In breve viene descritta la parte operativa per la concezione e la configurazione di un laboratorio virtuale per la successiva raccolta di tracce lasciate dal malware sul sistema e in rete. In seguito all’analisi pratica e alla concentrazione sui punti deboli di queste minacce, oltre che sugli aspetti tecnici alla base del funzionamento dei crypto, vengono presi in considerazione gli aspetti sociali e psicologici che caratterizzano un complesso background da cui il virus prolifica. Vengono confrontate fonti autorevoli e testimonianze per chiarire i dubbi rimasti dopo i test. Saranno questi ultimi a confermare la veridicità dei dati emersi dai miei esperimenti, ma anche a formare un quadro più completo sottolineando quanto la morfologia del malware sia in simbiosi con la tipologia di utente che va a colpire. Capito il funzionamento generale del crypto sono proprio le sue funzionalità e le sue particolarità a permettermi di stilare, anche con l’aiuto di fonti esterne al mio operato, una lista esauriente di mezzi e comportamenti difensivi per contrastarlo ed attenuare il rischio d’infezione. Vengono citati anche le possibili procedure di recupero per i dati compromessi, per i casi “fortunati”, in quanto il recupero non è sempre materialmente possibile. La mia relazione si conclude con una considerazione da parte mia inaspettata: il potenziale dei crypto, in tutte le loro forme, risiede per la maggior parte nel social engineering, senza il quale (se non per certe categorie del ransomware) l’infezione avrebbe percentuali di fallimento decisamente più elevate.

Análisis de características estáticas de ficheros ejecutables para la clasificación de Malware

El Malware es una grave amenaza para la seguridad de los sistemas. Con el uso generalizado de la World Wide Web, ha habido un enorme aumento en los ataques de virus, haciendo que la seguridad informática sea esencial para todas las computadoras y se expandan las áreas de investigación sobre los nuevos incidentes que se generan, siendo una de éstas la clasificación del malware. Los “desarrolladores de malware” utilizan nuevas técnicas para generar malware polimórfico reutilizando los malware existentes, por lo cual es necesario agruparlos en familias para estudiar sus características y poder detectar nuevas variantes de los mismos. Este trabajo, además de presentar un detallado estado de la cuestión de la clasificación del malware de ficheros ejecutables PE, presenta un enfoque en el que se mejora el índice de la clasificación de la base de datos de Malware MALICIA utilizando las características estáticas de ficheros ejecutables Imphash y Pehash, utilizando dichas características se realiza un clustering con el algoritmo clustering agresivo el cual se cambia con la clasificación actual mediante el algoritmo de majority voting y la característica icon_label, obteniendo un Precision de 99,15% y un Recall de 99,32% mejorando la clasificación de MALICIA con un F-measure de 99,23%.---ABSTRACT---Malware is a serious threat to the security of systems. With the widespread use of the World Wide Web, there has been a huge increase in virus attacks, making the computer security essential for all computers. Near areas of research have append in this area including classifying malware into families, Malware developers use polymorphism to generate new variants of existing malware. Thus it is crucial to group variants of the same family, to study their characteristics and to detect new variants. This work, in addition to presenting a detailed analysis of the problem of classifying malware PE executable files, presents an approach in which the classification in the Malware database MALICIA is improved by using static characteristics of executable files, namely Imphash and Pehash. Both features are evaluated through clustering real malware with family labels with aggressive clustering algorithm and combining this with the current classification by Majority voting algorithm, obtaining a Precision of 99.15% and a Recall of 99.32%, improving the classification of MALICIA with an F-measure of 99,23%.

Técnicas criptográficas utilizadas en "MALWARE"

La finalidad de este trabajo es estudiar los tipos de malware existentes así como las técnicas criptográficas utilizadas en ellos para ocultar y ofuscar sus actividades, con el fin de impedir su análisis a las empresas de seguridad. En este trabajo se propone un criptosistema conveniente que, además de en malware, pueda ser empleado en otros ámbitos. El análisis comienza proponiendo una breve definición del término Criptografía y explicando mediante ejemplos los distintos tipos de sistemas criptográficos y algunos posibles usos. A continuación se lleva a cabo un estudio de los distintos tipos de malware existentes, dando una visión histórica de los tipos de Criptografía utilizados hasta el momento en cada caso. El estudio profundiza en las técnicas criptográficas utilizadas actualmente y su seguridad criptográfica. Además, se realiza una propuesta de posibles soluciones criptográficas, analizando la seguridad computacional resultante de aplicar dichas soluciones y calculando la carga computacional adicional precisa. Finalmente se ofrecen una serie de conclusiones y unas líneas de desarrollo futuras.