Alexandre Dulaunoy
Publications
Featured research published by Alexandre Dulaunoy.
Journal in Computer Virology | 2008
Gérard Wagener; Radu State; Alexandre Dulaunoy
Several malware analysis techniques assume that the disassembled code of a piece of malware is available, which is not always the case. This paper proposes a flexible and automated approach to extract malware behaviour by observing all the system function calls performed in a virtualized execution environment. Similarities and distances between malware behaviours are computed, which allows malware behaviours to be classified. The main feature of our approach is the coupling of a sequence alignment method, used to compute similarities, with the Hellinger distance, used to compute the associated distances. We also show how the accuracy of the classification process can be improved using a phylogenetic tree. Such a tree shows common functionalities and the evolution of malware. This is relevant when dealing with obfuscated malware variants, which often have similar behaviour. The phylogenetic trees were assessed against known antivirus results, and only a few malware behaviours were wrongly classified.
Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security | 2016
Cynthia Wagner; Alexandre Dulaunoy; Gerard Wagener; Andras Iklody
The IT community is confronted with incidents of all kinds and natures, and new threats appear on a daily basis. Fighting these security incidents individually is almost impossible. Sharing information about threats within the community has become a key element of incident response in order to stay ahead of attackers. Reliable information resources that provide credible information are therefore essential to the IT community and, at a broader scale, to intelligence communities or fraud detection groups. This paper presents the Malware Information Sharing Platform (MISP) and threat sharing project, a trusted platform that allows the collection and sharing of important indicators of compromise (IoC) of targeted attacks, as well as threat information such as vulnerabilities or financial indicators used in fraud cases. The aim of MISP is to help in setting up preventive actions and counter-measures against targeted attacks, and to enable detection through collaborative knowledge sharing about existing malware and other threats.
International Conference on Future Generation Communication and Networking | 2008
Gerard Wagener; Alexandre Dulaunoy; Thomas Engel
Today, honeypot operators rely strongly on network analysis tools to examine network traces collected in their honeynet environments. The accuracy of such analysis depends on the ability of the tools to properly reassemble streams, especially TCP sessions. The quality of network forensic analysis is tied to those tools, so we evaluated widely used network analysis tools. We pinpoint TCP reassembly errors and their causes, and propose algorithms and analytical techniques to measure them in order to improve network forensic analysis.
Network Operations and Management Symposium | 2012
Samuel Marchal; Jérôme François; Cynthia Wagner; Radu State; Alexandre Dulaunoy; Thomas Engel; Olivier Festor
We present a monitoring approach and the supporting software architecture for passive DNS traffic. Monitoring DNS traffic can reveal essential network- and system-level activity profiles. Worm-infected and botnet-participating hosts can be identified, and malicious backdoor communications can be detected. Any passive DNS monitoring solution needs to address several challenges, ranging from architectural approaches for dealing with large volumes of data to specific data mining approaches for this purpose. We describe a framework that leverages state-of-the-art distributed processing facilities together with clustering techniques in order to detect anomalies in both online and offline DNS traffic. This framework, entitled DNSSM, is implemented and operational on several networks. We validate the framework against two large trace sets.
Network Operations and Management Symposium | 2012
Cynthia Wagner; Jérôme François; Radu State; Thomas Engel; Gerard Wagener; Alexandre Dulaunoy
The structure of domain names is highly relevant for providing insights into the management, organization and operation of a given enterprise. Security assessments and network penetration tests use information sourced from the DNS service in order to map the network, perform reconnaissance tasks, identify services and target individual hosts. Tracking the domain names used by popular botnets is another major application that needs to uncover their underlying DNS structure. Current approaches for this purpose are limited to simplistic brute force scanning or reverse DNS, but these are unreliable. Brute force approaches depend on a huge list of known words and thus will not work against unknown names, while reverse DNS is not always set up or properly configured. In this paper, we address the issue of fast and efficient generation of DNS names and describe practical experiences against real-world, large-scale DNS names. Our approach is based on techniques derived from natural language modeling and leverages Markov chain models in order to build the first DNS scanner (SDBF) that leverages both training and advanced language modeling approaches.
Integrated Network Management | 2011
Gerard Wagener; Radu State; Thomas Engel; Alexandre Dulaunoy
Honeypot evangelists propagate the message that honeypots are particularly useful for learning from attackers. However, looking at current honeypots, most of them are statically configured and managed, which requires a priori knowledge about attackers. In this paper we propose a high-interaction honeypot capable of learning from attackers and of dynamically changing its behavior using a variant of reinforcement learning. It can strategically block the execution of programs, lure the attacker by substituting programs, and insult attackers with the intent of revealing the attackers' nature and ethnic background. We also investigated the possibility that attackers could learn to defeat the honeypot, and discovered that attacker and honeypot interests sometimes diverge.
Signal-Image Technology and Internet-Based Systems | 2008
Gerard Wagener; Alexandre Dulaunoy; Thomas Engel
Reverse engineering is often the last resort for analyzing unknown or closed-source software. Such an investigation is motivated by a risk evaluation of closed-source programs, or by evaluating the consequences of and countermeasures against infections by malicious programs, which are often closed source. This article presents a success story in which we used and modified free software serving as an environment for analyzing unknown software. We explain how a malware sandbox can be constructed based on free software. Moreover, we describe how we modified free software to improve malware analysis with additional features or extensions. Free software helped us to increase the accuracy of our analysis of malware and unknown software.
Concurrency and Computation: Practice and Experience | 2012
Cynthia Wagner; Gerard Wagener; Radu State; Alexandre Dulaunoy; Thomas Engel
Attacking anonymous communication networks is very tempting, and many types of attacks have already been observed. In this article, the case of Tor, a widely used anonymous overlay network, is considered. Despite the deployment of several protection mechanisms, an attack originating from just one rogue exit node is proposed. The attack is composed of two elements. The first is an active tag injection scheme: the malicious exit node injects image tags into all HTTP replies, which will be cached for upcoming requests and allow different users to be distinguished. The second element is an inference attack that leverages a semi-supervised learning algorithm to reconstruct browsing sessions. Captured traffic flows are clustered into sessions, such that one session is most probably associated with a specific user. The clustering algorithm uses HTTP headers and logical dependencies encountered in a browsing session. A prototype has been implemented and its performance evaluated on the Tor network. The article also describes several countermeasures and advanced attacks, modeled in a game-theoretical framework, and assesses their effectiveness with reference to the Nash equilibrium.
Journal of Computer Virology and Hacking Techniques | 2011
Gerard Wagener; Radu State; Alexandre Dulaunoy; Thomas Engel
In this article we describe a new paradigm for adaptive honeypots that are capable of learning from their interaction with attackers. The main objective of such honeypots is to get as much information as possible about the profile of an intruder, while decoying their true nature and goals. We have leveraged machine learning techniques for this task and have developed a honeypot that uses a variant of reinforcement learning in order to learn the best behavior when facing attackers. The honeypot is capable of adopting behavioral strategies that vary from blocking commands and returning erroneous messages right up to insults that aim to irritate the intruder and serve as a reverse Turing test. Our preliminary experimental results show that behavioral strategies depend on contextual parameters and can serve as advanced building blocks for intelligent honeypots.
Integrated Network Management | 2013
Cynthia Wagner; Jérôme François; Radu State; Alexandre Dulaunoy; Thomas Engel; Gilles Massen