
Publication


Featured research published by Aziz Mohaisen.


International Journal of Distributed Sensor Networks | 2015

Detecting and classifying android malware using static analysis along with creator information

Hyunjae Kang; Jae Wook Jang; Aziz Mohaisen; Huy Kang Kim

Thousands of malicious applications targeting mobile devices, including the popular Android platform, are created every day. A large number of those applications are created by a small number of professional underground actors; however, previous studies overlooked such information as a feature in detecting and classifying malware and in attributing malware to creators. Guided by this insight, we propose a method to improve the performance of Android malware detection by incorporating the creator's information as a feature and to classify malicious applications into similar groups. We developed a system that implements this method in practice. Our system enables fast detection of malware by using creator information such as the serial number of the signing certificate. Additionally, it analyzes malicious behaviors and permissions to increase detection accuracy. The system can also classify malware based on similarity scoring. Finally, we showed detection and classification performance with 98% and 90% accuracy, respectively.


International World Wide Web Conference | 2014

Kindred domains: detecting and clustering botnet domains using DNS traffic

Matthew Thomas; Aziz Mohaisen

In this paper we focus on detecting and clustering distinct groupings of domain names that are queried by numerous sets of infected machines. We propose to analyze domain name system (DNS) traffic, such as Non-Existent Domain (NXDomain) queries, at several premier Top Level Domain (TLD) authoritative name servers to identify strongly connected cliques of malware related domains. We illustrate typical malware DNS lookup patterns when observed on a global scale and utilize this insight to engineer a system capable of detecting and accurately clustering malware domains to a particular variant or malware family without the need for obtaining a malware sample. Finally, the experimental results of our system will provide a unique perspective on the current state of globally distributed malware, particularly the ones that use DNS.


International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment | 2014

AV-Meter: An Evaluation of Antivirus Scans and Labels

Aziz Mohaisen; Omar Alrawi

Antivirus scanners are designed to detect malware and, to a lesser extent, to label detections based on a family association. The labeling provided by AV vendors has many applications such as guiding efforts of disinfection and countermeasures, intelligence gathering, and attack attribution, among others. Furthermore, researchers rely on AV labels to establish a baseline of ground truth to compare their detection and classification algorithms. This is done despite many papers pointing out the subtle problem of relying on AV labels. However, the literature lacks any systematic study on validating the performance of antivirus scanners, and the reliability of those labels or detection.


Computer and Communications Security | 2015

Measuring Botnets in the Wild: Some New Trends

Wentao Chang; Aziz Mohaisen; An Wang; Songqing Chen

Today, botnets are still responsible for most large-scale attacks on the Internet. Botnets are versatile: they remain the most powerful attack platform by constantly and continuously adopting new techniques and strategies in the arms race against various detection schemes. Thus, it is essential to understand the latest botnet behavior in a timely manner so that the insights can be utilized in developing more efficient defenses. In this work, we conduct a measurement study on some of the most active botnets on the Internet based on a public dataset collected over a period of seven months by a monitoring entity. We first examine and compare the attacking capabilities of different families of today's active botnets. Our analysis clearly shows that different botnets start to collaborate when launching DDoS attacks.


Dependable Systems and Networks | 2015

Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis

An Wang; Aziz Mohaisen; Wentao Chang; Songqing Chen

Internet Distributed Denial of Service (DDoS) attacks are prevalent but hard to defend against, partially due to the volatility of the attacking methods and patterns used by attackers. Understanding the latest DDoS attacks can provide new insights for effective defense. But most existing understanding is based on indirect traffic measures (e.g., backscatter) or traffic seen locally. In this study, we present an in-depth analysis based on 50,704 different Internet DDoS attacks directly observed in a seven-month period. These attacks were launched by 674 botnets from 23 different botnet families with a total of 9,026 victim IPs belonging to 1,074 organizations in 186 countries. Our analysis reveals several interesting findings about today's Internet DDoS attacks. Some highlights include: (1) geolocation analysis shows that the geospatial distribution of the attacking sources follows certain patterns, which enables very accurate source prediction of future attacks for most active botnet families, (2) from the target perspective, multiple attacks to the same target also exhibit strong patterns of inter-attack time interval, allowing accurate start time prediction of the next anticipated attacks from certain botnet families, (3) there is a trend for different botnets to launch DDoS attacks targeting the same victim, simultaneously or in turn. These findings add to the existing literature on the understanding of today's Internet DDoS attacks, and offer new insights for designing new defense schemes at different levels.


IEEE Transactions on Dependable and Secure Computing | 2015

Timing Attacks on Access Privacy in Information Centric Networks and Countermeasures

Aziz Mohaisen; Hesham Mekky; Xinwen Zhang; Haiyong Xie; Yongdae Kim

In recently proposed information centric networks (ICN), a user issues "interest" packets to retrieve contents from the network by name. Once fetched from origin servers, "data" packets are replicated and cached in all routers along the routing and forwarding paths, thus allowing further interests from other users to be fulfilled quickly. However, the way ICN caching and interest fulfillment work poses a great privacy risk: the time difference between responses for an interest in cached and uncached content can be used as an indicator to infer whether or not a nearby user has previously requested the same content as that requested by an adversary. This work characterizes the extent to which the problem is applicable in ICN and provides several solutions that try to strike a balance between cost and benefits, and raise the bar for an adversary to mount such an attack.


Communications and Networking Symposium | 2014

Chatter: Classifying malware families using system event ordering

Aziz Mohaisen; Andrew G. West; Allison Mankin; Omar Alrawi

Using runtime execution artifacts to identify malware and its associated "family" is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics this analysis produces are often circumvented by subsequent malware authors. To this end, we propose CHATTER, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst-labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form only network events are considered and three malware families are highlighted. We show the technique achieves roughly 80% accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of non-ordered features (with an accuracy of roughly 95%).


Computers & Security | 2016

Andro-Dumpsys

Jae Wook Jang; Hyunjae Kang; Jiyoung Woo; Aziz Mohaisen; Huy Kang Kim

Highlights: Our system (Andro-Dumpsys) leverages volatile memory acquisition. Andro-Dumpsys leverages malware creator information and malware information. Andro-Dumpsys is an anti-malware system based on similarity matching of footprints. Andro-Dumpsys is capable of detecting zero-day threats.

With the fast growth in mobile technologies and the accompanying rise of the integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods are developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding to zero-day threats.


IEEE Transactions on Information Forensics and Security | 2017

Crime Scene Reconstruction: Online Gold Farming Network Analysis

Hyukmin Kwon; Aziz Mohaisen; Jiyoung Woo; Yongdae Kim; Eunjo Lee; Huy Kang Kim

Many online games have their own ecosystems, where players can purchase in-game assets using game money. Players can obtain game money through active participation or “real money trading” through official channels: converting real money into game money. The unofficial market for real money trading gave rise to gold farming groups (GFGs), a phenomenon with serious impact in the cyber and real worlds. GFGs in massively multiplayer online role-playing games (MMORPGs) are some of the most interesting underground cyber economies because of the massive nature of the game. To detect GFGs, there have been various studies using behavioral traits. However, they can only detect gold farmers, not entire GFGs with internal hierarchies. Even worse, GFGs continuously develop techniques to hide, such as forming front organizations, concealing cyber-money, and changing trade patterns when online game service providers ban GFGs. In this paper, we analyze the characteristics of the ecosystem of a large-scale MMORPG, and devise a method for detecting GFGs. We build a graph that characterizes virtual economy transactions, and trace abnormal trades and activities. We derive features from the trading graph and physical networks used by GFGs to identify them in their entirety. Using their structure, we provide recommendations to defend effectively against GFGs while not affecting the existing virtual ecosystem.


International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment | 2014

Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware

Andrew G. West; Aziz Mohaisen

Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency.

Collaboration


Aziz Mohaisen's top co-authors.

Top Co-Authors

Kui Ren, University at Buffalo

An Wang, George Mason University

Laurent Njilla, Air Force Research Laboratory

Wentao Chang, George Mason University