Publication


Featured research published by Felix Brezo.


Information Sciences | 2013

Opcode sequences as representation of executables for data-mining-based unknown malware detection

Igor Santos; Felix Brezo; Xabier Ugarte-Pedrero; Pablo García Bringas

Malware can be defined as any type of malicious code that has the potential to harm a computer or network. The volume of malware is growing faster every year and poses a serious global security threat. Consequently, malware detection has become a critical topic in computer security. Currently, signature-based detection is the most widespread method used in commercial antivirus. In spite of the broad use of this method, it can detect malware only after the malicious executable has already caused damage and provided the malware is adequately documented. Therefore, the signature-based method consistently fails to detect new malware. In this paper, we propose a new method to detect unknown malware families. This model is based on the frequency of the appearance of opcode sequences. Furthermore, we describe a technique to mine the relevance of each opcode and assess the frequency of each opcode sequence. In addition, we provide empirical validation that this new method is capable of detecting unknown malware.


International Conference on Engineering Secure Software and Systems | 2010

Idea: opcode-sequence-based malware detection

Igor Santos; Felix Brezo; Javier Nieves; Yoseba K. Penya; Borja Sanz; Carlos Laorden; Pablo García Bringas

Malware is any malicious code that has the potential to harm any computer or network. The amount of malware is increasing faster every year and poses a serious security threat. Hence, malware detection has become a critical topic in computer security. Currently, signature-based detection is the most widespread method within commercial antivirus. Although this method is still used in most popular commercial antivirus software, it can only achieve detection once the virus has already caused damage and been registered. Therefore, it fails to detect new variations of known malware. In this paper, we propose a new method to detect variants of known malware families. This method is based on the frequency of appearance of opcode sequences. Furthermore, we describe a method to mine the relevance of each opcode and, thereby, weigh each opcode sequence frequency. We show that this method provides an effective way to detect variants of known malware families.


CISIS/ICEUTE/SOCO Special Sessions | 2013

OPEM: A Static-Dynamic Approach for Machine-Learning-Based Malware Detection

Igor Santos; Jaime Devesa; Felix Brezo; Javier Nieves; Pablo García Bringas

Malware is any computer software potentially harmful to both computers and networks. The amount of malware is growing every year and poses a serious global security threat. Signature-based detection is the most widespread method in commercial antivirus software; however, it consistently fails to detect new malware. Supervised machine learning has been adopted to solve this issue. There are two types of features that supervised malware detectors use: (i) static features and (ii) dynamic features. Static features are extracted without executing the sample, whereas dynamic ones require an execution. Both approaches have their advantages and disadvantages. In this paper, we propose, for the first time, OPEM, a hybrid unknown malware detector which combines the frequency of occurrence of operational codes (statically obtained) with the information of the execution trace of an executable (dynamically obtained). We show that this hybrid approach enhances the performance of both approaches when run separately.


Computational Intelligence and Security | 2011

Opcode-sequence-based semi-supervised unknown malware detection

Igor Santos; Borja Sanz; Carlos Laorden; Felix Brezo; Pablo García Bringas

Malware is any computer software potentially harmful to both computers and networks. The amount of malware is growing every year and poses a serious global security threat. Signature-based detection is the most widespread method in commercial antivirus software; however, it consistently fails to detect new malware. Supervised machine learning has been adopted to solve this issue, but the usefulness of supervised learning is far from complete because it requires a large number of malicious executables and benign software to be identified and labelled beforehand. In this paper, we propose a new method of malware detection that adopts a well-known semi-supervised learning approach to detect unknown malware. This method is based on examining the frequencies of appearance of opcode sequences to build a semi-supervised machine-learning classifier using a set of labelled (either malware or legitimate software) and unlabelled instances. We performed an empirical validation demonstrating that the labelling efforts are lower than when supervised learning is used, while the system maintains a high accuracy rate.


International Conference on Social Computing | 2010

Data Leak Prevention through Named Entity Recognition

Jose Maria Gomez-Hidalgo; Jose Miguel Martin-Abreu; Javier Nieves; Igor Santos; Felix Brezo; Pablo García Bringas

The rise of the social web has brought a series of privacy concerns and threats. In particular, data leakage is a risk that affects the privacy of not only companies but also individuals. Although there are tools that can prevent data losses, they require a prior step in which the sensitive data is properly identified. In this paper, we propose a new automatic approach that applies Named Entity Recognition (NER) to prevent data leaks. We conduct an empirical study with real-world data and show that this NER-based approach can enhance the prevention of data losses. In addition, we present and detail the implementation of a prototype built with these techniques and show how it can be used by both individuals and companies in order to handle data losses.


Database and Expert Systems Applications | 2010

Enhanced foundry production control

Javier Nieves; Igor Santos; Yoseba K. Penya; Felix Brezo; Pablo García Bringas

Mechanical properties are the attributes that measure the ability of a metal to withstand several loads and tensions. Specifically, ultimate tensile strength is the force a material can resist until it breaks and, thus, it is one of the variables to control in the foundry process. The only way to examine this feature is the use of destructive inspections that render the casting invalid, with the subsequent cost increase. Nevertheless, the foundry process can be modelled as an expert knowledge cloud upon which we may apply several machine learning techniques that allow us to foresee the probability that a variable takes a certain value. In this paper, we extend previous research on foundry production control by adapting and testing support vector machines and decision trees for the prediction beforehand of the mechanical properties of castings. Finally, we compare the obtained results and show that decision trees are more suitable than the other techniques for the prediction of ultimate tensile strength.


Database and Expert Systems Applications | 2011

Challenges and Limitations in Current Botnet Detection

Felix Brezo; Igor Santos; Pablo García Bringas; José Luis del Val

Botnets are an emerging phenomenon that is becoming one of the most significant threats to security. Their danger lies not so much in the malicious code itself as in the support they provide to implement a wide range of very different criminal practices, which are far more damaging than harming an isolated computer, such as distributed denial of service (DDoS) attacks, phishing, online fraud, dissemination of malware, building servers for the exchange of illegal material or sending spam (bulk mail). Therefore, the scientific community, together with business corporations and public entities, should be aware of the need to develop mechanisms to improve their detection, analysis and deactivation. These measures should be taken as soon as possible to stop the spread of a threat whose impact and flexibility in perpetrating attacks by commanding an army of hijacked computers (bots) make it a tool capable of compromising even the most complex information systems. Thus, this article sets out the main lines of current research in this field and proposes solutions to detect their existence through the analysis of the communication channels (HTTP, P2P, IRC, ...), the variations in the traffic detected, and their propagation mechanisms.


Conferencia Latinoamericana en Informática | 2012

Supervised classification of packets coming from a HTTP botnet

Felix Brezo; José Gaviria de la Puerta; Xabier Ugarte-Pedrero; Igor Santos; Pablo García Bringas; David Barroso

The possibilities that managing a vast number of computers and/or networks offers are attracting an increasing number of malware writers. In this document, the authors propose a methodology designed to detect malicious botnet traffic, based on the analysis of the packet flows that circulate in the network. This objective is achieved by means of the parametrization of the static characteristics of packets, which are later analysed using supervised machine learning techniques focused on traffic labelling, so as to proactively face the huge volume of information that filters work with nowadays.


CISIS/ICEUTE/SOCO Special Sessions | 2013

C&C Techniques in Botnet Development

Felix Brezo; José Gaviria de la Puerta; Igor Santos; David Barroso; Pablo García Bringas

Botnets are one of the most important threats to today's Internet users. The combination of malware capabilities exploitable in network services and the increasing number of daily transactions performed in the cloud makes them an attractive target for cybercriminals, who have evolved their old IRC-based communication channels into decentralized P2P networks, HTTP/S botnets and even Twitter-controlled networks. Against this background, this article analyses the threat that will affect computer networks in the upcoming years by going through the different Command & Control channels used by botmasters to keep control of their hijacked networks.


IET Information Security | 2011

Using opcode sequences in single-class learning to detect unknown malware

Igor Santos; Felix Brezo; Borja Sanz; Carlos Laorden; Pablo García Bringas
