Hugo Gonzalez

DroidKin: Lightweight Detection of Android Apps Similarity

The appearance of the Android platform and its popularity has resulted in a sharp rise in the number of reported vulnerabilities and consequently in the number of mobile threats. Leveraging openness of Android app markets and the lack of security testing, malware authors commonly plagiarize Android applications (e.g., through code reuse and repackaging) boosting the amount of malware on the markets and consequently the infection rate.

Exploring reverse engineering symptoms in Android apps

The appearance of the Android platform and its popularity has resulted in a sharp rise in the number of reported vulnerabilities and consequently in the number of mobile threats. Leveraging openness of Android app markets and the lack of security testing, malware authors commonly plagiarize Android applications (e.g., through code reuse and repackaging) boosting the amount of malware on the markets and consequently the infection rate. In this study, we present AndroidSOO, a lightweight approach for the detection of repackaging symptoms on Android apps. In this work, we introduce and explore novel and easily extractable attribute called String Offset Order. Extractable from string identifiers list in the .dex file, the method is able to pinpoint symptoms of reverse engineered Android apps without the need for complex further analysis. We performed extensive evaluation of String Order metric to assess its capabilities on datasets made available by three recent studies: Android Malware Genome Project, DroidAnalytics and Drebin. We also performed a large-scale study of over 5,000 Android applications extracted from Google Play market and over 80 000 samples from Virus Total service.

Detecting HTTP-based application layer DoS attacks on web servers in the presence of sampling

A recent escalation of application layer Denial of Service (DoS) attacks on the Internet has quickly shifted the interest of the research community traditionally focused on network-based DoS attacks. A number of studies came forward showing the potency of attacks, introducing new varieties and discussing potential detection strategies. The underlying problem that triggered all this research is the stealthiness of application layer DoS attacks. Since they usually do not manifest themselves at the network level, these types of attacks commonly avoid traditional network-layer based detection mechanisms.In this work we turn our attention to this problem and present a novel detection approach for application layer DoS attacks based on nonparametric CUSUM algorithm. We explore the effectiveness of our detection on various types of these attacks in the context of modern web servers. Since in production environments detection is commonly performed on a sampled subset of network traffic, we also study the impact of sampling techniques on detection of application layer DoS attack. Our results demonstrate that the majority of sampling techniques developed specifically for intrusion detection domain introduce significant distortion in the traffic that minimizes a detection algorithms ability to capture the traces of these stealthy attacks.

Application-layer denial of service attacks: taxonomy and survey

The recent escalation of application-layer denial of service DoS attacks has attracted a significant interest of the security research community. Since application-layer DoS attacks usually do not manifest themselves at the network level, they avoid traditional network-layer-based detection. Therefore, the security community has focused on specialised application-layer DoS attacks detection and mitigation mechanisms. However, the deployment of reliable and efficient defence mechanisms against these attacks requires the comprehensive understanding of the existing application-layer DoS attacks supported by a unified terminology. Thus, in this paper we address this issue and devise a taxonomy of application-layer DoS attacks. By devising the proposed taxonomy, we intend to give researchers a better understanding of these attacks and provide a foundation for organising research efforts within this specific field.

Enriching reverse engineering through visual exploration of Android binaries

The appearance of the Android platform and its popularity has resulted in a sharp rise in the number of reported vulnerabilities and consequently in the number of mobile threats. Leveraging openness of Android app markets and the lack of security testing, malware authors commonly employ a suite of widely available tools to facilitate the app development. Analysis of individual apps for malware detection often requires understanding of app functionality and complex, time-consuming analysis of its behavior. Since tools tend to leave traces in the program structure, we can potentially use visual exploration of these artifacts to enrich reverse engineering of malware analysis. In this paper, we focus on this approach and investigate internal structure of Android executable files and their characteristics under various tools and development conditions. We show that the majority of obfuscation and optimization tools leave distinct artifacts that can be leveraged in Android binary analysis to trace origin of a malware sample on hand.

A Performance Evaluation of Hash Functions for IP Reputation Lookup Using Bloom Filters

IP reputation lookup is one of the traditional methods for recognition of blacklisted IPs, i.e., IP addresses known to be sources of spam and malware-related threats. Its use however has been rapidly increasing beyond its traditional domain reaching various IP filtering tasks. One of the solutions able to provide a necessary scalability is a Bloom filter. Efficient in memory consumption, Bloom filters provide a fast membership check, allowing to confirm a presence of set elements in a data structure with a constant false positive probability. With the increased usage of IP reputation check and an increasing adoption of IPv6 protocol, Bloom filters quickly gained popularity. In spite of their wide application, the question of what hash functions to use in practice remains open. In this work, we investigate a 10 cryptographic and non-cryptographic functions for on their suitability for Bloom filter analysis for IP reputation lookup. Experiments are performed with controlled, randomly generated IP addresses as well as a real dataset containing blacklisted IP addresses. Based on our results we recommend two hash functions for their performance and acceptably low false positive rate.