
Publications

Featured research published by Mamoun Alazab.


2010 Second Cybercrime and Trustworthy Computing Workshop | 2010

Towards Understanding Malware Behaviour by the Extraction of API Calls

Mamoun Alazab; Sitalakshmi Venkatraman; Paul A. Watters

One of the recent trends adopted by malware authors is to use packers or software tools that instigate code obfuscation in order to evade detection by antivirus scanners. With evasion techniques such as polymorphism and metamorphism, malware is able to fool current detection techniques. Thus, security researchers and the anti-virus industry are facing a herculean task in extracting payloads hidden within packed executables. It is a common practice to use manual unpacking or static unpacking using some software tools and to analyse the application programming interface (API) calls for malware detection. However, extracting these features from the unpacked executables for reverse obfuscation is labour intensive and requires deep knowledge of low-level programming that includes kernel and assembly language. This paper presents an automated method of extracting API call features and analysing them in order to understand their use for malicious purposes. While some research has been conducted in arriving at file birthmarks using API call features and the like, there is a scarcity of work that relates to features in malcodes. To address this gap, we attempt to automatically analyse and classify the behaviour of API function calls based on the malicious intent hidden within any packed program. This paper uses a four-step methodology for developing a fully automated system to arrive at six main categories of suspicious behaviour of API call features.


social informatics | 2012

Cybercrime: The Case of Obfuscated Malware

Mamoun Alazab; Sitalakshmi Venkatraman; Paul A. Watters; Moutaz Alazab; Ammar Alazab

Cybercrime has rapidly developed in recent years, and malware is one of the major security threats to computers, having been in existence from the very early days. There is a lack of understanding of such malware threats and of what mechanisms can be used in implementing security prevention as well as in detecting the threat. The main contribution of this paper is a step towards addressing this by investigating the different techniques adopted by obfuscated malware, as they are increasingly widespread and increasingly sophisticated with zero-day exploits. In particular, by adopting certain effective detection methods, our investigations show how cybercriminals make use of file system vulnerabilities to inject hidden malware into the system. The paper also describes the recent trends of Zeus botnets and the importance of anomaly detection to be employed in addressing the new Zeus generation of malware.


Future Generation Computer Systems | 2016

Hybrids of support vector machine wrapper and filter based framework for malware detection

Shamsul Huda; Jemal H. Abawajy; Mamoun Alazab; Mali Abdollahian; Rafiqul Islam; John Yearwood

Malware replicates itself and produces offspring with the same characteristics but different signatures by using code obfuscation techniques. Current generation Anti-Virus (AV) engines employ a signature-template type detection approach where malware can easily evade existing signatures in the database. This reduces the capability of current AV engines in detecting malware. In this paper we propose a hybrid framework for malware detection by using hybrids of Support Vector Machine Wrapper and Maximum-Relevance-Minimum-Redundancy Filter heuristics, where Application Program Interface (API) call statistics are used as malware features. The novelty of our hybrid framework is that it injects the filters' ranking score in the wrapper selection process and combines the properties of both wrapper and filters and API call statistics, which can detect malware based on the nature of infectious actions instead of signatures. To the best of our knowledge, this kind of hybrid approach has not been explored yet in the literature in the context of feature selection and malware detection. Knowledge about the intrinsic characteristics of malicious activities is determined by the API call statistics, which are injected as a filter score into the wrapper's backward elimination process in order to find the most significant APIs. While using the most significant APIs in the wrapper classification on both obfuscated and benign types of malware datasets, the results show that the proposed hybrid framework clearly surpasses the existing models, including the independent filters and wrappers, using only a very compact set of significant APIs. The performances of the proposed and existing models have further been compared using binary logistic regression. Various goodness-of-fit comparison criteria such as Chi Square, Akaike's Information Criterion (AIC) and the Receiver Operating Characteristic (ROC) curve are deployed to identify the best performing models. Experimental outcomes based on the above criteria also show that the proposed hybrid framework outperforms other existing models of signature types, including independent wrapper and filter approaches, in identifying malware.

Highlights: A signature-free malware detection approach has been proposed. A hybrid wrapper-filter based malware feature selection has been proposed. The proposed hybrid approach can take advantage of both filter and wrapper. Models have also been validated by statistical model selection criteria such as Chi Square and Akaike's Information Criterion (AIC).


Journal of Systems and Software | 2015

Profiling and classifying the behavior of malicious codes

Mamoun Alazab

Highlights: Examines the evolution of malware including the nature of its activity and variants. Investigates malware implications for the computer security industry. Provides a framework to extract features from malware binaries that reflect its behaviour. Proposes similarity detection based on the sequences and frequency of appearance of API calls. Advances the detection of zero-day malware.

Malware is a major security threat confronting computer systems and networks and has increased in scale and impact from the early days of ICT. Traditional protection mechanisms are largely incapable of dealing with the diversity and volume of malware variants which is evident today. This paper examines the evolution of malware, including the nature of its activity and variants, and the implications of this for computer security industry practices. As a first step to address this challenge, I propose a framework to extract features statically and dynamically from malware that reflect the behaviour of its code, such as the Windows Application Programming Interface (API) calls. Similarity-based mining and machine learning methods have been employed to profile and classify malware behaviours. This method is based on the sequences of API calls and their frequency of appearance. Experimental analysis results using large datasets show that the proposed method is effective in identifying known malware variants, and also classifies malware with high accuracy and low false alarm rates. This encouraging result indicates that classification is a viable approach for similarity detection to help detect malware. This work advances the detection of zero-day malware and offers researchers another method for understanding impact.


Benchmarking: An International Journal | 2013

Performance evaluation of e-government services using balanced scorecard: an empirical study in Jordan

Salah Alhyari; Moutaz Alazab; Sitalakshmi Venkatraman; Mamoun Alazab; Ammar Alazab

Purpose – The purpose of this paper is to emphasise a balance between quantitative and qualitative measures, and to examine the use of the Balanced Scorecard to evaluate and estimate the performance of information and communication technologies (ICT) in delivering valuable e-government services through the internet.

Design/methodology/approach – This study tests the hypotheses of e-government effectiveness using the Balanced Scorecard technique by incorporating qualitative measures within a quantitative research methodology, with data collected by means of a survey questionnaire. The survey sample of 383 stakeholders includes common customers, employees of e-government, and employees from the IT sector. The survey data were analysed to test the hypothesis in measuring e-government effectiveness from the Balanced Scorecard's four dimensions: customer perspective, financial perspective, internal business process perspective, and innovation and learning perspective.

Findings – The results show that the Balanced Scorecard f...


Future Generation Computer Systems | 2016

Fast authentication in wireless sensor networks

Chafika Benzaid; Karim Lounis; Ameer Al-Nemrat; Nadjib Badache; Mamoun Alazab

Broadcast authentication is a fundamental security service in wireless sensor networks (WSNs). Although symmetric-key-based µTESLA-like schemes were employed due to their energy efficiency, they all suffer from DoS attacks resulting from the nature of delayed message authentication. Recently, several public-key-based schemes were proposed to achieve immediate broadcast authentication that may significantly improve security strength. However, while the public-key-based schemes obviate the security vulnerability inherent to symmetric-key-based µTESLA-like schemes, their signature verification is time-consuming. Thus, speeding up signature verification is a problem of considerable practical importance, especially in resource-constrained environments. This paper exploits the cooperation among sensor nodes to accelerate the signature verification of vBNN-IBS, a pairing-free identity-based signature with reduced signature size. We demonstrate through an extensive performance evaluation study that the accelerated vBNN-IBS achieves the longest network lifetime compared to both the traditional vBNN-IBS and the accelerated ECDSA schemes. The accelerated vBNN-IBS runs 66% faster than the traditional signature verification method. Results from theoretical analysis, simulation, and real-world experimentation on a MICAz platform are provided to validate our claims.

Highlights: Exploits the cooperation between nodes to accelerate the signature verification. The accelerated scheme allows a longer network lifetime. The new scheme saves up to 45% of the energy drained during the verification. The accelerated scheme runs 66% faster than the traditional signature verification. Theoretical analysis, simulation, and real-world experimentation were conducted.


International Journal of Electronic Security and Digital Forensics | 2013

Detecting malicious behaviour using supervised learning algorithms of the function calls

Mamoun Alazab; Sitalakshmi Venkatraman

This paper describes our research in evaluating the use of supervised data mining algorithms for the effective detection of zero-day malware. Our aim is to design the tasks of certain popular types of supervised data mining algorithms for zero-day malware detection and compare their performance in terms of accuracy and efficiency. In this context, we propose and evaluate a novel method of employing such data mining techniques based on the frequency of Windows function calls. Our experimental investigations used large data sets to train the classifiers, with a design tool to compare the performance of various data mining algorithms. Analysis of the results suggests the advantages of one data mining algorithm over the other for malware detection. Overall, data mining algorithms are employed with a true positive rate as high as 98.5% and a low false positive rate of less than 0.025, indicating good applicability and future enhancements for detecting unknown and infected files with embedded stealthy malcode.


2013 Fourth Cybercrime and Trustworthy Computing Workshop | 2013

Malicious Spam Emails Developments and Authorship Attribution

Mamoun Alazab; Robert Layton; Roderic Broadhurst; Brigitte Bouhours

The Internet is a decentralized structure that offers speedy communication, has a global reach and provides anonymity, a characteristic invaluable for committing illegal activities. In parallel with the spread of the Internet, cybercrime has rapidly evolved from a relatively low volume crime to a common high volume crime. A typical example of such a crime is the spreading of spam emails, where the content of the email tries to entice the recipient to click a URL linking to a malicious Web site or to download a malicious attachment. Analysts attempting to provide intelligence on spam activities quickly find that the volume of spam circulating daily is overwhelming; therefore, any intelligence gathered is representative of only a small sample, not of the global picture. While past studies have looked at automating some of these analyses using topic-based models, i.e. separating email clusters into groups with similar topics, our preliminary research investigates the usefulness of applying authorship-based models for this purpose. In the first phase, we clustered a set of spam emails using an authorship-based clustering algorithm. In the second phase, we analysed those clusters using a set of linguistic, structural and syntactic features. These analyses reveal that emails within each cluster were likely written by the same author, but that it is unlikely we have managed to group together all spam produced by each group. This problem of high purity with low recall has been faced in past authorship research. While it is also a limitation of our research, the clusters themselves are still useful for the purposes of automating analysis, because they reduce the work needing to be performed. Our second phase revealed useful information on the group that can be utilized in future research for further analysis of such groups, for example, identifying further linkages behind spam campaigns.


Trends and issues in crime and criminal justice | 2015

Spam and Criminal Activity

Mamoun Alazab; Roderic Broadhurst

The Internet is a decentralised structure that offers fast communication with a global reach, but also provides anonymity, a characteristic invaluable for committing illegal activities. Cybercrime has rapidly evolved in parallel with the spread of the Internet and e-commerce, but attacks via e-mail (spam) remain one of the major vectors for the dissemination of malware and are a predicate to many forms of cybercrime. Spam epitomises one of the earliest on-line criminal partnerships between malware authors and e-mail spammers, and it remains one of the most popular 'social engineered' means for spreading and injecting malware on computers and other digital devices. Unlike cybercrime that targets 'low volume, high value' victims such as banks and requires advanced hacking capability, spam enables malware to reach 'high volume, low value' targets, which are less likely to have effective anti-virus or other countermeasures in place. A typical example is the spread of malicious e-mails containing content that entices the recipient to click on a Uniform Resource Locator (URL) link to a malicious web site or to download a malicious attachment. Deception achieved through 'social engineered' e-mail messages is relatively well understood, but less is known about advanced methods like 'spear phishing,' and whether different forms of social engineering are related to different types of malware and crime. Cloaking methods designed to disguise malicious executable files as fairly harmless documents, such as Microsoft Word, PDF or text files, are now common. These include manipulating the encoding method, applying fake double extensions in compressed form, and mimicking "URL shortening" services, amongst others, as means to mask malicious files and links, ensuring their spread through the web.

Understanding the nature of spam activity and the threat posed by malicious spam e-mails, especially the prevalence, frequency, duration and severity of these common forms of cybercrime, is the key to prevention. It is worth noting that states alone lack the capability to suppress spam and must rely on mutual interest and a host of non-state actors to perform tasks usually the province of law enforcement agencies. This research used 'real world' data sets from the Australian Communications and Media Authority (ACMA) Spam Intelligence Database (SID) to describe the nature and trends in spam-borne malware. We processed 13,450,555 spam e-mails: of the 492,978 found with attachments, 21.4 percent were malicious, and of the 6,230,274 that contained a URL, 22.3 percent of the web links proved malicious. We argue that because the focus of IT security on perimeter protection is becoming increasingly ineffective, there is a need to refocus crime prevention activities on the modus operandi of offenders and victim vulnerabilities.


Information Management & Computer Security | 2014

Using response action with intelligent intrusion detection and prevention system against web application malware

Ammar Alazab; Michael Hobbs; Jemal H. Abawajy; Ansam Khraisat; Mamoun Alazab

Purpose – The purpose of this paper is to mitigate vulnerabilities in web applications; security detection and prevention are the most important mechanisms for security. However, most existing research focuses on how to prevent an attack at the web application layer, with less work dedicated to setting up a response action if a possible attack happened.

Design/methodology/approach – A combination of a Signature-based Intrusion Detection System (SIDS) and an Anomaly-based Intrusion Detection System (AIDS), namely, the Intelligent Intrusion Detection and Prevention System (IIDPS).

Findings – After evaluating the new system, a better result was generated in line with detection efficiency and the false alarm rate. This demonstrates the value of direct response action in an intrusion detection system.

Research limitations/implications – Data limitation.

Originality/value – The contributions of this paper are, first, to address the problem of web application vulnerabilities. Second, to propose a combination of an SIDS and an AIDS, namely, the IIDPS. Third, this paper presents a novel approach by connecting the IIDPS with a response action using fuzzy logic. Fourth, it uses risk assessment to determine an appropriate response action against each attack event. Combining the systems provides better performance for the Intrusion Detection System, and makes the detection and prevention more effective.

Collaboration

Top co-authors of Mamoun Alazab:

Sitalakshmi Venkatraman | Federation University Australia

Roderic Broadhurst | Australian National University

Steve Chon | Australian National University

Brigitte Bouhours | Australian National University

Peter Grabosky | Australian National University

Robert Layton | Federation University Australia