
Publication


Featured research published by Shun-Wen Hsiao.


network and system security | 2013

Combining Dynamic Passive Analysis and Active Fingerprinting for Effective Bot Malware Detection in Virtualized Environments

Shun-Wen Hsiao; Yi-Ning Chen; Yeali S. Sun; Meng Chang Chen

We propose a detection mechanism that takes advantage of the virtualized environment and combines both passive and active detection approaches for detecting bot malware. Our proposed passive detection agent lies in the virtual machine monitor to profile the bot behavior and check against it with other hosts. The proposed active detection agent, which performs active bot fingerprinting, can send a specific stimulus to a host and examine whether the expected triggered behavior exists. In our experiments, our system can distinguish bots from benign processes with a low false alarm rate. The active fingerprinting technique can detect a bot even when the bot does not do its malicious jobs.


communications and networking symposium | 2013

A cooperative botnet profiling and detection in virtualized environment

Shun-Wen Hsiao; Yi-Ning Chen; Yeali S. Sun; Meng Chang Chen

Cloud security has become an important topic in recent years, as overcoming botnets in a virtualized environment is a critical task for cloud providers. Although numerous intrusion detection systems are available, it is not practical to install an IDS in every virtual machine. In this paper, we argue that a virtual machine monitor (VMM) can support certain security functions that our proposed design can actively collect information directly from the VMM without installing an agent in the guest OS. In addition, a bot could not be aware of the existence of such a detection agent in the VMM. The proposed detection mechanism takes both passive and active detection approaches: the passive detection agent lies in the VMM to examine the tainted data used by a bot to check against bot behavior profiles, and the active detection agent, which performs active bot fingerprinting, can actively send a specific stimulus to a guest and examine whether the expected triggered behavior exists. In the real-world bot experiments, we show the passive detection agent can distinguish between bots and benign processes with low false positive and false negative rates. Also, the result shows the active detection agent can detect a bot even before it performs its malicious jobs. The proposed mechanism suits an enterprise having a cloud environment well to defeat malware.


european conference on web services | 2011

A Secure Proxy-Based Cross-Domain Communication for Web Mashups

Shun-Wen Hsiao; Yeali S. Sun; Fu-Chi Ao; Meng Chang Chen

A web mashup is a web application that integrates content from heterogeneous sources to provide users with a more integrated and seamless browsing experience. Client-side mashups differ from server-side mashups in that the content is integrated in the browser using client-side scripts. However, the legacy same origin policy (SOP) implemented by the browsers cannot provide a flexible client-side communication mechanism to exchange information between different sources. To address this problem, we propose a secure client-side cross-domain communication model facilitated by a trusted proxy and the HTML5 postMessage method. The proxy-based model supports fine-grained access control for elements that belong to different sources in web mashups, and the design guarantees confidentiality, integrity, and authenticity during cross-domain communications. The proxy-based design also allows users to browse mashups without installing browser plug-ins. For mashup developers, the provided API minimizes the amount of code modification. The results of experiments demonstrate that the overhead incurred by our proxy model is low and reasonable.


intelligence and security informatics | 2010

Cross-level behavioral analysis for robust early intrusion detection

Shun-Wen Hsiao; Yeali S. Sun; Meng Chang Chen; Hui Zhang

We anticipate future attacks would evolve to become more sophisticated to outwit existing intrusion detection techniques. Existing anomaly analysis techniques and signature-based detection practices can no longer be effective. We believe intrusion detection systems (IDSs) of the future will need to be capable of detecting or inferring attacks based on more valuable information from the network-related properties and characteristics. We observed that even though the signatures or traffic patterns of future stealthy attacks can be modified to outwit current IDSs, certain behavioral aspects of an attack are invariant. We propose a novel approach that jointly monitors network activities at three different levels: transport layer protocols, (vulnerable) network services, and invariant anomaly behaviors (called attack symptoms). Our system, SecMon, captures the network behaviors by simultaneously performing cross-level state correlation for effective detection of anomaly behaviors. For the most part, the invariant anomaly behavior has not been fully exploited in the past. A probabilistic attack inference model is also proposed for attack assessment by correlating the observed attack symptoms to achieve a low false alarm rate. The evaluations demonstrate our prototype system is efficient and effective for sophisticated attacks, including polymorphic, stealthy, and unknown attacks.


IEEE Systems Journal | 2016

Slow-Paced Persistent Network Attacks Analysis and Detection Using Spectrum Analysis

Li Ming Chen; Shun-Wen Hsiao; Meng Chang Chen; Wanjiun Liao

A slow-paced persistent attack, such as slow worm or bot, can bewilder the detection system by slowing down their attack. Detecting such attacks based on traditional anomaly detection techniques may yield high false alarm rates. In this paper, we frame our problem as detecting slow-paced persistent attacks from a time series obtained from network trace. We focus on time series spectrum analysis to identify peculiar spectral patterns that may represent the occurrence of a persistent activity in the time domain. We propose a method to adaptively detect slow-paced persistent attacks in a time series and evaluate the proposed method by conducting experiments using both synthesized traffic and real-world traffic. The results show that the proposed method is capable of detecting slow-paced persistent attacks even in a noisy environment mixed with legitimate traffic.


wireless communications, networking and information security | 2010

Behavior profiling for robust anomaly detection

Shun-Wen Hsiao; Yeali S. Sun; Meng Chang Chen; Hui Zhang

Internet attacks are evolving using evasion techniques such as polymorphism and stealth scanning. Conventional detection systems using signature-based and/or rule-based anomaly detection techniques no longer suffice. It is difficult to predict what form the next malware attack will take and these pose a great challenge to the design of a robust intrusion detection system. We focus on the anomalous behavioral characteristics between attack and victim when they undergo sequences of compromising actions and that are inherent to the classes of vulnerability-exploit attacks. A new approach, Gestalt, is proposed to statefully capture and monitor activities between hosts and progressively assess possible network anomalies by multilevel behavior tracking, cross-level triggering and correlation, and a probabilistic inference model is proposed for intrusion assessment and detection. Such multilevel design provides a collective perspective to reveal more anomalies than individual levels. We show that Gestalt is robust and effective in detecting polymorphic, stealthy variants of known attacks.


international conference on communications | 2016

Behavior grouping of Android malware family

Shun-Wen Hsiao; Yeali S. Sun; Meng Chang Chen

Malicious apps may install unwanted programs or gather sensitive information from mobile devices. We notice Android apps intrinsically fork several threads to accomplish a complex task, and so does Android malware, which makes it difficult for security experts to analyze them without knowing their structure. In this paper, we propose an analysis scheme to group and analyze Android malware based on their dynamic behaviors, and to identify the behaviors of a malware family. In addition, we apply the techniques of phylogenetic tree, significant principal components and dot matrix on different malware families to demonstrate their behavioral correlations. The proposed methods can automatically discover similar behaviors of different malware groups, extract the characteristics of each malware group, and provide visualized information based on runtime behaviors. We anticipate the grouping result and the structure of malware families are important and essential for further malware behavior analysis research.


australasian conference on information security and privacy | 2018

ANTSdroid: Automatic Malware Family Behaviour Generation and Analysis for Android Apps.

Yeali S. Sun; Chien-Chun Chen; Shun-Wen Hsiao; Meng Chang Chen

Malware developers often use various obfuscation techniques to generate polymorphic and metamorphic versions of malware. Keeping up with new variants and creating signatures for each individual in a timely fashion has been an important but tedious problem that anti-virus companies face all the time. It motivates our idea of no more dancing with variants. In this paper, we aim to find a malware family’s main characteristic operations directly related to its intent. We propose global execution sequence alignment and segmentation algorithms to generate the execution stage chart of a malware family, which presents a simple and easy-to-understand overview of the lifecycle as well as common and different operations that individual variants perform at a stage. We also present an automated dynamic Android malware profiling and family security analysis system in which we focus on the execution sequences of sensitive and permission-related API calls, referred to as motifs, of variants of a malware family. To achieve the goal, we modify the Android Debug Bridge (ADB) tool to add several new features, including enabling the recording of parameters and the return value of an API call, the support of UID-based profiling to capture all the processes and threads to gain complete understanding of the activities of the target malware app, and per-thread trace generation. Finally, we use a real-world dataset to validate the proposed system and methods. The generated family stage chart and motifs can provide security analysts a semantics-rich understanding of what and how a malware family is designed and implemented. The main characteristic API call sequences of malware families can be used as signatures for effective and efficient malware detection in the future.


international ifip tc networking conference | 2008

A distributed channel access scheduling scheme with clean-air spatial reuse for wireless mesh networks

Yuan-Chieh Lin; Shun-Wen Hsiao; Li-Ping Tung; Yeali S. Sun; Meng Chang Chen

There are two effective approaches to maximize network capacity throughput: increasing concurrent non-interfering transmissions by exploiting spatial reuse and increasing transmission rates of active senders. These two ways are, however, a tradeoff due to the signal interference. In this paper, we propose a distributed channel access scheduling scheme under a Clean-Air Spatial Reuse architecture which spans both the MAC layer and the network planning plane to scale a wireless mesh network to high network capacity throughput and large coverage. Simulation results of the network capacity throughput performance under different levels of Clean-Air Spatial Reuse policies are presented. The results show that having a larger number of concurrent transmission pairs scheduled in each time slot usually can compensate for the negative effect of using lower transmission rates of transmission links and result in better throughput performance.


Journal of Web Engineering | 2013

A secure proxy-based cross-domain communication for web mashups

Shun-Wen Hsiao; Yeali S. Sun; Meng Chang Chen

Collaboration

Top Co-Authors

Yeali S. Sun
National Taiwan University

Hui Zhang
Carnegie Mellon University

Li Ming Chen
National Taiwan University

Yi-Ning Chen
National Taiwan University

Chien-Chun Chen
National Taiwan University

Fu-Chi Ao
National Taiwan University

Li-Ping Tung
National Tsing Hua University

Wanjiun Liao
National Taiwan University

Yuan-Chieh Lin
National Taiwan University