Publication


Featured research published by Smita Naval.


IEEE Transactions on Information Forensics and Security | 2015

Employing Program Semantics for Malware Detection

Smita Naval; Vijay Laxmi; Muttukrishnan Rajarajan; Manoj Singh Gaur; Mauro Conti

In recent years, malware has emerged as a critical security threat. In addition, malware authors continue to embed numerous anti-detection features to evade existing malware detection approaches. Against this advanced class of malicious programs, dynamic behavior-based malware detection approaches outperform traditional signature-based approaches by neutralizing the effects of obfuscation and morphing techniques. The majority of dynamic behavior detectors rely on system calls to model the infection and propagation dynamics of malware. However, these approaches do not account for an important anti-detection feature of modern malware, the system-call injection attack. This attack allows malicious binaries to inject irrelevant and independent system calls during program execution, modifying the execution sequences and thereby defeating existing system-call-based detection. To address this problem, we propose an evasion-proof solution that is not vulnerable to system-call injection attacks. Our proposed approach characterizes program semantics using the asymptotic equipartition property (AEP), mainly applied in the information-theoretic domain. The AEP allows us to extract information-rich call sequences that are further quantified to detect malicious binaries. Furthermore, the proposed detection model is less vulnerable to call-injection attacks, as the discriminating components are not directly visible to malware authors. We run a thorough set of experiments to evaluate our solution and compare it with existing system-call-based malware detection techniques. The results demonstrate that the proposed solution is effective in identifying real malware instances.


Advanced Information Networking and Applications | 2013

MCF: MultiComponent Features for Malware Analysis

P. Vinod; Vijay Laxmi; Manoj Singh Gaur; Smita Naval; Parvez Faruki

In this paper, we use machine learning techniques to classify a Portable Executable (PE) file as malware or benign. This is achieved by extracting a new feature, referred to as the MultiComponent Feature, composed of (a) PE metadata, (b) Principal Instruction Code (PIC), (c) mnemonic bi-grams and (d) prominent unigrams that characterize malware and benign files. Reduced feature sets are obtained using feature selection and reduction methods such as Minimum Redundancy Maximum Relevance (mRMR), Principal Component Analysis (PCA) and prominent EigenVector Feature (EVF). We demonstrate that among mRMR, PCA and EVF, the mRMR feature selection method is the most suitable for extracting optimal PE attributes. The performance of our proposed method is compared with similar work reported in the literature, and we found the detection rate of our methodology to be better than that of prior work. This suggests that the proposed method can be used effectively for the identification of malicious files.


International Conference on Advanced Computing | 2011

PEAL--Packed executable analysis

Vijay Laxmi; Manoj Singh Gaur; Parvez Faruki; Smita Naval

The proliferation of packed malware has posed a serious threat to computers connected to the Internet across the globe. Packers are popular tools used by malware authors to hide malicious payloads and bypass traditional signature-based antiviruses (AV). Since packing is the easiest way to defeat signature-based detection, unpacking of samples is important. As unpacking is a time-consuming process, it reduces the overall efficiency of the AV scanner. Unpacking is a compulsory step in malware analysis; skipping it would increase the rate of false alarms and misses. In this paper we propose PEAL, a pre-processing phase to identify packed executables from a set of packed and native files. Our method reduces the overall execution time of AV by filtering packed samples from non-packed ones. Experimental results show that the proposed method is capable of identifying packed and native executables with high accuracy.


International Workshop on Security | 2012

SPADE: Signature based PAcker DEtection

Smita Naval; Vijay Laxmi; Manoj Singh Gaur; P. Vinod

Malware is a powerful weapon for compromising the confidential and secure data of a personal computer. Code packing helps malware authors create new variants of existing malware, and thus signature-based malware detection is defeated. Packing tools hinder the reverse engineering process, making it difficult for security researchers to analyze new or unknown malware. Dynamic unpackers require dedicated hardware and software for analyzing samples and are computationally expensive. Hence a fast method is required for analysing the packers used to create packed executables. Every packer uses its own unpacking algorithm to unpack the payload in memory, so if a priori information on the packer used is available, unpacking becomes easy. In this paper, we propose a novel technique for generating the signature of packed malware to identify the packer used for obfuscating the binary.


DPM/SETOP/QASA | 2015

Environment-Reactive Malware Behavior: Detection and Categorization

Smita Naval; Vijay Laxmi; Manoj Singh Gaur; Sachin Raja; Muttukrishnan Rajarajan; Mauro Conti

Present malicious threats have been consolidated in the past few years by incorporating diverse stealthy techniques. Detecting this malware on the basis of its dynamic behavior has become a promising approach, as it overcomes the shortcomings that static approaches suffer from obfuscated malware binaries. Additionally, existing behavior-based malware detection approaches are resilient to zero-day malware attacks. These approaches rely on an isolated analysis environment to monitor and capture run-time malware behavior. Malware bundled with an environment-aware payload may degrade the detection accuracy of such approaches. These malicious programs detect the presence of the execution environment and, in spite of carrying their malicious payload, mimic benign behavior to avoid detection. In this paper, we present an approach that uses system calls to identify malware on the basis of its malignant and environment-reactive behavior. The proposed approach offers an automated screening mechanism to segregate malware samples on the basis of the aforementioned behaviors. We have built a decision model based on multi-layer perceptron learning with the back-propagation algorithm. Our proposed model decides which of four classes (clean, malignant, guest-crashing and infinite-running) a sample belongs to. Clean behavior denotes a benign sample, and the rest of the behaviors denote the presence of a malware sample. The proposed technique has been evaluated with known and unknown instances of real malware and benign programs.


Security of Information and Networks | 2014

Exploring Worm Behaviors using DTW

Smita Naval; Vijay Laxmi; Neha Gupta; Manoj Singh Gaur; Muttukrishnan Rajarajan

Worms are becoming a serious threat to Internet users across the globe. The financial damage due to computer worms has increased significantly in the past few years. Analyzing these hazardous worm attacks has become a crucial issue to be addressed. Since worm analysts would prefer to analyze classes of worms rather than individual files, grouping worms significantly reduces their task. In this paper, we propose a dynamic host-based worm categorization approach to segregate worms into groups. These groups indicate that worm samples exhibit different behaviors according to their infection and anti-detection vectors. Our proposed approach utilizes system-call traces and computes a distance matrix using the Dynamic Time Warping (DTW) algorithm to form these groups. In addition, the proposed approach also discriminates between worm and benign executables. The constructed model is further evaluated with unknown instances of real-world worms.


Conference on Privacy, Security and Trust | 2014

P-SPADE: GPU accelerated malware packer detection

Neha Gupta; Smita Naval; Vijay Laxmi; Manoj Singh Gaur; Muttukrishnan Rajarajan

Packed malware has a negative impact on the accuracy of AV scanners. It is essential for a security researcher to nullify the effects of packing tools prior to malware detection. Numerous open and commercial packers are available to facilitate the unwelcome intentions of malware authors. Thus, identification of packers becomes a necessary phase prior to malware scanning. In this paper, we propose a GPGPU-based approach for accelerating our previous signature-based packer detection (SPADE) [1] method. SPADE generates packer signatures by utilizing intra-family malware alignments. It makes use of the Smith-Waterman algorithm to reveal the actual relationship among the packer family samples and achieves a high detection rate compared to other packer detection tools. The use of Smith-Waterman comes with a trade-off between accuracy and high computational complexity. So, we have implemented a parallel version of Smith-Waterman to improve the signature generation phase of SPADE. Our GPU-based approach (O(m+n)) produces 14.89X to 49.91X speedup over the CPU-based implementation of SPADE while preserving detection accuracy. Moreover, the proposed approach opens up a new domain of applying GPUs to existing signature-based approaches for malware detection, where signature database updates are done on a daily basis.


Security of Information and Networks | 2012

ESCAPE: entropy score analysis of packed executable

Smita Naval; Vijay Laxmi; Manoj Singh Gaur; P. Vinod

Malware developers hide the malicious payload of a malware binary by employing various obfuscation techniques. One such commonly applied technique is packing. A packer transforms the original bytes so that it is difficult to recognize the behaviour of an executable. Although the contents of a file are changed, some byte patterns may be preserved across different packed executables. Malware detectors need to apply an unpacking mechanism to every sample under consideration prior to any detection or analysis. In this paper, we propose a method that discriminates packed binaries from native files to minimize the processing time of AV scanners. We use the blockwise entropy score of the byte features of the executable. Experimental results show that the proposed method is capable of identifying packed and native executables, with the packed ones produced using different malware packers.


Trust, Security and Privacy in Computing and Communications | 2017

Improving Leakage Path Coverage in Android Apps

Garima Modi; Vijay Laxmi; Smita Naval; Manoj Singh Gaur

With the phenomenal increase in Android app usage and the storing of personal information on mobile devices, securing this sensitive information has assumed significance. Android application developers knowingly or unknowingly create apps that may directly or indirectly leak this information to the outside world. The majority of state-of-the-art approaches detect leaks through inter-component communication (ICC) within an app. Android allows inter-component communication (ICC) within the components of the same application or across multiple applications. The ICC mechanism is used for the exchange of information among apps. Via ICC, an app or a set of apps can send sensitive information out of the application or device. In this paper, we propose an approach for intra-app as well as inter-app data transfer analysis through intents and/or shared preferences that improves the coverage of detected leakage paths compared to existing approaches. Our proposed approach is capable of analyzing more than two applications at a time. We have evaluated the proposed approach on the DroidBench dataset and 116 real-world apps randomly selected and downloaded from the Google Play Store. We detected 1298 inter-component paths within an app and 215 inter-app sensitive paths. Our approach reported ~17.71% more inter-component paths using shared preferences for data transfer.


International Conference on Intelligent Systems | 2013

Relevant hex patterns for malcode detection

Smita Naval; Yogesh Kumar Meena; Vijay Laxmi; P. Vinod

Malware poses a big threat to computer systems nowadays. Malware authors often use encryption/compression methods to conceal the data and code of their malicious executables. These methods, which transform some or all of the original bytes into a series of random-looking data bytes, appear in 80 to 90% of malware samples. This fact creates special challenges for anti-virus scanners that use static and dynamic methods to analyze large malware collections. In this paper we propose a method to identify malware executables by reading the initial 2500 byte patterns of the sample. Our method reduces overall scanner execution time by considering 2500 bytes instead of the whole file. Experimental results are evaluated using different classification algorithms (Random Forest, Ada-Boost, IBK, J48, Naïve-Bayes) followed by a feature selection method.
