Vitor Monte Afonso

Behavioral analysis of malicious code through network traffic and system call monitoring

Malicious code (malware) that spreads through the Internet-such as viruses, worms and trojans-is a major threat to information security nowadays and a profitable business for criminals. There are several approaches to analyze malware by monitoring its actions while it is running in a controlled environment, which helps to identify malicious behaviors. In this article we propose a tool to analyze malware behavior in a non-intrusive and effective way, extending the analysis possibilities to cover malware samples that bypass current approaches and also fixes some issues with these approaches.

Ontology for Malware Behavior: A Core Model Proposal

The ubiquity of Internet-connected devices motivates attackers to create malicious programs (malware) to exploit users and their systems. Malware detection requires a deep understanding of their possible behaviors, one that is detailed enough to tell apart suspicious programs from benign, legitimate ones. A step to effectively address the malware problem leans toward the development of an ontology. Current efforts are based on an obsolete hierarchy of malware classes that defines a malware family by one single prevalent behavior (e.g., viruses infect other files, worms spread and exploit remote systems autonomously, Trojan horses disguise themselves as benign programs, and so on). In order to address the detection of modern, complex malware families whose infections involve sets of multiple exploit methods, we need an ontology broader enough to deal with these suspicious activities performed on the victims system. In this paper, we propose a core model for a novel malware ontology that is based on their exhibited behavior, filling a gap in the field.

A hybrid framework to analyze web and OS malware

Malicious programs (malware) cause serious security issues to home users and even to highly secured enterprise systems. The main infection vector currently used by attackers is the Internet. To improve the detection rate and to develop protection mechanisms, it is very important to analyze and study these threats. To this end, several systems were developed to perform malware analysis, which support operating system (OS) programs or Web codes, but they all suffer from limitations. Also, the existing systems focus only on one type of malware, those that target the OS or that require a Web browser. In this article, we propose a framework that is able to analyze Web and OS-based malware, which provides better detection rates and a broader range of malware types analysis. We have also evaluated and compared our analysis results to the state-of-the-art systems, presenting the advantages of the developed framework over them when regarding Web and OS-based malware.

Pinpointing malicious activities through network and system-level malware execution behavior

Malicious programs pose a major threat to Internet-connected systems, increasing the importance of studying their behavior in order to fight against them. In this paper, we propose definitions to the different types of behavior that a program can present during its execution. Based on those definitions, we define suspicious behavior as the group of actions that change the state of a target system. We also propose a set of network and system-level dangerous activities that can be used to denote the malignity in suspicious behaviors, which were extracted from a large set of malware samples. In addition, we evaluate the malware samples according to their suspicious behavior. Moreover, we developed filters to translate from lower-level execution traces to the observed dangerous activities and evaluated them in the context of actual malware.

Interactive, visual-aided tools to analyze malware behavior

Malicious software attacks can disrupt information systems, violating security principles of availability, confidentiality and integrity. Attackers use malware to gain control, steal data, keep access and cover traces left on the compromised systems. The dynamic analysis of malware is useful to obtain an execution trace that can be used to assess the extent of an attack, to do incident response and to point to adequate counter-measures. An analysis of the captured malware can provide analysts with information about its behavior, allowing them to review the malicious actions performed during its execution on the target. The behavioral data gathered during the analysis consists of filesystem and network activity traces; a security analyst would have a hard time sieving through a maze of textual event data in search of relevant information. We present a behavioral event visualization framework that allows for an easier realization of the malicious chain of events and for quickly spotting interesting actions performed during a security compromise. Also, we analyzed more than 400 malware samples from different families and showed that they can be classified based on their visual signature. Finally, we distribute one of our tools to be freely used by the community.

Lumus : Dynamically Uncovering Evasive Android Applications

Dynamic analysis of Android malware suffers from techniques that identify the analysis environment and prevent the malicious behavior from being observed. While there are many analysis solutions that can thwart evasive malware on Windows, the application of similar techniques for Android has not been studied in-depth. In this paper, we present Lumus, a novel technique to uncover evasive malware on Android. Lumus compares the execution traces of malware on bare metal and emulated environments. We used Lumus to analyze 1,470 Android malware samples and were able to uncover 192 evasive samples. Comparing our approach with other solutions yields better results in terms of accuracy and false positives. We discuss which information are typically used by evasive malware for detecting emulated environments, and conclude on how analysis sandboxes can be strengthened in the future.