Kevin A. Roundy scite author profile

The first steps in analyzing defensive malware are understanding what obfuscations are present in realworld malware binaries, how these obfuscations hinder analysis, and how they can be overcome. While some obfuscations have been reported independently, this survey consolidates the discussion while adding substantial depth and breadth to it. This survey also quantifies the relative prevalence of these obfuscations by using the Dyninst binary analysis and instrumentation tool that was recently extended for defensive malware analysis. The goal of this survey is to encourage analysts to focus on resolving the obfuscations that are most prevalent in real-world malware.

show abstract

Generating Graph Snapshots from Streaming Edge Data

Soundarajan

Tamersoy

Khalil

et al. 2016

View full text Add to dashboard Cite

We study the problem of determining the proper aggregation granularity for a stream of time-stamped edges. Such streams are used to build time-evolving networks, which are subsequently used to study topics such as network growth. Currently, aggregation lengths are chosen arbitrarily, based on intuition or convenience. We describe ADAGE, which detects the appropriate aggregation intervals from streaming edges and outputs a sequence of structurally mature graphs. We demonstrate the value of ADAGE in automatically finding the appropriate aggregation intervals on edge streams for belief propagation to detect malicious files and machines.

show abstract

Large-Scale Identification of Malicious Singleton Files

Roundy

Gates

et al. 2017

View full text Add to dashboard Cite

Hybrid Analysis and Control of Malware

Roundy

Miller

2010

View full text Add to dashboard Cite

Abstract. Malware attacks necessitate extensive forensic analysis efforts that are manual-labor intensive because of the analysis-resistance techniques that malware authors employ. The most prevalent of these techniques are code unpacking, code overwriting, and control transfer obfuscations. We simplify the analyst's task by analyzing the code prior to its execution and by providing the ability to selectively monitor its execution. We achieve pre-execution analysis by combining static and dynamic techniques to construct control-and data-flow analyses. These analyses form the interface by which the analyst instruments the code. This interface simplifies the instrumentation task, allowing us to reduce the number of instrumented program locations by a hundred-fold relative to existing instrumentation-based methods of identifying unpacked code. We implement our techniques in SD-Dyninst and apply them to a large corpus of malware, performing analysis tasks such as code coverage tests and call-stack traversals that are greatly simplified by hybrid analysis.

show abstract

The Many Kinds of Creepware Used for Interpersonal Attacks

Roundy

Mendelberg

Dell

et al. 2020

View full text Add to dashboard Cite

Technology increasingly facilitates interpersonal attacks such as stalking, abuse, and other forms of harassment. While prior studies have examined the ecosystem of software designed for stalking, there exists an unstudied, larger landscape of apps-what we call creepware-used for interpersonal attacks. In this paper, we initiate a study of creepware using access to a dataset detailing the mobile apps installed on over 50 million Android devices. We develop a new algorithm, CreepRank, that uses the principle of guilt by association to help surface previously unknown examples of creepware, which we then characterize through a combination of quantitative and qualitative methods. We discovered apps used for harassment, impersonation, fraud, information theft, concealment, and even apps that purport to defend victims against such threats. As a result of our work, the Google Play Store has already removed hundreds of apps for policy violations. More broadly, our findings and techniques improve understanding of the creepware ecosystem, and will inform future efforts that aim to mitigate interpersonal attacks.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Kevin A. Roundy

Binary-code obfuscations in prevalent packer tools

Generating Graph Snapshots from Streaming Edge Data

Large-Scale Identification of Malicious Singleton Files

Hybrid Analysis and Control of Malware

The Many Kinds of Creepware Used for Interpersonal Attacks

Contact Info

Product

Resources

About