Developing malware evaluation infrastructure

Cabaj, Krzysztof; Gawkowski, Piotr; Grochowski, Konrad; Kosik, Amadeusz

doi:10.15439/2016f490

Cited by 5 publications

(4 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cabaj et al [11] investigated six CryptoWall samples dynamically, focussing on the network activity, which allowed the tracking of infected proxies and the infrastructure behind the infection. This work was furthered in [12] with an expanded dataset (350 instances). In this work, multiple domain names resolved to the same IP addresses were found to be responsible for multiple C&C services Scaife et al [13] employed dynamic analysis on 492 ransomware samples from 14 families.…”

Section: B Dynamic Analysis Of Ransomwarementioning

confidence: 99%

Dynamic Opcode Analysis of Ransomware

Carlin

O’Kane

Sezer

2018

2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

View full text Add to dashboard Cite

The explosion of ransomware in recent years has served as a costly reminder that the malware threatscape has moved from that of socially-inept hobbyists to career criminals. This paper investigates the efficacy of dynamic opcode analysis in distinguishing cryptographic ransomware from benignware, and presents several novel contributions. Firstly, a new dataset of cryptoransomware dynamic run-traces, the largest of its kind in the literature. We release this to the wider research community to foster further research in the field. Our second novel contribution demonstrates that a short runlength of 32k opcodes can provide highly accurate detection of ransomware (99.56%) compared to benign software. Third, our model offers a distinct advantage over other models in the literature, in that it can detect a form of benign encryption (i.e. file zipping) with 100% accuracy against not only ransomware, but also the non-encrypting benignware in our dataset. The research presented here demonstrates that dynamic opcode tracing is capable of detecting ransomware in comparable times to static analysis, without being thwarted by obfuscation tactics.

show abstract

Section: B Dynamic Analysis Of Ransomwarementioning

confidence: 99%

Dynamic Opcode Analysis of Ransomware

Carlin

O’Kane

Sezer

2018

2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

View full text Add to dashboard Cite

show abstract

“…Cabaj et al (2015) investigated six CryptoWall samples dynamically, focusing on the network activity, which allowed the tracking of infected proxies and the infrastructure behind the infection. This work was furthered in Cabaj et al (2016) with an expanded dataset (350 instances). In this work, multiple domain names resolved to the same IP addresses were found to be responsible for multiple C&C services.…”

Section: B Dynamic Analysis Of Ransomwarementioning

confidence: 99%

Dynamic Analysis of Ran-somware using Opcodes and Opcode Categories

Carlin¹,

O’Kane²,

Sezer³

2018

IJCSA

View full text Add to dashboard Cite

The explosion of ransomware in recent years has served as a costly reminder that the malware threatscape has moved from that of socially-inept hobbyists to career criminals. This paper investigates the efficacy of dynamic opcode analysis in distinguishing cryptographic ransomware from benignware, and presents several novel contributions. Firstly, a new dataset of cryptoransomware dynamic run-traces, the largest of its kind in the literature. We release this to the wider research community to foster further research in the field. Our second novel contribution demonstrates that a short run-length of 32k opcodes can provide highly accurate detection of ransomware (99.56%) compared to benign software. Third, our model offers a distinct advantage over other models in the literature, in that it can detect a form of benign encryption (i.e. file zipping) with 100% accuracy against not only ransomware, but also the non-encrypting benignware in our dataset. The research presented here demonstrates that dynamic opcode tracing is capable of detecting ransomware in comparable times to static analysis, without being thwarted by obfuscation tactics.

show abstract

“…Of course, the Internet traffic cannot be completely denied due to the fact that modern malware, during the infection, downloads further elements from the Internet (e.g. the second stage of Locky ransomware) or contact Command and Control servers (C&C) [12]. The security researcher must determine the trade off between the risk introduced and collection of possibly valuable information when some protection mechanisms are loosen.…”

Section: Overview Of the Analytical Infrastructurementioning

confidence: 99%

“…Unfortunately, due to the great popularity of this system, these two virtual environments are the most often detected by the malware (in such case it simply stops its hostile activity). To deal with that, during our research we have developed two different environments dedicated for dynamic analysis -Maltester [13] and MESS [12].…”

Section: Overview Of the Analytical Infrastructurementioning

confidence: 99%

The impact of malware evolution on the analysis methods and infrastructure

Cabaj

Gawkowski

Grochowski

et al. 2017

Proceedings of the 2017 Federated Conference on Computer Science and Information Systems

Self Cite

View full text Add to dashboard Cite

Abstract-The huge number of malware introduced each day demands methods and tools for their automated analyses. Complex and distributed infrastructure of malicious software and new sophisticated techniques used to obstruct the analyses are discussed in the paper based on real-life malware evolution observed for a long time. Their impact on both toolsets and methods are presented based on practical development of systems for malware analyses and new features for existing tools.

show abstract

Developing malware evaluation infrastructure

Cited by 5 publications

References 4 publications

Dynamic Opcode Analysis of Ransomware

Dynamic Opcode Analysis of Ransomware

Dynamic Analysis of Ran-somware using Opcodes and Opcode Categories

The impact of malware evolution on the analysis methods and infrastructure

Contact Info

Product

Resources

About