EnCoD: Distinguishing Compressed and Encrypted File Fragments

Gaspari, Fabio De; Hitaj, Dorjan; Pagnotta, Giulio; Carli, Lorenzo De; Mancini, Luigi V.

doi:10.1007/978-3-030-65745-1_3

Cited by 19 publications

(10 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Mbol et al [45] use a test based on the Kullback-Liebler divergence to detect ransomware converting high-entropy JPEG files to encrypted content. Depending exclusively on randomness is dangerous [46,47] for reasons pointed out in Sect. 4.1.…”

Section: Ransomware Detectionmentioning

confidence: 99%

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Gaspari

Hitaj

Pagnotta

et al. 2022

Neural Comput & Applic

Self Cite

View full text Add to dashboard Cite

Recent progress in machine learning has led to promising results in behavioral malware detection. Behavioral modeling identifies malicious processes via features derived by their runtime behavior. Behavioral features hold great promise as they are intrinsically related to the functioning of each malware, and are therefore considered difficult to evade. Indeed, while a significant amount of results exists on evasion of static malware features, evasion of dynamic features has seen limited work. This paper examines the robustness of behavioral ransomware detectors to evasion and proposes multiple novel techniques to evade them. Ransomware behavior differs significantly from that of benign processes, making it an ideal best case for behavioral detectors, and a difficult candidate for evasion. We identify and propose a set of novel attacks that distribute the overall malware workload across a small set of independent, cooperating processes in order to avoid the generation of significant behavioral features. Our most effective attack decreases the accuracy of a state-of-the-art classifier from 98.6 to 0% using only 18 cooperating processes. Furthermore, we show our attacks to be effective against commercial ransomware detectors in a black-box setting. Finally, we evaluate a detector designed to identify our most effective attack, as well as discuss potential directions to mitigate our most advanced attack.

show abstract

Section: Ransomware Detectionmentioning

confidence: 99%

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Gaspari

Hitaj

Pagnotta

et al. 2022

Neural Comput & Applic

Self Cite

View full text Add to dashboard Cite

show abstract

“…Entropy of binaries has also been reliably used as an indicator of maliciousness [37,49], although recent research has shown that this assumption may be flawed [38] regarding packers. This is similar to network forensics, wherein it can be assumed that entropy is an indicator of encryption and therefore maliciousness [22]. These works are only loosely related to our proposal, as they give the intuition that integrating measures of entropy as part of the features can potentially improve detection and classification results.…”

Section: Year Workmentioning

confidence: 86%

MalPhase: Fine-Grained Malware Detection Using Network Flow Data

Piskozub,

De Gaspari,

Barr-Smith

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Economic incentives encourage malware authors to constantly develop new, increasingly complex malware to steal sensitive data or blackmail individuals and companies into paying large ransoms. In 2017, the worldwide economic impact of cyberattacks is estimated to be between 445 and 600 billion USD, or 0.8% of global GDP 1 . Traditionally, one of the approaches used to defend against malware is network traffic analysis, which relies on network data to detect the presence of potentially malicious software. However, to keep up with increasing network speeds and amount of traffic, network analysis is generally limited to work on aggregated network data, which is traditionally challenging and yields mixed results. In this paper we present MalPhase, a system that was designed to cope with the limitations of aggregated flows. MalPhase features a multiphase pipeline for malware detection, type and family classification. The use of an extended set of network flow features and a simultaneous multi-tier architecture facilitates a performance improvement for deep learning models, making them able to detect malicious flows (> 98% F1) and categorize them to a respective malware type (> 93% F1) and family (> 91% F1). Furthermore, the use of robust features and denoising autoencoders allows MalPhase to perform well on samples with varying amounts of benign traffic mixed in. Finally, MalPhase detects unseen malware samples with performance comparable to that of known samples, even when interlaced with benign flows to reflect realistic network environments.

show abstract

“…В [18] используется NIST для определения сжатых и зашифрованных документов. В [19] (и расширенной версии статьи [20]) для классификации шифрованного и популярных форматов сжатого трафика используется нейронная сеть со значениями функции плотности вероятности поинтервального распределения значений байтов в фрагментах данных в качестве признаков. По результатам экспериментов на наборе файлов этот метод показывает высокие качество и скорость работы, но для хороших результатов минимальный размер анализируемого фрагмента ограничен снизу примерно 2 КБ.…”

Section: обзор существующих методов решенияunclassified

“…Также есть исследования по применению искусственных сетей к решаемой задаче. Среди архитектур есть как сети прямого распространения ( [12], [19]), так и свёрточные ( [12]). В [12] авторам не удалось добиться высоких результатов классификации, хотя лучший из полученных (около 70%) всё-таки статистически превосходит классификацию случайным выбором).…”

Section: использование машинного обученияunclassified

“…В [12] авторам не удалось добиться высоких результатов классификации, хотя лучший из полученных (около 70%) всё-таки статистически превосходит классификацию случайным выбором). В [19] классификаторы, объединяющие признаки, получаемые тестами из NIST, тест хи-квадрат и сам фрагмент, показали хорошие результаты, превосходящие другие методы, при достаточном размере анализируемого фрагмента данных.…”

Section: использование машинного обученияunclassified

See 1 more Smart Citation

Identification of transparent, compressed and encrypted data in network traffic

Getman¹,

Иконникова²

2021

Proceedings of ISP RAS

View full text Add to dashboard Cite

The article is dedicated to the problem of classifying network traffic into three categories: transparent, compressed and opaque, preferably in real-time. It begins with the description of the areas where this problem needs to be solved, then proceeds to the existing solutions with their methods, advantages and limitations. As most of the current research is done either in the area of separating traffic into transparent and opaque or into compressed and encrypted, the need arises to combine a subset of existing methods to unite these two problems into one. As later the main mathematical ideas and suggestions that lie behind the ideas used in the research done by other scientists are described, the list of the best performing of them is composed to be combined together and used as the features for the random forest classificator, which will divide the provided traffic into three classes. The best performing of these features are used, the optimal tree parameters are chosen and, what’s more, the initial three class classifier is divided into two sequential ones to save time needed for classifying in case of transparent packets. Then comes the proposition of the new method to classify the whole network flow as one into one of those three classes, the validity of which is confirmed on several examples of the protocols most specific in this area (SSH, SSL). The article concludes with the directions in which this research is to be continued, mostly optimizing it for real-time classification and obtaining more samples of traffic suitable for experiments and demonstrations.

show abstract

EnCoD: Distinguishing Compressed and Encrypted File Fragments

Cited by 19 publications

References 22 publications

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

Evading behavioral classifiers: a comprehensive analysis on evading ransomware detection techniques

MalPhase: Fine-Grained Malware Detection Using Network Flow Data

Identification of transparent, compressed and encrypted data in network traffic

Contact Info

Product

Resources

About