Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Kim, Minho; Cho, Haehyun; Yi, Jeong Hyun

doi:10.1109/access.2022.3190978

Cited by 8 publications

(7 citation statements)

References 15 publications

(21 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In line with recent research detailing the success of DBI tools in countering malware evasive behavior 19,23,[32][33][34] Pin allocates on the heap. Pinvm.dll makes a copy of the malware executable along with the injected Peekaboo instrumentation code in the code cache 70 .…”

Section: Methodssupporting

confidence: 77%

“…However, there is an existing body of research that have developed methods to defeat the anti-instrumentation probes performed by malware 19,21,30,33,34 . In contrast to the 80% and 99% of malware samples that used anti-analysis techniques, identi ed above, Kim, et al 32 and Polino, et al 33 found that approximately 16% and 15% of malware used anti-instrumentation techniques. This indicates the evasive techniques used by malware authors are not focused on DBI but rather virtualization, debuggers, and sandboxes.…”

Section: Introductionmentioning

confidence: 91%

“…NtGlobalFlag is a variable in the Process Execution Block (PEB) that is set to 0x70 when a debugger is attached 32 . A 64-bit and 32-bit PEB is created by the Windows 10 64-bit VM when running the 32-bit malware, where the NtGlobalFlag is set to 0x70 for the 64-bit PEB.…”

Section: Anti-dbimentioning

confidence: 99%

“…These API and System calls are used by benign software for legitimate purposes but are also exploited by malware. Further, Central Processing Unit (CPU) identi cation, detecting differences in the memory address space as well as differences in operation timings can be used to identify debuggers, sandboxes and DBI 12,19,24,25,32,33 .…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Defeating Evasive Malware with Peekaboo: Extracting Authentic Malware Behavior with Dynamic Binary Instrumentation

Gaber,

Ahmed,

Janicke

2024

Preprint

View full text Add to dashboard Cite

The accuracy of Artificial Intelligence (AI) in malware detection is dependent on the features it is trained with, where the quality and authenticity of these features is dependent on the dataset and the analysis tool. Evasive malware, that alters its behavior in analysis environments, is challenging to extract authentic features from where widely used static and dynamic analysis tools have several limitations. However, Dynamic Binary Instrumentation (DBI) allows deep and precise control of the malware sample, thereby facilitating the extraction of authentic behavior from evasive malware. Considering the limitations of malware analysis for use with AI, this research had two primary objectives: investigation of the evasive techniques used by modern malware and the creation of Peekaboo, a DBI tool to extract authentic data from live malware samples. Peekaboo instruments and defeats evasive techniques that target analysis tools and virtual environments. A dataset of 20,500 samples was assembled and each sample was run for up to 15 minutes to observe not only the anti-analysis techniques used but also its complete behavior. Peekaboo outperforms other tools on several fronts, it is the only tool to measure start and completion rates, capture the executed Assembly (ASM) instructions, record all network traffic and implements the largest coverage against evasive techniques.

show abstract

Section: Methodssupporting

confidence: 77%

Section: Introductionmentioning

confidence: 91%

Section: Anti-dbimentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Defeating Evasive Malware with Peekaboo: Extracting Authentic Malware Behavior with Dynamic Binary Instrumentation

Gaber,

Ahmed,

Janicke

2024

Preprint

View full text Add to dashboard Cite

show abstract

“…Several studies ( Shijo & Salim, 2015 ; Darshan & Jaidhar, 2019 ; Yoo et al, 2021 ) stated that dynamic analysis offers more reliable detection capabilities than static analysis. On the other hand, malware authors use immediate evasion techniques as a defense against dynamic analysis ( Kim et al, 2022 ). By analyzing 45,375 malware samples, Galloro et al (2022) concluded that the use of evasion mechanisms has increased among malware by 12% over the past ten years, and 88% of malicious software can perform new evasion behaviors rather than the older ones.…”

Section: Introductionmentioning

confidence: 99%

A Kullback-Liebler divergence-based representation algorithm for malware detection

Aboaoja,

Zainal,

Ghaleb

et al. 2023

PeerJ Computer Science

View full text Add to dashboard Cite

Background Malware, malicious software, is the major security concern of the digital realm. Conventional cyber-security solutions are challenged by sophisticated malicious behaviors. Currently, an overlap between malicious and legitimate behaviors causes more difficulties in characterizing those behaviors as malicious or legitimate activities. For instance, evasive malware often mimics legitimate behaviors, and evasion techniques are utilized by legitimate and malicious software. Problem Most of the existing solutions use the traditional term of frequency-inverse document frequency (TF-IDF) technique or its concept to represent malware behaviors. However, the traditional TF-IDF and the developed techniques represent the features, especially the shared ones, inaccurately because those techniques calculate a weight for each feature without considering its distribution in each class; instead, the generated weight is generated based on the distribution of the feature among all the documents. Such presumption can reduce the meaning of those features, and when those features are used to classify malware, they lead to a high false alarms. Method This study proposes a Kullback-Liebler Divergence-based Term Frequency-Probability Class Distribution (KLD-based TF-PCD) algorithm to represent the extracted features based on the differences between the probability distributions of the terms in malware and benign classes. Unlike the existing solution, the proposed algorithm increases the weights of the important features by using the Kullback-Liebler Divergence tool to measure the differences between their probability distributions in malware and benign classes. Results The experimental results show that the proposed KLD-based TF-PCD algorithm achieved an accuracy of 0.972, the false positive rate of 0.037, and the F-measure of 0.978. Such results were significant compared to the related work studies. Thus, the proposed KLD-based TF-PCD algorithm contributes to improving the security of cyberspace. Conclusion New meaningful characteristics have been added by the proposed algorithm to promote the learned knowledge of the classifiers, and thus increase their ability to classify malicious behaviors accurately.

show abstract

Cybersecurity for autonomous vehicles against malware attacks in smart-cities

Aurangzeb,

Aleem,

Khan

et al. 2023

Cluster Comput

View full text Add to dashboard Cite

Smart Autonomous Vehicles (AVSs) are networks of Cyber-Physical Systems (CPSs) in which they wirelessly communicate with other CPSs sub-systems (e.g., smart -vehicles and smart-devices) to efficiently and securely plan safe travel. Due to unreliable wireless communication among them, such vehicles are an easy target of malware attacks that may compromise vehicles’ autonomy, increase inter-vehicle communication latency, and drain vehicles’ power. Such compromises may result in traffic congestion, threaten the safety of passengers, and can result in financial loss. Therefore, real-time detection of such attacks is key to the safe smart transportation and Intelligent Transport Systems (ITSs). Current approaches either employ static analysis or dynamic analysis techniques to detect such attacks. However, these approaches may not detect malware in real-time because of zero-day attacks and huge computational resources. Therefore, we introduce a hybrid approach that combines the strength of both analyses to efficiently detect malware for the privacy of smart-cities.

show abstract

Large-Scale Analysis on Anti-Analysis Techniques in Real-World Malware

Cited by 8 publications

References 15 publications

Defeating Evasive Malware with Peekaboo: Extracting Authentic Malware Behavior with Dynamic Binary Instrumentation

Defeating Evasive Malware with Peekaboo: Extracting Authentic Malware Behavior with Dynamic Binary Instrumentation

A Kullback-Liebler divergence-based representation algorithm for malware detection

Cybersecurity for autonomous vehicles against malware attacks in smart-cities

Contact Info

Product

Resources

About