Multi-stage delivery of malware

Ramilli, Marco; Bishop, Matt

doi:10.1109/malware.2010.5665788

Cited by 21 publications

(13 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In some attacks, the document contains the complete malware payload the attacker wishes to deploy, while in others, the document only has enough code to download additional malware components [19,25,9,27]. Although exploitation of the reader program can result in the viewer program hanging or crashing, potentially alerting the user of a problem, sometimes such faults remain hidden from the end-user because the reader program is used as plug-in in a larger program, such as Internet browsers [11,5,17,3].…”

Section: Introductionmentioning

confidence: 99%

Malicious PDF detection using metadata and structural features

Smutz

Stavrou

2012

Proceedings of the 28th Annual Computer Security Applications Conference

222

204

View full text Add to dashboard Cite

Owed to their versatile functionality and widespread adoption, PDF documents have become a popular avenue for user exploitation ranging from large-scale phishing attacks to targeted attacks. In this paper, we present a framework for robust detection of malicious documents through machine learning. Our approach is based on features extracted from document metadata and structure. Using real-world datasets, we demonstrate the the adequacy of these document properties for malware detection and the durability of these features across new malware variants. Our analysis shows that the Random Forests classification method, an ensemble classifier that randomly selects features for each individual classification tree, yields the best detection rates, even on previously unseen malware.Indeed, using multiple datasets containing an aggregate of over 5,000 unique malicious documents and over 100,000 benign ones, our classification rates remain well above 99% while maintaining low false positives of 0.2% or less for different classification parameters and experimental scenarios. Moreover, the classifier has the ability to detect documents crafted for targeted attacks and separate them from broadly distributed malicious PDF documents. Remarkably, we also discovered that by artificially reducing the influence of the top features in the classifier, we can still achieve a high rate of detection in an adversarial setting where the attacker is aware of both the top features utilized in the classifier and our normality model. Thus, the classifier is resilient against mimicry attacks even with knowledge of the document features, classification method, and training set.

show abstract

Section: Introductionmentioning

confidence: 99%

Malicious PDF detection using metadata and structural features

Smutz

Stavrou

2012

Proceedings of the 28th Annual Computer Security Applications Conference

222

204

View full text Add to dashboard Cite

show abstract

“…This sleeper code can be activated anytime to alter or destroy information. Similar stealth methodologies are also employed during multistage delivery of malware discussed in [35] and the botnet's stealthy command and control execution model in [15].…”

Section: Advanced Persistent Threatsmentioning

confidence: 99%

“…They use deception to hide from detection while gradually gaining more privileges and information about the system. Such attacks are extremely dangerous and need innovative defense [35].…”

Section: Advanced Persistent Threatsmentioning

confidence: 99%

Deception-Based Survivability

Mehresh

Upadhyaya

2016

Secure System Design and Trustable Computing

View full text Add to dashboard Cite

Critical systems in current threat landscape demand more than just fault-tolerance and security; they demand survivability. Survivability is the ability of a system to continue delivering essential services during attacks, faults or accidents. This is usually accomplished via a four-layered defense setting that consists of prevention, detection, recovery and adaption. As evident by the recent incline in advanced persistent threats, the existing defense systems are in a dire need of evolution. This new generation of defense systems should be smart, adaptive and unlike traditional systems, stay ahead of the malicious actors. Many researchers have started to consider deception as a means to this end. Deception involves misrepresenting or hiding information in order to manipulate a user's actions. When engrafted in the prevention and detection layers, deception can help trace attacker intent, objective and strategies (AIOS) which aids in the development of targeted recovery and adaptation procedures. Such procedures, in turn, help a system survive in hostile environments. Though the adoption of deception-based defense has been hindered by legal and moral issues in the past but the recent increase in interest in this field holds great promise. This chapter discusses deception-based survivability, its benefits and shortcomings. It presents a high-level deployment architecture that uses deception to ensure system survivability. Other aspects of deception-based survivability such as performance overhead, continued effectiveness and precision have also been discussed.

show abstract

“…Malware has emerged as a challenging threat with the increased infection rates and levels of sophistication [1][2][3]. Examples of such threats include data exfiltration [4], denial-of-service attacks [5], and espionage [6], among many others.…”

Section: Introductionmentioning

confidence: 99%

“…This is achievable even when limiting the number of features below a quantity commonly used in the related literature. 3…”

Section: Introductionmentioning

confidence: 99%

Network-based Analysis and Classiﬁcation of Malware using Behavioral Artifacts Ordering

Mohaisen¹,

Alrawi²,

Park³

et al. 2018

ICST Transactions on Security and Safety

View full text Add to dashboard Cite

Using runtime execution artifacts to identify malware and its associated "family" is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, the use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics are often circumvented by subsequent malware authors. In this work, we propose Chatter, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse concatenations of those letters. Then, leveraging an analyst labeled corpus of malware, n-gram document classification techniques are applied to produce a classifier predicting malware family. This paper describes that technique and its proof-of-concept evaluation. In its prototype form only network events are considered and eleven malware families are used. We show the technique achieves 83%-94% accuracy in isolation and makes non-trivial performance improvements when integrated with a baseline classifier of combined order features to reach an accuracy of up to 98.8%.

show abstract

Multi-stage delivery of malware

Cited by 21 publications

References 11 publications

Malicious PDF detection using metadata and structural features

Malicious PDF detection using metadata and structural features

Deception-Based Survivability

Network-based Analysis and Classiﬁcation of Malware using Behavioral Artifacts Ordering

Contact Info

Product

Resources

About