Understanding Fileless Attacks on Linux-based IoT Devices with HoneyCloud

Dang, Fan; Li, Zhenhua; Zhai, Ennan; Chen, Qi Alfred; Xu, Tianyin; Chen, Yan; Jing-yu, Yang

doi:10.1145/3307334.3326083

Cited by 51 publications

(36 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recently developed new techniques such as process hollowing [13], AtomBombing [3] and shim-based DLL injection [2] have also been applied in real-world malware. Fileless malware, which follows the "living off the land" attack strategy, has been actively studied by both industry [6] and academia [42]. While characterized by its avoidance of using files during an attack, we believe that PROVDETECTOR will also be helpful in detecting certain types of fileless malware whose behavior can be tracked by our kernel-level provenance tracing.…”

Section: Stealthy Malwarementioning

confidence: 99%

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Wang¹,

Hassan²,

Ding³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

106

View full text Add to dashboard Cite

To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average F1 score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

show abstract

Section: Stealthy Malwarementioning

confidence: 99%

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Wang¹,

Hassan²,

Ding³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

106

View full text Add to dashboard Cite

show abstract

“…In a similar manner to LotL techniques on Windows, these binaries can be used to achieve malicious functionality. Whilst Linux malware are not as numerous as their Windows counterparts, it is a subject worthy of analysis due to the rise of IoT botnets running lightweight Linux systems [12].…”

Section: Limitations and Future Workmentioning

confidence: 99%

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Barr-Smith

Ugarte-Pedrero

Graziano

et al. 2021

2021 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

As malware detection algorithms and methods become more sophisticated, malware authors adopt equally sophisticated evasion mechanisms to defeat them. Anecdotal evidence claims Living-Off-The-Land (LotL) techniques are one of the major evasion techniques used in many malware attacks. These techniques leverage binaries already present in the system to conduct malicious actions. We present the first large-scale systematic investigation of the use of these techniques by malware on Windows systems.In this paper, we analyse how common the use of these native system binaries is across several malware datasets, containing a total of 31,805,549 samples. We identify an average 9.41% prevalence. Our results show that the use of LotL techniques is prolific, particularly in Advanced Persistent Threat (APT) malware samples where the prevalence is 26.26%, over twice that of commodity malware.To illustrate the evasive potential of LotL techniques, we test the usage of LotL techniques against several fully patched Windows systems in a local sandboxed environment and show that there is a generalised detection gap in 10 of the most popular anti-virus products.

show abstract

“…Various studies on fileless cyberattacks have been conducted. For example, to identify fileless cyberattacks against Linux-based Internet-of-Things machines, Dang and others designed a software-and hardware-based honey pot and collected data on malicious code for approximately one year [4]. They confirmed that among the malicious code collected, 10% were fileless cyberattacks, which were then classified into eight groups using the characteristics of the corresponding attacks.…”

Section: Literature Reviewmentioning

confidence: 99%

Fileless cyberattacks: Analysis and classification

et al. 2020

View full text Add to dashboard Cite

With cyberattack techniques on the rise, there have been increasing developments in the detection techniques that defend against such attacks. However, cyber attackers are now developing fileless malware to bypass existing detection techniques. To combat this trend, security vendors are publishing analysis reports to help manage and better understand fileless malware. However, only fragmentary analysis reports for specific fileless cyberattacks exist, and there have been no comprehensive analyses on the variety of fileless cyberattacks that can be encountered. In this study, we analyze 10 selected cyberattacks that have occurred over the past five years in which fileless techniques were utilized. We also propose a methodology for classification based on the attack techniques and characteristics used in fileless cyberattacks.Finally, we describe how the response time can be improved during a fileless attack using our quick and effective classification technique.

show abstract

Understanding Fileless Attacks on Linux-based IoT Devices with HoneyCloud

Cited by 51 publications

References 14 publications

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Fileless cyberattacks: Analysis and classification

Contact Info

Product

Resources

About