Exploiting an antivirus interface

Hamlen, Kevin W.; Mohan, Vishwath; Masud, Mohammad Mehedy; Khan, Latifur; Thuraisingham, Bhavani

doi:10.1016/j.csi.2009.04.004

Cited by 30 publications

(9 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Modification of the malware code features used by a decision tree classifier on the basis of static analysis was presented in the work of Hamlen et al 18 The features used by the classification process were binary n-gram-a specific byte sequence (equals to sub-string of bytes) in the binary, collected via static analysis. The authors have con- the authors used feature insertion on the attacker's code to manually transform its feature set to the one found.…”

Section: Camouflage Algorithmsmentioning

confidence: 99%

“…As shown in the work of Hamlen et al, 18 an IDS decision tree can be recovered this way by exploiting public interfaces of an IDS and building the decision tree by feeding it with many samples and examining their classifications. Such knowledge can be gained by reverse engineering the IDS on the attacker's computer, without the need to gain access to the attacked system-one just needs access to IDS.…”

Section: Problem Descriptionmentioning

confidence: 99%

See 1 more Smart Citation

Bypassing system calls–based intrusion detection systems

Rosenberg

Gudes

2016

Concurrency and Computation

View full text Add to dashboard Cite

Machine learning augments today's intrusion detection system (IDS) capability to cope with unknown malware. However, if an attacker gains partial knowledge about the IDS' classifier, he can create a modified version of his malware, which can evade detection. In this article we present an IDS on the basis of various classifiers using system calls, executed by the inspected code as features. We then present a camouflage algorithm that is used to modify malicious code to be classified as benign, while preserving the code's functionality, for decision tree and random forest classifiers. We also present transformations to the classifier's input, to prevent this camouflageand a modified camouflage algorithm that overcomes those transformations. Our research shows that it is not enough to provide a decision tree based classifier with a large training set to counter malware. One must also be aware of the possibility that the classifier would be fooled by a camouflage algorithm, and try to counter such an attempt with techniques such as input transformation or training set updates.

show abstract

Section: Camouflage Algorithmsmentioning

confidence: 99%

Section: Problem Descriptionmentioning

confidence: 99%

Bypassing system calls–based intrusion detection systems

Rosenberg

Gudes

2016

Concurrency and Computation

View full text Add to dashboard Cite

show abstract

“…One way to address this problem is to update the signatures, which achieves superior adaptability over current polymorphic malware. While this advantage has kept antivirus products mostly ahead in the virus-antivirus co-evolution race [16] up to the present time, a malware detector needs to be adaptive to cope with the changes in the wild.…”

Section: Introductionmentioning

confidence: 99%

Evolving Stream Classification using Change Detection

Mustafa

Haque

Khan

et al. 2014

Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing

Self Cite

View full text Add to dashboard Cite

Classifying instances in evolving data stream is a challenging task because of its properties, e.g., infinite length, concept drift, and concept evolution. Most of the currently available approaches to classify stream data instances divide the stream data into fixed size chunks to fit the data in memory and process the fixed size chunk one after another. However, this may lead to failure of capturing the concept drift immediately. We try to determine the chunk size dynamically by exploiting change point detection (CPD) techniques on stream data. In general, the distribution families before and after the change point are unknown over the stream, therefore non-parametric CPD algorithms are used in this case. We propose a multi-dimensional non-parametric CPD technique to determine chunk boundary over data streams dynamically which leads to better models to classify instances of evolving data streams. Experimental results show that our approach can detect the change points and classify instances of evolving data stream with high accuracy as compared to other baseline approaches.

show abstract

“…However, the escalating rate of new malware appearances and the advent of self-mutating, polymorphic malware over the past decade have made manual signature updating less practical. This has led to the development of automated data mining techniques for malware detection (e.g., Kolter and Maloof [2004], Schultz et al [2001], Masud et al [2008a], and Hamlen et al [2009] executable. These malware detectors are first trained so that they can generalize the distinction between malicious and benign executables, and thus detect future instances of malware.…”

Section: Related Workmentioning

confidence: 99%

Secure Cloud Query Processing with Relational Data

Thuraisingham¹

2013

Developing and Securing the Cloud

View full text Add to dashboard Cite

Data stream classification for intrusion detection poses at least three major challenges. First, these data streams are typically infinite-length, making traditional multipass learning algorithms inapplicable. Second, they exhibit significant concept-drift as attackers react and adapt to defenses. Third, for data streams that do not have any fixed feature set, such as text streams, an additional feature extraction and selection task must be performed. If the number of candidate features is too large, then traditional feature extraction techniques fail.In order to address the first two challenges, this article proposes a multipartition, multichunk ensemble classifier in which a collection of v classifiers is trained from r consecutive data chunks using v-fold partitioning of the data, yielding an ensemble of such classifiers. This multipartition, multichunk ensemble technique significantly reduces classification error compared to existing single-partition, single-chunk ensemble approaches, wherein a single data chunk is used to train each classifier. To address the third challenge, a feature extraction and selection technique is proposed for data streams that do not have any fixed feature set. The technique's scalability is demonstrated through an implementation for the Hadoop MapReduce cloud computing architecture. Both theoretical and empirical evidence demonstrate its effectiveness over other state-of-the-art stream classification techniques on synthetic data, real botnet traffic, and malicious executables.

show abstract

Exploiting an antivirus interface

Cited by 30 publications

References 12 publications

Bypassing system calls–based intrusion detection systems

Bypassing system calls–based intrusion detection systems

Evolving Stream Classification using Change Detection

Secure Cloud Query Processing with Relational Data

Contact Info

Product

Resources

About