Identification of executable files on the basis of statistical criteria

Krivtsova, Irina; Lebedev, Ilya; Salakhutdinova, Kseniya I.

doi:10.23919/fruct.2017.8071312

Cited by 6 publications

(1 citation statement)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This work is broadly similar to n-gram analysis (Kim , 2014). Another paper discusses identification of executable signatures on the basis of statistical criteria (Krivtsova, Lebedev and Salakhutdinova, 2017) but, again, there is no analysis of file sizes. The importance of the detection of executable files may lead to discovery of malware, either individually or as part of a botnet (Satrya, Cahyani and Andreta, 2015).…”

Section: File Sizesmentioning

confidence: 99%

The Treatment of Advanced Persistent Threats on Windows Based Systems

Bentley¹

View full text Add to dashboard Cite

Advanced Persistent Threat (APT) is the name given to individuals or groups who write malicious software (malware) and who have the intent to perform actions detrimental to the victim or the victims' organisation. This thesis investigates ways in which it is possible to treat APTs before, during and after the malware has been laid down on the victim's computer. The scope of the thesis is restricted to desktop and laptop computers with hard disk drives. APTs have different motivations for their work and this thesis is agnostic towards their origin and intent. Anti-malware companies freely present the work of APTs in many ways but summarise mainly in the form of white papers. Individually, pieces of these works give an incomplete picture of an APT but in aggregate it is possible to construct a view of APT families and pan-APT commonalities by comparing and contrasting the work of many anti-malware companies; it as if there are alot of the pieces of a jigsaw puzzle but there is no box lid available with the complete picture. In addition, academic papers provide proof of concept attacks and observations, some of which may become used by malware writers. Gaps in, and extensions to, the public knowledge may be filled through inference, implication, interpolation and extrapolation and form the basis for this thesis. The thesis presents a view of where APTs lie on windows-based systems. It uses this view to create and build generic views of where APTs lie on Hard Disc Drives on Windows based systems using the Lockheed Martin Cyber Kill Chain. This is then used to treat APTs on Windows based IT systems using purpose-built software in such a way that the malware is negated by. The thesis does not claim to find all malware on but it demonstrates how to increase the cost of doing business for APTs, for example by overwriting unused disc space so APTs cannot place malware there. The software developed was able to find Indicators of Compromise on all eight Hard Disc Drives provided for analysis. Separately, from a corpus of 228 files known to be associated with malware it identified approximately two thirds as Indicators of Compromise.

show abstract

Section: File Sizesmentioning

confidence: 99%