Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Mills, Alan; Legg, Phil

doi:10.3390/jcp1010003

Cited by 16 publications

(5 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The evaluation confirmed that parameter-tuned LightGBM in the 3rd stage detected DoH traffic generated by Pad-Crypt [22], Sisron [23], Tinba [24], [25], and Zloader [26] with 99.12% accuracy. In addition, parameter-tuned LightGBM in the 1st stage filtered DoH traffic with 99.92% accuracy, and parameter-tuned CatBoost in the 2nd stage recognized suspi- cious DoH traffic with 99.97% accuracy.…”

Section: Introductionsupporting

confidence: 57%

Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis

Mitsuhashi

Jin

Iida

et al. 2023

2023 IEEE 20th Consumer Communications &Amp; Networking Conference (CCNC)

View full text Add to dashboard Cite

Encrypted domain name resolution can reduce the risk of privacy leakage for Internet users, but it may also prevent network administrators from detecting suspicious communications. Since operating systems supporting DNS over HTTPS (DoH) have increased in recent years, malware that uses Domain Generation Algorithm (DGA) can exploit it to hide the generated domain names. In this paper, we propose a system that detects DGA-based malware communications from DoH traffic. Based on the concept of hierarchical machine learning analysis, the proposed system classifies network traffic with Gradient Boosting Decision Tree (GBDT) and tree-ensemble models. The evaluation confirmed that the system was able to detect DoH traffic generated by PadCrypt, Sisron, Tinba, and Zloader with 99.12% accuracy. The results indicate that the system has the ability to detect different DGA-based malware communications from DoH traffic with sufficient accuracy to support network administrators.

show abstract

Section: Introductionsupporting

confidence: 57%

Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis

Mitsuhashi

Jin

Iida

et al. 2023

2023 IEEE 20th Consumer Communications &Amp; Networking Conference (CCNC)

View full text Add to dashboard Cite

show abstract

“…One challenge in any sandbox monitoring agent is whether the agent itself is compromised or interferes with the malware execution. Many malware samples look for environment parameters that may suggest they are running in a sandbox [19], such as the present of agent.py which is used by Cuckoo or the phrase "VMware" occurring in the Windows registry. We found that our various data collectors would terminate at different times, which is likely related to this.…”

Section: Discussionmentioning

confidence: 99%

Investigating Malware Propagation and Behaviour Using System and Network Pixel-Based Visualisation

Williams

Legg

2021

SN COMPUT. SCI.

Self Cite

View full text Add to dashboard Cite

Malicious software, known as malware, is a perpetual game of cat and mouse between malicious software developers and security professionals. Recent years have seen many high profile cyber attacks, including the WannaCry and NotPetya ransomware attacks that resulted in major financial damages to many businesses and institutions. Understanding the characteristics of such malware, including how malware can propagate and interact between systems and networks is key for mitigating these threats and containing the infection to avoid further damage. In this study, we present visualisation techniques for understanding the propagation characteristics in dynamic malware analysis. We propose the use of pixel-based visualisations to convey large-scale complex information about network hosts in a scalable and informative manner. We demonstrate our approach using a virtualised network environment, whereby we can deploy malware variants and observe their propagation behaviours. As a novel form of visualising system and network activity data across a complex environment, we can begin to understand visual signatures that can help analysts identify key characteristics of the malicious behaviours, and, therefore, provoke response and mitigation against such attacks.

show abstract

“…Moreover, mimicking legitimate behavior is a widely used strategy by todays malware ( Bulazel & Yener, 2017 ; Alaeiyan, Parsa & Conti, 2019 ; Or-Meir et al, 2019 ; Afianian, Niksefat & Sadeghiyan, 2019 ; Mills & Legg, 2020 ; Amer, El-Sappagh & Hu, 2020 ). In addition, evasion behaviors have been observed in both benign and malicious classes ( Galloro et al, 2022 ).…”

Section: The Proposed Methodsmentioning

confidence: 99%

“…By analyzing 45,375 malware samples, Galloro et al (2022) concluded that the use of evasion mechanisms has increased among malware by 12% over the past ten years, and 88% of malicious software can perform new evasion behaviors rather than the older ones. Evasive malware instances either imitate legitimate behaviors or violently interrupt the execution in sandboxed execution conditions ( Bulazel & Yener, 2017 ; Alaeiyan, Parsa & Conti, 2019 ; Or-Meir et al, 2019 ; Afianian, Niksefat & Sadeghiyan, 2019 ; Mills & Legg, 2020 ). Additionally, Galloro et al (2022) in their work, reported that evasion behaviors have picked up in both malware and benign instances because those evasion techniques have been originally developed for a legitimate purpose, such as to prevent reversing, and protect intellectual property.…”

Section: Introductionmentioning

confidence: 99%

A Kullback-Liebler divergence-based representation algorithm for malware detection

Aboaoja,

Zainal,

Ghaleb

et al. 2023

PeerJ Computer Science

View full text Add to dashboard Cite

Background Malware, malicious software, is the major security concern of the digital realm. Conventional cyber-security solutions are challenged by sophisticated malicious behaviors. Currently, an overlap between malicious and legitimate behaviors causes more difficulties in characterizing those behaviors as malicious or legitimate activities. For instance, evasive malware often mimics legitimate behaviors, and evasion techniques are utilized by legitimate and malicious software. Problem Most of the existing solutions use the traditional term of frequency-inverse document frequency (TF-IDF) technique or its concept to represent malware behaviors. However, the traditional TF-IDF and the developed techniques represent the features, especially the shared ones, inaccurately because those techniques calculate a weight for each feature without considering its distribution in each class; instead, the generated weight is generated based on the distribution of the feature among all the documents. Such presumption can reduce the meaning of those features, and when those features are used to classify malware, they lead to a high false alarms. Method This study proposes a Kullback-Liebler Divergence-based Term Frequency-Probability Class Distribution (KLD-based TF-PCD) algorithm to represent the extracted features based on the differences between the probability distributions of the terms in malware and benign classes. Unlike the existing solution, the proposed algorithm increases the weights of the important features by using the Kullback-Liebler Divergence tool to measure the differences between their probability distributions in malware and benign classes. Results The experimental results show that the proposed KLD-based TF-PCD algorithm achieved an accuracy of 0.972, the false positive rate of 0.037, and the F-measure of 0.978. Such results were significant compared to the related work studies. Thus, the proposed KLD-based TF-PCD algorithm contributes to improving the security of cyberspace. Conclusion New meaningful characteristics have been added by the proposed algorithm to promote the learned knowledge of the classifiers, and thus increase their ability to classify malicious behaviors accurately.

show abstract

Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques

Cited by 16 publications

References 27 publications

Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis

Detection of DGA-based Malware Communications from DoH Traffic Using Machine Learning Analysis

Investigating Malware Propagation and Behaviour Using System and Network Pixel-Based Visualisation

A Kullback-Liebler divergence-based representation algorithm for malware detection

Contact Info

Product

Resources

About