Shadow attacks: automatically evading system-call-behavior based malware detection

Ma, Weiqin; Duan, Pu; Liu, Sanmin; Gu, Guofei; Liu, Jyh-Charn

doi:10.1007/s11416-011-0157-5

Cited by 68 publications

(33 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Because behavioral systems do not make assumptions on the types of attacks that can be detected, they target detection of unknown attacks, unlike signature-based intrusion detection systems which can be easily bypassed by new attacks. It has also been shown that it is possible for attackers to bypass such detection mechanisms as well [30,38,53,55]. Hence, although behavioral intrusion detection could, as a side effect, reduce the kernel attack surface (because a kernel exploit's sequence of system calls might deviate from the normal use of the application), it is bypassable by using one of many known techniques, especially in the context of kernel attack surface reduction.…”

Section: System Call Monitoring and Access Controlmentioning

confidence: 99%

Quantifiable Run-Time Kernel Attack Surface Reduction

Kurmus

Dechand

Kapitza

2014

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

Abstract. The sheer size of commodity operating system kernels makes them a prime target for local attackers aiming to escalate privileges. At the same time, as much as 90% of kernel functions are not required for processing system calls originating from a typical network daemon. This results in an unnecessarily high exposure. In this paper, we introduce kRazor, an approach to reduce the kernel's attack surface by limiting the amount of kernel code accessible to an application. KRAZOR first traces individual kernel functions used by an application. KRAZOR can then detect and prevent uses of unnecessary kernel functions by a process. This step is implemented as a kernel module that instruments select kernel functions. A heuristic on the kernel function selection allows KRAZOR to have negligible performance overhead. We evaluate results under real-world workloads for four typical server applications. Results show that the performance overhead and false positives remain low, while the attack surface reduction can be as high as 80%.

show abstract

Section: System Call Monitoring and Access Controlmentioning

confidence: 99%

Quantifiable Run-Time Kernel Attack Surface Reduction

Kurmus

Dechand

Kapitza

2014

Detection of Intrusions and Malware, and Vulnerability Assessment

View full text Add to dashboard Cite

show abstract

“…First, traditional solutions would only intercept a lot of system calls used to interact with the Binder driver, hiding the real actions performed by the application. Second, the use of IPC in Android apps breaks the execution flow of an app into chains among multiple processes, making the evasion of traditional syscall-based behavior monitoring easier [42].…”

Section: Introductionmentioning

confidence: 99%

Vetting undesirable behaviors in android apps with permission use analysis

Zhang

Yang

et al. 2013

Proceedings of the 2013 ACM SIGSAC Conference on Computer &Amp; Communications Security - CCS '13

Self Cite

264

138

View full text Add to dashboard Cite

Android platform adopts permissions to protect sensitive resources from untrusted apps. However, after permissions are granted by users at install time, apps could use these permissions (sensitive resources) with no further restrictions. Thus, recent years have witnessed the explosion of undesirable behaviors in Android apps. An important part in the defense is the accurate analysis of Android apps. However, traditional syscall-based analysis techniques are not well-suited for Android, because they could not capture critical interactions between the application and the Android system. This paper presents VetDroid, a dynamic analysis platform for reconstructing sensitive behaviors in Android apps from a novel permission use perspective. VetDroid features a systematic framework to effectively construct permission use behaviors, i.e., how applications use permissions to access (sensitive) system resources, and how these acquired permission-sensitive resources are further utilized by the application. With permission use behaviors, security analysts can easily examine the internal sensitive behaviors of an app. Using real-world Android malware, we show that VetDroid can clearly reconstruct fine-grained malicious behaviors to ease malware analysis. We further apply VetDroid to 1,249 top free apps in Google Play. VetDroid can assist in finding more information leaks than TaintDroid [24], a state-of-the-art technique. In addition, we show how we can use VetDroid to analyze fine-grained causes of information leaks that TaintDroid cannot reveal. Finally, we show that VetDroid can help identify subtle vulnerabilities in some (top free) applications otherwise hard to detect.

show abstract

“…To counter system-call based approaches, malware authors make use of shadow attacks [13] and system-call injection attacks [14]. The feasibility of former attacks was first demonstrated by authors in [13].…”

Section: Introductionmentioning

confidence: 99%

“…The feasibility of former attacks was first demonstrated by authors in [13]. The authors in their paper have shown that the critical system-call sequences of malware can be divided and exported into separate shadow processes.…”

Section: Introductionmentioning

confidence: 99%

Employing Program Semantics for Malware Detection

Naval

Laxmi

Rajarajan

et al. 2015

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

This is the accepted version of the paper.This version of the publication may differ from the final published version. Abstract-In recent years, malware has emerged as a critical security threat. Additionally, malware authors continue to embed numerous anti-detection features to evade existing malware detection approaches. Against this advanced class of malicious programs, dynamic behavior-based malware detection approaches outperform the traditional signature-based approaches by neutralizing the effects of obfuscation and morphing techniques. The majority of dynamic behavior detectors rely on system-calls to model the infection and propagation dynamics of malware. However, these approaches do not account an important antidetection feature of modern malware, i.e., system-call injection attack. This attack allows the malicious binaries to inject irrelevant and independent system-calls during the program execution thus modifying the execution sequences defeating the existing system-call based detection. To address this problem, we propose an evasion-proof solution that is not vulnerable to system-call injection attacks. Our proposed approach precisely characterizes the program semantics using Asymptotic Equipartition Property (AEP) mainly applied in information theoretic domain. The AEP allows us to extract the information-rich call sequences that are further quantified to detect the malicious binaries. Furthermore, the proposed detection model is less vulnerable to call-injection attacks as the discriminating components are not directly visible to malware authors. This particular characteristic of proposed approach hampers a malware author's aim of defeating our approach. We run a thorough set of experiments to evaluate our solution and compare it with existing systemcall based malware detection techniques. The results demonstrate that the proposed solution is effective in identifying real malware instances. Permanent repository link

show abstract

Shadow attacks: automatically evading system-call-behavior based malware detection

Cited by 68 publications

References 22 publications

Quantifiable Run-Time Kernel Attack Surface Reduction

Quantifiable Run-Time Kernel Attack Surface Reduction

Vetting undesirable behaviors in android apps with permission use analysis

Employing Program Semantics for Malware Detection

Contact Info

Product

Resources

About