The arms race: Adversarial search defeats entropy used to detect malware

Menéndez, Héctor D.; Bhattacharya, Swapan; Clark, David; Barr, Earl T.

doi:10.1016/j.eswa.2018.10.011

Cited by 31 publications

(38 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The process of extracting an entropy profile is based on Sorokin’s structural entropy method [ 8 ]. For a detailed description we reference Section 2 of [ 9 ], the following summarizes this process. The main three steps are: Partition the file in chunks, i.e., small parts of the same size, and calculate their entropy to generate an entropy sequence.…”

Section: Mimickav: Mimicking Anti-virus Softwarementioning

confidence: 99%

“…Suppose

as the set of all chunks ( N chunks) after partitioning. Following the work of Sorokin [ 8 ] on entropy profiles and subsequent works [ 9 ], we consider the entropy at byte granularity, therefore we use the chunk string as a byte string, and calculate the probability of every byte inside the chunk to measure the Shannon entropy. The Shannon entropy, which measures the levels of randomness on data, for a specific chunk

is computed as:

where B is the set of all possible bytes ( b ) in the chunk string.…”

Section: Mimickav: Mimicking Anti-virus Softwarementioning

confidence: 99%

“…An entropy profile considers the binary representation of a file, divides it into chunks, calculates the Shannon entropy of these chunks, and aggregates them, forming an entropy sequence called the entropy profile. These entropy profiles have shown a strong accuracy for deciding whether a piece of software is malware or not, even when the piece of malware is using metamorphic or polymorphic/packing-based concealment [ 9 ]. Their strength comes from the entropy variations on the binary files.…”

Section: Introductionmentioning

confidence: 99%

“…Their strength comes from the entropy variations on the binary files. These variations are similar among different variants of the same malware or different concealments using the same or similar strategies [ 8 , 9 , 10 ]. These variations, or signals, are relevant patterns to distinguish different kinds of binaries.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Mimicking Anti-Viruses with Machine Learning and Entropy Profiles

Menéndez

Llorente

2019

Entropy

Self Cite

View full text Add to dashboard Cite

The quality of anti-virus software relies on simple patterns extracted from binary files. Although these patterns have proven to work on detecting the specifics of software, they are extremely sensitive to concealment strategies, such as polymorphism or metamorphism. These limitations also make anti-virus software predictable, creating a security breach. Any black hat with enough information about the anti-virus behaviour can make its own copy of the software, without any access to the original implementation or database. In this work, we show how this is indeed possible by combining entropy patterns with classification algorithms. Our results, applied to 57 different anti-virus engines, show that we can mimic their behaviour with an accuracy close to 98% in the best case and 75% in the worst, applied on Windows’ disk resident malware.

show abstract

Section: Mimickav: Mimicking Anti-virus Softwarementioning

confidence: 99%

“…Suppose

is computed as:

where B is the set of all possible bytes ( b ) in the chunk string.…”

Section: Mimickav: Mimicking Anti-virus Softwarementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Mimicking Anti-Viruses with Machine Learning and Entropy Profiles

Menéndez

Llorente

2019

Entropy

Self Cite

View full text Add to dashboard Cite

show abstract

“…The authors carry out several studies and conclude that, by the time of 2015, the detection by the platforms present on VirusTotal site was worse in all cases. A more recent study also outperformed the VirusTotal in 2019 [ 78 ].…”

Section: Kolmogorov Complexity Application Scenariosmentioning

confidence: 99%

A Survey on Using Kolmogorov Complexity in Cybersecurity

Resende

Martins

Antunes

2019

Entropy

View full text Add to dashboard Cite

Security and privacy concerns are challenging the way users interact with devices. The number of devices connected to a home or enterprise network increases every day. Nowadays, the security of information systems is relevant as user information is constantly being shared and moving in the cloud; however, there are still many problems such as, unsecured web interfaces, weak authentication, insecure networks, lack of encryption, among others, that make services insecure. The software implementations that are currently deployed in companies should have updates and control, as cybersecurity threats increasingly appearing over time. There is already some research towards solutions and methods to predict new attacks or classify variants of previous known attacks, such as (algorithmic) information theory. This survey combines all relevant applications of this topic (also known as Kolmogorov Complexity) in the security and privacy domains. The use of Kolmogorov-based approaches is resource-focused without the need for specific knowledge of the topic under analysis. We have defined a taxonomy with already existing work to classify their different application areas and open up new research questions.

show abstract

Core‐level cybersecurity assurance using cloud‐based adaptive machine learning techniques for manufacturing industry

Sakthivel

Nagasubramanian

Al‐Turjman³

et al. 2020

Trans Emerging Tel Tech

View full text Add to dashboard Cite

Cybersecurity is the domain that ensures safeness in both individual system and overall network systems. The classification and learning approaches used in different machine learning (ML) techniques improve the protection of the cyber systems against various attacks. Techniques such as support vector machine (SVM), neural networks (NN), principle component analysis (PCA), and reinforcement learning (RL) are used against various cyber threats. Applying these techniques at the front-end services (either online or offline) makes less effect than back end process-level services of any computer system. The proposed work analyzes the benefits of implementing customized ML and deep learning (DL) techniques on the core of the operating system than application level services, which in effect increases the speed and correctness of attack detection. The core (kernel) of the operating system has the capability to extract all internal attributes of process and file systems. The kernel space security activities can be improved by proposed work where the process level attributes classified using ML and DL techniques. The cloud service helps in sharing of the kernel abilities of the system ensuring core level security. The following work uses recurrent NN (RNN), SVM, PCA, and RL for analyzing the system data collected using Process Explorer. This technique finds application in manufacturing domain where the systems are protected from the various attacks to secure the data of the manufacturing company.

show abstract

The arms race: Adversarial search defeats entropy used to detect malware

Cited by 31 publications

References 15 publications

Mimicking Anti-Viruses with Machine Learning and Entropy Profiles

Mimicking Anti-Viruses with Machine Learning and Entropy Profiles

A Survey on Using Kolmogorov Complexity in Cybersecurity

Core‐level cybersecurity assurance using cloud‐based adaptive machine learning techniques for manufacturing industry

Contact Info

Product

Resources

About