On the (in)security of behavioral-based dynamic anti-malware techniques

Ersan, Erkan

21 April 2017

The Internet has become the primary vector for the delivery of malicious code in cyber attacks, and malware has rapidly become a pervasive critical threat. Anti- malware products offer effective protection from malware threats for servers and endpoint devices using a variety of techniques. Advanced enterprise-level anti-malware products rely on state-of-art behavioral-based detection algorithms, in addition to traditional signature-based mechanisms. These dynamic detection techniques have been around for more than a decade and in response hackers have developed methods to evade them. However, currently known bypass methods require intensive manual labor. Moreover, this manual work has to be repeated whenever a parameter of the environment (such as the payload, operating system, Antivirus version, etc) changes, making these methods impractical. This may lead to the belief that dynamic techniques provide a good deterrence, and hence good protection. In this thesis we evaluate dynamic techniques. Specifically, we build tools to implement generic unhooking and funneling, and using these tools we show how dynamic techniques can be bypassed with considerably less effort than by fully manual methods. We also extend the repertoire of existing bypass methods and introduce a new malicious function call technique which exploits detection techniques that monitor a limited collection of critical system functions, as well as a method for bypassing guard-page protections. We demonstrate the effectiveness of all our techniques by conducting attacks against two enterprise antivirus products. Our results lead us to conclude that that dynamic techniques do not provide sufficient protection. / Graduate / 2018-02-07 / 0984 / erkanersan@gmail.com

Malware

Malware Detection

Computer Security

Anti-malware

Antivirus

Cyber Attacks

Behavioral-based Detection

EMET

Hooking

Unhooking

Guard Pages

Bypassing Techniques

Evasion Techniques

Evasion

funneling

Control Flow Integrity

CFI

Web-based malware

ROP

Return-Oriented Programming

Shellcode

Payload

Windows

Anti-malware Evaluation

Antivirus Evaluation

Anti-malware Effectiveness

Antivirus Effectiveness

Computer virus : design and detection

Arding, Petter, Hedelin, Hugo

January 2014

Computer viruses uses a few different techniques, with various intentions, toinfect files. However, what most of them have in common is that they wantto avoid detection by anti-malware software. To not get detected and stay unnoticed,virus creators have developed several methods for this. Anti-malwaresoftware is constantly trying to counter these methods of virus infections withtheir own detection-techniques. In this paper we have analyzed the differenttypes of viruses and their infection techniques, and tried to determined whichworks the best to avoid detection. In the experiments we have done we havesimulated executing the viruses at the same time as an anti-malware softwarewas running. Our conclusion is that metamorphic viruses uses the best methodsto stay unnoticed by anti-malware software’s detection techniques.

computer virus

antimalware

anti-malware

antivirus

anti-virus

Other Computer and Information Science

Annan data- och informationsvetenskap

Machine learning and system administration : A structured literature review

Jonsson, Karl

January 2020

Denna literaturöversikt går igenom två olika system inom IT-säkerhet och hur de fungerar tillsammans med maskinlärningstekniker till en relativt ytlig nivå.Syftet med denna rapport är att kunna sammanfatta dessa system och se hur de kan hjälpa med en systemadministratörs uppgifter, hur det kan användas för automatisera och vad för positiva och negativa förändringar det kan ha på en infrastruktur.Maskinlärning kan vara ett kraftigt verktyg för systemadministratörer för att lätta på arbetsmängden som kan förekomma inom en organisation, vilket är också varför det är viktigt att diskutera när och var man ska utplacera en lösning. Den här studien ska diskutera användningen av maskinlärning och när och var det kan användas. / This literature review discusses two different systems within IT-security and how they work within machine learning to a relatively surface-level degree.The purpose of this paper is to be able to summarize these systems and see how they can help a system administrator’s assignments. how it can be used for automation and the positives and negatives.Machine learning can be a powerful tool for system administrators to alleviate the workload which can exist within an organization, which is why it is important to discuss when and where to deploy a solution.

Intrusion Detection systems

IDS

Machine Learning

Anti-virus

Anti-malware

malware

Information Systems