A Survey on malware analysis and mitigation techniques

Abstract Present-day malware is advanced and engineered to attack a specific target. Most such advanced malware is highly persistent and capable of evading security systems. This paper explores one such advanced malware type, the Advanced Persistent Threat (APT). APTs pave the way for most cyber espionage and sabotage. APTs are highly sophisticated, target-specific and operate in stealth mode until the target is compromised. The intention of an APT is to deploy target-specific automated malware in a host or network so that an on-demand attack can be launched on the basis of continuous monitoring. Encrypted covert communication and advanced, sophisticated attack techniques make the identification of APTs more challenging. Conventional security systems such as antivirus and anti-malware products, which depend on signatures and static analysis, fail to identify these APTs. The Advanced Evasive Techniques (AET) used in APTs are capable of bypassing the stateful firewalls housed at enterprise choke points with ease. Hence, this paper presents a detailed study of the sophisticated attack and evasion techniques used by contemporary malware. Furthermore, existing malware analysis techniques, application hardening techniques and CPU-assisted application security schemes are also discussed. Finally, the study concludes by presenting a System and Network Security Design (SNSD) built from existing mitigation techniques.
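The abstract's central claim, that signature-based static scanning fails against self-modifying or re-encoded malware while behaviour-based analysis still sees what the sample does at runtime, can be illustrated with a small model. The following Python is an added example written for this page, not code from the survey or from any product it cites; the signature, the samples, the XOR-encoded variant and the sandbox API trace are all constructed for the demonstration, and the rule names are hypothetical.

```python
"""Added illustration (not from the survey): a fixed byte signature stops
matching once the payload is trivially re-encoded on disk, whereas a
behavioural rule over the runtime API-call sequence still fires.
Every sample, signature and trace below is constructed for this demo."""
from __future__ import annotations

# --- Static, signature-based detection -------------------------------------
# A conventional AV signature: a fixed byte pattern lifted from a known sample.
KNOWN_SIGNATURES = {
    "demo.dropper.A": b"DROP_PAYLOAD_v1",   # constructed marker, not a real IoC
}


def signature_scan(sample: bytes) -> list[str]:
    """Return the names of all signatures whose byte pattern occurs in the sample."""
    return [name for name, pat in KNOWN_SIGNATURES.items() if pat in sample]


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the simplest instance of the packed/self-modifying code
    the survey discusses. The on-disk bytes no longer contain the signature;
    the code decodes itself only at runtime."""
    return bytes(b ^ key for b in data)


# --- Dynamic, behaviour-based detection -------------------------------------
# A behavioural rule is an ordered subsequence of API calls, the kind of
# "critical API-call" feature a behaviour-based detector extracts from a sandbox
# run. Order matters; unrelated calls may appear between the listed ones.
BEHAVIOUR_RULES = {
    "process-injection": ["OpenProcess", "VirtualAllocEx",
                          "WriteProcessMemory", "CreateRemoteThread"],
    "persistence-runkey": ["RegOpenKeyEx", "RegSetValueEx"],
}


def contains_subsequence(trace: list[str], pattern: list[str]) -> bool:
    """True if every call in `pattern` appears in `trace` in that relative order."""
    it = iter(trace)                      # a single forward pass over the trace
    return all(any(call == want for call in it) for want in pattern)


def behaviour_scan(trace: list[str]) -> list[str]:
    """Return the names of all behavioural rules matched by the API trace."""
    return [name for name, pat in BEHAVIOUR_RULES.items()
            if contains_subsequence(trace, pat)]


# --- Constructed samples -----------------------------------------------------
ORIGINAL_SAMPLE = b"MZ...header...DROP_PAYLOAD_v1...rest"
# Same logic, payload XOR-encoded with a nonzero key: every byte of the marker
# differs from the signature, so a byte-pattern scanner has nothing to match.
VARIANT_SAMPLE = b"MZ...header..." + xor_encode(b"DROP_PAYLOAD_v1", 0x5A) + b"...rest"

# Constructed API trace that a sandbox would record for either variant, since
# the decoded code performs the same actions at runtime.
SANDBOX_TRACE = ["CreateFile", "OpenProcess", "ReadFile", "VirtualAllocEx",
                 "WriteProcessMemory", "CreateRemoteThread", "CloseHandle"]


def compare() -> dict[str, list[str]]:
    """Run both detectors over the constructed inputs and return the verdicts."""
    return {
        "signature_original": signature_scan(ORIGINAL_SAMPLE),  # hit
        "signature_variant": signature_scan(VARIANT_SAMPLE),    # miss
        "behaviour": behaviour_scan(SANDBOX_TRACE),             # hit
    }


if __name__ == "__main__":
    for check, verdict in compare().items():
        print(f"{check:20s} -> {verdict or 'no detection'}")
```

The behavioural rule only sees the trace because the sample was executed (or emulated) somewhere it could be observed; a sample that detects the sandbox and stays dormant, which the survey lists among the evasion techniques, would defeat this model too, which is why the paper pairs behavioural analysis with hardening and CPU-assisted schemes rather than relying on any single layer.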
