Privacy theft malware multi-process collaboration analysis

Privacy theft malware has become a serious and challenging problem for cyber security. Previous methods fall into two categories: one focuses on the outbound network traffic, the other examines the internal information flow of the program. We combine dynamic behavior analysis with network traffic analysis and present an abstract model called Privacy Petri Net (PPN), which is applicable to a wider range of malware and more understandable to users. In consideration of the multi-process technique adopted by new malware, we also model the collaborative behaviors between different malicious functionality modules with PPN. We apply our approach to real-world malware, and the experimental results show that our approach can effectively find the categories, content, source, and destination of the privacy theft behavior of the malware sample. Copyright © 2013 John Wiley & Sons, Ltd.
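The abstract's central point is that a privacy leak split across cooperating processes (one module reads the private data, another ships it out) is invisible when each process is analyzed on its own, but becomes visible when behavior events and network events are fed into one Petri-net model whose tokens carry provenance. The following Python sketch is an added illustration of that idea, not the paper's PPN definition or code: the place/transition layout, the token fields, the process names, file path, named pipe and the 203.0.113.7 destination are all constructed for the example. Tokens record category, content, source, the processes they passed through, and the destination, which is exactly the information the abstract says the analysis should recover.

```python
"""Toy Privacy Petri Net (PPN) over a constructed multi-process trace.

Illustration only; the net structure and all sample values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Privacy sources the monitor labels as sensitive (constructed sample values).
PRIVATE_SOURCES = {
    r"C:\Users\victim\Contacts\contacts.db": ("contacts", "contacts.db (3 entries, constructed)"),
}

@dataclass(frozen=True)
class Token:
    """A piece of private data plus its provenance as it moves through the net."""
    category: str
    content: str
    source: str
    path: tuple = ()                  # processes the data has passed through
    destination: Optional[str] = None

@dataclass
class Transition:
    name: str
    guard: Callable[[dict], bool]     # does this monitored event fire the transition?
    inputs: Callable[[dict], list]    # input place names, derived from the event
    outputs: Callable[[dict], list]   # output place names, derived from the event
    match: Callable[[Token, dict], bool] = lambda tok, e: True    # which token to consume
    relabel: Callable[[Token, dict], Token] = lambda tok, e: tok  # provenance update

class PrivacyPetriNet:
    def __init__(self, transitions, initial):
        self.marking = defaultdict(list)          # place name -> tokens currently there
        for place, toks in initial.items():
            self.marking[place].extend(toks)
        self.transitions = transitions

    def fire(self, event):
        """Fire every transition that the event guards on and that is enabled."""
        fired = []
        for t in self.transitions:
            if not t.guard(event):
                continue
            in_places = t.inputs(event)
            picks = []
            for place in in_places:
                cand = [tok for tok in self.marking[place] if t.match(tok, event)]
                if not cand:
                    break                         # not enabled: an input place lacks a token
                picks.append((place, cand[0]))
            else:
                for place, tok in picks:
                    self.marking[place].remove(tok)
                for place in t.outputs(event):
                    for _, tok in picks:
                        # A self-loop (output == input) keeps the original token, e.g. the
                        # private file is still there after being read.
                        self.marking[place].append(tok if place in in_places else t.relabel(tok, event))
                fired.append(t.name)
        return fired

    def run(self, events):
        for e in events:
            self.fire(e)
        return self

def build_ppn():
    """Constructed PPN: read private file -> process memory -> named pipe -> other process -> network."""
    add_proc = lambda tok, e: replace(tok, path=tok.path + (e["proc"],))
    transitions = [
        Transition("read_private",
                   guard=lambda e: e["op"] == "read_file" and e["path"] in PRIVATE_SOURCES,
                   inputs=lambda e: ["private_files"],
                   outputs=lambda e: ["private_files", f"mem:{e['pid']}"],
                   match=lambda tok, e: tok.source == e["path"], relabel=add_proc),
        Transition("ipc_send", guard=lambda e: e["op"] == "pipe_write",
                   inputs=lambda e: [f"mem:{e['pid']}"],
                   outputs=lambda e: [f"mem:{e['pid']}", f"pipe:{e['pipe']}"]),
        Transition("ipc_recv", guard=lambda e: e["op"] == "pipe_read",
                   inputs=lambda e: [f"pipe:{e['pipe']}"],
                   outputs=lambda e: [f"mem:{e['pid']}"], relabel=add_proc),
        Transition("net_send", guard=lambda e: e["op"] == "net_send",
                   inputs=lambda e: [f"mem:{e['pid']}"],
                   outputs=lambda e: ["network"],
                   relabel=lambda tok, e: replace(tok, destination=e["dst"])),
    ]
    initial = {"private_files": [Token(cat, content, src)
                                 for src, (cat, content) in PRIVATE_SOURCES.items()]}
    return PrivacyPetriNet(transitions, initial)

def analyze(events):
    """One leak record per private token that reached the network place."""
    net = build_ppn().run(events)
    return [{"category": t.category, "content": t.content, "source": t.source,
             "destination": t.destination, "via": t.path} for t in net.marking["network"]]

# Constructed trace: behavior events from two processes plus one network event.
TRACE = [
    {"pid": 101, "proc": "collector.exe", "op": "read_file", "path": r"C:\Users\victim\Contacts\contacts.db"},
    {"pid": 101, "proc": "collector.exe", "op": "pipe_write", "pipe": r"\\.\pipe\upd"},
    {"pid": 202, "proc": "uploader.exe", "op": "pipe_read", "pipe": r"\\.\pipe\upd"},
    {"pid": 202, "proc": "uploader.exe", "op": "net_send", "dst": "203.0.113.7:443"},
]

if __name__ == "__main__":
    print("whole-system PPN:", analyze(TRACE))
    for pid in (101, 202):   # each process alone shows no leak
        print(f"pid {pid} alone:", analyze([e for e in TRACE if e["pid"] == pid]))
```

Running the whole trace yields a single leak record naming the contacts category, the source file, the destination 203.0.113.7:443 and the path collector.exe → uploader.exe; filtering the trace to either process alone yields nothing, because the reader never touches the network and the sender never touches a private file. That gap is what the multi-process modeling in the abstract is meant to close.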
