Dynamic Malware Analysis Research Articles

Bane or Boon: Measuring the effect of evasive malware on system call classifiers

Malware refers to software that is designed to achieve a malicious purpose usually to benefit its creator. To accomplish this, malware hides its true purpose from its target and malware analysts until it has established a foothold on the victim’s machine. Malware analysts, therefore, have to find increasingly sophisticated methods to detect malware prompting malware authors to increase the number of evasive techniques employed by their malware. Dynamic malware analysis has been framed as a potential solution as it runs malware in its preferred environment to ensure that it observes its true behaviour. However, it is usually a restricted form of the preferred environment and malware may only be run for two minutes or less. This means that if malware does not demonstrate its malicious intent within that time frame and environment, the behaviour observed and subsequently learned may not be the behaviour that needs to be prevented. There is a risk that classifiers trained using the standard dynamic malware analysis process will only recognise malware by its evasive behaviour rather than a mix of behaviours. In this paper, we study the extent to which classifiers are dependent on evasive behaviour when identifying malware. We achieve this by training them on real ransomware and benignware and then testing their ability to detect carefully crafted simulated ransomware. The simulated ransomware gives us the freedom to create samples with different levels of evasive and malicious behaviour. The simulated samples, like the real samples, are run in a sandboxed environment where data is collected at a user- and Kernel-level. The results of our experiments indicated that, in general, the classifiers were more likely to label the simulated samples as malicious once the amount of evasive behaviour present in a sample went beyond a threshold. Generally, this threshold was crossed when the simulated ransomware waited 2 s or more between each file it encrypted. Additionally, the classifiers trained on the user-level data were not as robust against small changes in system calls made. Whereas, when trained on system calls gathered at a Kernel, system-wide level, the classifiers’ results were less variable. Finally, in attempting to simulate malware for our experiments, we discovered that the field of malware simulation is relatively unstudied despite its potential and therefore provide recommendations for simulating malware for system-call analysis.

Image-based malware classification hybrid framework based on space-filling curves

There exists a never-ending “arms race” between malware analysts and adversarial malicious code developers as malevolent programs evolve and countermeasures are developed to detect and eradicate them. Malware has become more complex in its intent and capabilities over time, which has prompted the need for constant improvement in detection and defence methods. Of particular concern are the anti-analysis obfuscation techniques, such as packing and encryption, that are employed by malware developers to evade detection and thwart the analysis process. In such cases, malware is generally impervious to basic analysis methods and so analysts must use more invasive techniques to extract signatures for classification, which are inevitably not scalable due to their complexity. In this article, we present a hybrid framework for malware classification designed to overcome the challenges incurred by current approaches. The framework incorporates novel static and dynamic malware analysis methods, where static malware executables and dynamic process memory dumps are converted to images mapped through space-filling curves, from which visual features are extracted for classification. The framework is less invasive than traditional analysis methods in that there is no reverse engineering required, nor does it suffer from the obfuscation limitations of static analysis. On a dataset of 13,599 obfuscated and non-obfuscated malware samples from 23 families, the framework outperformed both static and dynamic standalone methods with precision, recall and accuracy scores of 97.6%, 97.6% and 97.6% respectively.

Time-interval temporal patterns can beat and explain the malware

Malware-based cyber-attacks are mainly aimed at obtaining sensitive data, intellectual property theft, denying critical services and data, and financial gain. Malware has continuously evolved, becoming more sophisticated and evasive, and thus it remains a major cyber-security threat. To keep pace with malware’s evolution, there is a critical need to develop new, advanced malware detection methods. Widely-used solutions, such as antivirus software and other static host-based intrusion detection systems, have limitations, particularly in detecting new, unknown, and evasive malware. Many of the limitations of static analysis can be overcome when dynamic malware analysis is leveraged by machine learning (ML) algorithms by executing the malware in an isolated environment (e.g., sandbox), which enables the acquisition of rich behavioral and time-oriented information associated with malware behavior. Prior studies have proposed various detection methods based on dynamically extracted API calls for malware detection, but other than simple order-based approaches, the use of more advanced time-based methods has not been explored. In this paper, we propose a more comprehensive detection framework which, by analyzing the raw multivariate time-series data associated with malware execution, can accurately capture malware behavior and provide clear explainability regarding malware behavior and detection model decisions. We are the first to mine and automatically discover meaningful and explainable time-interval temporal API call patterns associated with malware behavior and leverage them, using a variety of ML algorithms, for malware detection and categorization. To evaluate our proposed solution, we established a comprehensive dynamic-analysis environment using Cuckoo Sandbox and analyzed more than 17,000 portable executables executed in Windows 10, the most widely-used operating system today. We conducted extensive experiments on malware detection and categorization and compared the performance of our solution to state-of-the-art methods, including non-time-oriented (classic ML algorithms) and order-based methods (LSTM networks). The results show that our proposed solution outperforms the other methods, obtaining 99.6% detection accuracy for unknown malware and 97.65% categorization accuracy. In a more complex scenario of detecting an unknown malware type with unseen modus operandi, our method obtained almost 90% detection accuracy, outperforming the state-of-the-art methods. To demonstrate our ability to provide human explainability, we present some temporal patterns of different malware families that we discovered which shed light on malware behavior that can be used by cyber-security experts to better understand malware, better defend against future attacks, and even attribute malware campaigns to the cyber-attackers launching them.

Network Traffic Analysis Using Machine Learning Techniques in IoT Networks

Internet of things devices are not very intelligent and resource-constrained; thus, they are vulnerable to cyber threats. Cyber threats would become potentially harmful and lead to infecting the machines, disrupting the network topologies, and denying services to their legitimate users. Artificial intelligence-driven methods and advanced machine learning-based network investigation prevent the network from malicious traffics. In this research, a support vector machine learning technique was used to classify normal and abnormal traffic. Network traffic analysis has been done to detect and prevent the network from malicious traffic. Static and dynamic analysis of malware has been done. Mininet emulator was selected for network design, VMware fusion for creating a virtual environment, hosting OS was Ubuntu Linux, network topology was a tree topology. Wireshark was used to open an existing pcap file that contains network traffic. The support vector machine classifier demonstrated the best performance with 99% accuracy.

An approach to dynamic malware analysis based on system and application code split

This paper discusses the development of tools for dynamic malware analysis. The main idea is to provide total control on a suspicious sample execution on the test computer. The approach we propose is to separate the application code from the system code by using memory pages access control. Thus, we are able to detect all system API calls and non-standard ways to transfer the control flow. Our tools (codename ToolChain) intentionally consist of a Control module, a Scheduling module, and a Cloaking module. In this paper, we focus mainly on the Control module. We monitor internal target process events by using invasive methods such as a system call hook or an executable file patch. This research describes the key creation stages of the prototype, with the basic functionality and technical ideas on handling several issues, such as analysis of multi-threaded applications, cloaking of the presence of analytical tools, and mitigation of the performance degradation of the operation system.

Research and Application of Malware Classification Method Based on LSTM

Information technology enhances efficiency and introduces the threat of malware. A typical means of destruction, malware affects the operational security of information systems and poses certain risks to human life, production, and social operations. One of the key research directions in the field of information security is the identification and classification of malware. Currently, mainstream malware analysis and identification methods fall into static and dynamic categories. As a result of obfuscated system calls, it is difficult to detect malware using static analysis, and traditional dynamic analysis methods based on local features are not sufficiently accurate. This paper combines sequence-based LSTM neural networks with learning algorithms for traditional API call features to study malware classification. Furthermore, this paper discusses the idea of hybrid classification based on LSTM and expands the research in this area to some extent. As a result of the research presented in this paper, dynamic analysis and classification of malware are expected to be more effective.

Investigating Malware Propagation and Behaviour Using System and Network Pixel-Based Visualisation

Malicious software, known as malware, is a perpetual game of cat and mouse between malicious software developers and security professionals. Recent years have seen many high profile cyber attacks, including the WannaCry and NotPetya ransomware attacks that resulted in major financial damages to many businesses and institutions. Understanding the characteristics of such malware, including how malware can propagate and interact between systems and networks is key for mitigating these threats and containing the infection to avoid further damage. In this study, we present visualisation techniques for understanding the propagation characteristics in dynamic malware analysis. We propose the use of pixel-based visualisations to convey large-scale complex information about network hosts in a scalable and informative manner. We demonstrate our approach using a virtualised network environment, whereby we can deploy malware variants and observe their propagation behaviours. As a novel form of visualising system and network activity data across a complex environment, we can begin to understand visual signatures that can help analysts identify key characteristics of the malicious behaviours, and, therefore, provoke response and mitigation against such attacks.

Curious-Monkey: Evolved Monkey for Triggering Malicious Payloads in Android Malware

Dynamic analysis is a prominent approach in analyzing the behavior of Android apps. To perform dynamic analysis, we need an event generator to provide proper environment for executing the app in an emulator. Monkey is the most popular event generator for Android apps in general, and is used in dynamic analysis of Android malware as well. Monkey provides high code coverage and yet high speed in generating events. However, in the case of malware analysis, Monkey suffers from several limitations. It only considers UI events but no system events, and because of random behavior in generating UI events, it may lose dropping the connectivity of the test environment during the analysis process. Moreover, it provides no defense against malware evasion techniques. In this paper, we try to enhance Monkey by reducing its limitations while preserving its advantages. The proposed approach has been implemented as an extended version of Monkey, named Curious-Monkey. Curious-Monkey provides facilities for handling system events, handling evasion techniques, and keeping the test environment's connectivity up during the analysis process. We conducted many experiments to evaluate the effectiveness of the proposed tool regarding two important criteria in dynamic malware analysis: the ability to trigger malicious payloads and the code coverage. In the evaluation process, we used the Evadroid benchmark and the AMD malware dataset. Moreover, we compared Curious-Monkey with Monkey and Ares tools. The results show that the Curious-Monkey provides better results in case of triggering malicious payloads, as well as better code coverage.

CSForest: an approach for imbalanced family classification of android malicious applications

Recently, a variety of mobile security threats have been emerged due to the exponential growth in mobile technologies. Various techniques have been developed to address the risks associated with malware. The most popular method to detect Android malware relies on the signature-based method. The drawback of this method is that it is unable to detect unknown malware. Due to this problem, machine learning came into existence for detecting and classifying malware applications. The conventional machine learning algorithms focus on optimizing classification accuracy. However, the imbalanced real-life datasets cause the traditional classification algorithm to perform poorly in classifying malicious apps. To handle the problem of imbalanced family classification of malicious applications, we propose a Cost-Sensitive Forest (CSForest) method which contains a group of decision trees. A cost-sensitive voting technique is used for prediction purposes. The proposed approach is evaluated on a dataset that includes the features extracted from both static and dynamic malware analysis and consisting of 13 imbalanced families of Android malware. Furthermore, the results of proposed technique are compared with the C4.5, Random Forest and CSTree to determine its effectiveness in classifying the families of malicious applications while considering only static features, only dynamic features and their hybrid. From the experimental results, it is found that CSForest performs better than the other algorithms in handling the imbalanced family classification of Android malicious applications while considering the hybrid set of features. It acquires the highest F-measure rate i.e. 0.919 with a minimum total cost of 180.

MEGDroid: A model-driven event generation framework for dynamic android malware analysis

The tremendous growth of Android malware in recent years is a strong motivation for the vast endeavor in detection and analysis of malware apps. A prominent approach for this purpose is dynamic analysis in which providing complex interactions with the samples under analysis is a need. Event generation tools are almost used to provide such interactions, but they have deficiencies for effective malware analysis. For example, anti-static and anti-dynamic analysis techniques employed by the malware prevent event generators to extract sufficient information for generating appropriate events. As a result, they fail to trigger malicious payloads or obtain high code coverage in most cases. In this paper, we aim to present a new framework to improve the event generation process for dynamic analysis of Android malware. We propose MEGDroid, a Model Driven Engineering (MDE) framework in which malware-related information is automatically extracted and represented as a domain-specific model. This model, then is used to generate appropriate events for malware analysis using model-to-model and model-to-code transformations. The proposed model-driven artifacts also provide required facilities to put the human in the loop for properly taking his/her knowledge into account. The proposed framework has been realized as an Eclipse plugin and we performed extensive practical analysis on a set of malware samples selected from the AMD dataset. The experimental results showed that MEGDroid considerably increases the number of triggered malicious payloads as well as the execution code coverage compared with Monkey and DroidBot, as two state of the art general-purpose and malware specific event generators respectively. The proposed MDE approach, enhances the event generation process through both automatic event generation and analyzer user involvement who can efficiently direct the process to increase the effectiveness of the generated events considering small amount of information that is extractable from the malware code.

Intelligent Dynamic Malware Detection using Machine Learning in IP Reputation for Forensics Data Analytics

In the near future, objects have to connect with each other which can result in gathering private sensitive data and cause various security threats and cyber crimes. To prevent cyber crimes, novel cyber security techniques are required that can identify malicious Internet Protocol (IP) addresses before communication. One of the best techniques is the IP reputation system used for profiling the behavior of security threats to the cyber–physical system. Existing reputation systems do not perform well due to their high management cost, false-positive rate, consumption time, and considering very few data sources for claiming IP address reputation. To overcome the aforementioned issues, we have proposed a novel hybrid approach based on Dynamic Malware Analysis, Cyber Threat Intelligence, Machine Learning (ML), and Data Forensics. Using the concept of big data forensics, IP reputation is predicted in its pre-acceptance stage and its associated zero-day attacks are categorized via behavioral analysis by applying the Decision Tree (DT) technique. The proposed approach highlights the big data forensic issues and computes severity, risk score along with assessing the confidence and lifespan simultaneously. The proposed system is evaluated in two ways; first, we compare the ML techniques to attain the best F-measure, precision and recall scores, and then we compare the entire reputation system with the existing reputation systems. Our proposed framework is not only cross checked with external sources but also able to reduce the security issues which were neglected by existing outdated reputation engines.

Detection of Malicious Servers for Preventing Client-Side Attacks

The number of client-side attacks is increasing day-by-day. These attacks are launched by using various methods like phishing, drive-by downloads, click-frauds, social engineering, scareware, and ransomware. To get more advantage with less exertion and time, the attackers are focus on the clients, rather than servers which are more secured as compared to the clients. This makes clients as an easy target for the attackers on the Internet. A number of systems/tools have been created by the security community with various functions for detection of client-side attacks. The discovery of malicious servers that launch the client side attacks can be characterized in two types. First to detect malicious servers with passive detection which is often signature based. Second to detect the malicious servers with active detection often with dynamic malware analysis. Current systems or tools have more focus on identifying malicious servers rather than preventing the clients from those malicious servers. In this paper, we have proposed a solution for the detection and prevention of malicious servers that use the Bro Intrusion Detection System (IDS) and VirusTotal API 2.0. The detected malicious link is then blocked at the gateway.

Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks

Dynamic malware analysis involves the debugging of the associated binary files and the monitoring of changes in sandboxed environments. This allows the investigator to manipulate the code execution path and environment to develop an understanding of the malware’s internal workings, aims and modus operandi. However, the malware may incorporate anti-virtual environment (VM) and anti-debugging countermeasures (e.g. determining whether the malware is being executed in a VM, or using a debugger prior to payload execution). In essence, the malware needs to adopt a “defence in depth” paradigm. Beyond the malicious uses, software vendors seeking to preserve the intellectual property rights of their products often resort to similar methods to deter competitors from gaining intelligence from the binaries or prevent customers from using their products without unauthorization. In this work, we illustrate how the Windows architecture impedes the work of debuggers in the analysis of armoured binaries. The debugger and the malware have the same privileges, so the attacker may manipulate the address space that the debugger operates to bypass detection. We showcase this by presenting a new framework (ANTI), which automates the procedure of integrating anti-debugging and anti-VM in the binary. Specifically, ANTI introduces an anti-hooking method targeting Windows binaries, where hooks applied by state of the art debuggers are removed and injects its code in other processes. This significantly compounds the challenge of binary analysis. Our extensive evaluation also demonstrates that ANTI successfully circumvents detection from state-of-the-art detection methods. In other words, we show using ANTI that implementation gaps in current tools for dynamic analysis can be exploited to allow binaries to bypass them. More concerningly, ANTI shows how one can use well-known methods to “resurrect” old attacks.

Combat Mobile Evasive Malware via Skip-Gram-Based Malware Detection

Android malware detection is an important research topic in the security area. There are a variety of existing malware detection models based on static and dynamic malware analysis. However, most of these models are not very successful when it comes to evasive malware detection. In this study, we aimed to create a malware detection model based on a natural language model called skip-gram to detect evasive malware with the highest accuracy rate possible. In order to train and test our proposed model, we used an up-to-date malware dataset called Argus Android Malware Dataset (AMD) since the AMD contains various evasive malware families and detailed information about them. Meanwhile, for the benign samples, we used Comodo Android Benign Dataset. Our proposed model starts with extracting skip-gram-based features from instruction sequences of Android applications. Then it applies several machine learning algorithms to classify samples as benign or malware. We tested our proposed model with two different scenarios. In the first scenario, the random forest-based classifier performed with 95.64% detection accuracy on the entire dataset and 95% detection accuracy against evasive only samples. In the second scenario, we created a test dataset that contained zero-day malware samples only. For the training set, we did not use any sample that belongs to the malware families in the test set. The random forest-based model performed with 37.36% accuracy rate against zero-day malware. In addition, we compared our proposed model’s malware detection performance against several commercial antimalware applications using VirusTotal API. Our model outperformed 7 out of 10 antimalware applications and tied with one of them on the same test scenario.

Dynamic Malware Analysis with Feature Engineering and Feature Learning

Dynamic malware analysis executes the program in an isolated environment and monitors its run-time behaviour (e.g. system API calls) for malware detection. This technique has been proven to be effective against various code obfuscation techniques and newly released (“zero-day”) malware. However, existing works typically only consider the API name while ignoring the arguments, or require complex feature engineering operations and expert knowledge to process the arguments. In this paper, we propose a novel and low-cost feature extraction approach, and an effective deep neural network architecture for accurate and fast malware detection. Specifically, the feature representation approach utilizes a feature hashing trick to encode the API call arguments associated with the API name. The deep neural network architecture applies multiple Gated-CNNs (convolutional neural networks) to transform the extracted features of each API call. The outputs are further processed through bidirectional LSTM (long-short term memory networks) to learn the sequential correlation among API calls. Experiments show that our solution outperforms baselines significantly on a large real dataset. Valuable insights about feature engineering and architecture design are derived from the ablation study.

IoT Botnet Forensics: A Comprehensive Digital Forensic Case Study on Mirai Botnet Servers

Internet of Things (IoT) bot malware is relatively new and not yet well understood forensically, despite its potential role in a broad range of malicious cyber activities. For example, it was abused to facilitate the distributed denial of service (DDoS) attack that took down a significant portion of the Internet on October 21, 2016, keeping millions of people from accessing over 1200 websites, including Twitter and NetFlix for nearly an entire day. The widespread adoption of an estimated 50 billion IoT devices, as well as the increasing interconnectivity of those devices to traditional networks, not to mention to one another with the advent of fifth generation (5G) networks, underscore the need for IoT botnet forensics. This study is the first published, comprehensive digital forensic case study on one of the most well known families of IoT bot malware - Mirai. Past research has largely studied the botnet architecture and analyzed the Mirai source code (and that of its variants) through traditional static and dynamic malware analysis means, but has not fully and forensically analyzed infected devices or Mirai network devices. In this paper, we set up a fully functioning Mirai botnet network architecture and conduct a comprehensive forensic analysis on the Mirai botnet server. We discuss forensic artifacts left on the attacker's terminal, command and control (CNC) server, database server, scan receiver and loader, as well as the network packets therefrom. We discuss how a forensic investigator might acquire some of these artifacts remotely, without direct physical access to the botnet server itself. This research provides findings tactically useful to forensic investigators, not only from the perspective of what data can be obtained (e.g., IP addresses of bot members), but also important information about which device they should target for acquisition and investigation to obtain the most investigatively useful information.

Forensic Analysis of a Ransomware

In the present digital world malware is the most potent weapon. Malware, especially ransomware, is used in security breaches on a large scale which leads to huge losses in terms of money and critical information for big firms and government organisations. In order to counter the future ransomware attacks it is necessary to carry out a forensic analysis of the malware. This experiment proposes a manual method for dynamic malware analysis so that security researchers or malware analyst can easily understand the behaviour of the ransomware and implement a better solution for reducing the risk of malware attack in future. For doing this experiment Volatility, Regshot and FTK Imager Lite Forensics toolkit were used in a virtual and safe environment. The forensic analysis of a Ransomware is done in a virtual setup to prevent any infection to the base machine and carry out detailed analysis of the behaviour of the malware under different conditions. Malware analysis is important because the behavioral analysis helps in developing better mitigation techniques thereby reducing infection risks. The research can prove effective in development of a ransomware decryptor which can be used to recover data after an attack has encrypted the files.

Towards Increasing Trust In Expert Evidence Derived From Malware Forensic Tools

Following a series of high profile miscarriages of justice in the UK linked to questionable expert evidence, the post of the Forensic Science Regulator was created in 2008. The main objective of this role is to improve the standard of practitioner competences and forensic procedures. One of the key strategies deployed to achieve this is the push to incorporate a greater level of scientific conduct in the various fields of forensic practice. Currently there is no statutory requirement for practitioners to become accredited to continue working with the Criminal Justice System of England and Wales. However, the Forensic Science Regulator is lobbying the UK Government to make this mandatory. This paper focuses upon the challenge of incorporating a scientific methodology to digital forensic investigations where malicious software (‘malware’) has been identified. One aspect of such a methodology is the approach followed to both select and evaluate the tools used to perform dynamic malware analysis during an investigation. Based on the literature, legal, regulatory and practical needs we derive a set of requirements to address this challenge. We present a framework, called the ‘Malware Analysis Tool Evaluation Framework’ (MATEF), to address this lack of methodology to evaluate software tools used to perform dynamic malware analysis during investigations involving malware and discuss how it meets the derived requirements.

Visualizing the outcome of dynamic analysis of Android malware with VizMal

Malware detection techniques based on signature extraction require security analysts to manually inspect samples to find evidences of malicious behavior. This time-consuming task received little attention by researchers and practitioners, as most of the effort is on the identification as malware or non-malware of an entire sample. There are no tools for supporting the analyst in identifying when the malicious behavior occurs, given a sample. In this paper we propose VizMal, a tool able to visualize the execution traces of Android applications and to highlight which portions of the traces correspond to a potentially malicious behavior. The aim of VizMal is twofold: assisting the malware analyst during the inspection of an application and pushing the research community to organize and focus its effort on the malicious behavior localization. VizMal is able to discern if the application behavior during each second of execution are legitimate or malicious and to show this information in a simple and understandable way. We validate VizMal experimentally and by means of a user study: the results are promising and confirm that the tool can be useful.

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

Although malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for—especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based anti-virus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more. The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.