Cryptographic technology has been commonly used in malware for hiding their static characteristics and malicious behaviors to avoid the detection of anti-virus engines and counter the reverse analysis from security researchers. The detection of cryptographic functions in an effective way in malware has vital significance for malicious code detection and deep analysis. Many efforts have been made to solve this issue, while existing methods suffer from some issues, such as being unable to achieve promising results in accuracy, being limited by prior knowledge, and having a high overhead. In this paper, we draw on the idea of text classification in the field of natural language processing and propose a novel neural network to detect the type of cryptographic functions. The new network is an end-to-end model which includes two important modules: Instruction-2-vec and K-Max-CNN-Attention. The Instruction-2-vec model extracts the "words" of assembly instructions and transfers them into continuous vectors. The K-Max-CNN-Attention is used to encode the instruction vectors and generate the representation of the function. And we designed a softmax classifier to predict the categories of the functions. Extensive experiments were conducted on a collected dataset which contains 15 common types of cryptographic functions extracted from malware, to assess the validity of the proposed approach. The experiment results showed that the proposed approach achieves a better performance than the recent embedding network SAFE, with Precision, Recall and F1-score of 0.9349, 0.8933 and 0.9020, respectively. We also compared it with four widely-used tools; the results demonstrated that our approach is much better in accuracy and effectiveness than all of them.
ISBN (print): 9781509055333
Cryptographic functions have been commonly abused by malware developers to hide malicious behaviors, disguise destructive payloads, and bypass network-based firewalls. Now-infamous crypto-ransomware even encrypts victims' computer documents until a ransom is paid. Therefore, detecting cryptographic functions in binary code is an appealing approach to complement existing malware defense and forensics. However, pervasive control and data obfuscation schemes make cryptographic function identification a challenging task. Existing detection methods are either too brittle to work on obfuscated binaries or ad hoc in that they can only identify specific cryptographic functions. In this paper, we propose a novel technique called bit-precise symbolic loop mapping to identify cryptographic functions in obfuscated binary code. Our trace-based approach captures the semantics of possible cryptographic algorithms with bit-precise symbolic execution in a loop. Then we perform guided fuzzing to efficiently match boolean formulas with known reference implementations. We have developed a prototype called CryptoHunt and evaluated it with a set of obfuscated synthetic examples, well-known cryptographic libraries, and malware. Compared with the existing tools, CryptoHunt is a general approach to detecting commonly used cryptographic functions such as TEA, AES, RC4, MD5, and RSA under different control and data obfuscation scheme combinations.
The existing methods of ransomware detection have limitations. To be specific, static analysis is not effective against obfuscated binaries, while dynamic analysis is usually restricted to a certain platform and often takes tens of minutes. In this paper, we propose a block-level monitoring system to detect potentially malicious cryptographic operations. We carry out statistical analysis to find heuristic rules to distinguish between normal and encrypted blocks. In order to apply the heuristic rule to the filesystem without kernel modification, we adopt Filesystem in Userspace (FUSE) and define our filesystem Rcryptect for real-time detection of cryptographic functions. We demonstrate protection against well-known ransomware and show that various cryptographic functions can be detected with about 13% overhead. (c) 2021 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://***/licenses/by-nc-nd/4.0/).
An opaque predicate is a predicate whose value is known to the obfuscator but is difficult to deduce. It can be seamlessly applied together with other obfuscation methods such as junk code to turn reverse engineering attempts into arduous work. Opaque predicates have been widely used in various areas of software security such as software protection, software watermarking, obfuscation, and metamorphic malware. The arms race between the construction and detection of opaque predicates is an interesting topic in computer security *** thesis introduces new attack and defense techniques about opaque predicates in binary code. First, a logic-oriented opaque predicate detection tool called LOOP is proposed. By conducting symbolic execution along a trace, LOOP constructs general logical formulas to represent the intrinsic characteristics of opaque predicates. The formulas are then solved by a constraint solver, and the result answers whether the predicate under examination is opaque or not. Besides, LOOP is obfuscation resilient and able to detect previously unknown opaque predicates. Our experimental result demonstrates that LOOP is effective and efficient. By integrating LOOP with code normalization for matching metamorphic malware variants, we show that LOOP is an appealing complement to existing malware ***, a new control flow obfuscation scheme called generalized dynamic opaque predicate is proposed. We extend the conventional concept of dynamic opaque predicate to common program structures (e.g., straight-line code, branch, and loop). Besides, our new design does not require dynamic opaque predicates to be strictly adjacent, which is more resilient to deobfuscation techniques. The evaluation result shows generalized dynamic opaque predicates overcome the limitations in conventional opaque ***, we propose a novel technique called bit-precise symbolic loop mapping to identify cryptographic functions in obfuscated binary code. Advanced opaque pred