My keynote at the Brazilian Security Symposium (SBSeg), as part of the Computer Forensics Workshop (WFC), talking about fileless malware, the challenges for antivirus detection, and new detection strategies. I present the prototype of a hardware AV with integrated signature matching to decrease the performance penalty imposed by software-only AVs.
Near-memory & In-Memory Detection of Fileless Malware (Marcus Botacin)
Proposal of a hardware-based AV embedded within the memory controller to mitigate the performance penalty when searching for fileless malware samples. Presented at 2020 MEMSYS.
On the Security of Application Installers & Online Software Repositories (Marcus Botacin)
My presentation for the DIMVA 2020 conference about the security of application installers. I show the operation dynamics of the repositories and reverse engineer some application installers to show their vulnerabilities, such as susceptibility to man-in-the-middle attacks.
Among Viruses, Trojans, and Backdoors: Fighting Malware in 2022 (Marcus Botacin)
My talk at Federal University of Minas Gerais (UFMG) to present some aspects of modern malware research and some of my contributions to the field (derived from my PhD defense). I cover all steps of a detection pipeline: threat hunting, malware triage, sandbox execution, threat intelligence, and endpoint protection.
451 and Cylance - The Roadmap To Better Endpoint Security (Adrian Sanabria)
In recent years, endpoint security has evolved well beyond signature-based antivirus, which proved unable to keep pace with the speed and volume of evolving threats. With the onslaught of new security technologies available, it can be difficult to determine where to begin. In this webinar, 451 Senior Analyst Adrian Sanabria and Cylance Product Marketing Manager Steve Salinas discuss a proven approach to securing your endpoints.
Adrian and Steve present the fundamental steps to securing endpoints:
• Step 1: A Better Malware Mousetrap
• Step 2: More Resilient Endpoints
• Step 3: Stopping Non-Malware Attacks
• Step 4: Full System Visibility with Endpoint Detection and Response
• Step 5: Dynamic Defense with User Behavior
• Step 6: Data Visibility
• Conclusion: Malware is Solved! What Now?
Endpoint security can be complex. Join us for this webinar to learn how applying a reasoned, results-based approach can help you take control of your endpoints and silence attackers.
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR... (IJNSA Journal)
This paper presents the source code analysis of a file reader server socket program (connection-oriented sockets) developed in Java, to illustrate the identification, impact analysis and solutions to remove five important software security vulnerabilities, which if left unattended could severely impact the server running the software and also the network hosting the server. The five vulnerabilities we study in this paper are: (1) Resource Injection, (2) Path Manipulation, (3) System Information Leak, (4) Denial of Service and (5) Unreleased Resource vulnerabilities. We analyze the reason why each of these vulnerabilities occurs in the file reader server socket program, discuss the impact of leaving them unattended in the program, and propose solutions to remove each of these vulnerabilities from the program. We also analyze any potential performance tradeoffs (such as increase in code size and loss of features) that could arise while incorporating the proposed solutions on the server program. The proposed solutions are very generic in nature, and can be suitably modified to correct any such vulnerabilities in software developed in any other programming language. We use the Fortify Source Code Analyzer to conduct the source code analysis of the file reader server program, implemented on a Windows XP virtual machine with the standard J2SE v.7 development kit.
How the CC Harmonizes with Secure Software Development Lifecycle (Seungjoo Kim)
How the CC Harmonizes with Secure Software Development Lifecycle @ ICCC 2013 (International Common Criteria Conference), which is a major conference for the community of experts involved in security evaluation.
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo... (Zhen Huang)
There is often a considerable delay between the discovery of a vulnerability and the issue of a patch. One mitigation strategy for this window of vulnerability is to use a configuration workaround, which prevents the vulnerable code from being executed at the cost of some lost functionality, but only if one is available. Since application configurations are not specifically designed to mitigate software vulnerabilities, we find that they only cover 25.2% of vulnerabilities.
To minimize the window of vulnerability caused by patch delay and address the limitations of configuration workarounds, we propose Security Workarounds for Rapid Response (SWRRs), which are designed to neutralize security vulnerabilities in a timely, secure, and unobtrusive manner. Similar to configuration workarounds, SWRRs neutralize vulnerabilities by preventing vulnerable code from being executed at the cost of some lost functionality. However, the key difference is that SWRRs use existing error-handling code within applications, which enables them to be mechanically inserted with minimal knowledge of the application and minimal developer effort. This allows SWRRs to achieve high coverage while still being fast and easy to deploy.
We designed and implemented Talos, a system that mechanically instruments SWRRs into a given application, and evaluate it on five popular Linux server applications. We run exploits against 11 real-world software vulnerabilities and show that SWRRs neutralize the vulnerabilities in all cases. Quantitative measurements on 320 SWRRs indicate that SWRRs instrumented by Talos can neutralize 75.1% of all potential vulnerabilities and incur a loss of functionality similar to configuration workarounds in 71.3% of those cases. Our overall conclusion is that automatically generated SWRRs can safely mitigate 2.1x more vulnerabilities, while only incurring a loss of functionality comparable to that of traditional configuration workarounds.
Fuzzing 101 Webinar on Zero Day Management (Codenomicon)
In this webinar, we explore the process of zero-day vulnerability management from initial threat analysis to automated detection and remediation. We demonstrate how easy it is to detect attack vectors and to quickly assess the reliability and security of those interfaces using general-purpose fuzzing solutions. We also show how you can complement these solutions with known vulnerability data and do patch verification easily and cost-effectively. Finally, we discuss how you can tailor your defenses to block zero-day attacks, which is a key aspect of vulnerability management.
GPThreats-3: Is Automated Malware Generation a Threat? (Marcus Botacin)
My talk about generating malware automatically using GPT-3, the differences from ChatGPT, limits, and possibilities. Multiple malware variants are generated and submitted to Antivirus (AV) scans. We also present a defense perspective on how defenders can use artificial intelligence to deobfuscate malware samples.
[HackInTheBox] All You Always Wanted to Know About Antiviruses (Marcus Botacin)
My talk at the HackInTheBox security conference Amsterdam 2023 about the reverse engineering of AV engines, covering signatures, whitelists, blocklists, kernel drivers, hooking, and much more.
[USENIX Enigma] Why Is Our Security Research Failing? Five Practices to Change! (Marcus Botacin)
My talk at USENIX Enigma 2023 discussing challenges and pitfalls in malware research. I discuss five aspects to change, from the diversity of research work to the reproducibility crisis.
In this talk, I cover the basic idea of hardware-assisted, two-level architectures for security monitoring and its applications to the malware detection problem. I propose detection triggers involving the branch predictor, MMU, memory controller, co-processors, and FPGAs.
Talk presented at the Real Time Systems group seminar series at the University of York.
How do we detect malware? A step-by-step guide (Marcus Botacin)
Slides from my talk at the Texas A&M University (TAMU) seminar series (2002), where I present a landscape of the malware detection pipeline currently used by the industry and how academia can contribute to it. I present new solutions ranging from the use of ML and sandbox solutions to hardware support for the development of more performance-efficient antivirus.
On the Malware Detection Problem: Challenges & Novel Approaches (Marcus Botacin)
Marcus Botacin's PhD defense at the Federal University of Paraná (UFPR).
Advisor: Dr André Grégio
Co-Advisor: Paulo de Geus
Evaluation Committee:
Dr Leigh Metcalf, Dr Leyla Bilge, Daniel Alfonso Oliveira
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp... (Marcus Botacin)
Describing our experience in the MLSec competition for the seminar series of the University of Waikato. Presented by Fabricio Ceschin and Marcus Botacin from the Federal University of Paraná.
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia... (Marcus Botacin)
My talk at USENIX ENIGMA 2021 about Brazilian financial malware. It encompasses desktop and mobile environments, analyzed both statically and dynamically.
Towards Malware Decompilation and Reassembly (Marcus Botacin)
I present RevEngE, the Reverse Engineering Engine, a PoC for the debug-based decompilation approach. Presentation given at the Reverse Engineering (ROOTS) conference in Vienna, Austria, 2019.
Malware Variants Identification in Practice (Marcus Botacin)
Research project discussing how to identify malware variants in actual scenarios. We discuss same-behavior function replacement and the relevance of similarity and containment metrics.
Machine Learning for Malware Detection: Beyond Accuracy Rates (Marcus Botacin)
Research work of my student Lucas Galante, presented at SBSEG 2019. We discuss the implications of adopting distinct machine learning models for malware detection.
The AV says: Your Hardware Definitions were Updated! (Marcus Botacin)
Presentation @ RECOSOC 2019. Proposal of a reconfigurable antivirus implemented on FPGA. The solution captures performance counter data via the shared memory bus and classifies it as outlier or not using machine learning classifiers, such as SVM, Random Forest and MLP.
4. Introduction | Proposed Solution | Evaluation | Conclusions
0x0. What is the most concerning type of malware these days?
Near-memory & In-Memory Detection of Fileless Malware 4 / 52 SBSEG'23
5. Fileless malware on the news
Figure: Source: https://www.wired.com/2017/02/say-hello-super-stealthy-malware-thats-going-mainstream/
Figure: Source: https://www.cyberscoop.com/kaspersky-fileless-malware-memory-attribution-detection/
6. 0x1. How do fileless malware work?
8. 0x2. How hard is it to go fileless?
10. Introduction Proposed Solution Evaluation Conclusions
0x3. Is this a real threat?
Fileless malware in the wild
Figure: Source: https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads/
0x4. Are current AVs ready for that?
A Drawback for Current Security Solutions
Figure: Default policy is not to scan memory.
0x5. Why not scan all the time?
The Cost of Scanning Memory
Figure: AV scanning overhead. Execution time (s, 0–300) of the perl, namd, bzip, milc and mcf benchmarks with an in-memory AV scan vs. the baseline: the worst-case and best-case performance penalties of software in-memory scanning.
0x6. Where does this overhead come from?
0x6.1 How do we detect malware?
0x6.1.1 Are signatures still widely-used?
Signature Prevalence
Figure: Signature Prevalence. Percentage of samples (0–45%) for which each AV (AVG, NOD32, Yandex, GData, DrWeb, Emsisoft, eScan, AdAwe, MAX, BitDef, Arcabit, ZAlarm, Kaspersky, AhnLab, Bkav, Ikarus, Microsoft, Zillya, ALYac, NANO, Cybereason, Avira, Rising) detects specific binary sections. Around a third of the AVs' detections are based on the contents of specific sections.
0x6. Where does this overhead come from?
Memory Dumping Techniques
Figure: Memory dump time (s, 10–1000, log scale) for distinct software-based techniques (Virtual-Proc, Virtual-Full, Physical) and memory sizes (1, 2, 4 and 8 GB).
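To make the software-only baseline behind this figure concrete, the following Python example (added here, not code from the talk or from MINI-ME) implements the per-process virtual-memory technique (the Virtual-Proc curve) on Linux: it walks /proc/<pid>/maps, copies every readable mapping out of the kernel through /proc/<pid>/mem and runs a substring search over the copy. The signature list and the planted marker are constructed; the optional code_only switch mirrors the code-only scan policy discussed later in the deck.

```python
"""Software-only per-process memory scan (the Virtual-Proc technique in the
figure): walk /proc/<pid>/maps, copy each readable mapping out of the kernel
through /proc/<pid>/mem and search it. Linux only; illustrative code, not the
page's own. Every byte is copied and searched by the CPU, which is the cost
MINI-ME moves into the memory controller."""
import os
import re
import time

# /proc/<pid>/maps line layout: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) (\S+) (\S+) (\d+)\s*(.*)$")


def parse_maps_line(line):
    """Return (start, end, perms, path), or None for a malformed line."""
    m = MAPS_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(7)


def find_signatures(buf, sigs):
    """(offset, signature) for every occurrence of every signature in buf: the
    matching step an AV runs on a dumped region, here a plain substring search."""
    hits = []
    for sig in sigs:
        off = buf.find(sig)
        while off != -1:
            hits.append((off, sig))
            off = buf.find(sig, off + 1)
    return sorted(hits)


def scan_process(pid, sigs, code_only=False):
    """Dump and scan every readable mapping of pid. Returns (hits, bytes_read,
    seconds). Reading another pid's memory needs ptrace permission; a process
    may always read its own."""
    hits, nbytes, t0 = [], 0, time.perf_counter()
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for line in maps:
            parsed = parse_maps_line(line)
            if parsed is None:
                continue
            start, end, perms, path = parsed
            if perms[0] != "r" or path in ("[vvar]", "[vsyscall]"):
                continue                  # not readable through /proc/<pid>/mem
            if code_only and perms[2] != "x":
                continue                  # the deck's 'code-only' scan policy
            try:
                mem.seek(start)
                data = mem.read(end - start)
            except (OSError, OverflowError):
                continue                  # mapping vanished or is guarded
            nbytes += len(data)
            hits += [(start + off, sig) for off, sig in find_signatures(data, sigs)]
    return hits, nbytes, time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed marker planted in our own heap, then located by the scan.
    marker = b"MINI-ME-DEMO-SIGNATURE-" + os.urandom(8).hex().encode()
    hits, nbytes, secs = scan_process(os.getpid(), [marker])
    print(f"scanned {nbytes / 2**20:.1f} MiB in {secs * 1000:.1f} ms: "
          f"{len(hits)} hit(s) at {[hex(a) for a, _ in hits]}")
```

Run it on a large process (e.g. a browser PID, with the ptrace permission that requires) and the reported time is the per-process cost the figure plots; the Virtual-Full and Physical variants pay the same copy-then-search price over all processes or over the whole physical address space, which is why their curves sit above this one.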
0x7. Is there a way to eliminate this performance cost?
Understanding Malware Detection Tasks
Monitoring
You need to know: When to inspect.
Classifying
You need to know: What to inspect.
Hardware-Enhanced AntiVirus Engine (HEAVEN)
2-level Architecture
Does not fully replace AVs, but adds efficient matching capabilities to them.
0x8. Why not use existing hardware?
Can’t We Rely on Page Faults?
Table: Blocking on Page Faults. Overhead of running a detection routine of 5K, 10K, 20K or 30K cycles on every page fault (PF). The overhead grows with the routine's complexity and is approximately PF × routine cycles / total cycles.

Benchmark  Cycles  PF     5K     10K    20K     30K
perl       187G    1.8M   4.74%  9.48%  18.96%  28.44%
mcf        69G     375K   2.72%  5.45%  10.89%  16.34%
milc       556G    1.2M   1.05%  2.10%  4.21%   6.31%
bzip       244G    170K   0.35%  0.69%  1.38%   2.08%
namd       491G    325K   0.33%  0.66%  1.32%   1.98%
0x9. How does the memory work?
What can we explore?
Observing Memory Accesses Patterns
Figure: Write-to-Read window. Read requests originating from the MSHR may overlap other memory-buffered read requests for any address, but must not overlap earlier memory-buffered write requests for the same address.
0xA. What does the hardware detector look like?
Malware Identification based on Near- and In-Memory Evaluation
(MINI-ME)
Figure: MINI-ME Architecture. MINI-ME is implemented within the memory controller.
0xB. How does the software know about hardware detections?
Handling Notifications via Page Faults
void __do_page_fault(struct pt_regs *regs, unsigned long error_code,
                     unsigned long address)
{
    /* Original code: dispatch on the error-code bits the CPU reports. */
    if (error_code & X86_PF_WRITE) ...
    if (error_code & X86_PF_INSTR) ...
    /* Added code: X86_MALICIOUS is the new error-code bit the hardware
     * detector raises for a page that matched a signature. */
    if (error_code & X86_MALICIOUS) ...
}
Code 4: Modified PF handler. The malicious bit is set when suspicious pages are mapped.
0xC. How many CPU cycles can we delay?
How Much Performance Overhead is Acceptable?
Figure: MINI-ME database overhead. IPC overhead (%, 0–6%) vs. memory delay (0, 8, 24, 32, 64 and 128 cycles) for astar, calculix, dealII, gromacs and namd. Delays of up to 32 cycles impose less than 1% IPC overhead.
0xD. What signature size should we use?
Signature Size Definition
Table: Signature Generation. Share (%) of signatures flagged as false positives, by signature size and memory dump size.

Signature size  1 GB    2 GB    4 GB     8 GB
8 B             8.65%   9.92%   10.18%   11.45%
16 B            3.06%   3.32%   3.32%    3.32%
32 B            0.00%   0.00%   0.00%    0.00%
64 B            0.00%   0.00%   0.00%    0.00%
0xE. Which storage type should we use?
Matching Mechanism Definition
Table: Matching Techniques. FP rates for multiple signature sizes and techniques.

Matching technique    8 B     16 B    32 B    64 B
Direct-Mapped Table   8.33%   3.15%   0.00%   0.00%
Signature Tree        8.33%   3.15%   0.00%   0.00%
Bloom Filter          8.41%   3.47%   0.00%   0.00%
0xF. What scan policy should we use?
Matching Policies Definition
Table: Scan Policies. FP rate for multiple signature sizes and policies.

Scan policy     8 B     16 B    32 B    64 B
Whole Memory    8.33%   3.15%   0.00%   0.00%
Mapped Pages    0.06%   0.01%   0.00%   0.00%
Whitelist       0.00%   0.00%   0.00%   0.00%
Code-Only       0.01%   0.00%   0.00%   0.00%
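A small Python simulation of the matching step that the three tables above evaluate (signature size, matching technique and scan policy), added here as an illustration. It is neither the MINI-ME hardware nor the evaluation behind the tables: the memory image, the 4-symbol low-entropy byte alphabet, the 64K-slot direct-mapped table, the 16 Kbit Bloom filter, the signature prefixes and the whitelist are all constructed assumptions, so the numbers only reproduce the shape of the tables (false positives vanish as signatures grow, the Bloom filter flags at least what the exact table flags, and narrower policies flag less), not their values.

```python
"""Simulation of MINI-ME-style fixed-size signature matching over a memory
image: signature sizes 8..64 B, a direct-mapped table vs. a Bloom filter and
scan policies (whole memory, mapped pages, code-only, whitelist).
Illustrative code only: neither the MINI-ME hardware nor its evaluation."""
import hashlib
import random
from dataclasses import dataclass

PAGE = 4096
# Assumption: low-entropy memory is modelled with a 4-symbol byte alphabet
# (a few recurring opcode/padding bytes), so that short windows repeat.
ALPHABET = b"\x00\x8b\x48\xff"


@dataclass
class Page:
    data: bytes
    mapped: bool   # present in the simulated page table
    code: bool     # executable mapping


def low_entropy(rng, n):
    return bytes(rng.choice(ALPHABET) for _ in range(n))


def build_image(rng, npages=16):
    """Constructed image: half the pages are unmapped (stale content left by
    freed mappings), a quarter are mapped code and a quarter mapped data."""
    return [Page(low_entropy(rng, PAGE), i % 2 == 0, i % 4 == 0)
            for i in range(npages)]


class DirectMappedTable:
    """Exact matcher: slot = hash(sig) % nslots. A colliding insert evicts the
    earlier signature, which can then no longer be detected (a miss)."""
    def __init__(self, sigs, nslots=65536):
        self.slots = [None] * nslots
        for s in sigs:
            self.slots[self._slot(s)] = s

    def _slot(self, b):
        h = hashlib.blake2b(b, digest_size=4).digest()
        return int.from_bytes(h, "little") % len(self.slots)

    def __contains__(self, window):
        return self.slots[self._slot(window)] == window


class BloomFilter:
    """Probabilistic matcher: never misses an inserted signature, but may flag
    windows that were never inserted (extra false positives)."""
    def __init__(self, sigs, nbits=1 << 14, nhash=3):
        self.nbits, self.nhash, self.bits = nbits, nhash, bytearray(nbits // 8)
        for s in sigs:
            for b in self._idx(s):
                self.bits[b >> 3] |= 1 << (b & 7)

    def _idx(self, b):
        h = hashlib.blake2b(b, digest_size=4 * self.nhash).digest()
        return [int.from_bytes(h[4 * i:4 * i + 4], "little") % self.nbits
                for i in range(self.nhash)]

    def __contains__(self, window):
        return all(self.bits[b >> 3] & (1 << (b & 7)) for b in self._idx(window))


# Scan policies: which pages the matcher may inspect (wl = whitelisted page hashes).
POLICIES = {
    "whole": lambda p, wl: True,
    "mapped": lambda p, wl: p.mapped,
    "code": lambda p, wl: p.mapped and p.code,
    "whitelist": lambda p, wl: hashlib.sha256(p.data).digest() not in wl,
}


def scan(pages, matcher, sig_size, policy, whitelist=frozenset()):
    """Slide a sig_size window byte by byte over every admitted page and
    return the distinct windows the matcher flagged."""
    flagged = set()
    for p in pages:
        if POLICIES[policy](p, whitelist):
            for off in range(PAGE - sig_size + 1):
                w = p.data[off:off + sig_size]
                if w in matcher:
                    flagged.add(w)
    return flagged


def fp_rate(pages, sigs, matcher_cls, policy="whole", whitelist=frozenset()):
    """Share (%) of the signature database that raised an alarm in memory that
    contains no malware, i.e. the false-positive metric of the tables."""
    flagged = scan(pages, matcher_cls(sigs), len(sigs[0]), policy, whitelist)
    return 100.0 * len(flagged) / len(sigs)


def run(seed=1, nsigs=256):
    """Reproduce the shape of the three FP tables on constructed data."""
    rng = random.Random(seed)
    pages = build_image(rng)
    # Signatures are prefixes of 64-byte chunks of a constructed "malware"
    # sample that is absent from the image, so every alarm is a false positive.
    chunks = [low_entropy(rng, 64) for _ in range(nsigs)]
    # Whitelist: assume the first two mapped pages are known-good library code.
    wl = frozenset(hashlib.sha256(p.data).digest()
                   for p in [q for q in pages if q.mapped][:2])
    results = {}
    for size in (8, 16, 32, 64):
        sigs = sorted({c[:size] for c in chunks})
        results[("exact", size, "whole")] = fp_rate(pages, sigs, DirectMappedTable)
    sigs8 = sorted({c[:8] for c in chunks})
    results[("bloom", 8, "whole")] = fp_rate(pages, sigs8, BloomFilter)
    for pol in ("mapped", "code", "whitelist"):
        results[("exact", 8, pol)] = fp_rate(pages, sigs8, DirectMappedTable, pol, wl)
    return results


if __name__ == "__main__":
    for (tech, size, pol), rate in run().items():
        print(f"{tech:5s} {size:2d} B  {pol:9s}  FP = {rate:6.2f}%")
```

The two matchers fail in opposite directions, which is what the 2-level architecture relies on: a direct-mapped table silently drops a signature on a slot collision (a miss the hardware cannot report), while a Bloom filter never misses an inserted signature but raises extra flags that the software level has to confirm with an exact comparison. Restricting the scan to mapped or code pages lowers the false-positive rate simply because fewer windows are inspected, at the price of never looking at stale, unmapped content.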
0xF+1 (OOB). Is it better than a software-based, on-access AV?
MINI-ME in Practice
Figure: Monitoring Overhead. Execution time overhead (%, 0–13%) of perl, namd, bzip, mcf and milc with an on-access AV vs. MINI-ME. MINI-ME imposes a smaller overhead while still checking more pages than an on-access solution.
Conclusions
Challenges & Lessons
Fileless malware is a growing, hard-to-detect class of threats.
Traditional AntiViruses (AVs) impose a significant performance overhead to perform memory scans.
In-memory and near-memory AVs help reduce the AV's performance overhead.
The more complex the matching mechanism, the greater the performance overhead.
MINI-ME is a platform for future developments.