Introduction AV Background The Academic Production Contextual Issues Evaluation Issues Hardware-Assisted Solutions Predicting the Future Con
On the Malware Detection Problem:
Challenges & Novel Approaches
Marcus Botacin (PhD candidate, Federal University of Paraná (UFPR), mfbotacin@inf.ufpr.br)
Paulo Lício de Geus (co-advisor, Institute of Computing - UNICAMP, paulo@lasca.ic.unicamp.br)
André Grégio (advisor, Federal University of Paraná (UFPR), gregio@inf.ufpr.br)
On the Malware Detection Problem:Challenges & Novel Approaches 1 / 89 UFPR
Topics
1 Introduction
The Problem
Formalization
2 AV Background
How Actual AVs Work
Implications
3 The Academic Production
Challenges & Pitfalls
4 Contextual Issues
Brazilian Malware
5 Evaluation Issues
AV Evaluation Metrics
6 Hardware-Assisted Solutions
Malware Execution “Prediction”
7 Predicting the Future
Fileless Malware Detection
8 Conclusions
Complements
Final Remarks
The Problem
Security remains “unsolved”.
Source: https://thehackernews.com/2021/03/why-do-companies-fail-to-stop-breaches.html
The Reasons (1/2)
1. Security is Hard!
Malware Computation Theory
Figure: Source: https://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html
Figure: Source: https://www.cs.virginia.edu/~evans/pubs/virus.pdf

```
Application:
    do_something()   // does this call ever return?
    malicious()      // reachable only if it does
```
Code 1: Malware detection and the halting problem. Deciding whether malicious() is ever reached requires deciding whether do_something() halts.
Don’t Give up!
Approximations* of Security
Evaluation Criteria
Effectiveness: do AVs really detect the malware samples?
Efficiency: how many resources do AVs require to operate?
Aren’t AVs effective?
0
20
40
60
80
100
0 2 4 6 8 10 12 14 16 18 20 22 24 26 28
Detection
Rate
(%)
AV
Coverage
(%)
Days
AV Opportunity Window
World PE Detection
BR PE Detection
World AV Coverage
BR AV Coverage
Figure: Source: We Need to Talk About AVs (2020).
Attack Opportunity Win-
dow. How long does it take
for AVs to detect new sam-
ples?
Aren’t AVs effective?
Figure: Source: https://tinyurl.com/yyphbxjc
Aren’t AVs efficient?
0
50
100
150
200
250
300
perl namd Bzip milc mfc
Execution
Time
(s)
Benchmark
AV scanning overhead
Scan
Baseline
Figure: Source: Near-Memory and In-Memory Detection
of Fileless Malware (2020).
Memory Scan Overhead.
How much SPEC benchmark
applications are affected?
Aren’t AVs efficient?
Figure: Source: https://tinyurl.com/y39vquku
The Reasons (2/2)
2. Security lacks a Method!
The Science of Security
Herley and van Oorschot (2017), on the JASON report:
“The science seems under-developed in reporting experimental results, and consequently in the ability to use them. The research community does not seem to have developed a generally accepted way of reporting empirical studies so that people could reproduce the work”
Shostack and Stewart (2008), The New School of Information Security:
“We don’t want to minimize the difficulties involved in answering such questions. We can’t arrange a set of companies in test tubes, add heat, and see what comes out. In that respect, our data sources are more like those of astrophysicists or sociologists than those that a chemist or physicist might create by careful design. But this doesn’t mean we can’t learn from observation.”
The importance of methods in science
Auguste Comte and Positivism:
“On the subject of stars, all investigations which are not ultimately reducible to simple visual observations are...necessarily denied to us...we shall not at all be able to determine their chemical composition or even their density... I regard any notion concerning the true mean temperature of the various stars as forever denied to us.”
Astronomy nowadays: Scientific American. Figure: Source: tinyurl.com/nfwwkw4r
Formalization
Research Questions
1 Why has current malware research failed to provide greater security to real systems?
  1.1 Which types of research work have been conducted so far?
  1.2 How have research works been conducted so far?
  1.3 What are the limits and implications of this current scenario?
2 What could be done for future malware research to succeed in operating in real scenarios?
  2.1 Which type of research could be developed to support real-world needs?
  2.2 Which methods could be applied to malware research developments to make them more successful in handling real malware?
  2.3 Who are the stakeholders involved in designing research solutions that can evolve to operate in real scenarios?
Research Plan
Roadmap: systematic review of the malware research literature; identify development gaps in each field; bridge a sub-problem in each field.
Guideline: contributing in breadth in addition to contributing in depth.
Figure: Thesis organization. The chapters form a chain, each motivated by a finding of the previous one: AV Background (Chapter 2) [strong assumptions need strong proofs]; Literature Review (Chapter 3) [generalization of heuristics and ML models; considering only global samples]; Sample’s Context (Chapter 4) [lower detection rate; detection-rate focus; multiple detectors: signatures, heuristics, ML, cloud]; AV Evaluation Metrics (Chapter 5) [performance should be evaluated; unsolved update problem; need for new detection engines]; Hardware AVs (Chapter 6) [improvements can be designed for multiple ad-hoc solutions; AVs have been reactive]; Future Threats (Chapter 7).
How Actual AVs Work
Why Study AVs?
Knowing AVs
“I was more surprised that...there was very little information about AV software...Although it’s comprised of extremely nice people, the AV community tends to be very industry-driven and insular, and isn’t in the habit of giving its secrets.”
Figure: John Aycock (2006). Computer Viruses and Malware.
Publication
Figure: Source:
https://www.sciencedirect.com/science/article/pii/S0167404821003242
Which AVs to analyze?
Table: Analyzed AVs.
AV Version MD5
Avast 19.7.4674.0 172ee63bf3e0fa54abd656193d225013
AVG 19.8.4793.0 0d19e6fc1a4d239e02117f174d00d024
BitDefender 24.0.14.74 0e54eab75c8fd4059f3e97f771c737de
F-Secure 21.05.103.0 2393777281f3a9b11832558f5f3c0bce
Kaspersky 20.0.14.1085 7dc4fb6f026f9713dca49fc1941b22ce
MalwareBytes 3.0.0.199 9c69b2a22080c53521c6e88bd99686a1
Norton 22.17.1.50 2f1f762658dc7e41ecc66abd0270df97
TrendMicro 12.0 f8b8a3701ec53c7e716cf5008fad9aa1
Vipre 11.0.4.2 77a9dbd31ed5ebe490011ffa139afe03
WinDefender 4.18.1902.5 Built-in W10
What to analyze?
Installation
Uninstallation
Updates
Modularity
Signatures
Databases
Real-Time Checks
Machine Learning
Cloud Scans
Heuristics
Attack Surface
Self-Protection
Implications
Academic Production
Figure: Papers leveraging signatures vs. behaviors in defensive solutions: paper prevalence (%) per year, 2006 to 2018 (series: Signatures, Behaviors). Source: Challenges and Pitfalls in Malware Research (2021).
Malware Detection Methods. Signatures vs. behavioral (e.g., machine learning) approaches.
Implications (1/2)
1. What About Signatures?
AVs and Common-Sense
Signatures
“It may seem at first that such signatures are not frequently used in today’s antivirus products, but the reality is otherwise...Cryptographic hashes are often used by antivirus products.”
Figure: Joxean Koret and Elias Bachaalany (2015). The Antivirus Hacker’s Handbook.
Signature Extraction Algorithm
Figure: Binary search-like signature identification. The sample (Header, Section 1, Section 2) is (1) scanned as-is: detected. (2) With Section 1 patched it is still detected, so the signature is not in Section 1. (3) With Section 2 patched it is undetected, so the signature lies in Section 2. Section 2 is then split into halves 2.1 and 2.2 and each half is patched in turn (4) (5): a half whose patching leaves the sample detected is discarded, and a half whose patching makes it undetected is split again (2.1.1 / 2.1.2, 2.2.1 / 2.2.2) (6), until the bytes the verdict depends on are isolated (7): the signature.
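The patch-and-rescan procedure of the figure, worked through as an added example (my reconstruction, not the thesis authors' code). A substring matcher stands in for the AV engine, the sample bytes and their section layout are constructed, and `localize_signature`, `bisect_region` and the `min_len` granularity are my names and assumptions. Against a real product the `detect` callback would write the patched file to disk and invoke the vendor's on-demand scanner.

```python
"""Binary-search-like signature localization (added example).

Reconstructs the patch-and-rescan procedure sketched on the slide; it is not
the thesis authors' code. The AV engine is replaced by a stand-in substring
matcher (assumption) so that everything runs offline.
"""
import random


def make_detector(*signatures: bytes):
    """Stand-in for an AV engine: the file is 'detected' if ANY of the
    byte-level signatures occurs in it."""
    def detect(data: bytes) -> bool:
        return any(sig in data for sig in signatures)
    return detect


def patch(data: bytes, start: int, end: int) -> bytes:
    """Overwrite [start, end) with zeros; the size is unchanged so that
    section offsets stay valid."""
    return data[:start] + b"\x00" * (end - start) + data[end:]


def bisect_region(data: bytes, detect, start: int, end: int, min_len: int = 8):
    """Precondition: patching [start, end) makes `data` undetected.
    Halve the region and keep the half (or halves) whose patching alone
    breaks detection, down to `min_len` bytes."""
    if end - start <= min_len:
        return [(start, end)]
    mid = (start + end) // 2
    left_kills = not detect(patch(data, start, mid))
    right_kills = not detect(patch(data, mid, end))
    found = []
    if left_kills:
        found += bisect_region(data, detect, start, mid, min_len)
    if right_kills:
        found += bisect_region(data, detect, mid, end, min_len)
    if not found:
        # Neither half alone breaks detection: independent signatures exist
        # in both halves, so the whole region is reported instead.
        found.append((start, end))
    return found


def localize_signature(data: bytes, sections, detect, min_len: int = 8):
    """sections: [(name, start, end)]. Returns {section_name: [(s, e), ...]}
    for every section whose patching alone removes the detection
    (steps (2) and (3) of the figure), bisected down to byte ranges."""
    if not detect(data):
        raise ValueError("sample is not detected; nothing to localize")
    hits = {}
    for name, start, end in sections:
        if not detect(patch(data, start, end)):
            hits[name] = bisect_region(data, detect, start, end, min_len)
    return hits


def signature_span(ranges):
    """Collapse the located byte ranges into one [lo, hi) span."""
    return min(s for s, _ in ranges), max(e for _, e in ranges)


# --- constructed sample (not a real malware file; assumption) -------------
_rng = random.Random(1)
SIGNATURE = b"EVIL_C2_BEACON"                     # what the stand-in AV matches
_header = b"MZ" + bytes(_rng.randrange(256) for _ in range(62))
_section1 = bytes(_rng.randrange(256) for _ in range(256))
_section2 = bytearray(_rng.randrange(256) for _ in range(256))
_section2[100:100 + len(SIGNATURE)] = SIGNATURE    # planted 100 bytes into section 2
SAMPLE = _header + _section1 + bytes(_section2)
SECTIONS = [("header", 0, 64), ("section1", 64, 320), ("section2", 320, 576)]
DETECT = make_detector(SIGNATURE)


def demo():
    """Localize the planted signature and return the ranges plus the bytes."""
    hits = localize_signature(SAMPLE, SECTIONS, DETECT)
    lo, hi = signature_span(hits["section2"])
    return hits, SAMPLE[lo:hi]


if __name__ == "__main__":
    found, sig_bytes = demo()
    print(found)      # {'section2': [(416, 424), (424, 432), (432, 440)]}
    print(sig_bytes)  # 24-byte window containing b'EVIL_C2_BEACON'
```

Patching whole sections first, as the figure does, keeps the PE parseable; zeroing arbitrary byte ranges can break headers, and an engine that refuses to parse the file reports it as clean for the wrong reason. The empty `found` case also matters in practice: a product with two independent signatures in the same region stays detected when either half is patched, so the bisection must report the whole region rather than conclude the signature vanished.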
Signatures in Practice
Figure: AVs detecting specific binary sections: percentage of samples (0 to 45%) for which each AV’s detection depends on a specific section (AVs: AVG, NOD32, Yandex, GData, DrWeb, Emsisoft, eScan, Ad-Aware, MAX, BitDefender, Arcabit, ZoneAlarm, Kaspersky, AhnLab, Bkav, Ikarus, Microsoft, Zillya, ALYac, NANO, Cybereason, Avira, Rising).
Figure: Signature prevalence. Around a third of AV detections are based on a specific section’s contents.
Implications (2/2)
2. What About Machine Learning?
ML and Academic Models
Table: DLL hooking. Can we assume a unified model? Number of functions and libraries hooked by each AV.
Antivirus   Functions  Libraries
Avast          17       2
BitDefender   132      11
F-Secure       17       4
VIPRE          45       3
Challenges & Pitfalls
Reflecting on our own field.
Analyzing the Scientific Production
“How many anthropologists write books,
theses or articles that are read, commented
on and criticized by the people they study?”
Figure: Latour, Bruno; Woolgar, Steve (1986).
Laboratory life: the construction of scientific
facts.
Publication
Figure: Link:
https://www.sciencedirect.com/science/article/pii/S0167404821001115
Malware Literature Venues
Table: Selected papers. Distribution per year (2000 – 2018) and per venue. Year columns run from 2000 to 2018 (two-digit years), followed by the total.
Venue                          | 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 | Total
USENIX (Security, LEET & WOOT) |  1  0  0  0  0  1  1  6  2  3  7  8 10 12  9  7  9 13  6 |  95
CCS                            |  0  0  0  0  0  0  0  2  4  6  6  7 11  9 11 14  2 11  6 |  89
ACSAC                          |  0  0  0  0  2  3  2  4  4  1  3  8 10  7 10  6  3  7  8 |  78
IEEE S&P                       |  0  1  0  0  0  1  3  2  1  0  0 10 17 12  3  6  4  5  3 |  68
DIMVA                          |  0  0  0  0  0  4  4  3  8  2  3  0  8  4  8  7  7  5  4 |  67
NDSS                           |  0  0  0  0  1  0  2  0  3  3  3  3  2  4  5  4  9  7  3 |  49
RAID                           |  0  0  1  0  0  1  3  0  0  0  0  0  3  5  5  3  4  3  3 |  31
ESORICS                        |  0  0  0  0  0  1  0  0  2  1  0  0  2  3  3  0  1  1  0 |  14
Total                          |  1  1  1  0  3 11 15 17 24 16 22 36 63 56 54 47 39 52 33 | 491
Is Security Art?
Figure: Matt Bishop (2002). Computer Security: Art and Science.
Figure: Our paper. Ruimin Sun et al. (2020). IEEE Transactions on Dependable and Secure Computing (TDSC).
A Method for Malware Research
Figure: Malware research method, integrating science and engineering. The diagram has a common core shared by both kinds of work: Research Objective Definition; Hypothesis Definition & Research Requirements; Background Research; Experiment Design; Test of Hypothesis / Evaluation of Solution; Analysis of Results; and the decision “Results align with Hypothesis / Requirements?” (Yes: Communicate Results; No: back into the loop). The engineering method branch adds Solution Requirements, Solution Design and Solution Development / Prototyping before the evaluation step; non-engineering research follows the scientific method branch directly.
Research Types
Figure: Published papers distribution per research type (Engineering, Offensive, Observational, Network): paper prevalence (%) per year, 2005 to 2018.
Malware Research Types. Is it good to have more engineering solutions than all other types of research?
Dataset Sizes
Figure: Dataset size evolution over time: number of samples per paper (log scale, 1 to 10M) by year, 2004 to 2018, with the median.
Dataset Size Definition. How to define how many samples are representative? Shouldn’t we have some kind of guideline?
Dataset Sources
Figure: Prevalence of malware repositories: paper prevalence (%, 0 to 10%) per repository (Github, Honeypot, Marvin, Drebin, Metasploit, CWsandbox, Phishtank, MalwareDB, SandDroid, MalHeur, Malfease, Real Users, VxHeaven, Virustotal, Devices, Offensive, Universities, Enterprises, McAfee, Sec. Company, Genome, Contagio, Symantec, Unclear, Anubis, Blacklists).
Research Reproducibility. Are these samples available? Are they described? Were repositories sinkholed?
Summary
1 Imbalance in research work types.
2 Solutions developed are not informed by previous studies’ data.
3 Most works still don’t clearly state threat models.
4 Failure to position works as prototypes or as real-world solutions.
5 Offline and online solutions developed and evaluated using the same criteria.
6 No dataset definition criteria.
7 Little attention to dataset representativeness.
8 Most studies are not reproducible.
9 Sandbox execution criteria are not explained.
10 Non-homogeneous AV labels are still a problem.
A final verdict?
About theories
“We start out confused, and end up
confused at a higher level.”
Figure: A. F. Chalmers (1976). What Is This
Thing Called Science?
Brazilian Malware
Contextual Issues.
Analyzing Security Practices
“Best practices typically don’t take into account differences between companies or, more generally, between industries. The security decisions at an oil firm are made in a very different context than in a clothing wholesaler, and yet we are told that best practices can apply to both”
Figure: Adam Shostack and Andrew Stewart (2008). The New School of Information Security.
Publication
Figure: Link: https://dl.acm.org/doi/10.1145/3429741
Brazilian Financial Malware
Figure: Passive Banker Malware for
Santander bank waiting for user’s
credential input.
Figure: Passive Banker Malware for Itaú bank
waiting for user’s credential input.
Brazilian Financial Malware Filetypes.
Figure: Evolution of threat’s filetype: share of samples (%) per year, 2012 to 2018, by filetype (PE, CPL, .NET, DLL, JAR, JS, VBE).
Brazilian malware filetypes. Varied file formats are prevalent over the years.
Research Impact
Figure: Source:
https://www.usenix.org/conference/enigma2021/presentation/botacin
AV Evaluation Metrics
Why Do We Need Metrics?
Analyzing Security Practices
“If security can’t be measured, it
continues to be impossible to say
whether we have more of it today
than we did yesterday.”
Figure: Adam Shostack and Andrew Stewart
(2008). The New School of Information
Security.
Publication
Figure: Source:
https://www.sciencedirect.com/science/article/pii/S0167404820301310
Detection Rates Over Time (1/2)
Figure: AV detection evolution after 30 days: initial and final detection rates (%) per dataset (World (PE), Brazil (PE), World (Web), Brazil (Web)).
Initial and Final Detection Rates. Detection rates increase over a 30-day period.
Detection Rates Over Time (2/2)
Figure: Detection rates along time: detection (%, 84 to 100%) over days 0 to 30 for World PEs and BR PEs.
Detection Regression. Some samples stop being detected after some time.
Summary.
Initial Detection Rate (IDR)
Final Detection Rate (FDR)
Attack Opportunity Window (AOW)
Detection Regression (DRE)
Label Regression (LRE)
Label Meaningfulness (LME)
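The six metrics above, computed from a per-day scan log as an added example (not the paper's code). The definitions are my reading of the metric names and are assumptions: IDR and FDR are the fraction of samples detected at the first and at the last scan; AOW is the mean number of days from first scan to first detection over the samples that are eventually detected; DRE is the share of ever-detected samples that later lose detection; LRE the share whose label changes between detections; LME the share of final labels that say more than "it is malware", judged by the `GENERIC_TOKENS` list. The scan log `SCANS` is constructed.

```python
"""Six AV evaluation metrics from a scan log (added example, not the paper's
code). Metric definitions below are assumptions derived from the metric names;
the paper's formal definitions may differ in details such as denominators."""
from statistics import mean

# Label fragments treated as carrying no information beyond 'malware'
# (assumption used for LME).
GENERIC_TOKENS = ("generic", "agent", "heur", "suspicious", "malware")


def is_meaningful(label: str) -> bool:
    """A label is meaningful if it names a family or behaviour rather than a
    generic bucket."""
    low = label.lower()
    return not any(tok in low for tok in GENERIC_TOKENS)


def av_metrics(scans: dict) -> dict:
    """scans: {sample_id: {day: label_or_None}}; a None label means the AV did
    not detect the sample on that day. Days need not be contiguous."""
    n = len(scans)
    idr = fdr = 0
    windows = {}                 # sample -> days from first scan to first detection
    regressed, relabelled, ever_detected = set(), set(), set()
    final_labels = []
    for sample, log in scans.items():
        timeline = sorted(log.items())          # [(day, label), ...]
        first_day, first_label = timeline[0]
        _, last_label = timeline[-1]
        if first_label is not None:
            idr += 1
        if last_label is not None:
            fdr += 1
            final_labels.append(last_label)
        detections = [(d, lab) for d, lab in timeline if lab is not None]
        if not detections:
            continue                            # never detected: no window to measure
        ever_detected.add(sample)
        first_detection_day = detections[0][0]
        windows[sample] = first_detection_day - first_day
        # Detection regression: undetected on some day after the first detection.
        if any(lab is None for d, lab in timeline if d > first_detection_day):
            regressed.add(sample)
        # Label regression: the label changes between consecutive detections.
        labels = [lab for _, lab in detections]
        if any(a != b for a, b in zip(labels, labels[1:])):
            relabelled.add(sample)
    detected_n = len(ever_detected) or 1
    return {
        "IDR": idr / n,
        "FDR": fdr / n,
        "AOW": mean(list(windows.values())) if windows else float("inf"),
        "AOW_per_sample": windows,
        "DRE": len(regressed) / detected_n,
        "LRE": len(relabelled) / detected_n,
        "LME": (sum(is_meaningful(lab) for lab in final_labels) / len(final_labels))
               if final_labels else 0.0,
    }


# Constructed scan log for one AV over days 0, 7 and 30 (assumption; the
# labels are illustrative, not real vendor output).
SCANS = {
    "s1": {0: "Trojan.Banker.Delf", 7: "Trojan.Banker.Delf", 30: "Trojan.Banker.Delf"},
    "s2": {0: None, 7: "Generic.Malware", 30: "Generic.Malware"},      # detected late
    "s3": {0: None, 7: None, 30: "Win32.Downloader.Bladabindi"},       # detected on day 30
    "s4": {0: "Trojan.Ransom.Locky", 7: None, 30: None},               # detection regression
    "s5": {0: "Trojan.Spy.Zbot", 7: "Trojan.Spy.Zbot", 30: "Trojan.Generic"},  # label regression
    "s6": {0: None, 7: None, 30: None},                                # never detected
}

if __name__ == "__main__":
    for name, value in av_metrics(SCANS).items():
        print(name, value)
```

The same log, scanned by several products, gives the six-axis profile of the radar charts; which axis matters depends on the consumer, as the captions on the next slide make explicit. A long AOW with a high FDR is tolerable for a retrospective scan of a quarantine store, not for a gateway that sees each sample once.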
Multi-Dimensional AV Evaluation.
Figure: AVs’ operational aspects, considering the six proposed metrics (AOW, DRE, FDR, IDR, LME, LRE) plotted as radar charts with rings at 10, 30, 60 and 90. (a) AV1: recommended for incident response teams. (b) AV2: recommended for corporate users. (c) AV3: recommended for domestic users.
Evaluation Metrics Adoption
Figure: Dissertation Source:
https://www.royalholloway.ac.uk/media/16565/techreport-giusepperaffa.pdf.
Malware Execution “Prediction”
Improving AV Performance
Strategies (John Aycock (2006). Computer Viruses and Malware):
Reduce the amount scanned.
Reduce the number of scans.
Lower resource requirements.
Change the algorithm.
Publication
Figure: Source: Under Review.
Branch Prediction Background.
Figure: 2-level branch predictor.
Branch Patterns and Code Patterns
(a) Code. (b) Flow. (c) Signature
Figure: Associating high-level code constructs with their occurrence in the execution flow.
Branch Patterns as Signatures (1/3)
Figure: Percentage of signature collision per branch-pattern length (in bits). X axis: branch pattern length (k bits, 8 to 40); Y axis: percentage of signature collision in the k-bit space (0 to 100%).
Patterns Viability
How long should a branch pattern be to be used as a signature?
Branch Patterns as Signatures (2/3)
Table: Signature distribution along code regions in the evaluated malware samples: percentage of good signatures per code region, and percentage of malware samples allowing generation of at least one signature for that code region. A code region [0%-10%] corresponds to the first 10% of the malware trace.
Code region   Signatures   Samples
0%-10%        6%           100%
10%-50%       10%          54%
50%-70%       19%          98%
70%-80%       28%          78%
80%-90%       24%          90%
90%-100%      13%          100%
Branch Patterns as Signatures (3/3)
Table: Malware behaviors associated with HEAVEN-produced signatures and the code region in which they are matched (percentage of the sample's execution).
Behavior        Signature prevalence   Code region   Samples
Image Load      18%                    0%-10%        100%
Image Launch    45%                    0%-10%        100%
File Deletion   81%                    80%-90%       100%
Connection      100%                   0%-10%        100%
Exfiltration    67%                    80%-90%       100%
Hardware-Enhanced AntiVirus Engine (HEAVEN)
2-level Architecture
HEAVEN does not fully replace the AV; it adds efficient matching capabilities to it, so the software AV is only invoked when the hardware matcher reports a hit.
Performance Characterization
Figure: AV monitoring overhead: CPU usage (%) over time (s, 5 to 40) for HEAVEN+AV, AV alone, and No-AV.
2-Phase HEAVEN CPU Performance
The inspection phase causes occasional, quick bursts of CPU usage, whereas the AV operating alone incurs a continuous 10% performance overhead.
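The three ideas on the slides above (how long a branch pattern must be before it stops colliding with goodware, HEAVEN's two-level architecture, and the bursty phase-2 CPU profile) can be reproduced in miniature. The following is an added example written for this page, not HEAVEN's code or the paper's implementation: the branch traces, the k values, the choice of three signatures per sample and the held-out goodware check are all assumptions made for the illustration. It goes slightly beyond the slides by also running the derived signatures against a goodware trace that was not used when deriving them.

```python
"""Branch-history signatures for a two-level (global-history) predictor.

Added example; this is not HEAVEN's code. A global history register (GHR)
of k bits holds the taken/not-taken outcomes of the last k branches. Every
k-bit value the GHR takes while a sample runs is a candidate signature; a
candidate that also appears in goodware traces is a collision and is
dropped. Comparing the GHR against a few surviving signatures is cheap
(phase 1), so the expensive software inspection (phase 2) runs only on a
hit. All traces below are constructed.
"""


class GlobalHistory:
    """k-bit shift register holding the outcomes of the last k branches."""

    def __init__(self, k):
        self.k, self.mask, self.value, self.seen = k, (1 << k) - 1, 0, 0

    def update(self, taken):
        self.value = ((self.value << 1) | int(bool(taken))) & self.mask
        self.seen += 1
        return self.value if self.seen >= self.k else None  # None while warming up


def ghr_values(outcomes, k):
    """Yield the k-bit GHR value after each branch once k outcomes are in."""
    h = GlobalHistory(k)
    for taken in outcomes:
        v = h.update(taken)
        if v is not None:
            yield v


def derive_signatures(malware, goodware, k):
    """Return (malware patterns unseen in goodware, in first-appearance order;
    fraction of distinct malware patterns that collide with goodware)."""
    good = set()
    for trace in goodware:
        good.update(ghr_values(trace, k))
    seen, unique, collisions = set(), [], 0
    for v in ghr_values(malware, k):
        if v in seen:
            continue
        seen.add(v)
        if v in good:
            collisions += 1
        else:
            unique.append(v)
    return unique, (collisions / len(seen) if seen else 0.0)


class HeavenMatcher:
    """Two-phase detector: GHR compare in 'hardware', full scan in software."""

    def __init__(self, signatures, k, inspect):
        self.sigs, self.inspect = set(signatures), inspect
        self.history, self.phase2_calls = GlobalHistory(k), 0

    def on_branch(self, taken):
        v = self.history.update(taken)
        if v is not None and v in self.sigs:  # phase 1: one table lookup per branch
            self.phase2_calls += 1
            self.inspect(v)                    # phase 2: expensive AV inspection


def loop_trace(period, taken_at, n):
    """Outcomes of a loop branch that is taken when (i % period) is in taken_at."""
    return [(i % period) in taken_at for i in range(n)]


def lcg_trace(n, seed=2021):
    """Irregular, data-dependent outcomes (e.g. an unpacking/decryption loop)."""
    x, out = seed, []
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append(bool((x >> 16) & 1))
    return out


GOODWARE = [
    loop_trace(2, {0}, 300),            # alternating taken / not taken
    loop_trace(3, {0}, 300),            # taken every third iteration
    loop_trace(8, set(range(7)), 300),  # 7 taken, 1 exit, repeated
]
MALWARE = loop_trace(2, {0}, 40) + lcg_trace(200)  # benign-looking prolog, then unpacking
HELD_OUT_GOODWARE = loop_trace(5, {0}, 300)        # not used when deriving signatures


def evaluate(k, n_sigs=3):
    """Derive n_sigs signatures of length k and count phase-2 invocations."""
    unique, rate = derive_signatures(MALWARE, GOODWARE, k)
    sigs = unique[:n_sigs]
    m = HeavenMatcher(sigs, k, inspect=lambda v: None)
    for taken in MALWARE:
        m.on_branch(taken)
    g = HeavenMatcher(sigs, k, inspect=lambda v: None)
    for taken in HELD_OUT_GOODWARE:
        g.on_branch(taken)
    return {"k": k, "signatures": len(sigs), "collision_rate": rate,
            "branches": len(MALWARE),
            "phase2_on_malware": m.phase2_calls,
            "phase2_on_goodware": g.phase2_calls}


if __name__ == "__main__":
    for k in (4, 8, 16, 32):
        print(evaluate(k))
```

With 4-bit histories most of the malware's patterns also occur in the structured goodware loops, so the collision rate is high; at 32 bits only the alternating prolog collides and the patterns from the irregular region survive as signatures. Because only a handful of signatures are kept per sample, phase 2 fires a few times over a trace of 240 branches, which is the occasional-burst profile the slide reports, and never fires on the held-out goodware loop.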
Hardware Solutions Adoption.
Intel Patent Source: https://patentimages.storage.googleapis.com/fb/23/ff/9d11b27884f050/US10540498.pdf
Fileless Malware Detection
Memory Scans
About Current AVs
“Some antivirus...claim to support memory analysis, but that is not accurate. Such products do not really perform memory analysis but, rather, query the list of processes being executed and analyze the modules loaded in each one using the files as they are on disk.”
Figure: Joxean Koret and Elias Bachaalany (2015). The Antivirus Hacker’s Handbook.
Publication
Figure: Link: https://dl.acm.org/doi/10.1145/3422575.3422775
Memory Controller Background
Figure: Memory Controller Queues.
Malware Identification based on Near- and In-Memory Evaluation (MINIME)
Figure: MINIME Architecture.
Performance Gains
MINIME vs. On-Access AVs
Significant performance gains even
in the worst case.
Figure: Monitoring overhead: execution time overhead (%, 0 to 13%) of an on-access AV versus MINI-ME on the perl, namd, bzip, mcf and milc benchmarks.
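The contrast between the Koret and Bachaalany quote (an AV that "scans memory" by reading module files from disk) and the near-memory idea behind MINIME can be shown with a small model. What follows is an added example for this page, not MINIME's code or the paper's implementation: the 64-byte write granularity, the two signatures, the XOR-packed loader module and the heap address are constructed assumptions. The one edge case it handles deliberately is a signature that straddles two adjacent write transactions, which a matcher that looks at each write in isolation would miss.

```python
"""Signature matching at the memory controller (near-memory detection).

Added example; this is not MINIME's code. It models the point of the slides
above: an AV that "scans memory" by reading the loaded modules' files from
disk never sees a payload that is decrypted straight into RAM, whereas a
matcher fed with the memory controller's write queue inspects every write
as it happens. The 64-byte write granularity, the signatures, the module
image and the addresses are all constructed for this example.
"""
from collections import namedtuple

LINE = 64                                 # assumed: one cache line per write transaction
Write = namedtuple("Write", "addr data")  # one queued write transaction

SIGNATURES = {                            # constructed stand-ins for real AV signatures
    "stager_marker": b"\x48\x31\xc0\x48\x89\xc7\x0f\x05",
    "c2_beacon": b"BEACON://",
}


def scan_on_disk_modules(modules):
    """What a 'memory scan' that really reads module files from disk sees."""
    return [(name, path) for path, image in modules.items()
            for name, pat in SIGNATURES.items() if pat in image]


class NearMemoryMatcher:
    """Matches signatures over the write stream, including across line boundaries."""

    def __init__(self, signatures):
        self.sigs = dict(signatures)
        self.carry = max(len(p) for p in self.sigs.values()) - 1  # bytes kept per line
        self.tail = {}   # line address -> last `carry` bytes written to that line
        self.hits = []   # (signature name, address of the match)

    def on_write(self, w):
        prev = self.tail.pop(w.addr - LINE, b"")  # stitch with the adjacent lower line
        buf, base = prev + w.data, w.addr - len(prev)
        for name, pat in self.sigs.items():
            i = buf.find(pat)
            while i != -1:
                if i + len(pat) > len(prev):      # matches entirely in `prev` were reported before
                    self.hits.append((name, base + i))
                i = buf.find(pat, i + 1)
        self.tail[w.addr] = w.data[-self.carry:] if self.carry else b""
        return self.hits


def xor(data, key):
    return bytes(b ^ key for b in data)


def split_into_lines(base, blob):
    """Chunk a contiguous buffer into line-sized write transactions."""
    return [Write(base + off, blob[off:off + LINE]) for off in range(0, len(blob), LINE)]


def demo():
    key = 0x5A
    # 60 NOPs push the 8-byte marker across the first 64-byte line boundary.
    payload = b"\x90" * 60 + SIGNATURES["stager_marker"] + b"BEACON://203.0.113.7\x00"
    # loader.dll on disk carries only the XOR-encrypted payload, so file scanning is clean.
    modules = {"C:\\tmp\\loader.dll": b"MZ" + b"\x00" * 30 + xor(payload, key)}
    disk_hits = scan_on_disk_modules(modules)
    # At run time the loader decrypts the payload into a fresh heap region; the
    # memory controller sees that as a sequence of line-sized writes.
    heap = 0x7FF600010000
    writes = split_into_lines(heap, xor(modules["C:\\tmp\\loader.dll"][32:], key))
    m = NearMemoryMatcher(SIGNATURES)
    for w in writes:
        m.on_write(w)
    return disk_hits, m.hits


if __name__ == "__main__":
    print(demo())
```

The file-based scan returns nothing because the only copy of the payload on disk is XOR-encoded, while the write-stream matcher reports both signatures with the address at which they landed; the first one is found even though its bytes are split 4/4 between two 64-byte writes, because the matcher keeps the last (longest signature minus one) bytes of each line and only stitches them to a write at the adjacent address. A real near-memory design also has to cope with out-of-order and partially reordered write queues, which this model ignores.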
Complements
Contextual Issues: Mobile Banking
Figure: Source: https://dl.acm.org/doi/10.1145/3339252.3340103
Similarity Identification
Figure: Link: https://www.sciencedirect.com/science/article/abs/pii/S2666281721001281
Hardware Solutions: FPGA AV
Figure: Source: https://ieeexplore.ieee.org/document/9034972/
Hardware Solutions: SMC Detector
Figure: Source: https://link.springer.com/article/10.1007/s11416-020-00348-w
Hardware Solutions: Real-Time Processor
Figure: Source: To Appear Soon (ACM TOPS).
Attack Prediction: Distributed Malware
Figure: Source: https://link.springer.com/article/10.1007/s11416-019-00333-y
Research Methodology: The Use of Application Installers
Figure: Source: https://link.springer.com/chapter/10.1007/978-3-030-52683-2_10
Detection Robustness: Adversarial ML
Figure: Source: https://dl.acm.org/doi/10.1145/3375894.3375898
Transition to Practice: Corvus Sandbox
Figure: Source: https://corvus.inf.ufpr.br/
Final Remarks
Summary
1 Hypothesis: Malware Research lacks a methodology.
2 Contribution: We proposed a possible methodology.
3 Implications:
1 The Need For Context
Brazilian Financial Malware.
2 The Need For Better Evaluations
AV Evaluation Metrics.
3 The Viability of Hardware Support
Branch Predictor-Based Signature Matching.
4 The Need For Predicting the Future
Fileless Malware Detection.
Acknowledgement time
Thanks!
Questions? Comments?
Really?
Figure: Source: tinyurl.com/26rsww
Marcus Botacin
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Marcus Botacin
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
Marcus Botacin
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
Marcus Botacin
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
Marcus Botacin
 
UMLsec
UMLsecUMLsec
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
Marcus Botacin
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Marcus Botacin
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
Marcus Botacin
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering Course
Marcus Botacin
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in Practice
Marcus Botacin
 
Machine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMachine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy Rates
Marcus Botacin
 
The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!
Marcus Botacin
 

More from Marcus Botacin (20)

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
UMLsec
UMLsecUMLsec
UMLsec
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering Course
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in Practice
 
Machine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMachine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy Rates
 
The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!
 

Recently uploaded

Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
flufftailshop
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
GDSC PJATK
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
alexjohnson7307
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 

Recently uploaded (20)

Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 

On the Malware Detection Problem: Challenges & Novel Approaches

  • 5. The Problem: The Reasons (1/2). 1. Security is Hard!
  • 6. The Problem: Malware Computation Theory. Figure: Source: https://web.eecs.umich.edu/~aprakash/eecs588/handouts/cohen-viruses.html. Figure: Source: https://www.cs.virginia.edu/~evans/pubs/virus.pdf
    Code 1: Malware detection and the halting problem.
      Application:
        do_something() // returns?
        malicious()
  • 7. The Problem: Don’t Give up! Approximations* of Security.
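Code 1 from slide 6 and the “approximations” of slide 7 as a runnable toy, added here and not part of the original slides: programs are modelled as generators, the payload as a marker value, and `bounded_detector` / `av_verdict` are this example's own names for a step-budgeted dynamic detector.

```python
"""Added example (not from the original slides): why a perfect detector for
Code 1 would decide the halting problem, and what a practical, budget-bound
detector does instead.

Programs are modelled as generators: each `yield` is one step of work.
The malicious routine is modelled as yielding a marker string; nothing
harmful is executed.
"""
from typing import Callable, Iterator, Optional

MALICIOUS = "malicious()"          # marker event standing in for the payload
Program = Callable[[], Iterator[Optional[str]]]


def terminating(n_steps: int) -> Program:
    """A do_something() that returns after n_steps units of work."""
    def run() -> Iterator[Optional[str]]:
        for _ in range(n_steps):
            yield None
    return run


def non_terminating() -> Program:
    """A do_something() that never returns (infinite loop)."""
    def run() -> Iterator[Optional[str]]:
        while True:
            yield None
    return run


def wrap_with_payload(do_something: Program) -> Program:
    """Code 1 from the slide: run do_something(), then malicious().
    The wrapper reaches the payload exactly when do_something() returns,
    so "is this program malicious?" is the same question as
    "does do_something() halt?", which no algorithm decides in general."""
    def run() -> Iterator[Optional[str]]:
        yield from do_something()
        yield MALICIOUS
    return run


def bounded_detector(program: Program, budget: int) -> Optional[bool]:
    """Approximate dynamic detector: execute at most `budget` steps.
    True  -> payload observed (malicious)
    False -> program returned without the payload (benign)
    None  -> budget exhausted, undecided (the halting problem in practice)"""
    steps = program()
    for _ in range(budget):
        try:
            event = next(steps)
        except StopIteration:
            return False
        if event == MALICIOUS:
            return True
    return None


def av_verdict(program: Program, budget: int) -> bool:
    """What a shipping product must do with 'undecided': pick a default.
    Defaulting to benign (as here) makes every sample that acts only after
    the budget a false negative; defaulting to malicious makes every slow
    benign program a false positive. Either way it is an approximation."""
    verdict = bounded_detector(program, budget)
    return verdict is True


if __name__ == "__main__":
    budget = 100
    print(av_verdict(wrap_with_payload(terminating(5)), budget))      # True: caught
    print(av_verdict(wrap_with_payload(terminating(1_000)), budget))  # False: missed
    print(av_verdict(wrap_with_payload(non_terminating()), budget))   # False: undecidable
```

Whatever budget is chosen, a sample that returns from `do_something()` one step later than the budget is indistinguishable, within that budget, from one that never returns.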
  • 8. The Problem: Evaluation Criteria. Effectiveness: do AVs really detect the malware samples? Efficiency: how many resources do AVs require to operate?
  • 9. The Problem: Aren’t AVs effective? Figure (AV Opportunity Window; x-axis: Days, 0 to 28; y-axes: Detection Rate (%) and AV Coverage (%); series: World PE Detection, BR PE Detection, World AV Coverage, BR AV Coverage). Source: We Need to Talk About AVs (2020). Attack Opportunity Window: how long does it take for AVs to detect new samples?
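The opportunity-window measurement of slides 8 and 9 computed over a constructed detection feed, as an added example that is neither the slides' nor the cited paper's code; the definitions of detection rate, coverage and opportunity window, the engine names and the sample records are this example's own assumptions.

```python
"""Added example (not from the slides): the AV "opportunity window" of
slide 9 from first-seen / first-detection records. Definitions are this
example's own assumptions:
  detection rate(d):  % of samples flagged by at least one engine within
                      d days of first being seen;
  coverage(d):        mean over samples of the % of engines that flag the
                      sample within d days;
  opportunity window: first day on which detection rate reaches a threshold.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ENGINES = ["AV-A", "AV-B", "AV-C"]  # constructed engine names


@dataclass
class Sample:
    sample_id: str                              # constructed placeholder id
    first_seen_day: int                         # day the sample was first submitted
    first_detection: Dict[str, Optional[int]]   # engine -> day first flagged (None = never)

    def delay(self, engine: str) -> Optional[int]:
        """Days between first sighting and this engine's first detection."""
        day = self.first_detection.get(engine)
        return None if day is None else day - self.first_seen_day

    def min_delay(self) -> Optional[int]:
        """Days until the first engine flagged the sample (None = never)."""
        delays = [d for d in (self.delay(e) for e in self.first_detection) if d is not None]
        return min(delays) if delays else None


# Constructed feed: five samples, three engines, 28-day observation window.
SAMPLES: List[Sample] = [
    Sample("s1", 0, {"AV-A": 0, "AV-B": 1, "AV-C": 3}),
    Sample("s2", 2, {"AV-A": 4, "AV-B": None, "AV-C": 2}),
    Sample("s3", 5, {"AV-A": None, "AV-B": None, "AV-C": 12}),
    Sample("s4", 1, {"AV-A": 1, "AV-B": 1, "AV-C": 1}),
    Sample("s5", 3, {"AV-A": None, "AV-B": None, "AV-C": None}),
]


def detection_rate(samples: List[Sample], day: int) -> float:
    """% of samples flagged by at least one engine within `day` days."""
    hits = 0
    for s in samples:
        d = s.min_delay()
        if d is not None and d <= day:
            hits += 1
    return 100.0 * hits / len(samples)


def coverage(samples: List[Sample], engines: List[str], day: int) -> float:
    """Mean % of engines that flag each sample within `day` days."""
    per_sample = []
    for s in samples:
        flagged = sum(1 for e in engines if (d := s.delay(e)) is not None and d <= day)
        per_sample.append(100.0 * flagged / len(engines))
    return sum(per_sample) / len(per_sample)


def detection_curve(samples: List[Sample], horizon: int) -> List[float]:
    """Detection rate for each day 0..horizon, i.e. the plotted series."""
    return [detection_rate(samples, d) for d in range(horizon + 1)]


def opportunity_window(samples: List[Sample], threshold: float, horizon: int) -> Optional[int]:
    """First day on which the detection rate reaches `threshold`, or None
    if the window never closes within `horizon` days (samples s5-like)."""
    for d in range(horizon + 1):
        if detection_rate(samples, d) >= threshold:
            return d
    return None


if __name__ == "__main__":
    for d in (0, 1, 2, 7, 28):
        print(f"day {d:2d}: detection {detection_rate(SAMPLES, d):5.1f}%  "
              f"coverage {coverage(SAMPLES, ENGINES, d):5.1f}%")
    print("window to 80%:", opportunity_window(SAMPLES, 80.0, 28))  # 7
    print("window to 90%:", opportunity_window(SAMPLES, 90.0, 28))  # None
```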
  • 10. The Problem: Aren’t AVs effective? Figure: Source: https://tinyurl.com/yyphbxjc
  • 11. The Problem: Aren’t AVs efficient? Figure (AV scanning overhead; x-axis: Benchmark (perl, namd, Bzip, milc, mfc); y-axis: Execution Time (s); series: Scan, Baseline). Source: Near-Memory and In-Memory Detection of Fileless Malware (2020). Memory Scan Overhead: how much are SPEC benchmark applications affected?
  • 12. The Problem: Aren’t AVs efficient? Figure: Source: https://tinyurl.com/y39vquku
  • 13. The Problem: The Reasons (2/2). 2. Security lacks a Method!
  • 14. The Problem: The Science of Security.
    Herley and Oorschot (2017) about the JASON report: “The science seems under-developed in reporting experimental results, and consequently in the ability to use them. The research community does not seem to have developed a generally accepted way of reporting empirical studies so that people could reproduce the work”
    Shostack and Stewart (2008). The New School of Information Security: “We don’t want to minimize the difficulties involved in answering such questions. We can’t arrange a set of companies in test tubes, add heat, and see what comes out. In that respect, our data sources are more like those of astrophysicists or sociologists than those that a chemist or physicist might create by careful design. But this doesn’t mean we can’t learn from observation.”
  • 15. The Problem: The importance of methods in science. Auguste Comte and the Positivism: “On the subject of stars, all investigations which are not ultimately reducible to simple visual observations are...necessarily denied to us...we shall not at all be able to determine their chemical composition or even their density... I regard any notion concerning the true mean temperature of the various stars as forever denied to us.” Astronomy Nowadays, Scientific American. Figure: Source: tinyurl.com/nfwwkw4r
  • 16. Formalization (section outline slide; topics as on slide 2).
  • 17. Formalization: Research Questions.
    1. Why has current malware research work failed to provide greater security to actual systems?
       1. Which types of research work have been conducted so far?
       2. How have research works been conducted so far?
       3. What are the limits and implications of this current scenario?
    2. What could be done to improve future malware research work so that it succeeds in operating on actual scenarios?
       1. Which type of research could be developed to support real-world needs?
       2. Which methods could be applied to malware research developments to make them more successful in handling actual malware?
       3. Who are the stakeholders involved in designing research solutions that can evolve to operate in actual scenarios?
  • 18. Formalization: Research Plan.
    Roadmap: systematic review of the malware research literature; identify fields with development gaps; bridge a sub-problem in each field.
    Guideline: contributing in breadth in addition to contributing in depth.
    Figure: Thesis Organization (AV Background, Chapter 2; Literature Review, Chapter 3; Sample’s Context, Chapter 4; AV Evaluation Metrics, Chapter 5; Hardware AVs, Chapter 6; Future Threats, Chapter 7). Diagram labels: Strong Assumptions Need Strong Proofs; Considering Only Global Samples; Generalization; Heuristics and ML Models; Lower Detection; Detection Rate Focus; Multiple Detectors: Signatures, Heuristics, ML, Cloud; Performance Should be Evaluated; Unsolved Updated Problem; Need for New Detection Engines; Improvements can be Designed to Multiple Ad-hoc Solutions; AVs have been Reactive.
  • 19. Topics (agenda slide, outline as on slide 2; current section: AV Background / How Actual AVs Work).
  • 20. How Actual AVs Work. Why Study AVs? Knowing AVs: “I was more surprised that...there was very little information about AV software...Although it’s comprised of extremely nice people, the AV community tends to be very industry-driven and insular, and isn’t in the habit of giving its secrets.” Figure: John Aycock (2006). Computer Viruses and Malware.
  • 21. How Actual AVs Work. Publication. Figure: Source: https://www.sciencedirect.com/science/article/pii/S0167404821003242
  • 22. How Actual AVs Work. Which AVs to analyze? Table: Analyzed AVs (AV, version, MD5).
      AV            Version        MD5
      Avast         19.7.4674.0    172ee63bf3e0fa54abd656193d225013
      AVG           19.8.4793.0    0d19e6fc1a4d239e02117f174d00d024
      BitDefender   24.0.14.74     0e54eab75c8fd4059f3e97f771c737de
      F-Secure      21.05.103.0    2393777281f3a9b11832558f5f3c0bce
      Kaspersky     20.0.14.1085   7dc4fb6f026f9713dca49fc1941b22ce
      MalwareBytes  3.0.0.199      9c69b2a22080c53521c6e88bd99686a1
      Norton        22.17.1.50     2f1f762658dc7e41ecc66abd0270df97
      TrendMicro    12.0           f8b8a3701ec53c7e716cf5008fad9aa1
      Vipre         11.0.4.2       77a9dbd31ed5ebe490011ffa139afe03
      WinDefender   4.18.1902.5    Built-in W10
  • 23. How Actual AVs Work. What to analyze? Installation; Uninstallation; Updates; Modularity; Signatures Databases; Real-Time Checks; Machine Learning; Cloud Scans; Heuristics; Attack Surface; Self-Protection.
  • 24. Topics (agenda slide, outline as on slide 2; current section: AV Background / Implications).
  • 25. Implications. Academic Production. Figure: Papers leveraging signatures vs. behaviors in defensive solutions (y axis: Paper Prevalence (%), 0–100%; x axis: year, 2006–2018; series: Signatures, Behaviors). Source: Challenges and Pitfalls in Malware Research (2021). Malware Detection Methods: signatures vs. behavioral (e.g., machine learning) approaches.
  • 26. Implications. Implications (1/2): 1. What About Signatures?
  • 27. Implications. AVs and Common-Sense Signatures: “It may seem at first that such signatures are not frequently used in today’s antivirus products, but the reality is otherwise...Cryptographic hashes are often used by antivirus products.” Figure: Joxean Koret and Elias Bachaalany (2015). The Antivirus Hacker’s Handbook.
  • 28. Implications. Signature Extraction Algorithm. Figure: Binary Search-Like Signature Identification (diagram: a file made of Header, Section 1 and Section 2 is re-scanned with one region patched at a time; steps (1)–(7) record whether each variant is Detected or Undetected, and the undetected region is split again, 2.1/2.2, then 2.1.1/2.1.2 and 2.2.1/2.2.2, until the Signature region is isolated).
  • 29. Implications. Signatures in Practice. Figure: Signature Prevalence. AVs Detecting Specific Binary Sections (y axis: Samples (%), 0–45; x axis: AVs, as labelled on the chart: AVG, NOD32, Yandex, GData, DrWeb, Emsisoft, eScan, AdAwe, MAX, BitDef, Arcabit, ZAlarm, Kaspersky, AhnLab, Bkav, Ikarus, Microsoft, Zillya, ALYac, NANO, Cybereason, Avira, Rising). Around a third of the AVs’ detections are based on a specific section’s contents.
  • 30. Implications. Implications (2/2): 2. What About Machine Learning?
  • 31. Implications. ML and Academic Models. Table: DLL Hooking. Can we assume a unified model?
      Antivirus     Functions   Libraries
      Avast         17          2
      BitDefender   132         11
      Fsecure       17          4
      VIPRE         45          3
  • 32. Topics (agenda slide, outline as on slide 2; current section: The Academic Production / Challenges & Pitfalls).
  • 33. Challenges & Pitfalls. Reflecting about our own field. Analyzing the Scientific Production: “How many anthropologists write books, theses or articles that are read, commented on and criticized by the people they study?” Figure: Latour, Bruno; Woolgar, Steve (1986). Laboratory life: the construction of scientific facts.
  • 34. Challenges & Pitfalls. Publication. Figure: Link: https://www.sciencedirect.com/science/article/pii/S0167404821001115
  • 35. Challenges & Pitfalls. Malware Literature Venues. Table: Selected Papers. Distribution per year (2000 – 2018) and per venue.
      Venue                           '00 '01 '02 '03 '04 '05 '06 '07 '08 '09 '10 '11 '12 '13 '14 '15 '16 '17 '18  Total
      USENIX (Security, LEET & WOOT)    1   0   0   0   0   1   1   6   2   3   7   8  10  12   9   7   9  13   6     95
      CCS                               0   0   0   0   0   0   0   2   4   6   6   7  11   9  11  14   2  11   6     89
      ACSAC                             0   0   0   0   2   3   2   4   4   1   3   8  10   7  10   6   3   7   8     78
      IEEE S&P                          0   1   0   0   0   1   3   2   1   0   0  10  17  12   3   6   4   5   3     68
      DIMVA                             0   0   0   0   0   4   4   3   8   2   3   0   8   4   8   7   7   5   4     67
      NDSS                              0   0   0   0   1   0   2   0   3   3   3   3   2   4   5   4   9   7   3     49
      RAID                              0   0   1   0   0   1   3   0   0   0   0   0   3   5   5   3   4   3   3     31
      ESORICS                           0   0   0   0   0   1   0   0   2   1   0   0   2   3   3   0   1   1   0     14
      Total                             1   1   1   0   3  11  15  17  24  16  22  36  63  56  54  47  39  52  33    491
  • 36. Challenges & Pitfalls. Is Security Art? Figure: Matthew Bishop (1974). Computer Security: Art and Science. Figure: Our paper. Ruimin Sun et al. (2020). IEEE Transactions on Dependable and Secure Computing (TDSC).
  • 37. Challenges & Pitfalls. A Method for Malware Research. Figure: Malware Research Method, integrating Science and Engineering (flowchart: Hypothesis Definition & Research Requirements; Background Research; Research Objective Definition; Solution Requirements; Solution Design; Solution Development / Prototyping; Experiment Design; Test of Hypothesis / Evaluation of Solution; Analysis of Results; Results align with Hypothesis / Requirements? Yes: Communicate Results; No: iterate. Lanes: Engineering Method, Common Core, Scientific Method / Non-Engineering Research).
  • 38. Challenges & Pitfalls. Research Types. Figure: Published papers distribution per research type (y axis: Paper Prevalence (%), 0–60%; x axis: year, 2005–2018; series: Engineering, Offensive, Observational, Network). Malware Research Types: is it good to have more engineering solutions than all other types of research?
  • 39. Challenges & Pitfalls. Dataset Sizes. Figure: Dataset size evolution over time (y axis: Samples (#), log scale from 1 to 10M; x axis: Year, 2004–2018; series: Dataset Size, Median). Dataset Size Definition: how to define how many samples are representative? Shouldn’t we have some kind of guideline?
  • 40. Challenges & Pitfalls. Dataset Sources. Figure: Prevalence of malware repositories (y axis: Paper Prevalence (%), 0–10%; x axis: Repository: Github, Honeypot, Marvin, Drebin, Metasploit, CWsandbox, Phishtank, MalwareDB, SandDroid, MalHeur, Malfease, Real Users, VxHeaven, Virustotal, Devices, Offensive, Universities, Enterprises, McAfee, Sec. Company, Genome, Contagio, Symantec, Unclear, Anubis, Blacklists). Research Reproducibility: are these samples available? Are they described? Were repositories sinkholed?
  • 41. Challenges & Pitfalls. Summary:
      1. Imbalance in research work types.
      2. Solutions developed are not informed by previous studies’ data.
      3. Most works still don’t clearly state threat models.
      4. Failure in positioning work as prototypes or real-world solutions.
      5. Offline and online solutions developed and evaluated using the same criteria.
      6. No dataset definition criteria.
      7. Little attention to dataset representativity.
      8. Most studies are not reproducible.
      9. Sandbox execution criteria are not explained.
      10. Non-homogeneous AV labels are still a problem.
  • 42. Challenges & Pitfalls. A final verdict? About theories: “We start out confused, and end up confused at a higher level.” Figure: A. F. Chalmers (1976). What Is This Thing Called Science?
  • 43. Topics (agenda slide, outline as on slide 2; current section: Contextual Issues / Brazilian Malware).
  • 44. Brazilian Malware. Contextual Issues. Analyzing Security Practices: “Best practices typically don’t take into account differences between companies or, more generally, between industries. The security decisions at an oil firm are made in a very different context than in a clothing wholesaler, and yet we are told that best practices can apply to both.” Figure: Adam Shostack and Andrew Stewart (2008). The New School of Information Security.
  • 45. Brazilian Malware. Publication. Figure: Link: https://dl.acm.org/doi/10.1145/3429741
  • 46. Brazilian Malware. Brazilian Financial Malware. Figure: Passive banker malware for Santander bank waiting for the user’s credential input. Figure: Passive banker malware for Itaú bank waiting for the user’s credential input.
  • 47. Brazilian Malware. Brazilian Financial Malware Filetypes. Figure: Evolution of threats’ filetype (y axis: Samples (%), 0–100%; x axis: Year, 2012–2018; series: PE, CPL, .NET, DLL, JAR, JS, VBE). Brazilian malware filetypes: varied file formats are prevalent over the years.
  • 48. Brazilian Malware. Research Impact. Figure: Source: https://www.usenix.org/conference/enigma2021/presentation/botacin
  • 49. Topics (agenda slide, outline as on slide 2; current section: Evaluation Issues / AV Evaluation Metrics).
  • 50. AV Evaluation Metrics. Why Do We Need Metrics? Analyzing Security Practices: “If security can’t be measured, it continues to be impossible to say whether we have more of it today than we did yesterday.” Figure: Adam Shostack and Andrew Stewart (2008). The New School of Information Security.
  • 51. AV Evaluation Metrics. Publication. Figure: Source: https://www.sciencedirect.com/science/article/pii/S0167404820301310
  • 52. AV Evaluation Metrics. Detection Rates Over Time (1/2). Figure: AV detection evolution after 30 days (y axis: Detection Rate (%), 0–100%; x axis: Dataset: World (PE), Brazil (PE), World (Web), Brazil (Web); series: Initial, Final). Initial and Final Detection Rates: detection rates increase in a 30-day period.
  • 53. AV Evaluation Metrics. Detection Rates Over Time (2/2). Figure: Detection rates along time (y axis: Detection (%), 84–100%; x axis: Days, 0–30; series: World PEs, BR PEs). Detection Regression: some samples stop being detected after some time.
  • 54. AV Evaluation Metrics. Summary: Initial Detection Rate (IDR); Final Detection Rate (FDR); Attack Opportunity Window (AOW); Detection Regression (DRE); Label Regression (LRE); Label Meaningfulness (LME).
  • 55. AV Evaluation Metrics. Multi-Dimensional AV Evaluation. Figure: AVs’ operational aspects, considering the six proposed metrics (radar charts over the axes AOW, DRE, FDR, IDR, LME, LRE, with rings at 10, 30, 60, 90): (a) AV1, recommended for incident response teams; (b) AV2, recommended for corporate users; (c) AV3, recommended for domestic users.
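The six metrics summarized on the previous slides, computed over a constructed set of per-sample detection timelines. This is an added example, not the authors' evaluation code: the metric names are the slides', but the exact definitions (for instance, never-detected samples counting as the full 30-day window in AOW, and the token list used to judge whether a label is meaningful) and the scan data are assumptions made here.

```python
"""AV evaluation metrics (IDR, FDR, AOW, DRE, LRE, LME) over detection timelines.

Added example; the metric definitions below, the NON_INFORMATIVE token list and
the SCANS data are assumptions, not the authors' definitions or data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

WINDOW_DAYS = 30  # re-scan window used on the slides (detection after 30 days)

# Label tokens that name no family (assumed list): a label made only of these
# tells an analyst nothing beyond "something bad".
NON_INFORMATIVE = {"generic", "malware", "trojan", "suspicious", "heur",
                   "unsafe", "malicious", "win32", "w32", "win64", "msil"}


@dataclass(frozen=True)
class Scan:
    day: int          # days since first submission
    detected: bool
    label: str = ""   # AV label; empty when not detected


# Constructed timelines (not real data): sample id -> scans sorted by day.
SCANS: Dict[str, List[Scan]] = {
    "s1": [Scan(0, True, "Trojan.Banker.Delf"), Scan(10, True, "Trojan.Banker.Delf"),
           Scan(20, True, "Trojan.Banker.Delf"), Scan(30, True, "Trojan.Banker.Delf")],
    "s2": [Scan(0, False), Scan(10, False),
           Scan(20, True, "Generic.Malware"), Scan(30, True, "Generic.Malware")],
    "s3": [Scan(0, True, "Trojan.Banker.Delf"), Scan(10, True, "Trojan.Banker.Delf"),
           Scan(20, False), Scan(30, False)],            # detection regresses
    "s4": [Scan(0, True, "Win32.Ransom.Locky"), Scan(10, True, "Generic.Trojan"),
           Scan(20, True, "Generic.Trojan"), Scan(30, True, "Generic.Trojan")],  # label regresses
    "s5": [Scan(0, False), Scan(10, False), Scan(20, False), Scan(30, False)],
}


def _pct(numerator: int, denominator: int) -> float:
    return 100.0 * numerator / denominator if denominator else 0.0


def initial_detection_rate(scans: Dict[str, List[Scan]]) -> float:
    """IDR: share of samples already detected at the first scan (day 0)."""
    return _pct(sum(t[0].detected for t in scans.values()), len(scans))


def final_detection_rate(scans: Dict[str, List[Scan]]) -> float:
    """FDR: share of samples detected at the last scan of the window."""
    return _pct(sum(t[-1].detected for t in scans.values()), len(scans))


def attack_opportunity_window(scans: Dict[str, List[Scan]], window: int = WINDOW_DAYS) -> float:
    """AOW: mean number of days a sample stays undetected before its first
    detection; samples never detected count as the whole window (assumption)."""
    total = 0
    for timeline in scans.values():
        total += next((s.day for s in timeline if s.detected), window)
    return total / len(scans)


def detection_regression(scans: Dict[str, List[Scan]]) -> float:
    """DRE: share of samples detected at some scan and undetected at a later one."""
    regressed = 0
    for timeline in scans.values():
        seen = False
        for s in timeline:
            if s.detected:
                seen = True
            elif seen:
                regressed += 1
                break
    return _pct(regressed, len(scans))


def label_regression(scans: Dict[str, List[Scan]]) -> float:
    """LRE: share of samples whose label changes after the first label assigned."""
    changed = 0
    for timeline in scans.values():
        labels = [s.label for s in timeline if s.detected]
        if labels and any(l != labels[0] for l in labels[1:]):
            changed += 1
    return _pct(changed, len(scans))


def is_meaningful(label: str) -> bool:
    """A label is meaningful when at least one token is not a generic verdict or
    platform marker (assumed heuristic)."""
    tokens = [t for t in re.split(r"[.:/\-!_\s]+", label.lower()) if t]
    return any(t not in NON_INFORMATIVE for t in tokens)


def label_meaningfulness(scans: Dict[str, List[Scan]]) -> float:
    """LME: share of all assigned labels (one per detection) that are meaningful."""
    labels = [s.label for t in scans.values() for s in t if s.detected]
    return _pct(sum(is_meaningful(l) for l in labels), len(labels))


def evaluate(scans: Dict[str, List[Scan]] = SCANS) -> Dict[str, float]:
    return {
        "IDR": initial_detection_rate(scans), "FDR": final_detection_rate(scans),
        "AOW": attack_opportunity_window(scans), "DRE": detection_regression(scans),
        "LRE": label_regression(scans), "LME": label_meaningfulness(scans),
    }


if __name__ == "__main__":
    for name, value in evaluate().items():
        unit = "days" if name == "AOW" else "%"
        print(f"{name}: {value:.1f} {unit}")
```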
  • 56. AV Evaluation Metrics. Evaluation Metrics Adoption. Figure: Dissertation Source: https://www.royalholloway.ac.uk/media/16565/techreport-giusepperaffa.pdf.
  • 57. Topics (agenda slide, outline as on slide 2; current section: Hardware-Assisted Solutions / Malware Execution “Prediction”).
  • 58. Malware Execution “Prediction”. Improving AVs’ Performance. Strategies: reduce the amount scanned; reduce the number of scans; lower resource requirements; change the algorithm. Figure: John Aycock (2006). Computer Viruses and Malware.
  • 59. Malware Execution “Prediction”. Publication. Figure: Source: Under Review.
  • 60. Malware Execution “Prediction”. Branch Prediction Background. Figure: 2-level branch predictor.
  • 61. Malware Execution “Prediction”. Branch Patterns and Code Patterns. Figure: Associating high-level code constructs with their occurrence in the execution flow: (a) Code; (b) Flow; (c) Signature.
  • 62. Malware Execution “Prediction”. Branch Patterns as Signatures (1/3). Figure: Percentage of signature collision per branch-pattern length (y axis: Percentage of signature collision in the k-bit space, 0–100; x axis: Branch pattern length (in k bits), 8–40). Patterns Viability: how long should a branch pattern be to be used as a signature?
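How pattern length drives collisions, as an added example rather than HEAVEN's implementation: it models the branch predictor's global history as a k-bit shift register of taken/not-taken outcomes and measures what share of one sample's k-bit patterns also occurs in other samples' traces. The traces are constructed pseudo-random bit strings that share a 64-bit prologue (an assumption standing in for common runtime code); real input would be history-register contents captured from hardware.

```python
"""Branch-pattern signature viability: how long must a k-bit branch-outcome
pattern be before it stops colliding with patterns exercised by other programs?

Added example (not HEAVEN's code). Traces are constructed: a shared PROLOGUE
(assumed stand-in for runtime code every program runs) followed by per-program
pseudo-random branch outcomes.
"""
import random
from typing import List, Optional, Sequence, Set

PROLOGUE_BITS = 64    # constructed prefix shared by every trace
BODY_BITS = 2000      # constructed program-specific branch outcomes per trace


def branch_patterns(trace: Sequence[int], k: int) -> Set[int]:
    """Every k-bit pattern in `trace`, seen the way a global history register
    sees it: shift each new outcome in and keep only the low k bits."""
    patterns: Set[int] = set()
    mask = (1 << k) - 1
    ghr = 0
    for i, bit in enumerate(trace):
        ghr = ((ghr << 1) | (bit & 1)) & mask
        if i >= k - 1:            # the register holds k real outcomes from here on
            patterns.add(ghr)
    return patterns


def _pool(others: List[Sequence[int]], k: int) -> Set[int]:
    """Union of the k-bit patterns exercised by all other traces."""
    pool: Set[int] = set()
    for other in others:
        pool |= branch_patterns(other, k)
    return pool


def collision_rate(target: Sequence[int], others: List[Sequence[int]], k: int) -> float:
    """Percentage of the target's k-bit patterns that also appear in some other
    trace; a colliding pattern cannot serve as a signature for the target."""
    candidates = branch_patterns(target, k)
    if not candidates:
        return 0.0
    return 100.0 * len(candidates & _pool(others, k)) / len(candidates)


def unique_signatures(target: Sequence[int], others: List[Sequence[int]], k: int) -> Set[int]:
    """k-bit patterns exercised only by the target: the usable signature candidates."""
    return branch_patterns(target, k) - _pool(others, k)


def minimum_pattern_length(target: Sequence[int], others: List[Sequence[int]],
                           max_collision_pct: float = 5.0,
                           lengths: Sequence[int] = range(8, 41, 4)) -> Optional[int]:
    """Smallest tested k whose collision rate stays within the budget, or None."""
    for k in lengths:
        if collision_rate(target, others, k) <= max_collision_pct:
            return k
    return None


def constructed_traces(n_others: int = 5, seed: int = 7):
    """Deterministic constructed traces: one target and n_others programs, all
    starting with the same prologue so that short patterns always collide."""
    rng = random.Random(seed)
    prologue = [rng.getrandbits(1) for _ in range(PROLOGUE_BITS)]

    def trace() -> List[int]:
        return prologue + [rng.getrandbits(1) for _ in range(BODY_BITS)]

    target = trace()
    others = [trace() for _ in range(n_others)]
    return target, others


if __name__ == "__main__":
    target, others = constructed_traces()
    for k in range(8, 41, 8):
        print(f"k={k:2d} bits: {collision_rate(target, others, k):5.1f}% of patterns collide")
    print("smallest viable k (<=5% collisions):", minimum_pattern_length(target, others))
```

With the constructed traces, 8-bit patterns collide completely (every 8-bit value occurs somewhere in the other traces), while at 32 bits only the patterns inside the shared prologue still collide, which is why a signature must avoid code regions common to all programs as well as being long enough.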
  • 63. Malware Execution “Prediction”. Branch Patterns as Signatures (2/3). Table: Signature distribution along code region in the malware samples evaluated. Percentage of good signatures per code region and percentage of malware samples allowing generation of at least one signature for the given code region. A code region [0%-10%] corresponds to the first 10% of the malware trace.
      Code region   Signatures   Samples
      0%-10%        6%           100%
      10%-50%       10%          54%
      50%-70%       19%          98%
      70%-80%       28%          78%
      80%-90%       24%          90%
      90%-100%      13%          100%
  • 64. Malware Execution “Prediction”. Branch Patterns as Signatures (3/3). Table: Malware behaviors associated with HEAVEN-produced signatures and the code region in which they are matched (percentage of the sample’s execution).
      Behavior        Signature prevalence   Code region   Samples
      Image Load      18%                    0%-10%        100%
      Image Launch    45%                    0%-10%        100%
      File Deletion   81%                    80%-90%       100%
      Connection      100%                   0%-10%        100%
      Exfiltration    67%                    80%-90%       100%
  • 65. Malware Execution “Prediction”. Hardware-Enhanced AntiVirus Engine (HEAVEN). 2-level Architecture: do not fully replace AVs, but add efficient matching capabilities to them.
  • 66. Malware Execution “Prediction”. Performance Characterization. Figure: AV Monitoring Overhead (y axis: CPU (%), 0–100%; x axis: Time (s), 5–40; series: HEAVEN+AV, AV, No-AV). 2-Phase HEAVEN CPU Performance: the inspection phase causes occasional, quick bursts of CPU usage; the AV operating alone incurs a continuous 10% performance overhead.
  • 67. Malware Execution “Prediction”. Hardware Solutions Adoption. Intel Patent. Source: https://patentimages.storage.googleapis.com/fb/23/ff/9d11b27884f050/US10540498.pdf.
  • 68. Topics (agenda slide, outline as on slide 2; current section: Predicting the Future / Fileless Malware Detection).
  • 69. Fileless Malware Detection. Memory Scans. About Current AVs: “Some antivirus...claim to support memory analysis, but that is not accurate. Such products do not really perform memory analysis but, rather, query the list of processes being executed and analyze the modules loaded in each one using the files as they are on disk.” Figure: Joxean Koret and Elias Bachaalany (2015). The Antivirus Hacker’s Handbook.
  • 70. Fileless Malware Detection. Publication. Figure: Link: https://dl.acm.org/doi/10.1145/3422575.3422775
  • 71. Fileless Malware Detection. Memory Controller Background. Figure: Memory Controller Queues.
  • 72. Fileless Malware Detection. Malware Identification based on Near- and In-Memory Evaluation (MINIME). Figure: MINIME Architecture.
  • 73. Fileless Malware Detection. Performance Gains. MINIME vs. On-Access AVs: significant performance gains even in the worst case. Figure: Monitoring Overhead (y axis: Execution Time Overhead (%), 0–13%; x axis: benchmark: perl, namd, bzip, mcf, milc; series: On-Access, MINI-ME).
  • 74. Topics (agenda slide, outline as on slide 2; current section: Conclusions / Complements).
  • 75. Complements. Contextual Issues: Mobile Banking. Figure: Source: https://dl.acm.org/doi/10.1145/3339252.3340103
  • 76. Complements. Similarity Identification. Figure: Link: https://www.sciencedirect.com/science/article/abs/pii/S2666281721001281
  • 77. Complements. Hardware Solutions: FPGA AV. Figure: Source: https://ieeexplore.ieee.org/document/9034972/
  • 78. Complements. Hardware Solutions: SMC Detector. Figure: Source: https://link.springer.com/article/10.1007/s11416-020-00348-w
  • 79. Complements. Hardware Solutions: Real-Time Processor. Figure: Source: To Appear Soon (ACM TOPS).
  • 80. Complements. Attack Prediction: Distributed Malware. Figure: Source: https://link.springer.com/article/10.1007/s11416-019-00333-y
  • 81. Complements. Research Methodology: The Use of Application Installers. Figure: Source: https://link.springer.com/chapter/10.1007/978-3-030-52683-2_10
  • 82. Complements. Detection Robustness: Adversarial ML. Figure: Source: https://dl.acm.org/doi/10.1145/3375894.3375898
  • 83. Complements. Transition to Practice: Corvus Sandbox. Figure: Source: https://corvus.inf.ufpr.br/
  • 84. Topics (agenda slide, outline as on slide 2; current section: Conclusions / Final Remarks).
  • 85. Final Remarks. Summary:
      1. Hypothesis: malware research lacks a methodology.
      2. Contribution: we proposed a possible methodology.
      3. Implications: (1) the need for context: Brazilian financial malware; (2) the need for better evaluations: AV evaluation metrics; (3) the viability of hardware support: branch predictor-based signature matching; (4) the need for predicting the future: fileless malware detection.
  • 86. Final Remarks. Acknowledgement time.
  • 87. Final Remarks. Thanks! Questions? Comments?
  • 88. Final Remarks. Really? Figure: Source: tinyurl.com/26rsww
  • 89. Final Remarks. Thanks! Questions? Comments?