Physical Sciences and Mathematics Commons^™

Chatter: Classifying Malware Families Using System Event Ordering, Aziz Mohaisen, Andrew G. West, Allison Mankin, Omar Alrawi

Andrew G. West

Using runtime execution artifacts to identify malware and its associated "family" is an established technique in the security domain. Many papers in the literature rely on explicit features derived from network, file system, or registry interaction. While effective, use of these fine-granularity data points makes these techniques computationally expensive. Moreover, the signatures and heuristics this analysis produces are often circumvented by subsequent malware authors.

To this end we propose CHATTER, a system that is concerned only with the order in which high-level system events take place. Individual events are mapped onto an alphabet and execution traces are captured via terse …

Metadata-Driven Threat Classification Of Network Endpoints Appearing In Malware, Andrew G. West, Aziz Mohaisen

Andrew G. West

Networked machines serving as binary distribution points, C&C channels, or drop sites are a ubiquitous aspect of malware infrastructure. By sandboxing malcode one can extract the network endpoints (i.e., domains and URL paths) contacted during execution. Some endpoints are benign, e.g., connectivity tests. Exclusively malicious destinations, however, can serve as signatures enabling network alarms. Often these behavioral distinctions are drawn by expert analysts, resulting in considerable cost and labeling latency.

Leveraging 28,000 expert-labeled endpoints derived from ~100k malware binaries this paper characterizes those domains/URLs towards prioritizing manual efforts and automatic signature generation. Our analysis focuses on endpoints' static metadata properties …

Effective Detection Of Vulnerable And Malicious Browser Extensions, Hossain Shahriar, Komminist Weldemariam, Mohammad Zulkernine, Thibaud Lutellier

Faculty and Research Publications

Unsafely coded browser extensions can compromise the security of a browser, making them attractive targets for attackers as a primary vehicle for conducting cyber-attacks. Among others, the three factors making vulnerable extensions a high-risk security threat for browsers include: i) the wide popularity of browser extensions, ii) the similarity of browser extensions with web applications, and iii) the high privilege of browser extension scripts. Furthermore, mechanisms that specifically target to mitigate browser extension-related attacks have received less attention as opposed to solutions that have been deployed for common web security problems (such as SQL injection, XSS, logic flaws, client-side vulnerabilities, …

Automated Reverse Engineering Of Malware To Develop Network Signatures To Match With Known Network Signatures, Dan Sinema

All Graduate Theses and Dissertations, Spring 1920 to Summer 2023

Illicit software that seeks to steal user information, deny service, or cause general mayhem on computer networks is often discovered after the damage has been done. The ability to discover network behavior of software before a computer network is utilized would allow administrators to protect and preserve valuable resources. Static reverse engineering is the process of discovering in a offline environment how a software application is built and how it will behave. By automating static reverse engineering, software behavior can be discovered before it is executed on client devices. Fingerprints are then built from the discovered behavior which is matched …