Protecting from Malware Obfuscation Attacks through Adversarial Risk Analysis Machine Learning

Standard algorithms in detection systems perform insufficiently when dealing with malware passed through obfuscation tools. We illustrate this by studying in detail an open source metamorphic software, making use of a hybrid framework to obtain the relevant features from binaries. We then provide an improved alternative solution based on adversarial risk analysis, which we illustrate with an example.

KEYWORDS: Adversarial Risk Analysis, Malware Obfuscation, Cybersecurity

1 INTRODUCTION

The digital era is bringing along new global threats, among which cybersecurity-related ones emerge as truly worrisome; see for example the evolution of the Global Risks Map from the World Economic Forum (2017, 2018, 2019). Indeed, the operation of critical cyber infrastructures relies on components which could be cyber attacked, both incidentally and intentionally, suffering major performance degradation, Rao et al. (2016).

Latest WikiLeaks dump exposes CIA methods to mask malware

WikiLeaks may have dealt another blow to the CIA's hacking operations by releasing files that allegedly show how the agency was masking its malware attacks. On Friday, the site dumped the source code to the Marble Framework, a set of anti-forensic tools that WikiLeaks claims the CIA used last year. The files do appear to show "obfuscation techniques" that can hide CIA-developed malicious code from detection, said Jake Williams, a security researcher at Rendition InfoSec, who has been examining the files. Every hacker, from the government-sponsored ones to amateurs, will use their own obfuscation techniques when developing malware, he said. But thanks to WikiLeaks, some of the CIA's methods are now out in the public.

Task-Aware Meta Learning-based Siamese Neural Network for Classifying Obfuscated Malware

Malware authors apply different obfuscation techniques to the generic feature of malware (i.e., its unique malware signature) to create new variants that avoid detection. Existing Siamese Neural Network (SNN) based malware detection methods fail to correctly classify different malware families when similar generic features are shared across multiple malware variants, resulting in high false-positive rates. To address this issue, we propose a novel Task-Aware Meta Learning-based Siamese Neural Network that is resilient against obfuscated malware while able to detect malware trained with one or a few training samples. Using entropy features of each malware signature alongside image features as task inputs, our task-aware meta learner generates the parameters for the feature layers to more accurately adjust the feature embedding for different malware families. In addition, our model utilizes meta-learning with the extracted features of a pre-trained network (e.g., VGG-16) to avoid the bias typically associated with a model trained on a limited number of training samples. Our proposed approach is highly effective in recognizing unique malware signatures, thus correctly classifying malware samples that belong to the same malware family even when obfuscation techniques have been applied to the malware. Our experimental results, validated with N-way N-shot learning, show that our model is highly effective, with classification accuracy exceeding 91% compared to other similar methods.

A new Adwind variant involved in attacks on US petroleum industry

A new variant of the popular Adwind RAT (aka jRAT, AlienSpy, and JSocket) is targeting entities in the US petroleum industry. The new variant implements advanced features such as multi-layer obfuscation. The malware is distributed via a malspam campaign; the spam messages come with malicious attachments or include a URL to malicious content. "A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection."

DOOM: A Novel Adversarial-DRL-Based Op-Code Level Metamorphic Malware Obfuscator for the Enhancement of IDS

We designed and developed DOOM (Adversarial-DRL based Opcode level Obfuscator to generate Metamorphic malware), a novel system that uses adversarial deep reinforcement learning to obfuscate malware at the op-code level for the enhancement of IDS. The ultimate goal of DOOM is not to put a potent weapon in the hands of cyber-attackers, but to create defensive mechanisms against advanced zero-day attacks. Experimental results indicate that the obfuscated malware created by DOOM could effectively mimic multiple simultaneous zero-day attacks. To the best of our knowledge, DOOM is the first system that can generate obfuscated malware detailed down to the individual op-code level. DOOM is also the first system to use efficient continuous action control based deep reinforcement learning in the area of malware generation and defense. Experimental results indicate that over 67% of the metamorphic malware generated by DOOM could easily evade detection by even the most potent IDS. This result gains significance because it shows that even an IDS augmented with an advanced routing sub-system can be easily evaded by the malware generated by DOOM.