MARS: an architecture for malware analysis using SDN
Abstract
Investigating the characteristics of malicious code is an essential process for improving security systems. However, modern malware requires specific conditions in the environment in which it runs before it reveals its malicious behaviour. This thesis proposes a flexible architecture for analysing malicious code by controlling the analysis environment in a unified way, including the sandbox and the elements surrounding it. In this way it is possible to manage containment rules, configure resources dynamically, and manipulate the network traffic generated by the malware. Experimental results showed that the architecture can reveal malware behaviours that are not exhibited in traditional analysis solutions.