Similar literature
1.
Recently, a variety of electronic financial services have become available through advances in electronic devices and communication technology. As these services and their channels diversify, the number of users of non-face-to-face electronic financial transaction services keeps growing. At the same time, within the financial security environment, threats of insider information leakage and security threats against financial transaction users are steadily increasing. Accordingly, this paper, building on framework standards for financial transaction detection and response, applies digital forensics techniques that have traditionally been used to analyze system intrusion incidents to the detection of anomalous transactions that may occur in the user terminal environment during electronic financial transactions. In particular, user terminals are analyzed with automated malware forensics techniques that serve as a supporting tool for malicious code detection and analysis, and anomalous prior behaviors and transaction patterns of users are detected with a statistically based moving average. In addition, a risk point calculation model is proposed that scores anomalous transaction cases in the detection step item by item. This model logs the calculated risk point results and maintains incident accountability, which can be used as basic data for establishing security incident response and security policies.

2.
Literature on malware proliferation focuses on modeling and analyzing its spread dynamics. Epidemiology models, inspired by the characteristics of biological disease spread in human populations, have been used against this threat to analyze the way malware spreads in a network. This work presents a modified version of the commonly used epidemiology models Susceptible Infected Recovered (SIR) and Susceptible Infected Susceptible (SIS), which incorporates the ability to capture the relationships between nodes within a network, along with their effect on the malware dissemination process. Drawing upon a model that illustrates the network's behavior based on the attacker's and the defender's choices, we use game theory to compute optimal strategies for the defender that minimize the effect of malware spread while at the same time minimizing the security cost. We consider three defense mechanisms: patch, removal, and patch and removal, which correspond to the defender's strategies and are applied probabilistically at a certain rate. The attacker chooses the type of attack according to its effectiveness and cost. Through the interaction between the two opponents we infer the optimal strategy for both players, known as the Nash Equilibrium, evaluating the related payoffs. Hence, our model provides a cost-benefit risk management framework for managing malware spread in computer networks.

3.
A malware phylogeny model is an estimate of the derivation relationships among a set of malware samples. Systems that construct phylogeny models are expected to be useful for malware analysts. While several such systems have been proposed, little is known about the consistency of their results on different data sets or about their generalizability across different types of malware evolution. This paper explores these issues using two artificial malware history generators: systems that simulate malware evolution according to different evolution models. A quantitative study was conducted using two phylogeny model construction systems and multiple samples of artificial evolution. High variability was found in the quality of their results on different data sets, and the systems were shown to be sensitive to the characteristics of evolution in the data sets. The results call into question the adequacy of evaluations typical in the field, raise pragmatic concerns about tool choice for malware analysts, and underscore the important role that model-based simulation is expected to play in evaluating and selecting suitable malware phylogeny construction systems.

4.
In order to efficiently and accurately identify the potential risk points in the large and structurally complex power communication network, this work analyzes their impact on power communication from the perspectives of network structure and carried services and, in combination with the assessment criteria of the power accident and event investigation regulations, objectively and scientifically evaluates the power security events they cause in power communication, providing decision support for power communication risk management and control. Taking into account the specific content and characteristics of power communication risk management, this paper analyzes the causes of accidents in the power communication network, infers the accident evolution process, proposes solution ideas and schemes, and verifies through practical test cases that the power accident assessment model has high computational efficiency and accuracy, providing a scientific basis for accurately locating the causes of accidents and judging the risk level. The model combines the reliability factors of complex network theory, such as invulnerability, survivability and effectiveness, to compute the risk factor values of the related properties; uses path coefficient analysis to verify the completeness of the risk factors; and, based on labeled risk-level sample data, builds a deep convolutional neural network (CNN) model to assess the risk level of accidents in real time.

5.
Academics and industry practitioners working on malware use static and dynamic analysis in order to understand its functionality and the level of menace it poses. Industries providing anti-malware solutions calculate malware threat levels using approaches that involve human intervention and demand skilled analysts along with a large number of resources. With the increasing volume, velocity, and complexity of malware, assigning such a large number of resources is not possible. Thus, there is a need to develop techniques that can automatically compute the threat or damage posed by a piece of malware (to a victim machine) as soon as it appears in the wild. Assessing the damage capability level of a zero-day malware can help in providing early warnings about a specific piece of malware, so that immediate attention can be paid to it in terms of allocating resources for a closer analysis. This paper presents an automated technique based on fuzzy modeling for computing the damage potential of malicious programs, calculated on the basis of features obtained from automated analysis of malware binaries in a sandboxed environment.

6.
More and more malware appears on the network. Malware authors implant malicious code into users' computers over the network for illegal purposes such as obtaining user names and passwords. To prevent harm to users' computers, software analysts must analyze how the malware works. However, if the malware is packed, analyzing it becomes very difficult, so it must be unpacked. The first step of unpacking is to detect whether the malware is packed at all. By analyzing and comparing the PE headers of unpacked and packed software, this paper proposes the weighted Euler distance PE file packer detection (PDWED) algorithm, which constructs a vector of 10 elements, assigns a weight to each element of the vector, and computes the weighted Euler distance of the vector. Experimental results show that PDWED can detect relatively quickly and accurately whether software is packed.

7.
Some malware samples execute operations that determine whether they are running in an analysis environment created by monitoring software, such as debuggers, sandboxing systems, or virtual machine monitors, and if such an operation finds that the malware is running in an analysis environment, it terminates execution to prevent analysis. The existence of malware that executes such operations (anti-analysis operations) is widely known. However, the knowledge acquired thus far regarding what proportion of current malware executes anti-analysis operations, what types of anti-analysis operations it executes, and how effectively such operations prevent analysis, is insufficient. In this study, we analyze the FFRI Dataset, a dataset of dynamic malware analysis results, and clarify the trends in the anti-analysis operations executed by malware samples collected in 2016. Our findings revealed that, among 8243 malware samples, 856 (10.4%) executed at least one of the 28 anti-analysis operations investigated in this study. We also found that, among the virtual machine monitors, VMware was the one most commonly searched for by the malware samples.

8.
To address the shortcomings of current work on modeling malware in wireless sensor networks, a malware propagation model with node heterogeneity is proposed on the basis of two-dimensional cellular automata. The model introduces the MAC wireless channel contention mechanism and the neighborhood communication range factor, and describes the influence of node heterogeneity on the spread of malware in wireless sensor networks. Analysis and simulation experiments show that node heterogeneity and the wireless channel contention mechanism both have an important effect on propagation behavior in large-scale wireless sensor networks and reduce the propagation speed of malware. Compared with traditional propagation models, this model describes malware propagation in the wireless sensor network environment more accurately, providing a foundation for research on wireless sensor network security defense.

9.
Most of today's malware is able to detect traditional debuggers and change its behavior whenever somebody tries to analyze it. The analysis of such malware then becomes a much more complex task. In this paper, we present the functionalities provided by the Kolumbo kernel module, which can help simplify the analysis of malware. Four functionalities are provided for the analyst: system call monitoring, virtual memory content dumping, pseudo-breakpoint insertion, and eluding anti-debugging protections based on ptrace. The module has been designed to minimize its impact on the system and to be as undetectable as possible. However, it has not been conceived to analyze programs with kernel access.

10.
Most existing Android app stores check for known, static malicious apps and have difficulty detecting novel or dynamically loaded malicious apps and behaviors. To address this, a malicious app detection system based on graph structure and memory footprint analysis is proposed. First, the app's memory information is collected, and its footprint and sequence numbers are analyzed to detect dynamically packed malicious code and novel malicious apps. Then, the co-occurring permissions requested by the app are extracted and modeled as a graph structure; graph metrics are used to analyze the classification patterns of the graph and its central permissions, and the optimal graph metrics representing each class are selected according to the central permission values. Finally, the app's privacy score and risk threshold are computed, and various kinds of malware or malicious behavior are detected on the basis of that threshold. Simulation results show that the algorithm performs well on different types of malicious apps and also achieves a good detection rate on unknown malicious apps.


Copyright © Beijing Qinyun Technology Development Co., Ltd. (北京勤云科技发展有限公司)  京ICP备09084417号