Malware | EPFL Graph Search

Malware (a portmanteau for malicious software) is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types (i.e. computer viruses, worms, Trojan horses, ransomware, spyware, adware, rogue software, wiper and keyloggers). Malware poses serious problems to individuals and businesses on the Internet. According to Symantec's 2018 Internet Security Threat Report (ISTR), malware variants number has increased to 669,947,865 in 2017, which is twice as many malware variants as in 2016. Cybercrime, which includes malware attacks as well as other crimes committed by computer, was predicted to cost the world economy $6 trillion USD in 2021, and is increasing at a ra

Traffic Anomaly Detection and Diagnosis on the Network Flow Level

Marc Philippe Stöcklin

Monitoring traffic events in computer network has become a critical task for operators to maintain an accurate view of a network's condition, to detect emerging security threats, and to safeguard the availability of resources. Conditions detrimental to a network's performance need to be detected timely and accurately. Such conditions are observed as anomalies in the network traffic and may be caused by malicious attacks, abuse of resources, or failures of mission-critical servers and devices. Behavior-based anomaly detection techniques examine the traffic for patterns that significantly deviate from the network normal activities. Such techniques provide a complementary layer of defense to identify undesired conditions which traditional, signature-based methods fail to detect. These conditions may, for example, emerge from zero-day exploits, outbreaks of new worms, unanticipated user behavior, or deficiencies in the network infrastructure. This thesis is concerned with the challenge of detecting traffic anomalies with behavior-based methods from flow-level network traffic measurements while providing interpretable alert information. We address the problem from two opposite perspectives by analyzing network behavior and individual host behavior. Learning the normal behavior of network activities and detecting relevant deviations thereof is a complex task since behavior changes may also occur under legitimate conditions and should not be reported as anomalies. Due to the absence of explicit detection rules, behavior-based methods moreover provide less precise information as to the causes of aberrant events. Network operators, however, critically depend on meaningful detection results to timely react to alerts by defining effective countermeasures or ruling out potential false alarms. The first part of this work introduces a novel detection scheme which mines for anomalies in the network behavior observed from traffic feature distributions. We study how various types of anomalies may be detected while providing sufficient information to administrators for their characterization. Based on the observation that networks have multiple behavior modes, we propose a method to estimate and model the modes during an unsupervised learning phase. Observed network behavior is compared to the baseline models by means of a two-layered distance computation: Fine-grained anomaly indices indicate suspicious behavior of individual components of traffic features whereas collective anomaly scores for each feature enable effective detection of anomalies that affect multiple components. We show that the two detection layers reliably expose different types of anomalies. Compared with existing detection methods, the resulting alerts provide important additional information that enables administrators to draw early conclusions as to the anomaly causes. In the second part, we address the challenge of processing high-cardinality traffic information in behavior-based anomaly detection. We introduce an adaptive, locality preserving pre-processing method of measurement data into histogram representations with a manageable number of variable-sized bins. Our technique iteratively adapts, with limited, tunable memory requirements, to the empirical distribution of observations in a data stream in order to evenly balance the observations over the histogram bins. As an important result, we show that our method approximates input distributions well and improves the level of detail in histograms compared to traditional methods. Applied to behavior-based anomaly detection, higher detection sensitivity is achieved while, thanks to preserving the locality of observations, the meaning of bins and the interpretability of detection results is retained. In the third part, we focus on the problem that many low-volume anomalies, emerging from individual hosts, are likely to evade from detection because they are not reflected as significant deviations in the variability of aggregate behavior patterns of hosts on the network level. To address this problem, we examine the behavior of individual hosts from their network connection-level activities using an unobtrusive, passive monitoring approach. We develop an unsupervised method to track properties in the activities that recur over time and establish detailed behavior profiles. We propose three anomaly detectors that compare observed activities to the profiles in order to recognize suspicious changes in a host's activities, giving evidence of abnormal behavior. We demonstrate their effectiveness in revealing different types of anomalies, which are not detectable in aggregate network statistics, while providing meaningful alert information to administrators. In addition, we show that the profiles of individual hosts are stable over time and representative of their activities, and may even be used to identify hosts solely from their traffic behavior. In summary, the methods and algorithms presented in this thesis enable practical and interpretable detection of traffic anomalies on the network ow level with behavior-based methods.

EPFL2011

The Limits of Composable Crypto with Transferable Setup Devices

Miyako Ohkubo, Serge Vaudenay

UC security realized with setup devices imposes that single instances of these setups are used. In most cases, UC-realization relies further on other properties of the setups devices, like tamper-resistance. But what happens in stronger versions of the UC framework, like EUC or JUC, where multiple instances of these setups are allowed? Can we formalise what it is about setups like these which makes them sometimes hinder UC, JUC, EUC realizability? In this paper, we answer this question. As such, we formally introduce transferable setups, which can be viewed as setup devices that do not (publicly) disclose if they have been maliciously passed on. Further, we prove the general result that one cannot realize oblivious transfer (OT) or any "interesting" 2-party protocol using transferable setups in the EUC model. As a by-product, we show that physically unclonable functions (PUFs) themselves are transferable devices, which means that one cannot use PUFs as a global setups; this is interesting because non-transferability is a weaker requirement than locality, which until now was the property informally blamed for UC-impossibility results regarding PUFs as global setups. If setups are transferable (i.e., they can be passed on from one party to another without explicit disclosure of a malicious transfer), then they will not intrinsically leak if a relay attack takes place. Indeed, we further prove that if relay attacks are possible then oblivious transfer cannot be realized in the JUC model. Linked to the prevention of relaying, authenticated channels have historically been an essential building stone of the UC model. Related to this, we show how to strengthen some existing protocols UC-realized with PUFs, and render them not only UC-secure but also JUC-secure.

ACM2015

Malware in the SGX supply chain: Be careful when signing enclaves!

Pascal Felber, Rafael Pereira Pires

Malware attacks are a significant part of the new software security threats detected each year. Intel Software Guard Extensions (SGX) are a set of hardware instructions introduced by Intel in their recent lines of processors that are intended to provide a secure execution environment for user-developed applications. To our knowledge, there was no serious attempt yet to overcome the SGX protection by exploiting the weaknesses in the software supply chain infrastructure, namely at the level of the development, build or signing servers. While SGX protection does not specifically take into consideration such threats, we show in the current paper that a simple malware attack exploiting a separation between the build and signing processes can have a serious damaging impact, practically nullifying SGX integrity protection measures. We also explore two possible mitigations against the attack, one centralized leveraging SGX itself, and one distributed that relies on a smart contract deployed on a blockchain infrastructure. Our evaluation shows that both methods are feasible in practice and their added costs are acceptable for the offered protection.

2020

Traffic Anomaly Detection and Diagnosis on the Network Flow Level

Marc Philippe Stöcklin

EPFL2011