Harun Oz, Ahmet Aris, Abbas Acar, Güliz Seray Tuncay, Leonardo Babun, Selcuk Uluagac
RøB: Ransomware over Modern Web Browsers Conference Paper
In the Proceedings of the 32nd USENIX Security Symposium, 2023.
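@inproceedings{OZRans2023,
  title     = {{RøB}: Ransomware over Modern Web Browsers},
  author    = {Oz, Harun and Aris, Ahmet and Acar, Abbas and Tuncay, Güliz Seray and Babun, Leonardo and Uluagac, Selcuk},
  booktitle = {Proceedings of the 32nd {USENIX} Security Symposium},
  year      = {2023},
  month     = aug,
  url       = {https://www.usenix.org/conference/usenixsecurity23/presentation/oz},
  urldate   = {2023-08-01},
  note      = {Additional links: \url{https://www.youtube.com/watch?v=MUVNz6p3_jk}; \url{https://research.google/pubs/r%C3%B8b-ransomware-over-modern-web-browsers/}},
  abstract  = {File System Access (FSA) API enables web applications to interact with files on the users' local devices. Even though it can be used to develop rich web applications, it greatly extends the attack surface, which can be abused by adversaries to cause significant harm. In this paper, for the first time in the literature, we extensively study this new attack vector that can be used to develop a powerful new ransomware strain over a browser. Using the FSA API and WebAssembly technology, we demonstrate this novel browser-based ransomware called RøB as a malicious web application that encrypts the user's files from the browser. We use RøB to perform impact analysis with different OSs, local directories, and antivirus solutions as well as to develop mitigation techniques against it. Our evaluations show that RøB can encrypt the victim's local files including cloud-integrated directories, external storage devices, and network-shared folders regardless of the access limitations imposed by the API. Moreover, we evaluate and show how the existing defense solutions fall short against RøB in terms of their feasibility. We propose three potential defense solutions to mitigate this new attack vector. These solutions operate at different levels (i.e., browser-level, file-system-level, and user-level) and are orthogonal to each other. Our work strives to raise awareness of the dangers of RøB-like browser-based ransomware strains and shows that the emerging API documentation (i.e., the popular FSA) can be equivocal in terms of reflecting the extent of the threat.},
  keywords  = {Malware, Ransomware, Web Security},
  pubstate  = {published},
  tppubtype = {conference},
}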
Harun Oz, Ahmet Aris, Albert Levi, A. Selcuk Uluagac
A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions Journal Article
ACM Computing Surveys (CSUR), 2022.
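@article{OzSurveyRansomware,
  title         = {A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions},
  author        = {Oz, Harun and Aris, Ahmet and Levi, Albert and Uluagac, A. Selcuk},
  journal       = {{ACM} Computing Surveys ({CSUR})},
  publisher     = {Association for Computing Machinery},
  address       = {New York, NY, USA},
  year          = {2022},
  month         = sep,
  doi           = {10.1145/3514229},
  abstract      = {In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial losses of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, and is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms},
  keywords      = {Malware, Ransomware},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {volume, number and pages are not recorded in this export; the abstract is truncated},
}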
Amit Kumar Sikder, Leonardo Babun, Z. Berkay Celik, Hidayet Aksu, Patrick McDaniel, Engin Kirda, A. Selcuk Uluagac
Who’s Controlling My Device? Multi-User Multi-Device-Aware Access Control System for Shared Smart Home Environment Journal Article
ACM Transactions on Internet of Things Journal, 2022.
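@article{SikderControl2022,
  title         = {Who's Controlling My Device? Multi-User Multi-Device-Aware Access Control System for Shared Smart Home Environment},
  author        = {Sikder, Amit Kumar and Babun, Leonardo and Celik, Z. Berkay and Aksu, Hidayet and McDaniel, Patrick and Kirda, Engin and Uluagac, A. Selcuk},
  journal       = {{ACM} Transactions on Internet of Things Journal},
  publisher     = {Association for Computing Machinery},
  address       = {New York, NY, USA},
  year          = {2022},
  month         = sep,
  doi           = {10.1145/3543513},
  abstract      = {Multiple users have access to multiple devices in a smart home system typically through a dedicated app installed on a mobile device. Traditional access control mechanisms consider one unique, trusted user that controls access to the devices. However, multi-user multi-device smart home settings pose fundamentally different challenges to traditional single-user systems. For instance, in a multi-user environment, users have conflicting, complex, and dynamically-changing demands on multiple devices that cannot be handled by traditional access control techniques. Moreover, smart devices from different platforms/vendors can share the same home environment, making existing access control obsolete for smart home systems. To address these challenges, in this paper, we introduce Kratos+, a novel multi-user and multi-device-aware access control mechanism that allows smart home users to flexibly specify their},
  keywords      = {Adverserial Machine Learning, Malware},
  pubstate      = {published},
  tppubtype     = {article},
  internal-note = {volume, number and pages are not recorded in this export; the abstract is truncated},
}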
Shrenik Bhansali, Ahmet Aris, Abbas Acar, Harun Oz, Selcuk Uluagac
A First Look at Code Obfuscation for WebAssembly Conference Paper
In the Proceedings of the 15th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2022.
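@inproceedings{ShrenikCodeObfus,
  title     = {A First Look at Code Obfuscation for {WebAssembly}},
  author    = {Bhansali, Shrenik and Aris, Ahmet and Acar, Abbas and Oz, Harun and Uluagac, Selcuk},
  booktitle = {Proceedings of the 15th {ACM} Conference on Security and Privacy in Wireless and Mobile Networks ({WiSec})},
  year      = {2022},
  doi       = {10.1145/3507657.3528560},
  abstract  = {WebAssembly (Wasm) has seen a lot of attention lately as it spreads through the mobile computing domain and becomes the new standard for performance-oriented web development. It has diversified its uses far beyond just web applications by acting as an execution environment for mobile agents, containers for IoT devices, and enabling new serverless approaches for edge computing. Within the numerous uses of Wasm, not all of them are benign. With the rise of Wasm-based cryptojacking malware, analyzing Wasm applications has been a hot topic in the literature, resulting in numerous Wasm-based cryptojacking detection systems. Many of these methods rely on static analysis, which traditionally can be circumvented through obfuscation. However, the feasibility of the obfuscation techniques for Wasm programs has never been investigated thoroughly. In this paper, we address this gap and perform the first look at code obfuscation for Wasm. We apply numerous obfuscation techniques to Wasm programs, and test their effectiveness in producing a fully obfuscated Wasm program. Particularly, we obfuscate both benign Wasm-based web applications and cryptojacking malware instances and feed them into a state-of-the-art Wasm cryptojacking detector to see if current Wasm analysis methods can be subverted with obfuscation. Our analysis shows that obfuscation can be highly effective and can cause even a state-of-the-art detector to misclassify the obfuscated Wasm samples.},
  keywords  = {Malware, WebAssembly},
  pubstate  = {published},
  tppubtype = {conference},
}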
Harun Oz, Faraz Naseem, Ahmet Aris, Abbas Acar, Guliz Seray Tuncay, A Selcuk Uluagac
Feasibility of Malware Visualization Techniques against Adversarial Machine Learning Attacks Demo/Poster
In the Proceedings of the 43rd IEEE Symposium on Security and Privacy (S&P), 2022.
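@inproceedings{Oz2022MalwareVisualization,
  title     = {Feasibility of Malware Visualization Techniques against Adversarial Machine Learning Attacks},
  author    = {Oz, Harun and Naseem, Faraz and Aris, Ahmet and Acar, Abbas and Tuncay, Guliz Seray and Uluagac, A. Selcuk},
  booktitle = {Proceedings of the 43rd {IEEE} Symposium on Security and Privacy ({S\&P})},
  year      = {2022},
  note      = {Demo/Poster},
  keywords  = {Adverserial Machine Learning, Malware},
  pubstate  = {published},
  tppubtype = {Demo/Posters},
}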
Ege Tekiner, Abbas Acar, A Selcuk Uluagac, Engin Kirda, Ali Aydin Selcuk
In-Browser Cryptomining for Good: An Untold Story Conference Paper
In the Proceedings of the IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS), 2021.
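@inproceedings{untoldStory,
  title     = {In-Browser Cryptomining for Good: An Untold Story},
  author    = {Tekiner, Ege and Acar, Abbas and Uluagac, A. Selcuk and Kirda, Engin and Selcuk, Ali Aydin},
  booktitle = {Proceedings of the {IEEE} International Conference on Decentralized Applications and Infrastructures ({DAPPS})},
  year      = {2021},
  url       = {https://ieeexplore.ieee.org/abstract/document/9566204/},
  urldate   = {2021-01-01},
  abstract  = {In-browser cryptomining uses the computational power of a website's visitors to mine cryptocurrency, i.e., to create new coins. With the rise of ready-to-use mining scripts distributed by service providers (e.g., Coinhive), it has become trivial to turn a website into a cryptominer by copying and pasting the mining script. Both legitimate webpage owners who want to raise an extra revenue under users' explicit consent and malicious actors who wish to exploit the computational power of the users' computers without their consent have started to utilize this emerging paradigm of cryptocurrency operations. In-browser cryptomining, though mostly abused by malicious actors in practice, is indeed a promising funding model that can be utilized by website owners, publishers, or non-profit organizations for legitimate business purposes, such as to collect revenue or donations for humanitarian projects, inter alia. However, our analysis in this paper shows that in practice, regardless of their being legitimate or not, all in-browser mining scripts are treated the same as malicious cryptomining samples (aka cryptojacking) and blacklisted by browser extensions or antivirus programs. Indeed, there is a need for a better understanding of the in-browser cryptomining ecosystem. Hence, in this paper, we present an in-depth empirical analysis of in-browser cryptomining processes, focusing on the samples explicitly asking for user consent, which we call permissioned cryptomining. To the best of our knowledge, this is the first study focusing on the permissioned cryptomining samples. For this, we created a dataset of 6269 unique web sites containing cryptomining scripts in their source codes to characterize the in-browser cryptomining ecosystem by differentiating permissioned and permissionless cryptomining samples. We believe that (1) this paper is the first attempt showing that permissioned in-browser cryptomining could be a legitimate and viable monetization tool if implemented responsibly and without interrupting the user, and (2) this paper will catalyze the widespread adoption of legitimate cryptomining with user consent and awareness.},
  keywords  = {Cryptojacking, Malware},
  pubstate  = {published},
  tppubtype = {conference},
}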
Ahmet Arış, Faraz Naseem, Leonardo Babun, Ege Tekiner, Selcuk Uluagac
MINOS: A Lightweight Real-Time Cryptojacking Detection System Conference Paper
In the Proceedings of the 28th Network and Distributed System Security Symposium (NDSS), 2021.
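@inproceedings{FarazMinos,
  title         = {{MINOS}: A Lightweight Real-Time Cryptojacking Detection System},
  author        = {Arış, Ahmet and Naseem, Faraz and Babun, Leonardo and Tekiner, Ege and Uluagac, Selcuk},
  booktitle     = {Proceedings of the 28th Network and Distributed System Security Symposium ({NDSS})},
  year          = {2021},
  url           = {https://www.researchgate.net/profile/Ahmet-Aris/publication/349109071_MINOS_A_Lightweight_Real-Time_Cryptojacking_Detection_System/links/61488e123c6cb310697fba33/MINOS-A-Lightweight-Real-Time-Cryptojacking-Detection-System.pdf},
  urldate       = {2021-01-01},
  abstract      = {Emerging WebAssembly (Wasm)-based cryptojacking malware covertly uses the computational resources of users without their consent or knowledge. Indeed, most victims of this malware are unaware of such unauthorized use of their computing power due to techniques employed by cryptojacking malware authors such as CPU throttling and obfuscation. A number of dynamic analysis-based detection mechanisms exist that aim to circumvent such techniques. However, since these mechanisms use dynamic features, the collection of such features, as well as the actual detection of the malware, require that the cryptojacking malware run for a certain amount of time, effectively mining for that period, and therefore causing significant overhead. To solve these limitations, in this paper, we propose MINOS, a novel, extremely lightweight cryptojacking detection system that uses deep learning techniques to accurately detect the presence of unwarranted Wasm-based mining activity in real-time. MINOS uses an image-based classification technique to distinguish between benign webpages and those using Wasm to implement unauthorized mining. Specifically, the classifier implements a convolutional neural network (CNN) model trained with a comprehensive dataset of current malicious and benign Wasm binaries. MINOS achieves exceptional accuracy with a low TNR and FPR. Moreover, our extensive performance analysis of MINOS shows that the proposed detection technique can detect mining activity instantaneously from the most current in-the-wild cryptojacking malware with an accuracy of 98.97 percent, in an average of 25.9 milliseconds while using a},
  keywords      = {Cryptojacking, Machine Learning Security, Malware},
  pubstate      = {published},
  tppubtype     = {conference},
  internal-note = {the abstract is truncated in this export; the url points to an author-hosted copy rather than the publisher},
}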
Ege Tekiner, Abbas Acar, A. Selcuk Uluagac, Engin Kirda, Ali Aydin Selcuk
SoK: Cryptojacking Malware Conference Paper
In the Proceedings of the 6th IEEE European Symposium on Security and Privacy (EuroS&P), Virtual, 2021.
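@inproceedings{tekiner2021,
  title         = {{SoK}: Cryptojacking Malware},
  author        = {Tekiner, Ege and Acar, Abbas and Uluagac, A. Selcuk and Kirda, Engin and Selcuk, Ali Aydin},
  booktitle     = {Proceedings of the 6th {IEEE} European Symposium on Security and Privacy ({EuroS\&P})},
  venue         = {Virtual},
  year          = {2021},
  url           = {https://ieeexplore.ieee.org/abstract/document/9581251/},
  urldate       = {2021-01-01},
  abstract      = {Emerging blockchain and cryptocurrency-based technologies are redefining the way we conduct business in cyberspace. Today, a myriad of blockchain and cryptocurrency systems, applications, and technologies are widely available to companies, end-users, and even malicious actors who want to exploit the computational resources of regular users through cryptojacking malware. Especially with ready-to-use mining scripts easily provided by service providers (e.g., Coinhive) and untraceable cryptocurrencies (e.g., Monero), cryptojacking malware has become an indispensable tool for attackers. Indeed, the banking industry, major commercial websites, government and military servers (e.g., US Dept. of Defense), online video sharing platforms (e.g., Youtube), gaming platforms (e.g., Nintendo), critical infrastructure resources (e.g., routers), and even recently widely popular remote video conferencing/meeting},
  keywords      = {Blockchain Security, Cryptojacking, Malware},
  pubstate      = {published},
  tppubtype     = {conference},
  internal-note = {the abstract is truncated in this export},
}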
Abbas Acar, Long Lu, A. Selcuk Uluagac, Engin Kirda
An Analysis of Malware Trends in Enterprise Networks Conference Paper
In the Proceedings of the Information Security Conference (ISC), 2019.
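@inproceedings{Acar2019MalwareTrendsb,
  title     = {An Analysis of Malware Trends in Enterprise Networks},
  author    = {Acar, Abbas and Lu, Long and Uluagac, A. Selcuk and Kirda, Engin},
  booktitle = {Proceedings of the Information Security Conference ({ISC})},
  year      = {2019},
  doi       = {10.1007/978-3-030-30215-3_18},
  abstract  = {We present an empirical and large-scale analysis of malware samples captured from two different enterprises from 2017 to early 2018. Particularly, we perform threat vector, social-engineering, vulnerability and time-series analysis on our dataset. Unlike existing malware studies, our analysis is specifically focused on the recent enterprise malware samples. First of all, based on our analysis on the combined datasets of two enterprises, our results confirm the general consensus that AV-only solutions are not enough for real-time defenses in enterprise settings because on average 40\% of the malware samples, when first appeared, are not detected by most AVs on VirusTotal or not uploaded to VT at all (i.e., never seen in the wild yet). Moreover, our analysis also shows that enterprise users transfer documents more than executables and other types of files. Therefore, attackers embed malicious codes into documents to download and install the actual malicious payload instead of sending malicious payload directly or using vulnerability exploits. Moreover, we also found that financial matters (e.g., purchase orders and invoices) are still the most common subject seen in Business Email Compromise (BEC) scams that aim to trick employees. Finally, based on our analysis on the timestamps of captured malware samples, we found that 93\% of the malware samples were delivered on weekdays. Our further analysis also showed that while the malware samples that require user interaction such as macro-based malware samples have been captured during the working hours of the employees, the massive malware attacks are triggered during the off-times of the employees to be able to silently spread over the networks.},
  keywords  = {Enterprise Security, Malware},
  pubstate  = {published},
  tppubtype = {conference},
}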
Enes Erdin, Hidayet Aksu, Selcuk Uluagac, Micheal Vai, Kemal Akkaya
OS Independent and Hardware-Assisted Insider Threat Detection and Prevention Framework Conference Paper
In the Proceedings of the IEEE Military Communications Conference (MILCOM), 2018.
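@inproceedings{8599719b,
  title     = {{OS} Independent and Hardware-Assisted Insider Threat Detection and Prevention Framework},
  author    = {Erdin, Enes and Aksu, Hidayet and Uluagac, Selcuk and Vai, Micheal and Akkaya, Kemal},
  booktitle = {Proceedings of the {IEEE} Military Communications Conference ({MILCOM})},
  year      = {2018},
  url       = {https://ieeexplore.ieee.org/abstract/document/8599719},
  urldate   = {2018-01-01},
  abstract  = {Governmental and military institutions harbor critical infrastructure and highly confidential information. Although institutions are investing a lot for protecting their data and assets from possible outsider attacks, insiders are still a distrustful source for information leakage. As malicious software injection is one among many attacks, turning innocent employees into malicious attackers through social attacks is the most impactful one. Malicious insiders or uneducated employees are dangerous for organizations that they are already behind the perimeter protections that guard the digital assets; actually, they are trojans on their own. For an insider, the easiest possible way for creating a hole in security is using the popular and ubiquitous Universal Serial Bus (USB) devices due to its versatile and easy to use plug-and-play nature. USB type storage devices are the biggest threats for contaminating mission critical infrastructure with viruses, malware, and trojans. USB human interface devices are also dangerous as they may connect to a host with destructive hidden functionalities. In this paper, we propose a novel hardware-assisted insider threat detection and prevention framework for the USB case. Our novel framework is also OS independent. We implemented a proof-of-concept design on an FPGA board which is widely used in military settings supporting critical missions, and demonstrated the results considering different experiments. Based on the results of these experiments, we show that our framework can identify rapid-keyboard key-stroke attacks and can easily detect the functionality of the USB device plugged in. We present the resource consumption of our framework on the FPGA for its utilization on a host controller device. We show that the our hard-to-tamper framework introduces no overhead in USB communication in terms of user experience.},
  keywords  = {Hardware Security, Malware},
  pubstate  = {published},
  tppubtype = {conference},
}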