Pub Date : 2023-12-28DOI: 10.1007/s11416-023-00509-7
Rohit Dube
{"title":"Faulty use of the CIC-IDS 2017 dataset in information security research","authors":"Rohit Dube","doi":"10.1007/s11416-023-00509-7","DOIUrl":"https://doi.org/10.1007/s11416-023-00509-7","url":null,"abstract":"","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"31 8","pages":"1-9"},"PeriodicalIF":1.5,"publicationDate":"2023-12-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"139149986","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-11-08DOI: 10.1007/s11416-023-00507-9
Santosh Kumar Ravva, K. L. N. C. Prakash, S. R. M. Krishna
RSA is a well-known cryptosystem in public-key cryptography and the strength of the cryptosystem depends on the hardness of factoring large integers. Several attacks have been proposed by using the partial information of the secret parameters, which can be obtained by side-channel attacks. Partial key exposure attacks exploit the information gained by a side-channel attack(s) and identify the potential of the RSA cryptosystem if an attacker knows that partial information. In this paper, we investigate the strength of RSA, if an attacker obtains some blocks of the secret exponent, and by guessing successfully a few most significant bits (MSBs) of any of the primes in RSA. Some blocks of the secret exponent can be extracted by cold boot attack and some MSBs of any of the primes can be guessed correctly. We apply LLL algorithm to attack the RSA and follow the Jochemsz and May approach to construct the lattice.
{"title":"Partial key exposure attack on RSA using some private key blocks","authors":"Santosh Kumar Ravva, K. L. N. C. Prakash, S. R. M. Krishna","doi":"10.1007/s11416-023-00507-9","DOIUrl":"https://doi.org/10.1007/s11416-023-00507-9","url":null,"abstract":"RSA is a well-known cryptosystem in public-key cryptography and the strength of the cryptosystem depends on the hardness of factoring large integers. Several attacks have been proposed by using the partial information of the secret parameters, which can be obtained by side-channel attacks. Partial key exposure attacks exploit the information gained by a side-channel attack(s) and identify the potential of the RSA cryptosystem if an attacker knows that partial information. In this paper, we investigate the strength of RSA, if an attacker obtains some blocks of the secret exponent, and by guessing successfully a few most significant bits (MSBs) of any of the primes in RSA. Some blocks of the secret exponent can be extracted by cold boot attack and some MSBs of any of the primes can be guessed correctly. We apply LLL algorithm to attack the RSA and follow the Jochemsz and May approach to construct the lattice.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"84 2","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-11-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135341674","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-10-20DOI: 10.1007/s11416-023-00506-w
Ritik Mehta, Olha Jurečková, Mark Stamp
Many different machine learning and deep learning techniques have been successfully employed for malware detection and classification. Examples of popular learning techniques in the malware domain include Hidden Markov Models (HMM), Random Forests (RF), Convolutional Neural Networks (CNN), Support Vector Machines (SVM), and Recurrent Neural Networks (RNN) such as Long Short-Term Memory (LSTM) networks. In this research, we consider a hybrid architecture, where HMMs are trained on opcode sequences, and the resulting hidden states of these trained HMMs are used as feature vectors in various classifiers. In this context, extracting the HMM hidden state sequences can be viewed as a form of feature engineering that is somewhat analogous to techniques that are commonly employed in Natural Language Processing (NLP). We find that this NLP-based approach outperforms other popular techniques on a challenging malware dataset, with an HMM-Random Forest model yielding the best results.
{"title":"A natural language processing approach to Malware classification","authors":"Ritik Mehta, Olha Jurečková, Mark Stamp","doi":"10.1007/s11416-023-00506-w","DOIUrl":"https://doi.org/10.1007/s11416-023-00506-w","url":null,"abstract":"Many different machine learning and deep learning techniques have been successfully employed for malware detection and classification. Examples of popular learning techniques in the malware domain include Hidden Markov Models (HMM), Random Forests (RF), Convolutional Neural Networks (CNN), Support Vector Machines (SVM), and Recurrent Neural Networks (RNN) such as Long Short-Term Memory (LSTM) networks. In this research, we consider a hybrid architecture, where HMMs are trained on opcode sequences, and the resulting hidden states of these trained HMMs are used as feature vectors in various classifiers. In this context, extracting the HMM hidden state sequences can be viewed as a form of feature engineering that is somewhat analogous to techniques that are commonly employed in Natural Language Processing (NLP). We find that this NLP-based approach outperforms other popular techniques on a challenging malware dataset, with an HMM-Random Forest model yielding the best results.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"29 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-10-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135567640","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-10-20DOI: 10.1007/s11416-023-00505-x
Minh Tu Nguyen, Viet Hung Nguyen, Nathan Shone
Detecting zero-day malware in Windows PE files using dynamic analysis techniques has proven to be far more effective than traditional signature-based methods. One specific approach that has emerged in recent years is the use of graphs to represent executable behavior, which can be subsequently used to learn patterns. However, many current graph representations omit key parameter information, meaning that the behavioral impact of variable changes cannot be reliably understood. To combat these shortcomings, we present a new method for malware detection by applying a graph attention network on multi-edge directional heterogeneous graphs constructed from API calls. The experiments show the TPR and FPR scores demonstrated by our model, achieve better performance than those from other related works.
{"title":"Using deep graph learning to improve dynamic analysis-based malware detection in PE files","authors":"Minh Tu Nguyen, Viet Hung Nguyen, Nathan Shone","doi":"10.1007/s11416-023-00505-x","DOIUrl":"https://doi.org/10.1007/s11416-023-00505-x","url":null,"abstract":"Detecting zero-day malware in Windows PE files using dynamic analysis techniques has proven to be far more effective than traditional signature-based methods. One specific approach that has emerged in recent years is the use of graphs to represent executable behavior, which can be subsequently used to learn patterns. However, many current graph representations omit key parameter information, meaning that the behavioral impact of variable changes cannot be reliably understood. To combat these shortcomings, we present a new method for malware detection by applying a graph attention network on multi-edge directional heterogeneous graphs constructed from API calls. The experiments show the TPR and FPR scores demonstrated by our model, achieve better performance than those from other related works.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"22 1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-10-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135617035","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-10-20DOI: 10.1007/s11416-023-00508-8
R. Santosh Kumar, K. L. N. C. Prakash, S. R. M. Krishna
RSA is well known public-key cryptosystem in modern-day cryptography. Since the inception of the RSA, several attacks have been proposed on RSA. The Boneh–Durfee attack is the most prominent and they showed that if the secrete exponent is less than 0.292, RSA is completely vulnerable. In this paper, we further investigate the vulnerability of RSA whenever a secret exponent is large and the composite form with a few most significant bits of one of the primes exposed. Having a large secret exponent can avoid the Boneh–Durfee attack, but in this attack, we show that even though the secret exponent is large and has some specialized structure then RSA is still vulnerable. We follow the Jochemsz and May strategy for constructing the lattice, and the LLL algorithm is used for lattice reduction. Our attack outperforms most of the previous attacks.
{"title":"Cryptanalysis of RSA with composed decryption exponent with few most significant bits of one of the primes","authors":"R. Santosh Kumar, K. L. N. C. Prakash, S. R. M. Krishna","doi":"10.1007/s11416-023-00508-8","DOIUrl":"https://doi.org/10.1007/s11416-023-00508-8","url":null,"abstract":"RSA is well known public-key cryptosystem in modern-day cryptography. Since the inception of the RSA, several attacks have been proposed on RSA. The Boneh–Durfee attack is the most prominent and they showed that if the secrete exponent is less than 0.292, RSA is completely vulnerable. In this paper, we further investigate the vulnerability of RSA whenever a secret exponent is large and the composite form with a few most significant bits of one of the primes exposed. Having a large secret exponent can avoid the Boneh–Durfee attack, but in this attack, we show that even though the secret exponent is large and has some specialized structure then RSA is still vulnerable. We follow the Jochemsz and May strategy for constructing the lattice, and the LLL algorithm is used for lattice reduction. Our attack outperforms most of the previous attacks.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"87 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-10-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135569645","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-10-05DOI: 10.1007/s11416-023-00503-z
Grigory Marshalko, Svetlana Koreshkova
We study a randomized variant of one type of biometric recognition algorithms, which is intended to mitigate adversarial attacks. We show that the problem of an estimation of the security of the proposed algorithm can be formulated in the form of an estimation of statistical distance between the probability distributions, induced by the initial and the randomized algorithm. A variant of practical password-based implementation is discussed. The results of experimental evaluation are given. The preliminary verison of this research was presented at CTCrypt 2020 workshop.
{"title":"Protection against adversarial attacks with randomization of recognition algorithm","authors":"Grigory Marshalko, Svetlana Koreshkova","doi":"10.1007/s11416-023-00503-z","DOIUrl":"https://doi.org/10.1007/s11416-023-00503-z","url":null,"abstract":"We study a randomized variant of one type of biometric recognition algorithms, which is intended to mitigate adversarial attacks. We show that the problem of an estimation of the security of the proposed algorithm can be formulated in the form of an estimation of statistical distance between the probability distributions, induced by the initial and the randomized algorithm. A variant of practical password-based implementation is discussed. The results of experimental evaluation are given. The preliminary verison of this research was presented at CTCrypt 2020 workshop.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"56 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-10-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"134977187","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-09-28DOI: 10.1007/s11416-023-00502-0
Akram Khalesi, Zahra Ahmadian
Division property is an effective method for finding integral distinguishers for block ciphers, performing cube attacks on stream ciphers, and studying the algebraic degree of boolean functions. One of the main problems in this field is how to provably find the smallest input multiset leading to a balanced output. In this paper, we propose a new method, using the division property, to find integral distinguishers for permutation functions and block ciphers, with provably-minimum data complexity, in the conventional division property model. The new method is based on a precise and efficient analysis of the target output bit’s algebraic normal form. We examine the proposed method on LBlock, TWINE, SIMON, Present, Gift, and Clyde-128 block ciphers. Although in most cases, the results are consistent with the distinguishers reported in previous work, their optimality is proved, in the conventional division property model. Moreover, the proposed method can find distinguishers for 8-round Clyde-128 with less data complexity than previously reported. Based on the proposed method, we also develop an algorithm capable of determining the maximum number of balanced output bits for integral distinguishers with a certain number of active bits. Accordingly, for the ciphers under study, we determine the maximum number of balanced bits for integral distinguishers with data complexities set to minimum and slightly higher, resulting in improved distinguishers for Gift-64, Present, and SIMON64, in the conventional model.
{"title":"Provably minimum data complexity integral distinguisher based on conventional division property","authors":"Akram Khalesi, Zahra Ahmadian","doi":"10.1007/s11416-023-00502-0","DOIUrl":"https://doi.org/10.1007/s11416-023-00502-0","url":null,"abstract":"Division property is an effective method for finding integral distinguishers for block ciphers, performing cube attacks on stream ciphers, and studying the algebraic degree of boolean functions. One of the main problems in this field is how to provably find the smallest input multiset leading to a balanced output. In this paper, we propose a new method, using the division property, to find integral distinguishers for permutation functions and block ciphers, with provably-minimum data complexity, in the conventional division property model. The new method is based on a precise and efficient analysis of the target output bit’s algebraic normal form. We examine the proposed method on LBlock, TWINE, SIMON, Present, Gift, and Clyde-128 block ciphers. Although in most cases, the results are consistent with the distinguishers reported in previous work, their optimality is proved, in the conventional division property model. Moreover, the proposed method can find distinguishers for 8-round Clyde-128 with less data complexity than previously reported. Based on the proposed method, we also develop an algorithm capable of determining the maximum number of balanced output bits for integral distinguishers with a certain number of active bits. Accordingly, for the ciphers under study, we determine the maximum number of balanced bits for integral distinguishers with data complexities set to minimum and slightly higher, resulting in improved distinguishers for Gift-64, Present, and SIMON64, in the conventional model.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"49 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-09-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135385328","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-09-27DOI: 10.1007/s11416-023-00501-1
Giovanni Ciaramella, Giacomo Iadarola, Fabio Martinelli, Francesco Mercaldo, Antonella Santone
Globally, the number of internet users increases every year. As a matter of fact, we use technological devices to surf the internet, for online shopping, or just to relax and keep our relationships by spending time on social networks. By doing any of those actions, we release information that can be used in many ways, such as targeted advertising via cookies but also abused by malicious users for scams or theft. On the other hand, many detection systems have been developed with the aim to counteract malicious actions. In particular, special attention has been paid to the malware, designed to perpetrate malicious actions inside software systems and widespread through internet networks or e-mail messages. In this paper, we propose a deep learning model aimed to detect ransomware. We propose a set of experiments aimed to demonstrate that the proposed method obtains good accuracy during the training and test phases across a dataset of over 15,000 elements. Moreover, to improve our results and interpret the output obtained from the models, we have also exploited the Gradient-weighted Class Activation Mapping.
{"title":"Explainable Ransomware Detection with Deep Learning Techniques","authors":"Giovanni Ciaramella, Giacomo Iadarola, Fabio Martinelli, Francesco Mercaldo, Antonella Santone","doi":"10.1007/s11416-023-00501-1","DOIUrl":"https://doi.org/10.1007/s11416-023-00501-1","url":null,"abstract":"Globally, the number of internet users increases every year. As a matter of fact, we use technological devices to surf the internet, for online shopping, or just to relax and keep our relationships by spending time on social networks. By doing any of those actions, we release information that can be used in many ways, such as targeted advertising via cookies but also abused by malicious users for scams or theft. On the other hand, many detection systems have been developed with the aim to counteract malicious actions. In particular, special attention has been paid to the malware, designed to perpetrate malicious actions inside software systems and widespread through internet networks or e-mail messages. In this paper, we propose a deep learning model aimed to detect ransomware. We propose a set of experiments aimed to demonstrate that the proposed method obtains good accuracy during the training and test phases across a dataset of over 15,000 elements. Moreover, to improve our results and interpret the output obtained from the models, we have also exploited the Gradient-weighted Class Activation Mapping.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"41 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-09-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135536257","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-09-27DOI: 10.1007/s11416-023-00498-7
Omid Kargarnovin, Amir Mahdi Sadeghzadeh, Rasool Jalili
With the growing use of Deep Learning (DL) to tackle various problems, securing these models against adversaries has become a primary concern for researchers. Recent studies have shown that DL-based malware detectors are vulnerable to adversarial examples. An adversary can create carefully crafted adversarial examples to evade DL-based malware detectors. In this paper, we propose Mal2GCN, a robust malware detection model that uses Function Call Graph (FCG) representation of executable files combined with Graph Convolution Network (GCN) to detect Windows malware. Since the FCG representation of executable files is more robust than the raw byte sequence representation, numerous proposed adversarial example generating methods are ineffective in evading Mal2GCN. Moreover, we use the non-negative training method to transform Mal2GCN into a monotonically non-decreasing function; thereby, making it theoretically robust against appending attacks. Besides, experimental results on a collected dataset of PE executables demonstrate that Mal2GCN can detect malware with 98.15% accuracy, outperforming its counterparts. We then present a black-box source code-based adversarial malware generation approach that can be used to evaluate the robustness of malware detection models against real-world adversaries. This approach injects adversarial code into various locations of malware source code, aiming to evade malware detection models. The experiments indicate that Mal2GCN with non-negative weights achieves high accuracy in detecting Windows malware while also exhibiting robustness against adversarial attacks that add benign features to the malware source code.
{"title":"Mal2GCN: a robust malware detection approach using deep graph convolutional networks with non-negative weights","authors":"Omid Kargarnovin, Amir Mahdi Sadeghzadeh, Rasool Jalili","doi":"10.1007/s11416-023-00498-7","DOIUrl":"https://doi.org/10.1007/s11416-023-00498-7","url":null,"abstract":"With the growing use of Deep Learning (DL) to tackle various problems, securing these models against adversaries has become a primary concern for researchers. Recent studies have shown that DL-based malware detectors are vulnerable to adversarial examples. An adversary can create carefully crafted adversarial examples to evade DL-based malware detectors. In this paper, we propose Mal2GCN, a robust malware detection model that uses Function Call Graph (FCG) representation of executable files combined with Graph Convolution Network (GCN) to detect Windows malware. Since the FCG representation of executable files is more robust than the raw byte sequence representation, numerous proposed adversarial example generating methods are ineffective in evading Mal2GCN. Moreover, we use the non-negative training method to transform Mal2GCN into a monotonically non-decreasing function; thereby, making it theoretically robust against appending attacks. Besides, experimental results on a collected dataset of PE executables demonstrate that Mal2GCN can detect malware with 98.15% accuracy, outperforming its counterparts. We then present a black-box source code-based adversarial malware generation approach that can be used to evaluate the robustness of malware detection models against real-world adversaries. This approach injects adversarial code into various locations of malware source code, aiming to evade malware detection models. The experiments indicate that Mal2GCN with non-negative weights achieves high accuracy in detecting Windows malware while also exhibiting robustness against adversarial attacks that add benign features to the malware source code.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"69 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-09-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135476213","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2023-09-25DOI: 10.1007/s11416-023-00504-y
Hassan Jameel Asghar, Benjamin Zi Hao Zhao, Muhammad Ikram, Giang Nguyen, Dali Kaafar, Sean Lamont, Daniel Coscia
Malware authors often use cryptographic tools such as XOR encryption and block ciphers like AES to obfuscate part of the malware to evade detection. Use of cryptography may give the impression that these obfuscation techniques have some provable guarantees of success. In this paper, we take a closer look at the use of cryptographic tools to obfuscate malware. We first find that most techniques are easy to defeat (in principle), since the decryption algorithm and the key is shipped within the program. In order to clearly define an obfuscation technique’s potential to evade detection we propose a principled definition of malware obfuscation, and then categorize instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. We find that schemes that are hard to de-obfuscate necessarily rely on a construct based on environmental keying. We also show that cryptographic notions of obfuscation, e.g., indistinghuishability and virtual black box obfuscation, may not guarantee evasion detection under our model. However, they can be used in conjunction with environmental keying to produce hard to de-obfuscate version of programs.
{"title":"Use of cryptography in malware obfuscation","authors":"Hassan Jameel Asghar, Benjamin Zi Hao Zhao, Muhammad Ikram, Giang Nguyen, Dali Kaafar, Sean Lamont, Daniel Coscia","doi":"10.1007/s11416-023-00504-y","DOIUrl":"https://doi.org/10.1007/s11416-023-00504-y","url":null,"abstract":"Malware authors often use cryptographic tools such as XOR encryption and block ciphers like AES to obfuscate part of the malware to evade detection. Use of cryptography may give the impression that these obfuscation techniques have some provable guarantees of success. In this paper, we take a closer look at the use of cryptographic tools to obfuscate malware. We first find that most techniques are easy to defeat (in principle), since the decryption algorithm and the key is shipped within the program. In order to clearly define an obfuscation technique’s potential to evade detection we propose a principled definition of malware obfuscation, and then categorize instances of malware obfuscation that use cryptographic tools into those which evade detection and those which are detectable. We find that schemes that are hard to de-obfuscate necessarily rely on a construct based on environmental keying. We also show that cryptographic notions of obfuscation, e.g., indistinghuishability and virtual black box obfuscation, may not guarantee evasion detection under our model. However, they can be used in conjunction with environmental keying to produce hard to de-obfuscate version of programs.","PeriodicalId":15545,"journal":{"name":"Journal of Computer Virology and Hacking Techniques","volume":"67 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2023-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"135859173","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: