Many malicious programs we encounter these days are armed with their own custom encoding methods (i.e., they are packed) to deter static binary analysis. Thus, the initial step to deal with unknown (possibly malicious) binary samples obtained from malware collecting systems ordinarily involves the unpacking step. In this paper, we focus on empirical experimental evaluations on a generic unpacking method built on a dynamic binary instrumentation (DBI) framework to figure out the applicability of the DBI-based approach. First, we present yet another method of generic binary unpacking extending a conventional unpacking heuristic. Our architecture includes managing shadow states to measure code exposure according to a simple byte state model. Among available platforms, we built an unpacking implementation on PIN DBI framework. Second, we describe evaluation experiments, conducted on wild malware collections, to discuss workability as well as limitations of our tool. Without the prior knowledge of 6029 samples in the collections, we have identified at around 64% of those were analyzable with our DBI-based generic unpacking tool which is configured to operate in fully automatic batch processing. Purging corrupted and unworkable samples in native systems, it was 72%.

Malware sandbox analysis, in which a malware sample is actually executed in a testing environment (i.e. sandbox) to observe its behavior, is one of the promising approaches to tackling the emerging threats of exploding malware. As a lot of recent malware actively communicates with remote hosts over the Internet, sandboxes should also support an Internet connection, otherwise important malware behavior may not be observed. In this paper, we propose a multi-pass sandbox analysis with a controlled Internet connection. In the proposed method, we start our analysis with an isolated sandbox and an emulated Internet that consists of a set of dummy servers and hosts that run vulnerable services, called Honeypots in the Sandbox (HitS). All outbound connections from the victim host are closely inspected to see if they could be connected to the real Internet. We iterate the above process until no new behaviors are observed. We implemented the proposed method in a completely automated fashion and evaluated it with malware samples recently captured in the wild. Using a simple containment policy that authorizes only certain application protocols, namely, HTTP, IRC, and DNS, we were able to observe a greater variety of behaviors compared with the completely isolated sandbox. Meanwhile, we confirmed that a noticeable number of IP scans, vulnerability exploitations, and DoS attacks are successfully contained in the sandbox. Additionally, a brief comparison with two existing sandbox analysis systems, Norman Sandbox and CWSandbox, are shown.

Web-based social engineering (SE) attacks manipulate users to perform specific actions, such as downloading malware and exposing personal information. Aiming to effectively lure users, some SE attacks, which we call multi-step SE attacks, constitute a sequence of web pages starting from a landing page and require browser interactions at each web page. Also, different browser interactions executed on a web page often branch to multiple sequences to redirect users to different SE attacks. Although common systems analyze only landing pages or conduct browser interactions limited to a specific attack, little effort has been made to follow such sequences of web pages to collect multi-step SE attacks. We propose STRAYSHEEP, a system to automatically crawl a sequence of web pages and detect diverse multi-step SE attacks. We evaluate the effectiveness of STRAYSHEEP's three modules (landing-page-collection, web-crawling, and SE-detection) in terms of the rate of collected landing pages leading to SE attacks, efficiency of web crawling to reach more SE attacks, and accuracy in detecting the attacks. Our experimental results indicate that STRAYSHEEP can lead to 20% more SE attacks than Alexa top sites and search results of trend words, crawl five times more efficiently than a simple crawling module, and detect SE attacks with 95.5% accuracy. We demonstrate that STRAYSHEEP can collect various SE attacks, not limited to a specific attack. We also clarify attackers' techniques for tricking users and browser interactions, redirecting users to attacks.

Malware has been recognized as one of the major security threats in the Internet . Previous researches have mainly focused on malware's internal activity in a system. However, it is crucial that the malware analysis extracts a malware's external activity toward the network to correlate with a security incident. We propose a novel way to analyze malware: focus closely on the malware's external (i.e., network) activity. A malware sample is executed on a sandbox that consists of a real machine as victim and a virtual Internet environment. Since this sandbox environment is totally isolated from the real Internet, the execution of the sample causes no further unwanted propagation. The sandbox is configurable so as to extract specific activity of malware, such as scan behaviors. We implement a fully automated malware analysis system with the sandbox, which enables us to carry out the large-scale malware analysis. We present concrete analysis results that are gained by using the proposed system.

Android app developers sometimes copy code snippets posted on a question-and-answer (Q&A) website and use them in their apps. However, if a code snippet has vulnerabilities, Android apps containing the vulnerable snippet could also have the same vulnerabilities. Despite this, the effect of such vulnerable snippets on the Android apps has not been investigated in depth. In this paper, we investigate the correspondence between the vulnerable code snippets and vulnerable apps. we collect code snippets from a Q&A website, extract possibly vulnerable snippets, and calculate similarity between those snippets and bytecode on vulnerable apps. Our experimental results show that 15.8% of all evaluated apps that have SSL implementation vulnerabilities (Improper host name verification), 31.7% that have SSL certificate verification vulnerabilities, and 3.8% that have WEBVIEW remote code execution vulnerabilities contain possibly vulnerable code snippets from Stack Overflow. In the worst case, a single problematic snippet has caused 4,844 apps to contain a vulnerability, accounting for 31.2% of all collected apps with that vulnerability.

In this paper, we developed the latest IoT honeypots to capture IoT malware currently on the loose, analyzed IoT malware with new features such as persistent infection, developed malware removal methods to be provided to IoT device users. Furthermore, as attack behaviors using IoT devices become more diverse and sophisticated every year, we conducted research related to various factors involved in understanding the overall picture of attack behaviors from the perspective of incident responders. As the final stage of countermeasures, we also conducted research and development of IoT malware disabling technology to stop only IoT malware activities in IoT devices and IoT system disabling technology to remotely control (including stopping) IoT devices themselves.

In recent years, cyber attacks against infrastructure have become more serious. Unfortunately, infrastructures with vulnerable remote management devices, which allow attackers to control the infrastructure, have been reported. Targeted attacks against infrastructure are conducted manually by human attackers rather than automated scripts. Here, open questions are how often the attacks against such infrastructure happen and what attackers do after intrusions. In this empirical study, we observe the accesses, including attacks and security investigation activities, using the customized infrastructure honeypot. The proposed honeypot comprises (1) a platform that easily deploys real devices as honeypots, (2) a mechanism to increase the number of fictional facilities by changing the displayed facility names on the WebUI for each honeypot instance, (3) an interaction mechanism with visitors to infer their purpose, and (4) tracking mechanisms to identify visitors for long-term activities. We implemented and deployed the honeypot for 31 months. Our honeypot observed critical operations, such as changing configurations of a remote management device. We also observed long-term access to WebUI and Telnet service of the honeypot.

Considering rapid increase of recent highly organized and sophisticated malwares, practical solutions for the countermeasures against malwares especially related to zero-day attacks should be effectively developed in an urgent manner. Several research activities have been already carried out focusing on statistic calculation of network events by means of global network sensors (so-called macroscopic approach) as well as on direct malware analysis such as code analysis (so-called microscopic approach). However, in the current research activities, it is not clear at all how to inter-correlate between network behaviors obtained from macroscopic approach and malware behaviors obtained from microscopic approach. In this paper, in one side, network behaviors observed from darknet are strictly analyzed to produce scan profiles, and in the other side, malware behaviors obtained from honeypots are correctly analyzed so as to produce a set of profiles containing malware characteristics. To this end, inter-relationship between above two types of profiles is practically discussed and studied so that frequently observed malwares behaviors can be finally identified in view of scan-malware chain.

The increase in phishing attacks through email and short message service (SMS) has shown no signs of deceleration. The first thing we need to do to combat the ever-increasing number of phishing attacks is to collect and characterize more phishing cases that reach end users. Without understanding these characteristics, anti-phishing countermeasures cannot evolve. In this study, we propose an approach using Twitter as a new observation point to immediately collect and characterize phishing cases via e-mail and SMS that evade countermeasures and reach users. Specifically, we propose CrowdCanary, a system capable of structurally and accurately extracting phishing information (e.g., URLs and domains) from tweets about phishing by users who have actually discovered or encountered it. In our three months of live operation, CrowdCanary identified 35,432 phishing URLs out of 38,935 phishing reports. We confirmed that 31,960 (90.2%) of these phishing URLs were later detected by the anti-virus engine, demonstrating that CrowdCanary is superior to existing systems in both accuracy and volume of threat extraction. We also analyzed users who shared phishing threats by utilizing the extracted phishing URLs and categorized them into two distinct groups - namely, experts and non-experts. As a result, we found that CrowdCanary could collect information that is specifically included in non-expert reports, such as information shared only by the company brand name in the tweet, information about phishing attacks that we find only in the image of the tweet, and information about the landing page before the redirect. Furthermore, we conducted a detailed analysis of the collected information on phishing sites and discovered that certain biases exist in the domain names and hosting servers of phishing sites, revealing new characteristics useful for unknown phishing site detection.

The c-Secure CRT code is a collusion-secure fingerprinting code whose code length is reduced by using the Chinese Remainder Theorem. The tracing algorithm for the c-secure CRT code drops its performance of traitor tracing when random errors are added to the codewords. In this paper, we show two approaches to enhance random-error-resilience to the tracing algorithm of the c-secure CRT code. The first approach is introducing thresholds for the distinction of the detected part of the embedded data called detected blocks. We propose a method to derive appropriate values of the thresholds on an assumption that the tracer can estimate the random error rate. This modification extends the capability of traitor tracing to the attacks in which the alteration rate of the detected blocks is not fixed to 0.5. The second approach is extending the scope of the search for the detected blocks. With numerical results by computer simulations, we confirmed an impressive improvement of random-error-resilience of a c-secure CRT code.

In this paper, general definitions of collusion secure codes are shown. Previously defined codes such as frameproof code, secure frameproof code, identifiable parent property code, totally c-secure code, traceability code, and (c,g/s)-secure code are redefined under various marking assumptions which are suitable for most of the fingerprinting systems. Then, new relationships among the combined notions of codes and the marking assumptions are revealed. Some (non)existence results are also shown.

Distributed Denial of Service attacks against the application layer (L7 DDoS) are among the most difficult attacks to defend against because they mimic normal user behavior. Some mitigation techniques against L7 DDoS, e.g., IP blacklisting and load balancing using a content delivery network, have been proposed; unfortunately, these are symptomatic treatments rather than fundamental solutions. In this paper, we propose a novel technique to disincentivize attackers from launching a DDoS attack by increasing attack costs. Assuming financially motivated attackers seeking to gain profit via DDoS attacks, their primary goal is to maximize revenue. On the basis of this assumption, we also propose a mitigation solution that requires mining cryptocurrencies to access servers. To perform a DDoS attack, attackers must mine cryptocurrency as a proof-of-work (PoW), and the victims then obtain a solution to the PoW. Thus, relative to attackers, the attack cost increases, and, in terms of victims, the economic damage is compensated by the value of the mined coins. On the basis of this model, we evaluate attacker strategies in a game theory manner and demonstrate that the proposed solution provides only negative economic benefits to attackers. Moreover, we implement a prototype to evaluate performance, and we show that this prototype demonstrates practical performance.

As the number of new malware has increased explosively, traditional malware detection approaches based on pattern matching have been less effective. Therefore, it is important to develop a detection method which relies on not signatures but characteristic behaviors of malware. Recently, malware authors have been embedding functions for countermeasure against malware analyses and detections into malware. Accordingly, modern malware often changes their runtime behaviors in each execution to tolerate against malware analyses and detections. For example, when malware copies itself on a file system, it can randomly determine its file name for avoiding the detections. Another example is that when malware tries to connect its command and control server, it randomly chooses a domain name from a hard-coded domain name list to avoid being blocked by a static blacklist of malicious domain names. We assume that such evasive behaviors are unnecessary for benign software. Therefore the behaviors can be the clues to distinguish malware from benign software. In this paper, we propose a novel behavior-based malware detection method which focuses attention on such characteristics. Our proposed method conducts dynamic analysis on an executable file multiple times in same sandbox environment so as to obtain plural lists of API call sequences and plural traffic logs, and then compares the lists and the logs to find the difference between the multiple executions. In the experiments with 5,697 malware samples and 819 benign software samples, we can detect about 70% malware samples and the false positive rate is about 1%. In addition, we can detect about 50% malware samples which were not detected by each Anti-Virus Software engine. Therefore we confirm the possibility the proposed method may be able to improve the accuracy of malware detection utilizing in combination with other existing methods.

Fingerprinting is a technique to add identifying marks to each copy of digital contents in order to enhance traceability to a distribution system. Collusion attacks, in which the attackers collect two or more fingerprinted copies and try to generate an untraceable copy, are considered to be a threat for the fingerprinting system. With the aim of enhancing collusion security to the fingerprinting system, several collusion secure codes, such as c-frameproof code, c-secure frameproof code and c-identifiable parent property code, have been proposed. Here, c indicates the maximum number of colluding users. However, a practical construction of the above codes is still an issue because of the tight restrictions originated from their combinatorial properties. In this paper, we introduce an evaluation of frameproof, secure frameproof, and identifiable parent property by the probability that a code has the required property. Then, we focus on random codes. For frameproof and secure frameproof properties, we estimate the average probability that random codes have the required property where the probability is taken over the random construction of codes and random construction of coalitions. For the estimation, we assume the uniform distribution of symbols of random codes and the symbols that the coalitions hold. Therefore, we clarify the adequacy of the assumptions by comparison with numerical results. The estimates and numerical results resemble, which implies the adequacy of the assumption at least in the range of the experiment.

Exploiting vulnerabilities of remote systems is one of the fundamental behaviors of malware that determines their potential hazards. Understanding what kind of propagation tactics each malware uses is essential in incident response because such information directly links with countermeasures such as writing a signature for IDS. Although recently malware sandbox analysis has been studied intensively, little work is done on securely observing the vulnerability exploitation by malware. In this paper, we propose a novel sandbox analysis method for securely observing malware's vulnerability exploitation in a totally isolated environment. In our sandbox, we prepare two victim hosts. We first execute the sample malware on one of these hosts and then let it attack the other host which is running multiple vulnerable services. As a simple realization of the proposed method, we have implemented a sandbox using Nepenthes, a low-interaction honeypot, as the second victim. Because Nepenthes can emulate a variety of vulnerable services, we can efficiently observe the propagation of sample malware. In the experiments, among 382 samples whose scan capabilities are confirmed, 381 samples successfully started exploiting vulnerabilities of the second victim. This indicates the certain level of feasibility of the proposed method.

Along with the proliferation of IoT (Internet of Things) devices, cyberattacks towards them are on the rise. In this paper, aiming at efficient precaution and mitigation of emerging IoT cyberthreats, we present a multimodal study on applying machine learning methods to characterize malicious programs which target multiple IoT platforms. Experiments show that opcode sequences obtained from static analysis and API sequences obtained by dynamic analysis provide sufficient discriminant information such that IoT malware can be classified with near optimal accuracy. Automated and accelerated identification and mitigation of new IoT cyberthreats can be enabled based on the findings reported in this study.

Network monitoring systems that detect and analyze malicious activities as well as respond against them, are becoming increasingly important. As malwares, such as worms, viruses, and bots, can inflict significant damages on both infrastructure and end user, technologies for identifying such propagating malwares are in great demand. In the large-scale darknet monitoring operation, we can see that malwares have various kinds of scan patterns that involves choosing destination IP addresses. Since many of those oscillations seemed to have a natural periodicity, as if they were signal waveforms, we considered to apply a spectrum analysis methodology so as to extract a feature of malware. With a focus on such scan patterns, this paper proposes a novel concept of malware feature extraction and a distinct analysis method named "SPectrum Analysis for Distinction and Extraction of malware features (SPADE)". Through several evaluations using real scan traffic, we show that SPADE has the significant advantage of recognizing the similarities and dissimilarities between the same and different types of malwares.

While the online advertisement is widely used on the web and on mobile applications, the monetary damages by advertising frauds (ad frauds) have become a severe problem. Countermeasures against ad frauds are evaded since they rely on noticeable features (e.g., burstiness of ad requests) that attackers can easily change. We propose an ad-fraud-detection method that leverages robust features against attacker evasion. We designed novel features on the basis of the statistics observed in an ad network calculated from a large amount of ad requests from legitimate users, such as the popularity of publisher websites and the tendencies of client environments. We assume that attackers cannot know of or manipulate these statistics and that features extracted from fraudulent ad requests tend to be outliers. These features are used to construct a machine-learning model for detecting fraudulent ad requests. We evaluated our proposed method by using ad-request logs observed within an actual ad network. The results revealed that our designed features improved the recall rate by 10% and had about 100,000-160,000 fewer false negatives per day than conventional features based on the burstiness of ad requests. In addition, by evaluating detection performance with long-term dataset, we confirmed that the proposed method is robust against performance degradation over time. Finally, we applied our proposed method to a large dataset constructed on an ad network and found several characteristics of the latest ad frauds in the wild, for example, a large amount of fraudulent ad requests is sent from cloud servers.

A drastic increase in cyberattacks targeting Internet of Things (IoT) devices using telnet protocols has been observed. IoT malware continues to evolve, and the diversity of OS and environments increases the difficulty of executing malware samples in an observation setting. To address this problem, we sought to develop an alternative means of investigation by using the telnet logs of IoT honeypots and analyzing malware without executing it. In this paper, we present a malware classification method based on malware binaries, command sequences, and meta-features. We employ both unsupervised or supervised learning algorithms and text-mining algorithms for handling unstructured data. Clustering analysis is applied for finding malware family members and revealing their inherent features for better explanation. First, the malware binaries are grouped using similarity analysis. Then, we extract key patterns of interaction behavior using an N-gram model. We also train a multiclass classifier to identify IoT malware categories based on common infection behavior. For misclassified subclasses, second-stage sub-training is performed using a file meta-feature. Our results demonstrate 96.70% accuracy, with high precision and recall. The clustering results reveal variant attack vectors and one denial of service (DoS) attack that used pure Linux commands.