3 articles found
Research on the Detection of JavaScript Code Obfuscation and the Application of Deobfuscation (Cited by: 2)
1
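Author: 崔莹. 《集宁师范学院学报》, 2020, Issue 3, pp. 7-11 (5 pages)
With the rapid development of JavaScript code obfuscation techniques, the ability of malicious scripts embedded in web applications to evade detection has become increasingly prominent, and the associated risk keeps growing. This paper analyzes the JavaScript code obfuscation methods in common use today, attempts a simple classification of them by the techniques they employ, and proposes some improvements to obfuscation detection methods. It also implements a simple compiler-based JavaScript deobfuscation algorithm; judging from the test results, it should be able to provide some help in optimizing the detection of obfuscated JavaScript scripts.
Keywords: JavaScript deobfuscation, deobfuscate, esprima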
Deobfuscating Mobile Malware for Identifying Concealed Behaviors
2
Authors: Dongho Lee, Geochang Jeon, +1 more author, Sunjun Lee, Haehyun Cho. Computers, Materials & Continua (SCIE, EI), 2022, Issue 9, pp. 5909-5923 (15 pages)
The smart phone market is continuously increasing and there are more than 6 billion of smart phone users worldwide with the aid of the 5G technology. Among them Android occupies 87% of the market share. Naturally, the widespread Android smartphones has drawn the attention of the attackers who implement and spread malware. Consequently, currently the number of malware targeting Android mobile phones is ever increasing. Therefore, it is a critical task to find and detect malicious behaviors of malware in a timely manner. However, unfortunately, attackers use a variety of obfuscation techniques for malware to evade or delay detection. When an obfuscation technique such as the class encryption is applied to a malicious application, we cannot obtain any information through a static analysis regarding its malicious behaviors. Hence, we need to rely on the manual, dynamic analysis to find concealed malicious behaviors from obfuscated malware. To avoid malware spreading out in larger scale, we need an automated deobfuscation approach that accurately deobfuscates obfuscated malware so that we can reveal hidden malicious behaviors. In this study, we introduce widely-used obfuscation techniques and propose an effective deobfuscation method, named ARBDroid, for automatically deobfuscating the string encryption, class encryption, and API hiding techniques. Our evaluation results clearly demonstrate that our approach can deobfuscate obfuscated applications based on dynamic analysis results.
Keywords: Android, obfuscation, deobfuscation, Android reversing
Generic, efficient, and effective deobfuscation and semantic-aware attack detection for PowerShell scripts (Cited by: 1)
3
Authors: Chunlin XIONG, Zhenyuan LI, +4 more authors, Yan CHEN, Tiantian ZHU, Jian WANG, Hai YANG, Wei RUAN. Frontiers of Information Technology & Electronic Engineering (SCIE, EI, CSCD), 2022, Issue 3, pp. 361-381 (21 pages)
In recent years, PowerShell has increasingly been reported as appearing in a variety of cyber attacks. However, because the PowerShell language is dynamic by design and can construct script fragments at different levels, state-of-the-art static analysis based PowerShell attack detection approaches are inherently vulnerable to obfuscations. In this paper, we design the first generic, effective, and lightweight deobfuscation approach for PowerShell scripts. To precisely identify the obfuscated script fragments, we define obfuscation based on the differences in the impacts on the abstract syntax trees of PowerShell scripts and propose a novel emulation-based recovery technology. Furthermore, we design the first semantic-aware PowerShell attack detection system that leverages the classic objective-oriented association mining algorithm and newly identifies 31 semantic signatures. The experimental results on 2342 benign samples and 4141 malicious samples show that our deobfuscation method takes less than 0.5 s on average and increases the similarity between the obfuscated and original scripts from 0.5% to 93.2%. By deploying our deobfuscation method, the attack detection rates for Windows Defender and VirusTotal increase substantially from 0.33% and 2.65% to 78.9% and 94.0%, respectively. Moreover, our detection system outperforms both existing tools with a 96.7% true positive rate and a 0% false positive rate on average.
Keywords: PowerShell, abstract syntax tree, obfuscation and deobfuscation, malicious script detection