DOI: 10.1145/3546096.3546108

JUGAAD: Comprehensive Malware Behavior-as-a-Service

Published: 08 August 2022

Abstract

An in-depth analysis of the impact of malware across multiple layers of cyber-connected systems is crucial for confronting evolving cyber-attacks. Gleaning such insights requires executing malware samples in analysis frameworks and observing their run-time characteristics. However, the evasive nature of malware, its dependence on real-world conditions, Internet connectivity and short-lived remote servers before it reveals its behavior, and the catastrophic consequences of letting it run pose significant challenges to collecting its real-world run-time behavior in analysis environments.
In this context, we propose JUGAAD, a malware behavior-as-a-service to meet the demands for the safe execution of malware. Such a service enables the users to submit malware hashes or programs and retrieve their precise and comprehensive real-world run-time characteristics. Unlike prior services that analyze malware and present verdicts on maliciousness and analysis reports, JUGAAD provides raw run-time characteristics to foster unbounded research while alleviating the unpredictable risks involved in executing them. JUGAAD facilitates such a service with a back-end that executes a regular supply of malware samples on a real-world testbed to feed a growing data-corpus that is used to serve the users. With heterogeneous compute and Internet connectivity, the testbed ensures real-world conditions for malware to operate while containing its ramifications. The simultaneous capture of multiple execution artifacts across the system stack, including network, operating system, and hardware, presents a comprehensive view of malware activity to foster multi-dimensional research. Finally, the automated mechanisms in JUGAAD ensure that the data-corpus is continually growing and is up to date with the changing malware landscape.
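The submit-and-retrieve workflow the abstract describes, as an added illustration rather than the authors' implementation: a corpus keyed by SHA-256 that accepts either a program's bytes or an MD5/SHA-1/SHA-256 digest, returns the raw per-layer artifacts when the sample has already been run on the testbed, and otherwise queues it for execution. The record layout, the three-layer completeness check, the hash normalisation rules, the queue behaviour and the constructed sample and capture data are assumptions of this example, not details taken from the paper.

```python
"""Minimal front end for a malware behavior-as-a-service corpus.

Illustrative code, not the JUGAAD authors' implementation: the record layout,
the hash normalisation rules and the queue are assumptions chosen to show the
workflow in the abstract: submit a hash or a program, get raw run-time
artifacts captured at the network, OS and hardware layers, or a queue ticket
if the sample has not yet been run on the testbed.
"""
import hashlib
from collections import OrderedDict

# Layers captured simultaneously on the testbed; every stored record must carry all three.
LAYERS = ("network", "os", "hardware")

# Accepted digest lengths, in hex characters.
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize_hash(text):
    """Return (kind, lowercase hex) for an MD5/SHA-1/SHA-256 string, else raise ValueError."""
    h = text.strip().lower()
    kind = HASH_KINDS.get(len(h))
    if kind is None or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("not an MD5/SHA-1/SHA-256 hex digest: %r" % text)
    return kind, h


def digests(sample):
    """All three digests of a program's bytes, so a lookup by any of them resolves."""
    return {name: hashlib.new(name, sample).hexdigest() for name in ("md5", "sha1", "sha256")}


class BehaviorCorpus:
    """Corpus keyed by SHA-256; MD5/SHA-1 are aliases. Stores raw artifacts, never verdicts."""

    def __init__(self):
        self.records = {}           # sha256 -> {"digests": {...}, "artifacts": {layer: data}}
        self.aliases = {}           # md5/sha1 hex -> sha256
        self.queue = OrderedDict()  # key -> program bytes, or None for a hash-only request

    def _resolve(self, kind, h):
        return h if kind == "sha256" else self.aliases.get(h)

    def submit(self, request):
        """User request: the bytes of a program, or a hex digest string."""
        if isinstance(request, (bytes, bytearray)):
            sample = bytes(request)
            key = digests(sample)["sha256"]
        else:
            kind, h = normalize_hash(request)
            key, sample = self._resolve(kind, h) or h, None
        if key in self.records:
            return {"status": "ready", "sha256": key, "artifacts": self.records[key]["artifacts"]}
        # Unknown sample: enqueue it for a testbed run. A hash-only request stays queued
        # until bytes arrive (from a later submission or the back-end's regular supply).
        if key not in self.queue or (sample is not None and self.queue[key] is None):
            self.queue[key] = sample
        return {"status": "queued", "key": key, "position": list(self.queue).index(key) + 1}

    def ingest(self, sample, artifacts):
        """Back-end path: after a testbed run, store the raw per-layer artifacts."""
        missing = [layer for layer in LAYERS if layer not in artifacts]
        if missing:
            raise ValueError("incomplete capture, missing layers: %s" % missing)
        if "verdict" in artifacts:
            raise ValueError("the corpus stores raw behavior, not verdicts")
        d = digests(sample)
        self.records[d["sha256"]] = {"digests": d, "artifacts": dict(artifacts)}
        for name in ("md5", "sha1"):
            self.aliases[d[name]] = d["sha256"]
        for h in d.values():            # resolve any pending request, by any digest
            self.queue.pop(h, None)
        return d["sha256"]


# Constructed sample bytes and artifacts standing in for a real testbed capture.
SAMPLE = b"MZ\x90\x00constructed-sample-not-real-malware"
CAPTURE = {
    "network": [{"t": 0.12, "dns": "update.example.invalid"}, {"t": 0.40, "tcp": "203.0.113.7:443"}],
    "os": [{"t": 0.01, "syscall": "CreateFileW", "arg": r"C:\Users\Public\run.dat"}],
    "hardware": {"window_ms": 100, "instructions": 812344, "branch_misses": 9120, "llc_misses": 3301},
}


def demo():
    """Hash-only request before the run, then lookup by MD5 after the back-end ingests it."""
    corpus = BehaviorCorpus()
    first = corpus.submit(digests(SAMPLE)["sha256"])   # not yet run: queued
    corpus.ingest(SAMPLE, CAPTURE)                      # testbed run lands in the corpus
    second = corpus.submit(digests(SAMPLE)["md5"])      # same sample, resolved via alias
    return first["status"], second["status"], sorted(second["artifacts"])
```

The point of keying everything by SHA-256 while indexing MD5 and SHA-1 as aliases is that users typically arrive with whichever digest a feed gave them; the point of the three-layer check in `ingest` is that a record missing one layer would silently break the cross-layer research the service exists to support.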


    Published In

    CSET '22: Proceedings of the 15th Workshop on Cyber Security Experimentation and Test
    August 2022, 150 pages
    ISBN: 9781450396844
    DOI: 10.1145/3546096

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Dynamic Analysis
    2. Malware
    3. Real-world
    4. Run-time Behavior
    5. Testbeds


    Funding Sources

    • ISEA project of MeIty

    Conference

    CSET 2022
