ISKRA: Bare-metal windows malware dynamic analysis framework

Polat, Yusuf Arslan (2020) ISKRA: Bare-metal windows malware dynamic analysis framework. [Thesis]


Abstract

With the proliferation of the “cyber-crime as a service” economy, maintaining persistence on victims, in addition to gaining new ones, has become one of the key sources of profit for attackers. Thus, hiding malicious presence while operating is now more important for malware than being fully undetectable when it is first distributed. Due to the increasing number of malware attacks and the prohibitively long hours required for manual inspection, analysts often use dynamic analysis platforms to investigate malware samples. However, these platforms have been repeatedly shown to fail against evasion methods that are constantly updated by attackers (Jadhav, Vidyarthi & Hemavathy M., 2016). Even if malware is correctly classified by the existing dynamic analysis platforms, which are widely deployed in the cyber security industry, it has frequently been observed that the malware detects the analysis environment and behaves differently to evade inspection; consequently, the malicious code intended by the attacker does not execute. In this case, the inspection that makes the malicious code run so that it can be examined has to be done manually by the analyst. In this study, we present ISKRA, a bare-metal hypervisor-based framework for dynamic analysis, which allows system calls to be collected and analyzed without being detected by malware. ISKRA is a portable and easily modifiable framework that not only allows any system, whether a virtual machine or bare metal, to be easily transformed into an analysis environment, but also allows forensics to be run on live systems without being detected. This way, incident response specialists can quickly transform the system under inspection into an analysis environment and can collect evidence, examine and remedy the system without being detected by the attacker. We designed, implemented and experimented with the framework, which employs machine learning algorithms to learn from new attack campaigns. Our work shows that the framework incurs negligibly low overhead and provides a high detection rate for the most current malware campaigns that evade dynamic inspection by other frameworks.
Item Type: Thesis
Uncontrolled Keywords: malware. -- hypervisor. -- sandbox. -- dynamic analysis. -- evasion. -- antivirus evasion.
Subjects: Q Science > QA Mathematics > QA076 Computer software
Divisions: Faculty of Engineering and Natural Sciences
Depositing User: IC-Cataloging
Date Deposited: 03 Nov 2020 16:45
Last Modified: 26 Apr 2022 10:35
URI: https://research.sabanciuniv.edu/id/eprint/41217
