On the (in)security of behavioral-based dynamic anti-malware techniques

dc.contributor.author: Ersan, Erkan
dc.contributor.supervisor: Malka, Lior
dc.contributor.supervisor: Kapron, Bruce M. (Bruce Michael)
dc.date.accessioned: 2017-04-21T14:42:40Z
dc.date.copyright: 2017
dc.date.issued: 2017-04-21
dc.degree.department: Department of Computer Science
dc.degree.level: Master of Science M.Sc.
dc.description.abstract: The Internet has become the primary vector for the delivery of malicious code in cyber attacks, and malware has rapidly become a pervasive critical threat. Anti-malware products offer effective protection from malware threats for servers and endpoint devices using a variety of techniques. Advanced enterprise-level anti-malware products rely on state-of-the-art behavioral-based detection algorithms, in addition to traditional signature-based mechanisms. These dynamic detection techniques have been around for more than a decade, and in response hackers have developed methods to evade them. However, currently known bypass methods require intensive manual labor. Moreover, this manual work has to be repeated whenever a parameter of the environment (such as the payload, operating system, antivirus version, etc.) changes, making these methods impractical. This may lead to the belief that dynamic techniques provide a good deterrence, and hence good protection. In this thesis we evaluate dynamic techniques. Specifically, we build tools to implement generic unhooking and funneling, and using these tools we show how dynamic techniques can be bypassed with considerably less effort than by fully manual methods. We also extend the repertoire of existing bypass methods and introduce a new malicious function call technique which exploits detection techniques that monitor a limited collection of critical system functions, as well as a method for bypassing guard-page protections. We demonstrate the effectiveness of all our techniques by conducting attacks against two enterprise antivirus products. Our results lead us to conclude that dynamic techniques do not provide sufficient protection.
dc.description.embargo: 2018-02-07
dc.description.proquestcode: 0984
dc.description.proquestemail: erkanersan@gmail.com
dc.description.scholarlevel: Graduate
dc.identifier.uri: http://hdl.handle.net/1828/7935
dc.language: English
dc.language.iso: en
dc.rights: Available to the World Wide Web
dc.subject: Malware
dc.subject: Malware Detection
dc.subject: Behavioral-based Dynamic Anti-Malware Techniques
dc.subject: Computer Security
dc.subject: Anti-malware
dc.subject: Antivirus
dc.subject: Cyber Attacks
dc.subject: Behavioral-based Detection
dc.subject: EMET
dc.subject: Hooking
dc.subject: Unhooking
dc.subject: Guard Pages
dc.subject: Bypassing Techniques
dc.subject: Evasion Techniques
dc.subject: Evasion
dc.subject: Funneling
dc.subject: Control Flow Integrity
dc.subject: CFI
dc.subject: Web-based Malware
dc.subject: ROP
dc.subject: Return-Oriented Programming
dc.subject: Shellcode
dc.subject: Payload
dc.subject: Windows
dc.subject: Anti-malware Evaluation
dc.subject: Antivirus Evaluation
dc.subject: Anti-malware Effectiveness
dc.subject: Antivirus Effectiveness
dc.title: On the (in)security of behavioral-based dynamic anti-malware techniques
dc.type: Thesis

Files

Original bundle
Name: Ersan_Erkan_MSc_2017.pdf
Size: 3.65 MB
Format: Adobe Portable Document Format

License bundle
Name: license.txt
Size: 1.74 KB
Format: Item-specific license agreed upon to submission