Malware Analysis Techniques Quiz
44 Questions


Questions and Answers

What is one major advantage of dynamic analysis in malware analysis?

  • It can analyze malware without any user interaction.
  • It requires minimal system resources.
  • It allows for quick identification of malicious codes.
  • It provides an accurate understanding of the malware's behavior. (correct)

Which of the following features is NOT typically associated with malware analysis?

  • File Metadata
  • API Import and Export Functions
  • Memory Addressing Patterns (correct)
  • Opcode Sequences

What is a critical downside of dynamic malware analysis?

  • It can only analyze known types of malware.
  • It does not provide enough data about malware behavior.
  • It is resource-intensive. (correct)
  • It is usually less accurate than static analysis.

Which sandbox solution is noted for its ability to run in a VirtualBox environment?

  • Cuckoo Sandbox (correct)

Which resource is primarily associated with automated static and dynamic malware analysis for mobile apps?

  • Mobile Security Framework (MobSF) (correct)

What is the primary characteristic of a virus compared to other types of malware?

  • It spreads when infected files are executed. (correct)

Which type of malware is designed to collect information without user consent?

  • Spyware (correct)

What is a significant limitation of static analysis in malware analysis?

  • It may overlook advanced or polymorphic threats. (correct)

Why are worms considered particularly dangerous compared to other malware types?

  • They spread without requiring user action. (correct)

What distinct feature does ransomware have compared to other malware categories?

  • It encrypts files and demands payment for decryption. (correct)

What type of malware utilizes existing computers to perform malicious tasks like DDoS attacks?

  • Botnets (correct)

Which malware type employs malicious code that activates under specific conditions?

  • Logic/Time Bombs (correct)

Which of the following tools is typically used in static analysis of malware?

  • Disassemblers (correct)

What is a primary criticism of the NSL-KDD dataset?

  • It provides a limited representation of real-world traffic. (correct)

Which of the following datasets is cited as an alternative to the NSL-KDD dataset?

  • CSE-CIC-IDS2018 (correct)

Which category does not represent the types of attacks in the NSL-KDD dataset?

  • w2g (correct)

How many general categories of attacks are represented in the NSL-KDD dataset?

  • 4 (correct)

What is a key characteristic of the data collection for the NSL-KDD dataset?

  • Its parent KDD Cup 1999 data contains approximately 4.9 million connection records, which NSL-KDD de-duplicates and reduces. (correct)

What is the primary goal of anomaly-based detection?

  • To detect activities that are statistically unusual or abnormal (correct)

Which of the following methods can be used as part of statistical approaches for anomaly detection?

  • Moving Average Deviation (correct)

What is the difference between outlier detection and novelty detection?

  • Outlier detection looks for deviants in the current data, while novelty detection seeks instances unseen during training (correct)

What does continuous learning in anomaly detection help manage?

  • Baseline evolution and behavior change (correct)

Which type of anomaly is characterized as an individual data instance significantly different from the rest of the dataset?

  • Point Anomalies (correct)

Which aspect is essential for behavioral profiling in anomaly detection?

  • Continuous observation of user/system behavior (correct)

Adaptive models in anomaly detection are necessary to address which of the following?

  • Changing data trends and seasonality (correct)

Which machine learning approach is commonly used for novelty detection?

  • Isolation forests (correct)

What is a characteristic of collective anomalies in data sets?

  • They need to be considered together to exhibit anomalous behavior. (correct)

Which of the following is considered a typical signal for host-based anomaly detection?

  • Permission changes (correct)

What distinguishes traffic metadata from deep packet inspection in network intrusion detection?

  • Traffic metadata focuses on packet headers rather than payload content. (correct)

Which metric is NOT typically considered in feature engineering for host intrusion detection?

  • Web traffic trends (correct)

What is a common use of protocol analyzers in network intrusion detection?

  • To analyze and visualize traffic data for anomalies. (correct)

Which of the following describes the correlation of signals in anomaly detection?

  • Integrating signals from various sources to enhance detection accuracy. (correct)

Which application-level log feature is commonly analyzed for anomaly detection?

  • Malformed URLs. (correct)

What does the term 'system scheduler changes' refer to in the context of anomaly detection metrics?

  • Alterations to how the system schedules process execution (in practice, the host signal to watch is changes to scheduled jobs such as cron entries or Windows scheduled tasks, a common persistence mechanism). (correct)

Which type of malware feature utilizes the analysis of how and when malware accesses specific memory regions to identify behavior?

  • Memory Access Patterns (correct)

What is the main purpose of a Control Flow Graph (CFG) in malware analysis?

  • To determine the flow of control between sections of code (correct)

Which feature is typically analyzed to detect deviations from normal behavior in an intrusion detection system?

  • Behavior-based detection (correct)

In the context of the Microsoft Malware Classification Challenge, what is meant by opcode n-grams?

  • Patterns derived from disassembled machine code (correct)

What distinguishes a Network-based IDS from a Host-based IDS?

  • Network-based IDS monitors network traffic. (correct)

Which of the following features would likely be analyzed to measure malware's communication with remote servers?

  • Network Traffic Patterns (correct)

What role does Random Forest play in malware feature selection, as mentioned in the context of the classification challenge?

  • It ranks the importance of features. (correct)

Which type of IDS is designed to take proactive measures against threats?

  • Intrusion Prevention System (IPS) (correct)

What is indicated by a malware sample having 'distinctive visual patterns' when transformed into a grayscale image?

  • It belongs to a recognizable malware family. (correct)

Which mechanism would typically be used to ensure a malware's persistence on a Windows system?

  • Scheduled Tasks (correct)

    Study Notes

    CYB. Defensive AI (part 3)

    • Course: Master in Artificial Intelligence
    • Year: 2024/25
    • Institution: ESEL – University of Vigo

    AI/ML in Malware Analysis

    • Malware is malicious software designed to harm, exploit, or compromise computer systems and data.

    Malware: Definition and Types

    • Malware can be a mixture of different types.
    • Self-replicating:
      • Viruses replicate when infected files execute. Stuxnet is the example given here, although it also spread on its own via USB drives and network shares and is usually classed as a worm.
      • Worms spread across networks without user interaction (SQL Slammer is an example).
    • Auto-hiding malware:
      • Trojans pose as legitimate software but carry malicious code (such as a backdoor or data theft). Examples include Qbot/Qakbot and TrickBot.
      • Rootkits hide malicious software from the operating system and security tools, making detection and removal difficult. Examples include Linfo, Pandora, and HIDEDRV.
    • Designed to harm:
      • Ransomware encrypts a victim's files and demands a ransom for decryption (e.g., CryptoLocker, Phobos/Dharma).
      • Botnets are networks of compromised computers used for malicious activities such as DDoS attacks and spam (e.g., Mirai, Andromeda).
      • Logic/time bombs are malicious code that activates under specific conditions (a date, a missing account, a counter) and then causes damage.
      • Keyloggers record keystrokes to capture sensitive information such as credentials.
      • Cryptojacking covertly uses the victim's CPU/GPU to mine cryptocurrency (e.g., Kinsing, LoudMiner).
      • Spyware collects information without consent (e.g., CoolWebSearch, Gator).
      • Adware shows unwanted advertisements and collects user data (e.g., Fireball, Appearch).

    Malware Analysis

    • Understanding the behavior and purpose of suspicious files is key.
    • Static analysis:
      • Examines malware code and characteristics without executing it.
      • This involves studying file structure, strings, metadata, and embedded resources.
      • Identifies known patterns, signatures, and indicators (file names, hashes, strings, IP addresses, domains, file headers).
      • Tools used for static analysis include disassemblers and static rule engines (for example YARA rules).
      • Static analysis effectively detects known malware via signature-based approaches or heuristics, and it is safe and cheap because nothing is executed.
      • However, static analysis may miss sophisticated, packed, obfuscated, or polymorphic threats, whose real code only appears at run time.
    • Dynamic analysis:
      • Executes the malware in a controlled environment (sandbox) and observes its actual behavior.
      • Isolation (virtual machine snapshots, restricted or simulated networking) is crucial so the sample cannot harm the host or reach real targets.
      • Dynamic analysis monitors file system access and changes, network communication (e.g., TCP connections, DNS lookups), registry changes, and system calls.
      • Dynamic analysis is helpful for identifying unknown or evolving malware, because behavior is observed regardless of how the code is obfuscated.
      • Drawbacks: it is resource-intensive, it only covers the code paths that actually executed during the run, and evasive samples may detect the sandbox and stay dormant.
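As an added example (not part of the course notes), the following Python performs the static triage described above on a constructed byte blob that stands in for a suspicious Windows executable: it hashes the file, measures byte entropy (a packing indicator), extracts ASCII and UTF-16LE strings, and pulls indicators out of them (IPv4 addresses, URLs, injection-related imports, persistence-related registry paths). The sample bytes, the import watch-list and the persistence markers are constructed for this example and do not come from any real malware.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a suspicious Windows executable: DOS/PE magic, a few ASCII
# import names, a UTF-16LE URL and registry path, and filler bytes. It is not a real
# sample and not a valid PE; it only exercises the triage logic below.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 20
    + b"kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"\xfe\x13" * 10
    + "http://updates.example-c2.test/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"\x07\x09" + b"203.0.113.45\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 30
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")           # printable ASCII runs (like `strings`)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # printable UTF-16LE runs (Windows wide strings)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&-]*)?")

# An analyst's own watch-list of imports that together suggest process injection (assumption, not exhaustive).
SUSPICIOUS_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "NtUnmapViewOfSection", "SetWindowsHookExA", "SetWindowsHookExW"}
# Substrings of registry/file paths used for persistence (assumption, not exhaustive).
PERSISTENCE_MARKERS = ("CurrentVersion\\Run", "Schedule\\TaskCache", "\\Startup")


def hashes(data: bytes) -> dict:
    """File hashes, the most basic static indicator for lookups in VirusTotal-style services."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted payloads sit near 8.0."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(data: bytes) -> list:
    """ASCII strings followed by decoded UTF-16LE strings, at least six characters long."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strings = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return ascii_strings + wide_strings


def triage(data: bytes) -> dict:
    """Static triage report: identity, packing hint, and indicators found in strings."""
    strings = extract_strings(data)
    text = "\n".join(strings)
    return {
        "sha256": hashes(data)["sha256"],
        "is_pe_like": data[:2] == b"MZ" and b"PE\x00\x00" in data,
        "entropy": round(entropy(data), 2),
        "ipv4": sorted(set(IPV4_RE.findall(text))),
        "urls": sorted(set(URL_RE.findall(text))),
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
        "persistence_markers": [m for m in PERSISTENCE_MARKERS if any(m in s for s in strings)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The UTF-16LE pass matters on Windows samples: URLs and registry paths are frequently wide strings, and an ASCII-only `strings` run misses them entirely. Entropy is only a hint; a packed sample hides its real imports and strings until it runs, which is exactly the case where dynamic analysis is needed.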

    Malware Analysis (III)

    • Sample repositories and datasets:
      • MalwareBazaar, VirusShare.com
      • Microsoft Malware Classification Challenge (BIG 2015) (Kaggle)
    • Sandboxes and online analysis services:
      • Cuckoo Sandbox (open source; runs samples in VirtualBox or other hypervisors)
      • Mobile Security Framework (MobSF) (automated static and dynamic analysis of mobile apps)
      • Joe Sandbox (and its analysis reports)
      • Hybrid Analysis, VirusTotal (VT API v3)

    Typical features in Malware analysis

    • Static features:
      • Opcode Sequences (the machine-code operation codes recovered by disassembly, often used as n-grams).
      • API Import and Export Functions (imported API calls hint at capabilities such as process injection or networking).
      • File Metadata (size, timestamps, code-signing certificates).
      • String Analysis (URLs, IP addresses, paths, registry keys, error messages).
      • Control Flow Graph (CFG) (the flow of control between blocks of code).
      • File Headers and Sections (e.g., Portable Executable (PE) headers and sections in Windows, including section entropy).
      • Image Representation (the raw bytes rendered as a grayscale image; samples of one family show similar visual patterns).
      • Permissions and Manifest Information (mobile malware).
    • Dynamic features:
      • API Call Sequences and Frequencies (which calls a sample makes, in what order, and how often).
      • Memory Access Patterns (how and when the sample reads or writes specific memory regions).
      • Network Traffic Patterns (e.g., communication with malicious sites, beaconing intervals).
      • System Call Behavior (specific system calls are more frequent in malware than in benign programs).
      • Persistence Mechanisms (startup entries, scheduled tasks, services).
      • Registry Operations (e.g., writes to Run keys).
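The dynamic features listed above are extracted from a sandbox's API-call log. As an added example (not from the course notes or from any sandbox project), the Python below runs that extraction over a constructed, simplified trace whose shape is illustrative and is not the report schema of Cuckoo or any real sandbox: it builds API frequency and n-gram features, detects persistence (Run key, `schtasks /create`, service creation), collects network indicators, and spots the read, encrypt, write-new-name, delete-original cycle that ransomware leaves behind. The file paths, hostnames and IP are constructed.

```python
from collections import Counter

# Constructed, simplified sandbox trace: an ordered list of (api, arguments) pairs as an
# API monitor would record them. Illustrative only; not a real sandbox report format.
def _encrypt_cycle(path):
    return [
        ("NtCreateFile", {"path": path, "access": "GENERIC_READ"}),
        ("NtReadFile", {"path": path}),
        ("CryptEncrypt", {"algorithm": "AES-256"}),
        ("NtWriteFile", {"path": path + ".locked"}),
        ("DeleteFileW", {"path": path}),
    ]

DOCS = [r"C:\Users\victim\Documents\report.docx",
        r"C:\Users\victim\Documents\budget.xlsx",
        r"C:\Users\victim\Pictures\family.jpg"]

TRACE = (
    [("CreateMutexW", {"name": "Global\\3f9a"})]
    + [call for doc in DOCS for call in _encrypt_cycle(doc)]
    + [
        ("RegSetValueExW", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                            "value": "updater",
                            "data": r"C:\Users\victim\AppData\Roaming\updater.exe"}),
        ("CreateProcessW", {"cmdline": r"schtasks /create /sc onlogon /tn Updater "
                                       r"/tr C:\Users\victim\AppData\Roaming\updater.exe"}),
        ("getaddrinfo", {"host": "updates.example-c2.test"}),
        ("connect", {"ip": "203.0.113.45", "port": 443}),
        ("NtWriteFile", {"path": r"C:\Users\victim\Desktop\README_DECRYPT.txt"}),
    ]
)


def api_frequencies(trace) -> Counter:
    """Bag-of-calls feature: how often each API was invoked."""
    return Counter(api for api, _ in trace)


def api_ngrams(trace, n=2) -> Counter:
    """Ordered call patterns; (NtReadFile, CryptEncrypt, NtWriteFile) is a ransomware tell."""
    apis = [api for api, _ in trace]
    return Counter(tuple(apis[i:i + n]) for i in range(len(apis) - n + 1))


def persistence_indicators(trace) -> list:
    """Persistence tells: Run-key writes, schtasks /create, service installation."""
    found = []
    for api, args in trace:
        cmd = args.get("cmdline", "").lower()
        if api.startswith("RegSetValueEx") and "currentversion\\run" in args.get("key", "").lower():
            found.append("registry Run key")
        elif api.startswith("CreateProcess") and "schtasks" in cmd and "/create" in cmd:
            found.append("scheduled task")
        elif api.startswith("CreateService"):
            found.append("service")
    return found


def network_indicators(trace) -> dict:
    resolved = [args["host"] for api, args in trace if api == "getaddrinfo"]
    contacted = [f'{args["ip"]}:{args["port"]}' for api, args in trace if api == "connect"]
    return {"resolved": resolved, "contacted": contacted}


def encrypt_and_replace_count(trace) -> int:
    """Files that were read, rewritten under a longer name, and then deleted."""
    read, written, deleted = set(), set(), set()
    for api, args in trace:
        path = args.get("path")
        if api == "NtReadFile":
            read.add(path)
        elif api == "NtWriteFile":
            written.add(path)
        elif api == "DeleteFileW":
            deleted.add(path)
    return sum(1 for p in deleted if p in read and any(w != p and w.startswith(p) for w in written))


def analyze(trace) -> dict:
    """Combine the behavioral features into a simple weighted score (weights are an assumption)."""
    replaced = encrypt_and_replace_count(trace)
    persistence = persistence_indicators(trace)
    net = network_indicators(trace)
    score = 3 * min(replaced, 5) + 2 * len(persistence) + (1 if net["contacted"] else 0)
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return {"files_encrypted_and_replaced": replaced, "persistence": persistence,
            "top_bigrams": api_ngrams(trace).most_common(3), "score": score,
            "verdict": verdict, **net}


if __name__ == "__main__":
    for key, value in analyze(TRACE).items():
        print(f"{key}: {value}")
```

The n-gram and frequency counters are what a classifier would consume; the hand-written rules show what those features encode. A real trace is noisier (thousands of benign calls from the loader and runtime), so a practitioner normalizes counts and filters known-benign prefixes before training.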

    Microsoft Malware Classification Challenge (BIG 2015)

    • Kaggle dataset of Windows malware samples labelled by family (nine families); each sample is provided as a hex dump of its bytes and as an IDA disassembly listing (.asm), with the executable header removed so the files cannot run.
    • Typical features: opcode n-grams (patterns derived from the disassembled code), byte n-grams, section sizes, and the grayscale image representation.
    • Feature selection: tree ensembles such as Random Forest rank feature importance, so thousands of candidate n-grams can be pruned to the informative ones.
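As an added example (not from the course notes or the challenge), the Python below shows the opcode n-gram feature end to end: it parses disassembly text written in the layout of the BIG 2015 `.asm` listings (section:address, raw bytes, mnemonic, operands), extracts the mnemonic sequence while skipping labels and data directives, counts n-grams, folds them into a fixed-width vector with the hashing trick (1024 buckets and MD5 bucket selection are choices made here), and compares samples by cosine similarity. The three listings are constructed for the example; sample B is A with junk `nop`s inserted, the kind of polymorphic variant that still shares most n-grams, and sample C is unrelated code.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed listings in the layout of BIG 2015 .asm files; not taken from the challenge data.
SAMPLE_A = """\
.text:00401000 55                                push    ebp
.text:00401001 8B EC                             mov     ebp, esp
.text:00401003 8B 4D 08                          mov     ecx, [ebp+arg_0]
.text:00401006 33 C0                             xor     eax, eax
.text:00401008
.text:00401008                                   loc_401008:
.text:00401008 80 34 01 5A                       xor     byte ptr [ecx+eax], 5Ah
.text:0040100C 40                                inc     eax
.text:0040100D 83 F8 10                          cmp     eax, 10h
.text:00401010 72 F6                             jb      short loc_401008
.text:00401012 5D                                pop     ebp
.text:00401013 C3                                retn
"""

SAMPLE_B = """\
.text:00401000 55                                push    ebp
.text:00401001 8B EC                             mov     ebp, esp
.text:00401003 90                                nop
.text:00401004 8B 4D 08                          mov     ecx, [ebp+arg_0]
.text:00401007 33 C0                             xor     eax, eax
.text:00401009 80 34 01 5A                       xor     byte ptr [ecx+eax], 5Ah
.text:0040100D 90                                nop
.text:0040100E 40                                inc     eax
.text:0040100F 83 F8 10                          cmp     eax, 10h
.text:00401012 72 F5                             jb      short loc_401009
.text:00401014 5D                                pop     ebp
.text:00401015 C3                                retn
"""

SAMPLE_C = """\
.text:00402000 6A 00                             push    0
.text:00402002 68 00 30 40 00                    push    offset aHello
.text:00402007 FF 15 00 20 40 00                 call    ds:MessageBoxA
.text:0040200D 6A 00                             push    0
.text:0040200F FF 15 04 20 40 00                 call    ds:ExitProcess
.text:00402015 CC CC CC                          align 4
.data:00403000 48 65 6C 6C 6F 00                 aHello          db 'Hello',0
"""

# section:address, optional hex byte columns, then a lowercase mnemonic followed by space or end of line.
LINE_RE = re.compile(r"^\.\w+:[0-9A-F]{8}\s+(?:[0-9A-F]{2}\s+)*([a-z]{2,7})(?=\s|$)")
DIRECTIVES = {"db", "dw", "dd", "dq", "align", "proc", "endp", "public", "extrn"}


def opcodes(asm_text: str) -> list:
    """Mnemonic sequence of a listing; labels, blank address lines and data directives are skipped."""
    found = []
    for line in asm_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) not in DIRECTIVES:
            found.append(m.group(1))
    return found


def ngram_counts(seq: list, n: int = 2) -> Counter:
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def hashed_vector(counts: Counter, dim: int = 1024) -> dict:
    """Hashing trick: fold an open-ended n-gram vocabulary into a fixed-width sparse vector."""
    vec = {}
    for gram, c in counts.items():
        idx = int(hashlib.md5(" ".join(gram).encode()).hexdigest(), 16) % dim
        vec[idx] = vec.get(idx, 0) + c
    return vec


def cosine(u: dict, v: dict) -> float:
    dot = sum(u[i] * v[i] for i in u if i in v)
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def similarity(asm_a: str, asm_b: str, n: int = 2) -> float:
    """Cosine similarity of two listings in opcode n-gram space."""
    return cosine(hashed_vector(ngram_counts(opcodes(asm_a), n)),
                  hashed_vector(ngram_counts(opcodes(asm_b), n)))


if __name__ == "__main__":
    print("A vs B (variant):", round(similarity(SAMPLE_A, SAMPLE_B), 3))
    print("A vs C (unrelated):", round(similarity(SAMPLE_A, SAMPLE_C), 3))
```

Hashing keeps the feature width constant no matter how many distinct n-grams a corpus produces, at the cost of occasional bucket collisions; that is the trade-off a Random Forest over these vectors then works with when it ranks which buckets matter.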

    AI/ML in Intrusion Detection

    • Intrusion Detection/Prevention Systems (IDS/IPS) monitor for dangerous activities.
      • IDS detects and alerts (passive).
      • IPS detects and blocks (proactive).
    • IDS types:
      • Network-based IDS (NIDS) monitors network traffic (e.g., Snort, Suricata, Zeek).
      • Host-based IDS (HIDS) monitors host activity like file system, system calls, logs (e.g., Fail2Ban, OSSEC/Wazuh).
    • Signature-based IDS: based on known attack patterns or signatures.
    • Behavior-based (Anomaly-based) IDS: based on deviations from "normal" baseline.

    Behavior-based / Anomaly-based IDS/IPS

    • Anomalies are unexpected events: data exfiltration, malware activity (e.g., ransomware, a virus), botnet activity, etc.
    • Baseline establishment: define typical/acceptable behavior by analyzing historical data.
    • Behavioral profiling: continuously monitor and profile user/system behavior, and keep learning so the baseline follows legitimate change (new services, seasonality).
    • Monitored signals: data transfer volumes, protocol usage, system resource usage, login times and frequency, ...

    Anomaly detection techniques

    • Outlier detection: finding data points significantly different from the majority of the current data.
    • Novelty detection: finding instances significantly different from the (clean) training data; isolation forests are a common choice.
    • Types of Anomalies:
      • Point Anomalies: individual data instances that differ significantly from the rest (a single huge upload).
      • Contextual Anomalies: values that are normal in general but abnormal in a specific context (a workday-sized upload at 03:00).
      • Collective Anomalies: a set of data points that is anomalous only when considered together (a slow, steady trickle of small uploads all night).
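As an added example (not from the course notes), the Python below runs four of the statistical techniques named above over one constructed week of hourly outbound volume for a single host: a global z-score (point anomalies), a per-hour-of-day baseline learned from the first five days (contextual anomalies), a sliding window over the contextual scores (collective anomalies), and an exponentially weighted moving-average deviation tracked online. Three events are planted in the data so each method's blind spot is visible: the moving average flags the normal 08:00 ramp-up, the global score misses the night-time 45 MB, and only the window catches the low-and-slow trickle. All values, thresholds and the 1 MB standard-deviation floor are constructed for the example.

```python
import math
import statistics
from collections import defaultdict

HOURS = 24
TRAIN_DAYS = range(0, 5)   # days used to learn the per-hour baseline
EVAL_DAYS = range(5, 7)    # days scored against that baseline


def build_series():
    """Constructed hourly outbound volume (MB) for one host over 7 days.

    Workday hours carry ~50 MB, night hours ~2 MB, with deterministic jitter.
    Planted events (constructed, no real traffic):
      day 5, 00:00-05:00: 4.5 MB every hour (low-and-slow: collective)
      day 6, 02:00:       45 MB            (fine by day, not at night: contextual)
      day 6, 03:00:       400 MB           (a point anomaly by any measure)
    """
    series = []
    for day in range(7):
        for hour in range(HOURS):
            idx = day * HOURS + hour
            base = 50.0 if 8 <= hour < 18 else 2.0
            jitter = ((idx * 7919) % 11) / 10.0 - 0.5   # -0.5 .. +0.5 MB
            series.append((day, hour, base + jitter))
    for hour in range(0, 6):
        series[5 * HOURS + hour] = (5, hour, 4.5)
    series[6 * HOURS + 2] = (6, 2, 45.0)
    series[6 * HOURS + 3] = (6, 3, 400.0)
    return series


def global_point_anomalies(series, k=3.0):
    """One global mean/std for everything: only the extreme value stands out."""
    values = [v for _, _, v in series]
    mu, sd = statistics.mean(values), statistics.pstdev(values)
    return [(d, h) for d, h, v in series if abs(v - mu) > k * sd]


def hourly_baseline(series, train_days=TRAIN_DAYS):
    """Per-hour-of-day mean and std from the training days; std floored at 1 MB."""
    by_hour = defaultdict(list)
    for d, h, v in series:
        if d in train_days:
            by_hour[h].append(v)
    return {h: (statistics.mean(vs), max(statistics.pstdev(vs), 1.0)) for h, vs in by_hour.items()}


def contextual_scores(series, baseline, eval_days=EVAL_DAYS):
    """z-score of each evaluated hour against the baseline for that hour of day."""
    return [(d, h, (v - baseline[h][0]) / baseline[h][1]) for d, h, v in series if d in eval_days]


def contextual_anomalies(scores, k=3.0):
    return [(d, h) for d, h, z in scores if abs(z) > k]


def collective_anomalies(scores, window=6, total=9.0, k=3.0):
    """Windows whose points are individually tolerable but jointly far above baseline."""
    flagged = []
    for i in range(len(scores) - window + 1):
        win = scores[i:i + window]
        if all(abs(z) <= k for _, _, z in win) and sum(z for _, _, z in win) > total:
            flagged.append((win[0][0], win[0][1]))
    return flagged


def moving_average_anomalies(series, alpha=0.1, k=3.0):
    """Exponentially weighted mean and variance tracked online; adaptive, but blind to seasonality."""
    mean, var, flagged = series[0][2], 1.0, []
    for d, h, v in series[1:]:
        sd = max(math.sqrt(var), 0.5)
        if abs(v - mean) > k * sd:
            flagged.append((d, h))
        diff = v - mean
        mean += alpha * diff
        var = (1 - alpha) * (var + alpha * diff * diff)
    return flagged


def run():
    series = build_series()
    scores = contextual_scores(series, hourly_baseline(series))
    return {"global": global_point_anomalies(series),
            "contextual": contextual_anomalies(scores),
            "collective": collective_anomalies(scores),
            "moving_average": moving_average_anomalies(series)}


if __name__ == "__main__":
    for method, hits in run().items():
        print(f"{method:15s} {hits}")
```

The per-hour baseline is the simplest form of the contextual model the notes call for; production systems extend the context to day of week, user role and host class, and retrain it continuously so legitimate change does not become a permanent alert.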

    Anomaly detection techniques (III to V)

    • Feature engineering: derive metrics/signals from host and OS activity.
      • OS instrumentation (e.g., the Linux Audit Daemon, auditd) and cross-platform endpoint instrumentation (e.g., osquery).
      • OS signals: running processes, active/new user accounts, permission changes, DNS lookups, network connections, kernel modules, system scheduler (cron/scheduled task) changes, startup entries, daemons, etc.
    • Network intrusion detection: features from traffic.
      • Traffic metadata (packet headers, flow records) rather than payload content, which is the domain of deep packet inspection.
      • Aggregated information (bytes, connection counts and error rates per host, service or time window).
      • Protocol analyzers (e.g., Zeek, Wireshark) to decode and visualize traffic and spot anomalies.
    • Web/application intrusion detection: features from logs (malformed URLs, unusual status-code or request-rate patterns).
    • Correlation: combine signals from several sources to improve detection accuracy.

    NIDS Datasets

    • NSL-KDD Dataset: an improved benchmark for intrusion detection derived from KDD Cup 1999, which in turn was built from the DARPA 1998 evaluation data.
      • The underlying data was collected over ~9 weeks on a simulated network and has ~4.9M connection records (raw PCAP captures processed into ~41 high-level features per connection); NSL-KDD removes the duplicate records and rebalances the difficulty, so it is much smaller.
      • 22 attack types in the training data, grouped into four broad categories: DoS, unauthorized remote access (R2L), privilege escalation (U2R), and probing (Probe).
    • Criticisms and limitations inherited from KDD Cup 1999: outdated traffic and attacks, limited representation of real-world traffic, and little context.
    • Alternative datasets: UNSW-NB15, CIC-IDS2017, CSE-CIC-IDS2018, and UGR'16. These offer more up-to-date representations of real-world attacks.
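The "processed high-level features" of these datasets are derived from connection metadata, not payloads. As an added example (not from the course notes or the datasets' own tooling), the Python below computes a simplified version of the KDD-style time-window features over a constructed connection log: for each connection, the number of connections to the same destination host in the preceding two seconds (`count`), how many used the same service (`srv_count`), the same/different-service rates, and the share of those connections that failed at the SYN stage (`serror_rate`), then applies two hand-written rules to show what a Probe and a DoS look like in that feature space. The records, window length and rule thresholds are constructed; the real datasets define more features and their exact windowing differs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    t: float        # start time, seconds
    src: str
    dst: str
    service: str    # KDD-style service name (http, ssh, ...)
    flag: str       # connection status: SF normal, S0 SYN sent with no reply, REJ rejected


ERROR_FLAGS = {"S0", "S1", "S2", "S3"}   # SYN-level failures, the KDD "serror" family
WINDOW = 2.0                             # seconds of history examined per connection


def build_records():
    """Constructed connection log, sorted by time: a browsing client, a port scan, a SYN flood."""
    records = [
        Conn(0.0, "10.0.0.5", "93.184.216.34", "http", "SF"),
        Conn(0.5, "10.0.0.5", "93.184.216.34", "http", "SF"),
        Conn(1.0, "10.0.0.5", "93.184.216.34", "https", "SF"),
    ]
    scan_services = ["ftp", "ssh", "telnet", "smtp", "http", "pop_3", "imap4", "https", "smb", "rdp"]
    records += [Conn(10.0 + 0.1 * i, "198.51.100.7", "10.0.0.20", svc, "S0")
                for i, svc in enumerate(scan_services)]
    records += [Conn(20.0 + 0.05 * i, "203.0.113.9", "10.0.0.20", "http", "S0") for i in range(12)]
    return records


def window_features(records, i):
    """Features of records[i] computed over connections to the same host within WINDOW seconds before it."""
    cur = records[i]
    window = [c for c in records[:i + 1] if c.dst == cur.dst and cur.t - c.t <= WINDOW]
    same_srv = [c for c in window if c.service == cur.service]
    count, srv_count = len(window), len(same_srv)
    return {
        "count": count,
        "srv_count": srv_count,
        "same_srv_rate": srv_count / count,
        "diff_srv_rate": (count - srv_count) / count,
        "serror_rate": sum(c.flag in ERROR_FLAGS for c in window) / count,
        "srv_serror_rate": sum(c.flag in ERROR_FLAGS for c in same_srv) / srv_count,
    }


def label(f):
    """Two illustrative rules; a trained model would learn boundaries like these from the data."""
    if f["count"] >= 8 and f["serror_rate"] >= 0.8 and f["diff_srv_rate"] >= 0.5:
        return "probe"    # many services on one host, none completing the handshake
    if f["count"] >= 8 and f["serror_rate"] >= 0.8 and f["same_srv_rate"] >= 0.9:
        return "dos"      # many half-open connections to a single service
    return "normal"


def classify_all(records):
    return [(c.src, c.dst, label(window_features(records, i))) for i, c in enumerate(records)]


if __name__ == "__main__":
    recs = build_records()
    for i, (src, dst, verdict) in enumerate(classify_all(recs)):
        f = window_features(recs, i)
        print(f"{recs[i].t:6.2f} {src:>14} -> {dst:<14} count={f['count']:2d} "
              f"serror={f['serror_rate']:.2f} diff_srv={f['diff_srv_rate']:.2f} {verdict}")
```

Note that the first connections of the scan and of the flood are labelled normal: window features only accumulate evidence over time, which is why such detectors are evaluated on whole sessions rather than single records, and why a 1998 lab capture with clean, complete windows flatters them compared with real traffic.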


    Description

    Test your knowledge on the various techniques used in malware analysis, including dynamic analysis, static analysis, and sandbox environments. This quiz explores the characteristics of different types of malware, their functionalities, and the tools used for analysis.
