Malware Analysis Techniques Quiz

Questions and Answers

What is one major advantage of dynamic analysis in malware analysis?

• It can analyze malware without any user interaction.
• It requires minimal system resources.
• It allows for quick identification of malicious codes.
• It provides an accurate understanding of the malware's behavior. (correct)

Which of the following features is NOT typically associated with malware analysis?

• File Metadata
• API Import and Export Functions
• Memory Addressing Patterns (correct)
• Opcode Sequences

What is a critical downside of dynamic malware analysis?

• It can only analyze known types of malware.
• It does not provide enough data about malware behavior.
• It is resource-intensive. (correct)
• It is usually less accurate than static analysis.

Which sandbox solution is noted for its ability to run in a VirtualBox environment?

Cuckoo Sandbox (A)

Which resource is primarily associated with automated static and dynamic malware analysis for mobile apps?

Mobile Security Framework (MobSF) (D)

What is the primary characteristic of a virus compared to other types of malware?

It spreads when infected files are executed. (B)

Which type of malware is designed to collect information without user consent?

Spyware (C)

What is a significant limitation of static analysis in malware analysis?

It may overlook advanced or polymorphic threats. (A)

Why are worms considered particularly dangerous compared to other malware types?

They spread without requiring user action. (A)

What distinct feature does ransomware have compared to other malware categories?

It encrypts files and demands payment for decryption. (B)

What type of malware utilizes existing computers to perform malicious tasks like DDoS attacks?

Botnets (B)

Which malware type employs malicious code that activates under specific conditions?

Logic/Time Bombs (A)

Which of the following tools is typically used in static analysis of malware?

Disassemblers (B)

What is a primary criticism of the NSL-KDD dataset?

It provides a limited representation of real-world traffic. (B)

Which of the following datasets is cited as an alternative to the NSL-KDD dataset?

CSE-CIC-IDS2018 (A)

Which category does not represent the types of attacks in the NSL-KDD dataset?

w2g (C)

How many general categories of attacks are represented in the NSL-KDD dataset?

4 (C)

What is a key characteristic of the data collection for the NSL-KDD dataset?

It contains approximately 4.9 million connection records. (B)

What is the primary goal of anomaly-based detection?

To detect activities that are statistically unusual or abnormal (B)

Which of the following methods can be used as part of statistical approaches for anomaly detection?

Moving Average Deviation (C)

What is the difference between outlier detection and novelty detection?

Outlier detection looks for deviants in current data, while novelty detection seeks unseen instances during training (D)

What does continuous learning in anomaly detection help manage?

Baseline evolution and behavior change (C)

Which type of anomalies are characterized as anomalous individual data instances significantly different from the rest of the dataset?

Point Anomalies (B)

Which aspect is essential for behavioral profiling in anomaly detection?

Continuous observation of user/system behavior (C)

Adaptive models in anomaly detection are necessary to address which of the following?

Changing data trends and seasonality (C)

Which machine learning approach is commonly used for novelty detection?

Isolation forests (D)

What is a characteristic of collective anomalies in data sets?

They need to be considered together to exhibit anomalous behavior. (C)

Which of the following is considered a typical signal for host-based anomaly detection?

Permission changes (B)

What distinguishes traffic metadata from deep packet inspection in network intrusion detection?

Traffic metadata focuses on packet headers rather than payload content. (C)

Which metric is NOT typically considered in feature engineering for host intrusion detection?

Web traffic trends (C)

What is a common use of protocol analyzers in network intrusion detection?

To analyze and visualize traffic data for anomalies. (B)

Which of the following describes the correlation of signals in anomaly detection?

Integrating signals from various sources to enhance detection accuracy. (B)

Which application-level log feature is commonly analyzed for anomaly detection?

Malformed URLs. (A)

What does the term 'system scheduler changes' refer to in the context of anomaly detection metrics?

Alterations in system process prioritize execution. (A)

Which type of malware feature utilizes the analysis of how and when malware accesses specific memory regions to identify behavior?

Memory Access Patterns (A)

What is the main purpose of Control Flow Graph (CFG) in malware analysis?

To determine the flow of control between sections of code (B)

Which feature is typically analyzed to detect deviations from normal behavior in an intrusion detection system?

Behavior-based detection (D)

In the context of the Microsoft Malware Classification Challenge, what is meant by opcode n-grams?

Patterns derived from disassembled machine code (C)

What distinguishes Network-based IDS from Host-based IDS?

Network-based IDS monitors network traffic. (B)

Which of the following features would likely be analyzed to measure malware's communication with remote servers?

Network Traffic Patterns (A)

What role does Random Forest play in malware feature selection as mentioned in the context of the classification challenge?

It ranks the importance of features. (D)

Which type of IDS is designed to take proactive measures against threats?

Intrusion Prevention System (IPS) (D)

What is indicated by a malware sample having 'distinctive visual patterns' when transformed into grayscale images?

It belongs to a recognizable malware family. (B)

Which mechanism would typically be used to ensure a malware’s persistence on a Windows system?

Scheduled Tasks (D)

Flashcards

Malware

Malicious software designed to harm or exploit computer systems and data. Examples include viruses, worms, Trojans, and ransomware.

Virus

Self-replicating malware that spreads by infecting files and executing them. Examples include Stuxnet.

Worm

Self-replicating malware that spreads across networks without user interaction. Examples include SQL Slammer.

Trojan

Malware that masquerades as legitimate software but contains malicious code. Examples include Qbot and TrickBot.

Ransomware

Malware that encrypts a victim's files and demands a ransom for decryption. Examples include CryptoLocker and Phobos/Dharma.

Botnet

A network of compromised computers used for malicious activities such as DDoS attacks or spam. Examples include Mirai and Andromeda.

Static Malware Analysis

Analyzing malware without executing it, examining its code, structure, strings, and metadata.

Spyware

Software that collects information without the user's consent, often for espionage or targeted advertising. Examples include CoolWebSearch and Gator.

Dynamic Analysis

Running malware in a controlled environment, such as a virtual machine or isolated system, to observe its actual behavior without affecting the host system.

Sandbox

A controlled environment, usually a virtual machine or isolated system, where malware is executed to analyze its behavior without harming the host system.

Malware Behavior Monitoring

Analyzing the behavior of malware by monitoring its actions like file system access, network communication, library loading, and system calls.

Feature Generation

The process of extracting relevant data from malware for analysis, which can be either static (from the malware file itself) or dynamic (from its behavior).

Opcode Sequence

The sequence of operation codes within the binary code of a program, which can reveal patterns and characteristics of the code, especially in malware analysis.

Anomaly-based detection

Detecting activities that deviate significantly from normal behavior.

Baseline establishment

Establishing a baseline of typical behavior for the system or network being monitored.

Behavioral profiling

Profiling users, systems, or traffic to identify any deviations from the established baseline.

Anomaly detection

Statistical and machine learning techniques to assess deviations from the established baseline.

Outlier detection

Identifying individual data points that are significantly different from the majority of the data.

Novelty detection

Identifying data instances that are significantly different from what was observed during training.

Concept drift

Continuous learning to adapt to evolving data patterns and changing behaviors.

Adaptive models/thresholds

Adjusting models or thresholds to account for seasonal variations and changing trends.

Control Flow Graph (CFG)

A graph representing the flow of control between different sections of code, useful for identifying malware patterns.

File Headers and Sections

Characteristics extracted from the header and sections of a file, like the Portable Executable (PE) header in Windows files. Malware often has unique header patterns.

Image Representation

A technique that uses grayscale images to visualize malware samples. Different malware families often have distinct visual patterns.

API Call Sequences and Frequencies

Analyzing the specific system calls a malware makes, in what order and frequency. This helps to differentiate malicious behavior from normal behavior.

Memory Access Patterns

Examining how and when malware interacts with specific memory regions. This can reveal clues about malware behavior, such as attempts to elevate privileges or access sensitive data.

Network Traffic Patterns

Analyzing how malware communicates with remote servers, including DNS requests to known malicious sites. This reveals the malware's command and control (C2) communication.

System Call Behavior

Analyzing specific functions or operations (like file, network, or process operations) used by malware, which are more frequent than those used by benign programs.

Persistence Mechanisms and Registry Operations

Analyzing how malware persists on a system, such as through startup entries, scheduled tasks, or modifications to the registry (primarily for Windows malware).

Microsoft Malware Classification Challenge (MMC) Dataset

A large dataset of malware samples used for multi-class malware classification, including metadata about function calls, strings, and other features.

XGBoost for Malware Classification

A machine learning model that classifies malware based on extracted features such as opcode n-grams, segment names count, and other static analysis data.

Anomaly

An event or data point considered abnormal within a specific context (time, region, conditions). It might not be anomalous in isolation.

Collective Anomaly

A collection of data points that exhibit anomalous behavior when considered together. The anomaly emerges from the relationship between them, not individual points alone.

Anomaly Detection Techniques

Techniques used to detect anomalous behavior in data, often used for security purposes to identify malicious activities.

Feature Engineering for Anomaly Detection

The process of extracting and organizing data from various sources to identify potentially anomalous behavior.

Host Intrusion Detection Metrics

Signals gleaned from host and operating system (OS) activity. For example, running processes, active user accounts, network connections.

Network Intrusion Detection Features

Features derived from network traffic flow between hosts, including metadata and packet content.

Web/Application Intrusion Detection Features

Features extracted from log files generated by web servers and applications, such as login attempts, URL patterns, and error messages.

Correlating Signals for Anomaly Detection

Analyzing signals from different sources (hosts, network, applications) to create a comprehensive picture of potential anomalies.

What is the NSL-KDD dataset?

NSL-KDD is a classic and widely used dataset for training intrusion detection systems (IDS). It's based on real network traffic captured over 9 weeks from a simulated military network.

What kind of information does the NSL-KDD dataset contain?

The NSL-KDD dataset contains information about network connections, captured as 41 features. These features can be either categorical (like the type of protocol used) or numerical (like the number of bytes sent).

How are attacks categorized in NSL-KDD?

The NSL-KDD dataset includes attacks categorized into four main groups: denial of service (DoS), unauthorized access from remote servers (R2L), privilege escalation attempts (U2R), and brute-force probing attacks (Probe).

What are some criticisms of the NSL-KDD dataset?

Critics argue that the NSL-KDD dataset is outdated, doesn't represent modern cyber threats effectively, and has limited real-world traffic. The dataset also struggles with the balance between normal and malicious connections.

What are some alternatives to the NSL-KDD dataset?

Alternative datasets to NSL-KDD include UNSW-NB15, CIC-IDS2017/CSE-CIC-IDS2018, and UGR’16. These datasets offer more current and diverse network traffic, reflecting modern cybersecurity challenges.

Study Notes

CYB. Defensive AI (part 3)

• Course: Master in Artificial Intelligence
• Year: 2024/25
• Institution: ESEL – University of Vigo

AI/ML in Malware Analysis

• Malware is malicious software designed to harm, exploit, or compromise computer systems and data.

Malware: Definition and Types

• Malware can be a mixture of different types.
• Self-replicating:
  • Viruses replicate when infected files execute. Examples include Stuxnet.
  • Worms spread across networks without user interaction. (SQL Slammer is an example).
• Auto-hiding malware:
  • Trojans disguise as legitimate but contain malicious code (like backdoors or data theft). Examples include Qbot/Qakbot, TrickBot.
  • Rootkits hide malicious software, making detection or removal difficult. Examples include Linfo, Pandora, HIDEDRV.
• Designed to harm:
  • Ransomware encrypts a victim's files and demands ransom for decryption (e.g., CryptoLocker, Phobos/Dharma).
  • Botnets are networks of compromised computers used for malicious activities (e.g., DDoS attacks, spam, Mirai, Andromeda).
  • Logic/time bombs are malicious code activated under specific conditions causing system damage.
  • Keyloggers record keystrokes to capture sensitive information.
  • Cryptojacking uses computers for cryptocurrency mining. Example: Kinsing, LoudMiner.
  • Spyware collects information without consent (e.g., CoolWebSearch, Gator).
  • Adware shows unwanted advertisements and collects user data. (e.g. Fireball, Appearch).

Malware Analysis

• Understanding the behavior and purpose of suspicious files is key.
• Static analysis:
  • Examines malware code and characteristics without executing it.
  • This involves studying file structure, strings, metadata, and embedded resources.
  • Identifies known patterns, signatures, indicators (like file names, hashes, strings, IP addresses, domains, and file headers).
  • Tools used for static analysis include disassemblers and static rules (example: Yara Rules).
  • Static analysis can effectively detect known malware via signature-based approaches or heuristic analysis.
  • However, static analysis may miss sophisticated or polymorphic threats.
• Dynamic analysis:
  • Executes malware in a controlled environment (sandbox), observing its actual behavior.
  • This is crucial for preventing harm to the host system.
  • Dynamic analysis monitors file system access, changes, network communication (e.g., TCP, DNS), and system calls.
  • Dynamic analysis is helpful for identifying unknown or evolving malware.
  • A drawback is that dynamic analysis is often resource-intensive.

Malware Analysis (III)

• Resources and online sandboxes:
  • MalwareBazaar, VirusShare.com
  • Microsoft Malware Classification Challenge (BIG 2015) (Kaggle).
  • Cuckoo Sandbox,
  • Mobile Security Framework (MobSF)
  • Joe Sandbox & tools reports
  • Hybrid Analysis, VirusTotal (VT APIv3)

Typical features in Malware analysis

• Static features:
  • Opcode Sequences (binary code operation codes).
  • API Import and Export Functions (API calls for malicious tasks).
  • File Metadata (size, creation dates, certificates).
  • String Analysis
  • Control Flow Graph (CFG) (flow of code).
  • File Headers and Sections (e.g., Portable Executable (PE) headers in Windows).
  • Image Representation (visual patterns in malware).
  • Permissions and Manifest Information (Mobile malware).
• Dynamic features:
  • API Call Sequences & Frequencies (malware system calls).
  • Memory Access Patterns.
  • Network Traffic Patterns (e.g., communication with malicious sites).
  • System Call Behavior (specific system calls more frequent in malware than benign programs).
  • Persistence Mechanisms (startup entries, scheduled tasks).
  • Registry Operations

Microsoft Malware Classification Challenge (BIG 2015)

• Data: Contains ≈400GB of raw binary data and metadata.
• Problem: Multiclass problem with 9 types of malware.
• Dataset: Available at https://www.kaggle.com/c/malware-classification
• Paper: Available at https://arxiv.org/pdf/1802.10135.pdf
• 9 types of malware families in the dataset, with number of train samples for each

AI/ML in Intrusion Detection

• Intrusion Detection/Prevention Systems (IDS/IPS) monitor for dangerous activities.
  • IDS detects and alerts (passive).
  • IPS detects and blocks (proactive).
• IDS types:
  • Network-based IDS (NIDS) monitors network traffic (e.g., Snort, Suricata, Zeek).
  • Host-based IDS (HIDS) monitors host activity like file system, system calls, logs (e.g., Fail2Ban, OSSEC/Wazuh).
• Signature-based IDS: based on known attack patterns or signatures.
• Behavior-based (Anomaly-based) IDS: based on deviations from "normal" baseline.

Behavior-based / Anomaly-based IDS/IPS

• Anomalies are unexpected events
• Data exfiltration, malware activity (e.g., ransomware, virus), botnet activity, etc.
• Baseline establishment: define typical/acceptable behavior by analyzing historical data.
• Behavioral profiling: continuously monitors and profiles user/system behavior.
• Monitor data transfer volumes, protocol usage, system resource usage, login times, frequency, ...

Anomaly detection techniques

• Outlier detection: finding data points significantly different from the majority.
• Novelty detection: finding instances significantly different from training data.
• Types of Anomalies:
  • Point Anomalies: Individual data instances.
  • Contextual Anomalies: Abnormal behavior in a specific context.
  • Collective Anomalies: A set of data points exhibiting anomalous behavior.

Anomaly detection techniques (III and IV and V)

• Various techniques and tools are used, including:
  • Features engineering (metrics/signals from host and OS activity).
  • OS instrumentation (e.g., OSquery), Cross platform endpoint instrumentation (e.g. Audit Daemon).
    • OS signals (Running processes, Active/new user accounts, Permission changes, DNS lookups, Network connections, Kernel mods, System scheduler, Startup, Daemon…etc).
  • Network intrusion detection (features from traffic).
  • Traffic metadata, Aggregated info, Protocol analyzers, Web/application intrusion detection (features from logs).

NIDS Datasets

• NSL-KDD Dataset: improved benchmark for intrusion detection.
  • Collected over ~9 weeks on a simulated network.
  • ~4.9M connection records; raw PCAP captures, ~41 processed high level features.
  • 22 attack types categorized into four broad groups (dos, unauthorized access, privilege escalation, and probing attempts).
• Criticisms and limitations of the KDD Cup 1999 dataset: outdated, limited, lack of context.
• Alternative Datasets: UNSW-NB15, CIC-IDS2017, CSE-CIC-IDS2018, and UGR’16. These can offer a more up to date representations of real-world attacks.