• JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
  • JoomlaWorks Simple Image Rotator
 
  Bookmark and Share
 
 
Doctoral Thesis
DOI
10.11606/T.3.2018.tde-28022018-105426
Document
Author
Full name
João Marcelo Ceron
E-mail
Institute/School/College
Knowledge Area
Date of Defense
Published
São Paulo, 2017
Supervisor
Committee
Margi, Cíntia Borges (President)
Batista, Daniel Macedo
Cansian, Adriano Mauro
Getschko, Demi
Simplicio Junior, Marcos Antonio
Title in Portuguese
MARS: uma arquitetura para análise de malwares utilizando SDN.
Keywords in Portuguese
Análise de Malware
Arquitetura de software
Arquitetura e organização de computadores
Abstract in Portuguese
Detectar e analisar malwares é um processo essencial para aprimorar os sistemas de segurança. As soluções atuais apresentam limitações no processo de investigação e detecção de códigos maliciosos sofisticados. Mais do que utilizar técnicas para evadir sistemas de análise, malwares sofisticados requerem condições específicas no ambiente em que são executados para revelar seu comportamento malicioso. Com o surgimento das Redes Definidas por Software (SDN), notou-se uma oportunidade para aprimorar o processo de investigação de malware propondo uma arquitetura flexível apta a detectar variações comportamentais de maneira automática. Esta tese apresenta uma arquitetura especializada para analisar códigos maliciosos que permite controlar de maneira unificada o ambiente de análise, incluindo o sandbox e os elementos que o circundam. Dessa maneira, é possível gerenciar regras de contenção, configuração dinâmica de recursos, e manipular o tráfego de rede gerado pelos malwares. Para avaliar a arquitetura foi analisado um conjunto de malwares em dois cenários de avaliação. No primeiro cenário de avaliação, as funcionalidades descritas pela solução proposta revelaram novos eventos comportamentais em 100% dos malwares analisados. Já, no segundo cenários de avaliação, foi analisado um conjunto de malwares projetados para dispositivos IoT. Em consequência, foi possível bloquear ataques, monitorar a comunicação do malware com seu controlador de botnet, e manipular comandos de ataques.
Title in English
MARS: an SDN-based malware analysis solution.
Keywords in English
Dynamic analysis
Malware analysis
Software-defined networking
Abstract in English
Mechanisms to detect and analyze malicious software are essential to improve security systems. Current security mechanisms have limited success in detecting sophisticated malicious software. More than to evade analysis system, many malware require specific conditions to activate their actions in the target system. The flexibility of Software-Defined Networking (SDN) provides an opportunity to develop a malware analysis architecture that can detect behavioral deviations in an automated way. This thesis presents a specialized architecture to analyze malware by managing the analysis environment in a centralized way, including to control the sandbox and the elements that surrounds it. The proposed architecture enables to determine the network access policy, to handle the analysis environment resource configuration, and to manipulate the network connections performed by the malware. To evaluate our solution we have analyzed a set of malware in two evaluation scenarios. In the first evaluation scenario, we showed that the mechanisms proposed have increased the number of behavioral events in 100% of the malware analyzed. In the second evaluation scenario, we have analyzed malware designed for IoT devices. As a result, by using the MARS features, it was possible to block attacks, to manipulate attack commands, and to enable the malware communication with the respective botnet controller. The experimental results showed that our solution can improve the dynamic malware analysis process by providing this configuration flexibility to the analysis environment.
 
WARNING - Viewing this document is conditioned on your acceptance of the following terms of use:
This document is only for private use for research and teaching activities. Reproduction for commercial use is forbidden. This rights cover the whole data about this document as well as its contents. Any uses or copies of this document in whole or in part must include the author's name.
Publishing Date
2018-03-07
 
WARNING: The material described below relates to works resulting from this thesis or dissertation. The contents of these works are the author's responsibility.
  • CERON, JOAO MARCELO, Margi, Cintia Borges, and GRANVILLE, LISANDRO ZAMBENEDETTI. MARS: An SDN-based malware analysis solution [doi:10.1109/iscc.2016.7543792]. In 2016 IEEE Symposium on Computers and Communication (ISCC), Messina, 2016. 2016 IEEE Symposium on Computers and Communication (ISCC)., 2016.
All rights of the thesis/dissertation are from the authors
CeTI-SC/STI
Digital Library of Theses and Dissertations of USP. Copyright © 2001-2019. All rights reserved.