2016-10-21

Malware Detection, Prevention and Analyses

1 Abstract

When an exploit or attack eventually happens, how do we detect that it is happening, or that it has already happened? What is the damage? How do we recover? What new measures must we take to prevent future attacks? These are the questions that the area of exploit detection handles. It does not include neutralizing the malware.

Obviously, we prefer to detect malware before it is installed. Source code may or may not be available, so detection includes (blackbox) testing and fuzzing, and may require reverse engineering of the binary.

We separate detection from analysis (./malware-analysis.html) and from prevention (./malware-prevention.html).

Prerequisite: Malware Overview

2 Malware Detection

  1. Attack detection versus malware detection: these are two different problems.
  2. An exploit or attack is what a piece of malware causes; the malware is the artifact, the attack is its effect.
  3. The detection techniques for the two can be different.
  4. Example of attack detection: keep a watch on the assets, with fine-grained access control, so that an access the policy does not permit is noticed even when the malware itself was not.
  5. Lecture Notes on ./detection.html

3 Malware Analyses

3.1 Static Analyses

  1. Code audit the source. For an APK the source is usually not available; what ships is Dalvik bytecode (classes.dex) plus a binary-encoded manifest and resources, which must be disassembled or decompiled before they can be audited.
  2. Required Reading: ./Static-Analysis-Columbia-2014.pdf
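An added example (not the course's code) of the first static check one does on an APK: audit what the app asks for in its manifest. It assumes the manifest has already been decoded to plain XML with apktool or androguard (inside the APK it is binary XML). The manifest below is constructed for the example; the permission strings and intent actions are real Android names, while the "risky combination" table is this example's own heuristic, not an official classification.

```python
"""Static audit of an Android manifest for risky permission patterns.

Added example, not the course's code.  Assumes the manifest has already
been decoded to plain XML (apktool, androguard); inside the APK it is
binary XML.  The permission and action strings are real Android names;
RISKY_COMBOS is this example's own heuristic, not an official list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Permission sets that together enable a classic Android malware
# behaviour.  Hypothetical table for this example.
RISKY_COMBOS = {
    "sms-fraud": {"android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS"},
    "contact-exfiltration": {"android.permission.READ_CONTACTS",
                             "android.permission.INTERNET"},
    "audio-spyware": {"android.permission.RECORD_AUDIO",
                      "android.permission.INTERNET"},
}

# Constructed manifest: a "flashlight" that asks for far more than a torch needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract package name, requested permissions and broadcast receivers."""
    root = ET.fromstring(xml_text)
    permissions = {attr(e, "name") for e in root.iter("uses-permission")}
    receivers = []
    for r in root.iter("receiver"):
        priority = 0
        for f in r.iter("intent-filter"):
            priority = max(priority, int(attr(f, "priority") or 0))
        receivers.append({
            "name": attr(r, "name"),
            "exported": attr(r, "exported") == "true",
            "actions": [attr(a, "name") for a in r.iter("action")],
            "priority": priority,
        })
    return {"package": root.get("package"),
            "permissions": permissions,
            "receivers": receivers}


def audit(manifest):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for label, needed in RISKY_COMBOS.items():
        if needed <= manifest["permissions"]:
            findings.append(f"{label}: requests {sorted(needed)}")
    for r in manifest["receivers"]:
        if "android.intent.action.BOOT_COMPLETED" in r["actions"]:
            findings.append(f"persistence: {r['name']} starts at boot")
        if ("android.provider.Telephony.SMS_RECEIVED" in r["actions"]
                and r["priority"] >= 1000):
            findings.append(f"sms-interception: {r['name']} receives SMS at "
                            f"priority {r['priority']}, ahead of the messaging app")
    return findings


if __name__ == "__main__":
    m = parse_manifest(SAMPLE_MANIFEST)
    print(m["package"], "requests", len(m["permissions"]), "permissions")
    for f in audit(m):
        print("  ", f)
```

A check like this cannot tell a legitimate SMS client from a trojan; it orders the queue for a human auditor and for the dynamic analysis that follows. The high-priority SMS_RECEIVED receiver is worth flagging because, on Android versions before 4.4, such a receiver could call abortBroadcast() and hide an incoming message (for example a premium-service confirmation) from the user's messaging app.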

3.2 Dynamic Detection

  1. Performed after installation.
  2. "Dynamically" means as the app runs.
  3. Assumption: malware always behaves badly; it is not "moody". This assumption is the weak point of dynamic analysis: malware that first checks whether it is running in an emulator or sandbox, or that waits for a trigger (a date, a command from a server, real user activity), behaves well while it is being observed and badly later.
  4. Blackbox testing: without any knowledge of the internals of the app.
  5. Fuzzing: construct "devious" but syntactically valid inputs, so that they get past the app's input checks and reach the code behind them.
  6. Run the app under a "microscope": observe the flow of control, what changes are made to the file system and settings, which network connections are opened and to whom, which permissions and APIs are actually used, …
  7. Lecture Notes on ./Analysis/bouncer.html
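An added example (not the course's code, and not Bouncer's) of the "microscope" step together with the "moody" caveat: behaviour rules run over a trace of what the app did at run time. The trace format is this example's own, one event per line as a sandbox that hooks framework APIs and system calls might emit. Both traces are constructed for the example; the package name, short code and IP address (taken from a documentation range) are fictitious, and the rules are illustrative heuristics, not a vetted signature set.

```python
"""Behaviour rules over a run-time trace of an Android app.

Added example, not the course's or Bouncer's code.  Trace format (this
example's own): "<seconds> <kind> <details>", one event per line, where
kind is api, net_connect, file_write or sysprop_read.  Both traces are
constructed; names, numbers and addresses are fictitious.
"""
import re
from ipaddress import ip_address

# Constructed trace 1: a "flashlight" that sends premium SMS and then
# uploads the contact list.
TRACE_MALICIOUS = """\
0.10 api android.telephony.TelephonyManager.getDeviceId
0.35 file_write /data/data/com.example.flashlight/files/state
1.20 api android.telephony.SmsManager.sendTextMessage dest=1234 text=SUB+FL
1.25 api android.telephony.SmsManager.sendTextMessage dest=1234 text=SUB+FL
2.00 api android.content.ContentResolver.query uri=content://com.android.contacts/contacts
2.40 net_connect 198.51.100.23:443
"""

# Constructed trace 2: same family, but it fingerprints the sandbox first
# and stays dormant when the device looks like an emulator.
TRACE_EVASIVE = """\
0.10 sysprop_read ro.kernel.qemu=1
0.11 api android.os.Build.FINGERPRINT value=generic/sdk/generic
0.12 api android.os.Process.killProcess
"""

EVENT_RE = re.compile(r"^(?P<t>\d+\.\d+) (?P<kind>\w+) (?P<rest>.*)$")
SHORT_CODE = re.compile(r"dest=(\d{3,6})\b")   # premium short codes are 3-6 digits


def parse_trace(text):
    """Turn trace text into a list of (time, kind, details) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:   # anything else the sandbox printed is not an event
            events.append((float(m["t"]), m["kind"], m["rest"]))
    return events


def behaviour_findings(events):
    """Rules that fire on observed malicious behaviour."""
    findings = []
    contacts_read_at = None
    for t, kind, rest in events:
        if kind == "api" and rest.startswith("android.telephony.SmsManager.sendTextMessage"):
            m = SHORT_CODE.search(rest)
            if m:
                findings.append(f"{t:.2f} premium-sms: SMS to short code {m.group(1)}")
        elif kind == "api" and "ContentResolver.query" in rest and "com.android.contacts" in rest:
            contacts_read_at = t
        elif kind == "net_connect":
            host = rest.rsplit(":", 1)[0]
            if not ip_address(host).is_loopback:
                findings.append(f"{t:.2f} network: outbound connect to {rest}")
                # Contacts read shortly before an outbound connection: exfiltration pattern.
                if contacts_read_at is not None and t - contacts_read_at < 5.0:
                    findings.append(f"{t:.2f} exfiltration: contacts read at "
                                    f"{contacts_read_at:.2f}, then outbound connect")
        elif kind == "file_write" and not rest.startswith("/data/data/"):
            findings.append(f"{t:.2f} filesystem: write outside app sandbox {rest}")
    return findings


def evasion_findings(events):
    """Rules that fire when the app probes for an emulator or sandbox."""
    findings = []
    for t, kind, rest in events:
        if kind == "sysprop_read" and rest.startswith("ro.kernel.qemu"):
            findings.append(f"{t:.2f} emulator-check: read ro.kernel.qemu")
        elif kind == "api" and "Build.FINGERPRINT" in rest and "generic" in rest:
            findings.append(f"{t:.2f} emulator-check: inspected Build.FINGERPRINT")
    return findings


def verdict(trace_text):
    """Label a trace; a dormant app that checked for a sandbox is not 'clean'."""
    events = parse_trace(trace_text)
    bad = behaviour_findings(events)
    evasive = evasion_findings(events)
    if bad:
        label = "malicious"
    elif evasive:
        label = "dormant-suspicious"   # behaved well, but only after checking whether it was watched
    else:
        label = "no-malicious-behaviour-observed"
    return label, bad + evasive


if __name__ == "__main__":
    for name, trace in (("malicious", TRACE_MALICIOUS), ("evasive", TRACE_EVASIVE)):
        label, findings = verdict(trace)
        print(f"{name}: {label}")
        for f in findings:
            print("   ", f)
```

The second trace is the point of the "not moody" assumption: judged on behaviour alone it is clean, because the sample did nothing bad while it was watched. Treating the sandbox check itself as a finding is the usual answer, together with running the sample on real hardware or on an emulator whose fingerprint has been made to look like a phone.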

4 Malware Prevention

  1. Lecture Notes on ./malware-prevention.html

5 Android Malware

  1. Most of the above discussion was not specific to Android.
  2. How is Android malware different from general malware?
  3. Lecture Notes on ./android-malware.html

6 End

Copyright © 2016 pmateti@wright.edu www.wright.edu/~pmateti 2016-10-21