2022 |
Botacin, Marcus; Moreira, Francis B; Navaux, Philippe O A; Grégio, André; Alves, Marco A Z Terminator: A Secure Coprocessor to Accelerate Real-Time AntiViruses Using Inspection Breakpoints Journal Article ACM Trans. Priv. Secur., 25 (2), 2022, ISSN: 2471-2566. Abstract | Links | BibTeX | Tags: antivirus, coprocessor, malware @article{10.1145/3494535, title = {Terminator: A Secure Coprocessor to Accelerate Real-Time AntiViruses Using Inspection Breakpoints}, author = {Marcus Botacin and Francis B Moreira and Philippe O A Navaux and André Grégio and Marco A Z Alves}, url = {https://doi.org/10.1145/3494535 https://secret.inf.ufpr.br/papers/marcus_coproc.pdf}, doi = {10.1145/3494535}, issn = {2471-2566}, year = {2022}, date = {2022-03-01}, journal = {ACM Trans. Priv. Secur.}, volume = {25}, number = {2}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, abstract = {AntiViruses (AVs) are essential to face the myriad of malware threatening Internet users. AVs operate in two modes: on-demand checks and real-time verification. Software-based real-time AVs intercept system and function calls to execute AV’s inspection routines, resulting in significant performance penalties as the monitoring code runs among the suspicious code. Simultaneously, dark silicon problems push the industry to add more specialized accelerators inside the processor to mitigate these integration problems. In this article, we propose Terminator, an AV-specific coprocessor to assist software AVs by outsourcing their matching procedures to the hardware, thus saving CPU cycles and mitigating performance degradation. We designed Terminator to be flexible and compatible with existing AVs by using YARA and ClamAV rules. Our experiments show that our approach can save up to 70 million CPU cycles per rule when outsourcing on-demand checks for matching typical, unmodified YARA rules against a dataset of 30 thousand in-the-wild malware samples. 
Our proposal eliminates the AV’s need for blocking the CPU to perform full system checks, which can now occur in parallel. We also designed a new inspection breakpoint mechanism that signals to the coprocessor the beginning of a monitored region, allowing it to scan the regions in parallel with their execution. Overall, our mechanism mitigated up to 44% of the overhead imposed to execute and monitor the SPEC benchmark applications in the most challenging scenario.}, keywords = {antivirus, coprocessor, malware}, pubstate = {published}, tppubtype = {article} } AntiViruses (AVs) are essential to face the myriad of malware threatening Internet users. AVs operate in two modes: on-demand checks and real-time verification. Software-based real-time AVs intercept system and function calls to execute AV’s inspection routines, resulting in significant performance penalties as the monitoring code runs among the suspicious code. Simultaneously, dark silicon problems push the industry to add more specialized accelerators inside the processor to mitigate these integration problems. In this article, we propose Terminator, an AV-specific coprocessor to assist software AVs by outsourcing their matching procedures to the hardware, thus saving CPU cycles and mitigating performance degradation. We designed Terminator to be flexible and compatible with existing AVs by using YARA and ClamAV rules. Our experiments show that our approach can save up to 70 million CPU cycles per rule when outsourcing on-demand checks for matching typical, unmodified YARA rules against a dataset of 30 thousand in-the-wild malware samples. Our proposal eliminates the AV’s need for blocking the CPU to perform full system checks, which can now occur in parallel. We also designed a new inspection breakpoint mechanism that signals to the coprocessor the beginning of a monitored region, allowing it to scan the regions in parallel with their execution. 
Overall, our mechanism mitigated up to 44% of the overhead imposed to execute and monitor the SPEC benchmark applications in the most challenging scenario. |
Botacin, Marcus; Alves, Marco Zanata; Oliveira, Daniela; Grégio, André HEAVEN: A Hardware-Enhanced AntiVirus ENgine to accelerate real-time, signature-based malware detection Journal Article Expert Systems with Applications, pp. 117083, 2022, ISSN: 0957-4174. Abstract | Links | BibTeX | Tags: antivirus, Branch prediction, malware, Performance, Signatures @article{BOTACIN2022117083, title = {HEAVEN: A Hardware-Enhanced AntiVirus ENgine to accelerate real-time, signature-based malware detection}, author = {Marcus Botacin and Marco Zanata Alves and Daniela Oliveira and André Grégio}, url = {https://www.sciencedirect.com/science/article/pii/S0957417422004882 https://secret.inf.ufpr.br/papers/marcus_heaven.pdf}, doi = {10.1016/j.eswa.2022.117083}, issn = {0957-4174}, year = {2022}, date = {2022-01-01}, journal = {Expert Systems with Applications}, pages = {117083}, abstract = {Antiviruses (AVs) are computing-intensive applications that rely on constant monitoring of OS events and on applying pattern matching procedures on binaries to detect malware. In this paper, we introduce HEAVEN, a framework for Intel x86/x86-64 and MS Windows that combines hardware and software to improve AVs performance. HEAVEN workflow consists of a hardware-assisted signature matching process as its first step (triage), which is fast, and only invokes the software-based AV when the software is suspicious, i.e., with an unknown hardware signature for malignity. We implement a PoC for HEAVEN by instrumenting Intel’s x86/x86-64 branch predictor, which allows for the generation of malware signatures based on branch pattern history. To validate our PoC, we evaluate HEAVEN with a dataset composed of 10,000 malware and 1,000 benign software samples from different categories and accomplished malware detection rates of 100% (no false-positives). The detection occurred before the execution of 10% of the samples’ code. 
HEAVEN is designed to be memory efficient: it identified unique 32-bit signatures for each sample at the storage cost of only 35KB of SRAM. HEAVEN is also designed with processing efficiency in mind: its hardware extensions present negligible performance overhead and reduces the average workload of the chosen software AV counterpart (ClamWin)—10% for CPU usage, 5.61% for memory throughput, 16.22% for disk writes, and 20.22% for disk reads. With HEAVEN, we may decrease the number of CPU cycles used for malware scanning by 87.5%, which is a promising result regarding the feasibility of our proposal: the combination of hardware-/software-based AVs for practical and effective malware detection that flags suspicious software while posing negligible performance overhead.}, keywords = {antivirus, Branch prediction, malware, Performance, Signatures}, pubstate = {published}, tppubtype = {article} } Antiviruses (AVs) are computing-intensive applications that rely on constant monitoring of OS events and on applying pattern matching procedures on binaries to detect malware. In this paper, we introduce HEAVEN, a framework for Intel x86/x86-64 and MS Windows that combines hardware and software to improve AVs performance. HEAVEN workflow consists of a hardware-assisted signature matching process as its first step (triage), which is fast, and only invokes the software-based AV when the software is suspicious, i.e., with an unknown hardware signature for malignity. We implement a PoC for HEAVEN by instrumenting Intel’s x86/x86-64 branch predictor, which allows for the generation of malware signatures based on branch pattern history. To validate our PoC, we evaluate HEAVEN with a dataset composed of 10,000 malware and 1,000 benign software samples from different categories and accomplished malware detection rates of 100% (no false-positives). The detection occurred before the execution of 10% of the samples’ code. 
HEAVEN is designed to be memory efficient: it identified unique 32-bit signatures for each sample at the storage cost of only 35KB of SRAM. HEAVEN is also designed with processing efficiency in mind: its hardware extensions present negligible performance overhead and reduces the average workload of the chosen software AV counterpart (ClamWin)—10% for CPU usage, 5.61% for memory throughput, 16.22% for disk writes, and 20.22% for disk reads. With HEAVEN, we may decrease the number of CPU cycles used for malware scanning by 87.5%, which is a promising result regarding the feasibility of our proposal: the combination of hardware-/software-based AVs for practical and effective malware detection that flags suspicious software while posing negligible performance overhead. |
2021 |
Botacin, Marcus; Aghakhani, Hojjat; Ortolani, Stefano; Kruegel, Christopher; Vigna, Giovanni; Oliveira, Daniela; De Geus, Paulo Lício; Grégio, André One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware Journal Article ACM Trans. Priv. Secur., 24 (2), 2021, ISSN: 2471-2566. Abstract | Links | BibTeX | Tags: banking, malware, reverse engineer @article{10.1145/3429741, title = {One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware}, author = {Marcus Botacin and Hojjat Aghakhani and Stefano Ortolani and Christopher Kruegel and Giovanni Vigna and Daniela Oliveira and Paulo Lício {De Geus} and André Grégio}, url = {https://doi.org/10.1145/3429741 https://secret.inf.ufpr.br/papers/marcus_tops_br.pdf}, doi = {10.1145/3429741}, issn = {2471-2566}, year = {2021}, date = {2021-01-01}, journal = {ACM Trans. Priv. Secur.}, volume = {24}, number = {2}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, abstract = {Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international malware ecosystem, research on regionalized, country-, and population-specific malware campaigns have been scarce. Moving towards addressing this gap, we conducted a longitudinal (2012-2020) and comprehensive (encompassing an entire population of online banking users) study of MS Windows desktop malware that actually infected Brazilian banks’ users. We found that the Brazilian financial desktop malware has been evolving quickly: it started to make use of a variety of file formats instead of typical PE binaries, relied on native system resources, and abused obfuscation techniques to bypass detection mechanisms. 
Our study on the threats targeting a significant population on the ecosystem of the largest and most populous country in Latin America can provide invaluable insights that may be applied to other countries’ user populations, especially those in the developing world that might face cultural peculiarities similar to Brazil’s. With this evaluation, we expect to motivate the security community/industry to seriously consider a deeper level of customization during the development of next-generation anti-malware solutions, as well as to raise awareness towards regionalized and targeted Internet threats.}, keywords = {banking, malware, reverse engineer}, pubstate = {published}, tppubtype = {article} } Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international malware ecosystem, research on regionalized, country-, and population-specific malware campaigns have been scarce. Moving towards addressing this gap, we conducted a longitudinal (2012-2020) and comprehensive (encompassing an entire population of online banking users) study of MS Windows desktop malware that actually infected Brazilian banks’ users. We found that the Brazilian financial desktop malware has been evolving quickly: it started to make use of a variety of file formats instead of typical PE binaries, relied on native system resources, and abused obfuscation techniques to bypass detection mechanisms. Our study on the threats targeting a significant population on the ecosystem of the largest and most populous country in Latin America can provide invaluable insights that may be applied to other countries’ user populations, especially those in the developing world that might face cultural peculiarities similar to Brazil’s. 
With this evaluation, we expect to motivate the security community/industry to seriously consider a deeper level of customization during the development of next-generation anti-malware solutions, as well as to raise awareness towards regionalized and targeted Internet threats. |
2020 |
Botacin, Marcus; Grégio, André; Alves, Marco Antonio Zanata Near-Memory & In-Memory Detection of Fileless Malware Inproceedings The International Symposium on Memory Systems, pp. 23–38, Association for Computing Machinery, Washington, DC, USA, 2020, ISBN: 9781450388993. Abstract | Links | BibTeX | Tags: antivirus, malware, pattern matching, processing in memory @inproceedings{10.1145/3422575.3422775, title = {Near-Memory \& In-Memory Detection of Fileless Malware}, author = {Marcus Botacin and André Grégio and Marco Antonio Zanata Alves}, url = {https://doi.org/10.1145/3422575.3422775 https://secret.inf.ufpr.br/papers/marcus_fileless.pdf}, doi = {10.1145/3422575.3422775}, isbn = {9781450388993}, year = {2020}, date = {2020-01-01}, booktitle = {The International Symposium on Memory Systems}, pages = {23--38}, publisher = {Association for Computing Machinery}, address = {Washington, DC, USA}, series = {MEMSYS 2020}, abstract = {Fileless malware are recent threats to computer systems that load directly into memory, and whose aim is to prevent anti-viruses (AVs) from successfully matching byte patterns against suspicious files written on disk. Their detection requires that software-based AVs continuously scan memory, which is expensive due to repeated locks and polls. However, research advances introduced near-memory and in-memory processing, which allow memory controllers to trigger basic computations without moving data to the CPU. In this paper, we address AVs performance overhead by moving them to the hardware, i.e., we propose instrumenting processors’ memory controller or smart memories (near- and in-memory malware detection, respectively) to accelerate memory scanning procedures. To do so, we present MINI-ME, the Malware Identification based on Near- and In-Memory Evaluation mechanism, a hardware-based AV accelerator that interrupts the program’s execution if malicious patterns are discovered in their memory. 
We prototyped MINI-ME in a simulator and tested it with a set of 21 thousand in-the-wild malware samples, which resulted in multiple signatures matching with less than 1% of performance overhead and rates of 100% detection, and zero false-positives and false-negatives.}, keywords = {antivirus, malware, pattern matching, processing in memory}, pubstate = {published}, tppubtype = {inproceedings} } Fileless malware are recent threats to computer systems that load directly into memory, and whose aim is to prevent anti-viruses (AVs) from successfully matching byte patterns against suspicious files written on disk. Their detection requires that software-based AVs continuously scan memory, which is expensive due to repeated locks and polls. However, research advances introduced near-memory and in-memory processing, which allow memory controllers to trigger basic computations without moving data to the CPU. In this paper, we address AVs performance overhead by moving them to the hardware, i.e., we propose instrumenting processors’ memory controller or smart memories (near- and in-memory malware detection, respectively) to accelerate memory scanning procedures. To do so, we present MINI-ME, the Malware Identification based on Near- and In-Memory Evaluation mechanism, a hardware-based AV accelerator that interrupts the program’s execution if malicious patterns are discovered in their memory. We prototyped MINI-ME in a simulator and tested it with a set of 21 thousand in-the-wild malware samples, which resulted in multiple signatures matching with less than 1% of performance overhead and rates of 100% detection, and zero false-positives and false-negatives. |
2018 |
Ceschin, Fabrício; Pinage, Felipe; Castilho, Marcos; Menotti, David; Oliveira, Luis S; Gregio, André The Need for Speed: An Analysis of Brazilian Malware Classifiers Journal Article IEEE Security Privacy, 16 (6), pp. 31-41, 2018, ISSN: 1540-7993. Abstract | Links | BibTeX | Tags: Brazilian malware classifers, Feature extraction, invasive software, learning (artificial intelligence), Machine learning, machine-learning systems, malware, malware classification, pattern classification, security, Security of data, Support vector machines @article{8636415, title = {The Need for Speed: An Analysis of Brazilian Malware Classifiers}, author = {Fabrício Ceschin and Felipe Pinage and Marcos Castilho and David Menotti and Luis S Oliveira and André Gregio}, url = {https://secret.inf.ufpr.br/papers/fabricio_needforspeed.pdf}, doi = {10.1109/MSEC.2018.2875369}, issn = {1540-7993}, year = {2018}, date = {2018-11-01}, journal = {IEEE Security Privacy}, volume = {16}, number = {6}, pages = {31--41}, abstract = {Using a dataset containing about 50,000 samples from Brazilian cyberspace, we show that relying solely on conventional machine-learning systems without taking into account the change of the subject's concept decreases the performance of classification, emphasizing the need to update the decision model immediately after concept drift occurs.}, keywords = {Brazilian malware classifers, Feature extraction, invasive software, learning (artificial intelligence), Machine learning, machine-learning systems, malware, malware classification, pattern classification, security, Security of data, Support vector machines}, pubstate = {published}, tppubtype = {article} } Using a dataset containing about 50,000 samples from Brazilian cyberspace, we show that relying solely on conventional machine-learning systems without taking into account the change of the subject's concept decreases the performance of classification, emphasizing the need to update the decision model immediately after 
concept drift occurs. |
Botacin, Marcus; De Geus, Paulo Lício; Grégio, André ACM Comput. Surv., 51 (4), pp. 69:1–69:34, 2018, ISSN: 0360-0300. Links | BibTeX | Tags: Binary analysis, HVM, introspection, malware, security, SMM @article{Botacin:2018:WWS:3236632.3199673, title = {Who Watches the Watchmen: A Security-focused Review on Current State-of-the-art Techniques, Tools, and Methods for Systems and Binary Analysis on Modern Platforms}, author = {Marcus Botacin and Paulo Lício {De Geus} and André Grégio}, url = {https://secret.inf.ufpr.br/papers/marcus-survey.pdf http://doi.acm.org/10.1145/3199673}, doi = {10.1145/3199673}, issn = {0360-0300}, year = {2018}, date = {2018-01-01}, journal = {ACM Comput. Surv.}, volume = {51}, number = {4}, pages = {69:1--69:34}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {Binary analysis, HVM, introspection, malware, security, SMM}, pubstate = {published}, tppubtype = {article} } |
Botacin, Marcus; De Geus, Paulo Lício; Grégio, André Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging Journal Article ACM Trans. Priv. Secur., 21 (1), pp. 4:1–4:30, 2018, ISSN: 2471-2566. Links | BibTeX | Tags: branch monitor, debug, malware, ROP @article{Botacin:2018:EBM:3171591.3152162, title = {Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging}, author = {Marcus Botacin and Paulo Lício {De Geus} and André Grégio}, url = {https://secret.inf.ufpr.br/papers/marcus-branch.pdf http://doi.acm.org/10.1145/3152162}, doi = {10.1145/3152162}, issn = {2471-2566}, year = {2018}, date = {2018-01-01}, journal = {ACM Trans. Priv. Secur.}, volume = {21}, number = {1}, pages = {4:1--4:30}, publisher = {ACM}, address = {New York, NY, USA}, keywords = {branch monitor, debug, malware, ROP}, pubstate = {published}, tppubtype = {article} } |