Computer Virus Advancement
John Lynch
Division of Science and Mathematics
University of Minnesota, Morris
Morris, Minnesota, USA
November 12, 2016, Morris, Minnesota
Lynch (U of Minn, Morris) Developing Computer Viruses November 2016, UMM 1 / 29
Overview Abstract
Abstract
Why would we make a virus?
We work at some company that we know isn’t the greatest.
Long hours, little pay, and Karen keeps taking your meals out of the fridge.
It’s time for payback with corporate sabotage.
Please don’t actually do this. This is an example with comedy.
Overview Outline
Outline
1 Introductions
2 Applications
3 Security
4 Conclusions
Overview Definitions
Background
Malware: Software that is created for malicious purposes against computer systems.
Computer Virus: One form of malware that self-replicates in a system.
Genetic Algorithms: A method for solving optimization by mimicking biological evolution.
Anti-Malware: Software developed to combat malicious software.
Introductions
Outline
1 Introductions
  Genetic Algorithms
  Computer viruses
2 Applications
3 Security
4 Conclusions
Introductions Genetic Algorithms
What it looks like
start
generate initial population
evaluate individual fitness, rank individual fitness
time to stop?
  yes: stop
  no: generate new population, then evaluate and rank again
method of evolution presented by Thomas Back
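The loop in the flowchart above, written out as an added example that is not from Lynch's slides or from Back's paper: a small genetic algorithm in Python that follows the same steps (generate an initial population, evaluate and rank fitness, ask whether it is time to stop, otherwise breed a new population). The bit-string encoding, the count-ones fitness function, truncation selection with elitism, one-point crossover and the mutation rate are assumptions chosen for illustration.

```python
import random
from typing import Callable, List, Tuple

Fitness = Callable[[str], float]


def generate_initial_population(size: int, length: int, rng: random.Random) -> List[str]:
    """Flowchart step 'generate initial population': random bit strings (assumed encoding)."""
    return ["".join(rng.choice("01") for _ in range(length)) for _ in range(size)]


def rank_population(population: List[str], fitness: Fitness) -> List[Tuple[float, str]]:
    """Flowchart step 'evaluate individual fitness, rank individual fitness': best first."""
    return sorted(((fitness(ind), ind) for ind in population), reverse=True)


def generate_new_population(ranked: List[Tuple[float, str]], rng: random.Random,
                            mutation_rate: float) -> List[str]:
    """Flowchart step 'generate new population'.

    Assumed operators: keep the best individual unchanged (elitism), draw parents
    from the top half, one-point crossover, then flip each bit with probability
    mutation_rate.  Assumes a population of at least 2 and strings of length >= 2.
    """
    size = len(ranked)
    parents = [ind for _, ind in ranked[: max(2, size // 2)]]
    children = [ranked[0][1]]  # elitism: the best survives untouched
    while len(children) < size:
        a, b = rng.sample(parents, 2)
        cut = rng.randrange(1, len(a))
        child = a[:cut] + b[cut:]
        child = "".join(
            ("1" if bit == "0" else "0") if rng.random() < mutation_rate else bit
            for bit in child
        )
        children.append(child)
    return children


def evolve(fitness: Fitness, length: int, target: float, size: int = 30,
           max_generations: int = 200, mutation_rate: float = 0.02,
           seed: int = 0) -> Tuple[str, float, int]:
    """Run the loop from the slide; returns (best individual, its fitness, generations used).

    'time to stop?' is answered yes when the best fitness reaches target or when
    the generation budget is spent.
    """
    rng = random.Random(seed)
    population = generate_initial_population(size, length, rng)
    for generation in range(max_generations):
        ranked = rank_population(population, fitness)
        best_fitness, best = ranked[0]
        if best_fitness >= target:  # time to stop? yes -> stop
            return best, best_fitness, generation
        # no -> generate new population and go round again
        population = generate_new_population(ranked, rng, mutation_rate)
    best_fitness, best = rank_population(population, fitness)[0]
    return best, best_fitness, max_generations


def count_ones(individual: str) -> int:
    """Constructed toy fitness: number of '1' bits, so the all-ones string is optimal."""
    return individual.count("1")


if __name__ == "__main__":
    best, score, generations = evolve(count_ones, length=20, target=20)
    print(f"best={best} fitness={score} generations={generations}")
```

The stopping rule is the only place the algorithm knows what "good enough" means; everything the talk later describes as genetically modifiable (names, payloads, method variants) would be a different encoding and fitness function plugged into the same loop.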
Introductions Computer viruses
Basic virus structure
parts: trigger, payload, infection mechanism
phases: dormant phase, propagation phase, trigger phase, execution phase
Introductions Computer viruses
Our Virus
supahVirus.bat: :swarmMeth, :mechMeth, goal
Applications to Viruses
Outline
1 Introductions
2 Applications
  Hiding in plain sight
  Faster from training
3 Security
4 Conclusions
Applications to Viruses Hiding in plain sight
How :swarmMeth works
This is used during the propagation phase. Return the copy of the virus. In Batch this would be creating a new terminal with the same function.
Applications to Viruses Hiding in plain sight
Simple :swarmMeth
swarmMeth() {
    initialize(thisVirus);
    while true do {
        return copy(thisVirus);
    }
}
Applications to Viruses Hiding in plain sight
Improving :swarmMeth
swarmMeth() {
    initialize(thisVirus);
    while true do {
        mutatedVirus = mutate(thisVirus);
        if mutatedVirus.name != thisVirus.name {
            initialize(mutatedVirus);
        }
    }
}
Applications to Viruses Hiding in plain sight
Names to change
Supahvirus.bat
Superbvirus.bat
youGetTheIdea.bat
Applications to Viruses Faster from training
Heuristic search
Where do we want to search first? What folders are more likely to have what we’re looking for? We need to sort out priorities.
Applications to Viruses Faster from training
Training our search
Begin training in offline search environments. Randomly create folders that simulate company computer file structures. Keep track of folder structures that consistently appear, and use those common occurrences.
method of training presented by Sadia Noreen et al. of next generation intelligent network research
Applications to Viruses Faster from training
How :mechMeth works
This is the infection mechanism. We move each new copy that we make with :swarmMeth.
Applications to Viruses Faster from training
Simple :mechMeth
mechMeth() {
    while true do {
        for each folder f in folders {
            if (f.name == "secretFolder") {
                copyAndTransfer(f);
            } else {
                into(swarmMeth, f);
            }
        }
    }
}
Applications to Viruses Faster from training
Improving :mechMeth
mechMeth() {
    folders = new priorityMap[heuristic]
    while true do {
        for each folder f in folders {
            if (f.name == "secretFolder") {
                copyAndTransfer(f)
            } else {
                swarmMeth()
                into(swarmMeth.mutatedVirus, f)
                initialize(mutatedVirus)
            }
        }
    }
}
Applications to Viruses Faster from training
What we can genetically modify
Names, each character that is put into the name of the virus.
Payload, different pictures or modifications to files.
Variations of methods, changing what the methods do and how they do it.
Security
Outline
1 Introductions
2 Applications
3 Security
  Detecting machine generated malware
  Different bases of defense
4 Conclusions
Security Detecting machine generated malware
Basic anti-malware
Does it have a bad name?
Why do these programs have the same name in process and action?
Where did the processing power go?
“If you see something, say something.” McGruff the Crime Dog, all rights reserved.
Security Detecting machine generated malware
Anti-malware based on signatures
What programs running are doing the same thing?
Are the processes using similar power?
Are there similar code structures that reappear?
Where did all these processes come from?
Different name, but we know it’s the same game.
Signature detection based on research by Kandissounon and Chouchane of Columbus University
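The questions on this slide and on the “Basic anti-malware” slide before it, turned into code as an added example that is not from the slides and is not the Kandissounon and Chouchane method: a toy “different name, same game” check. Each running script is reduced to a structural signature that keeps commands and punctuation but abstracts identifiers and literals, so renamed copies of the kind :swarmMeth produces (Supahvirus.bat, Superbvirus.bat, youGetTheIdea.bat) collapse onto one signature, and the group’s combined CPU share answers “where did the processing power go?”. The tokenizer, the command list, the sample scripts and the process table are all constructed for this example.

```python
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed: Batch commands and keywords are kept verbatim in the signature;
# everything else is abstracted so that renaming cannot change the shape.
COMMANDS = {"set", "echo", "for", "in", "do", "goto", "call", "if", "else",
            "exist", "not", "xcopy", "copy", "move", "start", "exit"}
# quoted string | word (identifier or number) | single punctuation character
TOKEN_RE = re.compile(r'"[^"]*"|\w+|[^\s\w]')


def structural_signature(source: str) -> str:
    """Hash of the token shape: commands and punctuation kept, identifiers -> ID,
    quoted strings and numbers -> LIT.  Two scripts that differ only in names,
    labels, variable names or constants get the same signature."""
    shape = []
    for tok in TOKEN_RE.findall(source):
        if tok.startswith('"') or tok.isdigit():
            shape.append("LIT")
        elif tok.lower() in COMMANDS:
            shape.append(tok.lower())
        elif re.fullmatch(r"\w+", tok):
            shape.append("ID")
        else:
            shape.append(tok)
    return hashlib.sha256(" ".join(shape).encode()).hexdigest()[:16]


# Constructed samples: three copies of one harmless looping script that differ
# only in names and words, plus one unrelated backup script.
SCRIPT_A = r"""
:loopA
set who=supah
echo %who% running
for %%f in (docs pics) do echo checking %%f
goto loopA
"""
SCRIPT_B = r"""
:again
set me=superb
echo %me% active
for %%d in (music mail) do echo scanning %%d
goto again
"""
SCRIPT_C = r"""
:spin
set tag=idea
echo %tag% alive
for %%x in (a b) do echo peeking %%x
goto spin
"""
BACKUP = r"""
set src=C:\work
echo backing up %src%
xcopy %src% D:\backup /E
"""

# Constructed process table: (pid, image name, script source, cpu percent).
PROCESSES: List[Tuple[int, str, str, float]] = [
    (1201, "Supahvirus.bat", SCRIPT_A, 14.0),
    (1202, "Superbvirus.bat", SCRIPT_B, 13.5),
    (1203, "youGetTheIdea.bat", SCRIPT_C, 15.2),
    (1310, "nightly_backup.bat", BACKUP, 2.1),
]


def find_same_game(processes: List[Tuple[int, str, str, float]],
                   min_group: int = 2) -> List[Dict]:
    """Group running scripts by structural signature and report every group that
    has several members under more than one image name, together with the
    combined CPU share of the group."""
    groups: Dict[str, List[Tuple[int, str, float]]] = defaultdict(list)
    for pid, name, source, cpu in processes:
        groups[structural_signature(source)].append((pid, name, cpu))
    findings = []
    for sig, members in groups.items():
        names = sorted({name for _, name, _ in members})
        if len(members) >= min_group and len(names) > 1:
            findings.append({
                "signature": sig,
                "names": names,
                "pids": sorted(pid for pid, _, _ in members),
                "cpu_total": round(sum(cpu for _, _, cpu in members), 1),
            })
    return findings


if __name__ == "__main__":
    for finding in find_same_game(PROCESSES):
        print(finding)
```

A real signature engine abstracts more than names (it would also normalise instruction order or control flow), and the CPU share is only a hint on its own; the point of the toy is that per-file names are the cheapest thing for a mutating virus to change, so a defence that keys on structure plus behaviour survives the renaming that a name-based check does not.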
Security Different bases of defense
Defenses
User diligence
Can the user see when and where there is a malicious process?
How long until a user can take action?
Does a user have the power to override ongoing processes?
Anti-malware diligence
When does the anti-malware notice something is amiss?
Does the anti-malware throttle processes that seem malicious?
Can the anti-malware defend against its own destruction?
Can the anti-malware alert the user?
Defenses presented by Yang Wang and Chenxi Wang, Carnegie Mellon University
Conclusions
Outline
1 Introductions
2 Applications
3 Security
4 Conclusions
  Results
  What we’ve learned
Conclusions Results
Results
Several studies have been conducted on evolving malware and anti-malware. Both malware and anti-malware are improvable by these processes.
A study introduced evolving malware with basic and signature-based anti-malware. Evolution-based programs significantly improved the efficiency of both malware and anti-malware.
See references for more details on the exactness of the studies (Sadia Noreen et al.).
Conclusions What we’ve learned
What we’ve learned
Evolutionary computation may be the cornerstone of improvement to malware and anti-malware as we make advances in computer science.
Each new generation of viruses and anti-malware will only become stronger in their efforts to accomplish whatever goals they set.
As viruses are constructed to spread, they gain strength from having more than one utility at their disposal.
Conclusions What we’ve learned
Thanks!
Thank you for your time and don’t do what I just talked about. I may have made several watch-lists. Special thanks to Elena Machkasova, Kristin Lamberty, Nic Mcphee, and my reviewer for putting up with me.
Contact:
Questions?
References
Sadia Noreen et al., “Evolvable Malware”, GECCO ’09: Proceedings of the 11th Annual Conference on Genetic and Evolutionary Computation, pages 1569-1576, Canada.
Yang Wang and Chenxi Wang, “Modeling the Effects of Timing Parameters on Virus Propagation”, WORM ’03: Proceedings of the 2003 ACM Workshop on Rapid Malcode, pages 61-66, Washington, DC.
Andrea Cani et al., “Towards Automated Malware Creation: Code Generation and Code Integration”, SAC ’14: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pages 157-160, Torino, Italy.
Kandissounon and Chouchane, “A Method for Detecting Machine-generated Malware”, ACM-SE ’11: Proceedings of the 49th Annual Southeast Regional Conference, Kennesaw, Georgia.
Thomas Back, “Evolution Strategies: Basic Introduction”, GECCO ’13 Companion: Proceedings of the 15th Annual Conference Companion on Genetic and Evolutionary Computation, pages 265-292, New York, NY.
See my senior seminar paper for additional references.