PhD Dissertation Defense - Kul Prasad Subedi
A Framework for Analyzing Advanced Malware and Software
Kul Prasad Subedi, PhD Candidate
Monday, July 2, 2018, 11:00 am
Dunn Hall 311
Vulnerabilities in software, whether malicious or benign, are a major concern in every sector. My research broadly focuses on security testing of software, including malware. Malware is malicious software (viruses, trojan horses, rootkits, bootkits, worms, scareware, ransomware, and spyware) that harms computers, networks, or users. Over the last few years, ransomware attacks have become prevalent alongside the increased use of cryptocurrencies. The first part of my research covers a strategy for recovering from ransomware attacks by backing up critical information in the spare space of a storage device. In this work I designed RDS3, a novel Ransomware Defense Strategy in which data are Stealthily backed up in the Spare space of a computing device, so that data encrypted by ransomware can be restored. The key concept is that unused space can hold a backup of critical data that is fully isolated from the system; because that space is not reachable from the system, no ransomware can "touch" the backup regardless of the privilege it obtains. Security analysis and experimental evaluation show that RDS3 can mitigate ransomware attacks with acceptable overhead.
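The isolation argument above, as an added simulation that is not RDS3's own code: a device model exposes only logical block addresses to the host, keeps a spare region that has no address at all, and preserves a critical block's contents there when it is first overwritten. The copy-on-first-overwrite policy, the checkpoint()/restore() management path, the 16-byte block size and the sample document are assumptions made for this example; the real design's mechanism is not described on this page.

```python
"""Simplified model of the spare-space isolation idea (added example, not RDS3's code).

Everything on the host, including ransomware that has gained administrator
privileges, reaches the device only through read()/write() on logical block
addresses (LBAs). The spare region has no LBA, so no host-side code can address
it. Two design details are assumptions made for this example only: the device
preserves a critical block's contents on its first overwrite after a checkpoint,
and checkpoint()/restore() live on an out-of-band management path that host
software cannot call.
"""

BLOCK_SIZE = 16


class SpareSpaceDevice:
    def __init__(self, visible_blocks: int, spare_blocks: int) -> None:
        self._visible = [bytes(BLOCK_SIZE)] * visible_blocks  # host-addressable
        self._spare = [bytes(BLOCK_SIZE)] * spare_blocks      # no LBA, device-internal
        self._critical = set()   # LBAs the owner asked the device to protect
        self._spare_map = {}     # LBA -> slot in the spare region
        self._free_slot = 0

    # -- host-facing interface: the only path the OS and any malware on it have --
    @property
    def capacity(self) -> int:
        return len(self._visible)

    def read(self, lba: int) -> bytes:
        self._check(lba)
        return self._visible[lba]

    def write(self, lba: int, data: bytes) -> None:
        self._check(lba)
        if len(data) != BLOCK_SIZE:
            raise ValueError("writes are whole blocks")
        # Firmware policy (assumed): keep the pre-overwrite contents of a critical
        # block the first time it changes after the last checkpoint. A second write
        # by the attacker cannot evict that copy, because only checkpoint() can.
        if lba in self._critical and lba not in self._spare_map:
            if self._free_slot >= len(self._spare):
                raise OSError("spare region exhausted; refusing to overwrite critical block")
            self._spare[self._free_slot] = self._visible[lba]
            self._spare_map[lba] = self._free_slot
            self._free_slot += 1
        self._visible[lba] = data

    def _check(self, lba: int) -> None:
        if not 0 <= lba < len(self._visible):
            raise IndexError(f"LBA {lba} is outside the addressable range")

    # -- out-of-band management path (assumed unreachable from the host OS) --
    def tag_critical(self, lba: int) -> None:
        self._check(lba)
        self._critical.add(lba)

    def checkpoint(self) -> None:
        """Forget held copies; the next overwrite of each critical block is preserved."""
        self._spare_map.clear()
        self._free_slot = 0

    def restore(self, lba: int) -> bool:
        slot = self._spare_map.get(lba)
        if slot is None:
            return False
        self._visible[lba] = self._spare[slot]
        return True


def ransomware_encrypts_everything(dev: SpareSpaceDevice) -> bool:
    """Constructed attacker with unrestricted use of the block interface.

    Encrypts every visible block twice with different keys (so the second pass
    is not simply a decrypt of the first), then probes one LBA past the end
    looking for anything hidden. Returns True if that probe was refused."""
    for key in (0x5A, 0xA5):
        for lba in range(dev.capacity):
            dev.write(lba, bytes(b ^ key for b in dev.read(lba)))
    try:
        dev.write(dev.capacity, bytes(BLOCK_SIZE))
    except IndexError:
        return True
    return False


def demo() -> dict:
    dev = SpareSpaceDevice(visible_blocks=8, spare_blocks=4)
    document = b"QUARTERLY_LEDGER"          # 16 bytes, constructed critical data
    dev.write(3, document)
    dev.tag_critical(3)
    dev.checkpoint()                          # owner's pre-infection state
    probe_refused = ransomware_encrypts_everything(dev)
    encrypted = dev.read(3) != document
    recovered = dev.restore(3) and dev.read(3) == document
    return {"probe_refused": probe_refused, "encrypted": encrypted, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes is where the trust boundary sits: the attacker's privilege level on the host never enters the picture, because the only operations that could discard the held copy (checkpoint) or read it back (restore) are not on the host-facing interface. What the model does not settle, and a real design has to, is how much spare capacity to reserve, how to choose which blocks count as critical, and what to do when the spare region fills up (this model refuses the write, which is safe for the data but visible to the attacker).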
Next, my research focused on understanding ransomware from both structural and behavioral perspectives in order to design CRDETECTOR, a Crypto-Ransomware DETECTOR. Reverse engineering and static analysis of executables or binary files is the common practice for identifying malware characteristics. Reverse engineering is performed on executables at different levels, such as raw binaries, assembly code, libraries, and function calls, to better analyze and interpret the purpose of code segments. In this work I applied data-mining techniques to correlate multi-level code components (derived from the reverse-engineering process) and find unique signatures that identify ransomware families. Such reverse engineering and analysis of code structure may not reveal the dynamic behavior of an executable, so I used a combined static and dynamic approach to better unveil the hidden intent of the program and generate association rules for detecting ransomware.
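The correlation step described above, as an added example that is not the dissertation's code: an Apriori-style search over a labelled corpus for the smallest combinations of multi-level components that appear only in the ransomware samples, scored as association rules with support and confidence. The corpus, the `lib:`/`api:`/`asm:` component naming, and the thresholds are constructed for this example; the page does not describe CRDETECTOR's feature set or parameters.

```python
"""Association-rule mining over multi-level code components (added example).

The corpus below is constructed for illustration; it is not data from the
dissertation, and the component names are only meant to look like what a
reverse-engineering pass would yield at three levels:
    lib:  imported library
    api:  imported or called function
    asm:  an instruction-level pattern (here a simplified opcode loop shape)
The mining itself is a plain Apriori-style enumeration of itemsets scored as
rules {components} -> ransomware.
"""
from itertools import combinations

SAMPLES = [
    # (label, components)   -- constructed, not real binaries
    ("ransomware", {"lib:advapi32", "api:CryptEncrypt", "api:CryptGenKey",
                    "api:FindFirstFileW", "api:DeleteFileW", "asm:xor-loop"}),
    ("ransomware", {"lib:advapi32", "api:CryptEncrypt", "api:CryptGenKey",
                    "api:FindFirstFileW", "api:MoveFileW", "asm:xor-loop"}),
    ("ransomware", {"lib:advapi32", "api:CryptEncrypt", "api:CryptAcquireContextW",
                    "api:FindFirstFileW", "api:DeleteFileW", "asm:rol-loop"}),
    # benign programs that share single components with the family above:
    ("benign", {"lib:advapi32", "api:CryptEncrypt", "api:CryptGenKey",
                "api:ReadFile", "asm:xor-loop"}),          # encrypts its own traffic
    ("benign", {"lib:kernel32", "api:FindFirstFileW", "api:DeleteFileW",
                "api:ReadFile"}),                          # a cleanup utility
    ("benign", {"lib:kernel32", "api:FindFirstFileW", "api:ReadFile",
                "asm:rol-loop"}),
]


def mine_rules(samples, target="ransomware", min_support=0.3,
               min_confidence=1.0, max_len=3):
    """Return minimal rules {itemset} -> target as (itemset, support, confidence).

    support    = fraction of all samples that contain the itemset and are `target`
    confidence = P(label == target | itemset present)
    A rule is dropped if a proper subset of it already qualifies, so the output
    is the set of smallest component combinations that are unique to the family.
    """
    n = len(samples)
    items = sorted({c for lbl, comps in samples if lbl == target for c in comps})
    rules = []
    for k in range(1, max_len + 1):
        for itemset in map(frozenset, combinations(items, k)):
            if any(prev < itemset for prev, _, _ in rules):
                continue                     # a more general rule already fires
            covered = [lbl for lbl, comps in samples if itemset <= comps]
            hits = sum(lbl == target for lbl in covered)
            if hits == 0:
                continue
            support, confidence = hits / n, hits / len(covered)
            if support >= min_support and confidence >= min_confidence:
                rules.append((itemset, support, confidence))
    return sorted(rules, key=lambda r: (-r[1], sorted(r[0])))


def matched_rules(rules, components):
    """Rules that fire on an unknown sample's component set."""
    return [r for r in rules if r[0] <= set(components)]


if __name__ == "__main__":
    for itemset, support, confidence in mine_rules(SAMPLES):
        print(f"{sorted(itemset)} -> ransomware  support={support:.2f} conf={confidence:.2f}")
```

On this corpus no single component is unique to the family (a VPN client also imports `CryptEncrypt`; a cleanup tool also enumerates and deletes files), but pairs that cross levels, such as `api:CryptEncrypt` together with `api:FindFirstFileW`, fire only on the ransomware samples. Behavioral features from a dynamic run would enter the same itemsets as one more level (for instance a `dyn:` prefix) without changing the algorithm. Confidence of 1.0 on six samples is, of course, not evidence of anything; on a real corpus the thresholds have to be tuned and the rules evaluated on held-out families.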