* update 2024-01-18 06:17:17

arXiv_db/Malware/2024.md

@@ -78,3 +78,39 @@
 
 </details>
 
+<details>
+
+<summary>2024-01-12 21:14:41 - MALIGN: Explainable Static Raw-byte Based Malware Family Classification using Sequence Alignment</summary>
+
+- *Shoumik Saha, Sadia Afroz, Atif Rahman*
+
+- `2111.14185v3` - [abs](http://arxiv.org/abs/2111.14185v3) - [pdf](http://arxiv.org/pdf/2111.14185v3)
+
+> For a long time, malware classification and analysis have been an arms-race between antivirus systems and malware authors. Though static analysis is vulnerable to evasion techniques, it is still popular as the first line of defense in antivirus systems. But most of the static analyzers failed to gain the trust of practitioners due to their black-box nature. We propose MAlign, a novel static malware family classification approach inspired by genome sequence alignment that can not only classify malware families but can also provide explanations for its decision. MAlign encodes raw bytes using nucleotides and adopts genome sequence alignment approaches to create a signature of a malware family based on the conserved code segments in that family, without any human labor or expertise. We evaluate MAlign on two malware datasets, and it outperforms other state-of-the-art machine learning based malware classifiers (by 4.49% - 0.07%), especially on small datasets (by 19.48% - 1.2%). Furthermore, we explain the generated signatures by MAlign on different malware families illustrating the kinds of insights it can provide to analysts, and show its efficacy as an analysis tool. Additionally, we evaluate its theoretical and empirical robustness against some common attacks. In this paper, we approach static malware analysis from a unique perspective, aiming to strike a delicate balance among performance, interpretability, and robustness.
+
+</details>
+
+<details>
+
+<summary>2024-01-13 20:03:11 - Discovering Command and Control Channels Using Reinforcement Learning</summary>
+
+- *Cheng Wang, Akshay Kakkar, Christopher Redino, Abdul Rahman, Ajinsyam S, Ryan Clark, Daniel Radke, Tyler Cody, Lanxiao Huang, Edward Bowen*
+
+- `2401.07154v1` - [abs](http://arxiv.org/abs/2401.07154v1) - [pdf](http://arxiv.org/pdf/2401.07154v1)
+
+> Command and control (C2) paths for issuing commands to malware are sometimes the only indicators of its existence within networks. Identifying potential C2 channels is often a manually driven process that involves a deep understanding of cyber tradecraft. Efforts to improve discovery of these channels through using a reinforcement learning (RL) based approach that learns to automatically carry out C2 attack campaigns on large networks, where multiple defense layers are in place serves to drive efficiency for network operators. In this paper, we model C2 traffic flow as a three-stage process and formulate it as a Markov decision process (MDP) with the objective to maximize the number of valuable hosts whose data is exfiltrated. The approach also specifically models payload and defense mechanisms such as firewalls which is a novel contribution. The attack paths learned by the RL agent can in turn help the blue team identify high-priority vulnerabilities and develop improved defense strategies. The method is evaluated on a large network with more than a thousand hosts and the results demonstrate that the agent can effectively learn attack paths while avoiding firewalls.
+
+</details>
+
+<details>
+
+<summary>2024-01-15 22:36:56 - The Pulse of Fileless Cryptojacking Attacks: Malicious PowerShell Scripts</summary>
+
+- *Said Varlioglu, Nelly Elsayed, Eva Ruhsar Varlioglu, Murat Ozer, Zag ElSayed*
+
+- `2401.07995v1` - [abs](http://arxiv.org/abs/2401.07995v1) - [pdf](http://arxiv.org/pdf/2401.07995v1)
+
+> Fileless malware predominantly relies on PowerShell scripts, leveraging the native capabilities of Windows systems to execute stealthy attacks that leave no traces on the victim's system. The effectiveness of the fileless method lies in its ability to remain operational on victim endpoints through memory execution, even if the attacks are detected, and the original malicious scripts are removed. Threat actors have increasingly utilized this technique, particularly since 2017, to conduct cryptojacking attacks. With the emergence of new Remote Code Execution (RCE) vulnerabilities in ubiquitous libraries, widespread cryptocurrency mining attacks have become prevalent, often employing fileless techniques. This paper provides a comprehensive analysis of PowerShell scripts of fileless cryptojacking, dissecting the common malicious patterns based on the MITRE ATT&CK framework.
+
+</details>
+