A Framework for Evaluating Malware and Countermeasures with an Analytical Approach based on the Game Theory Case Study: Actors' Actions Based on Environmental Evidence

Document Type: Original Article

Authors

1 Instructor, Faculty of Computer and Cyber Power, Imam Hossein University (AS), Tehran, Iran

2 Assistant Professor, Faculty of Computer and Cyber Power, Imam Hossein University (AS), Tehran, Iran

Abstract

Malware, with its multiple actors and diverse targets, is one of the most serious threats to cyberspace. Among the most important challenges for malware analysis systems are the breadth of possible malware and countermeasure actions, the evaluation of the actors' actions, and the extraction of the actors' effective actions. This paper presents a four-layer framework for extracting the effective actions of malware actors using a game-theoretic approach. In the first layer, the actions of the attacker and the defender, together with their parameters, are defined and determined on the basis of environmental evidence; in the second layer, the actors' activities are extracted by applying abstraction techniques to those actions. In the third and fourth layers, the actors' activities are modeled and analyzed in a scenario-centric manner using game theory. The effective options of the actors and the optimal equilibrium states of the games are extracted on the basis of 13 defined measures. The proposed framework is modeled and evaluated on a case study comprising 12 offensive and 12 defensive activities in three games, with the actors' activities extracted from their actions. The results identify 3 effective activities for the attacker and 2 for the defender, and the participation rates of these activities in the basic and optimal equilibrium states are 83% and 100%, respectively. Reducing the game space, evaluating actions, and extracting the actors' effective actions and optimal equilibrium states are among the benefits of the proposed framework.
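As an added illustration of the third and fourth layers (modeling the actors' activities as a game and extracting equilibrium states), the following Python example is not code from the paper and does not implement its 13 measures or its case study. It builds a small attacker/defender normal-form game with constructed payoffs, applies a lossless abstraction step that merges attacker activities with identical payoff rows (standing in for the second layer), enumerates pure-strategy Nash equilibria, keeps the Pareto-optimal ones as a stand-in for "optimal equilibrium states", and reports which activities take part in equilibria and at what rate. The activity names, the payoff values, and the specific equilibrium and optimality notions are all assumptions made for this example.

```python
from itertools import product
from typing import Dict, List, Tuple

Payoff = Tuple[int, int]   # (attacker payoff, defender payoff)
State = Tuple[str, str]    # (attacker activity, defender activity)

# Constructed payoff table (assumed values for illustration only; not the
# paper's data, activities or measures). Rows are attacker activities,
# columns are defender analysis activities, entries are (attacker, defender).
ATTACKER = ["anti-debug", "anti-vm", "sleep-trigger", "sleep-trigger-alt"]
DEFENDER = ["debugger", "sandbox", "bare-metal"]
PAYOFF: List[List[Payoff]] = [
    [(1, 1), (-2, 3), (-1, 4)],   # anti-debug
    [(2, 3), (1, 1),  (-2, 2)],   # anti-vm
    [(0, 2), (0, 2),  (-1, 5)],   # sleep-trigger
    [(0, 2), (0, 2),  (-1, 5)],   # sleep-trigger-alt: same payoffs as sleep-trigger
]


def abstract_rows(names: List[str], payoff: List[List[Payoff]]):
    """Abstraction step: merge attacker activities whose payoff rows are identical.
    This is lossless for pure-strategy analysis and shrinks the game space.
    Returns (kept names, kept rows, mapping original name -> representative)."""
    seen: Dict[tuple, str] = {}
    kept_names, kept_rows, mapping = [], [], {}
    for name, row in zip(names, payoff):
        key = tuple(row)
        if key in seen:
            mapping[name] = seen[key]
            continue
        seen[key] = name
        mapping[name] = name
        kept_names.append(name)
        kept_rows.append(row)
    return kept_names, kept_rows, mapping


def pure_nash_equilibria(att: List[str], dfn: List[str], payoff: List[List[Payoff]]) -> List[State]:
    """A state (i, j) is a pure-strategy Nash equilibrium when activity i is a best
    response of the attacker to j and j is a best response of the defender to i."""
    equilibria = []
    for i, j in product(range(len(att)), range(len(dfn))):
        att_best = max(payoff[r][j][0] for r in range(len(att)))
        def_best = max(payoff[i][c][1] for c in range(len(dfn)))
        if payoff[i][j][0] == att_best and payoff[i][j][1] == def_best:
            equilibria.append((att[i], dfn[j]))
    return equilibria


def pareto_optimal(states: List[State], att, dfn, payoff) -> List[State]:
    """Keep the equilibria that are not weakly dominated by another equilibrium."""
    def pay(s: State) -> Payoff:
        return payoff[att.index(s[0])][dfn.index(s[1])]
    kept = []
    for s in states:
        ps = pay(s)
        dominated = any(pay(o)[0] >= ps[0] and pay(o)[1] >= ps[1] and pay(o) != ps
                        for o in states if o != s)
        if not dominated:
            kept.append(s)
    return kept


def effective_activities(states: List[State]):
    """Activities of each actor that take part in at least one equilibrium state."""
    return sorted({a for a, _ in states}), sorted({d for _, d in states})


def participation_rate(states: List[State], subset, actor: int) -> float:
    """Percentage of equilibrium states in which the given actor (0 = attacker,
    1 = defender) plays an activity from `subset`."""
    if not states:
        return 0.0
    hits = sum(1 for s in states if s[actor] in subset)
    return round(100.0 * hits / len(states), 1)


def analyse(att=ATTACKER, dfn=DEFENDER, payoff=PAYOFF) -> dict:
    """Run abstraction, equilibrium extraction and evaluation on one game."""
    att_r, pay_r, _ = abstract_rows(att, payoff)
    basic = pure_nash_equilibria(att_r, dfn, pay_r)
    optimal = pareto_optimal(basic, att_r, dfn, pay_r)
    return {
        "activities": (len(att_r), len(dfn)),
        "basic": basic,
        "optimal": optimal,
        "effective": effective_activities(basic),
        # share of basic equilibria whose attacker activity also appears in an optimal one
        "rate_optimal_in_basic": participation_rate(basic, {a for a, _ in optimal}, 0),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

With the constructed payoffs the abstraction reduces four attacker activities to three, three pure equilibria remain, two of them are Pareto-optimal, and two of the three attacker activities that appear in the basic equilibria also appear in the optimal ones; swapping in a different payoff table or a different optimality criterion changes only the constants and `pareto_optimal`.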

Keywords



Volume 10, Issue 1 - Serial Number 37
Serial No. 37, Spring Quarterly
May 2022
Pages 47-71
  • Receive Date: 03 May 2021
  • Revise Date: 13 August 2021
  • Accept Date: 13 December 2021
  • Publish Date: 22 May 2022