Deception, Digital Forensics, and Malware Minitrack

This minitrack will bring together papers from academia and practitioners that address current directions in deception, malware, and digital forensics. Digital forensics involves the exploration and investigation of digital media with the objective of finding evidence. Malware is software intended to damage a computer, mobile device, computer system, or computer network, or to take partial control over its operation. Deception includes technologies that hide their true identity or mission. These three topics are closely related as digital forensics techniques can be used to identify deception in technologies, malware can use deception to disguise what it is doing, digital forensics techniques can be used to identify the “real story” about what has occurred or will occur, digital forensic tools can use deception to “hide” what they are really doing, and attackers can use deception to hide from digital forensics tools.

We solicit papers in the following areas:

  • Deception (phishing, honeynet technologies, etc.)
  • Malware (reverse engineering, sandboxes, obfuscation, static and dynamic analysis, behavioral signatures, etc.)
  • Digital Forensics (tools, techniques, education, research, practice, etc.)
  • Papers that are “forward thinking” and identify approaches to solving the digital forensics challenges of the future

Minitrack Co-Chairs:

Kara Nance (Primary Contact)
University of Alaska Fairbanks

Matt Bishop
University of California, Davis


Recent Submissions

  • Implications of Malicious 3D Printer Firmware (2017-01-04)
    Moore, Samuel Bennett; Glisson, William Bradley; Yampolskiy, Mark
    The utilization of 3D printing technology within the manufacturing process creates an environment that is potentially conducive to malicious activity. Previous research in 3D printing focused on attack vector identification and intellectual property protection. This research develops and implements malicious code using Printrbot’s branch of the open source Marlin 3D printer firmware. Implementations of the malicious code were activated based on a specified printer command sent from a desktop application. The malicious firmware successfully ignored incoming print commands for a printed 3D model, substituted malicious print commands for an alternate 3D model, and manipulated extruder feed rates. The research contribution is three-fold. First, this research provides an initial assessment of potential effects malicious firmware can have on a 3D printed object. Second, it documents a potential vulnerability that impacts 3D product output using 3D printer firmware. Third, it provides foundational grounding for future research in malicious 3D printing process activities.
  • Discovering Malware with Time Series Shapelets (2017-01-04)
    Patri, Om; Wojnowicz, Michael; Wolff, Matt
    Malicious software (‘malware’) detection systems are usually signature-based and cannot stop attacks by malicious files they have never encountered. To stop these attacks, we need statistical learning approaches to identify root patterns behind execution of malware. We propose a machine learning approach for detection of malware from portable executable (PE) files. We create an ‘entropy time series’ representation of the content of each file, and then apply a unique time series classification method (called ‘shapelets’) for identifying malware. The shapelet-based approach picks up local discriminative features from the entropy signals. Our approach is file format agnostic, can deal with varying lengths in input instances, and provides fast classification. We evaluate our method on an industrial dataset containing thousands of executable files, and comparison with state-of-the-art methods illustrates the performance of our approach. This work is the first to use time series shapelets for malware detection and information security applications.
  • Automating the Generation of Enticing Text Content for High-Interaction Honeyfiles (2017-01-04)
    Whitham, Ben
    While advanced defenders have successfully used honeyfiles to detect unauthorized intruders and insider threats for more than 30 years, the complexity associated with adaptively devising enticing content has limited their diffusion. This paper presents four new designs for automating the construction of honeyfile content. The new designs select a document from the target directory as a template and employ word transposition and substitution based on parts of speech tagging and n-grams collected from both the target directory and the surrounding file system. These designs were compared to previous methods using a new theory to quantitatively evaluate honeyfile enticement. The new designs were able to successfully mimic the content from the target directory, whilst minimizing the introduction of material from other sources. The designs may also hold potential to match many of the characteristics of nearby documents, whilst minimizing the replication of copyrighted or classified material from documents they are protecting.
  • A Universal Windows Bootkit: An Analysis of the MBR Bootkit "HDRoot" (2017-01-04)
    Showalter, William
    In October 2015 Kaspersky released an analysis of the bootkit “HDRoot”. Their analysis highlighted mistakes in the bootkit, which made it ineffective at performing its task. Upon attempts to replicate that analysis, however, it appears that these conclusions were in error and the bootkit works with any Windows version in the last 16 years. HDRoot represents a serious commitment in time and effort to develop, and an in-depth analysis reveals the work of a significantly capable threat actor. The sample analyzed here dates to 2013, and is the same sample Kaspersky reports to have analyzed in their post. However, all evidence points to Kaspersky performing analysis with a 2006 sample, likely the reason for their conclusions. Additionally, mistakes made in reporting the capability of offensive software, provided without means to verify, hurt the security industry by misleading practitioners and limiting their ability for informed decision making.