Protecting from Malware Obfuscation Attacks through Adversarial Risk Analysis

Authors: Alberto Redondo and David Ríos Insua (ICMAT-CSIC).

Source: Risk Analysis

Date of publication: 21 July 2020



The digital era is bringing along new global threats, among which cybersecurity-related ones emerge as truly worrisome. The operation of critical cyber infrastructures relies on components that could be cyber attacked, both incidentally and intentionally, suffering major performance degradation. A key concern is malware (short for malicious software) which, according to ENISA, is among the top threats in the cybersecurity landscape. Indeed, malware in its many forms (including trojans, worms, viruses, spyware and adware) affects millions of hosts each year. Moreover, the negative impacts of such threats may include not only purely financial costs but also, in the case of cyber-physical systems, deaths and injuries, as well as stolen personally identifiable information or business secrets in enterprise systems.

Detection systems are important components of cybersecurity risk management frameworks. Until relatively recently, anti-malware tools based on scanning file signatures recognized most malware. However, these tools are much less effective nowadays because of the continuous changes introduced in malware. In particular, a prominent attacking strategy through malware is obfuscation, which designates a group of procedures that make a malware binary harder for anti-malware tools to detect; current obfuscation techniques have become really sophisticated. A few approaches have been used to detect obfuscation attacks, but they tend to ignore the fact that adaptive adversaries are behind such attacks.

The paper under review proposes a global methodology to protect from obfuscation attacks based on Adversarial Risk Analysis (ARA). First, a general hybrid framework for malware detection is presented, serving as an initial benchmark. The authors then illustrate the problems entailed by metamorphic malware, which render standard detection methods less effective. Next, the proposed ARA model to detect obfuscation attacks is presented. Its effectiveness and advantages are illustrated over several examples.
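The ARA decision step that the summary refers to, in a deliberately simplified form as an added example (this is not the paper's own model): the defender chooses a detection configuration, the attacker observes it and decides whether to obfuscate, and the defender handles its uncertainty about the attacker's gain and obfuscation effort by simulating the attacker's decision. Every detection probability, cost and prior below is a constructed assumption chosen only to make the mechanics visible.

```python
"""Toy Adversarial Risk Analysis (ARA) for a malware-obfuscation setting.
Added illustration, not the paper's model: the defender picks a detection
configuration; the attacker, who observes it, then decides whether to obfuscate."""
import random

# Assumed detection probabilities DETECT[defense][attack]; all values constructed.
DETECT = {
    "signature_only": {"plain": 0.95, "obfuscated": 0.20},
    "hybrid":         {"plain": 0.97, "obfuscated": 0.75},
}
DEFENSE_COST = {"signature_only": 0.0, "hybrid": 10.0}  # cost of running each tool
LOSS_IF_MISSED = 100.0                                   # defender loss when malware slips through


def attacker_action(defense, gain, obf_cost):
    """Attacker's best response given the defense and her private gain/cost values."""
    eu = {a: (1.0 - DETECT[defense][a]) * gain - (obf_cost if a == "obfuscated" else 0.0)
          for a in ("plain", "obfuscated")}
    return max(eu, key=eu.get)


def attack_probability(defense, n=20000, seed=1):
    """ARA step: estimate P(attacker obfuscates | defense) by Monte Carlo over the
    defender's uncertainty about the attacker's gain and obfuscation effort."""
    rng = random.Random(seed)
    obfuscated = 0
    for _ in range(n):
        gain = rng.uniform(5.0, 15.0)      # assumed prior on attacker gain if undetected
        obf_cost = rng.uniform(0.0, 4.0)   # assumed prior on obfuscation effort
        obfuscated += attacker_action(defense, gain, obf_cost) == "obfuscated"
    return obfuscated / n


def expected_utility(defense, p_obf):
    """Defender's expected utility: tool cost plus expected loss from missed malware."""
    p_miss = (p_obf * (1.0 - DETECT[defense]["obfuscated"])
              + (1.0 - p_obf) * (1.0 - DETECT[defense]["plain"]))
    return -DEFENSE_COST[defense] - p_miss * LOSS_IF_MISSED


def best_defense():
    """Return (chosen defense, scores) maximising utility against the adaptive attacker."""
    scores = {d: expected_utility(d, attack_probability(d)) for d in DETECT}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    choice, scores = best_defense()
    print("ARA choice:", choice, {d: round(s, 2) for d, s in scores.items()})
```

The point the simulation makes is the one the summary raises: the attacker's obfuscation rate is not a fixed input but changes with the defense chosen, so a risk analysis that treats it as constant misprices the signature-only option.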