Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform

Ahmed Elmesiry; Mirela Sertovic; Mamoun Qasem

doi:10.1007/978-3-030-76352-7_54

Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform

Ahmed Elmesiry, Mirela Sertovic, Mamoun Qasem

Computing, Cybersecurity, Mathematics and Informatics Research and Innovation Group

Research output: Chapter in Book/Report/Conference proceeding › Chapter › peer-review

Abstract

The rising cyber threat puts organizations and ordinary users at risk of data breaches. In many cases, Early detection can hinder the occurrence of these incidents or even prevent a full compromise of all internal systems. The existing security controls such as firewalls and intrusion prevention systems are constantly blocking numerous intrusions attempts that happen on a daily basis. However, new situations may arise where these security controls are not sufficient to provide full protection. There is a necessity to establish a threat hunting methodology that can assist investigators and members of the incident response team to analyse malicious binaries quickly and efficiently. The methodology proposed in this research is able to distinguish malicious binaries from benign binaries using a quick and efficient methodology. The proposed methodology consists of static and dynamic hunting techniques. Using these hunting techniques, the proposed methodology is not only capable of identifying a range of signature-based anomalies but also to pinpoint behavioural anomalies that arise in the operating system when malicious binaries are triggered. Static hunting can describe any extracted artifacts as malicious depending on a set of pre-defined patterns of malicious software. Dynamic hunting can assist investigators in finding behavioural anomalies. This work focuses on applying the proposed threat hunting methodology on samples of malicious binaries, which can be found in common malware repositories and presenting the results

Original language	English
Title of host publication	Lecture Notes in Computer Science
Editors	Hakim Hacid, Fatma Outay, Hye-young Paik, Amira Alloum, Marinella Petrocchi, Mohamed Reda Bouadjenek, Amin Beheshti, Xumin Liu, Abderrahmane Maaradji
Place of Publication	Service-Oriented Computing – ICSOC 2020 Workshops
Publisher	Springer
Pages	627-641
Number of pages	15
Volume	12632
Edition	1
ISBN (Electronic)	978-3-030-76352-7
ISBN (Print)	978-3-030-76351-0
DOIs	https://doi.org/10.1007/978-3-030-76352-7_54
Publication status	Published - 30 May 2021

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12632 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Keywords

Malicious Binaries
Malware
Threat Hunting
Digital Investigations

Access to Document

10.1007/978-3-030-76352-7_54

Cite this

Elmesiry, A., Sertovic, M., & Qasem, M. (2021). Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform. In H. Hacid, F. Outay, H. Paik, A. Alloum, M. Petrocchi, M. R. Bouadjenek, A. Beheshti, X. Liu, & A. Maaradji (Eds.), Lecture Notes in Computer Science (1 ed., Vol. 12632, pp. 627-641). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12632 LNCS). Springer. https://doi.org/10.1007/978-3-030-76352-7_54

Elmesiry, Ahmed ; Sertovic, Mirela ; Qasem, Mamoun. / Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform. Lecture Notes in Computer Science. editor / Hakim Hacid ; Fatma Outay ; Hye-young Paik ; Amira Alloum ; Marinella Petrocchi ; Mohamed Reda Bouadjenek ; Amin Beheshti ; Xumin Liu ; Abderrahmane Maaradji. Vol. 12632 1. ed. Service-Oriented Computing – ICSOC 2020 Workshops : Springer, 2021. pp. 627-641 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inbook{3a6b6cddeaa448e3906c6a4e02aa391d,

title = "Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform",

abstract = "The rising cyber threat puts organizations and ordinary users at risk of data breaches. In many cases, Early detection can hinder the occurrence of these incidents or even prevent a full compromise of all internal systems. The existing security controls such as firewalls and intrusion prevention systems are constantly blocking numerous intrusions attempts that happen on a daily basis. However, new situations may arise where these security controls are not sufficient to provide full protection. There is a necessity to establish a threat hunting methodology that can assist investigators and members of the incident response team to analyse malicious binaries quickly and efficiently. The methodology proposed in this research is able to distinguish malicious binaries from benign binaries using a quick and efficient methodology. The proposed methodology consists of static and dynamic hunting techniques. Using these hunting techniques, the proposed methodology is not only capable of identifying a range of signature-based anomalies but also to pinpoint behavioural anomalies that arise in the operating system when malicious binaries are triggered. Static hunting can describe any extracted artifacts as malicious depending on a set of pre-defined patterns of malicious software. Dynamic hunting can assist investigators in finding behavioural anomalies. This work focuses on applying the proposed threat hunting methodology on samples of malicious binaries, which can be found in common malware repositories and presenting the results",

keywords = "Malicious Binaries, Malware, Threat Hunting, Digital Investigations",

author = "Ahmed Elmesiry and Mirela Sertovic and Mamoun Qasem",

note = "Publisher Copyright: {\textcopyright} 2021, Springer Nature Switzerland AG.",

year = "2021",

month = may,

day = "30",

doi = "10.1007/978-3-030-76352-7_54",

language = "English",

isbn = "978-3-030-76351-0",

volume = "12632",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "627--641",

editor = "Hakim Hacid and Fatma Outay and Hye-young Paik and Amira Alloum and Marinella Petrocchi and Bouadjenek, {Mohamed Reda} and Amin Beheshti and Xumin Liu and Abderrahmane Maaradji",

booktitle = "Lecture Notes in Computer Science",

address = "Germany",

edition = "1",

}

Elmesiry, A, Sertovic, M & Qasem, M 2021, Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform. in H Hacid, F Outay, H Paik, A Alloum, M Petrocchi, MR Bouadjenek, A Beheshti, X Liu & A Maaradji (eds), Lecture Notes in Computer Science. 1 edn, vol. 12632, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12632 LNCS, Springer, Service-Oriented Computing – ICSOC 2020 Workshops, pp. 627-641. https://doi.org/10.1007/978-3-030-76352-7_54

Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform. / Elmesiry, Ahmed; Sertovic, Mirela; Qasem, Mamoun.
Lecture Notes in Computer Science. ed. / Hakim Hacid; Fatma Outay; Hye-young Paik; Amira Alloum; Marinella Petrocchi; Mohamed Reda Bouadjenek; Amin Beheshti; Xumin Liu; Abderrahmane Maaradji. Vol. 12632 1. ed. Service-Oriented Computing – ICSOC 2020 Workshops: Springer, 2021. p. 627-641 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12632 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Chapter › peer-review

TY - CHAP

T1 - Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform

AU - Elmesiry, Ahmed

AU - Sertovic, Mirela

AU - Qasem, Mamoun

PY - 2021/5/30

Y1 - 2021/5/30

N2 - The rising cyber threat puts organizations and ordinary users at risk of data breaches. In many cases, Early detection can hinder the occurrence of these incidents or even prevent a full compromise of all internal systems. The existing security controls such as firewalls and intrusion prevention systems are constantly blocking numerous intrusions attempts that happen on a daily basis. However, new situations may arise where these security controls are not sufficient to provide full protection. There is a necessity to establish a threat hunting methodology that can assist investigators and members of the incident response team to analyse malicious binaries quickly and efficiently. The methodology proposed in this research is able to distinguish malicious binaries from benign binaries using a quick and efficient methodology. The proposed methodology consists of static and dynamic hunting techniques. Using these hunting techniques, the proposed methodology is not only capable of identifying a range of signature-based anomalies but also to pinpoint behavioural anomalies that arise in the operating system when malicious binaries are triggered. Static hunting can describe any extracted artifacts as malicious depending on a set of pre-defined patterns of malicious software. Dynamic hunting can assist investigators in finding behavioural anomalies. This work focuses on applying the proposed threat hunting methodology on samples of malicious binaries, which can be found in common malware repositories and presenting the results

AB - The rising cyber threat puts organizations and ordinary users at risk of data breaches. In many cases, Early detection can hinder the occurrence of these incidents or even prevent a full compromise of all internal systems. The existing security controls such as firewalls and intrusion prevention systems are constantly blocking numerous intrusions attempts that happen on a daily basis. However, new situations may arise where these security controls are not sufficient to provide full protection. There is a necessity to establish a threat hunting methodology that can assist investigators and members of the incident response team to analyse malicious binaries quickly and efficiently. The methodology proposed in this research is able to distinguish malicious binaries from benign binaries using a quick and efficient methodology. The proposed methodology consists of static and dynamic hunting techniques. Using these hunting techniques, the proposed methodology is not only capable of identifying a range of signature-based anomalies but also to pinpoint behavioural anomalies that arise in the operating system when malicious binaries are triggered. Static hunting can describe any extracted artifacts as malicious depending on a set of pre-defined patterns of malicious software. Dynamic hunting can assist investigators in finding behavioural anomalies. This work focuses on applying the proposed threat hunting methodology on samples of malicious binaries, which can be found in common malware repositories and presenting the results

KW - Malicious Binaries

KW - Malware

KW - Threat Hunting

KW - Digital Investigations

U2 - 10.1007/978-3-030-76352-7_54

DO - 10.1007/978-3-030-76352-7_54

M3 - Chapter

SN - 978-3-030-76351-0

VL - 12632

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 627

EP - 641

BT - Lecture Notes in Computer Science

A2 - Hacid, Hakim

A2 - Outay, Fatma

A2 - Paik, Hye-young

A2 - Alloum, Amira

A2 - Petrocchi, Marinella

A2 - Bouadjenek, Mohamed Reda

A2 - Beheshti, Amin

A2 - Liu, Xumin

A2 - Maaradji, Abderrahmane

PB - Springer

CY - Service-Oriented Computing – ICSOC 2020 Workshops

ER -

Elmesiry A, Sertovic M, Qasem M. Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform. In Hacid H, Outay F, Paik H, Alloum A, Petrocchi M, Bouadjenek MR, Beheshti A, Liu X, Maaradji A, editors, Lecture Notes in Computer Science. 1 ed. Vol. 12632. Service-Oriented Computing – ICSOC 2020 Workshops: Springer. 2021. p. 627-641. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-76352-7_54

Efficient Threat Hunting Methodology for Analyzing Malicious Binaries in Windows Platform

Abstract

Publication series

Keywords

Access to Document

Fingerprint

Cite this