Advanced Detection Tool for PDF Threats

Jerome, Quentin; Marchal, Samuel; State, Radu; Engel, Thomas

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Jerome, Quentin; Marchal, Samuel; State, Radu et al.

2013 • In Proceedings of the sixth International Workshop on Autonomous and Spontaneous Security, RHUL, Egham, U.K., 12th-13th September 2013

Peer reviewed

Permalink
https://hdl.handle.net/10993/13062

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

setop2013.pdf

Author preprint (464.79 kB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

PDF files; malware detection; machine learning

Abstract :

[en] In this paper we introduce an efficient application for malicious PDF detection: ADEPT. With targeted attacks rising over the recent past, exploring a new detection and mitigation paradigm becomes mandatory. The use of malicious PDF files that exploit vulnerabilities in well-known PDF readers has become a popular vector for targeted at- tacks, for which few efficient approaches exist. Although simple in theory, parsing followed by analysis of such files is resource-intensive and may even be impossible due to several obfuscation and reader-specific artifacts. Our paper describes a new approach for detecting such malicious payloads that leverages machine learning techniques and an efficient feature selection mechanism for rapidly detecting anomalies. We assess our approach on a large selection of malicious files and report the experimental performance results for the developed prototype.

Research center :

Interdisciplinary Center for Security, Reliability and Trust

Disciplines :

Computer science

Author, co-author :

Jerome, Quentin ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Marchal, Samuel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

State, Radu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Engel, Thomas ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

Language :

English

Title :

Advanced Detection Tool for PDF Threats

Publication date :

13 September 2013

Event name :

The sixth International Workshop on Autonomous and Spontaneous Security - SETOP

Event organizer :

Telecom Bretagne

Event place :

RHUL, Egham, United Kingdom

Event date :

12th-13th September 2013

Audience :

International

Main work title :

Proceedings of the sixth International Workshop on Autonomous and Spontaneous Security, RHUL, Egham, U.K., 12th-13th September 2013

Publisher :

Springer

Peer reviewed :

Peer reviewed

Available on ORBilu :

since 13 December 2013

Statistics

Number of views

710 (5 by Unilu)

Number of downloads

643 (3 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Adobe: PDF reference sixth edition, adobe portable document format, version 1.7 (2006
Filiol, E., Blonce, A., Frayssignes, L.: Portable document format (PDF) security analysis and malware threats. J. Comput. Virol. 3(2), 75-86 (2007
Daniel, M., Honoroff, J., Miller, C.: Engineering heap overflow exploits with JavaScript. In: Proceedings of the 2nd Conference on USENIXWorkshop on Offensive Technologies, WOOT'08, pp. 1:1-1:6. USENIX Association, Berkeley (2008
Rahman, M.A.: Getting owned by malicious PDF-Analysis. Global Information Assurance Certification Paper (2010
Laskov, P., Šrndič, N.: Static detection of malicious JavaScript-bearing PDF documents. In: Proceedings of the 27th Annual Computer Security Applications Conference. ACSAC '11, pp. 373-382. ACM, New York (2011
Šrndic, N., Laskov, P.: Detection of malicious pdf files based on hierarchical document structure. In: Proceedings of the 20th Annual Network and Distributed System Security Symposium (2013
Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.: The WEKA data mining software: An update. ACM SIGKDD Explor. Newsl. 11(1), 10-18 (2009
Witten, I., Frank, E., Hall, M.: Data Mining: Practical Machine Learning Tools and Techniques. Morgan Kaufmann, Amsterdam (2011
Akbani, R., Kwek, S., Japkowicz, N.: Applying support vector machines to imbalanced datasets. In: Boulicaut, J.-F., Esposito, F., Giannotti, F., Pedreschi, D. (eds.) ECML 2004. LNCS (LNAI), vol. 3201, pp. 39-50. Springer, Heidelberg (2004
Fan, R., Chang, K., Hsieh, C., Wang, X., Lin, C.: Liblinear: A library for large linear classification. J. Mach. Learn. Res. 9, 1871-1874 (2008
Lowagie, B.: IText in Action: Creating and Manipulating PDF. Dreamtech Press, New Delhi (2006
Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using CWSandbox. IEEE Secur. Priv. 5, 32-39 (2007
Trinius, P., Willems, C., Holz, T., Rieck, K.: A malware instruction set for behavior-based analysis. In: Proceedings of the Conference Sicherheit Schutz und Zuverlssigkeit SICHERHEIT (TR-2009-07), pp. 1-11 (2011
Tzermias, Z., Sykiotakis, G., Polychronakis, M., Markatos, E.P.: Combining static and dynamic analysis for the detection of malicious documents. In: Proceedings of the Fourth European Workshop on System Security. EUROSEC '11, pp. 4:1-4:6. ACM, New York (2011
Schmitt, F., Gassen, J., Gerhards-Padilla, E.: Pdf scrutinizer: Detecting javascriptbased attacks in pdf documents. In: 2012 Tenth Annual International Conference on Privacy, Security and Trust (PST), pp. 104-111. IEEE(2012
Rieck, K., Krueger, T., Dewald, A.: Cujo: Efficient detection and prevention of drive-by-download attacks. In: Proceedings of the 26th Annual Computer Security Applications Conference, pp. 31-39. ACM (2010
Smutz, C., Stavrou, A.: Malicious PDF detection using metadata and structural features. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 239-248. ACM (2012
Frančois, J., Wang, S., State, R., Engel, T.: BotTrack: Tracking botnets using Net-Flow and PageRank. In: Domingo-Pascual, J., Manzoni, P., Palazzo, S., Pont, A., Scoglio, C. (eds.) NETWORKING 2011, Part I. LNCS, vol. 6640, pp. 1-14. Springer, Heidelberg (2011
Wagner, C.,Wagener, G., State, R., Engel, T.: Malware analysis with graph kernels and support vector machines. In: 2009 4th International Conference on Malicious and Unwanted Software (MALWARE), pp. 63-68. IEEE (2009
Abdelnur, H.J., State, R., Festor, O.: Advanced network fingerprinting. In: Lippmann, R., Kirda, E., Trachtenberg, A. (eds.) RAID 2008. LNCS, vol. 5230, pp. 372-389. Springer, Heidelberg (2008
Kolter, J., Maloof, M.: Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res. 7, 2721-2744 (2006
Li, W., Wang, K., Stolfo, S., Herzog, B.: Fileprints: Identifying file types by n-gram analysis. In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop. IAW'05, pp. 64-71. IEEE (2005
Stolfo, S.J., Wang, K., Li, W.J.: Fileprint analysis for malware detection. ACM CCS WORM (2005
Li, W., Stolfo, S., Stavrou, A., Androulaki, E., Keromytis, A.: A study of malcode-bearing documents. Detection of Intrusions and Malware, and Vulnerability, Assessment, pp. 231-250 (2007
Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. J. Comput. Virol. 1, 67-77 (2006