Architecture for analyzing Potentially Unwanted Applications

Thumbnail Image

Files

master_Geniola_Alberto_2016.pdf (9.72 MB)

URL

Journal Title

Journal ISSN

Volume Title

Perustieteiden korkeakoulu | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.

Authors

Date

2016-10-27

Department

Major/Subject

Computer Science

Mcode

SCI3068

Degree programme

Master’s Programme in Computer, Communication and Information Sciences

Language

en

Pages

149+8

Series

Abstract

The spread of potentially unwanted programs (PUP) and its supporting pay par install (PPI) business model have become relevant issues in the IT security area. While PUPs may not be explicitly malicious, they still represent a security hazard. Boosted by PPI companies, PUP software evolves rapidly. Although manual analysis represents the best approach for distinguishing cleanware from PUPs, it is inapplicable to the large amount of PUP installers appearing each day. To challenge this fast evolving phenomenon, automatic analysis tools are required. However, current automated malware analisyis techniques suffer from a number of limitations, such as the inability to click through PUP installation processes. Moreover, many malware analysis automated sandboxes (MSASs) can be detected, by taking advantage of artifacts affecting their virtualization engine. In order to overcome those limitations, we present an architectural design for implementing a MSAS mainly targeting PUP analysis. We also provide a cross-platform implementation of the MSAS, capable of running PUP analysis in both virtual and bare metal environments. The developed prototype has proved to be working and was able to automatically analyze more that 480 freeware installers, collected by the three top most ranked freeware websites, such as cnet.com, filehippo.com and softonic.com. Eventually, we briefly analyze collected data and propose a first strategy for detecting PUPs by inspecting intercepted HTTP traffic.

Description

Supervisor

Aura, Tuomas

Thesis advisor

Antikainen, Markku

Keywords

PUP, security, PUA, MSAS, potentially unwanted application

Other note

Citation

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-201611025363

Collections

[dipl] Perustieteiden korkeakoulu / SCI