Commit 374c866e authored by Yonghwi Kwon

reducing spaces (all cosmetic no semantic changes): tight but fit

parent 95d0f0f8
# Fdb version 3
["bibtex malmax_ccs19"] 1567366920 "malmax_ccs19.aux" "malmax_ccs19.bbl" "malmax_ccs19" 1567366998
["bibtex malmax_ccs19"] 1567368160 "malmax_ccs19.aux" "malmax_ccs19.bbl" "malmax_ccs19" 1567368165
"./ACM-Reference-Format.bst" 1566237166 97471 94d2174e63fb9cd866ec1d0b392ce46c ""
"bibliography.bib" 1567358090 25864 2c59eaf8096125618e7c9823a2ec05d1 ""
"malmax_ccs19.aux" 1567366997 24570 a09b45d77477fcf69be8a6272efd49fb "pdflatex"
"malmax_ccs19.aux" 1567368163 24570 6110d8bb536ea308f2d6eb68cd2ef46b "pdflatex"
(generated)
"malmax_ccs19.bbl"
"malmax_ccs19.blg"
["pdflatex"] 1567366994 "c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.tex" "c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.pdf" "malmax_ccs19" 1567366998
["pdflatex"] 1567368161 "c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.tex" "c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.pdf" "malmax_ccs19" 1567368165
"acmart.cls" 1566237166 79165 9bd9819004b9cbcd198fd558b6385e8a ""
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.aux" 1567366997 24570 a09b45d77477fcf69be8a6272efd49fb ""
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.tex" 1567360728 2059 98cbaa0bb0780f92c22bb970e486c461 ""
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.aux" 1567368163 24570 6110d8bb536ea308f2d6eb68cd2ef46b ""
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.tex" 1567368084 2027 91c6b6f936458888e3ff7518ca7c3f0e ""
"c:/texlive/2019/texmf-dist/fonts/enc/dvips/base/8r.enc" 1564961813 4850 80dc9bab7f31fb78a000ccfed0e27cab ""
"c:/texlive/2019/texmf-dist/fonts/enc/dvips/libertine/lbtn_25tcsq.enc" 1564962551 2921 8ca0eb0831f9bc5da080d3697cfe67bf ""
"c:/texlive/2019/texmf-dist/fonts/enc/dvips/libertine/lbtn_76gpa5.enc" 1564962551 2933 9ad527ce78d7c5fa0a642dead095f172 ""
......@@ -310,33 +310,31 @@
"fig/scanned_files.pdf" 1566237166 27844 35daa5de9c15f348b6245184597b76a1 ""
"fig/total_file_category.pdf" 1566237166 11090 3eb57ca7b23a2abd789ac04c12fc3690 ""
"fig/vttypes.pdf" 1566237166 12913 03c627debe93a0b4215d2b3d6d46c546 ""
"malmax_ccs19.aux" 1567366997 24570 a09b45d77477fcf69be8a6272efd49fb "pdflatex"
"malmax_ccs19.bbl" 1567366920 40253 9d61caf79a2b9f01e7bc67690cd92e23 "bibtex malmax_ccs19"
"malmax_ccs19.out" 1567366997 5338 bd229c1d70aeec79c5b9144a7e01e758 "pdflatex"
"malmax_ccs19.tex" 1567360728 2059 98cbaa0bb0780f92c22bb970e486c461 ""
"malmax_ccs19.aux" 1567368163 24570 6110d8bb536ea308f2d6eb68cd2ef46b "pdflatex"
"malmax_ccs19.bbl" 1567368161 40253 9d61caf79a2b9f01e7bc67690cd92e23 "bibtex malmax_ccs19"
"malmax_ccs19.out" 1567368163 5338 bd229c1d70aeec79c5b9144a7e01e758 "pdflatex"
"malmax_ccs19.tex" 1567368084 2027 91c6b6f936458888e3ff7518ca7c3f0e ""
"sections/abstract.tex" 1567358090 4076 fadbcd1baf271175daf23a728db1a5c1 ""
"sections/appendix-counterfactual.tex" 1567358090 40038 ceab15dcd009424a22f32f82dae8a577 ""
"sections/appendix-functions.tex" 1567358090 16969 deacd629fbbe83c1dc2c0ef2f3c9b5d8 ""
"sections/appendix.tex" 1567358090 9061 eff1debe69fdf435f91269852d8a91ea ""
"sections/background.tex" 1567358090 11524 38e9e907b7f7d541f7b74a3530d8904d ""
"sections/discussion.tex" 1567358090 9657 b15ece179c754004192d4d99d34d3034 ""
"sections/evaluation-casestudy1.tex" 1566237166 1317 50c177e4322fa5affd928bdef8db38b6 ""
"sections/evaluation-casestudy2.tex" 1566237166 6 2228e977ebea8966e27929f43e39cb67 ""
"sections/evaluation-sampleanalysis.tex" 1567358090 6726 8e65c39f740b1a4cd6d9a7db467dc4b5 ""
"sections/evaluation.tex" 1567359215 31583 2591562e03d8bae0c051174cb2d6c2f8 ""
"sections/background.tex" 1567367168 11539 49de1e38b5788fc0c1f8750155af702b ""
"sections/discussion.tex" 1567368063 9674 3655e04ffe84d7c4d12dd166ed2950c8 ""
"sections/evaluation-sampleanalysis.tex" 1567368157 6762 6aea933875d03d02a692d4cacfbd5284 ""
"sections/evaluation.tex" 1567367896 31658 f185eed922249312e3514ef204cd0ba9 ""
"sections/future-work.tex" 1566237166 1793 3f0cd6541049c944d02dbae4083525e3 ""
"sections/introduction.tex" 1567358090 17337 6e5badf8a44a3c179c3a158c4e2f9c0b ""
"sections/method.tex" 1567358542 44172 4ff0a957275aebacabf4eae644184abc ""
"sections/related-work.tex" 1567366993 10188 415cf0d361d3698b1f24bb3d4fea8201 ""
"sections/summary.tex" 1567100002 2197 d7e8c8e5d41c9d9310dda781b7d08d2f ""
"sections/method.tex" 1567367312 44254 3fe1a7adb3bdf971ce6299f7221c8ed7 ""
"sections/related-work.tex" 1567368113 10203 1565ea4f261a83e17f6a1b5f7fe2b904 ""
"sections/summary.tex" 1567368088 2212 f6120f95e7e4a2330665272a9a840109 ""
"table-category.tex" 1567359043 1150 914138172c680826c111b5185b18620e ""
"table-details.tex" 1567358090 16764 4dc16ea4c37e23a0bbe53166c2adeb6c ""
"table-fp.tex" 1567358090 4063 6906fb82a424f51a06da7637524adaad ""
"table-perf.tex" 1567358090 842 fc9c92e6825eca28e313974d7cac082d ""
(generated)
"malmax_ccs19.aux"
"malmax_ccs19.log"
"malmax_ccs19.pdf"
"malmax_ccs19.out"
"malmax_ccs19.pdf"
"malmax_ccs19.log"
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.pdf"
"c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.log"
......@@ -486,16 +486,12 @@ INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/libertine/LinBiolinumT-tlf-t1.
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/libertine/LinBiolinumTI-tlf-t1.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/vf/public/libertine/LinLibertineTB-tlf-sc-t1.vf
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/libertine/LinLibertineTB-tlf-sc-t1--base.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/vf/public/libertine/LinBiolinumTI-tlf-t1.vf
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/libertine/LinBiolinumTI-tlf-t1--base.tfm
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/table-fp.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/table-fp.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/table-perf.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/table-perf.tex
INPUT c:/texlive/2019/texmf-dist/fonts/vf/public/libertine/LinBiolinumTI-tlf-t1.vf
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/libertine/LinBiolinumTI-tlf-t1--base.tfm
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/evaluation-casestudy1.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/evaluation-casestudy1.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/evaluation-casestudy2.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/evaluation-casestudy2.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/evaluation-sampleanalysis.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/evaluation-sampleanalysis.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/fig/case_malware1.pdf
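Review bot: Generated build state should not be under version control. The `INPUT c:/Users/yonghwi kwon/...` and `INPUT c:/texlive/2019/...` entries here are written by the TeX run, and the same holds for the `# Fdb version 3` database above with its `(generated)` sections. These files are rewritten on every build, so a spacing-only commit carries many unrelated timestamp and checksum changes, and they record the author's absolute local paths and user name. Suggest removing both files from the repository and adding the build outputs to .gitignore.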
......@@ -515,14 +511,14 @@ INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/future
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/future-work.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/summary.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/sections/summary.tex
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.bbl
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.bbl
INPUT c:/texlive/2019/texmf-dist/fonts/vf/public/newtx/nxlmi.vf
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/rfxlri-alt.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/txfonts/txmi.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/zxlr-8r.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/zxlri-8r.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/rntxmi.tfm
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.bbl
INPUT c:/Users/yonghwi kwon/paper/conference_usenix2019_emulware/malmax_ccs19.bbl
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/libertine/LinLibertineTI-tlf-t1.tfm
INPUT c:/texlive/2019/texmf-dist/fonts/vf/public/newtx/nxlmi7.vf
INPUT c:/texlive/2019/texmf-dist/fonts/tfm/public/newtx/fxlri-7alt.tfm
......
No preview for this file type
......@@ -47,10 +47,8 @@
\input{sections/method.tex}
\input{sections/evaluation.tex}
\input{sections/discussion.tex}
\vspace{-0.5em}
\input{sections/related-work.tex}
\input{sections/future-work.tex}
\vspace{-2em}
\input{sections/summary.tex}
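Review bot: The negative `\vspace{-0.5em}` and `\vspace{-2em}` between the `\input` calls are a fragile way to meet the page limit: the offsets are tuned to the current text and silently go wrong when a section is edited, and the ACM template instructions list using `\vspace` to adjust vertical spacing among the modifications that are not allowed. If they have to stay for the submission, define them through one switchable macro in the main file so they can be turned off in a single place, rather than spreading literal offsets across the section files as the later hunks do.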
......
......@@ -53,6 +53,7 @@ Web server malware is either dropped by an attacker manually or injected into th
\end{newtext}
The malware can be a standalone file in an area that does not raise suspicion (such as the temporary folder, cache folder, uploads folder or library folder), or it can be incorporated into one of the key files of the web application available on the server. The latter makes it harder to detect the malware as the web application must be initiated and executed, and the execution must reach the malware code thereby activating it.
\vspace{-1em}
\subsection{Malware Categorization}\label{subsection:malware-categorization}
Although most web-server malware is unique in what it does and how it does it, they still exhibit common behaviors and can be divided into a few categories based on their ultimate purpose.
% Note that real-world malware may belong to multiple categories.
......
\vspace{-0.5em}
\section{Discussion and Limitations}
\label{section:discussion}
......
......@@ -38,11 +38,13 @@ Note that this sample avoids detection of various network traffic analysis tools
\caption{Exploit Scenario of Malware Sample I}
\label{fig:malware_sample1_scenario}
\centering
\vspace{-0.5em}
\includegraphics[width=0.8\columnwidth]{fig/case_malware1_scenario.pdf}
\vspace{-2em}
\vspace{-1.5em}
\end{figure}
\begin{figure}[ht]
\vspace{-0.5em}
\caption{Obfuscated Evasive Malware Sample II}
\vspace{-0.5em}
\label{fig:malware_sample2}
......
......@@ -7,6 +7,8 @@ We evaluate the performance and effectiveness of \sysname using a large set of r
%describe our benchmark suite. Using this suite, we evaluate Emulware's detection accuracy and compare with existing web-server malware detection tools. We also discuss limitations and threats to validity.
%\vspace{-0.5em}
\subsection{Experimental Setup}
\label{section:experimental_setup}
\noindent
......@@ -223,9 +225,12 @@ The table lists all 63 samples including 53 diverse real-world PHP malware (from
A perfect tool would be able to identify the 58 malware in this set.
%To demonstrate the effectiveness in detecting malware, we create an automated tool leveraging \sysname to expose and detect malicious behaviors from malware. Details of the tool are described in Section~\ref{section:malware-detection-tool}.
Results from existing tools are as follows:
\vspace{-0.5em}
\vspace{-0.3em}
\begin{itemize}
\item Linux Malware Detector (maldet) flags 31 (53\% TP) malware samples and one benign sample as malicious (shaded cell, sb1). s1 is an obfuscated benign program (calculating sum of 1 to 100).
\setlength\itemsep{-0.1em}
\item Linux Malware Detector (maldet) flags 31 (53\% TP) malware samples and one benign sample as malicious (red cell, sb1) which is an obfuscated benign program. % (calculating sum of 1 to 100).
\item BackdoorMan only detects 9 programs as malware where 2 of them are false positives (sb1 and sb3).
sb3 uses a PHP function \code{create\_function()} to create dynamic code and then execute it, although the dynamic code is not from untrusted sources (e.g., external inputs), hence not malicious.
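Review bot: The maldet `\item` is reworded, not just respaced, which does not match the commit message ("all cosmetic no semantic changes"): one version refers to `shaded cell, sb1` and explains the benign program (`calculating sum of 1 to 100`), the other refers to `red cell, sb1` and comments the explanation out. No hunk for table-fp.tex is visible in this commit, so please confirm the sb1 cell is really rendered red there, and consider keeping a cue that survives grayscale printing. Please also mention the wording change in the commit message.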
......@@ -354,10 +359,10 @@ Our prototype typically uses about 200MB of memory, although at times it can run
\vspace{-0.5em}
\subsection{Case Study}
\label{section:eval_case_study}
\input{sections/evaluation-casestudy1.tex}
\input{sections/evaluation-casestudy2.tex}
%\input{sections/evaluation-casestudy1.tex}
%\input{sections/evaluation-casestudy2.tex}
\input{sections/evaluation-sampleanalysis.tex}
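Review bot: `\input{sections/evaluation-casestudy1.tex}` and `\input{sections/evaluation-casestudy2.tex}` appear here both live and commented out, so the case-study text drops out of the build, which is more than the cosmetic change the commit message describes. Check the build log for undefined `\ref` targets whose labels were defined in those files. If the removal is intended, delete the lines and say so in the commit message instead of leaving commented-out inputs behind.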
......@@ -31,6 +31,7 @@ The technique enables (1) discovery of malicious behaviors of highly obfuscated
for malicious behavior discovery.
\end{newtext}
\vspace{-1em}
\inlinetitle{Counterfactual Execution. }
\sysname enables discovering parts of code that would not be accessible in a vanilla dynamic analysis~\cite{schafer2013dynamic} via a concept called {\it counterfactual execution} which forces execution into branches even if the branch conditions are not satisfied, past exit nodes, and into pieces of code that are not normally executed.
Such counterfactual execution relies on state isolation to track changes made to the execution state when exploring counterfactual paths, and supports fine-grained control over state changes (e.g., reversing and backporting).
......@@ -54,12 +55,13 @@ If the correct password is provided, there is a loop to prevent recognition of t
A naive dynamic analysis will be unable to expose the malicious behavior as it will be unable to drive execution past lines 2 and 3, resulting in missing the entire malicious logic.
\begin{figure}[ht]
\vspace{-2em}
\vspace{-1em}
\caption{Evasive Malware Example}
\label{fig:evasivemalware}
\centering
\vspace{-0.5em}
\includegraphics[width=1.0\columnwidth]{fig/counterfactual.pdf}
\vspace{-1em}
\vspace{-2em}
\end{figure}
\begin{comment}
......@@ -115,10 +117,11 @@ If the new execution is successful, we conclude the analysis of the time consumi
We determine a new execution is successful if we discover any new executed statements or execution states compared to those in the first counterfactual execution that covers the same path.
\begin{figure}[ht]
\vspace{-1em}
%\vspace{-1em}
\caption{Control Flow Trimming Example on Fig.~\ref{fig:evasivemalware}}
\label{fig:cfgtrimming}
\centering
\vspace{-0.5em}
\includegraphics[width=1.0\columnwidth]{fig/controlflow_trimming.pdf}
\vspace{-2em}
\end{figure}
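Review bot: At the top of this figure, `\vspace{-1em}` is kept as `%\vspace{-1em}` rather than deleted. Version control already preserves the old value, so drop the line instead of commenting it out; commented spacing tweaks accumulate and make it hard to see which offsets are actually in effect around `\caption` and `\includegraphics`.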
......@@ -147,7 +150,9 @@ Fig.~\ref{fig:cft_threshold_adjust}-(a) shows an example. The program has a loop
\caption{Adjusting Threshold in Control-Flow Trimming}
\label{fig:cft_threshold_adjust}
\centering
\vspace{-0.5em}
\includegraphics[width=0.8\columnwidth]{fig/cft_threshold_adjust.pdf}
\vspace{-1em}
\end{figure}
......
\vspace{-1em}
\section{Related Work}
\label{section:related-work}
......
\vspace{-2em}
\section{Conclusion}
\label{section:summary}
......