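@comment{
  Six entries on malware analysis, visual analytics and malicious system behaviour
  (project notes name KAVA-Time and TARGET). The file contains non-ASCII characters
  (umlauts in keywords, an en dash in a title), so it is meant for a UTF-8 toolchain
  such as biblatex/Biber; classic 8-bit BibTeX would need LaTeX escapes instead.
  Values are stored in canonical form (full author names, page ranges with --,
  bare DOIs, raw URLs) and the bibliography style decides presentation.
  Fields named internal-note are ignored by all styles and hold review remarks.
}

@incollection{wagner_visual_2017,
  author    = {Wagner, Markus and Sacha, Dominik and Rind, Alexander and Fischer, Fabian and Luh, Robert and Schrittwieser, Sebastian and Keim, Daniel A. and Aigner, Wolfgang},
  editor    = {Othmane, Lotfi Ben and Jaatun, Martin Gilje and Weippl, Edgar},
  title     = {Visual {Analytics}: {Foundations} and {Experiences} in {Malware} {Analysis}},
  booktitle = {Empirical {Research} for {Software} {Security}: {Foundations} and {Experience}},
  publisher = {CRC/Taylor and Francis},
  year      = {2017},
  pages     = {139--171},
  isbn      = {978-1-4987-7641-7},
  note      = {Projekt: KAVA-Time},
  keywords  = {FH SP Cyber Security, FH SP Data Analytics \& Visual Computing, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Institut für Creative Media Technologies, Publikationstyp Schriftpublikation, Visual Computing, Visual analytics, Wiss. Beitrag, best, best-lbwagnerm, data, interaction, knowledge generation, malware analysis, model, peer-reviewed, visualization},
  abstract  = {This chapter starts by providing some background in behavior-based malware analysis. Subsequently, it introduces VA and its main components based on the knowledge generation model for VA (Sacha et al., 2014). Then, it demonstrates the applicability of VA in this subfield of software security with three projects that illustrate practical experience of VA methods: MalwareVis (Zhuo et al., 2012) supports network forensics and malware analysis by visually assessing TCP and DNS network streams. SEEM (Gove et al., 2014) allows visual comparison of multiple large attribute sets of malware samples, thereby enabling bulk classification. KAMAS (Wagner et al., 2017) is a knowledge-assisted visualization system for behavior-based malware forensics enabled by API calls and system call traces. Future directions in visual analytics for malware analysis conclude the chapter.},
}

@article{luh_sequin_2018,
  author    = {Luh, Robert and Schramm, Gregor and Wagner, Markus and Janicke, Helge and Schrittwieser, Sebastian},
  title     = {{SEQUIN}: a grammar inference framework for analyzing malicious system behavior},
  journal   = {Journal of Computer Virology and Hacking Techniques},
  year      = {2018},
  pages     = {1--21},
  doi       = {10/cwdf},
  url       = {http://mc.fhstp.ac.at/sites/default/files/publications/Luh_2018_SEQUIN.pdf},
  note      = {Projekt: TARGET Projekt: KAVA-Time},
  keywords  = {FH SP Cyber Security, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Forschungsgruppe Secure Societies, Institut für Creative Media Technologies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Visual analytics, Wiss. Beitrag, attribute grammar, best, best-lbwagner, best-rluh, knowledge generation, malware analysis, peer-reviewed, system behavior},
  abstract  = {Targeted attacks on IT systems are a rising threat to the confidentiality of sensitive data and the availability of critical systems. The emergence of Advanced Persistent Threats (APTs) made it paramount to fully understand the particulars of such attacks in order to improve or devise effective defense mechanisms. Grammar inference paired with visual analytics (VA) techniques offers a powerful foundation for the automated extraction of behavioral patterns from sequential event traces. To facilitate the interpretation and analysis of APTs, we present SEQUIN, a grammar inference system based on the Sequitur compression algorithm that constructs a context-free grammar (CFG) from string-based input data. In addition to recursive rule extraction, we expanded the procedure through automated assessment routines capable of dealing with multiple input sources and types. This automated assessment enables the accurate identification of interesting frequent or anomalous patterns in sequential corpora of arbitrary quantity and origin. On the formal side, we extended the CFG with attributes that help describe the extracted (malicious) actions. Discovery-focused pattern visualization of the output is provided by our dedicated KAMAS VA prototype.},
  internal-note = {second author spelled Gregor here and Georg in luh_sequitur-based_2017; verify which is correct},
}

@inproceedings{luh_sequitur-based_2017,
  author    = {Luh, Robert and Schramm, Georg and Wagner, Markus and Schrittwieser, Sebastian},
  title     = {Sequitur-based {Inference} and {Analysis} {Framework} for {Malicious} {System} {Behavior}},
  year      = {2017},
  doi       = {10/cwdb},
  note      = {Projekt: TARGET Projekt: KAVA-Time},
  keywords  = {2017, Department Medien und Digitale Technologien, Department Technologie, FH SP Cyber Security, Forschungsgruppe Digital Technologies, Forschungsgruppe Media Computing, Forschungsgruppe Secure Societies, Institut für Creative Media Technologies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Präsentation, Publikationstyp Schriftpublikation, peer-reviewed},
  internal-note = {booktitle missing; it is a required field for inproceedings and BibTeX/Biber will warn},
}

@inproceedings{rauchberger_other_2018,
  author    = {Rauchberger, Julian and Schrittwieser, Sebastian and Dam, Tobias and Luh, Robert and Buhov, Damjan and Pötzelsberger, Gehard and Kim, Hyoungshick},
  title     = {The {Other} {Side} of the {Coin}: {A} {Framework} for {Detecting} and {Analyzing} {Web}-based {Cryptocurrency} {Mining} {Campaigns}},
  booktitle = {Proceedings of the 13th {International} {Conference} on {Availability}, {Reliability} and {Security}},
  publisher = {ACM},
  address   = {Hamburg, Deutschland},
  year      = {2018},
  doi       = {10/gh373c},
  keywords  = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, SP IT Sec System \& Application Security, best, peer-reviewed},
}

@inproceedings{luh_llr-based_2017,
  author    = {Luh, Robert and Schrittwieser, Sebastian and Marschalek, Stefan},
  title     = {{LLR}-based {Sentiment} {Analysis} for {Kernel} {Event} {Sequences}},
  publisher = {IEEE},
  year      = {2017},
  doi       = {10/gh3728},
  note      = {Projekt: TARGET},
  keywords  = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, best, peer-reviewed},
  internal-note = {booktitle missing; it is a required field for inproceedings and BibTeX/Biber will warn},
}

@article{eresheim_evolution_2017,
  author    = {Eresheim, Sebastian and Luh, Robert and Schrittwieser, Sebastian},
  title     = {The {Evolution} of {Process} {Hiding} {Techniques} in {Malware} – {Current} {Threats} and {Possible} {Countermeasures}},
  journal   = {Journal of Information Processing},
  year      = {2017},
  doi       = {10/gh3722},
  note      = {Projekt: TARGET},
  keywords  = {Department Technologie, FH SP Cyber Security, Forschungsgruppe Data Intelligence, Forschungsgruppe Secure Societies, Institut für IT Sicherheitsforschung, Josef Ressel Zentrum TARGET, Publikationstyp Schriftpublikation, peer-reviewed},
}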