
Communications of the ACM

ACM TechNews

CSI: Cyberattack Scene Investigation--a Malware Whodunit

Investigating a cyberattack.

It remains difficult to identify the perpetrators of cyberattacks.


Forensic probes of cyberattacks can uncover their modus operandi and severity, but finding perpetrators is a difficult proposition.

"Attribution is a curious beast," notes Morgan Marquis-Boire, a researcher at the University of Toronto's Citizen Lab. "There are a variety of techniques that you can use to make educated assertions about the nature of an attack."

Marquis-Boire says circumstantial evidence can be gathered by analyzing how refined the tools used were, the methods employed, the type of data stolen, and where it was transmitted.

A forensic investigation often starts with investigators analyzing infected computers and the malware that compromised them. Malware that uses a lot of customized code implies a skilled, well-equipped coder with considerable knowledge about the targeted computers and network. The use of more generic or open source code, by contrast, makes attribution harder, because such code lacks distinguishing characteristics that might be traced back to a specific programmer or organization.

Marquis-Boire and colleagues are developing new malware profile-building techniques so they can identify a particular program's formatting styles, how it apportions memory, the ways it attempts to evade detection, and other traits. Other researchers are automating programmer-malware matching via machine learning.
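To make the profile-building idea concrete, here is an added example in Python; it is not code from this abstract, from Citizen Lab, or from Scientific American. It extracts a handful of traits from constructed stand-in sample bytes (allocator family used, format-string style, anti-analysis API names, the URL scheme of an exfiltration destination), weights each trait by how many known profiles share it, and ranks the known profiles by weighted Jaccard similarity. The sample contents, family names and trait vocabulary are all constructed; the weighting is one way to express the point above that traits shared with generic or open source code carry little attribution value.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed stand-ins for sample files (byte strings, not real malware).
KNOWN_SAMPLES: Dict[str, bytes] = {
    "family-A": b"VirtualAlloc VirtualProtect IsDebuggerPresent %s\\%s.log http://c2.invalid/",
    "family-B": b"HeapAlloc IsDebuggerPresent GetTickCount {0}\\{1}.dat ftp://drop.invalid/",
    "generic-C": b"malloc free printf %s %d",
}
# Constructed "new" sample to be matched against the known profiles.
NEW_SAMPLE: bytes = b"VirtualAlloc IsDebuggerPresent %s.tmp http://other.invalid/"


def extract_traits(blob: bytes) -> FrozenSet[str]:
    """Turn raw bytes into a set of profile traits (constructed trait vocabulary)."""
    traits = set()
    # How the program apportions memory: which allocator family it calls.
    for api in re.findall(rb"\b(VirtualAlloc|HeapAlloc|malloc)\b", blob):
        traits.add("mem:" + api.decode())
    # Formatting style of the strings the author wrote.
    if re.search(rb"%[sd]", blob):
        traits.add("fmt:printf")
    if re.search(rb"\{\d\}", blob):
        traits.add("fmt:brace")
    # Detection-evasion checks visible as imported API names.
    for api in re.findall(rb"\b(IsDebuggerPresent|GetTickCount)\b", blob):
        traits.add("evade:" + api.decode())
    # Where stolen data would be transmitted: the URL scheme in embedded strings.
    for scheme in re.findall(rb"\b(https?|ftp)://", blob):
        traits.add("exfil:" + scheme.decode())
    return frozenset(traits)


def build_profiles(samples: Dict[str, bytes]) -> Dict[str, FrozenSet[str]]:
    """One trait profile per known sample."""
    return {name: extract_traits(blob) for name, blob in samples.items()}


def trait_weights(profiles: Dict[str, FrozenSet[str]]) -> Dict[str, float]:
    """Weight = 1 / (number of known profiles containing the trait).

    A trait many families share (generic code) is weak evidence; a trait
    seen in only one family is strong evidence.
    """
    df: Dict[str, int] = {}
    for traits in profiles.values():
        for t in traits:
            df[t] = df.get(t, 0) + 1
    return {t: 1.0 / n for t, n in df.items()}


def weighted_similarity(a: FrozenSet[str], b: FrozenSet[str],
                        weights: Dict[str, float]) -> float:
    """Weighted Jaccard; a trait unseen in any known profile counts with weight 1.0."""
    def w(t: str) -> float:
        return weights.get(t, 1.0)
    union = sum(w(t) for t in a | b)
    return sum(w(t) for t in a & b) / union if union else 0.0


def rank_matches(sample: bytes, samples: Dict[str, bytes]) -> List[Tuple[str, float]]:
    """Rank known profiles by similarity to the sample, best match first."""
    profiles = build_profiles(samples)
    weights = trait_weights(profiles)
    traits = extract_traits(sample)
    scores = [(name, weighted_similarity(traits, p, weights)) for name, p in profiles.items()]
    return sorted(scores, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_matches(NEW_SAMPLE, KNOWN_SAMPLES):
        print(f"{name:10s} {score:.3f}")
```

In this constructed run the new sample matches family-A outright (score 1.0), while its only overlap with generic-C is the printf-style formatting, which two families share and so earns half weight. In a real investigation the regex extractors would be replaced by features drawn from disassembly or sandbox output, but the scoring idea is the same: a trait is only as useful for attribution as it is rare among other code.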

From Scientific American


Abstracts Copyright © 2016 Information Inc., Bethesda, Maryland, USA

