Information on the doctoral thesis of Fellow Tran Nghi Phu

1. Full name: Tran Nghi Phu

2. Gender: Male

3. Date of birth: 07/11/1987

4. Place of birth: Nghe An

5. Admission decision number: 361/QĐ-ĐT dated 13/06/2014

6. Changes in academic process:

7. Official thesis title:  Automatic analyses of malware in embedded devices based on Linux.

8. Major: Software Engineering

9. Code: 9480103.01

10. Supervisors: Assoc. Prof. Nguyen Ngoc Binh, Dr. Nguyen Dai Tho

11. Summary of the new findings of the thesis:

Firstly, building an IoT dataset which consists of firmware of IoT devices together with malware and benign samples that run on IoT devices. The dataset is called Firmware IoT (F-IoT). It is the largest IoT dataset currently available for multi-architectures. To build this dataset, the dissertation developed F-Toolkit to assist in collecting, analyzing and dissecting firmware.

Secondly, developing a dynamic analysis environment, F-Sandbox, and two frameworks for detecting and classifying embedded malicious code. This is a new kind of sandbox, specialized for IoT devices based on the embedded Linux operating system. F-Sandbox is developed based on QEMU, inheriting Firmadyne's techniques that allow simulating NVRAM and the Internet and extracting system calls (syscalls) using a modified Linux 2.6 kernel (instrumented kernel).

Thirdly, proposing an improved algorithm to extract control flow-based features. The problem of extracting control flow-based features from executable files is converted into the problem of calculating the total number of paths from the root to the leaves of the constructed directed acyclic graph. The weighted graph of path counts is built by a dynamic programming algorithm with polynomial complexity, instead of the depth-first search method (as an NP-hard problem) proposed by Ding et al. This improvement enhances the efficiency of extracting features from large-scale, highly complex executables on traditional computers. The improvement is also well suited for detecting malware on embedded devices, which mostly use RISC architecture processors instead of the CISC architecture processors found in traditional computers.
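The following is an added example, not code from the thesis or its publications. It shows the general idea of counting root-to-leaf paths on a directed acyclic graph with dynamic programming and compares it with explicit depth-first enumeration. The graph, the node names and the definition of a node's weight (the number of root-to-leaf paths passing through it) are assumptions made for illustration.

```python
# Added example: root-to-leaf path counting on a DAG (constructed sample graph).
from collections import deque

def topo_order(graph):
    """Kahn's algorithm; raises if the graph has a cycle (loops must be cut first)."""
    indeg = {v: 0 for v in graph}
    for succs in graph.values():
        for s in succs:
            indeg[s] += 1
    queue = deque(v for v, d in indeg.items() if d == 0)
    order = []
    while queue:
        v = queue.popleft()
        order.append(v)
        for s in graph[v]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(graph):
        raise ValueError("graph is not acyclic")
    return order

def path_weights(graph, root):
    """Per-node count of root-to-leaf paths through the node, in O(V + E)."""
    order = topo_order(graph)
    from_root = {v: 0 for v in graph}
    from_root[root] = 1
    for v in order:                      # forward pass: number of paths root -> v
        for s in graph[v]:
            from_root[s] += from_root[v]
    to_leaf = {}
    for v in reversed(order):            # backward pass: number of paths v -> leaf
        to_leaf[v] = sum(to_leaf[s] for s in graph[v]) if graph[v] else 1
    return {v: from_root[v] * to_leaf[v] for v in graph}

def enumerate_paths(graph, root):
    """Baseline: explicit DFS enumeration, exponential in the worst case."""
    if not graph[root]:
        return [[root]]
    return [[root] + p for s in graph[root] for p in enumerate_paths(graph, s)]

def diamond_chain(n):
    """Constructed CFG: n if/else diamonds in sequence, giving 2**n paths."""
    g = {}
    for i in range(n):
        g[f"b{i}"] = [f"t{i}", f"f{i}"]
        g[f"t{i}"] = [f"b{i + 1}"]
        g[f"f{i}"] = [f"b{i + 1}"]
    g[f"b{n}"] = []
    return g
```

On `diamond_chain(60)` the dynamic programming pass returns the path count directly, while the enumeration baseline would have to visit 2**60 paths.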

Fourthly, proposing a novel feature extraction method to detect cross-architecture malware, CFGVex. CFGVex combines the previously proposed dynamic programming algorithm with the intermediate language Vex: it uses Vex statements instead of opcode statements when extracting information from the basic blocks of executables to detect cross-architecture malware. The proposed method allows knowledge of malware on known architectures to be used to detect malware on a new architecture, which is one of the emerging trends of malware on embedded devices. The dissertation proposed and selected appropriate characteristics to give an excellent ability to detect malware. Our experiments show that CFGVex is capable of detecting cross-architecture malware with high accuracy, opening up research directions to determine the transfer relationship between malware on different architectures, and between traditional malware on computers and malware on embedded devices.

12. Practical application, if any: The results of the thesis can be applied to develop products for testing embedded device firmware and to detect malicious code operating on embedded devices.

13. Further research directions, if any: Continue to improve F-Sandbox to activate specific malicious samples; develop F-Toolkit so that it is capable of analyzing images that are not in full-blown form; improve the efficiency of CFDVex in detecting multi-architecture malware; develop methods to remove malicious code from the firmware of IoT devices.

14. Thesis-related publications:

1. Tran Nghi Phu, Nguyen Ngoc Binh, Hoang Dang Kien, Ngo Quoc Dung, Nguyen Dai Tho. A Novel Framework to Classify Malware in MIPS Architecture-based IoT Devices. Security and Communication Networks, 2019, 13 pages, https://doi.org/10.1155/2019/4073940 (ISI, SCIE index).

2. Tran Nghi Phu, Nguyen Dai Tho, Le Huy Hoang, Nguyen Ngoc Binh. An Efficient Algorithm to Extract Control Flow-based Features for IoT Malware Detection. Computer Journal, 2020 (Accepted, ISI, SCIE index).

3. Tran Nghi Phu, Ngo Quoc Dung, Le Van Hoang, Nguyen Dai Tho, Nguyen Ngoc Binh. A System Emulation for Malware Detection in Routers. International Journal of Innovative Technology and Exploring Engineering (IJITEE) ISSN: 2278-3075, Volume-8, Issue-11, Sep 2019 (Scopus index).

4. Trần Nghi Phú, Ngô Quốc Dũng, Hoàng Đăng Kiên, Nguyễn Đại Thọ, Nguyễn Ngọc Bình. Phát Hiện Mã Độc Trên Các Thiết Bị IoT Dựa Trên Lời Gọi Syscall và Phân Lớp Một Lớp SVM [Malware Detection on IoT Devices Based on Syscalls and One-Class SVM Classification]. Tạp chí Thông Tin và Truyền Thông [Journal of Information and Communications], ISSN 1859-3550, 12-2018.

5. Tran Nghi Phu, Nguyen Ngoc Binh, Ngo Quoc Dung, and Le Van Hoang. Towards Malware Detection in Routers with C500-Toolkit. 5th International Conference on Information and Communication Technology (ICoICT), 1–5, 2017. https://doi.org/10.1109/ICoICT.2017.8074691 (Scopus index).

6. Tran Nghi Phu, Nguyen Ngoc Binh, Nguyen Dai Tho, Nguyen Ngoc Toan, and Le Huy Hoang. CFDVex: A Novel Feature Extraction Method for Detecting Cross-Architecture IoT Malware. The tenth international Symposium on Information and Communication Technology (SoICT 2019), Dec-2019, Hanoi, Vietnam, pp. 248-254 (Scopus index).

7. Tran Nghi Phu, Nguyen Ngoc Toan, Le Huy Hoang, Nguyen Dai Tho, Nguyen Ngoc Binh. C500-CFG: A Novel Algorithm to Extract Control Flow-based Features for IoT Malware Detection. 19th International Symposium on Communications and Information Technologies (ISCIT), 2019, HCM, Vietnam.

8. Trần Nghi Phú, Ngô Quốc Dũng, Nguyễn Huy Trung, Nguyễn Ngọc Bình. Mô Hình Phát Hiện Mã Độc trong Phần Mềm Nhúng trên Thiết Bị Định Tuyến [A Model for Detecting Malware in Embedded Software on Routers]. Hội Thảo Quốc Gia Lần Thứ XIX: Một số vấn đề chọn lọc của CNTT&TT [19th National Conference: Selected Issues in Information and Communication Technology], Hà Nội, 2016.

9. Trần Nghi Phú, Nguyễn Huy Trung, Ngô Quốc Dũng, Nguyễn Ngọc Bình, and Nguyễn Đại Thọ. Phát Triển Công Cụ Dịch Ngược Firmware Trên Thiết Bị Định Tuyến [Developing a Firmware Reverse-Engineering Tool for Routers]. Hội Nghị Khoa Học Hội Thảo Lần Thứ I: Một số vấn đề chọn lọc về An toàn thông tin [1st Scientific Conference: Selected Issues in Information Security], 9-2016.

 Trịnh Thiện - VNU Media