Auswahl der wissenschaftlichen Literatur zum Thema „Sandbox evasion“

Malware analysis is fundamental for defending against prevalent cyber security threats and requires a means to deploy and study behavioural software traits as more sophisticated malware is developed. Traditionally, virtual machines are used to provide an environment that is isolated from production systems so as to not cause any adverse impact on existing infrastructure. Malware developers are fully aware of this and so will often develop evasion techniques to avoid detection within sandbox environments. In this paper, we conduct an investigation of anti-evasion malware triggers for uncovering malware that may attempt to conceal itself when deployed in a traditional sandbox environment. To facilitate our investigation, we developed a tool called MORRIGU that couples together both automated and human-driven analysis for systematic testing of anti-evasion methods using dynamic sandbox reconfiguration techniques. This is further supported by visualisation methods for performing comparative analysis of system activity when malware is deployed under different sandbox configurations. Our study reveals a variety of anti-evasion traits that are shared amongst different malware families, such as sandbox “wear-and-tear”, and Reverse Turing Tests (RTT), as well as more sophisticated malware samples that require multiple anti-evasion checks to be deployed. We also perform a comparative study using Cuckoo sandbox to demonstrate the limitations of adopting only automated analysis tools, to justify the exploratory analysis provided by MORRIGU. By adopting a clearer systematic process for uncovering anti-evasion malware triggers, as supported by tools like MORRIGU, this study helps to further the research of evasive malware analysis so that we can better defend against such future attacks.

Advanced persistent threats (APT) are major threats in the field of system and network security. They are extremely stealthy and use advanced evasion techniques like packing and behaviour obfuscation to hide their malicious behaviour and evade the detection methods. Existing behavior-based detection technique fails to detect the APTs due to its high persistence mechanism and sophisticated code nature. Hence, a novel hybrid analysis technique using Behavior based Sandboxing approach is proposed. The proposed technique consists of four phases namely, Static, Dynamic, Memory and System state analysis. Initially, static analysis is performed on the sample which involves packer detection and signature verification. If the sample is found stealthy and remains undetected, then it is executed inside a sandbox environment to analyze its behavior. Further, memory analysis is performed to extract memory artefacts of the current system state. Finally, system state analysis is performed by correlating clean system state and infected system state to determine whether the system is compromised

Recent work has shown that adversarial Windows malware samples—referred to as adversarial EXE mples in this article—can bypass machine learning-based detection relying on static code analysis by perturbing relatively few input bytes. To preserve malicious functionality, previous attacks either add bytes to existing non-functional areas of the file, potentially limiting their effectiveness, or require running computationally demanding validation steps to discard malware variants that do not correctly execute in sandbox environments. In this work, we overcome these limitations by developing a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks based on practical, functionality-preserving manipulations to the Windows Portable Executable file format. These attacks, named Full DOS , Extend , and Shift , inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section. Our experimental results show that these attacks outperform existing ones in both white-box and black-box scenarios, achieving a better tradeoff in terms of evasion rate and size of the injected payload, while also enabling evasion of models that have been shown to be robust to previous attacks. To facilitate reproducibility of our findings, we open source our framework and all the corresponding attack implementations as part of the secml-malware Python library. We conclude this work by discussing the limitations of current machine learning-based malware detectors, along with potential mitigation strategies based on embedding domain knowledge coming from subject-matter experts directly into the learning process.

Tax credit management system (TCMS) implemented by the State Administration of Taxation (SAT) of China in 2014 is an innovative mechanism of tax collection and management. This paper attempts to incorporate the TCMS into the model of Allingham and Sandmo [Allingham, M. G. and Sandmo, A., Income tax evasion: A theoretical analysis, [Formula: see text]. Public Econ. 1(3–4) (1972) 323–338], and then proposes an agent-based tax compliance model combined with EWA model. In this model, enterprises are divided into three categories: enterprises paying taxes for better credit, paying taxes to avoid a punishment, and not paying taxes. Enterprises can borrow from banks based on their own tax credit rating. The experimental results based on the model show that: (i) When the probability of spot check is low, the actual tax behavior of some enterprises is inconsistent with the results of tax credit publicized by tax authorities. (ii) In order to reduce the proportion of tax evasion, we try to change the parameter variables of integral reward, audit probability, punishment, financial subsidy and loan interest rate. The results show that the punishment of fixed high loan interest rate on tax evasion enterprises can effectively restrain tax evasion and increase the proportion of enterprises with high credit rating.

In this paper, a theoretical model of tax evasion, proposed by Allingham and Sandmo, is briefly presented. This model tries to explain the taxpayer’s decision to reveal only part of the taxable income and to evade taxes in this way. The main parameters of the model are personal income, the rates of tax and penalty, probability of the tax audit. By the method of comparative statics it is possible, at least partially, to evaluate the influence of changes of the model’s parameters on a person’s decision to evade tax.As some of the assumptions of the Allingam–Sandmo model differ from taxation rules in practice or the model’s conclusions do not match the actual taxpayers’ behaviour, in this paper some criticism and improvements of the proposed model are reviewed. A comparison of the model’s assumptions and actual aspects of the tax administration in Lithuania is also provided.This article contains also a model of tax evasion with regard for the peculiarities of tax administration in Lithuania and the possible corrections of tax audit probability function.

This work presents an estimate of social security contribution evasion (SSCE) for different job categories and job sectors in Italy, among 1995 and 2016. The evasion is computed as share of the work-force that did not pay social security contribution, not as monetary evasion. The author finds a stationary trend in the size of the SSCE over time, and some significative differences in the different sectors and in the different Italian regions. The average SSCE for Italy in the 1995-2016 period is 0.149, an evasion of around 15 percent of the workforce in the social security contributions of a representative sample of Italian population, calculated on over 26,000 observations. SSCE is a well-known issue all around the world. It is a highly sensitive topic, and it is been suggested that given the aging of the population and the increasing flexibility of the work, its importance is going to increase. It is particularly interesting in a country such as Italy, where there is a huge underground economy that affects the country. Even though economists have studied the determinant and the effect of tax evasion (Allingham and Sandmo, 1972) since half a century, very few works have specifically focused on the implication of contribution evasion for social security schemes (Bailey, 2001; McGillivray, 2002) and on the determinants of contribution evasion (Bailey, 1997), especially with a quantitative approach. This work aims to contribute to the literature on SSCE, which has his own specificities that makes it different from tax evasion, offering a series of descriptive statistics on SSCE in Italy in the last twenty years. The two main goals of this study are to estimate SSCE in Italy for the different job categories, in different work sectors and in all the Italian regions between 1995 and 2016 and to provide some insights about the main causes of SSCE. In a nutshell, the findings of the author show that the highest SSCE is among self-employed and temporary worker active in the household services, building and agriculture sectors. Instead for the geographical distribution concerns, Southern Italian regions register a higher SSCE than Centre and North of Italy. The trend over the period 1998-2016 of SSC evasion is pretty much stable, while there is a gap with the 1995 estimate.

Abstract Introduction: BCL2 overexpression leading to evasion of apoptosis is common in hematologic malignancies. In DLBCL, 50% of patients (pts) overexpress BCL2 protein, 30% overexpress BCL2 and MYC (double-expressor [DE]) and 5-10% have translocations of BCL2 and MYC (double-hit [DH]), all of which are associated with a poor prognosis. We hypothesized that combination of the BCL2 inhibitor venetoclax (Ven) with chemotherapy would improve DLBCL outcomes based on pre-clinical and early clinical data. The Phase Ib part of the CAVALLI (NCT02055820) study assessed the maximum tolerated dose (MTD) of CHOP + rituximab (R) or obinutuzumab (G) with Ven (200-800mg) in non-Hodgkin lymphoma, recommending 800mg of Ven + R-CHOP for Phase II. The single-arm, multicenter Phase II part of CAVALLI investigated the efficacy of Ven + R-CHOP in all first-line (1L) DLBCL pts, by BCL2 immunohistochemistry (IHC) status within cell-of-origin (COO) subtypes, by BCL2 fluorescence in situ hybridization (FISH) and in DE and DH pts, with the intent to compare against a matched pt population in the R-CHOP arm of the GOYA Phase III study. Here we report the first safety, efficacy and biomarker analyses in all pts from this ongoing Phase II study. Methods: Eligible pts (age ≥18 yrs; Eastern Cooperative Oncology Group performance status ≤2; 1L DLBCL; International Prognostic Index score 2-5; ≥1 measurable lesion >1.5cm) were assigned to receive six 3-weekly cycles of R-CHOP + 800mg Ven daily for 10 days (Days 1-10, except Cycle 1: Days 4-10), followed by two 3-weekly cycles of 800mg Ven on Days 1-10 + R on Day 1. The primary endpoint was PET-CT response 6-8 weeks after the last R dose (EoT), according to a modified version of Lugano 2014 criteria. Secondary endpoints were progression-free survival (PFS) and safety. Biomarker analyses in CAVALLI and GOYA were performed in pre-treatment tumor samples including a BCL2 IHC assay (cutoff: 50% medium/high expression), MYC IHC assay (cutoff 40% signal), BCL2 and MYC FISH, and COO assay (Nanostring). Results: 211 pts were enrolled; 208 received any treatment and were included in efficacy and safety analyses. Overall, pt characteristics were similar for CAVALLI and GOYA, except CAVALLI enrolled more Ann Arbor Stage IV (65.4% vs 47.1%) and BCL2 IHC-positive pts (57.7% vs 50.0%). The EoT complete response rate in all pts did not differ significantly between CAVALLI and GOYA (69.2% vs 62.8%, respectively; Table 1), but was improved in BCL2-positive subgroups, specifically in BCL2 FISH-positive (70.0% vs 47.5%) and DH (71.4% vs 25.0%) pts. With 20 months' median follow-up in CAVALLI, disease progression and death had occurred in 29 and 6 pts, respectively. When compared with GOYA and adjusted for baseline covariates by Cox methodology, PFS improvement was observed in BCL2 IHC-positive pts (HR, 0.53; 95% CI: 0.30-0.93), including within both activated B-cell (ABC; HR, 0.43; 95% CI: 0.19-0.94) and germinal center B-cell (GCB; HR, 0.41; 95% CI: 0.17-0.95) COO subgroups. No PFS benefit was observed in BCL2 IHC-negative GCB pts; the BCL2 IHC-negative ABC subgroup was too small for evaluation (Figure 1). Grade 3-4 adverse events (AEs) occurred in 85% (176/208) of pts in CAVALLI versus 66% (373/574) in GOYA; the majority were cytopenias, infections and febrile neutropenia (Table 2). In CAVALLI, 1% (3/208) of AEs were fatal versus 5% (30/564) in GOYA but follow-up was longer in GOYA (57 vs 20 months). The higher rate of AEs in CAVALLI led to dose interruptions/discontinuations of both Ven and R-CHOP; 61% of pts had >90% relative dose intensity (RDI) of Ven; 73.2% of CAVALLI pts had >90% RDI of each of doxorubicin and cyclophosphamide versus 76.4% for doxorubicin and 77.6% for cyclophosphamide in GOYA. There were no major differences in grade 3-4 AEs or the RDI of R-CHOP across intention-to-treat and BCL2-positive subgroups. GCSF prophylaxis was recommended, but not uniformly delivered. Conclusions: The addition of Ven to R-CHOP in 1L DLBCL treatment resulted in improved efficacy in BCL2 IHC-positive pts compared with matched GOYA controls. Higher rates of cytopenia, infection and febrile neutropenia were observed in CAVALLI versus the R-CHOP arm in GOYA. These data further support exploration of Ven + R-CHOP in a high-risk population of BCL2-positive 1L DLBCL, including DH pts. Disclosures Morschhauser: Epizyme: Consultancy; Servier: Membership on an entity's Board of Directors or advisory committees; BMS: Honoraria, Membership on an entity's Board of Directors or advisory committees; Janssen: Honoraria, Membership on an entity's Board of Directors or advisory committees; Roche/Genentech: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees; Celgene: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees; Gilead: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees. Feugier:Janssen: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding; Roche: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding; Abbvie: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding; Gilead: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding. Flinn:Agios: Research Funding; Verastem: Research Funding; Celgene: Research Funding; Pharmacyclics: Research Funding; Merck: Research Funding; ArQule: Research Funding; Constellation: Research Funding; Curis: Research Funding; Genentech: Research Funding; Forma: Research Funding; Novartis: Research Funding; BeiGene: Research Funding; Pfizer: Research Funding; Forty Seven: Research Funding; TG Therapeutics: Research Funding; Portola: Research Funding; Calithera: Research Funding; Seattle Genetics: Research Funding; Verastem: Consultancy, Research Funding; Trillium: Research Funding; Gilead: Research Funding; Incyte: Research Funding; Infinity: Research Funding; Janssen: Research Funding; Kite: Research Funding; Takeda: Research Funding. Gasiorowski:Novartis: Honoraria; MSD: Honoraria. Greil:Astra Zeneca: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding; BMS: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding; Janssen: Other: TRAVEL, ACCOMMODATIONS, EXPENSES; Abbvie: Consultancy, Membership on an entity's Board of Directors or advisory committees; MSD: Honoraria, Research Funding; Sandoz: Honoraria, Research Funding; Amgen: Honoraria, Other: TRAVEL, ACCOMMODATIONS, EXPENSES, Research Funding; Novartis: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding; Roche: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding; Merck: Honoraria, Research Funding; Takeda: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding; Celgene: Consultancy, Honoraria, Membership on an entity's Board of Directors or advisory committees, Research Funding. Illés:Janssen: Membership on an entity's Board of Directors or advisory committees; Novartis: Membership on an entity's Board of Directors or advisory committees; Takeda: Membership on an entity's Board of Directors or advisory committees; Roche: Membership on an entity's Board of Directors or advisory committees. Johnson:Merck: Consultancy, Honoraria; Roche: Consultancy, Honoraria, Other: travel, Research Funding; Bristol-Myers Squibb: Consultancy, Honoraria; Seattle Genetics: Honoraria; Lundbeck: Consultancy, Honoraria, Other: travel, Research Funding; AbbVie Inc.: Consultancy, Honoraria, Research Funding. Lugtenburg:Genmab: Consultancy; Squibb: Consultancy; Takeda: Consultancy, Research Funding; Celgene: Consultancy; Sandoz: Consultancy; Bristol-Meyers: Consultancy; Servier: Consultancy, Research Funding; Roche: Consultancy. Salles:BMS: Honoraria, Other: Advisory Board; Servier: Honoraria, Other: Advisory Board; Servier: Honoraria; Celgene: Honoraria, Other: Advisory Board, Research Funding; F. Hoffmann-La Roche Ltd: Consultancy, Honoraria, Research Funding; Epizyme: Honoraria; Morphosys: Honoraria; Abbvie: Honoraria; Acerta: Honoraria; Amgen: Honoraria; Novartis: Consultancy, Honoraria; Takeda: Honoraria; Merck: Honoraria; Pfizer: Honoraria; Janssen: Honoraria, Other: Advisory Board; Gilead: Honoraria, Other: Advisory Board. Trněný:Morphosys: Membership on an entity's Board of Directors or advisory committees, Other: Advisory board; F. Hoffman-La Roche Ltd: Honoraria, Membership on an entity's Board of Directors or advisory committees, Other: Advisory board, Research Funding; Incyte: Membership on an entity's Board of Directors or advisory committees, Other: Advisory board; Takeda: Honoraria, Membership on an entity's Board of Directors or advisory committees, Other: Advisory board; Gilead: Honoraria; Celgene: Honoraria, Membership on an entity's Board of Directors or advisory committees, Other: Advisory board; Janssen: Membership on an entity's Board of Directors or advisory committees, Other: Advisory board; Sandoz: Honoraria; Abbvie: Honoraria, Research Funding. Mir:F. Hoffmann-La Roche: Employment. Kornacker:F. Hoffmann-La Roche Ltd: Employment. Punnoose:Roche: Equity Ownership; Genentech Inc: Employment. Samineni:Genentech Inc: Employment, Other: Ownership interests non-PLC. Szafer-Glusman:F. Hoffmann-La Roche Ltd: Employment, Other: Ownership interests PLC. Petrich:Abbvie: Employment, Other: Ownership interests PLC. Sinha:F. Hoffmann-La Roche Ltd: Employment. Mobasher:Genentech Inc: Employment; F. Hoffmann-La Roche Ltd: Other: Ownership interests non-PLC. Zelenetz:Celgene: Consultancy; Abbvie: Research Funding; Gilead: Consultancy, Research Funding; AstraZeneca: Consultancy; Genentech/Roche: Consultancy, Research Funding; Novartis/Sandoz: Consultancy; Amgen: Consultancy.

Anaplastic Large Cell Lymphoma (ALCL) is an aggressive subtype of T-cell lymphoma. ALCLs are stratified based on the presence of anaplastic lymphoma kinase (ALK) translocations. ALK negative (ALK-ALCLs) are heterogeneous subtypes characterized by higher aggressiveness and poorer outcome than ALK+ALCL. The molecular and genetic asset of ALK-ALCLs has recently begun to emerge (i.e. JAK/STAT3 activating mutations, DUSP22, TP63, TP53 and IRF4 rearrangements), but an exhaustive picture of the molecular drivers leading to ALK-ALCLs transformation, progression, and immune evasion is still lacking. Long non coding RNAs (LncRNAs) are transcripts longer than 200 nucleotides with different regulatory functions ranging from transcriptional regulation to structural functions, which are emerging as relevant players in many cellular processes including cancer. Using deep RNA-sequencing profiling combined with de novo transcriptome assembly, we explored and validated the potential contribution of non-coding RNAs in a large series of ALCLs. 24 lncRNAs were found specifically enriched in ALCL samples. Among these, a 70Kb chromatin associated lncRNA (BlackMamba) was identified as preferentially associated with the ALK-ALCLs subtypes and was shown to be a target of the JAK/STAT3 signaling. BlackMamba was overexpressed in ALK-ALCL patient samples as well as in patient-derived tumor xenograft (PDTX) models. Its shRNA mediated knockdown (KD) in ALK-ALCL cells reduces cell proliferation and clonogenicity. BlackMamba KD cells also showed a remarkable increase in the number of multinucleated cells (without ploidy alteration) providing evidence that this lncRNA may be required for correct cytokinesis. To better characterize the role of BlackMamba we performed RNA-sequencing profiling in BlackMamba KD ALK-ALCL cells showing that this lncRNA affects primarily the expression of genes involved in cytoskeleton organization and remodeling. Noticeably, the DNA-helicase HELLS emerged among the most relevant BlackMamba target gene in ALK-ALCL cells and patients. Loss of BlackMamba causes profound reduction of HELLS concomitant with a reorganization of chromatin markers (reduction of K4me3 and increase of K27me3) in the HELLS locus. To test whether HELLS enforces BlackMamba-mediated transcription, we silenced HELLS by shRNA approach in ALK-ALCLs. Noticeably, loss of HELLS led to a reduction in cell growth, a delay in the duplication rate and a dramatic drop of clonogenicity potential of ALK-ALCL cells. This phenotype was also associated with an increased number of multinucleated cells, phenocopying the BlackMamba KD cells. We also showed that, HELLS KD causes expression changes in a subset of cytoskeleton-related genes previously identified as BlackMamba targets confirming that HELLS is a crucial mediator of BlackMamba function. Indeed, ectopic over-expression of HELLS in BlackMamba KD cells rescued the cell growth defects induced by the loss of lncRNA mitigated the polynucleation phenotype and restored the baseline expression of BlackMamba target genes. Being established that lncRNAs affect gene expression by recruiting chromatin remodeling complexes to target promoters or enhancers we also investigated whether BlackMamba may associates with HELLS and dictates its chromatin positioning in ALK-ALCL cells. By RNA-immunoprecipitation (RIP) we showed that HELLS binds to BlackMamba at in two distinct regions the 3'-end of the lncRNA. Next, by Chromatin Immunoprecipitation (ChIP) we demonstrated that HELLS is associated to BlackMamba target gene promoters exclusively in ALK-ALCLs in which BlackMamba is expressed. Collectively, these data demonstrate the existence of a new lncRNA-dependent mechanism controlling the recruitment of HELLS on chromatin sites and its expression in lymphomas. The axis BlackMamba-HELLS sustains the neoplastic phenotype of ALK-ALCL representing a potential vulnerability of ALCL cells. Disclosures Merli: Mundipharma: Honoraria; Roche: Honoraria, Membership on an entity's Board of Directors or advisory committees, Other: Travel expenses, Research Funding; Sandoz: Membership on an entity's Board of Directors or advisory committees; Teva: Membership on an entity's Board of Directors or advisory committees; Celgene: Membership on an entity's Board of Directors or advisory committees, Other: Travel Expenses; Janssen: Honoraria; Takeda: Honoraria, Other: Travel Expenses; Gilead: Honoraria.

This Master’s thesis describes reverse engineering with focus on malware analysis. Reader will be informed about theoretical description of static and dynamic analysis. These techniques are later used on analysis of 5 malware families with focus on detection of used anti-sandbox techniques. After that new theoretical improvements are proposed with detection of anti-sandbox techniques or fully avoiding such anti-sandbox evasion techniques. Finally these changes are implemented on main sandbox of Avast Software from which reader can see how effective these improvements are.

Tax evasion is a classic problem in the field of economics and has been intensively studied over the last few decades. So far, research has been focused, and reasonably followed, on extensions from the original model developed by Alligham and Sandmo (1972). This chapter has taken the initiative to analyse and discuss the behaviour of taxpayers and the relation with risk when they act strategically. In this sense, the authors propose to replicate and discuss the three main conceptual functions of the brain (expressed by Spinoza) when agents do their strategic options concerning tax evasion risk. Output results demonstrate a tendency for strategic taxpayers to first react in detriment of structured and complex reasoning. The assumption, commonly used in tax evasion literature, that taxpayers are exclusively rational, is liable of being refuted. Even the strategic taxpayers are reluctant to follow only their reason.

This chapter describes the development of a prototype multi-agent based model – the Tax Compliance Simulator (TCS) – designed to help tax administrators think about ways to reduce tax evasion. TCS allows the user to define unique behavioral, income, and tax enforcement characteristics for one or two distinctive taxpayer populations. The capabilities of the model are demonstrated in a simulation of the deterrent effects of taxpayer audits. The simulation finds that a significant portion of audit-based deterrence may depend on the influence of taxpayers’ social networks rather than the probability of detection or penalty for underreporting as indicated by economic theory (Allingham and Sandmo, 1972).