x86 Assembly - CSC3059

CSC3059 Malware Analysis
Mock Exam 2022

Exam Details

Duration: 1.5 hours
Exam type: X + 15 minutes

X+15 Format Explained

An extra 15 minutes will be given after the exam is finished. This extra time is only to be used to upload your answer document. There will be no late penalties applied for submissions received during this time, i.e., up to 1 hour 44 mins 59 seconds. Submissions received after this time will be considered late submissions and a penalty may be applied, i.e., after 1 hour 45 mins 0 seconds.

ISSA students who are entitled to extra time are responsible for calculating this themselves. Extra time will be based on the standard exam duration, excluding the X + 15 minutes. For example, if you are entitled to 50% extra time: 1.5 hours + 45 minutes (50% extra time) = 2 hours 15 minutes total exam duration.

Submission Instructions

- Students should upload a typed Word document (.doc / .docx) with their answers.
- Scanned handwritten answers will not be accepted unless the student has an ISSA in place.
- Write your name and student number at the top of the first page of your answer document.
- The filename of your answer document should include your name and student number, e.g. Ada_Lovelace_10121815.docx.
- There is no limit on submission attempts – do not wait until the last minute to submit.

Items Needed to Complete this Assessment

- Microsoft Word
- Internet connection

[Page 1 of 3, Please turn over]

Regulations

Normal university regulations apply to this examination.

Statement of integrity: By submitting the work, I declare that:

- I have read and understood the University regulations relating to academic offences, including collusion and plagiarism.
- The submission is my own original work and no part of it has been submitted for any other assignments, except as otherwise permitted;
- All sources used, published or unpublished, have been acknowledged;
- I give my consent for the work to be scanned using plagiarism detection software.

Support / Technical Difficulties

If you require technical support or have any queries, please send a direct message via Teams or email n.mclaughlin@qub.ac.uk. If necessary, class-wide updates will be posted on Canvas announcements, so students should periodically check Canvas and their email during the assessment. Ensure Canvas announcements are turned on.

Exam Instructions

Answer ALL questions.

Exam Questions: Q1 – 35 Marks, Q2 – 35 Marks, Q3 – 30 Marks

Additional Information: This is an open book examination.

[Page 2 of 3, Please turn over]

1. Automatic Malware Detection

(a) The table below shows the frequency of code-based properties in 1000 samples each of malware and normal Android application code respectively. From the table, calculate the following probability values for the code property getNetworkOperator: P(Ri=1), P(Ri=0), P(C=M|Ri=1), P(C=M|Ri=0), P(C=B|Ri=1) and P(C=B|Ri=0). Show your working out. [35 marks]

Code Properties              Malware Frequency   Benign Frequency
getSubscriberID              742                 42
getSimSerialNumber           455                 35
DexClassLoader               152                 16
createSubprocess             169                 0
.jar (secondary payload)     252                 87
KeySpec (code encryption)    254                 99
getNetworkOperator           125                 754
Chown                        107                 5

Table 1. Malware and Benign code-based property frequency.

(b) The mutual information (MI) value for getSubscriberID is 0.28. Using your answers from part (a), determine whether getNetworkOperator is a more, or less, discriminative feature by calculating its mutual information using the formula:

$$MI(R_i, C) = \sum_{r=0}^{1} \sum_{c \in \{mal,\, ben\}} P(C=c, R_i=r)\, \log_2 \frac{P(C=c, R_i=r)}{P(R_i=r)\, P(C=c)}$$

Show your working out. [35 marks]

(c) An unknown executable file is analysed and the following features are detected: GetSubscriberID, DexClassLoader, keySpec, GetNetworkOperator and Chown. Using the information in Table 1, calculate the probabilities that this executable file is malware or benign and hence state the final classification decision. Show your working out. [30 marks]

[End of Examination]
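Worked example for question 1, added here and not part of the exam paper: Python that derives the part (a) probabilities, the part (b) mutual information and a part (c) naive Bayes decision from Table 1. It assumes that the part (c) score multiplies the class prior by P(property | class) for the detected properties only; the `alpha` smoothing parameter is an addition the paper does not mention.

```python
from math import log2

# Table 1 from the paper: occurrences of each code property in the
# 1000 malware and 1000 benign samples, as (malware count, benign count).
TABLE = {
    "getSubscriberID": (742, 42), "getSimSerialNumber": (455, 35),
    "DexClassLoader": (152, 16), "createSubprocess": (169, 0),
    ".jar": (252, 87), "KeySpec": (254, 99),
    "getNetworkOperator": (125, 754), "Chown": (107, 5),
}
N_MAL = N_BEN = 1000
N = N_MAL + N_BEN


def property_probabilities(prop):
    """Part (a): P(R_i=r) and P(C=c | R_i=r) for one code property."""
    mal, ben = TABLE[prop]
    present, absent = mal + ben, N - mal - ben
    return {
        "P(R=1)": present / N, "P(R=0)": absent / N,
        "P(M|R=1)": mal / present, "P(M|R=0)": (N_MAL - mal) / absent,
        "P(B|R=1)": ben / present, "P(B|R=0)": (N_BEN - ben) / absent,
    }


def mutual_information(prop):
    """Part (b): MI(R_i, C) = sum over r in {0,1}, c in {mal, ben} of
    P(c, r) * log2(P(c, r) / (P(r) * P(c))), the paper's formula."""
    mal, ben = TABLE[prop]
    joint = {("mal", 1): mal / N, ("ben", 1): ben / N,
             ("mal", 0): (N_MAL - mal) / N, ("ben", 0): (N_BEN - ben) / N}
    p_c = {"mal": N_MAL / N, "ben": N_BEN / N}
    p_r = {1: (mal + ben) / N, 0: (N - mal - ben) / N}
    # A zero joint cell contributes 0 (limit of p*log p), so it is skipped.
    return sum(p * log2(p / (p_r[r] * p_c[c]))
               for (c, r), p in joint.items() if p > 0)


def classify(detected, alpha=0.0):
    """Part (c): naive Bayes over the detected properties only (assumed
    reading of the question). alpha > 0 adds Laplace-style smoothing so a
    zero count, such as createSubprocess's benign frequency, cannot force
    one class score to exactly 0."""
    score = {"malware": N_MAL / N, "benign": N_BEN / N}  # class priors
    for prop in detected:
        mal, ben = TABLE[prop]
        score["malware"] *= (mal + alpha) / (N_MAL + 2 * alpha)
        score["benign"] *= (ben + alpha) / (N_BEN + 2 * alpha)
    total = score["malware"] + score["benign"]
    posterior = {k: v / total for k, v in score.items()}
    return max(posterior, key=posterior.get), posterior
```

`classify` takes the canonical Table 1 spellings, so the part (c) feature list is passed as `["getSubscriberID", "DexClassLoader", "KeySpec", "getNetworkOperator", "Chown"]`.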