x86 Assembly Assignment Writing - CSC3059
Date: 2022-04-25
CSC3059 Malware Analysis Mock Exam 2022
Exam Details
• Duration 1.5 hours
• Exam type X + 15 minutes
X+15 Format Explained
An extra 15 minutes will be given after the exam is finished.
This extra time is only to be used to upload your answer document.
There will be no late penalties applied for submissions received during this time
i.e., up to 1 hour 44 mins 59 seconds.
Submissions received after this time will be considered late submissions and a
penalty may be applied i.e., after 1 hour 45 mins 0 seconds.

ISSA
• Students who are entitled to extra time are responsible for calculating this
themselves
• Extra time will be based on the standard exam duration, excluding the X + 15
minutes
For example, if you are entitled to 50% extra time: 1.5 hours + 45 minutes (50%
extra time) = 2 hours 15 minutes total exam duration

Submission Instructions
• Students should upload a typed Word document (.doc / .docx) with their answers
• Scanned handwritten answers will not be accepted unless the student has an
ISSA in place
• Write your name and student number at the top of the first page of your answer
document
• The filename of your answer document should include your name and student
number e.g. Ada_Lovelace_10121815.docx
• There is no limit on submission attempts - Do not wait until the last minute to
submit

Items Needed to Complete this Assessment
Microsoft Word
Internet connection

Regulations
• Normal university regulations apply to this examination
• Statement of integrity:
By submitting the work, I declare that:
• I have read and understood the University regulations relating to academic
offences, including collusion and plagiarism.
• The submission is my own original work and no part of it has been submitted for
any other assignments, except as otherwise permitted;
• All sources used, published or unpublished, have been acknowledged;
• I give my consent for the work to be scanned using plagiarism detection
software

Support / Technical Difficulties
• If you require technical support or have any queries please send a direct
message via Teams or email n.mclaughlin@qub.ac.uk
• If necessary, class-wide updates will be posted on Canvas announcements so
students should periodically check Canvas and their email during the
assessment. Ensure Canvas announcements are turned on.

Exam Instructions
Answer ALL Questions


Exam Questions
• Q1 - 35 Marks
• Q2 - 35 Marks
• Q3 - 30 Marks

Additional Information
This is an open book examination



1. Automatic Malware Detection
(a) The Table below shows the frequency of code-based properties of 1000 samples
each of malware and normal Android application code respectively. From the table
calculate the following probability values for the code property getNetworkOperator:
P(Ri=1), P(Ri=0), P(C=M|Ri=1), P(C=M|Ri=0), P(C=B|Ri=1) and P(C=B|Ri=0)
Show your working out.
[35 marks]
| Code Properties | Malware Frequency | Benign Frequency |
|---|---|---|
| getSubscriberID | 742 | 42 |
| getSimSerialNumber | 455 | 35 |
| DexClassLoader | 152 | 16 |
| createSubprocess | 169 | 0 |
| .jar (secondary payload) | 252 | 87 |
| KeySpec (code encryption) | 254 | 99 |
| getNetworkOperator | 125 | 754 |
| Chown | 107 | 5 |

Table 1. Malware and Benign code-based property frequency.

(b) The mutual information (MI) value for getSubscriberID is 0.28
Using your answers from part (a), determine whether getNetworkOperator is a more,
or less, discriminative feature by calculating its mutual information using the formula:
$$MI(R_i, C) = \sum_{r \in \{0,1\}} \sum_{c \in \{mal,\, ben\}} P(R_i = r)\, P(C = c \mid R_i = r)\, \log_2\!\left( \frac{P(C = c \mid R_i = r)}{P(C = c)} \right)$$

Show your working out.

[35 marks]
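An added example, not part of the exam paper: the MI formula above implemented in Python and run on the createSubprocess and Chown rows of Table 1. The function and variable names are assumptions, and P(C=mal) = P(C=ben) = 0.5 is taken from the equal 1000-sample classes. createSubprocess has a benign frequency of 0, so the code applies the convention 0 · log 0 = 0.

```python
import math

N_PER_CLASS = 1000  # Table 1: 1000 malware samples and 1000 benign samples

# Two rows of Table 1: property -> (malware frequency, benign frequency)
TABLE1_ROWS = {
    "createSubprocess": (169, 0),
    "Chown": (107, 5),
}


def feature_probabilities(mal_count, ben_count, n=N_PER_CLASS):
    """Return (P(R=r), P(C=c | R=r)) for r in {0, 1} and c in {mal, ben}."""
    counts = {
        1: {"mal": mal_count, "ben": ben_count},          # property present
        0: {"mal": n - mal_count, "ben": n - ben_count},  # property absent
    }
    p_r, p_c_given_r = {}, {}
    for r, by_class in counts.items():
        n_r = by_class["mal"] + by_class["ben"]
        p_r[r] = n_r / (2 * n)
        # If R=r never occurs the conditional is undefined; its MI term
        # is weighted by P(R=r) = 0, so 0.0 is a safe stand-in.
        p_c_given_r[r] = {c: (k / n_r if n_r else 0.0)
                          for c, k in by_class.items()}
    return p_r, p_c_given_r


def mutual_information(mal_count, ben_count, n=N_PER_CLASS):
    """MI(R_i, C) in bits, following the formula in part (b)."""
    p_r, p_c_given_r = feature_probabilities(mal_count, ben_count, n)
    p_c = {"mal": 0.5, "ben": 0.5}  # assumption: equal class sizes
    mi = 0.0
    for r in (0, 1):
        for c in ("mal", "ben"):
            p = p_c_given_r[r][c]
            if p > 0:  # convention: 0 * log2(0) contributes 0
                mi += p_r[r] * p * math.log2(p / p_c[c])
    return mi


if __name__ == "__main__":
    for name, (mal, ben) in TABLE1_ROWS.items():
        p_r, post = feature_probabilities(mal, ben)
        print(f"{name}: P(R=1)={p_r[1]:.4f} "
              f"P(C=M|R=1)={post[1]['mal']:.4f} "
              f"MI={mutual_information(mal, ben):.4f}")
```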

(c) An unknown executable file is analysed and the following features are detected:
GetSubscriberID, DexClassLoader, keySpec, GetNetworkOperator and Chown.
Using the information in Table 1, calculate the probabilities that this executable file is
malware or benign and hence state the final classification decision. Show your
working out.
[30 Marks]
[End of Examination]