NetSpy: Automatic Generation of Spyware Signatures for NIDS


NetSpy: Automatic Generation of Spyware Signatures for NIDS
Hao Wang, Somesh Jha and Vinod Ganapathy
{hbwang, jha, vg}@cs.wisc.edu
University of Wisconsin-Madison

What is Spyware?
[Diagram: while the user is visiting www.google.com, spyware on the user's machine reports the visit to a spyware server]
9/23/2018

Stopping Spyware
[Diagram: a NIDS placed between the user's machine and the spyware server blocks the spyware's traffic]

Problem: Signature Updates
[Diagram: the NIDS can only block the spyware server if it has a matching signature]
- Reliance on vendors to provide timely signature updates
- Cannot detect new spyware or variants of existing spyware

NetSpy Overview
[Diagram: NetSpy drives the browser to visit www.google.com; a clean system sends GET / and GET /intl/en/images/log.gif, while the spyware additionally sends GET /data/...theurl=www.google.com to the spyware server; the signature derived from that extra packet is deployed on the NIDS]

Detecting and Stopping Spyware

Defense Perimeter | Signature-based detection     | Behavior-based detection
Host-based        | Most commercial solutions     | A few commercial solutions
Network-based     | NetSpy (Signature Generation) | NetSpy (Differential Analysis)

Outline
- Motivation
- NetSpy architecture
  - Inducing spyware activity
  - Differential analysis
  - Signature generation
- Evaluation

NetSpy: Automatic Spyware Signature Generation
- Identify new spyware
- Detect spyware that operates as plugins to a web browser
- Generate NIDS signatures for detected spyware
- Without relying on vendors to provide updates

Key Observations
- Spyware is programmed to monitor certain user activities
- Spyware must send the monitored data to its home server
- When? To maximize the opportunity for profit, many spyware programs send back data immediately

NetSpy Architecture
[Diagram: User inputs -> User Activity Injector -> System (emits network packets) -> Differential Analysis (isolates the malicious substrate) -> Signature Generation -> NIDS signature]

Inducing Spyware Activity
- An automatic web browser driver
- Injects synthetic user activities into a web browser, e.g.:
  http://www.google.com/search?hl=en&q=ps3&btnG=...
  http://www.apple.com/itunes/
  …
- Triggers spyware that is programmed to monitor the injected activities
- Induces the spyware into sending data to its home server

Challenge
- Some spyware only monitors certain events
  - e.g., when a user enters a wrong URL
  - e.g., when a user accesses a banking web site
- A difficult problem in itself
- We rely on some heuristics about spyware's behavior
  - e.g., include invalid URLs in the input


Differential Analysis
- Goal: identify network packets sent by an untrusted program
- Idea: compare network traffic from a clean system and from an infected system

Traffic from the clean system:

Input URL      | Destination Host | Network Packets
www.google.com | www.google.com   | GET /
               |                  | GET /intl/en/images/log.gif

Differential Analysis
On a system infected with BrowserAccelerator, IE generated seven packets:

Input URL      | Destination Host                            | Network Packets
www.google.com | www.google.com                              | GET /
               |                                             | GET /intl/en/images/log.gif
               | data.browseraccelerator.com (unseen host)   | GET /data/...theurl=www.google.com (contains the input)
               | client.browseraccelerator.com (unseen host) | Four additional packets

Classifying Spyware
Network traffic characteristics used: whether the destination is an unseen host, and whether the packet content contains the input.

Score | Spyware?     | Unseen Host | Packet Content
3     | Most likely  | Yes         | Contains input
2     | Likely       | No          |
1     | Least likely |             |
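The differential analysis and scoring described on the last three slides, written out as an added example (this is not NetSpy's code). The two traffic runs are constructed by hand from the hosts named on the slides; the request paths are made up. The score-3 rule (unseen host and the packet carries the injected input) is the slide's; treating a single indicator as score 2 and neither as score 1 is an assumption, since only part of the slide's table survives.

```python
"""Differential analysis of browser traffic, NetSpy-style (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    host: str      # destination host of the HTTP request
    request: str   # request line as seen on the wire


@dataclass(frozen=True)
class Finding:
    packet: Packet
    unseen_host: bool
    contains_input: bool
    score: int
    label: str


# Constructed: what a clean system sends when the injector visits www.google.com
CLEAN_RUN = [
    Packet("www.google.com", "GET /"),
    Packet("www.google.com", "GET /intl/en/images/log.gif"),
]

# Constructed: the same visit on a system with a BrowserAccelerator-style plugin;
# hosts are from the slide, request paths are invented for illustration
INFECTED_RUN = CLEAN_RUN + [
    Packet("data.browseraccelerator.com", "GET /data/report?theurl=www.google.com"),
    Packet("client.browseraccelerator.com", "GET /update/check"),
    Packet("client.browseraccelerator.com", "GET /update/manifest.xml"),
    Packet("client.browseraccelerator.com", "GET /update/ba.dat"),
    Packet("www.google.com", "GET /favicon.ico"),
]

LABELS = {3: "Most likely", 2: "Likely", 1: "Least likely"}


def differential(clean, infected):
    """Packets the infected run sent that the clean run never sent (order kept)."""
    baseline = set(clean)
    return [p for p in infected if p not in baseline]


def score_packet(packet, input_url, seen_hosts):
    """Score one differential packet on the two slide features.

    3: unseen host AND packet carries the injected input (slide's rule)
    2: exactly one of the two holds (assumption)
    1: neither holds (assumption)
    """
    unseen = packet.host not in seen_hosts
    carries_input = input_url in packet.request
    score = 1 + int(unseen) + int(carries_input)
    return Finding(packet, unseen, carries_input, score, LABELS[score])


def analyse(clean, infected, input_url):
    """Run the differential, then score every packet of the malicious substrate."""
    seen_hosts = {p.host for p in clean}
    return [score_packet(p, input_url, seen_hosts)
            for p in differential(clean, infected)]


def verdict(findings):
    """Overall classification: the strongest indicator among the extra packets."""
    if not findings:
        return "No extra traffic"
    return LABELS[max(f.score for f in findings)]


if __name__ == "__main__":
    findings = analyse(CLEAN_RUN, INFECTED_RUN, "www.google.com")
    for f in findings:
        print(f"{f.score} {f.label:12} unseen={str(f.unseen_host):5} "
              f"input={str(f.contains_input):5} {f.packet.host} {f.packet.request}")
    print("verdict:", verdict(findings))
```

The differential is a set difference keyed on (host, request), so a packet the clean run also sent is never scored, even if it goes to a host the spyware also talks to; the "unseen host" feature is computed against the hosts of the clean run only. A practitioner extending this would normally add a second clean run to filter out nondeterministic traffic (ads, CDN rotation) before scoring.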


Signature Generation for NIDS
- Why? To protect other computers on the same network
- Once NetSpy identifies a new spyware on one computer, all other systems automatically gain protection
- Currently generates signatures for Snort

Signature Requirements
- Not a good signature: GET /data/...theurl=www.google.com
  - Only works when a user visits Google!
- The signature needs to be generic
- Solution: repeat the differential analysis on multiple inputs

Generating Signatures
- Input: a set of network packets
- Goal: identify the invariants among these packets

Input URL        | Packet
www.google.com   | GET /data/...theurl=www.google.com
www.apple.com    | GET /data/...theurl=www.apple.com
www.slashdot.org | GET /data/...theurl=www.slashdot.org
…                |

Longest Common Subsequence
- Handles multiple strings
- Converts the variants into a regular expression

Input URL        | Packet (invariant part | variant part)
www.google.com   | GET /data/...theurl= | www.google.com
www.apple.com    | GET /data/...theurl= | www.apple.com
www.slashdot.org | GET /data/...theurl= | www.slashdot.org
…                | …

Signature: GET /data/…theurl= .*

Evaluation

Test Case                     | Programs Analyzed                                                                                      | Detected Behavior                                         | Signature Generated
7 known spyware programs      | Browser Accelerator, Internet Optimizer, SideFind, …                                                   | Monitor URLs visited, hijack error page, download updates | Yes
10 supposedly benign programs | A9 Toolbar, AOL Toolbar, Google Toolbar, Yahoo Toolbar, MSN Messenger extension, MSN Search Toolbar, … | Monitor URLs visited, hijack error page                   |

A9 Toolbar
- Advertised feature: store a user's browsing history on a central server
  - The user first signs on with A9.com
  - A9 Toolbar sends every URL visited back to a server called client.a9.com
  - The user can access the history from anywhere
- Unadvertised feature: A9 Toolbar also sends URLs to another server, siteinfo.a9.com
  - Regardless of whether the user has signed on or not

AOL Toolbar
- Hijacks Internet Explorer's error page
  - Sends the URL entered by the user to multiple servers
  - Downloads and displays advertisements related to the URL
- Monitors all queries involving google.com
  - Transmits the data over an SSL connection to a server: snsproxy-vd01.evip.aol.com
  - This behavior only occurs in version 3.0.82; the latest version, 4.0, does not show it

Limitations
- Currently only works with browser plugins
- Assumes that spyware behaves in certain ways:
  - Monitors a user's activity and immediately sends out data to its home server (cannot detect timer-based spyware)
  - Does not encode the data to be transmitted

Conclusion
NetSpy: a system that can
- Detect new spyware by inducing its spying activity
- Automatically generate NIDS signatures for spyware