Presentation transcript:

Slide 1: CS 5323 Malware Detection, Lecture 12. Prof. Ravi Sandhu, Executive Director and Endowed Chair. ravi.utsa@gmail.com, www.profsandhu.com. © Ravi Sandhu. World-Leading Research with Real-World Impact!

Slide 2: Highlights
Virus detection is undecidable: Cohen dissertation (1985), paper (1987).
Anti-virus (more generally anti-malware) is a great business model: it needs regular updates, and there is an infinite supply of new malware.
Malware can be stealthy.
Malware can be really stealthy.

Slide 3: Malware Detection Techniques
Source: Nwokedi Idika and Aditya Mathur, A Survey of Malware Detection Techniques, Purdue University, Feb 2007.

Slide 4: Malware Detection Techniques
Two broad classes: misuse detection (signature-based) and behavior-based detection.
Source: Idika and Mathur (2007).

Slide 5: Signature Limitations
The signature set S needs regular updates.
Source: Idika and Mathur (2007).

Slide 6: Anomaly Based
Training phase: infer patterns, infer specifications of normal behavior.
Detection phase: compare observed behavior against what was inferred.

Slide 7: Anomaly Based Limitations
Refers to a diagram on the slide: the blue area is false positives; if the white area extends outside the blue area we have false negatives.
Source: Idika and Mathur (2007).
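To make slides 4 through 7 concrete, here is an added example (not from the lecture or the Idika and Mathur survey) in Python: a misuse detector matching a signature set S against system-call traces, next to an anomaly detector with an explicit training phase and detection phase. Both are evaluated over a small labelled test set so the false positives and false negatives the slides talk about show up as counts. Every trace, signature and name here is constructed for illustration.

```python
"""Added example (not from the lecture or the Idika and Mathur survey):
misuse (signature) detection next to anomaly detection with an explicit
training phase and detection phase, run over constructed system-call
traces. Every trace, signature and name here is constructed."""

# Misuse detection: the signature set S, here short call sequences that a
# known sample is assumed to exhibit (constructed).
SIGNATURES = {("write", "chmod", "exec")}


def ngrams(trace, n):
    """All consecutive n-grams of a list of system-call names."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def misuse_detect(trace, signatures=SIGNATURES):
    """True if any signature sequence occurs in the trace."""
    return any(sig in ngrams(trace, len(sig)) for sig in signatures)


class AnomalyDetector:
    """Training phase: infer the set of n-grams seen in benign traces.
    Detection phase: flag a trace whose share of unseen n-grams exceeds a threshold."""

    def __init__(self, n=2, threshold=0.2):
        self.n = n
        self.threshold = threshold
        self.normal = set()

    def train(self, benign_traces):
        for trace in benign_traces:
            self.normal.update(ngrams(trace, self.n))

    def score(self, trace):
        grams = ngrams(trace, self.n)
        if not grams:
            return 0.0
        unseen = sum(1 for g in grams if g not in self.normal)
        return unseen / len(grams)

    def detect(self, trace):
        return self.score(trace) > self.threshold


# Constructed benign traces used for the training phase.
BENIGN_TRAINING = [
    ["open", "read", "close"],
    ["open", "read", "write", "close"],
    ["open", "write", "close"],
    ["stat", "open", "read", "close"],
]

# Constructed test traces with ground-truth labels.
TEST_SET = [
    ("benign", ["open", "read", "write", "close"]),          # routine editor behaviour
    ("benign", ["socket", "connect", "send", "close"]),      # benign but never seen in training
    ("malware", ["open", "write", "chmod", "exec"]),         # known sample, matches a signature
    ("malware", ["open", "read", "close", "fork", "exec"]),  # new sample, no signature yet
    ("malware", ["open", "read", "write", "close"]),         # mimics normal behaviour exactly
]


def evaluate(detect, test_set=TEST_SET):
    """Count true/false positives and negatives for a detector function."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for label, trace in test_set:
        flagged = detect(trace)
        if label == "malware":
            counts["tp" if flagged else "fn"] += 1
        else:
            counts["fp" if flagged else "tn"] += 1
    return counts


def compare_detectors():
    """Run both detectors over the test set; returns {'misuse': ..., 'anomaly': ...}."""
    anomaly = AnomalyDetector()
    anomaly.train(BENIGN_TRAINING)
    return {"misuse": evaluate(misuse_detect), "anomaly": evaluate(anomaly.detect)}


if __name__ == "__main__":
    for name, counts in compare_detectors().items():
        print(name, counts)
```

The misuse detector misses the sample that has no signature yet (the "needs regular updates" limitation of slide 5), while the anomaly detector catches it but flags the unfamiliar-yet-benign network trace (the blue area of slide 7) and is fooled by the sample that mimics the training profile exactly.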

Slide 8: Stealthy Malware
Techniques that defeat signature-based detection: encrypted malware, polymorphic malware, metamorphic malware.
A rootkit can misrepresent the existence or content of executable files.
Source: You, I., and Yim, K., Malware obfuscation techniques: A brief survey, IEEE International Conference on Broadband, Wireless Computing, Communication and Applications, Nov 2010, pp. 297-300.

Slide 9: Encrypted Malware (diagram)
Execute malware: Encrypted Main Body + Key, run through the Decryptor, yields the Cleartext Main Body.
Propagate malware: the Cleartext Main Body is re-encrypted, giving Encrypted Main Body + Key' + Decryptor.

Slide 10: Encrypted Malware (diagram, continued)
Execute malware: Encrypted Main Body + Key, run through the Decryptor, yields the Cleartext Main Body.
Propagate malware: Encrypted Main Body + Key' + Decryptor. The propagated copy carries the same Decryptor, which reveals a signature.

Slide 11: Polymorphic Malware (diagram)
Execute malware: Encrypted Main Body + Key, run through the Decryptor, yields the Cleartext Main Body.
Propagate malware: Encrypted Main Body + Key' + Obfuscated Decryptor.

Slide 12: Polymorphic Malware (diagram, continued)
Execute malware: Encrypted Main Body + Key, run through the Decryptor, yields the Cleartext Main Body.
Propagate malware: Encrypted Main Body + Key' + Obfuscated Decryptor. No signature: the decryptor differs in each copy.

Slide 13: Polymorphic Malware (diagram, continued)
Execute malware: Encrypted Main Body + Key, run through the Decryptor, yields the Cleartext Main Body.
Propagate malware: Encrypted Main Body + Key' + Obfuscated Decryptor. No signature.
Countermeasure: execute in a sandbox and detect the signature after decryption.

Slide 14: Polymorphic Malware (diagram, continued)
Execute malware: Encrypted Main Body + Key, run through the Decryptor, yields the Cleartext Main Body.
Propagate malware: Encrypted Main Body + Key' + Obfuscated Decryptor. No signature.
Countermeasure: execute in a sandbox and detect the signature after decryption.
Mutation engines automate this construction.
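The following added Python example (not code from the lecture) models slides 9 through 14 from the scanner's side. A "sample" is just a byte string made of decryptor || key || encrypted body; the body is a constructed marker string, the decryptor is a constant stub, and the "mutation engine" is a toy that inserts filler bytes into the stub. A static scan finds the constant stub of the encrypted family but nothing in the polymorphic copy; the sandbox scan lets the decryptor run (here by calling its known XOR routine) and then matches the body signature in the cleartext. All names, markers and keys are constructed.

```python
"""Added example (not from the lecture): static signature scanning versus
sandbox scanning on a toy model of encrypted and polymorphic malware.
Everything here is constructed bytes; nothing is executable code."""
import hashlib

BODY_SIGNATURE = b"CONSTRUCTED-BODY-MARKER"          # the pattern the scanner knows
MAIN_BODY = b"[constructed stand-in main body] " + BODY_SIGNATURE + b" [end]"
DECRYPTOR_STUB = b"DECRYPTOR-STUB-v1"                # constant stub of the encrypted family
SIGNATURES = {"main_body": BODY_SIGNATURE, "decryptor": DECRYPTOR_STUB}


def xor_bytes(data, key):
    """Repeating-key XOR; the toy 'encryption' the decryptor stub undoes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key(gen):
    """Deterministic per-generation key so the example is reproducible; a real
    sample would draw a fresh random key on every propagation."""
    k = hashlib.sha256(b"generation-%d" % gen).digest()[:8]
    return k if any(k) else b"\x01" * 8


def obfuscated_decryptor(gen):
    """Toy stand-in for a mutation engine: the same stub with filler bytes
    inserted at a generation-dependent stride, so no two copies share the
    contiguous stub bytes a static signature would match."""
    stride = 2 + gen % 3
    chunks = [DECRYPTOR_STUB[i:i + stride] for i in range(0, len(DECRYPTOR_STUB), stride)]
    return b"\x90".join(chunks)


def propagate(gen, polymorphic):
    """Generation `gen` of the sample: its decryptor, key and encrypted body.
    Key' changes every generation; only the polymorphic variant also changes
    the decryptor."""
    key = derive_key(gen)
    decryptor = obfuscated_decryptor(gen) if polymorphic else DECRYPTOR_STUB
    return {"decryptor": decryptor, "key": key, "body": xor_bytes(MAIN_BODY, key)}


def file_image(sample):
    """What the scanner sees on disk: decryptor || key || encrypted body."""
    return sample["decryptor"] + sample["key"] + sample["body"]


def static_scan(image):
    """Names of the signatures found in raw bytes."""
    return {name for name, pattern in SIGNATURES.items() if pattern in image}


def sandbox_scan(sample):
    """Model of the slide-13 countermeasure: let the decryptor run, then scan
    the cleartext. Here the 'run' is a direct call to the known XOR routine; a
    real sandbox emulates the decryptor's instructions without knowing them."""
    cleartext = xor_bytes(sample["body"], sample["key"])
    return static_scan(sample["decryptor"] + cleartext)


if __name__ == "__main__":
    for polymorphic in (False, True):
        for gen in (1, 2):
            s = propagate(gen, polymorphic)
            print("polymorphic" if polymorphic else "encrypted", "gen", gen,
                  "static:", sorted(static_scan(file_image(s))),
                  "sandbox:", sorted(sandbox_scan(s)))
```

The encrypted family is caught statically only through its unchanging stub (slide 10); once the stub mutates too (slide 12) the static scan returns nothing, and the body signature is recoverable only after the sample has decrypted itself under observation.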

Slide 15: Metamorphic Malware (diagram)
Execute malware: the Original Main Body runs as is (no decryption step).
Propagate malware: produces an Obfuscated Main Body; each further propagation produces another, differently obfuscated main body, which again runs directly. No signature.

Slide 16: Obfuscation Techniques
Dead-code insertion, register reassignment, subroutine reordering, instruction substitution, code transposition, code integration.
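One defensive answer to the first three techniques on slide 16 is to normalize code before signing it, so that dead code, register names and equivalent instruction idioms do not change the signature. The added Python example below (not from the lecture) does this for a constructed toy assembly (not a real ISA): two variants of the same routine, one rewritten with dead-code insertion, register reassignment and instruction substitution, normalize to the same canonical listing and hash. Subroutine reordering, code transposition and code integration are not handled here.

```python
"""Added example (not from the lecture): normalization-based signatures that
survive dead-code insertion, register reassignment and instruction
substitution. The 'assembly' is a constructed toy syntax ("op dst, src"),
not a real instruction set."""
import hashlib
import re

VARIANT_A = [
    "mov r1, 5",
    "mov r2, r1",
    "add r2, 7",
    "xor r3, r3",
    "ret",
]
VARIANT_B = [               # same behaviour after metamorphic rewriting
    "nop",                  # dead-code insertion
    "mov r7, 5",            # register reassignment: r1 -> r7
    "mov r4, r4",           # dead code: self-move
    "mov r9, r7",           # register reassignment: r2 -> r9
    "add r9, 7",
    "sub r5, r5",           # instruction substitution: xor r,r -> sub r,r
    "ret",
]

# Instructions with no effect: nop, self-move, add of zero.
DEAD = re.compile(r"^(nop|mov (\w+), \2|add (\w+), 0)$")
REG = re.compile(r"\br\d+\b")


def parse(instr):
    op, _, rest = instr.partition(" ")
    return op, ([a.strip() for a in rest.split(",")] if rest else [])


def is_dead(instr):
    return DEAD.match(instr) is not None


def substitute(instr):
    """Rewrite known equivalent idioms into one canonical form."""
    op, args = parse(instr)
    if op in ("xor", "sub") and len(args) == 2 and args[0] == args[1]:
        return f"mov {args[0]}, 0"     # zeroing idioms all become mov r, 0
    return instr


def rename_registers(instrs):
    """Rename registers in order of first appearance (v0, v1, ...), so which
    physical register the author chose no longer matters."""
    mapping = {}

    def canonical(match):
        return mapping.setdefault(match.group(0), f"v{len(mapping)}")

    return [REG.sub(canonical, i) for i in instrs]


def normalize(instrs):
    kept = [substitute(i) for i in instrs if not is_dead(i)]
    return rename_registers(kept)


def raw_hash(instrs):
    """Plain hash of the listing: what a byte-exact signature would see."""
    return hashlib.sha256("\n".join(instrs).encode()).hexdigest()


def canonical_hash(instrs):
    """Hash of the normalized listing: the signature that survives the rewrites."""
    return raw_hash(normalize(instrs))


if __name__ == "__main__":
    print("raw hashes equal:      ", raw_hash(VARIANT_A) == raw_hash(VARIANT_B))
    print("canonical hashes equal:", canonical_hash(VARIANT_A) == canonical_hash(VARIANT_B))
    print("\n".join(normalize(VARIANT_B)))
```

The normalizer is only as good as its idiom table: an equivalence it does not know (say a different zeroing trick) leaves the two variants with different canonical forms, which is why the slides treat metamorphic code as having "no signature" in general.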

Slide 17: Really Stealthy Malware
Not visible in source code; reappears in binary code due to a malware-infected compiler.
In theory it could reappear in binary code due to other components in the binary execution workflow: loader, linker, OS, BIOS.
Source: Ken Thompson, Reflections on trusting trust, Commun. ACM 27, 8 (August 1984), 761-763.

Slide 18: Malicious Compiler Inserts a Backdoor (diagram)
OS Login module (source), compiled by the Malicious Compiler Binary, yields an Infected Login Binary.

Slide 19: Malicious Compiler Inserts a Backdoor (diagram, continued)
OS Login module (source), compiled by the Malicious Compiler Binary, yields an Infected Login Binary.
Assumption: malicious behavior cannot be detected in the binary, but may be detectable in the compiler source.

Slide 20: Self-Compiler (diagram)
Compiler source for language L, compiled by a Compiler binary for language L, yields a Compiler binary for language L.

Slide 21: Malicious Self-Compiler in Binary and Source (diagram)
Malicious Compiler source for language L, compiled by a Compiler binary for language L, yields a Malicious Compiler binary for language L.

Slide 22: Malicious Self-Compiler in Binary and Source (diagram, continued)
Malicious Compiler source for language L, compiled by a Compiler binary for language L, yields a Malicious Compiler binary for language L.
Source code analysis will reveal the malicious behavior.

Slide 23: Doubly Malicious Self-Compiler in Binary and Source (diagram)
Doubly Malicious Compiler source for language L, compiled by a Compiler binary for language L, yields a Doubly Malicious Compiler binary for language L.
Source code analysis will reveal the doubly malicious behavior.

Slide 24: Doubly Malicious Compiler Binary Behavior (diagram)
Compiler source for language L (clean), compiled by the Doubly Malicious Compiler binary for language L, yields a Doubly Malicious Compiler binary for language L.
OS Login module, compiled by the Doubly Malicious Compiler binary for language L, yields an Infected Login Binary.

Slide 25: Doubly Malicious Compiler Binary Behavior (diagram, continued)
Compiler source for language L (clean), compiled by the Doubly Malicious Compiler binary for language L, yields a Doubly Malicious Compiler binary for language L.
OS Login module, compiled by the Doubly Malicious Compiler binary for language L, yields an Infected Login Binary.
No trace of malicious behavior in source code.

Slide 26: Malicious Self-Compiler in Binary but not in Source (diagram)
Compiler source for language L, compiled by the Malicious Compiler binary for language L, yields a Malicious Compiler binary for language L.
Partial countermeasure: Wheeler, D.A., Countering trusting trust through diverse double-compiling, 21st Annual Computer Security Applications Conference, pp. 13-48, 5-9 Dec. 2005.
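The chain of slides 18 through 26 can be replayed in a few lines of Python. The added toy model below is not from the lecture or from Wheeler's paper: a "binary" is a dict describing behaviour, a "source" is a label, and compile_with() encodes Thompson's two tricks (backdoor the login module, re-insert the trojan when compiling the clean compiler source). diverse_double_compile() then performs Wheeler's check in this model: rebuild the compiler source with an independent trusted compiler, rebuild it again with the result, and compare with what the suspect compiler regenerates from the same source. The last check shows why the countermeasure is only partial: if the supposedly trusted compiler carries the same trojan, the comparison passes. All names are constructed.

```python
"""Added toy model (not from the lecture or Wheeler's paper) of the Thompson
compiler backdoor and of diverse double-compiling (DDC). Binaries are plain
dicts describing behaviour; no real code is compiled. All names are constructed."""

LOGIN_SRC = "login-src"                          # the OS login module source
CLEAN_CC_SRC = "compiler-src"                    # honest compiler source for language L
DOUBLY_MALICIOUS_CC_SRC = "compiler-src+trojan"  # source that visibly carries both tricks


def make_compiler(trojan):
    """A compiler binary for L; `trojan` means it carries Thompson's two tricks."""
    return {"kind": "compiler", "trojan": trojan}


def compile_with(cc, source):
    """Model of running compiler binary `cc` on `source`."""
    if cc["kind"] != "compiler":
        raise ValueError("only compiler binaries can compile")
    if source == LOGIN_SRC:
        # Trick 1 (slide 18): a trojaned compiler backdoors the login module.
        return {"kind": "login", "backdoor": cc["trojan"]}
    if source == CLEAN_CC_SRC:
        # Trick 2 (slides 24-25): a trojaned compiler recognises the clean
        # compiler source and re-inserts itself, leaving no trace in the source.
        return make_compiler(trojan=cc["trojan"])
    if source == DOUBLY_MALICIOUS_CC_SRC:
        # Slide 23: source that openly contains both tricks; any compiler
        # produces a trojaned binary, and source analysis would reveal it.
        return make_compiler(trojan=True)
    raise ValueError(f"unknown source {source!r}")


def diverse_double_compile(suspect, trusted, source=CLEAN_CC_SRC):
    """Wheeler's DDC in this model: build `source` with an independent trusted
    compiler, rebuild `source` with that result, and compare against what the
    suspect compiler regenerates from the same source. Equal means the suspect's
    behaviour is fully explained by the source; a mismatch means it is not."""
    stage1 = compile_with(trusted, source)
    stage2 = compile_with(stage1, source)
    regenerated_suspect = compile_with(suspect, source)
    return stage2 == regenerated_suspect


def bootstrap_trojan():
    """Slides 23-26: compile the doubly malicious source once with an honest
    compiler, then keep only the binary and the clean source."""
    honest = make_compiler(trojan=False)
    return compile_with(honest, DOUBLY_MALICIOUS_CC_SRC)


if __name__ == "__main__":
    honest = make_compiler(trojan=False)
    trojaned = bootstrap_trojan()
    print("login built by trojaned cc has backdoor:",
          compile_with(trojaned, LOGIN_SRC)["backdoor"])
    print("clean source through trojaned cc stays trojaned:",
          compile_with(trojaned, CLEAN_CC_SRC)["trojan"])
    print("DDC passes for honest cc:", diverse_double_compile(honest, honest))
    print("DDC catches trojaned cc:", not diverse_double_compile(trojaned, honest))
    print("DDC fooled when the trusted cc shares the trojan:",
          diverse_double_compile(trojaned, trojaned))
```

In the model the suspect and trusted compilers are compared by behaviour; in practice Wheeler's check compares the bit-for-bit output, which is why it needs a deterministic build and a second compiler from an independent lineage.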