Effective and Efficient Malware Detection at the End Host. Clemens Kolbitsch, Paolo Milani Comparetti (TU Vienna), Christopher Kruegel (UCSB), Engin Kirda (Institute Eurecom), Xiaoyong Zhou, XiaoFeng Wang (Indiana University at Bloomington).


Effective and Efficient Malware Detection at the End Host. Clemens Kolbitsch, Paolo Milani Comparetti (TU Vienna); Christopher Kruegel (UCSB); Engin Kirda (Institute Eurecom); Xiaoyong Zhou, XiaoFeng Wang (Indiana University at Bloomington). USENIX Security Symposium '09.

Outline: Motivation, System Overview, System Details, Evaluation, Limitations, Conclusion

MOTIVATION: Effectiveness & Efficiency

Motivation
– Efficiency: binary signature-based detection and network-based detection are cheap enough to run on an end host
– Effectiveness: behavior-based detection decides on what the malware does rather than how its bytes look
– Behavior is hard to obfuscate, hard to randomize, and often stable across versions of the same malware

Motivation: this paper proposes a behavior-based solution that is also efficient, so that it can run on end hosts.

SYSTEM OVERVIEW: Modeling Behaviors and Making Detection Efficient

System Overview: malware behaviors
– Manifest on the system (i.e., survive a reboot): (over)write system executables, DLLs and other files; create registry entries; register as a Windows (startup) service
– Conceal from detection: restart under a stealthy name (e.g., svchost.exe); inject into legitimate processes
– Replicate: send e-mails; copy to Samba shares, USB drives, etc.; scan and exploit services on the LAN or WAN

System Overview: detection based on execution characteristics
– Execute the malware in a full-system emulator (Anubis)
– Monitor its interaction with the operating system
– Perform detailed taint analysis
– Generate detection graphs: they describe the sequence of system calls required to reach security-relevant system activity and include dependencies on related, earlier calls (derived from taint dependencies)
– Detect the described behavior on the end host: log the system-call activity of an unknown executable and match it against the behavior graph

System Overview: example, the Agent trojan. As part of manifesting itself on the system, it
– reads content from its own binary image
– decrypts that content with a proprietary, simple XOR-based routine
– stores the decrypted binary in a system file (C:\Windows\system32\drivers\ip6fw.sys)
– later restarts the IPv6 firewall, thereby turning itself into a system service

System Overview (figure slide)

SYSTEM DETAILS: Generating Behavior Graphs, Matching Behavior Graphs

System Details: behavior graphs
– A directed acyclic graph: nodes are system calls, edges are dependencies between them
– Handle dependencies: direct value propagation of system-provided identifiers (handles); the value must be passed on unchanged (constant) from the producing call to the consuming call

System Details: data dependencies
– An arbitrary data (and control) dependency between two system calls
– The program may modify the value between the two calls (e.g., decrypt it), so the edge records how the consumed argument is derived from the produced value

System Details: generating behavior graphs
– Analyze the executable in the Anubis sandbox: obtain an instruction-level log, a program-flow log and a memory-access log
– Generate precise taint-propagation trees: data and control dependencies, the instructions that access or generate tainted data, and a link from every system call that consumes data to all taint-generating calls (sources)

System Details: generating behavior graphs (cont.)
– Scan the logs for security-relevant behavior, given a list of interesting system calls
– Extract the propagation formulas, i.e., the functions that map a source's output to the consuming call's argument

System Details: matching behavior graphs on the end host
– Every node is either inactive or active; a node becomes active when a system call of its type is observed and its dependency edges on already-active predecessor nodes are satisfied
– Simple propagation functions are evaluated directly; complex ones are evaluated by executing the program slice extracted during analysis
– The security-relevant system call at the bottom of the graph is the sink
– When the sink is reached the match is confirmed and all nodes of the graph are deactivated
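The following is an added example, not code from the paper or the presentation, that ties together the Agent example and the graph, dependency and matching slides above: a toy behavior-graph matcher in Python. The system-call names, argument layouts, the XOR key and both log entries are constructed for illustration; the real system works on Windows native API traces and on graphs derived automatically from taint analysis.

```python
# Added example (not the paper's or the authors' code): a toy behavior-graph
# matcher in the spirit of the paper. Syscall names, argument layouts, the XOR
# key and the log entries below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Tuple

@dataclass
class Syscall:
    """One log entry; `args` holds the inputs plus the output under "ret"."""
    name: str
    args: Dict[str, Any]

# Edge: argument `arg` of this node must equal fn(value), where value is field
# `src_field` of the already-active predecessor node `src`.
Dep = Tuple[str, str, str, Callable[[Any], Any]]

@dataclass
class Node:
    id: str
    syscall: str
    checks: Dict[str, Callable[[Any], bool]] = field(default_factory=dict)
    deps: List[Dep] = field(default_factory=list)
    sink: bool = False  # security-relevant call at the bottom of the graph

def xor_decrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for Agent's XOR routine; the key is an assumption."""
    return bytes(b ^ key for b in data)

# Behavior graph for the Agent example: open own image, read it, create
# drivers\ip6fw.sys, write the decrypted image into it (the sink).
AGENT_GRAPH: List[Node] = [
    Node("open_image", "NtCreateFile",
         checks={"name": lambda n: n.lower().endswith(".exe")}),
    Node("read_image", "NtReadFile",
         deps=[("handle", "open_image", "ret", lambda v: v)]),   # handle edge
    Node("create_drv", "NtCreateFile",
         checks={"name": lambda n: n.lower().endswith("\\drivers\\ip6fw.sys")}),
    Node("write_drv", "NtWriteFile",
         deps=[("handle", "create_drv", "ret", lambda v: v),      # handle edge
               ("buffer", "read_image", "ret", xor_decrypt)],    # data edge
         sink=True),
]

def match(graph: List[Node], log: List[Syscall]) -> Optional[str]:
    """Replay `log` against `graph`; return the id of the sink that fired.
    A node turns active when a call of its type arrives, its constant checks
    hold and every edge is satisfied by an already-active predecessor.
    Reaching a sink confirms the match and deactivates all nodes."""
    active: Dict[str, Syscall] = {}
    for call in log:
        for node in graph:
            if node.id in active or node.syscall != call.name:
                continue
            if not all(a in call.args and chk(call.args[a])
                       for a, chk in node.checks.items()):
                continue
            if not all(src in active and
                       call.args.get(arg) == fn(active[src].args.get(sf))
                       for arg, src, sf, fn in node.deps):
                continue
            active[node.id] = call
            if node.sink:
                active.clear()  # confirmed: reset for the next instance
                return node.id
    return None

PAYLOAD = b"MZ\x90\x00 constructed driver bytes"
DRIVER = "C:\\Windows\\system32\\drivers\\ip6fw.sys"

# Agent: the blob read from its own image is XOR-encrypted on disk; the bytes
# written to the driver file are its decryption, so the data edge holds.
AGENT_LOG = [
    Syscall("NtCreateFile", {"name": "C:\\Temp\\agent.exe", "ret": 0x1C}),
    Syscall("NtReadFile", {"handle": 0x1C, "ret": xor_decrypt(PAYLOAD)}),
    Syscall("NtCreateFile", {"name": DRIVER, "ret": 0x20}),
    Syscall("NtWriteFile", {"handle": 0x20, "buffer": PAYLOAD}),
]

# A benign installer copying a file verbatim: same calls and files, but the
# written buffer is not the XOR of what was read, so the data edge fails.
BENIGN_LOG = [
    Syscall("NtCreateFile", {"name": "C:\\Temp\\setup.exe", "ret": 0x1C}),
    Syscall("NtReadFile", {"handle": 0x1C, "ret": PAYLOAD}),
    Syscall("NtCreateFile", {"name": DRIVER, "ret": 0x20}),
    Syscall("NtWriteFile", {"handle": 0x20, "buffer": PAYLOAD}),
]

if __name__ == "__main__":
    print("agent :", match(AGENT_GRAPH, AGENT_LOG))   # write_drv
    print("benign:", match(AGENT_GRAPH, BENIGN_LOG))  # None
```

Two points the toy makes concrete. First, the handle edge is a plain equality check, which is why a write through any other handle never activates the sink. Second, the data edge carries the propagation function (here the XOR routine, a simple function evaluated directly; the paper executes an extracted program slice for complex ones), so a benign program that touches exactly the same files but writes something other than the decryption of what it read does not match. That is the reason the approach is less prone to false positives than a graph built from system-call names alone.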

System Details (figure slide)

System Details (figure slide)

EVALUATION: Effectiveness, Efficiency

Evaluation: effectiveness (figure slide)

Evaluation (figure slide)

Evaluation: false positives. Benign programs tested: Internet Explorer, Firefox, Thunderbird, PuTTY and Notepad. False positives: 0.

Evaluation: efficiency (figure slide)

LIMITATIONS & CONCLUSION

Limitations: evading graph (signature) generation
– Detect the virtual analysis environment and behave differently inside it
– Delays and time-triggered behavior that never shows during analysis
– Modifying the behavior the graph encodes (e.g., how data is propagated between the system calls), so that an existing graph no longer matches

Conclusion
– Behavior can be detected, and behavior-based detection is fast enough for end hosts
– The approach is intrinsically robust against polymorphism and metamorphism
– To some extent, behavior graphs are usable across malware variants