Intelligent Detection of Malicious Script Code. CS194, 2007-08. Benson Luk, Eyal Reuveni, Kamron Farrokh. Advisor: Adnan Darwiche.


Intelligent Detection of Malicious Script Code
CS194. Benson Luk, Eyal Reuveni, Kamron Farrokh. Advisor: Adnan Darwiche

Introduction
- 3-quarter project
- Sponsored by Symantec
- Main focuses:
  - Web programming
  - Database development
  - Data mining
  - Artificial intelligence

Overview
- Current security software catches known malicious attacks based on a list of signatures
- The problem: new attacks are being created every day
  - Developers need to create new signatures for these attacks
  - Until these signatures are made, users are vulnerable to these attacks

Overview (cont.)
- Our objective is to build a system that can effectively detect malicious activity without relying on signature lists
- The goal of our research is to see if and how artificial intelligence can discern malicious code from non-malicious code

Data Gathering
- Gather data using a web crawler (probably a modified web crawler based on the Heritrix software)
- Crawler scours a list of known "safe" websites
  - Will also branch out into websites linked to by these websites for additional data, if necessary
- While this is performed, we will gather key information on the scripts (function calls, parameter values, return values, etc.)
  - This will be done in Internet Explorer

Data Storage
- When data is gathered it will need to be stored for the analysis that will take place later
- Need to develop a database that can efficiently store the script activity of tens of thousands (possibly millions) of websites

Data Analysis
- Using information from the database, deduce normal behavior
- Find a robust algorithm for generating a heuristic for acceptable behavior
- The goal here is to later weigh this heuristic against scripts to determine abnormal (and thus potentially malicious) behavior

Challenges
- Gathering
  - How to grab relevant information from scripts?
  - How deep do we search?
    - Good websites may inadvertently link to malicious ones
    - The traversal graph is probably infinitely long
- Storage
  - In what form should the data be stored?
  - Need an efficient way to store data without simplifying it
    - Example: a simple laundry list of function calls does not take call sequence into account
- Analysis
  - What analysis algorithm can handle all of this data?
  - How can we ensure that the normality heuristic it generates minimizes false positives and maximizes true positives?
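To make the Data Analysis goal and the Storage caveat above concrete, here is an added example (not the project's code) of a normality heuristic learned from call traces: it counts call bigrams seen on a constructed "whitelist" crawl and scores new traces by how many of their bigrams were never seen, next to an order-blind bag-of-calls baseline. The traces, API names and threshold-free scores are constructed for illustration; the project's own crawler output format is not known.

```python
from collections import Counter

# Constructed sample traces: each is the ordered list of function calls
# recorded while a page's scripts ran. In the project these would come from
# the instrumented browser via the crawler; here they are hand-written.
NORMAL_TRACES = [
    ["getElementById", "addEventListener", "setTimeout", "getElementById", "innerHTML"],
    ["getElementById", "addEventListener", "XMLHttpRequest", "open", "send", "innerHTML"],
    ["querySelector", "addEventListener", "setTimeout", "querySelector", "innerHTML"],
    ["getElementById", "setTimeout", "getElementById", "innerHTML"],
]

def ngrams(trace, n=2):
    """Sliding windows of n consecutive calls; order is exactly what a bag of calls loses."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_model(traces, n=2):
    """The 'normal behaviour' heuristic: counts of call n-grams seen on the whitelist crawl."""
    model = Counter()
    for t in traces:
        model.update(ngrams(t, n))
    return model

def sequence_score(trace, model, n=2):
    """Fraction of the trace's n-grams never seen in normal traffic (0.0 = fully normal)."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in model) / len(grams)

def bag_score(trace, traces):
    """Order-blind baseline: fraction of individual calls never seen in normal traffic."""
    if not trace:
        return 0.0
    known = {call for t in traces for call in t}
    return sum(1 for c in trace if c not in known) / len(trace)

if __name__ == "__main__":
    model = build_model(NORMAL_TRACES)
    # Unseen page whose calls, in this order, all occurred on the whitelist (constructed).
    benign = ["querySelector", "addEventListener", "XMLHttpRequest", "open", "send", "innerHTML"]
    # The same known calls in an order the whitelist never produced (constructed).
    reordered = ["innerHTML", "send", "open", "XMLHttpRequest"]
    # Calls that never appeared on the whitelist at all (constructed).
    unknown = ["unescape", "eval", "document.write"]
    for name, trace in [("benign", benign), ("reordered", reordered), ("unknown", unknown)]:
        print(f"{name:10s} bag={bag_score(trace, NORMAL_TRACES):.2f} "
              f"sequence={sequence_score(trace, model):.2f}")
```

The "reordered" trace is the case the slide warns about: the bag-of-calls score is 0.0 because every call is known, while the sequence score is 1.0 because no adjacent pair was ever observed.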

Milestones
- Phase I: Setup
  - Set up equipment for research, ensure whitelist is clean
- Phase II: Crawler
  - Modify crawler to grab and output necessary data so that it can later be stored, and begin crawler activity for sample information
- Phase III: Database
  - Research and develop an effective structure for storing data and link it to the web crawler
- Phase IV: Analysis
  - Research and develop an effective algorithm for learning from massive amounts of data
- Phase V: Verification
  - Using the web crawler, visit a large volume of websites to ensure that the heuristic generated in Phase IV is accurate
- Certain milestones may need to be revisited depending on results in each phase