CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China:

Presentation transcript:

CAS: A Framework of Online Detecting Advance Malware Families for Cloud-based Security (slide 1/28)
From: First IEEE International Conference on Communications in China: Communications Theory and Security (CTS)
Author: Wei Yan
Speaker: 張鈞閔
Date: 2013/10/24

Outline (slide 2/28)
Introduction; Cloud-based Security Service; CAS: Threat Intelligence As A Service; Simulation; Conclusion

Outline, section: Introduction (slide 3/28)

Advanced Persistent Threat (slide 4/28)
The past few years have witnessed a significant increase in the number of malware threats. Today's anti-virus (AV) industry devotes much effort to combating the Advanced Persistent Threat (APT), also known as advanced malware. "Advanced" here means the use of new techniques to generate sophisticated malware that bypasses security vendors' malware scanners.

Challenges in Overcoming Advanced Malware's Complexity (slide 5/28)
Signature-based scanners need new virus signatures inserted into the database continually; this increases the size of the signature database and consumes much of the PC's memory and resources. Behavior-based detection approaches have been used to detect malware in a sandbox, but these approaches have slow scan speeds.

Move into the Cloud (slide 6/28)
To effectively handle the scale and magnitude of new malware variants, anti-virus functionality is being moved from the user desktop into the cloud. For a suspicious file, the AV desktop agent fetches the fingerprint or calculates the hash value of the file, and sends it to the remote cloud server. In this paper, millions of samples have been tested to evaluate CAS's performance in detecting advanced malware.

Outline, section: Cloud-based Security Service (slide 7/28)

Cloud-based Anti-virus Service (1/3) (slide 8/28)

Cloud-based Anti-virus Service (2/3) (slide 9/28)
The cloud agent is a lightweight hybrid desktop solution that resolves the resource-intensive AV problem. The agent collects hash values or fingerprints of suspicious files from users. If the hash values or fingerprints are already stored in the cache, the agent just returns the cached results to inform the users whether the requested files are malicious or not. Otherwise, it searches the local lightweight signature database, or directly sends the values or fingerprints to the cloud.
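The three-tier lookup this slide describes (cache, then the local lightweight signature database, then the cloud), as an added Python example; it is not code from the paper or from CAS. The sample hashes, the `CloudBackendStub` class and its `lookup()` interface are assumptions standing in for the real cloud server. One design point the slide leaves implicit is shown explicitly: only definite verdicts are cached, so a hash the cloud cannot classify today is asked again after the cloud's signatures are updated.

```python
import hashlib
from collections import OrderedDict

# Constructed local signature database: a deliberately small set of SHA-256 hashes
# (the "lightweight signature database" that keeps the desktop side cheap).
LOCAL_SIGNATURES = {
    "malicious": {hashlib.sha256(b"constructed-malicious-sample").hexdigest()},
    "benign": {hashlib.sha256(b"constructed-benign-sample").hexdigest()},
}


class CloudBackendStub:
    """Stand-in for the remote cloud server; assumed interface: lookup(hash) -> verdict."""

    def __init__(self, verdicts):
        self.verdicts = verdicts   # hash -> "malicious" | "benign"
        self.queries = 0           # round trips actually made, to show what the cache saves

    def lookup(self, digest):
        self.queries += 1
        return self.verdicts.get(digest, "unknown")


class CloudAgent:
    """Desktop agent: cache -> local signatures -> cloud, in that order."""

    def __init__(self, backend, cache_size=1024):
        self.backend = backend
        self.cache = OrderedDict()   # LRU: digest -> verdict
        self.cache_size = cache_size

    @staticmethod
    def fingerprint(data: bytes) -> str:
        # Only the hash travels; the file itself never leaves the desktop.
        return hashlib.sha256(data).hexdigest()

    def classify(self, data: bytes):
        """Return (verdict, tier), where tier records which lookup answered."""
        digest = self.fingerprint(data)
        # Tier 1: a result already cached for this hash.
        if digest in self.cache:
            self.cache.move_to_end(digest)
            return self.cache[digest], "cache"
        # Tier 2: the small local signature database.
        for verdict, hashes in LOCAL_SIGNATURES.items():
            if digest in hashes:
                self._remember(digest, verdict)
                return verdict, "local"
        # Tier 3: ask the cloud. Only definite verdicts are cached, so a hash the
        # cloud cannot classify today is re-queried once new signatures land there.
        verdict = self.backend.lookup(digest)
        if verdict != "unknown":
            self._remember(digest, verdict)
        return verdict, "cloud"

    def _remember(self, digest, verdict):
        self.cache[digest] = verdict
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)   # evict the least recently used entry


if __name__ == "__main__":
    backend = CloudBackendStub({CloudAgent.fingerprint(b"cloud-known-bad"): "malicious"})
    agent = CloudAgent(backend)
    for sample in (b"constructed-malicious-sample", b"cloud-known-bad",
                   b"cloud-known-bad", b"never-seen"):
        print(sample, agent.classify(sample))
    print("cloud round trips:", backend.queries)
```

Run as a script it prints which tier answered each constructed sample; the second query for the same cloud-classified hash is served from the cache, so the backend sees one round trip for it.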

Cloud-based Anti-virus Service (3/3) (slide 10/28)
In order to keep a good workload balance between the desktop and the cloud server, the agent requires a lightweight signature database whose size is much smaller than that of the traditional one. Malware authors use binary tools to apply code obfuscation. An emulator includes programs that execute or emulate suspicious encrypted executables until they are fully decrypted in memory.

Outline, section: CAS: Threat Intelligence As A Service (slide 11/28)

Framework (1/2) (slide 12/28)

Framework (2/2) (slide 13/28)
The malware type identification component recognizes the malware file type. Based on that file type, the advanced malicious sample is forwarded to the corresponding file parser. Afterwards, stream-based and generic signatures are generated from the malware families. These signatures are applied on high-speed network devices, such as UTM appliances and next-generation firewalls, to offer cloud-based on-the-fly malware detection.

Malware Types Supported (slide 14/28)
To support heterogeneous malware types, the intelligent parser in CAS is able to recognize the input malware file type. CAS currently supports PE (Portable Executable format), packers, and non-PE files.

PE (slide 15/28)
A PE file starts with the DOS executable header, followed by the PE header. The optional header comes next, followed by the section table headers. Finally, at the end of the PE file is the section data, which contains the file's original entry point (OEP), where file execution begins. To search a PE file for malware, a scanner typically scans the segments for known signatures at certain offsets from the OEP.

Packer (slide 16/28)
Packing is an efficient way to obfuscate a file's original contents, and as of publication time, packers are malware authors' favored binary tools for obscuring their code. A packer mutates the headers into new structures and attaches a code segment that the malware will invoke before the OEP. This code is called the stub; it decompresses the original data and locates the OEP.
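The PE and packer slides together describe what a scanner has to do before it can match anything: walk DOS header, PE signature, COFF header, optional header and section table, map the entry-point RVA to a file offset, and then match signatures at offsets from the OEP; and, for packed files, notice that what sits at the entry point is a stub in front of compressed data rather than the original code. The following is an added Python example, not code from the paper or from CAS: `parse_pe`, `scan_at_oep` and `packer_indicators` are my own names, the entropy threshold of 7.0 and the "entry point outside the code section" rule are common heuristics and not CAS's signature format, and the two PE files are constructed in `build_sample_pe` (a minimal PE32 with a 96-byte optional header and no data directories, which is not a loadable binary). The "signature" is an ordinary x86 function prologue, used only to show where the match is looked up.

```python
import hashlib
import math
import struct


class PEParseError(ValueError):
    pass


def parse_pe(data: bytes):
    """DOS header -> PE signature -> COFF header -> optional header -> section table.
    Returns (entry_rva, sections); only the fields needed to locate the OEP are read."""
    if data[:2] != b"MZ":
        raise PEParseError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEParseError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        raise PEParseError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + size_of_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return entry_rva, sections


def rva_to_file_offset(rva, sections):
    """Map an RVA to the file offset of its bytes through the section that contains it."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"]), s
    return None, None


def scan_at_oep(data: bytes, signatures: dict):
    """Match byte patterns at fixed offsets from the OEP; signatures: name -> (offset, pattern)."""
    entry_rva, sections = parse_pe(data)
    oep, section = rva_to_file_offset(entry_rva, sections)
    if oep is None:
        return {"oep_offset": None, "section": None, "hits": []}
    hits = [name for name, (delta, pat) in signatures.items()
            if data[oep + delta: oep + delta + len(pat)] == pat]
    return {"oep_offset": oep, "section": section["name"], "hits": hits}


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(data: bytes):
    """Hints that a stub, not the real code, sits at the entry point: a section of
    near-random (compressed or encrypted) bytes, or an entry point outside the code section."""
    entry_rva, sections = parse_pe(data)
    _, entry_sec = rva_to_file_offset(entry_rva, sections)
    flags = []
    if entry_sec is not None and entry_sec["name"] not in (".text", "CODE"):
        flags.append("entry point outside code section")
    for s in sections:
        if shannon_entropy(data[s["raw_ptr"]: s["raw_ptr"] + s["raw_size"]]) > 7.0:
            flags.append(f"high-entropy section {s['name']}")
    return flags


# ---- Constructed samples (not real binaries): a minimal PE32 with .text and .data ----
def build_sample_pe(text_bytes: bytes) -> bytes:
    entry_rva = 0x1000 + 0x10                                   # OEP 16 bytes into .text
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x0102)   # i386, 2 sections, 96-byte opt hdr
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x200, 0x200, 0, entry_rva, 0x1000, 0x2000).ljust(96, b"\0")
    def sec(name, va, ptr):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sec(b".text", 0x1000, 0x200) + sec(b".data", 0x2000, 0x400)
    text = (b"\0" * 0x10 + text_bytes).ljust(0x200, b"\0")
    return headers.ljust(0x200, b"\0") + text + bytes(0x200)

# Constructed "signature": an ordinary x86 function prologue placed at the OEP.
SAMPLE_SIGNATURE = b"\x55\x8b\xec\x83\xec\x10"
# Deterministic pseudo-random bytes standing in for a packed (compressed) .text section.
PACKED_TEXT = b"".join(hashlib.sha256(b"constructed-packed-%d" % i).digest() for i in range(16))[:0x1F0]

if __name__ == "__main__":
    sigs = {"constructed-prologue-sig": (0, SAMPLE_SIGNATURE)}
    for label, sample in (("plain", build_sample_pe(SAMPLE_SIGNATURE)), ("packed", build_sample_pe(PACKED_TEXT))):
        print(label, scan_at_oep(sample, sigs), packer_indicators(sample))
```

On the plain sample the OEP resolves to file offset 0x210 inside `.text` and the prologue signature matches there; on the packed sample the bytes at the OEP match nothing and `.text` comes back with high entropy, which is the cue to hand the file to the unpacking or emulation path before signature matching is attempted again.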

Non-PE (slide 17/28)
Non-PE malware, also known as embedded malware, allows malicious code to be hidden inside a benign file, such as JPG, GIF and PDF files. CAS uses non-PE parsers to find the hidden malicious payloads and applies signatures to detect the malware. In Fig. 4, the CAS parser goes through the JPG format and highlights the malicious payloads in red.
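A non-PE parser of the kind this slide describes, for the JPG case, as an added Python example that is not the paper's or CAS's code: it walks the JPEG marker segments and reports the two places a carrier file can hold a payload that an image viewer never looks at, bytes after the EOI marker and metadata segments (COM/APPn) whose content starts like an executable or archive. The `identify_type` front door is the magic-byte dispatch the Malware Types slide implies (assumed, not CAS's parser). The JPEG is constructed in `build_sample_jpeg` and is only the container structure, not a decodable picture; the function names, the `EXEC_MAGICS` table and the finding format are all my own.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
# Magic numbers of content that has no business inside an image container.
EXEC_MAGICS = {b"MZ": "PE executable", b"\x7fELF": "ELF executable",
               b"%PDF": "PDF document", b"PK\x03\x04": "ZIP archive"}


def identify_type(data: bytes) -> str:
    """Front-door dispatch on magic bytes; packed PEs still enter through the PE branch."""
    if data[:2] == b"MZ":
        return "PE"
    if data[:2] == b"\xFF\xD8":
        return "JPEG"
    return "other"


def walk_jpeg(data: bytes):
    """Return (segments, trailing): segments are (marker, offset, length, payload);
    trailing is whatever follows the EOI marker, which a viewer never reads."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("missing SOI marker")
    pos, segments, trailing = 2, [], b""
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI: the image ends here
            segments.append((marker, pos, 0, b""))
            trailing = data[pos + 2:]
            break
        if marker in STANDALONE:
            segments.append((marker, pos, 0, b""))
            pos += 2
            continue
        length = struct.unpack_from(">H", data, pos + 2)[0]    # counts the 2 length bytes
        payload = data[pos + 4: pos + 2 + length]
        segments.append((marker, pos, length, payload))
        pos += 2 + length
        if marker == 0xDA:                          # SOS: skip scan data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return segments, trailing


def find_hidden_payloads(data: bytes):
    """Flag what a non-PE parser would highlight: bytes after EOI, and COM/APPn
    segments whose payload starts like an executable or archive."""
    findings = []
    segments, trailing = walk_jpeg(data)
    for marker, offset, length, payload in segments:
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            for magic, kind in EXEC_MAGICS.items():
                if payload.startswith(magic):
                    findings.append({"where": f"segment 0x{marker:02X} at offset {offset}",
                                     "size": len(payload), "kind": kind})
    if trailing:
        eoi_offset = len(data) - len(trailing) - 2
        kind = next((k for m, k in EXEC_MAGICS.items() if trailing.startswith(m)), "unknown data")
        findings.append({"where": f"after EOI at offset {eoi_offset}",
                         "size": len(trailing), "kind": kind})
    return findings


# ---- Constructed sample: only the container structure, not a decodable picture ----
def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(comment=b"constructed benign comment", trailing=b"") -> bytes:
    body = b"\xFF\xD8"
    body += _segment(0xE0, b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0 / JFIF
    body += _segment(0xFE, comment)                                         # COM
    body += _segment(0xDA, b"\x01\x01\x00\x00\x3F\x00")                     # SOS header
    body += b"\x12\x34\xFF\x00\x56"                                         # scan data with a stuffed FF00
    return body + b"\xFF\xD9" + trailing


if __name__ == "__main__":
    clean = build_sample_jpeg()
    appended = build_sample_jpeg(trailing=b"MZ" + b"\x90" * 40)
    print(identify_type(clean), find_hidden_payloads(clean))
    print(identify_type(appended), find_hidden_payloads(appended))
```

The walker has to treat the entropy-coded data after SOS specially (an `FF 00` pair is a stuffed data byte, not a marker), otherwise a scanner stops early and never reaches the EOI, which is exactly where appended payloads live. A real parser would additionally bound segment lengths against the file size and handle truncated files; both are omitted here for brevity.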

Outline, section: Simulation (slide 18/28)

On-the-fly Detection Performance (slide 19/28)
The CAS correlation signature database can work with such network devices to capture the latest malware. The hardware-based simulation shows that the CAS online scanner can achieve more than 15 Gbps throughput, as shown in Table 2, much higher than other research works.

Detect Zero-day Threats (1/2) (slide 20/28)
In our testing, CAS uses 1352 correlation signatures to cover 380 packed and unpacked malware families (7 million malicious samples in total). Fig. 5 shows the detection rate for packed malware families without updating signatures. The detection rate stays high even though we did not update signatures for a month.

Detect Zero-day Threats (2/2) (slide 21/28)

Outline, section: Conclusion (slide 22/28)

Conclusion (slide 23/28)
This paper introduces CAS to identify features shared across malware families that are written in similar ways. Our approach is generic, and the test results have validated its ability and performance. The work is still in its early stages, and several major issues in protecting the AV cloud service remain to be addressed.