Dr. XiaoFeng Wang
AGIS: Towards Automatic Generation of Infection Signatures
Zhuowei Li (1,3), XiaoFeng Wang (1), Zhenkai Liang (4) and Mike Reiter (2)
1 Indiana University at Bloomington; 2 University of North Carolina at Chapel Hill; 3 Center for Software Excellence, Microsoft; 4 Carnegie Mellon University

Exploit signatures vs. infection signatures
- Exploit signature
- Infection signature

How to get infection signatures?
- Manually analyze malware infections
- Automated analysis
  - Invariant extraction from replication code
  - Checksum
  - Invariance from network traffic
  => cannot handle even the simplest metamorphism

Our solution: AGIS
- Automated malware analysis
  - Run malware in a sandboxed environment
  - Identify mal-behaviors using generalized policies
- Automated infection signature generation
  - From the code necessary for the infection's mission
  - "Vanilla" infections and regular-expression signatures
  - Certain resilience to obfuscated infections

Differences from prior work
- Behavior-based malware detection
  - Only analyzes add-on based infections
  - No signature generation
- Panorama
  - Finer-grained analysis, but very slow
  - No signature generation

How does AGIS work?

Malicious behavior detection
- Create an infection graph
- Set detection policies
- Detection and behavior extraction

Infection graph and back tracking
(Figure: an infection graph. Nodes: downloader.exe, keylogger.exe, keylogger process, run registry, hook.dll, key.log. Numbered edges: 1. download, 2. modify, 3. run, 4. hook, 5. save.)

Detection policies
- Specifications for malicious behaviors
- Keylogger rule
  - syscall for hooking the keyboard, and
  - callback function -> output syscalls (WriteFile, Sendto, ...)
- Mass-mailing worm rule
  - loop for searching directories to read files, and
  - syscall -> SMTP servers

Infection signature extraction
- Dynamic analysis and static analysis
  - Get the instructions necessary for malicious behaviors
- Build signatures from the instructions

Analyses
- Dynamic analysis
  - Find API calls for malicious behavior (M-calls)
  - Identify their call sites through stack walking
- Static analysis
  - Instructions that prepare the M-calls' parameters (chops)

Obfuscated code
- Metamorphism
  - Junk-code injection: dealt with by chops
  - Code transposition: dealt with by the CFG
  - Register reassignment, instruction replacement: left to the scanner
- Polymorphism
  - Modify code -> signature

Get signatures
- Vanilla malware
  - Chop
- Regular-expression signature
  - Blocks: consecutive instructions on a chop
  - Conjunction of blocks
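The chop, block and regular-expression steps described on the analysis, obfuscation and signature slides, as an added example that is not AGIS's own code: a toy backward slice over constructed x86-style instruction text finds the instructions that prepare the stack arguments of an M-call (here a constructed call to NtWriteFile with three arguments), splits the chop into blocks of consecutive instructions, and joins the blocks into a regular expression that tolerates junk code between them. The instruction lists, the register model, the junk instructions and the argument count are all constructed; the register-renamed variant shows the case the slides leave to the scanner.

```python
"""Toy chop extraction and signature building (added example, not AGIS code).
Instructions are constructed x86-style text lines; the M-call, its argument
count and the junk instructions are constructed for illustration."""
import re
from collections import namedtuple

REG = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[sb]p)\b")
Ins = namedtuple("Ins", "mn reads writes text")


def parse(text):
    """Small operand model: which registers an instruction reads and writes."""
    mn, _, rest = text.partition(" ")
    ops = [o.strip() for o in rest.split(",")] if rest else []
    regs = [set(REG.findall(o)) for o in ops]
    reads, writes = set(), set()
    if mn in ("mov", "lea"):
        if ops[0].startswith("["):
            reads |= regs[0]            # store: the address registers are read
        else:
            writes |= regs[0]
        reads |= regs[1]
    elif mn in ("add", "sub", "and", "or", "xor"):
        writes |= regs[0]
        reads |= regs[0] | regs[1]
        if mn == "xor" and ops[0] == ops[1]:
            reads = set()               # xor r, r zeroes r without using its old value
    elif mn == "xchg":
        reads |= regs[0] | regs[1]
        writes |= regs[0] | regs[1]
    elif mn in ("inc", "dec", "not", "neg"):
        reads |= regs[0]
        writes |= regs[0]
    elif mn == "push":
        reads |= regs[0]
    elif mn == "pop":
        writes |= regs[0]
    # call / nop / ret: no register data flow is tracked in this toy model
    return Ins(mn, reads, writes, text)


def chop(instrs, call_idx, nargs):
    """Backward slice: the instructions that prepare the M-call's nargs stack arguments."""
    keep, wanted, pushes = {call_idx}, set(), nargs
    for i in range(call_idx - 1, -1, -1):
        ins = parse(instrs[i])
        if ins.mn == "push" and pushes > 0:
            pushes -= 1
            keep.add(i)
            wanted |= ins.reads
        elif ins.writes & wanted:       # defines a value the call (transitively) needs
            keep.add(i)
            wanted = (wanted - ins.writes) | ins.reads
    return sorted(keep)                 # junk that feeds nothing never enters the chop


def blocks(chop_idx):
    """Runs of consecutive chop instructions."""
    out = []
    for i in chop_idx:
        if out and i == out[-1][-1] + 1:
            out[-1].append(i)
        else:
            out.append([i])
    return out


def vanilla_signature(instrs, chop_idx):
    """Vanilla signature: the exact chop text, matched contiguously."""
    return [instrs[i] for i in chop_idx]


def matches_vanilla(sig, instrs):
    n = len(sig)
    return any(instrs[i:i + n] == sig for i in range(len(instrs) - n + 1))


GAP = r"(?:[^\n]*\n)*?"     # any number of intervening lines (where junk code may sit)


def regex_signature(instrs, chop_idx):
    """Conjunction of the chop's blocks, in order, with arbitrary code allowed between blocks."""
    parts = ["".join(re.escape(instrs[i]) + r"\n" for i in blk) for blk in blocks(chop_idx)]
    return re.compile(r"(?:^|\n)" + GAP.join(parts))


def matches_regex(sig, instrs):
    return sig.search("\n".join(instrs) + "\n") is not None


# Constructed samples: a "vanilla" argument set-up for NtWriteFile, the same code
# with junk instructions injected, a register-renamed variant, and a benign snippet.
VANILLA = ["mov esi, 0", "lea eax, [ebp-20]", "mov ecx, 64", "mov edx, [ebp+8]",
           "push ecx", "push eax", "push edx", "call NtWriteFile"]
OBFUSCATED = ["mov esi, 0", "lea eax, [ebp-20]", "nop", "mov ecx, 64", "xchg ebx, ebx",
              "mov edx, [ebp+8]", "push ecx", "inc edi", "push eax", "push edx",
              "call NtWriteFile"]
RENAMED = [t.replace("ecx", "ebx") for t in VANILLA]
BENIGN = ["mov eax, 1", "push eax", "call NtClose"]

if __name__ == "__main__":
    print("vanilla chop:", chop(VANILLA, 7, 3))
    print("junk-injected chop blocks:", blocks(chop(OBFUSCATED, 10, 3)))
```

Run stand-alone the block prints the two chops; the chop taken from the junk-injected sample is the same instruction sequence as the vanilla one, split into four blocks by the junk. The vanilla signature from the clean sample matches only the clean sample, while the regular-expression signature built from the blocks matches both it and the junk-injected sample, and still misses the register-renamed variant, which is why the slides leave register reassignment to the scanner.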

Implementation
- Kernel driver
  - Hooks the SSDT
- Static analyzer
  - Built upon Proview PVDASM

Evaluations
- Malware
  - Mydoom (D/L/Q/U)
  - NetSky (B/X)
  - Spyware.KidLogger
  - Invisible KeyLogger
  - Home Keylogger
- Evaluations of detection and signature generation

Examples for detection
- MyDoom
  - Loop-read using NtReadFile
  - Sends messages through NtDeviceIoControlFile
  - Violates the mass-mailing rule
- Spyware.KidLogger
  - Hooks using NtUserSetWindowsHookEx
  - Writes through NtWriteFile
  - Violates the keylogger rule
- False positives
  - None found among 19 common applications (BitTorrent, browsers, MS Office, Google Desktop, ...)
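The keylogger and mass-mailing rules from the detection policies slide, applied to a constructed system-call trace, together with back-tracking over the infection graph from the earlier slide; this is an added example, not AGIS's kernel driver or policy engine. The syscall names are the ones the slides name; the process paths, registry key, addresses, hook types and the read-count threshold are constructed placeholders.

```python
"""Infection-graph back-tracking and two detection policies over a constructed
syscall trace (added example, not AGIS code).  Syscall names are those named on
the slides; every path, key, address and threshold is a constructed placeholder."""
from collections import defaultdict

KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}             # hook types a keylogger installs
OUTPUT_SYSCALLS = {"NtWriteFile", "NtDeviceIoControlFile", "sendto"}
SMTP_PORT = 25
MASS_READ_THRESHOLD = 10     # constructed: a "loop-read" is at least this many files under a searched directory

DL = r"C:\tmp\downloader.exe"          # constructed process images
KL = r"C:\tmp\keylogger.exe"
MAIL = r"C:\tmp\mailer.exe"
NOTE = r"C:\Windows\notepad.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed trace: (pid, process image, syscall, argument summary), in time order.
TRACE = [
    (100, DL, "NtWriteFile", {"path": KL}),                                   # 1. download
    (100, DL, "NtSetValueKey", {"key": RUN_KEY, "value": KL}),                # 2. modify run registry
    (100, DL, "NtCreateProcess", {"image": KL}),                              # 3. run
    (200, KL, "NtUserSetWindowsHookEx", {"hook": "WH_KEYBOARD_LL", "dll": "hook.dll"}),  # 4. hook
    (200, KL, "NtWriteFile", {"path": r"C:\tmp\key.log"}),                    # 5. save
    (300, MAIL, "NtQueryDirectoryFile", {"path": r"C:\Users\a\Documents"}),
    *[(300, MAIL, "NtReadFile", {"path": rf"C:\Users\a\Documents\f{i}.txt"}) for i in range(12)],
    (300, MAIL, "NtDeviceIoControlFile", {"dst": "203.0.113.7:25"}),
    (400, NOTE, "NtReadFile", {"path": r"C:\Users\a\notes.txt"}),
    (400, NOTE, "NtWriteFile", {"path": r"C:\Users\a\notes.txt"}),
]


def by_pid(trace):
    """Group the trace into per-process call lists of (image, syscall, args)."""
    per = defaultdict(list)
    for pid, image, call, args in trace:
        per[pid].append((image, call, args))
    return per


def keylogger_rule(calls):
    """Keyboard hook installed, then an output syscall from the same process."""
    hooked = False
    for _image, call, args in calls:
        if call == "NtUserSetWindowsHookEx" and args.get("hook") in KEYBOARD_HOOKS:
            hooked = True
        elif hooked and call in OUTPUT_SYSCALLS:
            return True
    return False


def mass_mailing_rule(calls):
    """Directory search, many reads under it, then a connection to an SMTP port."""
    searched, read_files = [], set()
    for _image, call, args in calls:
        if call == "NtQueryDirectoryFile":
            searched.append(args["path"])
        elif call == "NtReadFile" and any(args["path"].startswith(d) for d in searched):
            read_files.add(args["path"])
        elif call in ("NtDeviceIoControlFile", "sendto") and args.get("dst", "").endswith(f":{SMTP_PORT}"):
            if len(read_files) >= MASS_READ_THRESHOLD:
                return True
    return False


POLICIES = {"keylogger": keylogger_rule, "mass-mailing": mass_mailing_rule}


def detect(trace):
    """Map each process image to the list of policies it violates (empty lists omitted)."""
    verdicts = {}
    for calls in by_pid(trace).values():
        violated = [name for name, rule in POLICIES.items() if rule(calls)]
        if violated:
            verdicts[calls[0][0]] = violated
    return verdicts


def infection_graph(trace):
    """Edges (actor image, action, object) linking processes to what they touch."""
    edges = []
    for _pid, image, call, args in trace:
        if call == "NtWriteFile":
            edges.append((image, "write", args["path"]))
        elif call == "NtSetValueKey":
            edges.append((image, "modify", args["key"]))
        elif call == "NtCreateProcess":
            edges.append((image, "run", args["image"]))
        elif call == "NtUserSetWindowsHookEx":
            edges.append((image, "hook", args["dll"]))
    return edges


def back_track(edges, image):
    """Follow write/run edges backwards from a flagged executable to whatever dropped it."""
    chain, seen = [image], {image}
    while True:
        parents = [a for a, act, obj in edges
                   if act in ("write", "run") and obj == chain[-1] and a not in seen]
        if not parents:
            return chain
        chain.append(parents[0])
        seen.add(parents[0])


if __name__ == "__main__":
    verdicts = detect(TRACE)
    for image, rules in verdicts.items():
        print(image, "violates", rules, "origin chain:", back_track(infection_graph(TRACE), image))
```

The notepad process reads and writes a file but never installs a hook or searches a directory, so neither rule fires on it; the keylogger process trips the keylogger rule and back-tracking over the write and run edges leads to the downloader that dropped it, mirroring the numbered edges of the infection-graph figure.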

Chop for Mydoom.D

Chop for Spyware.KidLogger

FP rate vs. signature length

Other evaluations
- FP of vanilla signatures
  - Statically checked 1378 normal programs: no match
- Obfuscation
  - Obfuscated code with RPME: extracted the right chop
  - Encoded using UPX: found the encoding loop
- Performance
  - Detection: around 1 minute
  - Signature generation: less than 1 minute

Limitations
- User-land infections only
- Not for add-ons
- Undecidability of static obfuscation analysis
- Obfuscation of behaviors

Conclusions and future work
- Achievements
  - 1st infection signature generation approach for hosts
  - Works on today's user-land infections
- Future work
  - Efficient dynamic analysis tools
  - Better scanning techniques