Charles Curtsinger, UMass Amherst; Benjamin Livshits and Benjamin Zorn, Microsoft Research; Christian Seifert, Microsoft. 20th USENIX Security Symposium.

Presentation transcript:

Charles Curtsinger, UMass Amherst; Benjamin Livshits and Benjamin Zorn, Microsoft Research; Christian Seifert, Microsoft. 20th USENIX Security Symposium (August, 2011)

Charles Curtsinger, UMass Amherst; Benjamin Livshits and Benjamin Zorn, Microsoft Research; Christian Seifert, Microsoft. Microsoft Research Technical Report (November, 2010)

Outline
- Introduction
- Observation on Offline Nozzle
- Design
- Experiment
- Evaluation
2011/5/24, A Seminar at Advanced Defense Lab

Introduction
- In the last several years, we have seen mass-scale exploitation of memory-based vulnerabilities migrate towards heap spraying attacks.
- But many solutions are not lightweight enough to be integrated into a commercial browser.

About Nozzle
- The overhead of this runtime technique may be 10% or higher.
- This paper is based on our experience using NOZZLE for offline scanning.
- Offline scanning is also not as effective against transient malware that appears and disappears frequently.

About Zozzle
- ZOZZLE is integrated with the browser's JavaScript engine to collect and process JavaScript code that is created at runtime.
- Our focus in this paper is on creating a very low false positive, low overhead scanner.

Observation on Offline Nozzle
- Once we determined that a piece of JavaScript was malicious, we invested considerable effort in examining the code by hand and categorizing it in various ways.
- We investigated 169 malware samples.

Distribution of Different Exploit Samples

Transience of Detected Malicious URLs

JavaScript eval Unfolding

Distribution of Context Counts

Design

Training Data Extraction and Labeling
- We start by augmenting the JavaScript engine in a browser with a "deobfuscator" that extracts and collects individual fragments of JavaScript.
- Implemented with Detours, hooking the Compile function (COleScript::Compile()) in jscript.dll.

Feature Extraction
- We create features based on the hierarchical structure of the JavaScript abstract syntax tree (AST).

Feature Selection
- χ² test over the following 2x2 contingency table, computed per feature:

                With feature    Without feature
  malicious          A                 C
  benign             B                 D

Classifier Training
- Naïve Bayesian classifier
- Features are assumed to be conditionally independent given the class

Naïve Bayesian classifier
- Complexity: linear time
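The three Design slides above (feature extraction from syntactic context, χ² feature selection over the 2x2 table, naive Bayes training with linear-time classification) as one added example written for this page; it is not the authors' code. Assumptions: a keyword-and-brace scanner stands in for the engine's AST to assign each token a context (function, loop, try, if, string, top); the χ² statistic is the standard 2x2 form N(AD - CB)² / ((A+C)(B+D)(A+B)(C+D)); the selection threshold is the p = 0.05 critical value 3.84 rather than whatever the paper uses; the classifier is Bernoulli naive Bayes with add-one smoothing; and the eight-sample training set is constructed (the "malicious" snippets only build a string).

```javascript
// Added example, not code from the Zozzle paper or the slides: the
// feature-extraction / chi-squared selection / naive Bayes pipeline in miniature.
// The syntactic context of each token is approximated by a keyword-and-brace
// scanner (the real system walks the engine's AST); the training set is
// constructed and tiny, so the numbers only illustrate the mechanics.

// keyword -> the context that the block it introduces belongs to
const CONTEXT_KEYWORDS = new Map([
  ['function', 'function'], ['for', 'loop'], ['while', 'loop'], ['try', 'try'], ['if', 'if'],
]);

// Tokenize `src` and return the set of "context:token" features, so the same
// identifier seen inside a loop and at top level yields two distinct features.
function extractFeatures(src) {
  const features = new Set();
  const stack = ['top'];      // innermost context is last
  let pending = null;         // context that the next '{' opens
  const tokenRe = /"[^"]*"|'[^']*'|[A-Za-z_$][\w$]*|\d+|[{}]/g;
  for (const [tok] of src.matchAll(tokenRe)) {
    const ctx = stack[stack.length - 1];
    if (tok === '{') { stack.push(pending || ctx); pending = null; continue; }
    if (tok === '}') { if (stack.length > 1) stack.pop(); continue; }
    if (tok[0] === '"' || tok[0] === "'") { features.add('string:' + tok.slice(1, -1)); continue; }
    const opens = CONTEXT_KEYWORDS.get(tok);
    if (opens) pending = opens;
    features.add(ctx + ':' + tok);
  }
  return features;
}

// Chi-squared statistic for the slide's 2x2 table (standard form, with N):
//            with feature   without feature
// malicious       A               C
// benign          B               D
function chiSquared(A, B, C, D) {
  const n = A + B + C + D;
  const denom = (A + C) * (B + D) * (A + B) * (C + D);
  return denom === 0 ? 0 : (n * (A * D - C * B) ** 2) / denom;
}

// Count per-feature occurrences, keep the features whose chi-squared score
// passes `threshold`, and store smoothed Bernoulli probabilities P(feature | label).
function trainClassifier(samples, threshold = 3.84) {
  const totals = { malicious: 0, benign: 0 };
  const counts = new Map();           // feature -> { malicious, benign }
  for (const { label, src } of samples) {
    totals[label] += 1;
    for (const f of extractFeatures(src)) {
      if (!counts.has(f)) counts.set(f, { malicious: 0, benign: 0 });
      counts.get(f)[label] += 1;
    }
  }
  const selected = {};
  for (const [f, c] of counts) {
    const A = c.malicious, B = c.benign;
    const chi = chiSquared(A, B, totals.malicious - A, totals.benign - B);
    if (chi >= threshold) {
      selected[f] = {
        chi,
        malicious: (A + 1) / (totals.malicious + 2),   // add-one smoothing
        benign: (B + 1) / (totals.benign + 2),
      };
    }
  }
  const n = samples.length;
  return { selected, prior: { malicious: totals.malicious / n, benign: totals.benign / n } };
}

// Score both labels with log-probabilities in one pass over the selected
// features (present or absent), so the cost is linear in the feature set size.
function classify(model, src) {
  const present = extractFeatures(src);
  const score = {};
  for (const label of ['malicious', 'benign']) {
    let s = Math.log(model.prior[label]);
    for (const [f, p] of Object.entries(model.selected)) {
      s += Math.log(present.has(f) ? p[label] : 1 - p[label]);
    }
    score[label] = s;
  }
  return { label: score.malicious > score.benign ? 'malicious' : 'benign', score };
}

// Constructed training set: four spray-shaped snippets (inert, they only build
// a string) and four ordinary page scripts.
const TRAINING_SET = [
  { label: 'malicious', src: 'var s = unescape("%u0c0c%u0c0c"); var a = []; for (var i = 0; i < 4096; i++) { a[i] = s + s; }' },
  { label: 'malicious', src: 'function spray() { var x = unescape("%u0c0c%u0c0c"); for (var i = 0; i < 2048; i++) { x += x; } }' },
  { label: 'malicious', src: 'var block = unescape("%u0c0c%u0c0c"); while (block.length < 65536) { block += block; }' },
  { label: 'malicious', src: 'try { var e = unescape("%u0c0c%u0c0c"); for (var i = 0; i < 1024; i++) { e += e; } } catch (err) {}' },
  { label: 'benign', src: 'function total(items) { var t = 0; for (var i = 0; i < items.length; i++) { t += items[i].price; } return t; }' },
  { label: 'benign', src: 'var el = document.getElementById("menu"); if (el) { el.style.display = "block"; }' },
  { label: 'benign', src: 'var name = document.title; function greet() { return "Hello, " + name; }' },
  { label: 'benign', src: 'var body = document.body; for (var i = 0; i < rows.length; i++) { body.appendChild(rows[i]); }' },
];

if (typeof require !== 'undefined' && require.main === module) {
  const model = trainClassifier(TRAINING_SET);
  console.log('selected features:', model.selected);
  console.log(classify(model, 'var z = unescape("%u0c0c%u0c0c"); for (var i = 0; i < 100; i++) { z += z; }'));
}
```

With this training set only two features survive selection: the spray string (present in all four malicious samples, χ² = 8) and `top:document` (present in three of four benign samples, χ² = 4.8); everything else scores below 3.84 and is dropped, which is the point of the selection step: the classifier then touches only a short list of features per context.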

Fast Pattern Matching

Fast Pattern Matching (cont.)

Experiment
- Malicious samples: 919 deobfuscated malicious contexts
- Benign samples: Alexa top 50 URLs, 7,976 contexts

Feature Selection
- Hand-picked vs. automatically selected features

Evaluation
- HP xw4600 workstation
- Intel Core2 Duo 3.16 GHz
- 4 GB memory
- Windows 7 64-bit Enterprise

Effectiveness

Training Set Size

Feature Set Size

Comparison with Other Techniques

Performance: Context Size

Performance: Feature Set


I think these are all…
- unescape("%48%65%6c%6c%6f%57%6f%72%6c%64")
- "\u0048\u0065\u006C\u006C\u006F\u0057\u006F\u0072\u006C\u0064"
- document.write("alert('1')");
- eval("alert(1)");
- "H976e246l3l2o19W42o45r7l88d734".replace(/[0-9]/g, "")

If I want to eval …
- Function("alert('1')")();
- setTimeout("alert('1')");
- execScript("alert('1')", "javascript");
- [].constructor.constructor('alert(1)')();
- window["eval"]("alert('1')");
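The "eval Unfolding" idea from the Design slides and the aliases of eval listed on the slide just above, as an added example written for this page (not part of the presentation or the Zozzle code): a script-level recorder that captures every code string handed to a dynamic-code entry point before it is compiled, so a classifier sees the unfolded inner contexts rather than only the obfuscated outer layer. Zozzle does this inside the engine by hooking COleScript::Compile(); the stand-in here shadows `eval`, `Function`, `setTimeout`, `execScript`, `window` and `alert` with hooks and temporarily redirects `Function.prototype.constructor` so that the `[].constructor.constructor` route is caught as well. It runs under Node, the sample scripts are constructed, and `alert()` is a stand-in that only records its argument.

```javascript
// Added example, not code from the Zozzle paper or the slides: a script-level
// "eval unfolding" recorder. Every string that reaches a dynamic-code entry
// point is recorded and then compiled with the same hooks in scope, so nested
// layers (eval inside eval) are recorded too.

const RealFunction = Function;   // the engine's real compiler entry point
const HOOK_NAMES = ['eval', 'Function', 'setTimeout', 'execScript', 'window', 'alert'];

// Run `src` and return every code string that was compiled (the "contexts")
// plus the alert() messages the unfolded code produced.
function unfold(src) {
  const contexts = [];
  const alerts = [];
  const hooks = {};

  // Record `body`, then compile it with the hooks bound as parameters. The
  // generated wrapper is sloppy-mode, so `eval` is a legal parameter name, and
  // an `eval(...)` call inside the body resolves to our hook instead of being a
  // direct eval.
  function compileWithHooks(params, body) {
    contexts.push(body);
    const factory = RealFunction(...HOOK_NAMES,
      'return function (' + params.join(', ') + ') {\n' + body + '\n};');
    return factory(...HOOK_NAMES.map((name) => hooks[name]));
  }

  hooks.eval = function (code) {
    if (typeof code !== 'string') return code;   // eval(non-string) returns it unchanged
    return compileWithHooks([], code)();
  };
  // Function(p1, ..., body) and new Function(...): a plain function so `new` works
  hooks.Function = function (...args) {
    const body = args.length ? String(args[args.length - 1]) : '';
    return compileWithHooks(args.slice(0, -1).map(String), body);
  };
  // setTimeout with a string argument compiles it; run it synchronously here
  hooks.setTimeout = function (handler, _delay) {
    if (typeof handler === 'string') compileWithHooks([], handler)();
    else handler();
    return 0;
  };
  hooks.execScript = function (code, _language) { compileWithHooks([], String(code))(); };
  hooks.alert = function (message) { alerts.push(String(message)); };
  hooks.window = hooks;   // window["eval"], window.Function, ... resolve to the hooks

  // [].constructor.constructor reaches the real Function through
  // Function.prototype.constructor, which parameter shadowing cannot cover;
  // redirect that property for the duration of the run and restore it after.
  const proto = RealFunction.prototype;
  const savedCtor = proto.constructor;
  proto.constructor = hooks.Function;
  try {
    compileWithHooks([], String(src))();
  } finally {
    proto.constructor = savedCtor;
  }
  return { contexts, alerts };
}

// Constructed samples: the slide's aliases of eval, each wrapping a harmless alert
const SAMPLES = [
  'eval(unescape("%61%6c%65%72%74%28%31%29"))',                  // unescape -> alert(1)
  'Function("alert(\'2\')")()',
  'setTimeout("alert(\'3\')", 0)',
  'execScript("alert(\'4\')", "javascript")',
  '[].constructor.constructor("alert(5)")()',
  'window["eval"]("a0l9e8r7t(\'six\')".replace(/[0-9]/g, ""))', // digit padding stripped
  'eval("eval(\'alert(7)\')")',                                   // two layers deep
];

function unfoldAll(samples = SAMPLES) {
  return samples.map((src) => unfold(src));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of unfoldAll()) console.log(JSON.stringify(result));
}
```

For each sample the recorded contexts are the outer script followed by the decoded inner string(s), e.g. `["eval(\"eval('alert(7)')\")", "eval('alert(7)')", "alert(7)"]` for the two-layer case; it is the inner strings that a classifier like Zozzle's should be trained on and scored against. The Function.prototype.constructor redirect is the reason a script-level hook is only a stand-in: an engine-level hook on the compile entry point sees every route to dynamic code without having to enumerate them.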

In the network, I find …
- ([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[ ]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[] )[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[ +!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[ +[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[] +!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[] ]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[(![]+[])[+!+[]] +(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+! +[]]+(!![]+[])[+[]]])(+!+[])
