A Novel Testbed for Detection of Malicious Software Functionality
Speaker: Hong-Ren Jiang

Outline
Abstract; Introduction; Related Work; Detection Theory (Host-Based Detection, Network-Based Detection); Laboratory Setup (Physical Level, Virtual Level); Experiments and Results; Discussion and Further Work; Conclusion.

Abstract
This paper presents a novel open-source testbed for behavioural software analysis, designed to meet current trends in the malware community by allowing controlled access to the Internet during the analysis phase. A novel way of using honeypot technology is proposed to build a testbed that is able to analyse current threats.

Introduction (1/2)
Malicious code may be spread by introducing hidden malicious functionality into otherwise legitimate software. Of the more than files they investigated, approximately 15% contained malicious code. However, attackers are constantly improving their code to evade the traditional detection algorithms.

Introduction (2/2)
Sandboxing is a relatively new approach to behavioural malware detection. However, a trend among malware authors, reported by Symantec, is to use staged downloads of malware. The paper proposes a modern behavioural analysis environment designed to detect unwanted functionality in downloaded applications.

Related Work
Virtual machine technology is proposed as a flexible solution for building the laboratory environment; existing analysis products such as Norman Sandbox and Panda TruPrevent are discussed. This paper contributes to the existing malware analysis literature in the following areas: a powerful open-source software analysis testbed is provided; the testbed design is based on a number of updated malware detection theories; and the testbed allows safe analysis of software, including software with malicious content that uses staged download techniques.

Detection Theory
Most traditional anti-virus systems use signature-based detection, the major drawback being the inability to detect new, unknown malicious code. When new instances of malicious software are found, new signature files have to be written and distributed to the detection tools.

Host-Based Detection (1/2)
This section presents techniques that can be used to observe changes in the host operating system during or immediately after installation of an application. Wang et al. suggest complementing the traditional approaches with a concept they refer to as Auto-Start Extensibility Points: an overwhelming majority of all spyware programs infect a system in such a way that they are automatically started upon reboot or upon the launch of the most commonly used applications.

Host-Based Detection (2/2)
Software using the auto-start extensibility points falls into two categories: (1) standalone applications that are automatically run by registering as an OS auto-start extension, such as a Windows NT service; (2) extensions to existing applications that are automatically run, or extensions to popular applications commonly run by users, like web browsers. Wang et al. introduce a concept called cross-view diff to detect stealth software. Cross-time diff compares the state of a running system with a previous snapshot of the same system, as tools such as Tripwire do.
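The cross-time diff and auto-start extensibility point ideas on this slide can be combined into one check: snapshot the victim before the application under analysis is installed, snapshot it again afterwards, and diff the two. The following is an added example written for this summary; it is not code from the paper, the testbed or the slides. All file paths, file contents and auto-start locations in it are constructed sample data, and the key names such as "HKLM/Run" or "Services" are illustrative placeholders rather than entries taken from the paper.

```python
"""Cross-time diff of host state, in the Tripwire style described on the slide.

Added example; not code from the paper or the testbed. It compares a baseline
snapshot taken before an application is installed on the victim with one taken
afterwards and reports changed files and new auto-start entries. Every path,
file content and auto-start location below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    files: dict      # path -> SHA-256 hex digest of the file's contents
    autostart: dict  # (location, entry name) -> command line registered there


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_snapshot(file_contents: dict, autostart: dict) -> Snapshot:
    """Hash every file and copy the auto-start table.

    file_contents maps path -> bytes. On a real host this would come from
    walking the filesystem and enumerating the auto-start extensibility points
    (Run keys, services, browser extension registrations); here it is in-memory.
    """
    return Snapshot(
        files={path: sha256_hex(data) for path, data in file_contents.items()},
        autostart=dict(autostart),
    )


def cross_time_diff(before: Snapshot, after: Snapshot) -> dict:
    """Compare two snapshots of the same system taken at different times."""
    common = set(before.files) & set(after.files)
    return {
        "files_added": sorted(set(after.files) - set(before.files)),
        "files_removed": sorted(set(before.files) - set(after.files)),
        "files_modified": sorted(p for p in common if before.files[p] != after.files[p]),
        # New auto-start entries are the ASEP signal: software that arranges to be
        # started on reboot or on launch of a commonly used application.
        "autostart_added": sorted(set(after.autostart) - set(before.autostart)),
        "autostart_removed": sorted(set(before.autostart) - set(after.autostart)),
    }


def demo() -> dict:
    """Constructed scenario: installing an application silently registers a
    service and a browser helper object and replaces a shared library."""
    baseline_files = {
        "C:/Windows/System32/netapi.dll": b"original netapi contents",
        "C:/Program Files/Editor/editor.exe": b"editor v1",
    }
    baseline_autostart = {
        ("HKLM/Run", "Updater"): "C:/Program Files/Editor/updater.exe",  # placeholder key
    }
    before = take_snapshot(baseline_files, baseline_autostart)

    after_files = dict(baseline_files)
    after_files["C:/Windows/System32/netapi.dll"] = b"patched netapi contents"  # modified
    after_files["C:/Windows/System32/svchelper.exe"] = b"dropped service binary"  # added
    after_files["C:/Windows/System32/bho.dll"] = b"dropped browser extension"     # added
    after_autostart = dict(baseline_autostart)
    after_autostart[("Services", "SvcHelper")] = "C:/Windows/System32/svchelper.exe"
    after_autostart[("BrowserHelperObjects", "{constructed-clsid}")] = "C:/Windows/System32/bho.dll"
    after = take_snapshot(after_files, after_autostart)

    return cross_time_diff(before, after)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the diff reports two added files, one modified system library and two new auto-start entries (a service and a browser extension), which is exactly the pattern the slide attributes to the majority of spyware. On a real victim the baseline must be taken from a clean image before the sample is introduced, otherwise the snapshot itself may already reflect the infection.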

Network-Based Detection (1/4)
Network-based detection refers to techniques used to discover the presence of malicious entities by studying properties related to network activity. Router access lists update routers with records of hosts or network segments that are allowed or denied access to network resources. In a behavioural analysis scenario, access control lists can be utilized to help detect the use of address spoofing.

Network-Based Detection (2/4)
Intrusion detection systems (IDS) are utilities used to inspect both network flows and the content of each packet sent on a network. Mukherjee et al. suggest using IDSs to detect the presence of malware or intruders on a network; backdoors can be detected through inspection of packet payload fields. Polymorphic worms have proved to make IDS-based detection more difficult, but recent research has demonstrated that even such obfuscation techniques can be handled.

Network-Based Detection (3/4)
Spitzner is one of the leaders of honeypot development. A honeypot is a security resource whose value lies in being probed, attacked, or compromised. Honeypots can be used in production environments to help raise alerts of unauthorized activity on the network and to slow down worms. Honeypots are categorized into three different classes: low-interaction, medium-interaction and high-interaction honeypots.

Network-Based Detection (4/4)
Malware that is able to communicate with its environment utilizes different techniques to establish that communication. Skaggs et al. suggest using remote vulnerability scanners to detect the presence of malware on a host.

Laboratory Setup (1/3)
Sherlock is configured as a firewall; Marple is a “gatekeeper”; Horatio acts as a remote vulnerability scanner; Drew is a network sniffer; Bond is the victim where malicious software is installed.

Laboratory Setup (2/3): this slide has no transcribed text.

Laboratory Setup (3/3): this slide has no transcribed text.

Physical Level
It is critical that the physical level has been subject to system hardening so that the probability of unwanted infections is reduced to a minimum. The probability of malware being able to infect both Windows and Linux systems is relatively low, though greater than nil. To further reduce the risk of unwanted infections, the Linux system hardening tool Bastille, administrative tools and Samhain are used.

Virtual Level
Three roles were identified and included in the behavioural detection environment: a victim, an eavesdropper and an attacker. The victim is the host to be analyzed, where the object to be scrutinized is installed. The eavesdropper silently listens in on all traffic in order to determine whether any malicious or unwanted data is sent. The attacker actively probes the victim for vulnerabilities by simulating attacker behaviour.
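The eavesdropper role described here and the access-list check from the Network-Based Detection (1/4) slide both reduce to the same kind of logic over captured traffic: frames leaving the victim's segment must carry the victim's own address as source, and every destination the victim contacts should be listed so that an unexpected Internet connection (for instance a staged download) stands out. The following is an added example written for this summary, not code from the paper or the testbed. The addresses are constructed from the RFC 5737 documentation ranges, the allow-listed lab service is an assumption, and the packet records stand in for what the sniffer (Drew, in the paper's setup) would capture.

```python
"""Eavesdropper-side checks on traffic captured from the victim's segment.

Added example; not code from the paper or the testbed. Two checks are shown:
find_spoofed() applies the access-list idea (only the victim's address may be a
source on its segment), and summarize_egress() lists every destination the
victim contacts, marking those outside the lab allow-list as unexpected.
All addresses and packets below are constructed sample data.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


# Constructed lab layout (placeholders, not the paper's real addresses).
VICTIM_IP = "192.0.2.10"
LAB_NET = ipaddress.ip_network("192.0.2.0/24")
# Assumed allow-list: the only in-lab service the victim is expected to reach
# (DNS on the gatekeeper). Anything else, in the lab or on the Internet, is reported.
EXPECTED_SERVICES = {("192.0.2.1", 53, "udp")}


def find_spoofed(packets, victim_ip=VICTIM_IP):
    """Access-list check: frames captured on the victim's segment must carry the
    victim's address as source; any other source indicates address spoofing."""
    return [p for p in packets if p.src != victim_ip]


def summarize_egress(packets, victim_ip=VICTIM_IP, lab_net=LAB_NET,
                     expected=EXPECTED_SERVICES):
    """Count the victim's connections per (dst, dport, proto) and flag unexpected ones.

    A flow is expected only if it targets an allow-listed lab service. Every
    Internet destination is therefore reported, so the analyst can judge whether
    the application phoned home or fetched a second stage.
    """
    counts = Counter((p.dst, p.dport, p.proto) for p in packets if p.src == victim_ip)
    report = []
    for (dst, dport, proto), n in sorted(counts.items()):
        in_lab = ipaddress.ip_address(dst) in lab_net
        expected_flow = in_lab and (dst, dport, proto) in expected
        report.append({"dst": dst, "dport": dport, "proto": proto, "count": n,
                       "in_lab": in_lab, "unexpected": not expected_flow})
    return report


def unexpected_destinations(packets, **kwargs):
    """Just the (dst, dport, proto) triples an analyst has to look at."""
    return [(r["dst"], r["dport"], r["proto"])
            for r in summarize_egress(packets, **kwargs) if r["unexpected"]]


# Constructed capture: two DNS lookups to the gatekeeper, an HTTP fetch from an
# Internet host, a connection to an unapproved lab host, and one frame whose
# source address is not the victim's.
SAMPLE_CAPTURE = [
    Packet("192.0.2.10", "192.0.2.1", 53, "udp"),
    Packet("192.0.2.10", "192.0.2.1", 53, "udp"),
    Packet("192.0.2.10", "198.51.100.7", 80, "tcp"),
    Packet("192.0.2.10", "198.51.100.7", 80, "tcp"),
    Packet("192.0.2.10", "192.0.2.20", 445, "tcp"),
    Packet("192.0.2.77", "203.0.113.5", 25, "tcp"),  # forged source address
]

if __name__ == "__main__":
    print("spoofed frames:", find_spoofed(SAMPLE_CAPTURE))
    for row in summarize_egress(SAMPLE_CAPTURE):
        print(row)
```

On the constructed capture the spoofing check isolates the single frame with the forged source, and the egress summary reports the SMB connection to the unapproved lab host and the HTTP fetch from the Internet while leaving the DNS lookups unflagged. In the paper's setup this is the kind of evidence the eavesdropper produces for the analyst; the decision whether a flagged flow is a staged download still rests with the analysis, which is why the destinations are reported rather than blocked.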

Experiments and Results (1/2): this slide has no transcribed text.

Experiments and Results (2/2): this slide has no transcribed text.

Discussion and Further Work
The experiments look at only one example of stealth-enabled software, so it is difficult to say anything about the general detection capabilities of the testbed. None of the existing tools surveyed include aspects from all malware detection approaches. In the future, the quality of the testbed should be validated by running several tests with different categories of malware.

Conclusion
This paper has presented a testbed for behavioural analysis of MS Windows software in which current malware trends and detection theories are considered. It is demonstrated that analysis environments can be designed without any license cost, allowing organizations and students with limited resources to contribute to this important area of research.