Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.

Slides:

Advertisements

Similar presentations

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Advertisements

Hulk: Eliciting Malicious Behavior in Browser Extensions

1. Intro What is PremiumAV? Antivirus engine Features of PremiumAV. Classification of PremiumAV. PremiumAV LAB Re-Branding or Private Label Why Re- Branding.

KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware Stefano Ortolani 1, Cristiano Giuffrida 1, and Bruno Crispo 2 1 Vrije Universiteit.

The Web Warrior Guide to Web Design Technologies

Web Canary -- client honey pot UTSA. Architecture of Web canary. 2.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.

 Meaning of spyware Spyware is a program that can be installed on computers, and which collects small pieces of information about users without their.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

Automated Malware Analysis

Microsoft ® Official Course Monitoring and Troubleshooting Custom SharePoint Solutions SharePoint Practice Microsoft SharePoint 2013.

C o n f i d e n t i a l Developed By Nitendra NextHome Subject Name: Data Structure Using C Title: Overview of Data Structure.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Automated malware classification based on network behavior

Towards Network Containment in Malware Analysis Systems Authors: Mariano Graziano, Corrado Leita, Davide Balzarotti Source: Annual Computer Security Applications.

CISC Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

1 Spyware, Adware, and Browser Hijacking. ECE Agenda What is Spyware? What is Adware? What is Browser Hijacking? Security concerns and risks Prevention,

NDSS 2007 Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna.

UPC/SHMEM PAT High-level Design v.1.1 Hung-Hsun Su UPC Group, HCS lab 6/21/2005.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

Windows Internet Explorer 9 Chapter 1 Introduction to Internet Explorer.

Lesson 4: The Internet and Outlook. Learning Objectives After studying this lesson, you will be able to:  Use the Search box with Internet Explorer 

Chapter 11: Introduction to the Visual Basic Environment Spreadsheet-Based Decision Support Systems Prof. Name Position (123) University.

1 Malware, Adware, Spyware, Viruses, BHO. 2 Malware A generic term increasingly being used to describe any form of malicious software like viruses, trojan.

WHAT IS VIRUS? NAE GRAND CHALLENGE SECURE CYBERSPACE.

1 A Static Analysis Approach for Automatically Generating Test Cases for Web Applications Presented by: Beverly Leung Fahim Rahman.

1 Vulnerability Analysis and Patches Management Using Secure Mobile Agents Presented by: Muhammad Awais Shibli.

Malware Analysis Jaimin Shah & Krunal Patel Vishal Patel & Shreyas Patel Georgia Institute of Technology School of Electrical and Computer Engineering.

AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.

Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike.

Return to the PC Security web page Lesson 5: Dealing with Malware.

Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.

Roberto Paleari,Università degli Studi di Milano Lorenzo Martignoni,Università degli Studi di Udine Emanuele Passerini,Università degli Studi di Milano.

Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,

HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.

Auther: Kevian A. Roudy and Barton P. Miller Speaker: Chun-Chih Wu Adviser: Pao, Hsing-Kuo.

Penetrating encrypted evidence Writer ： Hank Wolfe University of Otago, Computer Security, Forensics, Information Science Department, New Zealand Presentation.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

1 Intrusion Detection Methods “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking.

Lab 2: TCP /IP communication Southern Methodist University Bryan Rodriguez.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

Mastering Windows Network Forensics and Investigation Chapter 10: Introduction to Malware.

CISC Machine Learning for Solving Systems Problems Presented by: Satyajeet Dept of Computer & Information Sciences University of Delaware Automatic.

1 Lab 12: Spyware A Window’s User’s Worst Nightmare.

Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, John Mitchell RAID

nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.

Trends and Lessons from Three Years Fighting Malicious Extensions Nav Jagpal, Eric Dingle, Jean-Philippe, Gravel Panayiotis, Mavrommatis Niels, Provos.

Spyware, Adware & Malware JEEP HOBSON JEEP HOBSON ITE-130 ITE-130 SPRING 2007 SPRING 2007.

SpyProxy SpyProxy Execution-based Detection of MaliciousWeb Content Execution-based Detection of MaliciousWeb Content Hongjin, Lee.

Erica Larnerd COSC Spyware...  What is it?  What does it do?  How does it get on my computer?  How can I tell if it’s on my computer?  What.

SEMINAR - SCALABLE, BEHAVIOR-BASED MALWARE CLUSTERING GUIDES : BOJAN KOLOSNJAJI, MOHAMMAD REZA NOROUZIAN, GEORGE WEBSTER PRESENTER RAMAKANT AGRAWAL.

Brett Stone-GrossBrett Stone-Gross, Christopher Kruegel, Kevin AlmerothChristopher KruegelKevin Almeroth University of California, Santa Barbara Andreas.

Unveiling Zeus Automated Classification of Malware Samples Abedelaziz Mohaisen Omar Alrawi Verisign Inc, VA, USA Verisign Labs, VA, USA

Antivirus Software Technology By Mitchell Zell. Intro  Computers are vulnerable to attack  Most common type of attack is Malware  Short for malicious.

DIVYA K 1RN09IS016 RNSIT1. Cloud computing provides a framework for supporting end users easily through internet. One of the security issues is how to.

What mobile ads know about mobile users

TriggerScope: Towards Detecting Logic Bombs in Android Applications

A lustrum of malware network communication: Evolution & insights

What the App is That? Deception and Countermeasures in the Android User Interface Antonio Bianchi, Jacopo Corbetta, Luca Invernizzi, Yanick Fratantonio,

TriggerScope Towards Detecting Logic Bombs in Android Applications

BotCatch: A Behavior and Signature Correlated Bot Detection Approach

RHMD: Evasion-Resilient Hardware Malware Detectors

When Machine Learning Meets Security – Secure ML or Use ML to Secure sth.? ECE 693.

Real-Time RAT-based APT Detection

Presentation transcript:

Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and Richard A. Kemmerer Department of Computer Science University of California, Santa Barbara Presenting : Majed Alhudaib

Introduction Spyware is growing. In a study that I made on campus over 50 students I found that: 6 out of each 10 students encountered some sort of spyware infect over the past three years. Only 3 out of 50 know what a spyware is. 20 asked for help removing what they call a “virus” and we call spyware. some blamed the manufacturer of their computers for adding all these adds in the browser!!.

Overview Current anti-Spyware detectors. Behavior based spyware detection. BHO’s, toolbars and COM. Spyware characterization. The Big picture. Dynamic Analysis. Static Analysis. Evading Detection. Evaluation. Conclusion.

Current anti-Spyware detectors Signature based mechanism.

Behavior based spyware detection a new spyware detection technique that overcomes some of the limitations of existing anti-spyware approaches. This technique is based on an abstract characterization of the behavior of a popular class of spyware programs that relies on Internet Explorer’s Browser Helper Object (BHO) and toolbar interfaces to monitor a user’s browsing behavior. Why Internet Explorer’s BHO and toolbar? How about other web browsers?

BHO’s, toolbars and COM What are BHO’s and Toolbars? What is COM? How do they interact? How can spyware applications take advantage of all this?

Spyware characterization we classify a browser helper object or a toolbar as spyware if the component, in response to browser events: 1. monitors user behavior by interacting with the web browser and 2. Invokes Windows API calls that can potentially leak information about this behavior (e.g., calls to save the data to a file or transmit information to a remote host).

The Big picture Behavior based spyware detection consists of two major parts: 1- Dynamic analysis: exposes a suspicious component to crafted browser events (which simulate user activity) and analyzes the component’s response. In particular, we dynamically record both the browser COM functions and the Windows API functions that the component calls. 2- Static analysis: extracts the control flow graph of all code regions that are responsible for handling events.

Dynamic Analysis The goal of the dynamic analysis step is two things: First, it has to monitor the interaction of the component with the browser and record all the browser’s COM functions that are invoked in response to events. Second, it has to determine the code regions that are responsible for handling events, thereby providing the necessary starting points for the static analysis step.

Dynamic Analysis: Core elements “fake” WebBrowser COM object: which provides the component under analysis with an environment similar to the one that would be present when being hosted by an instance of Internet Explorer. COM object host application: which properly instantiates all involved components and sends the relevant browser events to the BHO or toolbar component under evaluation. A program that traces the execution of our host application to extract those code regions that handle the various browser events that are delivered.

Dynamic Analysis: Locating event- handling code An instruction that handles an event is called “event-specific instruction”. How to get the first event-specific instruction?

Dynamic Analysis: Locating event- handling code Example.

Static Analysis first task: of the static analysis step is to disassemble the target binary and generate a control flow graph from the disassembled code. A control flow graph (CFG) is defined as a directed graph. Next task: Based on the CFG for the entire component, we isolate those parts of the graph that are responsible for handling events. In particular, we are interested in all sub- graphs of the CFG that contain the code to handle the different events. Using the event-specific addresses collected during dynamic analysis. Finally: the event specific lists are merged to obtain a list of all API calls that are invoked in response to events.

Evading Detection How can a spyware bypass this kind of detection? 1- a spyware component could attempt to leak information using means other than API calls, or it could prevent the static analysis process from finding their invocations in the code of the BHO. How? 2- evasion venue is to craft the BHO code such that it can resist static analysis.

Evaluation total of 51 samples (33 malicious and 18 benign); 34 of them were BHOs and 17 were toolbars.

Conclusion This mechanism does need more work, thus, it definitely raises the bar for spyware writers. The potential is very high and the outcome could benefit in deferent malware types detection.

Questions? Thank You