Detection of ASCII Malware Parbati Kumar Manna Dr. Sanjay Ranka Dr. Shigang Chen.

2 Internet Worm and Malware
Huge damage potential
- Infects hundreds of thousands of computers
- Costs millions of dollars in damage
- Melissa, ILOVEYOU, Code Red, Nimda, Slammer, SoBig, MyDoom
Mostly uses buffer overflow
Propagation is automatic (mostly)

3 Recent Trends
- Shift in hackers' mindset
- Malware becoming increasingly evasive and obfuscated
- Emergence of zero-day worms
- Arrival of script kiddies

4 Motivation for ASCII Attacks
- Prevalence of servers expecting text-only input
- Text-based protocols
- Presumption of text being benign
- Deployment of ASCII filters that let text pass through

5 IDS Detecting ASCII Attack?
Disassembly-based IDS
- All jump instructions are ASCII
- Higher proportion of branches
- Exponential disassembly cost
- High processing overhead for IDS
Frequency-based IDS
- PAYL evaded by ASCII worm

6 Buffer Overflow

7 Constraints of ASCII Malware
Opcode unavailability
- Shellcode requires binary opcodes
- Here only xor, and, sub, cmp etc. are available
- Must generate opcodes dynamically
Difficulty in encryption
- No backward jump
- Can't use the same decrypter routine for each encrypted block
- No one-to-one correspondence between ASCII and binary
(Figure: byte layout of ASCII vs. binary; labels "0", "may vary")

8 Creation of ASCII Malware

9 Buffer Overflow using ASCII Overflowing a buffer using an ASCII string:

10 Detection of ASCII Malware
Opcode unavailability
- Dynamic generation of opcodes needs more ASCII instructions for each binary instruction
Difficulty in encryption
- No backward jump means a decrypter block for each encrypted block must be hardcoded
- Long sequence of contiguous valid instructions likely, hence high MEL
What is this MEL?

11 Maximum Executable Length
Indicates the maximum length of an execution path
- Need to disassemble (and execute) from all possible entry points
- All branching must be considered
Abstract payload execution
- Used for binary worms with sled
- Effectiveness has dwindled presently

12 Benign Text has Low MEL
Contains characters that correspond to invalid instructions
- Privileged instruction (I/O)
- Arbitrary segment selector
- More memory-accessing instructions – may use uninitialized registers
- Long sequence of contiguous valid instructions unlikely, hence low MEL

13 Proposed Solution
Question: How long is "long"?
- Find out the maximum length of a valid instruction sequence
- If it is long enough, the stream contains malware

14 Probabilistic Analysis
Toss a coin n times. What is the probability that the max distance between two consecutive heads is ?
Head (H) = Invalid Instruction (I); Tail (T) = Valid Instruction (V)
T H T T H T T T T T H T T T
V I V V I V V V V V I V V V

15 Probabilistic Analysis
n = number of coin tosses
p = probability of a head
X_i = R.V.s for inter-head distances
X_max = max inter-head distance
C.D.F. of X_max = Prob[X_max ≤ x] = [1 − p(1−p)^x]^n
F.P. rate = 1 − Prob[X_max ≤ τ] = 1 − [1 − p(1−p)^τ]^n

16 Probabilistic Analysis For a fixed N = k (exactly k invalid instructions)

17 Probabilistic Analysis For all possible values of N:

18 Threshold Calculation
Known: n, p, false positive rate
Unknown: threshold τ (max inter-head distance)
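The procedure of slides 13 to 18, as an added example that is not part of the original slides: measure the longest run of valid instructions in a labelled stream, evaluate the slide-15 closed form, and search for the smallest threshold τ whose false-positive rate stays under a budget. The V/I labelling is assumed to come from a disassembly pass that is not shown here; the constructed sequence is the one on slide 14.

```python
# Added example. Labels: 'V' = valid instruction (tail), 'I' = invalid (head).
# The V/I labelling itself is assumed to come from a disassembler (not included).

def max_valid_run(labels):
    """Longest run of consecutive valid instructions, i.e. the largest
    inter-head distance when invalid instructions play the role of heads."""
    best = cur = 0
    for c in labels:
        cur = cur + 1 if c == 'V' else 0
        best = max(best, cur)
    return best

def cdf_xmax(x, n, p):
    """Slide 15: Prob[X_max <= x] = [1 - p(1-p)^x]^n"""
    return (1.0 - p * (1.0 - p) ** x) ** n

def false_positive_rate(tau, n, p):
    """Slide 15: probability benign text of n instructions exceeds tau."""
    return 1.0 - cdf_xmax(tau, n, p)

def threshold(n, p, alpha):
    """Slide 18: n, p and the FP budget alpha are known; find the smallest
    tau whose false-positive rate does not exceed alpha. Terminates because
    (1-p)^tau -> 0 for 0 < p < 1."""
    tau = 0
    while false_positive_rate(tau, n, p) > alpha:
        tau += 1
    return tau

def is_suspicious(labels, tau):
    """Slide 13: flag the stream if its longest valid run exceeds tau."""
    return max_valid_run(labels) > tau

# Constructed input: the V/I row from slide 14.
SLIDE14 = "VIVVIVVVVVIVVV"

if __name__ == "__main__":
    print("max valid run on slide-14 stream:", max_valid_run(SLIDE14))
    tau = threshold(1000, 0.1, 0.01)
    print("tau for n=1000, p=0.1, FP<=1%:", tau)
    print("FP rate at that tau:", false_positive_rate(tau, 1000, 0.1))
```

Raising n or lowering p pushes τ upward, which is the behaviour slides 20 and 21 describe.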

19 Independence Assumption
χ² test contingency table (Observed vs. Expected):
rows: I1 is valid / I1 is invalid; columns: I2 is valid / I2 is invalid
- Validity of an instruction is an independent event
- All the X_i's are independent (while Σ X_i = n)
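The χ² check of slide 19, as an added example that is not from the original slides: build the observed 2×2 table of consecutive instruction pairs (I1, I2) by validity, compute expected counts under independence, and compare the statistic with the 1-degree-of-freedom critical value at the 5% level. The label streams are constructed; the critical value 3.841 is the standard table entry, not a figure from the slides.

```python
# Added example: chi-square test of independence for consecutive-instruction validity.
# 'V' = valid instruction, 'I' = invalid instruction (labels assumed to come from a disassembler).

CHI2_CRITICAL_1DF_5PCT = 3.841  # standard table value, df = 1, alpha = 0.05

def contingency(labels):
    """Observed counts of (I1, I2) pairs for every adjacent instruction pair."""
    obs = {('V', 'V'): 0, ('V', 'I'): 0, ('I', 'V'): 0, ('I', 'I'): 0}
    for a, b in zip(labels, labels[1:]):
        obs[(a, b)] += 1
    return obs

def chi_square(obs):
    """Pearson chi-square statistic for the 2x2 table; expected count for a
    cell is row_total * column_total / grand_total under independence."""
    total = sum(obs.values())
    row = {r: sum(v for (a, _), v in obs.items() if a == r) for r in 'VI'}
    col = {c: sum(v for (_, b), v in obs.items() if b == c) for c in 'VI'}
    stat = 0.0
    for (a, b), o in obs.items():
        e = row[a] * col[b] / total
        if e > 0:  # a zero expected count contributes nothing (and avoids /0)
            stat += (o - e) ** 2 / e
    return stat

def independence_holds(labels):
    """True when the data do not reject independence at the 5% level."""
    return chi_square(contingency(labels)) < CHI2_CRITICAL_1DF_5PCT

# Constructed tables: one exactly independent, one perfectly dependent.
INDEPENDENT = {('V', 'V'): 40, ('V', 'I'): 10, ('I', 'V'): 40, ('I', 'I'): 10}
DEPENDENT = {('V', 'V'): 50, ('V', 'I'): 0, ('I', 'V'): 0, ('I', 'I'): 50}

if __name__ == "__main__":
    print("independent table statistic:", chi_square(INDEPENDENT))
    print("dependent table statistic:", chi_square(DEPENDENT))
    print("slide-14 stream passes:", independence_holds("VIVVIVVVVVIVVV"))
```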

20 Threshold Calculation
With increasing n, we must choose a larger threshold τ to keep the same false positive rate

21 Threshold Calculation
With decreasing p, we must choose a larger threshold τ to keep the same false positive rate

22 Determine n
E[I] = E[prefix chain length] + E[core instruction length]
Obtained from the character frequency of the input data

23 Determine p
Invalid instructions:
1. Privileged instructions
2. Wrong segment prefix selector
3. Uninitialized memory access
Only 1. and 2. can be determined on a standalone basis

24 Experimental Setup

25 Implementation

26 Experimental Setup
Benign data setup
- ASCII stream captured from the live CISE network using Ethereal
Malicious data setup
- Existing framework used to generate ASCII worms by converting binary worms
Promising experimental results for max valid instruction length
- Benign: all max values below threshold τ
- Malicious: values significantly higher than τ

27 Experimental Results (DAWN)

28 Experimental Results (APE-L)

29 Contrasting with APE
- Full content examination
- Threshold calculation
- Sled vs. malware
- Exploiting text-specific properties

30 Multilevel Encryption
(Figure: binary → encryption → ASCII → decryption → binary; only the decrypter is visible)

31 Multilevel Encryption
(Figure: Text 0x20–0x3F → Text 0x40–0x5F → Text 0x60–0x7E → Binary)

32 Questions

33 Thank you