Yet Another Heapspray Detector Danny Kovach Raytheon SI.

Introduction Our main purpose is to detect malware.

Introduction Currently we monitor an application in a VM for such behavior as:
– Loading drivers
– Creating executable files
– Network activity
Heap sprays are very hard to detect.

What is a heapspray? Technique used to put executable code onto the heap. Consists of:
– NOP sled
– Shellcode
Goal: direct execution flow into the NOP sled, which slides into the shellcode.

How to detect a heapspray?
– Nozzle [1]
– BuBBle [3]
– Entropy

Idea! Treat byte values on the heap as a random variable and do math!

Assumptions
– Bytes on a normal heap should be randomly distributed (white noise)
– Fourier transform of white noise has constant magnitude
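To make the white-noise assumption measurable, here is an added example (my own code, not code from the talk): a radix-2 FFT in pure Python, the power spectrum of a constructed 4 KB page, and two summary numbers, spectral flatness (geometric mean over arithmetic mean of the bin powers; 1.0 for a perfectly flat spectrum, about 0.56 for finite-length white noise because bin powers scatter exponentially around their mean) and the peak-to-mean ratio. Two choices are assumptions of this example, not statements from the slides: bytes are centred on 128 so that a page of uniformly random bytes has no DC offset and its spectrum is flat including the DC bin, and the sprayed page is built from a run of 0x0c bytes (a commonly documented spray filler) followed by 256 random bytes that merely stand in for a payload. Both pages are constructed with a fixed seed so the run is reproducible.

```python
import cmath
import math
import random


def fft(x):
    """Radix-2 Cooley-Tukey FFT of a real or complex sequence.

    The length must be a power of two; heap pages (4096 bytes) satisfy this.
    """
    n = len(x)
    if n & (n - 1):
        raise ValueError("length must be a power of two")
    if n == 1:
        return [complex(x[0])]
    even = fft(x[0::2])
    odd = fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        twiddle = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k] = even[k] + twiddle
        out[k + n // 2] = even[k] - twiddle
    return out


def power_spectrum(buf):
    """Power |X_k|^2 of every bin, computed on bytes centred on 128 (an assumption of
    this example) so that the ideal white-noise page has no DC spike of its own."""
    return [abs(c) ** 2 for c in fft([b - 128 for b in buf])]


def spectral_flatness(power):
    """Geometric mean / arithmetic mean of the bin powers.

    1.0 means every bin carries the same power; finite-length white noise lands
    near 0.56; a spectrum dominated by a few bins drops towards 0.
    """
    if not power or min(power) <= 0.0:
        return 0.0
    arith = sum(power) / len(power)
    geom = math.exp(sum(math.log(p) for p in power) / len(power))
    return geom / arith


def peak_to_mean(power):
    """How far the strongest bin stands above the average bin."""
    arith = sum(power) / len(power)
    return max(power) / arith if arith > 0 else 0.0


def spectrum_metrics(buf):
    """Return (flatness, peak_to_mean) for one page of heap bytes."""
    power = power_spectrum(buf)
    return spectral_flatness(power), peak_to_mean(power)


# Constructed sample pages (not data from the talk); the fixed seed makes them reproducible.
PAGE = 4096
rng = random.Random(7)
# "Normal" heap page: uniformly random bytes, the white-noise case the slide assumes.
normal_page = bytes(rng.randrange(256) for _ in range(PAGE))
# Sprayed page: a long run of the filler byte 0x0c followed by a short burst of random
# bytes that stands in for a payload (random filler, not real shellcode).
payload_stub = bytes(rng.randrange(256) for _ in range(256))
sprayed_page = b"\x0c" * (PAGE - len(payload_stub)) + payload_stub

if __name__ == "__main__":
    for name, page in (("normal", normal_page), ("sprayed", sprayed_page)):
        flat, peak = spectrum_metrics(page)
        print(f"{name:8s} flatness={flat:.3f} peak/mean={peak:.1f}")
```

Running it shows the two regimes the slide contrasts: the random page has flatness around 0.5 and no bin much stronger than the rest, while the sprayed page concentrates almost all of its power in the DC bin (the sled is one constant value), so its flatness collapses towards zero and the peak-to-mean ratio runs into the thousands. A constant sled contributes nothing to the non-DC bins, which is why centring the bytes matters for this measurement: without it the sled's energy would hide inside a DC bin that a random page also has.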

Visualizing the Heap (normal program operation)

Fourier Transforms of the Heap (normal program operation)

Visualizing the Heap (heap spray)

Fourier Transforms of the Heap (heap spray)

Problem:

Low hanging fruit?

More Analysis Used the open source tool RapidMiner. Started by making a decision tree.

Results

100% accurate for all our test cases. Rushed into production (without further testing). FAIL!

Next attempt: Statistics. Assume that the distribution of bytes is Gaussian.

Statistics for normal heap Expected: about 40 of the 256 byte-value counts more than 1 standard deviation above the mean (the Gaussian one-sided tail is about 16%). Actual measurement: 20 – 30.

Statistics for Heapspray The NOP sled alters the distribution: typically only 2 – 8 counts more than 1 standard deviation above the mean.
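The statistical detector described on the last three slides, as added example code (mine, not the talk's): build the 256-entry byte histogram of a heap region, compute the mean and standard deviation of those counts, and count how many byte values exceed mean + 1 sigma. The cut-off of 10 between the 2 – 8 seen for sprays and the 20 – 30 of normal heaps is an assumption of this example, as are the two sample regions: 64 KB of uniformly random bytes for the normal heap, and 60000 bytes of the filler 0x0c followed by random bytes standing in for a payload. Both are constructed with a fixed seed.

```python
import random


def byte_histogram(buf):
    """Count how often each of the 256 byte values occurs in the buffer."""
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return counts


def counts_above_one_sigma(buf):
    """Number of byte values whose count lies more than one standard deviation
    above the mean count.

    Treating the 256 counts as Gaussian, a heap with evenly spread byte values
    puts roughly 16% of them (about 40) above +1 sigma. A sled that fills the
    region with one value inflates sigma so far that almost no other count
    clears it.
    """
    counts = byte_histogram(buf)
    mean = len(buf) / 256
    sigma = (sum((c - mean) ** 2 for c in counts) / 256) ** 0.5
    return sum(1 for c in counts if c > mean + sigma)


# Assumed cut-off between the 2-8 measured for sprays and the 20-30 of normal heaps.
SPRAY_THRESHOLD = 10


def looks_like_heapspray(buf, threshold=SPRAY_THRESHOLD):
    """Flag a region when too few byte values rise above +1 sigma."""
    return counts_above_one_sigma(buf) < threshold


# Constructed samples (not data from the talk); the fixed seed keeps them reproducible.
REGION = 64 * 1024
rng = random.Random(7)
normal_region = bytes(rng.randrange(256) for _ in range(REGION))
# Random bytes standing in for a payload, not real shellcode.
payload_stub = bytes(rng.randrange(256) for _ in range(REGION - 60000))
sprayed_region = b"\x0c" * 60000 + payload_stub

if __name__ == "__main__":
    for name, region in (("normal", normal_region), ("sprayed", sprayed_region)):
        n = counts_above_one_sigma(region)
        print(f"{name:8s}: {n:3d} byte values above +1 sigma -> spray={looks_like_heapspray(region)}")
```

The random region lands near the 40 the Gaussian argument predicts, while the sprayed region yields a single value above the threshold: the sled byte's count is tens of thousands, which drags sigma up to several thousand, and no other byte value comes close. Real heaps sit between the two (the slides measured 20 – 30) because zero bytes and pointer-heavy structures already skew the histogram, so the cut-off needs tuning against the application being monitored.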

Advantages of a Statistical Approach
– Easy to code
– Friendly to system resources
– More general than a hard-coded approach
– Theoretically sound

Results Out of over 500 files tested, we had 100% success: 0 false positives, 0 false negatives.

How to defeat Write shellcode so as to minimally alter the normal distribution. Most likely it will still leave some signature. Invites a cat-and-mouse game.

References
– https://lirias.kuleuven.be/bitstream/ /265421/1/fulltext.pdf
– 4. http:// 0/normal.htm