Automatic Generation of Remediation Procedures for Malware Infections
Roberto Paleari (Università degli Studi di Milano), Lorenzo Martignoni (Università degli Studi di Udine), Emanuele Passerini (Università degli Studi di Milano), Drew Davidson (University of Wisconsin), Matt Fredrikson (University of Wisconsin), Jon Giffin (Georgia Institute of Technology), Somesh Jha (University of Wisconsin)
USENIX Security Symposium 2010

Outline (slide 4)
- Introduction
- Related Work
- System Overview
- System Details
- Evaluation
- Discussion
- Conclusion

Introduction (slide 5)
After infection, the options are:
- Format the disk and re-install the OS
- Restore from data backups
- Commercial anti-malware software, which *tries to* revert the effects performed by the malware
  - Unstable, or even fails outright

Introduction (slide 6)
In this work:
- Given a malware binary
- Automatically generate remediation procedures
- Do not require any information about the specific infection
- 98% of the harmful effects reverted

Related Work (slide 7)
Behavior-based malware analysis
- Dynamic analysis:
  - A layered architecture for detecting malicious behaviors, RAID 2008
  - Panorama: Capturing system-wide information flow for malware detection and analysis, ACM CCS 2007
- Behavior-based detection:
  - Effective and efficient malware detection at the end host, USENIX Security Symposium 2009
- Clustering:
  - Scalable, behavior-based malware clustering, NDSS 2009

Related Work (slide 8)
Execution of untrusted applications
- Back to the future: A framework for automatic malware removal and system repair, ACSAC 2006
- One-way isolation: An effective approach for realizing safe execution environments, NDSS 2005

System Overview (slide 9)

System Overview (slide 11)
High-Level Behavior Extraction
- Analyze the semantics of a program to produce a sequence of meaningful behaviors

System Overview (slide 12)
Behavior Generalization
- Attempt to over-approximate the existing paths, thus encompassing future paths
- Cluster all instances of the same high-level behavior together
- Analyze each cluster to generalize the arguments
  - c:\windows\po[[:alpha:]]{3}.exe

System Overview (slide 13)
Remediation Procedure Generation
- Attempt to match each resource (file, process, or registry key) on the system against the constraints associated with each generalized high-level behavior
  - c:\windows\po[[:alpha:]]{3}.exe

System Details (slide 14)
High-Level Behavior Extraction
- Use QEMU to monitor the malware and record its system call trace

System Details (slide 15)
Behavior Clustering

System Details (slide 16)
Comparison
- isomorphic( )

System Details (slide 17)
Behavior Generalization
- Probabilistic finite-state automaton (PFSA)
- Simulated beam annealing algorithm

System Details (slide 19)
Generating Concrete Remediation Procedures
- Newly-created resources
  - Template: DropAndAutostart(file, data, key, value, regdata)
  - Generalized instance: DropAndAutostart("c:\windows\po[[:alpha:]]{3}.exe", data, "...Windows\CurrentVersion\Run", "(vq|qv)", "po[[:alpha:]]{3}.exe")

System Details (slide 20)
Generating Concrete Remediation Procedures
- Infected resources
- Deleted resources
- Not implemented

Evaluation (slide 21)
- Over 200 malicious programs
- Execute each sample 3 times in 5 different environments to collect trace data
- Infect 25 test environments, all distinct from those used to collect traces
- Execute the generated remediation procedure
- Compare the remediated state to the original state

Evaluation (slide 23)
False positives
- One sample produced a very general regular expression: *.exe
- Future work: context-free grammars

Discussion (slide 24)
Limitations
- Finding all high-level malicious behaviors cannot be guaranteed
- A specific environment is required
- Not enough traces to generalize from
- Evasion techniques

Conclusion (slide 25)
- Automatically generating malware remediation procedures
  - Dynamic analysis
  - Behavior generalization
- Effectively remediates many possible executions
- Good performance
- Low false rate