Copyright © 2011, A Behavior-based Methodology for Malware Detection Student: Hsun-Yi Tsai Advisor: Dr. Kuo-Chen Wang 2012/04/30

Outline
– Introduction
– Problem Statement
– Sandboxes
– Behavior Rules
– Prototype
– Malicious Degree
– Evaluation
– Conclusion and Future Work
– References

Introduction
Signature-based detection can fail
– Malware authors make small changes to a sample so that its signature no longer matches
Malware and its variants still share the same high-level behaviors
– The malicious behaviors stay similar most of the time, even when the bytes change
Behavior-based detection
– Detect unknown malware, or variants of known malware, by analyzing what the sample does rather than what it looks like

Problem Statement
Given
– Several sandboxes
– l known malware samples M_i = {M_1, M_2, …, M_l} for training
– m known malware samples S_j = {S_1, S_2, …, S_m} for testing
Objective
– n behaviors B_k = {B_1, B_2, …, B_n}
– n weights W_k = {W_1, W_2, …, W_n}
– MD (malicious degree)

Sandboxes
Online (web-based)
– GFI Sandbox
– Norman Sandbox
– Anubis Sandbox
Offline (PC-based)
– Avast Sandbox
– Buster Sandbox Analyzer

Behavior Rules
Malware host behaviors
– Creates Mutex
– Creates Hidden File
– Starts EXE in System
– Checks for Debugger
– Starts EXE in Documents
– Windows/Run Registry Key Set
– Hooks Keyboard
– Modifies Files in System
– Deletes Original Sample
– More than 5 Processes
– Opens Physical Memory
– Deletes Files in System
– Auto Start
Malware network behaviors
– Makes Network Connections
  – DNS Query
  – HTTP Connection
  – File Download

Behavior Rules (Cont.)
Ulrich Bayer et al. [9]

Prototype

Malicious Degree

Weight Training Module - ANN
Use an Artificial Neural Network (ANN) to train the weights W_k

Weight Training Module - ANN (Cont.)
Neuron for the ANN hidden layer

Weight Training Module - ANN (Cont.)
Neuron for the ANN output layer

Weight Training Module - ANN (Cont.)
Delta learning process
– d: expected target value
– Mean square error
– Weight set
– Learning factor
– x: input value

Evaluation – Initial Weights
Behavior / Weight
– Creates Mutex
– Creates Hidden File
– Starts EXE in System
– Checks for Debugger
– Starts EXE in Documents
– Windows/Run Registry Key Set
– Hooks Keyboard
– Modifies Files in System
– Deletes Original Sample
– More than 5 Processes
– Opens Physical Memory
– Deletes Files in System
– Autorun: 0.24

Evaluation (Cont.)
Find the MD threshold that drives both PF and PN (the false-positive and false-negative rates) as close to 0 as possible.

Evaluation (Cont.)
Training data and testing data
Threshold of MD value
             Malicious   Benign   Total
Training
Testing          35         31      66

Evaluation (Cont.)
With Creates Hidden File, Windows/Run Registry Key Set, More than 5 Processes, and Deletes Files in System included:
Initial weights   Accuracy
Frequency         98%
1                 92.4%
0.5               91%

Evaluation (Cont.)
Without Creates Hidden File, Windows/Run Registry Key Set, More than 5 Processes, and Deletes Files in System:
Initial weights   Accuracy
Frequency         97%
1                 94%
0.5
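The weight-training and threshold-selection procedure from the ANN and Evaluation slides above, written out as an added worked example; this is not the thesis' prototype code. It fills in definitions the slides do not show and which are therefore assumptions: MD is the sigmoid of the weighted behavior sum plus a bias, the delta rule is the per-sample gradient step of the squared error through that sigmoid, the three initial-weight schemes are "frequency among malicious training samples", "all 1" and "all 0.5", and PF/PN are the false-positive and false-negative rates. Every sandbox observation in it is constructed.

```python
"""Delta-rule weight training and MD threshold selection over behavior vectors.
Added worked example, not the thesis' prototype. Assumed (not stated on the
slides): MD = sigmoid(sum_k W_k*B_k + bias); PF/PN = false-positive/negative
rates. All sample data below is constructed."""
import math

BEHAVIORS = [  # B_k, k = 0..12, in the order of the "Behavior Rules" slide
    "Creates Mutex", "Creates Hidden File", "Starts EXE in System",
    "Checks for Debugger", "Starts EXE in Documents", "Windows/Run Registry Key Set",
    "Hooks Keyboard", "Modifies Files in System", "Deletes Original Sample",
    "More than 5 Processes", "Opens Physical Memory", "Deletes Files in System",
    "Auto Start",
]

def vector(observed):
    """Binary behavior vector for one sandbox report; observed = indices into BEHAVIORS."""
    return [1 if k in observed else 0 for k in range(len(BEHAVIORS))]

# Constructed sandbox observations: (vector, label), 1 = malicious, 0 = benign.
TRAIN = [
    (vector({0, 1, 5, 8, 12}), 1),   # mutex, hidden file, Run key, deletes self, autostart
    (vector({0, 2, 3, 5, 6}), 1),    # mutex, exe in system dir, anti-debug, Run key, keylogger
    (vector({1, 7, 9, 11, 12}), 1),
    (vector({0, 3, 8, 10}), 1),
    (vector({4, 5, 6, 12}), 1),
    (vector({0, 1, 2, 7, 8}), 1),
    (vector({0}), 0),                # single-instance desktop app
    (vector({2}), 0),                # installer
    (vector({9}), 0),                # build tool spawning workers
    (vector({0, 5}), 0),             # legitimate tray app with a Run key
    (vector({7, 11}), 0),            # system updater
    (vector(set()), 0),              # inert sample
]
TEST = [
    (vector({0, 3, 8, 10, 12}), 1),
    (vector({1, 4, 5, 6, 12}), 1),
    (vector({2}), 0),
    (vector({7, 11}), 0),
]

def initial_weights(samples, scheme="frequency"):
    """The three initialisations compared on the evaluation slides:
    behavior frequency among malicious training samples, all 1, or all 0.5."""
    n = len(BEHAVIORS)
    if scheme == "one":
        return [1.0] * n
    if scheme == "half":
        return [0.5] * n
    malicious = [x for x, d in samples if d == 1]
    return [sum(x[k] for x in malicious) / len(malicious) for k in range(n)]

def malicious_degree(weights, bias, x):
    """Output-layer neuron (assumed form): MD = sigmoid(W . B + bias), in (0, 1)."""
    z = sum(w * b for w, b in zip(weights, x)) + bias
    return 1.0 / (1.0 + math.exp(-z))

def mean_square_error(samples, weights, bias):
    return sum((d - malicious_degree(weights, bias, x)) ** 2 for x, d in samples) / len(samples)

def train_delta(samples, weights, bias=0.0, eta=0.5, epochs=3000):
    """Delta rule: W_k += eta * (d - y) * y * (1 - y) * x_k, one gradient step of the
    squared error through the sigmoid per sample; d is the expected target value."""
    w = list(weights)
    for _ in range(epochs):
        for x, d in samples:
            y = malicious_degree(w, bias, x)
            delta = eta * (d - y) * y * (1.0 - y)
            w = [wk + delta * xk for wk, xk in zip(w, x)]
            bias += delta
    return w, bias

def choose_threshold(samples, weights, bias):
    """Sweep every observed MD as a cut-off and keep the one minimising PF + PN;
    a sample is flagged malicious iff MD > threshold."""
    scored = [(malicious_degree(weights, bias, x), d) for x, d in samples]
    n_mal = sum(d for _, d in scored)
    n_ben = len(scored) - n_mal
    best = None
    for t in sorted({md for md, _ in scored}):
        pf = sum(1 for md, d in scored if d == 0 and md > t) / n_ben
        pn = sum(1 for md, d in scored if d == 1 and md <= t) / n_mal
        if best is None or pf + pn < best[1] + best[2]:
            best = (t, pf, pn)
    return best

def accuracy(samples, weights, bias, threshold):
    hits = sum(1 for x, d in samples
               if (malicious_degree(weights, bias, x) > threshold) == (d == 1))
    return hits / len(samples)

def evaluate(scheme="frequency"):
    """Train from one initialisation, pick the MD threshold on the training set,
    then score held-out samples: the experiment behind the accuracy tables."""
    w0 = initial_weights(TRAIN, scheme)
    w, b = train_delta(TRAIN, w0)
    threshold, pf, pn = choose_threshold(TRAIN, w, b)
    return {"threshold": threshold, "pf": pf, "pn": pn,
            "train_acc": accuracy(TRAIN, w, b, threshold),
            "test_acc": accuracy(TEST, w, b, threshold),
            "mse_before": mean_square_error(TRAIN, w0, 0.0),
            "mse_after": mean_square_error(TRAIN, w, b)}

if __name__ == "__main__":
    for scheme in ("frequency", "one", "half"):
        print(scheme, evaluate(scheme))
```

Two points worth noticing when running it. A behavior that only ever appears in malicious samples can only have its weight pushed upward by the delta rule, since (d - y) is non-negative for every sample that exercises it; that is why a mixed behavior such as "Creates Mutex" or "Windows/Run Registry Key Set" ends up with a much smaller weight than its raw frequency suggests, and why the evaluation slides drop four such behaviors in the second table. The threshold is chosen on the training set and then frozen; choosing it on the test set would leak label information into the reported accuracy.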

Conclusion and Future Work
Conclusion
– Collected several behaviors common to malware
– Constructed the Malicious Degree (MD) formula
Future work
– Add more malware network behaviors
– Classify malware according to its typical behaviors
– Detect unknown malware

References
[1] GFI Sandbox.
[2] Norman Sandbox.
[3] Anubis Sandbox.
[4] Avast Sandbox.
[5] Buster Sandbox Analyzer (BSA).
[6] Blast's Security.
[7] VX Heaven.
[8] "A malware tool chain: active collection, detection, and analysis," NBL, National Chiao Tung University.
[9] U. Bayer, I. Habibi, D. Balzarotti, E. Kirda, and C. Kruegel, "A view on current malware behaviors," Proc. 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (LEET '09), Apr. 2009.
[10] U. Bayer, C. Kruegel, and E. Kirda, "TTAnalyze: a tool for analyzing malware," Proc. 15th Annual EICAR Conference, Apr. 2006.
[11] P. M. Comparetti, G. Salvaneschi, E. Kirda, C. Kolbitsch, C. Kruegel, and S. Zanero, "Identifying dormant functionality in malware programs," Proc. 2010 IEEE Symposium on Security and Privacy, May 16-19, 2010.
[12] M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song, "Dynamic spyware analysis," Proc. USENIX Annual Technical Conference, Jun. 2007.
[13] J. Kinder, S. Katzenbeisser, C. Schallhart, and H. Veith, "Detecting malicious code by model checking," Proc. 2nd International Conference on Intrusion and Malware Detection and Vulnerability Assessment (DIMVA '05), 2005.
[14] W. Liu, P. Ren, K. Liu, and H. X. Duan, "Behavior-based malware analysis and detection," Proc. International Workshop on Complexity and Data Mining (IWCDM).
[15] M. Christodorescu and S. Jha, "Static analysis of executables to detect malicious patterns," Proc. 12th USENIX Security Symposium, 2003.
[16] A. Moser, C. Kruegel, and E. Kirda, "Exploring multiple execution paths for malware analysis," Proc. 2007 IEEE Symposium on Security and Privacy, May 20-23, 2007.
[17] J. Rabek, R. Khazan, S. Lewandowski, and R. Cunningham, "Detection of injected, dynamically generated, and obfuscated malicious code," Proc. 2003 ACM Workshop on Rapid Malcode (WORM '03), Oct. 2003.
[18] A. Sæbjørnsen, J. Willcock, T. Panas, D. Quinlan, and Z. Su, "Detecting code clones in binary executables," Proc. 18th International Symposium on Software Testing and Analysis (ISSTA '09), 2009.
[19] M. Shankarapani, K. Kancherla, S. Ramammoorthy, R. Movva, and S. Mukkamala, "Kernel machines for malware classification and similarity analysis," Proc. 2010 International Joint Conference on Neural Networks (IJCNN), pp. 1-6, Jul. 2010.
[20] C. Wang, J. Pang, R. Zhao, W. Fu, and X. Liu, "Malware detection based on suspicious behavior identification," Proc. International Workshop on Education Technology and Computer Science (ETCS), Vol. 2, Mar. 7-8, 2009.
[21] C. Willems, T. Holz, and F. Freiling, "Toward automated dynamic malware analysis using CWSandbox," IEEE Security & Privacy, Vol. 5, No. 2, pp. 32-39, Mar./Apr. 2007.