Zozzle: Low-overhead Mostly Static JavaScript Malware Detection.

Road Map
Background
Architecture and Evaluation

Heap Spraying
Create NOP sled/shellcode:
  ◦ Create the shellcode and precede it with a block of NOP sled.
Spray the NOP sled/shellcode:
  ◦ Allocate many copies of the NOP sled/shellcode on the heap to increase the chance of success.
Trigger the vulnerability:
  ◦ Redirect the program to the heap, where it is likely to hit the NOP sled and then the shellcode.

Malware Cloaking
Generally, there are two ways to check for JavaScript malware:
  ◦ Signatures
  ◦ Machine learning
Both need the source code.

Architecture of Zozzle
Pipeline stages: Deobfuscate → Feature Extraction → Feature Selection → Classifier Training → Bayesian Classifier
Inputs: training samples (for training), unknown JavaScript (for classification)
Output: Benign or Malicious

De-obfuscation
An exploit must unpack itself to run.
  ◦ That is, before an exploit is executed, it must show its real source code.
Zozzle intercepts calls to the Compile function in the JavaScript engine:
  ◦ eval() is called
  ◦ New code is included in a tag

Feature Extraction
Flat features vs. hierarchical features
  ◦ Flat feature: text from the source code
  ◦ 1-level hierarchical feature:
  ◦ n-level hierarchical feature:
Abstract syntax tree example:
  function f(){ shellcode… … }
  for(i=0; i<5000;i++){ … …Shellcode… ⋯ }

Feature Selection
Zozzle only selects those features that are most likely to be predictive.
Use the χ² test to measure the correlation between each feature and the label.

Classifier Training
ZOZZLE uses a naïve Bayesian classifier for its simplicity and efficiency.
How to calculate P(F_k | L_i), where L_i = Benign or Malicious?
Open Questions
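The pipeline the slides sketch (hierarchical feature extraction, χ² feature selection, naïve Bayes with P(F_k | L_i)), as an added example that is not the Zozzle authors' code. It assumes a brace stack as a stand-in for the AST (the context of a token is the nearest enclosing function or loop body), Laplace smoothing for P(F_k | L_i), a χ² cutoff of 1.0 suited to the tiny constructed training set, and hand-labelled snippets that are constructed here rather than taken from the paper.

```python
import math
import re
from collections import Counter
# Assumptions: a brace stack stands in for the AST; 1.0 is the chi-squared cutoff.
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|[{}]")

def extract_features(source):
    """1-level hierarchical features: (enclosing context, identifier) pairs."""
    stack, pending, feats = [], "block", set()
    for tok in TOKEN_RE.findall(source):
        if tok == "{":                 # enter the body that `pending` announced
            stack.append(pending)
            pending = "block"
        elif tok == "}":
            if stack: stack.pop()
        else:
            pending = {"function": "function", "for": "loop", "while": "loop"}.get(tok, pending)
            feats.add((stack[-1] if stack else "script", tok))
    return feats

def chi_squared(feature, samples):
    a = b = c = d = 0  # 2x2 table: present (a, b) / absent (c, d) for malicious / benign
    for label, feats in samples:
        hit = feature in feats
        if label == "malicious":
            a, c = a + hit, c + (not hit)
        else:
            b, d = b + hit, d + (not hit)
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    return 0.0 if denom == 0 else len(samples) * (a * d - b * c) ** 2 / denom

class ZozzleLikeClassifier:
    def __init__(self, training, min_chi2=1.0):
        self.samples = [(lab, extract_features(src)) for lab, src in training]
        self.labels = Counter(lab for lab, _ in self.samples)
        universe = set().union(*(fs for _, fs in self.samples))
        self.selected = {f for f in universe if chi_squared(f, self.samples) >= min_chi2}
        # P(F_k | L_i) with Laplace smoothing: (count(F_k, L_i) + 1) / (count(L_i) + 2)
        self.cond = {(f, lab): (sum(1 for l, fs in self.samples if l == lab and f in fs) + 1)
                     / (self.labels[lab] + 2) for f in self.selected for lab in self.labels}

    def classify(self, source):
        feats = extract_features(source) & self.selected   # argmax_L log P(L) + sum log P(F_k|L)
        score = {lab: math.log(n / sum(self.labels.values()))
                 + sum(math.log(self.cond[(f, lab)]) for f in feats) for lab, n in self.labels.items()}
        return max(score, key=score.get)

TRAINING = [("malicious", "var nops = unescape('%u9090'); for (i = 0; i < 5000; i++) { spray[i] = nops + shellcode; }"),
            ("malicious", "function f() { var shellcode = unescape('%u4141'); while (i < 200) { heap.push(shellcode); } }"),
            ("benign", "function render() { for (i = 0; i < 10; i++) { list.push(items[i]); } }"),
            ("benign", "var total = 0; for (i = 0; i < 10; i++) { total += items[i]; }")]  # constructed, hand-labelled
```

Note that `shellcode` inside a loop body and `shellcode` inside a function body are distinct features, which is the point of hierarchical over flat features; `("script", "var")`, present in one sample of each class, scores χ² = 0 and is dropped.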

Feature & Throughput

Feature Extraction Accuracy & Feature False Positive & False Negative

Compare With Others

Questions