1
NetSpy: Automatic Generation of Spyware Signatures for NIDS
Hao Wang, Somesh Jha and Vinod Ganapathy, University of Wisconsin-Madison
2
What is Spyware? (diagram: the user is visiting www.google.com; spyware on the user's system and the spyware server it reports to) 9/23/2018
3
Stopping Spyware (diagram: a NIDS placed between the infected system and the spyware server stops the spyware's traffic)
4
Problem: Signature Updates
- Reliance on vendors to provide timely signature updates
- Cannot detect new spyware or variants of existing spyware
(diagram: the NIDS between the system and the spyware server, as on the previous slide)
5
NetSpy Overview (diagram: a user visit produces the browser's own requests GET / and GET /intl/en/images/log.gif and the spyware's request GET /data/...theurl= toward the spyware server, with the NIDS on the path)
6
Detecting and Stopping Spyware

| Defense Perimeter | Signature-based detection | Behavior-based detection |
|---|---|---|
| Host-based | Most commercial solutions | A few commercial solutions |
| Network-based | NetSpy (Signature Generation) | NetSpy (Differential Analysis) |
7
Outline
- Motivation
- NetSpy architecture
- Inducing spyware activity
- Differential analysis
- Signature generation
- Evaluation
8
NetSpy: Automatic Spyware Signature Generation
- Identify new spyware
- Detect spyware that operates as a plugin to the web browser
- Generate a NIDS signature for the detected spyware
- Without relying on vendors to provide updates
9
Key Observations
- Spyware is programmed to monitor certain user activities
- Spyware must send the monitored data to its home server
- When? To maximize the opportunity for profit, many spyware programs send back data immediately
10
NetSpy Architecture (diagram): user inputs -> User Activity Injector -> System -> network packets -> Differential Analysis -> malicious substrate -> Signature Generation -> NIDS signature
11
Inducing Spyware Activity
- An automatic web browser driver
- Injects synthetic user activities into a web browser …
- Triggers spyware that is programmed to monitor the injected activities
- Induces the spyware into sending data to its home server
12
Challenge: some spyware only monitors certain events
- e.g., when a user enters a wrong URL
- e.g., when a user accesses a banking web site
- A difficult problem in itself
- We rely on some heuristics about spyware's behavior, e.g., include invalid URLs in the input
13
NetSpy Architecture (the architecture diagram from slide 10, repeated)
14
Differential Analysis
- Goal: identify the network packets sent by an untrusted program
- Idea: compare the network traffic from a clean system with that from an infected system
- Example on a clean system (table columns: Input URL, Destination Host, Network Packets): the packets are GET / and GET /intl/en/images/log.gif
15
Differential Analysis
On a system infected with BrowserAccelerator, IE generated seven packets:
- GET / and GET /intl/en/images/log.gif, as on the clean system
- Four additional packets to unseen hosts: data.browseraccelerator.com (GET /data/...theurl=, which contains the input) and client.browseraccelerator.com
16
Classifying Spyware by Network Traffic Characteristics

| Score | Spyware? | Unseen Host | Packet Content |
|---|---|---|---|
| 3 | Most likely | Yes | Contains input |
| 2 | Likely | No | |
| 1 | Least likely | | |
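The differential analysis and scoring of slides 14 to 16 on constructed packet captures, as an added example that is not part of the original slides or of NetSpy itself. The hosts, request lines and the rule that one indicator scores 2 and none scores 1 are assumptions; the slides only fix score 3 as "unseen host and contains input".

```python
from dataclasses import dataclass
from urllib.parse import quote

@dataclass(frozen=True)
class Packet:
    host: str     # destination host of the outbound HTTP request
    request: str  # request line as captured on the wire

def differential_analysis(clean, infected, user_input):
    """Score the packets the infected system sent that the clean system did not.

    Both captures come from injecting the same synthetic activity (visiting
    user_input). A packet earns one point for going to a host never seen in the
    clean run and one for carrying the injected input; 3 = both indicators,
    2 = one, 1 = neither (the 2/1 assignment is an assumption, not the slides').
    """
    clean_hosts = {p.host for p in clean}
    baseline = set(clean)
    scored = []
    for p in infected:
        if p in baseline:
            continue                              # explained by normal browsing
        unseen_host = p.host not in clean_hosts
        # the input may appear verbatim or percent-encoded inside the request
        carries_input = user_input in p.request or quote(user_input, safe="") in p.request
        scored.append((p, 1 + unseen_host + carries_input))
    return sorted(scored, key=lambda t: -t[1])    # highest score first, stable order

def suspicious_hosts(scored, threshold=3):
    """Hosts with a packet at or above the threshold: candidates for signature generation."""
    return sorted({p.host for p, s in scored if s >= threshold})

# Constructed captures (not real traffic): one visit to www.google.com on a clean
# machine and one on a machine running a hypothetical URL-reporting browser plugin.
USER_INPUT = "http://www.google.com/"
CLEAN = [Packet("www.google.com", "GET / HTTP/1.1"),
         Packet("www.google.com", "GET /intl/en/images/log.gif HTTP/1.1")]
INFECTED = CLEAN + [
    Packet("data.spy.example", "GET /report?theurl=http%3A%2F%2Fwww.google.com%2F HTTP/1.1"),
    Packet("client.spy.example", "GET /update/check HTTP/1.1"),
    Packet("www.google.com", "GET /favicon.ico HTTP/1.1"),
]

if __name__ == "__main__":
    results = differential_analysis(CLEAN, INFECTED, USER_INPUT)
    for p, score in results:
        print(score, p.host, p.request)
    print("candidates:", suspicious_hosts(results))
```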
17
NetSpy Architecture (the architecture diagram from slide 10, repeated)
18
Signature Generation for NIDS
- Why? To protect the other computers on the same network
- Once NetSpy identifies new spyware on one computer, all other systems automatically gain protection
- Currently generates signatures for Snort
19
Signature Requirements
- Not a good signature: GET /data/...theurl= (only works when a user visits Google!)
- The signature needs to be generic
- Solution: repeat the differential analysis on multiple inputs
20
Generating Signatures
- Inputs: a set of network packets
- Goal: identify the invariants among these packets
- Example (table columns: Input URL, Packet): one row per input URL, each with a packet GET /data/...theurl= , and so on
21
Longest Common Subsequence
- Handles multiple strings
- Converts the variants into a regular expression
- Example (table columns: Input URL, Packet): the same rows of GET /data/...theurl= packets
- Signature: GET /data/…theurl= .*
22
Evaluation

| Test Case | Programs Analyzed | Detected Behavior | Signature Generated |
|---|---|---|---|
| 7 known spyware programs | Browser Accelerator, Internet Optimizer, SideFind… | Monitor URLs visited, hijack error page, download updates | |
| 10 supposedly benign programs | A9 Toolbar, AOL Toolbar, Google Toolbar, Yahoo Toolbar, MSN Messenger extension, MSN Search Toolbar… | Monitor URLs visited, hijack error page | |
23
A9 Toolbar
- Advertised feature: store a user's browsing history on a central server
- A user first signs on with A9.com
- A9 Toolbar sends every URL visited back to a server called client.a9.com
- The user can access the history from anywhere
- Unadvertised feature: A9 Toolbar also sends URLs to another server, siteinfo.a9.com, regardless of whether the user has signed on or not
24
AOL Toolbar
- Hijacks Internet Explorer's error page
- Sends the URL entered by a user to multiple servers
- Downloads and displays advertisements related to the URL
- Monitors all queries involving google.com
- Transmits the data over an SSL connection to a server: snsproxy-vd01.evip.aol.com
- This behavior only occurs in version
- The latest version, 4.0, does not
25
Limitations
- Currently only works with browser plugins
- Assumes that spyware behaves in certain ways: monitors a user's activity and immediately sends out data to its home server
- Cannot detect timer-based spyware
- Assumes the spyware does not encode the data to be transmitted
26
Conclusion
NetSpy: a system that can
- Detect new spyware by inducing its spying activity
- Automatically generate NIDS signatures for spyware