Presentation is loading. Please wait.

Presentation is loading. Please wait.

Real-Time RAT-based APT Detection

Published byἈρταξέρξης Κοτζιάς Modified over 5 years ago

Similar presentations

Presentation on theme: "Real-Time RAT-based APT Detection"— Presentation transcript:

1 Real-Time RAT-based APT Detection

2 High Value Asset Acquisition
Our Focus Initial Compromise Gaining Foothold Lateral Movement High Value Asset Acquisition Malware (e.g. RAT) Phishing Exploit vulnerability Victim Network scan Attacker Code Repo Malware propagation CONFIDENTIAL Malicious Web Database Exploit browser Behavior based Malware detection Design a detection mechanism that targets at the post-compromise steps in the APT life- cycle

3 APT Malware Remote Access Trojan (RAT)
Based on the study of 300+ APT whitepapers, RAT is a core component in an APT attack, and >90% are Windows based. Allows an adversary to remotely control a system Consists of a complex set of potentially harmful functions (PHFs) E.g., keylogger, screengrab, remote shell, audiograb A Windows RAT typically embodies10~40 PHFs.

4 Previous Malware Detection Methods would Fail RAT Detection
Major problems Detection based on the coarse-grained dynamic behavior of a malware. Would fail if a malware performs a part or other behaviors not used for training Do not understand the semantics of the malwares. Existing behavior-based signature graph Our approach PHF1&PHF2 => signature graph. When PHF1 is triggered, it cannot be matched since the two green ancestor node are not matched/activated. In figure 1, the previous method has to match either red triangle or blue triangle to reach an interesting point so that it can detect PHF1 or PHF2. Our approach will divide them into 2 sequences and easily detect it. exhausts all key functionalities contained in a RAT generates finer-grained, per functionality detector Able to untangle the whole behavior graph

5 Basic Idea Observations
# of PHFs possibly embodied in a RAT is limited (10~40). Ways of implementing a PHF are limited too, in terms of Core system calls & parameters , and such sequences to exactly define a PHF  Possible to define each PHF using system call sequences Propose PHF-based RAT detection when a program exhibits A sufficient number of PHFs RAT-specific resource access characteristics function-level, ground truth, supervised training,  is a must for adversaries to implement a PHF A PHF could be exactly defined by a limited set of core system calls. Separation of signatures for PHFs increases the detection specificity by combining different types of signatures In each signature sequence, the core system calls are irreplaceable, and the order must be preserved to implement a p Advantages: evasion-resilient and semantic-aware Hard to evade unless attackers find new ways of implementing PHFs Per PHF detector; semantic-aware; know exactly what activity is going on

6 Approach Design Supervised learning Training data with ground truth …
PHF1 Trace 1 PHF1 Trace 2 PHF1 Trace n Self-repeated gadgets identification and correlation analysis A PHF1 Signatures for each PHF, for determining the functionality B C RAT traces Module 1: Traces based signature generation system (offline) PHFmTrace 1 PHFmTrace 2 PHFm Trace n PHFm U Gadgets identification and correlation analysis V W Feature generation & selection Classifier signatures for differentiating benign from malicious Benign traces function-level, ground truth, supervised training Generated signatures for both determining the functionality and discerning between malicious and benign Characteristic analysis Supervised learning Signature matching PHF1 Detector Score 1 Module 2: Real-time RAT detection system System call traces NtGdiCreateCompatibleDC NtGdiBitBlt NtCreateSection NtQueryInformationProcess NtCreateThread NtResumeThread PHF2 Detector Score 2 Malicious Score PHFn-1 Detector Score n-1 Classifier Detector Score n

7 Perform well on FAROS Stretch Goal (the only data available)
Detection Results Perform well on FAROS Stretch Goal (the only data available) 71,343,906 records in total; 35,650,758 system call events 20 mins processing time, with the throughput of 3,567,195 records/min Our system detected three processes. Specifically, Profile.exe (2) matched with the remote shell detector Prodat.exe matched with the screen grab detector Then applying backtracking with these 3 processes identified all 22 attack processes in the traces (4% out of 529 total processes). Obtain good accuracy on other benign and malicious traces. No false positive for 50+ popular Windows applications (Browsers with download and execution operations; reader; Skype and Pidgin in conversation) Detected all obfuscated RAT traces and simulated injection attack traces Data #Records #System call events I/O(mins) Analysis(mins) Throughput(records/min) Stretch 71,343,906 35,650, ,567,195 FAROS stretch dataset contains about 71 million records, about half of which are system call event records. It took our system about 30 minutes to process all of them. Specically, 11 minutes were spent on I/O and 20 minutes on the real analysis part. The throughput of our system is about 3.5 million records per minute.

Download ppt "Real-Time RAT-based APT Detection"

Similar presentations

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
Fast and Precise In-Browser JavaScript Malware Detection

Fast and Precise In-Browser JavaScript Malware Detection
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.

Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Signatures As Threats to Privacy Brian Neil Levine Assistant Professor Dept. of Computer Science UMass Amherst.

Signatures As Threats to Privacy Brian Neil Levine Assistant Professor Dept. of Computer Science UMass Amherst.
Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
John P., Fang Yu, Yinglian Xie, Martin Abadi, Arvind Krishnamurthy University of California, Santa Cruz USENIX SECURITY SYMPOSIUM, August, 2010 John P.,

John P., Fang Yu, Yinglian Xie, Martin Abadi, Arvind Krishnamurthy University of California, Santa Cruz USENIX SECURITY SYMPOSIUM, August, 2010 John P.,
Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.

Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.

1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Nemesysco’s SCA1 Automated “Emotional content” & Veracity call analyzer for multi- channel recording systems Targeted at government intelligence and Law.

Nemesysco’s SCA1 Automated “Emotional content” & Veracity call analyzer for multi- channel recording systems Targeted at government intelligence and Law.
Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike.

Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike.
Identification of Bot Commands By Run-time Execution Monitoring Younghee Park, Douglas S. Reeves North Carolina State University ACSAC 2009 1.

Identification of Bot Commands By Run-time Execution Monitoring Younghee Park, Douglas S. Reeves North Carolina State University ACSAC
HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.

HIPS Host-Based Intrusion Prevention System By Ali Adlavaran & Mahdi Mohamad Pour (M.A. Team) Life’s Live in Code Life.
Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma

Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.

Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Ensemble Learning for Low-level Hardware-supported Malware Detection

Ensemble Learning for Low-level Hardware-supported Malware Detection

Similar presentations

Ads by Google