Presentation is loading. Please wait.

Presentation is loading. Please wait.

Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.

Published byBelinda Miller Modified over 9 years ago

Similar presentations

Presentation on theme: "Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda."— Presentation transcript:

1 Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani Comparetti @ TU Vienna Christopher Kruegel @ UCSB Engin Kirda @ Institute Eurecom Xiaoyong Zhou, XiaoFeng Wang @ Indiana Univ. at Bloominton 1 USENIX Security Symposium ‘09

2 Outline Motivation System Overview System Details Evaluation Limitation Conclution 2

3 MOTIVATION Effectiveness & Efficiency 3

4 Motivation Efficiency – Binary signature based detection – Network-based detection Effectiveness – Behavior-based detection Detection based on malware's behavior Behavior is hard to obfuscate Behavior is hard to randomize Behavior is often stable across various malware version 4

5 Motivation This Paper proposes… – A behavior-based solution with Efficiency – For end hosts 5

6 SYSTEM OVERVIEW Modeling Behaviors and Making detection efficient 6

7 System Overview Malware behaviors – Manifest on system (i.e., survive reboot) (Over-) write system executables, dlls, files Create registry entries Register as Windows (startup) service – Conceal from being detected Restart under some stealthy name (e.g., svchost.exe) Inject into legitimate processes – Replicate Send emails Copy to Samba shares, USB drives, etc. Scan and exploit services on LAN or WAN 7

8 System Overview Detection based on execution characteristics – Execute malware in full system emulator (Anubis) – Monitor interaction with the operating system – Perform detailed taint analysis – Generate detection graphs Describe sequence of required system calls leading to security relevant system activity Include dependencies to related, previous calls (using taint dependencies) Detect described behavior on end host – Log system call activity of unknown executable – Match against behavior graph 8

9 System Overview Example: Agent (trojan) As part of its system manifestation, it – Reads content from binary image – Decrypts binary content Proprietary decryption routine Simple, XOR based algorithm – Stores binary in system file (C:\Windows\system32\drivers\ip6fw.sys) – Later, restarts IPv6 firewall Turns itself into a system service 9

10 System Overview 10

11 SYSTEM DETAILS Generate Behavior Graphs, Match Behavior Graphs 11

12 System Details Behavior graphs – Directed acyclic graph – Node: system calls – Edges: dependencies Dependencies – Handle dependencies Direct value propagation System provided identifiers Must be constant 12

13 System Details Data dependencies – Arbitrary data (& control) dependency between system calls – Might modify values between system calls 13

14 System Details Generate behavior graphs – Analyze executable in Anubis sandbox Obtain instruction level log Obtain program flow log Obtain memory access log Generate precise taint propagation trees – Data/control dependencies – Instructions that access/generate tainted data – Link system calls consuming data with all taint generating calls (sources) 14

15 System Details Generate behavior graphs (cont.) – Scan logs for security relevant behavior Provided with a list of interesting system calls Extract propagation formulas 15

16 System Details Match behavior graphs – Active(inactive) node – Simple(complex) function – Security-relevant system calls or the Buttom – Confirmed(deactivate all) 16

17 System Details 17

18 System Details 18

19 EVALUATION Effectiveness, Efficiency 19

20 Evaluation Effectiveness 20

21 Evaluation 21

22 Evaluation False Positive – IE, Firefox, Thunderbird, putty, notepad – 0 22

23 Evalution Efficiency 23

24 LIMITATION & CONCLUSION 24

25 Limitation Evading signature generation – Detect the virtual environment – Delays, time-triggered behavior Modifying the algorithm behavior 25

26 Conclusion Behavior can be detected Behavior detection is fast enough for end hosts – Approach intrinsically robust against polymorphism and metamorphism – To some extent, behavior graphs are usable across malware variants 26

Download ppt "Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda."

Similar presentations

Data-Flow Analysis II CS 671 March 13, 2008. CS 671 – Spring 2008 1 Data-Flow Analysis Gather conservative, approximate information about what a program.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.
Polymorphic Malware Detection Connor Schnaith, Taiyo Sogawa 9 April 2012.

Polymorphic Malware Detection Connor Schnaith, Taiyo Sogawa 9 April 2012.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware Stefano Ortolani 1, Cristiano Giuffrida 1, and Bruno Crispo 2 1 Vrije Universiteit.

KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware Stefano Ortolani 1, Cristiano Giuffrida 1, and Bruno Crispo 2 1 Vrije Universiteit.
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
IBinHunt: Binary Hunting with Inter-Procedural Control Flow Jiang Ming, Meng Pan, and Debin Gao College of Information Sciences and Technology, Penn State.

IBinHunt: Binary Hunting with Inter-Procedural Control Flow Jiang Ming, Meng Pan, and Debin Gao College of Information Sciences and Technology, Penn State.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.

Polymorphism in Computer Viruses CS265 Security Engineering Term Project Puneet Mishra.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
EFFECTIVE AND EFFICIENT MALWARE DETECTION AT THE END HOST Presentation by Clark Wachsmuth C. Kolbitsch, P. M. Comparetti, C. Kreugel, E. Kirda, X. Zhou.

EFFECTIVE AND EFFICIENT MALWARE DETECTION AT THE END HOST Presentation by Clark Wachsmuth C. Kolbitsch, P. M. Comparetti, C. Kreugel, E. Kirda, X. Zhou.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Similar presentations

Ads by Google