Presentation is loading. Please wait.

Presentation is loading. Please wait.

CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China:

Published byJosephine Lester Modified over 9 years ago

Similar presentations

Presentation on theme: "CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China:"— Presentation transcript:

1 CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China: Communications Theory and Security (CTS) Author: Wei Yan Speaker: 張鈞閔 Date:2013/10/24 1/28

2 O UTLINE Introduction Cloud-based Security Service CAS: Threat Intelligence As A Service Simulation Conclusion 2/28

3 O UTLINE Introduction Cloud-based Security Service CAS: Threat Intelligence As A Service Simulation Conclusion 3/28

4 A DVANCED P ERSISTENT T HREAT The past few years have witnessed a significant increase in the number of malware threats. Today’s Anti-virus (AV) industry devotes much effort to combating Advanced Persistent Threat (APT), also as known as the advanced malware. “advanced” here means the use of some new technologies for generating new sophisticated malware to bypass security vendors’ malware scanners. 4/28

5 C HALLENGES I N O VERCOMING A DVANCED M ALWARE ’ S C OMPLEXITY Need to keep on inserting new virus signatures into the database increasing the size of the signature database consume much of the PC memories and resources Behavior-based detection approaches have been used to detect malware in sandbox, but these approaches have slow scan speeds. 5/28

6 M OVE I NTO T HE C LOUD To effectively handle the scale and magnitude of new malware variants, anti-virus functionality is being moved from the user desktop into the cloud. For a suspicious file, the AV desktop agent fetches the fingerprint or calculates the hash value of the file, and sends it to the remote cloud server. In this paper, millions of samples have been tested to evaluate CAS’s performance on detection advance malware. 6/28

7 O UTLINE Introduction Cloud-based Security Service CAS: Threat Intelligence As A Service Simulation Conclusion 7/28

8 C LOUD - BASED A NTI - VIRUS S ERVICE (1/3) 8/28

9 C LOUD - BASED A NTI - VIRUS S ERVICE (2/3) The cloud agent is a lightweight hybrid desktop solution to resolve the AV resource intensive problem. The agent collects hash values or fingerprints of suspicious files from users. If the hash values or fingerprints are already stored in the cache, the agent just returns the cached results to inform the users whether the requested files are malicious or not. Otherwise, it will search in the local light-weight signature database, or directly send the values or fingerprints into the cloud. 9/28

10 C LOUD - BASED A NTI - VIRUS S ERVICE (3/3) In order to keep a good workload balance between the desktop and cloud server, the agent requires a lightweight signature database with the size much smaller than that of the traditional one. Virus hackers use binary tools to instigate code obfuscation. An emulator includes programs to execute or emulate suspicious encrypted executables until they are fully decrypted in memory. 10/2 8

11 O UTLINE Introduction Cloud-based Security Service CAS: Threat Intelligence As A Service Simulation Conclusion 11/2 8

12 F RAMEWORK (1/2) 12/2 8

13 F RAMEWORK (2/2) The malware type identification is used to recognize the malware file types. Based on a certain file type, advanced malicious sample is forwarded to the corresponding file parser. Afterwards, the stream-based and generic signatures are generated from malware families. These signatures will be applied on high-speed network devices, such as UTM and next generation firewall, to offer cloud-based on-the-fly malware detection. 13/2 8

14 M ALWARE T YPES S UPPORTED In CAS, to support heterogeneous malware types, the intelligent parser in CAS is able to recognize the input malware file type. Current CAS supports PE (Portable Executable format), packers, non-PE. 14/2 8

15 PE PE file starts with the DOS executable header, followed by the PE header. Then the optional header is followed by the section table headers. Finally, at the end of the PE file is the section data, which contains the file’s original entry point (OEP). where file execution begins To search a PE file for malware, a scanner typically scans the segments for the known signatures at certain offsets from OEP. 15/2 8

16 PACKER Packing is an efficient way to obfuscate a file’s original contents, and as of publication time, packers are malware authors’ favored binary tools for obscuring their codes. It mutate headers into new structures and attaches a code segment that the malware will invoke before the OEP. This code is called the stub, and it decompresses the original data and locates the OEP. 16/2 8

17 N ON -PE Non-PE malware, also known as embedded malware, allows malicious codes to be hidden inside a benign file, such as JPG, GIF and PDF files. CAS uses non-PE parsers to find the hidden malicious payloads and apply signatures to detect the malware. In Fig. 4, CAS parser goes through JPG format and highlights the malicious payloads with red. 17/2 8

18 O UTLINE Introduction Cloud-based Security Service CAS: Threat Intelligence As A Service Simulation Conclusion 18/2 8

19 O N - THE - FLY DETECTION PERFORMANCE CAS correlation signature database can work with such network devices to capture latest malware. The hardware-based simulation shows that CAS online scanner can achieve more than 15Gbps performance, as shown in Table 2, much higher than other research works. 19/2 8

20 DETECT ZERO - DAY THREATS (1/2) In our testing, CAS uses 1352 correlation signatures to cover 380 packer and unpacked malware families (total 7 million malicious samples). Fig. 5 shows the detection rate without updating signatures for packer malware families. It is clear that the detection rate still keep high even we didn’t update signatures for a month. 20/2 8

21 DETECT ZERO - DAY THREATS (2/2) 21/2 8

22 O UTLINE Introduction Cloud-based Security Service CAS: Threat Intelligence As A Service Simulation Conclusion 22/2 8

23 C ONCLUSION This paper introduces CAS to identify features across malware families that are written in similar ways. Our approach is generic, and the test results have validated the ability and performances. The work are still in the early stages, and several major issues in protecting AV cloud service remain to be addressed. 23/2 8

Download ppt "CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China:"

Similar presentations

Sample chapter from https://training.zdresearch.com Reverse Engineering Course.

Sample chapter from Reverse Engineering Course.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Technical Architectures

Technical Architectures
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 10 04/18/2011 Security and Privacy in Cloud Computing.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.

Kaspersky Lab: The Best of Both Worlds Alexey Denisyuk, pre-sales engineer Kaspersky Lab Eastern Europe 5 th April 2012 / 2 nd InfoCom Security Conference.
1 Panda Malware Radar Discovering hidden threats Technical Product Presentation Name Date.

1 Panda Malware Radar Discovering hidden threats Technical Product Presentation Name Date.
Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.

Client-Server collaborative scanning Dumitru Codreanu R&D, BitDefender.
Beyond Anti-Virus by Dan Keller 1987- Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”

Beyond Anti-Virus by Dan Keller Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Silvio Cesare Ph.D. Candidate, Deakin University.

Silvio Cesare Ph.D. Candidate, Deakin University.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot

Similar presentations

Ads by Google