
Dr. XiaoFeng Wang

Slide 1: AGIS: Towards Automatic Generation of Infection Signatures
Zhuowei Li (1,3), XiaoFeng Wang (1), Zhenkai Liang (4) and Mike Reiter (2)
(1) Indiana University at Bloomington; (2) University of North Carolina at Chapel Hill; (3) Center for Software Excellence, Microsoft; (4) Carnegie Mellon University

Slide 2: Exploit signatures vs. infection signatures
(Figure contrasting an exploit signature with an infection signature.)

Slide 3: How to get infection signatures?
- Manually analyze malware infections
- Automated analysis
  - Invariant extraction from replication code
  - Checksum
  - Invariance from network traffic
  - These cannot handle even the simplest metamorphism

Slide 4: Our solution: AGIS
- Automated malware analysis
  - Run malware in a sandboxed environment
  - Identify malicious behaviors using generalized policies
- Automated infection signature generation
  - From the code necessary for the infection's mission
  - "Vanilla" infections and regular-expression signatures
  - Certain resilience to obfuscated infections

Slide 5: Differences from prior work
- Behavior-based malware detection
  - Only analyzes add-on based infections
  - No signature generation
- Panorama
  - Finer-grained analysis, but very slow
  - No signature generation

Slide 6: How does AGIS work?
(Overview diagram.)

Slide 7: Malicious behavior detection
- Create an infection graph
- Set detection policies
- Detection and behavior extraction

Slide 8: Infection graph and back tracking
(Figure: an infection graph whose nodes are downloader.exe, keylogger.exe, the keylogger process, the Run registry key, hook.dll and key.log, connected by the numbered edges 1. download, 2. modify, 3. run, 4. hook, 5. save.)

Slide 9: Detection policies
- Specifications for malicious behaviors
- Keylogger rule: a syscall for hooking the keyboard, and a callback function -> output syscalls (WriteFile, sendto, ...)
- Mass-mailing worm rule: a loop that searches directories to read files, and a syscall -> SMTP servers
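As an added illustration of slides 8 and 9 (not code from the AGIS paper or its authors), the following Python builds a small infection graph from a constructed event trace, back-tracks from a symptom to the originating process, and applies the keylogger rule (keyboard-hook syscall followed by an output syscall in the same process) to a constructed syscall log; the node names, the log entries and the WH_KEYBOARD_LL argument are assumptions.

```python
from collections import defaultdict

# Constructed edges in the shape of slide 8's infection graph (not data from the paper):
# (source node, action, target node); nodes are processes, files or registry keys.
INFECTION_EDGES = [
    ("downloader.exe", "download", "keylogger.exe"),
    ("downloader.exe", "modify", "registry:Run"),
    ("registry:Run", "run", "keylogger process"),
    ("keylogger process", "hook", "hook.dll"),
    ("hook.dll", "save", "key.log"),
]

# Constructed per-process syscall log: (process, syscall, argument). The syscall names are
# the ones slide 16 reports for Spyware.KidLogger; the hook type is an assumed argument.
SYSCALL_LOG = [
    ("keylogger process", "NtUserSetWindowsHookEx", "WH_KEYBOARD_LL"),
    ("keylogger process", "NtWriteFile", "key.log"),
    ("notepad.exe", "NtWriteFile", "notes.txt"),  # output syscall without a hook: benign
    ("updater.exe", "NtUserSetWindowsHookEx", "WH_KEYBOARD_LL"),  # hook but no output: not flagged
]

def build_graph(edges):
    """Parent map of the infection graph, so a symptom can be traced back to its origin."""
    parents = defaultdict(list)
    for src, action, dst in edges:
        parents[dst].append((src, action))
    return parents

def back_track(parents, node):
    """Walk parent edges from `node` to the root actor (slide 8's back tracking)."""
    chain = [node]
    while parents.get(chain[-1]):
        chain.append(parents[chain[-1]][0][0])
    return chain[::-1]

def keylogger_rule(log, out_calls=("NtWriteFile", "NtDeviceIoControlFile")):
    """Slide 9: keyboard-hook syscall followed, in the same process, by an output syscall."""
    hooked, flagged = set(), set()
    for proc, call, _ in log:
        if call == "NtUserSetWindowsHookEx":
            hooked.add(proc)
        elif call in out_calls and proc in hooked:
            flagged.add(proc)
    return flagged

if __name__ == "__main__":
    graph = build_graph(INFECTION_EDGES)
    for proc in keylogger_rule(SYSCALL_LOG):
        print(proc, "violates the keylogger rule; origin chain:", back_track(graph, "key.log"))
```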

Slide 10: Infection signature extraction
- Dynamic analysis and static analysis
- Get the instructions necessary for malicious behaviors
- Build signatures from those instructions

Slide 11: Analyses
- Dynamic analysis
  - Find API calls for malicious behavior (M-calls)
  - Identify their call sites through stack walking
- Static analysis
  - Instructions that prepare the M-calls' parameters (chops)

Slide 12: Obfuscated code
- Metamorphism
  - Junk-code injection: dealt with by chops
  - Code transposition: dealt with by the CFG
  - Register reassignment, instruction replacement: left for the scanner
- Polymorphism
  - Modify code -> signature

Slide 13: Get signatures
- Vanilla malware: chop
- Regular-expression signature
  - Blocks: consecutive instructions on a chop
  - Conjunction of blocks

Slide 14: Implementation
- Kernel driver: hooks the SSDT
- Static analyzer: built upon Proview PVDASM

Slide 15: Evaluations
- Malware
  - Mydoom (D/L/Q/U)
  - NetSky (B/X)
  - Spyware.KidLogger
  - Invisible KeyLogger
  - Home Keylogger
- Evaluations of detection and signature generation

Slide 16: Examples for detection
- MyDoom
  - Loop-read using NtReadFile
  - Send messages through NtDeviceIOControlFile
  - Violates the mass-mailing rule
- Spyware.KidLogger
  - Hook using NtUserSetWindowsHookEx
  - Write through NtWriteFile
  - Violates the keylogger rule
- False positives
  - None found among 19 common applications (BitTorrent, browsers, MS Office, Google Desktop, ...)

Slide 17: Chop for Mydoom.D
(Figure.)

Slide 18: Chop for Spyware.KidLogger
(Figure.)

Slide 19: FP rate vs. signature length
(Figure.)

Slide 20: Other evaluations
- FP of vanilla signatures: statically checked 1378 normal programs, no match
- Obfuscation
  - Obfuscating code with RPME: extracted the right chop
  - Encoding with UPX: found the encoding loop
- Performance
  - Detection: around 1 minute
  - Signature generation: less than 1 minute

Slide 21: Limitations
- User-land infections only
- Not for add-ons
- Undecidability of static obfuscation analysis
- Obfuscation of behaviors

Slide 22: Conclusions and future work
- Achievements
  - First infection signature generation approach for hosts
  - Works on today's user-land infections
- Future work
  - Efficient dynamic analysis tools
  - Better scanning techniques
