1. Roberto Paleari,Universit`a degli Studi di Milano Lorenzo Martignoni,Universit`a degli Studi di Udine Emanuele Passerini,Universit`a degli Studi di Milano Drew Davidson,University of Wisconsin Matt Fredrikson,University of Wisconsin Jon Giffin,Georgia Institute of Technology Somesh JhaUniversity of Wisconsin Automatic Generation of Remediation Procedures for Malware Infections 2010 USENIX Security Symposium

2. 2

3. 3

4. Outline Introduction Related Work System Overview System Details Evaluation Discussion Conclusion 4

5. Introduction 5 After infection,  Format disk and re-install OS  Data backups  Commercial anti-malware software  *TRIES TO* Revert the effects performed by malware  Unstable, or even failed

6. Introduction 6 In this work…  Given binary malware  Automatically generate remediation procedures  Do not require the information relating to the infection  98% of the harmful effects reverted  http://pages.cs.wisc.edu/~mfredrik/remediate/ http://pages.cs.wisc.edu/~mfredrik/remediate/

7. Related Work 7 Behavior-based malware analysis  Dynamic analysis:  A layered architecture for detecting malicious behaviors, RAID 2008  Panorama: Capturing system-wide information flow for malware detection and analysis, ACM CCS 2007  Behavior-based detection  Effective and efficient malware detection at the end host, USENIX Security Symposium 2009  Clustering  Scalable, behavior-based malware clustering, NDSS 2009

8. Related Work 8 Execution of Untrusted Applications  Back to the future: A framework for automatic malware removal and system repair, ACSAC 2006  One-way isolation: An effective approach for realizing safe execution environments, NDSS 2005

9. System Overview 9

10. 10

11. System Overview 11 High-Level Behavior Extraction  Analyze the semantics of a program to produce a sequence of meaningful behaviors

12. System Overview 12 Behavior Generalization  Attempt to over-approximate existing paths, thus encompassing future paths  Cluster all instances of the same high-level behavior together  Analyze each cluster to generalize the arguments  c:\windows\po[[:alpha:]]{3}.exe

13. System Overview 13 Remediation Procedure Generation  Attempt to match each resource (file, process, or registry key) on the system against the constraints associated with each generalized high-level behavior  c:\windows\po[[:alpha:]]{3}.exe

14. System Details 14 High-Level Behavior Extraction  Use QEMU to monitor a malware for its system call trace

15. System Details 15 Behavior Clustering

16. System Details 16 Comparison  isomorphic( )

17. System Details 17 Behavior Generalization  Probabilistic finite-state automaton (PFSA)  Simulated beam annealing algorithm

18. System Details 18

19. System Details 19 Generating Concrete Remediation Procedures  Newly-created resources DropAndAutostart( file, data, key, value, regdata) DropAndAutostart( “c : \windows\po[[: alpha :]]{3}.exe”, data, “...Windows\CurrentVersion\Run”, “(vq|qv)”, “po[[:alpha:]]{3}.exe”)

20. System Details 20 Generating Concrete Remediation Procedures  Infected Resources  Deleted Resources  Not implemented

21. Evaluation 21 Over 200 malicious programs Execute a sample 3 times in 5 different environments to collect trace data Infect 25 test environments which are all distinct from those used to collect traces Execute the generated remediation procedure Compare the remediated state to the original state

22. Evaluation 22

23. Evaluation 23 False positives  One sample: very general regular expression  *.exe  Future work Context-free grammars

24. Discussion 24 Limitation  Finding all high-level malicious behaviors can not be guaranteed.  Specific environment is required  Not enough generalizing traces  Evasion techniques

25. Conclusion 25 Automatically generating malware remediation procedures Dynamic analysis Behavior generalization Effectively remediate many possible executions Good performance Low false rate