Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, John Mitchell
RAID 2008
1
Bot-infected Computers
Botnets are used to perform nefarious tasks, such as: keystroke logging, spyware installation, denial-of-service (DoS) attacks, hosting phishing web sites or command-and-control servers, spamming, click fraud, license key theft
2
Disadvantages of the Traditional Method
Even the most effective malware detectors fail to detect more than 30% of malware seen in the wild.
Traditional malware detectors are based on syntactic signatures. Malware producers can easily generate malware variants capable of evading existing signatures. Malware detectors have a finite set of syntactic signatures, but malicious programs have infinitely mutable syntax.
3
Behavior-based Malware Detection
Detect the high-level actions that financially motivate malware development & distribution: keystroke logging, data leaking, proxying, program download and execute
4
Semantic Gap Between Models and Monitored Events
Monitor execution of the program using an emulator. The lowest-level events in behavior specifications are system calls. Malicious behaviors are described as sequences of essential actions.
E.g. What we see
NtDeviceIo. . . NtOpenFile NtCreateSe. . . NtMapView . . .
is different from the essential actions we need to identify: download a file and execute it
[Figure: low-level events at the bottom, behaviors at the top]
5
Solutions
Complex & high-level behaviors are decomposed into multiple layers. The lowest layer represents system call invocations. Upper layers have richer semantics.
E.g. Hierarchy of events used to specify download_exec
6
Contributions
A behavior-specification language that can be used to describe novel, semantically meaningful behaviors.
A detector that identifies when a process performs a specified high-level action, regardless of the process's source-code implementation of the action.
Our evaluation demonstrates that our detector can distinguish malicious execution of high-level behaviors from benign execution.
7
Behavior Graphs
A behavior graph is a directed graph of a form that is adapted from and extends AND/OR graphs.
8
Behavior Graphs
Internal nodes represent events (with formal parameters)
9
Behavior Graphs
Edges represent predicates on event arguments
10
Behavior Graphs
OR-ed edges represent events of which at least one has to occur
11
Behavior Graphs
AND-ed edges represent events that all have to occur (but can occur in any order)
12
Behavior Graphs
Annihilator and replicator nodes represent events that destroy and duplicate resources
13
Behavior Graphs
Acceptor nodes represent actions taken by our system when behaviors are matched
14
Matching Malicious Behaviors
OS events are passed to the lowest layer
15
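As an added illustration of how such a graph is matched against a stream of low-level events (constructed example code, not the paper's detector; the event names, taint labels and the download_exec graph are assumptions): internal nodes are events, edges carry predicates on event arguments, OR-ed and AND-ed edges follow the slides' semantics, an annihilator node drops matches whose resource was destroyed, and an acceptor node reports the matched behavior.

```python
# Constructed toy matcher illustrating the slides' behavior graphs; event names,
# taint labels and the download_exec graph below are assumptions, not the paper's.
TAINT_NET = "net"   # taint label for data that arrived over the network

def matches(graph, trace):
    """Feed low-level events through a graph; return the acceptor actions fired."""
    partial = [{}]          # partial matches: node name -> args of the matched event
    fired = []
    for ev_name, args in trace:
        for name, node in graph.items():
            if node["event"] != ev_name:
                continue
            if node.get("kind") == "annihilator":
                # the event destroys a resource: drop matches that depend on it
                partial = [m for m in partial if not node["hits"](m, args)]
                continue
            for m in list(partial):
                if name in m:
                    continue
                # an edge holds if its predecessor matched and its predicate is true
                ok = [pred in m and check(m, args) for pred, check in node["edges"]]
                if node["edges"] and not (all(ok) if node["mode"] == "and" else any(ok)):
                    continue
                bound = dict(m, **{name: args})
                if node.get("kind") == "acceptor":
                    fired.append((node["action"], bound))
                else:
                    partial.append(bound)
    return fired

# download_exec: network-tainted data is written to a file (OR: two download
# paths), AND that same file is executed; deleting the file annihilates the match.
DOWNLOAD_EXEC = {
    "recv":  {"event": "net_recv", "edges": []},
    "http":  {"event": "http_read", "edges": []},
    "write": {"event": "file_write", "mode": "or", "edges": [
        ("recv", lambda m, a: TAINT_NET in a["taint"]),
        ("http", lambda m, a: TAINT_NET in a["taint"])]},
    "exec":  {"event": "proc_create", "mode": "and", "kind": "acceptor",
              "action": "download_exec",
              "edges": [("write", lambda m, a: a["path"] == m["write"]["path"])]},
    "del":   {"event": "file_delete", "kind": "annihilator",
              "hits": lambda m, a: m.get("write", {}).get("path") == a["path"]},
}

# Constructed trace of a bot dropping and running a network-received payload.
BOT_TRACE = [("net_recv", {"taint": {TAINT_NET}}),
             ("file_write", {"path": "C:/tmp/p.exe", "taint": {TAINT_NET}}),
             ("proc_create", {"path": "C:/tmp/p.exe"})]
```

A write whose data carries no network taint, or a file deleted before it is executed, produces no match, which is the distinction the taint and annihilator machinery exists to make.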
Construction of Behavior Graphs
The authors developed their graphs manually and iteratively through domain knowledge and analysis of tens of gigabytes of execution traces, obtained from multiple runs of: 1. around fifteen standard applications, 2. over one hundred specially-crafted programs, 3. several malicious programs.
16
Architecture of the System
A customized QEMU that instruments the guest code to monitor system call invocations, to perform taint analysis, and to track local user input.
A behavior matcher that receives events in real time and tries to match each loaded behavior graph.
17
Spec. of Malicious Behavior
RI stands for Remotely Initiated; Tainted refers to data received over the network
18
Results on Malicious Bots
Blank entries denote behaviors not matched because the bot did not implement them
19
Results on Benign Applications
Under two scenarios: an experiment in which user input tracking was not used, and one (“UI”) in which it was enabled.
User input tracking is very important to distinguish between behaviors triggered by the user and behaviors triggered automatically
20
Comments
False Positive Problem!!
E.g. Automatic Windows Update
21