Page 1

Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, John Mitchell

RAID 2008

Page 2: Bot-infected Computers

Botnets are used to perform nefarious tasks, such as: keystroke logging, spyware installation, denial-of-service (DoS) attacks, hosting phishing web sites or command-and-control servers, spamming, click fraud, license key theft.

Page 3: Disadvantages of Traditional Methods

Even the most effective malware detectors fail to detect more than 30% of malware seen in the wild.

Traditional malware detectors are based on syntactic signatures. Malware producers can easily generate malware variants capable of evading existing signatures.

Malware detectors have a finite set of syntactic signatures, but malicious programs have an infinitely mutable syntax.

Page 4: Behavior-based Malware Detection

Detect the high-level actions that financially motivate malware development and distribution: keystroke logging, data leaking, proxying, program download and execute.

Page 5: Semantic Gap between Models and Monitored Events

Monitor execution of the program using an emulator. The lowest-level events in behavior specifications are system calls. Malicious behaviors are described as sequences of essential actions.

E.g. what we see (NtDeviceIo..., NtOpenFile, NtCreateSe..., NtMapView..., ...) is different from the essential actions we need to identify (download a file and execute it).

[Figure: "Behaviors" vs. "Low-level events"]

Page 6: Solutions

Complex, high-level behaviors are decomposed into multiple layers. The lowest layer represents system call invocations. Upper layers have richer semantics.

E.g. hierarchy of events used to specify download_exec.

Page 7: Contributions

A behavior-specification language that can be used to describe novel, semantically meaningful behaviors.

A detector that identifies when a process performs a specified high-level action, regardless of the process's source-code implementation of the action.

Our evaluation demonstrates that our detector can distinguish malicious execution of high-level behaviors from benign.

Page 8: Behavior Graphs

A behavior graph is a directed graph of a form that is adapted from and extends AND/OR graphs.

Page 9: Behavior Graphs

Internal nodes represent events (with formal parameters).

Page 10: Behavior Graphs

Edges represent predicates on event arguments.

Page 11: Behavior Graphs

ORed edges represent events of which at least one has to occur.

Page 12: Behavior Graphs

ANDed edges represent events that all have to occur (but can occur in any order).

Page 13: Behavior Graphs

Annihilator and replicator nodes represent events that destroy and duplicate resources.

Page 14: Behavior Graphs

Acceptor nodes represent actions taken by our system when behaviors are matched.

Page 15: Matching Malicious Behaviors

OS events are passed to the lowest layer.
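As an added illustration (not the authors' code or their actual specifications), a toy matcher in Python that models the graph elements from the preceding slides: event nodes with formal parameters (written $F), edge predicates that require bindings to agree, ANDed and ORed edges, an annihilator that kills partial matches once their resource is destroyed, and an acceptor that fires when the root is satisfied; the `tainted` literal stands in for the network-derived taint the specification slide mentions. The download_exec graph, the abstracted syscall arguments and the traces are constructed for the example.

```python
# Toy behavior-graph matcher (added illustration, not the authors' code).
# Spec nodes: ("EVENT", (syscall, {arg: "$param" or literal})) or ("AND"/"OR", [children]).
def leaves(node):
    kind, body = node
    return [body] if kind == "EVENT" else [lf for c in body for lf in leaves(c)]

def satisfied(node, done):
    kind, body = node
    if kind == "EVENT":
        return id(body) in done
    return (all if kind == "AND" else any)(satisfied(c, done) for c in body)

def extend(binds, preds, args):
    """Edge predicates: literals must equal the argument, $params must bind consistently."""
    nb = dict(binds)
    for arg, want in preds.items():
        val = args.get(arg)
        if isinstance(want, str) and want.startswith("$"):
            if nb.setdefault(want, val) != val:
                return None
        elif val != want:
            return None
    return nb

def match(graph, annihilators, trace):
    """Feed (syscall, args) events to the lowest layer; return trace indices where the acceptor fires."""
    states, fired = [({}, frozenset())], []   # partial matches: (bindings, satisfied event nodes)
    for i, (name, args) in enumerate(trace):
        nxt = []
        for binds, done in states:
            arg, param = annihilators.get(name, (None, None))
            if param and binds.get(param) == args.get(arg):
                continue                      # annihilator: the bound resource was destroyed
            nxt.append((binds, done))         # the event may be irrelevant to this partial match
            for leaf in leaves(graph):
                nb = extend(binds, leaf[1], args) if leaf[0] == name and id(leaf) not in done else None
                if nb is not None:
                    nxt.append((nb, done | {id(leaf)}))
        states = nxt
        if any(satisfied(graph, d) for _, d in states):
            fired.append(i)                   # acceptor node: report the behavior and start over
            states = [({}, frozenset())]
    return fired

# Constructed download_exec spec (not the paper's graph): tainted bytes written to $F, then $F run or mapped.
DOWNLOAD_EXEC = ("AND", [("EVENT", ("NtWriteFile", {"file": "$F", "tainted": True})),
                         ("OR", [("EVENT", ("NtCreateProcess", {"image": "$F"})),
                                 ("EVENT", ("NtMapViewOfSection", {"file": "$F", "executable": True}))])])
ANNIHILATORS = {"NtDeleteFile": ("file", "$F")}   # deleting $F destroys the downloaded resource
MALICIOUS = [("NtWriteFile", {"file": "a.exe", "tainted": True}), ("NtCreateProcess", {"image": "a.exe"})]  # constructed
BENIGN = [("NtWriteFile", {"file": "doc.txt", "tainted": True}), ("NtCreateProcess", {"image": "notepad.exe"})]  # constructed
```

`match(DOWNLOAD_EXEC, ANNIHILATORS, MALICIOUS)` returns `[1]`, while the benign trace returns `[]` because the edge predicate on $F does not agree between the write and the process creation.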

Page 16: Construction of Behavior Graphs

The authors developed their graphs manually and iteratively, through domain knowledge and analysis of tens of gigabytes of execution traces obtained from multiple runs of:
1. around fifteen standard applications,
2. over one hundred specially-crafted programs,
3. several malicious programs.

Page 17: Architecture of the System

A customized QEMU that instruments the guest code to monitor system call invocations, to perform taint analysis, and to track local user input.

A behavior matcher that receives events in real time and tries to match each loaded behavior graph.

Page 18: Specification of Malicious Behavior

RI stands for Remotely Initiated. Tainted refers to data received over the network.

Page 19: Results on Malicious Bots

Blank entries denote behaviors not matched because the bot did not implement them.

Page 20: Results on Benign Applications

Under two scenarios: one experiment in which user input tracking was not used, and one ("UI") in which it was enabled.

User input tracking is very important to distinguish between behaviors triggered by the user and behaviors triggered automatically.

Page 21: Comments

False positive problem!!

E.g. automatic Windows Update.