
BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection. Reporter: 林佳宜


1 BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection. Reporter: 林佳宜 /9/13

2 References
Brian Bowen, Pratap Prabhu, Vasileios P. Kemerlis, Stelios Sidiroglou, Salvatore Stolfo and Angelos Keromytis. "BotSwindler: Tamper Resistant Injection of Believable Decoys in VM-Based Hosts for Crimeware Detection." RAID.

3 Outline
 Introduction
 BotSwindler architecture
 Experiment results
 Conclusion

4 Introduction [1/2]
 The creation and rapid growth of an underground economy: bot infections are rising, and up to 9% of the machines in an enterprise are now bot-infected
 Crime-driven bots harvest sensitive data, from form grabbing and keystroke logging to screenshots and video capture
 A recent study focused on Zeus, the largest botnet, with over 3.6 million PC infections in the US; it bypassed up-to-date antivirus software 55% of the time
 Traditional crimeware detection techniques: signature comparison and anomaly-based detection

5 Introduction [2/2]
 Drawback of conventional host-based antivirus software: it is vulnerable to evasion or subversion by malware, which can disable defenses such as the antivirus itself
 BotSwindler: a novel system designed for the proactive detection of credential-stealing malware on VM-based hosts

6 BotSwindler
 Relies upon an out-of-host software agent to drive user simulations
 Convinces malware residing within the guest OS that it has captured legitimate credentials
 The simulator is tamper resistant and difficult for malware to detect, because it runs outside the guest

7 Simulation behaviors
 To generate simulations of a human user, BotSwindler relies on a formal language, VMSim, which provides a flexible way to generate variable simulation behaviors
 Uses various models for keystroke speed, mouse speed, and the frequency of errors made during typing
 One of the challenges in designing an out-of-host simulator is verifying the success or failure of the mouse and keyboard events passed to the guest OS; the authors developed a low-overhead approach for this, called virtual machine verification (VMV)

8 VMSim language
 The language provides a flexible way to generate variable simulation behaviors and workflows
 Mouse and keyboard events of a real user are captured, and the recorded events are mapped to the constructs of the VMSim language
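To make the two slides above concrete, here is a small added example (not BotSwindler's VMSim implementation) of what an out-of-host user simulator has to produce: it compiles a toy action script into a timed stream of guest input events, drawing inter-keystroke delays from a log-normal model, moving the mouse at a modelled speed with jitter, and injecting typing errors that are corrected with Backspace. A toy VMV check compares a digest of the guest's frame against the digest expected after the action. The script syntax, the model parameters and the event format are all assumptions made for this example; real parameters would be fitted from recorded human sessions.

```python
"""Toy VMSim-style user simulator and VMV check (added example, not the paper's code)."""
import hashlib
import math
import random
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model parameters (hypothetical; fit these from recorded humans).
KEY_INTERVAL_MEAN_MS = 150.0   # mean of the log-normal inter-key delay
KEY_INTERVAL_SIGMA = 0.35      # log-space spread of that delay
MOUSE_SPEED_PX_PER_MS = 1.2    # average pointer speed during a move
LETTERS = "abcdefghijklmnopqrstuvwxyz"


@dataclass
class Event:
    kind: str       # "key", "mouse", "click" or "wait"
    data: str       # key name, or "x,y" for pointer events
    delay_ms: int   # delay before this event is injected into the guest


def key_delay(rng: random.Random) -> int:
    """Inter-keystroke delay drawn from a log-normal model, floored at 20 ms."""
    return max(20, int(rng.lognormvariate(math.log(KEY_INTERVAL_MEAN_MS), KEY_INTERVAL_SIGMA)))


def simulate_typing(text: str, rng: random.Random, error_rate: float) -> List[Event]:
    """Type `text`; with probability error_rate per character, hit a wrong key first
    and correct it with Backspace, as a human would."""
    events: List[Event] = []
    for ch in text:
        if rng.random() < error_rate:
            wrong = rng.choice([c for c in LETTERS if c != ch])
            events.append(Event("key", wrong, key_delay(rng)))
            events.append(Event("key", "BackSpace", key_delay(rng)))
        events.append(Event("key", ch, key_delay(rng)))
    return events


def simulate_mouse_move(start: Tuple[int, int], end: Tuple[int, int], rng: random.Random) -> List[Event]:
    """Straight-line move split into ~10 px steps at the modelled speed, with
    per-step position and timing jitter; the final step lands exactly on `end`."""
    (x0, y0), (x1, y1) = start, end
    dist = math.hypot(x1 - x0, y1 - y0)
    steps = max(1, int(dist // 10))
    events: List[Event] = []
    for i in range(1, steps + 1):
        t = i / steps
        x = round(x0 + (x1 - x0) * t + rng.uniform(-1, 1))
        y = round(y0 + (y1 - y0) * t + rng.uniform(-1, 1))
        delay = int((dist / steps) / MOUSE_SPEED_PX_PER_MS * rng.uniform(0.8, 1.25))
        events.append(Event("mouse", f"{x},{y}", max(1, delay)))
    events[-1] = Event("mouse", f"{x1},{y1}", events[-1].delay_ms)
    return events


def compile_script(script: str, seed: int = 0, error_rate: float = 0.05) -> List[Event]:
    """Compile a toy script, one action per line:
         type <text> | move <x> <y> | click | wait <ms>
    The same seed always yields the same event stream, which makes runs reproducible."""
    rng = random.Random(seed)
    pos = (0, 0)
    events: List[Event] = []
    for line in script.strip().splitlines():
        parts = line.split(maxsplit=1)
        op, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if op == "type":
            events += simulate_typing(arg, rng, error_rate)
        elif op == "move":
            x, y = map(int, arg.split())
            events += simulate_mouse_move(pos, (x, y), rng)
            pos = (x, y)
        elif op == "click":
            events.append(Event("click", f"{pos[0]},{pos[1]}", key_delay(rng)))
        elif op == "wait":
            events.append(Event("wait", "", int(arg)))
        else:
            raise ValueError(f"unknown action: {line!r}")
    return events


def vmv_check(frame: bytes, expected_digest: str) -> bool:
    """Toy virtual machine verification: hash the guest's frame (here any byte
    string standing in for a screen capture) and compare with the digest the
    simulator expects to see once the action has taken effect."""
    return hashlib.sha256(frame).hexdigest() == expected_digest


if __name__ == "__main__":
    # Constructed workflow: log in to a decoy account.
    for ev in compile_script("move 320 240\nclick\ntype alice\nwait 500", seed=7):
        print(ev)
```

In the real system the events would be fed to the guest through the X Window subsystem rather than printed, and the VMV digest would be taken over a region of the guest's screen; the point of the example is the shape of the pipeline: script, timing models, error model, verification.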

9 BotSwindler architecture (figure)

10 Prototype of BotSwindler
 BotSwindler uses a modified version of QEMU running on a Linux host
 User simulation is implemented using X11 libraries: VMSim expresses the simulated user behavior; the simulator runs outside the virtual machine and passes its actions to the guest through the X Window subsystem; events are replayed via the Xorg Record and XTest extension libraries
 BotSwindler can operate on any guest OS supported by the underlying hypervisor or virtual machine monitor (VMM)

11 Machine learning to distinguish simulations
 A computational analysis tested whether attackers could employ machine learning algorithms on keystrokes to distinguish simulations from real users
 Experiments running Naive Bayes and Support Vector Machine (SVM) classifiers on real and generated timing data gave nearly identical classification results (real data from Killourhy and Maxion's benchmark data set)
 In a study with 25 human judges evaluating 10 videos of BotSwindler actions, the judges' average success rate was 46%, i.e. no better than guessing

12 Bait credentials (decoys)
 The system supports a variety of different types of bait credentials: Gmail, PayPal, and banking credentials
 The system automatically monitors the decoy accounts for misuse, which signals exploitation and thus detects host infection by credential-stealing malware

13 Decoy monitor
 Custom monitors for PayPal and Gmail accounts, since these services report the time of the last login; the PayPal and Gmail accounts also report the IP address of the last login
 If there is any activity from IP addresses other than the BotSwindler host IP, an alert is triggered; alerts are also triggered when the monitor cannot log in to the bait account
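The decoy monitor described on this slide, as an added example that is not the paper's monitor code: each bait account is polled for the last-login time and IP the service reports (here fed from constructed records rather than scraped from PayPal or Gmail), and an alert is raised when that IP is not one of the BotSwindler host's own addresses, when the service returns no usable IP, or when the monitor itself can no longer log in, which usually means the thief changed the password. Account names, IPs and record format are constructed for the example.

```python
"""Toy decoy-account monitor (added example, not BotSwindler's monitor)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LoginInfo:
    """What one poll of a bait account's 'last login' page yields."""
    ok: bool                              # the monitor could log in with the bait credentials
    last_login_ip: Optional[str] = None   # IP the service reports for the previous login
    last_login_time: Optional[str] = None # time string the service reports for it


@dataclass
class Alert:
    account: str
    reason: str   # "login_failed" | "no_login_data" | "bad_ip" | "foreign_login"
    detail: str


class DecoyMonitor:
    def __init__(self, host_ips: List[str]):
        # Addresses the simulator itself logs in from. Any other address means
        # someone else used the bait credentials, i.e. the host is infected.
        self.host_ips = {ipaddress.ip_address(ip) for ip in host_ips}
        self.last_seen: Dict[str, str] = {}   # account -> last login time we recorded

    def check(self, account: str, info: LoginInfo) -> Optional[Alert]:
        """Return an Alert for a suspicious poll result, or None if everything is quiet."""
        if not info.ok:
            return Alert(account, "login_failed",
                         "monitor could not log in; bait credentials may have been changed")
        if not info.last_login_ip:
            return Alert(account, "no_login_data", "service reported no last-login IP")
        try:
            ip = ipaddress.ip_address(info.last_login_ip)
        except ValueError:
            return Alert(account, "bad_ip", f"unparseable last-login IP {info.last_login_ip!r}")
        if ip not in self.host_ips:
            return Alert(account, "foreign_login",
                         f"last login from {ip} at {info.last_login_time}")
        # Quiet: remember when we last saw our own login on this account.
        self.last_seen[account] = info.last_login_time or ""
        return None


def run_monitor(monitor: DecoyMonitor, polls: List[tuple]) -> List[Alert]:
    """Feed a sequence of (account, LoginInfo) poll results through the monitor."""
    return [a for account, info in polls if (a := monitor.check(account, info)) is not None]


# Constructed poll results standing in for scraped PayPal/Gmail pages.
SAMPLE_POLLS = [
    ("paypal-decoy-1", LoginInfo(True, "203.0.113.10", "2010-03-01T10:00:00Z")),  # our own login
    ("gmail-decoy-1",  LoginInfo(True, "203.0.113.10", "2010-03-01T10:05:00Z")),  # our own login
    ("paypal-decoy-1", LoginInfo(True, "198.51.100.7", "2010-03-01T14:22:00Z")),  # someone else
    ("gmail-decoy-2",  LoginInfo(False)),                                          # password changed?
    ("bank-decoy-1",   LoginInfo(True, None, "2010-03-01T15:00:00Z")),              # no IP shown
]

if __name__ == "__main__":
    for alert in run_monitor(DecoyMonitor(["203.0.113.10"]), SAMPLE_POLLS):
        print(alert)
```

Two practical caveats: the monitor's own login overwrites the service's "last login" record, so the check only sees a thief's login that happened between two polls, and the poll interval bounds detection latency; and if the host's egress address changes (DHCP, NAT pool), it must be added to `host_ips` or every poll will raise a false foreign_login alert.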

14 Experiment results
 Results from two separate experiments
 First experiment, with 116 Zeus samples: used 5 PayPal decoys and 5 Gmail decoys, and received 14 distinct alerts from the PayPal and Gmail decoys
 Second experiment, with 59 different Zeus samples: received 3 alerts from the banking decoys

15 Virtual Machine Verification overhead (figure)

16 Contributions
 BotSwindler architecture
 VMSim language
 Virtual Machine Verification (VMV)
 Real malware detection results
 Statistical and information-theoretic analysis
 Believability user study results
 Performance overhead results

17 Conclusion
 The system is demonstrated with three types of credentials
 The system can be extended to support any type of credential that can be monitored for misuse
 The paper discusses how BotSwindler can be deployed to service hosts, including those which are not VM-based, making the approach broadly applicable

18 Questions

19 QEMU is free software written by Fabrice Bellard that emulates a processor. It is similar to Bochs and PearPC, but has features the latter two lack, such as high speed and cross-platform support. With the open-source accelerator kqemu, QEMU can emulate at speeds close to those of a real computer.

