Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. In Proc. of the 14th ACM conference on Computer and communications security, October 2007. 2015/9/31.

Published byEthel Jennings Modified over 8 years ago

Similar presentations

Presentation on theme: "Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. In Proc. of the 14th ACM conference on Computer and communications security, October 2007. 2015/9/31."— Presentation transcript:

1 Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. In Proc. of the 14th ACM conference on Computer and communications security, October 2007. 2015/9/31

2 Outline Introduction Panorama System Overview Taint Graphs Malware Detection Experiment Results 2015/9/32

3 Introduction Malicious software (i.e., Malware) creeps into users’ computers, collecting users’ private information, wrecking havoc on the Internet and causing millions of dollars in damage Even software provided by reputable vendors may contain code that performs undesirable actions which may violate users’ privacy E.g. Google Desktop, Sony Media Player 2015/9/33

4 Malware Detection signature-based detection cannot detect new malware or new variants. Heuristics-based detection often based on some heuristics such as the monitoring of modifications to the registry and the insertion of hooks into certain library or system interfaces incur high false positive and false negative rates Malware is easy to evade detection 2015/9/34

5 New Approach for malware detection Numerous malware categories share similar fundamental characteristics, which lies in their malicious or suspicious information access and processing behavior. They access, tamper, and (in some cases) leak sensitive information that was not intended for their consumption. Thus, based on this observation, the author have designed and developed an end-to-end system (Panorama) to automatically identify this fundamental trait of malicious/suspicious information. 2015/9/35

6 System Overview 2015/9/36

7 Components of the system Test Engine run a series of automated tests (may be benign or malicious) Taint Engine performs whole-system, fine-grained information flow tracking. Taint Graph a graph representation depicts the system-wide information behavior Malware Detection Engine detect malware from unknown samples Malware Analysis Engine examine the taint graphs, for detailed analysis information 2015/9/37

8 Design and Implementation Hardware-level taint tracking OS-Aware Taint Tracking Automated Testing and Taint Graph Generation 2015/9/38

9 Hardware-level taint tracking Since the source code for commodity software such as the Windows operating system and applications are usually not available, they monitor the whole system execution in a processor emulator and dynamically instrument code to keep track of how tainted data propagates during program execution. Shadow Memory to store the taint status of each byte of the physical memory, CPU’s general purpose registers, the hard disk and the network interface buffer Taint Sources from hardware Panorama supports taint input from hardware, such as the keyboard, network interface, and hard disk. Taint Propagation monitor each CPU instruction and DMA operation that manipulates this data 2015/9/39

10 OS-Aware Taint Tracking Resolving process and module information Resolving filesystem and network information when tainted data is written to the hard disk or sent over the network Identifying the code under analysis and its actions 2015/9/310

11 Automated Testing and Taint Graph Generation Automated Testing without human intervention, Panorama executes a number of test cases that mimic common tasks that a user might perform E.g. editing text in an editor, visiting several websites, and so on Taint Graph Generation The system-wide propagation of tainted input introduced by the test engine forms a graph over the processes/program modules and OS resources. 2015/9/311

12 Taint Graph A taint graph can be represented as g =(V,E), where V is a set of vertices either represent an operating system object (such as a process or module), an OS resource (such as a file), or a taint source (such as keyboard or network input with the appropriate labels) E is a set of directed edges connecting the vertices when tainted data is propagated from the entity that corresponds to vertices. g.root represents the root node of graph g (i.e., the taint source). Currently, Panorama defines the following nine different types of taint sources: text, password, HTTP, HTTPS, ICMP, FTP, document, and directory 2015/9/312

13 Taint Graph Example 1. A user process A reads the character that corresponds to the keystroke 2. When this process later writes the character into a file F 3. File F is then read by process B, we can establish a link from process A to the file, and subsequently from file F to process B. text AFB 2015/9/313

14 Taint-Graph-Based Malware Detection Anomalous information access behavior For some information sources, a simple access performed by the samples under analysis is suspicious. Anomalous information leakage behavior For some other information sources, it is acceptable for the samples to access them locally, but unacceptable to leak the information to third parties. Excessive information access behavior For some information sources, benign samples may access some of them occasionally, while malicious samples will access them excessively to achieve their malicious intent. 2015/9/314

15 Test cases and policies they specify the following policies: text, password, FTP, UDP and ICMP inputs cannot be accessed by the samples URL, HTTP, HTTPS and document inputs cannot be leaked by the samples directory inputs cannot be accessed excessively by the samples. 2015/9/315

16 Automatic Policies Generation It is possible to automatically generate policies by using machine learning techniques. First, they can gather a representative collection of malware and benign samples as our training set. Based on the feature vectors for the benign and malicious samples, standard classification algorithms can be applied to determine a model. Using this model, novel samples can then be classified. We will further explore this approach in our “future work”. 2015/9/316

17 Malware Detection Example This graph reflects the procedure for Windows user authentication. While a password thief is running in the background, it catches the password and saves them to its log file “c:\ginalog.log”. 2015/9/317

18 Detection results against malware and benign samples 2015/9/318

19 Limitation The taint-graph-based detection approach can only identify the information access and processing behavior of a given sample, but not its intent. In real-life, the taint graphs are invaluable for human analysts, as they help them to quickly determine and understand whether an unknown sample is indeed malicious, or whether it is benign software that is exhibiting malware-like behavior. 2015/9/319

20 Comment It’s too arbitrary to asses a behavior as malicious or benign only by few policies. Probabilistic model may help Automatic policy generation is important False positives issues 2015/9/320

Download ppt "Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. In Proc. of the 14th ACM conference on Computer and communications security, October 2007. 2015/9/31."

Similar presentations

Introduction to Computers Lecture By K. Ezirim. What is a Computer? An electronic device –Desktops, Notebooks, Mobile Devices, Calculators etc. Require.

Introduction to Computers Lecture By K. Ezirim. What is a Computer? An electronic device –Desktops, Notebooks, Mobile Devices, Calculators etc. Require.
Tutorial 8: Developing an Excel Application

Tutorial 8: Developing an Excel Application
ICS103 Programming in C Lecture 1: Overview of Computers & Programming

ICS103 Programming in C Lecture 1: Overview of Computers & Programming
Lecture 1: Overview of Computers & Programming

Lecture 1: Overview of Computers & Programming
SYSTEM PROGRAMMING & SYSTEM ADMINISTRATION

SYSTEM PROGRAMMING & SYSTEM ADMINISTRATION
FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert

FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert
Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.

Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Programming & Programming Languages Overview l Machine operations and machine language. l Example of machine language. l Different types of processor.

1 Programming & Programming Languages Overview l Machine operations and machine language. l Example of machine language. l Different types of processor.
Topic 1: Introduction to Computers and Programming

Topic 1: Introduction to Computers and Programming
Computer Systems CS208. Major Components of a Computer System Processor (CPU) Runs program instructions Main Memory Storage for running programs and current.

Computer Systems CS208. Major Components of a Computer System Processor (CPU) Runs program instructions Main Memory Storage for running programs and current.
The Operating System. Operating Systems (F) What you need to know about –operating system as a program; –directory/folder.

The Operating System. Operating Systems (F) What you need to know about –operating system as a program; –directory/folder.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Alternate Version of STARTING OUT WITH C++ 4 th Edition Chapter 1 Introduction to Computers and Programming.

Alternate Version of STARTING OUT WITH C++ 4 th Edition Chapter 1 Introduction to Computers and Programming.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.
© Paradigm Publishing Inc. 4-1 Chapter 4 System Software.

© Paradigm Publishing Inc. 4-1 Chapter 4 System Software.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Type of Software There are two main types of software They are System software Application software Hardware System Software (OS) Application Software.

Type of Software There are two main types of software They are System software Application software Hardware System Software (OS) Application Software.
Chapter 4 System Software.

Chapter 4 System Software.

Similar presentations

Ads by Google