Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. In Proc. of the 14th ACM conference on Computer and communications security, October 2007. 2015/9/31.

Slides:



Advertisements
Similar presentations
Introduction to Computers Lecture By K. Ezirim. What is a Computer? An electronic device –Desktops, Notebooks, Mobile Devices, Calculators etc. Require.
Advertisements

Tutorial 8: Developing an Excel Application
ICS103 Programming in C Lecture 1: Overview of Computers & Programming
Lecture 1: Overview of Computers & Programming
SYSTEM PROGRAMMING & SYSTEM ADMINISTRATION
FIU Chapter 7: Input/Output Jerome Crooks Panyawat Chiamprasert
Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 Programming & Programming Languages Overview l Machine operations and machine language. l Example of machine language. l Different types of processor.
Topic 1: Introduction to Computers and Programming
Computer Systems CS208. Major Components of a Computer System Processor (CPU) Runs program instructions Main Memory Storage for running programs and current.
The Operating System. Operating Systems (F) What you need to know about –operating system as a program; –directory/folder.
Automated malware classification based on network behavior
Alternate Version of STARTING OUT WITH C++ 4 th Edition Chapter 1 Introduction to Computers and Programming.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 17: Code Mining.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.
© Paradigm Publishing Inc. 4-1 Chapter 4 System Software.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Type of Software There are two main types of software They are System software Application software Hardware System Software (OS) Application Software.
Chapter 4 System Software.
CHAPTER 2 OPERATING SYSTEM OVERVIEW 1. Operating System Operating System Definition A program that controls the execution of application programs and.
The Computer Systems By : Prabir Nandi Computer Instructor KV Lumding.
TERMS TO KNOW. Desktop This does not mean a computer desktop vs. a laptop. You probably keep a number of commonly used items on your desk at home such.
Heng Yin, Dawn Song, Manuel Egele, Christopher Kruegel, and Engin Kirda Presentation by Mridula Menon N.
Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines System.
5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.
Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.
CS 1308 Computer Literacy and the Internet. Introduction  Von Neumann computer  “Naked machine”  Hardware without any helpful user-oriented features.
CHAPTER FOUR COMPUTER SOFTWARE.
Composition and Evolution of Operating Systems Introduction to Operating Systems: Module 2.
Software. Software or Programs A set of detailed directions telling the computer exactly what to do, one step at a time. Can be one line of code or several.
INVITATION TO COMPUTER SCIENCE, JAVA VERSION, THIRD EDITION Chapter 6: An Introduction to System Software and Virtual Machines.
Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 3: Operating-System Structures System Components Operating System Services.
AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.
Executable Unpacking using Dynamic Binary Instrumentation Shubham Bansal (iN3O) Feb 2015 UndoPack 1.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.
By Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna Presented By Awrad Mohammed Ali 1.
INFORMATION SYSTEM-SOFTWARE Topic: OPERATING SYSTEM CONCEPTS.
SOFTWARE DESIGN. INTRODUCTION There are 3 distinct types of activities in design 1.External design 2.Architectural design 3.Detailed design Architectural.
CISC Machine Learning for Solving Systems Problems Presented by: Satyajeet Dept of Computer & Information Sciences University of Delaware Automatic.
Electronic Analog Computer Dr. Amin Danial Asham by.
© Paradigm Publishing, Inc. 4-1 Chapter 4 System Software Chapter 4 System Software.
Architecture View Models A model is a complete, simplified description of a system from a particular perspective or viewpoint. There is no single view.
Cryptography and Network Security Sixth Edition by William Stallings.
Digital Computer Concept and Practice Copyright ©2012 by Jaejin Lee Control Unit.
Understand Malware LESSON Security Fundamentals.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Brief Version of Starting Out with C++ Chapter 1 Introduction to Computers and Programming.
Chapter – 8 Software Tools.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Some of the utilities associated with the development of programs. These program development tools allow users to write and construct programs that the.
Programming with Java. Chapter 1 Focuses on: –components of a computer –how those components interact –how computers store and manipulate information.
INTRODUCTION TO COMPUTERS. A computer system is an electronic device used to input data, process data, store data for later use and produce output in.
DISCOVERING COMPUTERS 2018 Digital Technology, Data, and Devices
Introduction to Computing Systems
TriggerScope: Towards Detecting Logic Bombs in Android Applications
An Overview of the Computer System
Software Testing.
System Programming and administration
TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime Sadiq Basha.
Information Flow Control
A Guide to Unix Using Linux Fourth Edition
Java programming lecture one
Looking Inside the machine (Types of hardware, CPU, Memory)
An Overview of the Computer System
Software Introduction
Topic 5: Communication and the Internet
Operating System Concepts
Presentation transcript:

Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. In Proc. of the 14th ACM conference on Computer and communications security, October /9/31

Outline Introduction Panorama System Overview Taint Graphs Malware Detection Experiment Results 2015/9/32

Introduction Malicious software (i.e., Malware) creeps into users’ computers, collecting users’ private information, wrecking havoc on the Internet and causing millions of dollars in damage Even software provided by reputable vendors may contain code that performs undesirable actions which may violate users’ privacy E.g. Google Desktop, Sony Media Player 2015/9/33

Malware Detection signature-based detection cannot detect new malware or new variants. Heuristics-based detection often based on some heuristics such as the monitoring of modifications to the registry and the insertion of hooks into certain library or system interfaces incur high false positive and false negative rates Malware is easy to evade detection 2015/9/34

New Approach for malware detection Numerous malware categories share similar fundamental characteristics, which lies in their malicious or suspicious information access and processing behavior. They access, tamper, and (in some cases) leak sensitive information that was not intended for their consumption. Thus, based on this observation, the author have designed and developed an end-to-end system (Panorama) to automatically identify this fundamental trait of malicious/suspicious information. 2015/9/35

System Overview 2015/9/36

Components of the system Test Engine run a series of automated tests (may be benign or malicious) Taint Engine performs whole-system, fine-grained information flow tracking. Taint Graph a graph representation depicts the system-wide information behavior Malware Detection Engine detect malware from unknown samples Malware Analysis Engine examine the taint graphs, for detailed analysis information 2015/9/37

Design and Implementation Hardware-level taint tracking OS-Aware Taint Tracking Automated Testing and Taint Graph Generation 2015/9/38

Hardware-level taint tracking Since the source code for commodity software such as the Windows operating system and applications are usually not available, they monitor the whole system execution in a processor emulator and dynamically instrument code to keep track of how tainted data propagates during program execution. Shadow Memory to store the taint status of each byte of the physical memory, CPU’s general purpose registers, the hard disk and the network interface buffer Taint Sources from hardware Panorama supports taint input from hardware, such as the keyboard, network interface, and hard disk. Taint Propagation monitor each CPU instruction and DMA operation that manipulates this data 2015/9/39

OS-Aware Taint Tracking Resolving process and module information Resolving filesystem and network information when tainted data is written to the hard disk or sent over the network Identifying the code under analysis and its actions 2015/9/310

Automated Testing and Taint Graph Generation Automated Testing without human intervention, Panorama executes a number of test cases that mimic common tasks that a user might perform E.g. editing text in an editor, visiting several websites, and so on Taint Graph Generation The system-wide propagation of tainted input introduced by the test engine forms a graph over the processes/program modules and OS resources. 2015/9/311

Taint Graph A taint graph can be represented as g =(V,E), where V is a set of vertices either represent an operating system object (such as a process or module), an OS resource (such as a file), or a taint source (such as keyboard or network input with the appropriate labels) E is a set of directed edges connecting the vertices when tainted data is propagated from the entity that corresponds to vertices. g.root represents the root node of graph g (i.e., the taint source). Currently, Panorama defines the following nine different types of taint sources: text, password, HTTP, HTTPS, ICMP, FTP, document, and directory 2015/9/312

Taint Graph Example 1. A user process A reads the character that corresponds to the keystroke 2. When this process later writes the character into a file F 3. File F is then read by process B, we can establish a link from process A to the file, and subsequently from file F to process B. text AFB 2015/9/313

Taint-Graph-Based Malware Detection Anomalous information access behavior For some information sources, a simple access performed by the samples under analysis is suspicious. Anomalous information leakage behavior For some other information sources, it is acceptable for the samples to access them locally, but unacceptable to leak the information to third parties. Excessive information access behavior For some information sources, benign samples may access some of them occasionally, while malicious samples will access them excessively to achieve their malicious intent. 2015/9/314

Test cases and policies they specify the following policies: text, password, FTP, UDP and ICMP inputs cannot be accessed by the samples URL, HTTP, HTTPS and document inputs cannot be leaked by the samples directory inputs cannot be accessed excessively by the samples. 2015/9/315

Automatic Policies Generation It is possible to automatically generate policies by using machine learning techniques. First, they can gather a representative collection of malware and benign samples as our training set. Based on the feature vectors for the benign and malicious samples, standard classification algorithms can be applied to determine a model. Using this model, novel samples can then be classified. We will further explore this approach in our “future work”. 2015/9/316

Malware Detection Example This graph reflects the procedure for Windows user authentication. While a password thief is running in the background, it catches the password and saves them to its log file “c:\ginalog.log”. 2015/9/317

Detection results against malware and benign samples 2015/9/318

Limitation The taint-graph-based detection approach can only identify the information access and processing behavior of a given sample, but not its intent. In real-life, the taint graphs are invaluable for human analysts, as they help them to quickly determine and understand whether an unknown sample is indeed malicious, or whether it is benign software that is exhibiting malware-like behavior. 2015/9/319

Comment It’s too arbitrary to asses a behavior as malicious or benign only by few policies. Probabilistic model may help Automatic policy generation is important False positives issues 2015/9/320

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.