Analyzing and Exploiting Network Behaviors of Malware. Jose Andre Morales, Areej Al-Bataineh, Shouhuai Xu, Ravi Sandhu. SecureComm, Singapore, 2010. ©2010 Institute for Cyber Security.

Presentation transcript:

Analyzing and Exploiting Network Behaviors of Malware
Jose Andre Morales, Areej Al-Bataineh, Shouhuai Xu, Ravi Sandhu
SecureComm, Singapore, 2010
©2010 Institute for Cyber Security. World-Leading Research with Real-World Impact!

Introduction
Do malicious and benign processes behave differently from a networking perspective?
Can we exploit these differences to identify malware, especially zero-day attacks?
Analyzed 1000 malware samples, 31 of which were not detected by Virustotal.com as of 01 April 2010, and 123 benign samples
Focus on DNS, NetBIOS, TCP, UDP, ICMP

Introduction - 2
Log file analysis tallied the number of occurrences of various network events
Along with traffic observations, we identified behavior occurring mostly in malware
Defined 7 behaviors dealing with specific observed anomalies in network traffic
Some behaviors combine network events to form an anomaly
These behaviors are used to differentiate between malicious and benign processes
Clustering and classification

Contributions
Identification of network behaviors occurring mostly in malware, usable in behavior-based malware detection.
Discovery of novel malicious uses of network services by malware.
Evaluating the effectiveness of observed network behaviors in identifying malware and benign processes with clustering and classification.

7 Behaviors
B1: Process performs a NetBIOS name request on a domain name that is not part of a DNS or rDNS query
B2: Failed connection attempt to an IP address obtained from a successful DNS query
B3: Failed connection attempt to the input IP address of a successful rDNS query
B4: Connection attempt to the input IP address of a failed rDNS query

7 Behaviors
B5: ICMP-only activity: ICMP echo requests for a specific non-local IP address with no reply or a returned error message
B6: TCP/ICMP activity: TCP connection attempts to non-local IP addresses that received a successful reply to their ICMP echo requests
B7: Network activity that is rarely occurring or implemented in an anomalous manner

Behavior B1
Process performs a NetBIOS name request on a domain name that is not part of a DNS or rDNS query
Table shows B1 occurring only in malware; benign NetBIOS requests used domain names previously used in a DNS query
Several domains seen in B1 were known malicious per Malwareurl.com, but others were not

Behaviors B2, B3 & B4
DNS is often used to acquire IP addresses
Only B2 occurred: many malware samples resolved DNS domain names but could not connect to the returned IP, which was either offline or shut down, or newly registered and not yet active
B3 and B4 did not occur; possibly less favored by malware authors

Behaviors B5 & B6
ICMP used by malware (like PING) to acquire active IP addresses; these IPs were not part of previous DNS, rDNS or NetBIOS suspicious behavior
B6 dominant in malware
B5 almost the same in both, very similar to DNS behavior with no reply to the request

Behavior B7
Considered suspicious but not necessarily malicious: behaviors that were rarely occurring or implemented in a non-conventional manner
TCP connection attempts most prevalent, with the IP not acquired via DNS, NetBIOS or ICMP, possibly hardwired or dynamically generated
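Detection logic for behaviors B1, B2, B5, B6 and B7 as defined on the 7 Behaviors slides, written as an added example (not code from the paper or its authors) and run over a constructed list of per-process network events. The event schema, the process names and the LOCAL_NET subnet are assumptions; NetBIOS-resolved IPs are not modelled.

```python
import ipaddress
from collections import defaultdict

# Assumption: the sandbox VM lives in this subnet; any other address is "non-local".
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Constructed sample events (not a real capture); "ok" = DNS answered / TCP connected / ICMP replied.
SAMPLE_EVENTS = [
    {"proc": "mal.exe", "proto": "dns", "name": "evil.example", "ok": True, "ip": "198.51.100.7"},
    {"proc": "mal.exe", "proto": "tcp", "ip": "198.51.100.7", "ok": False},      # B2
    {"proc": "mal.exe", "proto": "netbios", "name": "C2HOST"},                    # B1
    {"proc": "mal.exe", "proto": "icmp", "ip": "203.0.113.9", "ok": True},
    {"proc": "mal.exe", "proto": "tcp", "ip": "203.0.113.9", "ok": True},         # B6
    {"proc": "mal.exe", "proto": "icmp", "ip": "203.0.113.10", "ok": False},      # B5
    {"proc": "browser.exe", "proto": "dns", "name": "www.example.com", "ok": True, "ip": "93.184.216.34"},
    {"proc": "browser.exe", "proto": "tcp", "ip": "93.184.216.34", "ok": True},   # normal: no behavior
    {"proc": "browser.exe", "proto": "netbios", "name": "www.example.com"},       # name seen in DNS: not B1
    {"proc": "tool.exe", "proto": "tcp", "ip": "192.0.2.50", "ok": True},         # B7: IP acquired by no visible means
]

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def detect_behaviors(events):
    # Pass 1: what each process learned from DNS/rDNS and ICMP (NetBIOS-resolved IPs not modelled here).
    dns_names, dns_ips, icmp_ok, tcp_ips = (defaultdict(set) for _ in range(4))
    for e in events:
        p = e["proc"]
        if e["proto"] in ("dns", "rdns"):
            dns_names[p].add(e["name"].lower())
            if e["proto"] == "dns" and e["ok"]:
                dns_ips[p].add(e["ip"])
        elif e["proto"] == "icmp" and e["ok"]:
            icmp_ok[p].add(e["ip"])
        elif e["proto"] == "tcp":
            tcp_ips[p].add(e["ip"])
    found = defaultdict(set)  # Pass 2: judge each NetBIOS, TCP and ICMP event against that knowledge.
    for e in events:
        p, ip = e["proc"], e.get("ip")
        if e["proto"] == "netbios" and e["name"].lower() not in dns_names[p]:
            found[p].add("B1")  # NetBIOS name never seen in a DNS/rDNS query
        elif e["proto"] == "tcp" and not is_local(ip):
            if not e["ok"] and ip in dns_ips[p]:
                found[p].add("B2")  # failed connect to a DNS-resolved IP
            if ip in icmp_ok[p]:
                found[p].add("B6")  # connect to an IP that answered an ICMP echo request
            elif ip not in dns_ips[p]:
                found[p].add("B7")  # IP not obtained via DNS or ICMP: hardwired or generated?
        elif e["proto"] == "icmp" and not e["ok"] and not is_local(ip) and ip not in tcp_ips[p]:
            found[p].add("B5")  # ICMP-only: unanswered echo to a non-local IP, nothing else sent to it
    return dict(found)
```

Processes that trigger no behavior (browser.exe in the sample) are absent from the result, so the dictionary doubles as the list of suspicious processes.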

Behavior Evaluation
1000 malware samples from the CWSandbox 27 October 2009 upload, a diverse set, still active during testing
– 31 samples from the 31 March 2010 upload not detected by Virustotal.com (MD5 search) on 1 April 2010
41 benign samples executed 3 times each = 123 total benign samples
– FTP, RSS, socnet, P2P, AV, net tools
Individual samples run for 10 minutes in VMware (XP SP2) using Windows Network Monitor with proprietary network-layer filters
Results revealed that the behaviors differentiate malicious from benign processes, including the 31 unidentified malware samples

Clustering & Classification - 01
Weka data mining software
Clustering used the complete malware and benign data set
Classification training set used the first 700 malware samples and 40 benign samples; testing used the remaining samples
The 31 unknown samples were not part of the training set

Clustering & Classification - 02

Clustering Results
If the majority of a cluster was malware, the benign samples in it were counted as FP; if the majority was benign, the malware samples in it were counted as FN
Xmeans perfect, DBScan & EM encouraging
All 31 unknown malware correctly identified
FP: video streamers, known to be unreliable networks
EM FN mostly malware downloaders

Classification Results
FN and FP very low: 2 malware flagged as FN by all 4 classifiers, only 2 video streams flagged as FP
29 unknown malware correctly identified by all 4

Discussion
B1, B2 & B7 most dominant behaviors
B1, B5 & B6 considered novel behaviors used by malware to find active remote hosts
Classification & clustering produced excellent results with minimal FN & FP
31 malware not identified by virustotal.com on 1 April 2010 were correctly detected with minimal exceptions

Conclusions
Network behaviors can be exploited to differentiate between malicious and benign processes
Discovered 3 novel network behaviors
Our approach can be combined with other perspectives to enrich detection accuracy
The behaviors detected a diverse set of malware including 31 unknown samples with minimal FP and FN