Forensic Analysis of Toolkit-Generated Malicious Programs Yasmine Kandissounon TSYS School of Computer Science Columbus State University 2009 ACM Mid-Southeast.


Forensic Analysis of Toolkit-Generated Malicious Programs Yasmine Kandissounon TSYS School of Computer Science Columbus State University 2009 ACM Mid-Southeast Conference Gatlinburg, Tennessee November 12-13, 2009

State of the Threat (Jan – Jun 2009)
Microsoft Security Intelligence Report:
– 115,854,807 infections in first half 2009
– 94,985,967 infections in second half 2008
– An increase of about 22% (2008)
AVTest Labs:
– 15,000 to 20,000 new specimens analyzed each day (4 times as many as in 2006, 15 times as many as in 2005) (ESET)
Talented teams of programmers
Automated Malware Creation:
– W32.Evol, W32.Simile, W32.NGVCK, W32.VCL, etc.

What Does the AV Industry Need?
Automation
– (Szor 2005) The need for analysis by humans is a major bottleneck!
Ability to quickly and accurately detect new malware
– (Team Cymru, 2008) 1000 new samples submitted, only 37% detected by commercial AV products!
Badly needs "good" generic signatures
– (Kaspersky Lab 2008) Windows Explorer was flagged as malicious
– AVIEN's Harley: on average, current detection rates (using generic signatures) are no better than 70%-80%

Our Problem: Engine-Generated Malware
[Diagram: an engine produces a virus sample and variants 1, 2, 3, … n, which spread over the network; the malware detector must hold a signature for every variant in its signature database (virus definitions).]
Too many signatures challenge the detector.

Solution: Use Engine Signature
[Diagram: the same engine and variants 1 … n spreading over the Internet; the malware detector now holds a single engine signature instead of one signature per variant.]
Use one small piece of info about the engine to detect all of the variants.

Malware Generation as a Hidden Markov Model
Transition matrix = engine signature (choice of relevant instructions = 5 most frequent instructions: NOP, MOV, PUSH, CALL, JMP; * stands for any other instruction).
Example instruction sequence from a variant:
PUSH MOV JNZ MOV PUSH MOV NOP MOV NOP ADD JMP MOV NOP PUSH JZ PUSH MOV CALL MOV CALL SUB MOV PUSH MOV CALL POP MOV
The same sequence with non-relevant instructions replaced by *:
MOV * MOV PUSH MOV NOP MOV NOP * JMP MOV NOP PUSH * PUSH MOV CALL MOV CALL * MOV PUSH MOV CALL POP MOV
Take only the n most frequent instructions, for some n. The transition matrix is n+1 by n+1 (rows and columns NOP, MOV, PUSH, CALL, JMP, *) and represents the engine.
Problem: find the smallest n that will induce the best accuracy.

Subjects and Preparation
Malware samples:
– 100 samples of W32.Evol and W32.Simile (metamorphic viruses)
– 100 samples generated by NGVCK
– 100 samples generated by VCL
– Source:
Benign samples:
– Source: sourceforge.net, download.com, installation of Windows Vista

Classification Method
For each sample (family):
– Identify a training subset of size 30
– Compute the transition matrix for each trainer
– Take the average of these
– This average is the engine signature for the sample
For each instance not used for training:
– Compute the transition matrix of the instance
– Compute the Euclidean distance between the instance and each of the engine signatures generated in the above stage
– The signature found closest to this instance's transition matrix is declared the instance's family. If there are ties, choose one at random.
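The transition-matrix signature of the Markov-model slide and the average-matrix classification procedure above, as an added Python example that is not the authors' code; the two toy engines, the choice n = 4 and the 30/20 train/test split are constructed here for illustration and are not from the slides.

```python
# Added example, not the authors' code: engine signature = averaged first-order
# transition matrix over the n most frequent mnemonics plus "*" for all others.
from collections import Counter
import math, random
def relevant_instructions(sequences, n):
    """The n most frequent mnemonics over all sequences (the slides use n = 5)."""
    return [ins for ins, _ in Counter(i for s in sequences for i in s).most_common(n)]

def transition_matrix(seq, relevant):
    """Row-normalised (n+1)x(n+1) transition matrix; the last state is '*'."""
    states = list(relevant) + ["*"]
    idx = {s: i for i, s in enumerate(states)}
    m = [[0.0] * len(states) for _ in states]
    mapped = [i if i in idx else "*" for i in seq]      # collapse non-relevant ops
    for a, b in zip(mapped, mapped[1:]):
        m[idx[a]][idx[b]] += 1
    return [[c / sum(row) for c in row] if sum(row) else row for row in m]

def engine_signature(training_seqs, relevant):
    """Average of the trainers' transition matrices = the engine signature."""
    mats = [transition_matrix(s, relevant) for s in training_seqs]
    k = len(relevant) + 1
    return [[sum(m[i][j] for m in mats) / len(mats) for j in range(k)] for i in range(k)]
def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for ra, rb in zip(a, b) for x, y in zip(ra, rb)))
def classify(seq, signatures, relevant):
    """Family whose signature is nearest in Euclidean distance; ties broken at random."""
    dists = {f: euclidean(transition_matrix(seq, relevant), s) for f, s in signatures.items()}
    return random.choice([f for f, d in dists.items() if d == min(dists.values())])

# Constructed stand-ins for two generator engines: small Markov chains over mnemonics,
# so each engine's variants share transition statistics rather than byte patterns.
ENGINES = {"engineA": {"PUSH": ["MOV", "MOV", "CALL"], "MOV": ["CALL", "PUSH", "ADD"],
                       "CALL": ["MOV", "POP"], "ADD": ["MOV"], "POP": ["PUSH"]},
           "engineB": {"MOV": ["NOP", "NOP", "JMP"], "NOP": ["MOV", "JMP"],
                       "JMP": ["MOV", "SUB"], "SUB": ["MOV"]}}
def generate(engine, rng, length=60):
    out = [rng.choice(list(ENGINES[engine]))]
    for _ in range(length - 1):
        out.append(rng.choice(ENGINES[engine][out[-1]]))
    return out

def accuracy(n=4, train=30, test=20, seed=1):
    """Train on `train` variants per engine, classify the rest, return the hit rate."""
    rng = random.Random(seed)
    data = {e: [generate(e, rng) for _ in range(train + test)] for e in ENGINES}
    relevant = relevant_instructions([s for seqs in data.values() for s in seqs], n)
    sigs = {e: engine_signature(seqs[:train], relevant) for e, seqs in data.items()}
    hits = sum(classify(s, sigs, relevant) == e for e, seqs in data.items() for s in seqs[train:])
    return hits / (len(ENGINES) * test)
```

Because the signature is a single (n+1)x(n+1) matrix, adding a new variant of a known engine changes nothing in the detector's database, which is the point of the approach.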

Average Matrix Classifier (1st Order Markov Chain) Results:
Relevant instructions | Misclassifications
 | %
 | %
10 | 8%
15 | 11%

K-Nearest Neighbor Classification
Concept
Results
Limitations:
– Time
– Space

Discussion
Average Matrix vs kNN:
– Time and space efficiency
– Accuracy
– Behavioral characteristics not taken into account
Relevant instructions (RIs): ideal number of RIs in the vicinity of 20

Conclusion and Further Work
Conclusion:
– Good accuracy (8% misclassifications)
– Small signature (11 by 11 matrix)
– Fast detection (12 min for 150 tests)
Further work:
– 2nd order Markov chain
– Work with more samples
– Work with other families of malware
– Different ways of choosing the relevant instructions
– Try a different distance measure

References
– dyn/content/article/2008/03/19/AR html
– J euralNets.html. Last retrieved April 12, 2009
– M.R. Chouchane. "Approximate Detection of Machine-morphed Malicious Programs". Ph.D. Dissertation. (2008)
– M.R. Chouchane and A. Lakhotia. Using Engine Signature to Detect Metamorphic Malware. WORM 2006.
– Ivan Krsul and Eugene H. Spafford. Authorship Analysis: Identifying the Author of a Program. Computers & Security (1997)
– Peter Szor. The Art of Computer Virus Research and Defense (Chapter 7). 2005
– Wing Wong and Mark Stamp. Hunting for Metamorphic Engines. J Comput Virol (2006)
– Last retrieved April 12, 2009