Presentation is loading. Please wait.

Presentation is loading. Please wait.

Real-Time RAT-based APT Detection

Published byShawn Shepherd Modified over 6 years ago

Similar presentations

Presentation on theme: "Real-Time RAT-based APT Detection"— Presentation transcript:

1 Real-Time RAT-based APT Detection

2 High Value Asset Acquisition
Our Focus Initial Compromise Gaining Foothold Lateral Movement High Value Asset Acquisition Malware (e.g. RAT) Phishing Exploit vulnerability Victim Network scan Attacker Code Repo Malware propagation CONFIDENTIAL Malicious Web Exploit browser Database Behavior-based Malware Detection Behavior based Malware detection Provenance based Analytics Design a detection mechanism that targets at the key step (gaining foothold) in the APT life-cycle

3 APT Malware Remote Access Trojan (RAT)
Based on the study of 300+ APT whitepapers, RAT is a core component in an APT attack, and >90% are Windows based. Allows an adversary to remotely control a system A complex set of potentially harmful functions (PHFs) E.g., keylogger, screengrab, remote shell, audiograb A Windows RAT typically embodies10~40 PHFs.

4 Previous Malware Detection Methods would Fail RAT Detection
Major problems Do not understand the semantics of the malwares. Build detector based on the coarse-grained dynamic behavior of a malware. Would fail if a malware performs a part or other behaviors not used for training Whole behavior-based signature graph Our approach PHF1&PHF2 => signature graph. When PHF1 is triggered, it cannot be matched since the two green ancestor node are not matched/activated. In figure 1, the previous method has to match either red triangle or blue triangle to reach an interesting point so that it can detect PHF1 or PHF2. Our approach will divide them into 2 sequences and easily detect it. exhausts all the functionalities contained in a RAT generates finer-grained, per functionality detector Able to untangle the whole behavior graph

5 Basic Idea Observations Propose PHF-based RAT detection
# of PHFs possibly embodied in a RAT is limited (10~40). Ways of implementing a PHF are limited too, in terms of Core system calls, and system call sequences to exactly define a PHF  Possible to define each PHF using system call sequences Propose PHF-based RAT detection Determine if a program is a RAT, by Detecting its functionalities, and Pinpointing RAT-specific resource access characteristics function-level, ground truth, supervised training,  is a must for adversaries to implement a PHF A PHF could be exactly defined by a limited set of core system calls. Separation of signatures for PHFs increases the detection specificity by combining different types of signatures In each signature sequence, the core system calls are irreplaceable, and the order must be preserved to implement a p Advantages: fine-grained, evasion-resilient and semantic-aware Per PHF detector; semantic-aware; know exactly what activity is going on; Hard to evade unless attackers find new ways of implementing PHFs

6 Approach Design Supervised learning Training data with ground truth …
PHF1 Trace 1 PHF1 Trace 2 PHF1 Trace n Self-repeated gadgets identification and correlation analysis A PHF1 Signatures for each PHF, for determining the functionality B C RAT traces Module 1: Traces based signature generation system (offline) PHFmTrace 1 PHFmTrace 2 PHFm Trace n PHFm U Gadgets identification and correlation analysis V W Feature generation & selection Classifier signatures for differentiating benign from malicious Benign traces function-level, ground truth, supervised training Generated signatures for both determining the functionality and discerning between malicious and benign Characteristic analysis Supervised learning Signature matching PHF1 Sig Score 1 Module 2: Real-time RAT detection system System call traces NtGdiCreateCompatibleDC NtGdiBitBlt NtCreateSection NtQueryInformationProcess NtCreateThread NtResumeThread PHF2 Sig Score 2 Malicious Score PHFn-1 Sig Score n-1 Classifier Sig Score n

7 Automatic Signature Extraction Algorithm
Observation: A small set of system calls (termed as gadget) exist in traces to define a PHF. Such gadget has two main characteristics: Frequent occurrence - most malicious activities require frequent probes of input devices. Temporal and spatial locality: each standalone PHF happens quickly and locally. Sequence Alignment Algorithms: Typically used in bioinformatics to align protein or nucleotide sequences. Both local alignment and global alignment are used. Local alignment - for extracting regions of similarity within large context. Global alignment – for extracting similar sequences globally. change “With some prior knowledge” to “Such sigs can be automatically extracted from the traces because they are the common part in the system call graphs” such as keylogger and screengrab Strength: consider all categories of system calls, unlike previous approaches which consider only system call categories that seem intuitively informative, such as file systems and registry calls. Separation of PHF-based signatures allows us to increase the detection specificity by combining different types of signatures. NtProtectVirtualMemory NtGdiCreateCompatibleDC NtGdiCreateDIBSection NtGdiStretchBlt NtGdiDeleteObjectApp NtGdiExtGetObjectW NtDelayExecution NtGdiCreateCompatibleDC NtGdiCreateDIBSection NtGdiStretchBlt NtGdiDeleteObjectApp NtGdiExtGetObjectW NtDelayExecution

8 General Detection Results
Simulate the injection attack by merging a RAT trace and a benign trace TPR FPR FAROS-benign-load FAROS-stretch-goal 1 Popular Windows App PHF Traces 0.95 .exe & .dll files

9 Popular Windows Applications Detail
Tested on 50+ popular Windows applications, and zero false positive Classification Benign Applications Operations Windows Built-in applications notepad, calculator, cmd, audio recorder, snipping tool, paint commonly used operations PDF Software PDFTK Builder, Adobe Reader open "test.txt" on desktop & split it Browser IE, Chrome, Firefox download + execute Download Tools Filezilla, FlashGet connect to Remote Server + download a file + upload a file Client foxmail, Thunderbird, Outlook get Communication Tools Skype, Pidgin start a chat or a call Files & Drives winscp, 7-Zip, MultiCommander, TeraCopy connect, upload "test.txt", and download it back; open floder and compress it; move file from one floder to another Backup & Sync + Online File Storage Tools DropBox, Box, FreeFileSync, Google Drive, OneDrive Sync, upload, and download Video players vedioLAN,quicktime player select sample vedio + play it Audio tools foobar2000, MediaMonkey, Spotify play some music Text Editing notepad++, Kingsoft WPS Office open a file and edit Image Viewers and Editors GIMP, IrfanView, XnView, FastStone Image Viewer open the "test' img on desktop, and some operation .exe & .dll files

10 Evasion Attack Evaluation - Obfuscated Malware
Comparison of detection results before and after obfuscation C&C server DOTFUSCATOR .exe & .dll files RAT sample Control Flow Obfuscation Dummy Code Insertion Instruction Pattern Transformation Obfuscated RAT sample TPR FPR 100% TPR FPR 77.8% 0.056 Our system

11 Evasion Attack Evaluation - Injection Attack
Simulate the injection attack by merging a RAT trace and a benign trace Original RAT trace Merged trace TPR FPR 100% TPR FPR 77.8% 0.056 Our system .exe & .dll files

12 Fine-Grained, Evasion-Resilient and Real-time RAT Detection
Conclusion We proposed a fine-grained, evasion-resilient and real-time RAT detection approach. Our approach has been evaluated to work well in the engagement 1 and traces collected by ourselves. Fine-Grained, Evasion-Resilient and Real-time RAT Detection

Download ppt "Real-Time RAT-based APT Detection"

Similar presentations

By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.

Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
ONLINE DATA STORAGE & DOCUMENTS Lesson 3. Lesson 3 – Online documents In this lesson we will be covering:  Online documents  Compression and expansion.

ONLINE DATA STORAGE & DOCUMENTS Lesson 3. Lesson 3 – Online documents In this lesson we will be covering:  Online documents  Compression and expansion.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Practical PC, 7 th Edition Chapter 9: Sending E-mail and Attachments.

Practical PC, 7 th Edition Chapter 9: Sending and Attachments.
Chapter Objectives Explain Web page multimedia issues

Chapter Objectives Explain Web page multimedia issues
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
David Halpin Carilion Clinic Carrie Cao Virginia Western Community College.

David Halpin Carilion Clinic Carrie Cao Virginia Western Community College.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Authors: Heng Yin, Dawn Song, Manuel Egele, Christoper Kruegel, and.
Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.

Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.
Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:

Ether: Malware Analysis via Hardware Virtualization Extensions Author: Artem Dinaburg, Paul Royal, Monirul Sharif, Wenke Lee Presenter: Yi Yang Presenter:
Nemesysco’s SCA1 Automated “Emotional content” & Veracity call analyzer for multi- channel recording systems Targeted at government intelligence and Law.

Nemesysco’s SCA1 Automated “Emotional content” & Veracity call analyzer for multi- channel recording systems Targeted at government intelligence and Law.
AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.

AccessMiner Using System- Centric Models for Malware Protection Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu and Engin Kirda.
Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike.

Automated Classification and Analysis of Internet Malware M. Bailey J. Oberheide J. Andersen Z. M. Mao F. Jahanian J. Nazario RAID 2007 Presented by Mike.
Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

Christopher Kruegel University of California Engin Kirda Institute Eurecom Clemens Kolbitsch Thorsten Holz Secure Systems Lab Vienna University of Technology.

Similar presentations

Ads by Google