Presentation is loading. Please wait.

Presentation is loading. Please wait.

Xutong Chen and Yan Chen

Published byAngèline Ledoux Modified over 5 years ago

Similar presentations

Presentation on theme: "Xutong Chen and Yan Chen"— Presentation transcript:

1 Xutong Chen and Yan Chen
Detecting Missing RAT Attacks with Semantics on Windows Xutong Chen and Yan Chen Northwestern University

2 Motivation (comparison with 5D) Keylogging case study
Outline Overview (APT and RAT) Motivation (comparison with 5D) Keylogging case study Overall flowchart graphs (already have) System Design: API + discriminative sigs Evaluation Keylogging for accuracy: API only, API+discri results Overhead: speed and memory/CPU consumption

3 High Value Asset Acquisition
Overview Initial Compromise Gaining Foothold Lateral Movement High Value Asset Acquisition Malware (e.g. RAT) Phishing Exploit vulnerability Victim Network scan Attacker Code Repo Malware propagation CONFIDENTIAL Malicious Web Database Exploit browser Behavior based Malware detection Design a detection mechanism that targets at the post-compromise steps in the APT life-cycle

4 Overview Remote Access Trojan (RAT)
Based on the study of 300+ APT whitepapers, RAT is a core component in an APT attack, and >90% are Windows based. Allows an adversary to remotely control a system A complex set of potentially harmful functions (PHFs) E.g., keylogger, remote desktop, remote shell, audio grab A Windows RAT typically embodies10~40 PHFs.

5 Motivation Observations
Ways of implementing a PHF are limited too, in terms of Core APIs & security-relevant events , and such sequences to exactly define a PHF Propose PHF-based RAT detection when a program exhibits A sufficient number of PHFs RAT-specific resource access characteristics function-level, ground truth, supervised training,  is a must for adversaries to implement a PHF A PHF could be exactly defined by a limited set of core system calls. Separation of signatures for PHFs increases the detection specificity by combining different types of signatures In each signature sequence, the core system calls are irreplaceable, and the order must be preserved to implement a p Advantages: evasion-resilient and semantic-aware Hard to evade unless attackers find new ways of implementing PHFs Know exactly what activity is going on

6 Motivation Keylogging Case Study NU Data(API) 5D Data GetKeyState
Process of Keylogging Data NU Data(API) 5D Data GetKeyState GetKeyboardState GetKeyboardLayout ToUnicodeEx GetForegroundWindow GetWindowTextW GetWindowThreadProcessId WriteFile Capture keystrokes Missing Capture foreground window information Missing Save results to file WriteFile

7 Motivation Deficiency of Traditional Malware Detection
Even if traditional detection tool captures all artifacts left by the attack, administrators still cannot understand consequences of the attack.

8 Motivation Advantage of Our Method
With our semantic-aware detection system, administrators can easily identify fine-grained semantic behaviors and understand consequences of the attack.

9 System Design

10 System Design Discriminative Features
Discriminative features is used to reduce False Positive, we propose several Discriminative features as follows: API Types: Assume that a sequence matches a behavior graph, we consider the number of unique APIs, except APIs included in the behavior graph, occurring in the same sequence. User Interaction: When a process matches a behavior graph, we judge whether there are user interactions on this process. Network Pattern: The frequency and the payload size of network traffic.

11 System Design Discriminative Feature Example on Keylogging Y axis :
Normalized # of API Types X axis : Graph Matching Score Point with other colors is Benign Red point is RAT

12 Evaluation

13 TPR(with discriminative features) FPR(with discriminative features)
Evaluation Deploy the system on three physical machines, which last three days. TPR(API only) TPR(with discriminative features) FPR(API only) FPR(with discriminative features) Keylogging 89.9% 3.2% 0.05% RemoteDesktop 84.6% WIP 4% RemoteShell 1.5% Download&Exec % 2.3% Score = 0.8 Api types = 20

14 Evaluation The throughput and the overhead of the detection system
The average # of APIs generated per host is 6K-10K APIs/sec, after filtering ( ? ) The average matching speed of all API behavior graphs per core is 38K APIs /sec and the memory consumption is 7GB (without optimization) Intel(R) Xeon(R) CPU E GHz Thus a 16 core server can support 100 hosts

15 Conclusions

16 Disk size after compression
Evaluation To test the space overhead of out collector, we deploy our collector in two individuals' computer for several days. One is an officer who frequently uses text editing applications (Word, Excel, PowerPoint), communication tools (Outlook and Skype) and Browsers (Chrome and Firefox). The other is a software developer who often uses IDE (Visual Studio), Browsers (Chrome and Firefox) and command line tools (CMD and PowerShell). Top-layer API Original Data Size 14 GB / hour Disk size after compression 2 MB / hour

Download ppt "Xutong Chen and Yan Chen"

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.

Detecting Computer Intrusions Using Behavioral Biometrics Ahmed Awad E. A, and Issa Traore University of Victoria PST’05 Oct 13,2005.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
1 Security Risk Analysis of Computer Networks: Techniques and Challenges Anoop Singhal Computer Security Division National Institute of Standards and Technology.

1 Security Risk Analysis of Computer Networks: Techniques and Challenges Anoop Singhal Computer Security Division National Institute of Standards and Technology.
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.
Life in a Dangerous World: Developing effective strategies against Virus, Worms and Other Threats Marshall Breeding Vanderbilt University

Life in a Dangerous World: Developing effective strategies against Virus, Worms and Other Threats Marshall Breeding Vanderbilt University
Security Evaluation of Pattern Classifiers under Attack.

Security Evaluation of Pattern Classifiers under Attack.
Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.

Behavior-based Spyware Detection By Engin Kirda and Christopher Kruegel Secure Systems Lab Technical University Vienna Greg Banks, Giovanni Vigna, and.
1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

1 Chap 10 Virus. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on an ever increasing.

Similar presentations

Ads by Google