Presentation is loading. Please wait.

Presentation is loading. Please wait.

Speaker : Hong-Ren Jiang A Novel Testbed for Detection of Malicious Software Functionality 1.

Published byAmos Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "Speaker : Hong-Ren Jiang A Novel Testbed for Detection of Malicious Software Functionality 1."— Presentation transcript:

1 Speaker : Hong-Ren Jiang A Novel Testbed for Detection of Malicious Software Functionality 1

2 Outline Abstract Introduction Related Work Detection Theory Host-Based Detection Network-Based Detection Laboratory Setup Physical Level Virtual Level Experiments and Results Discussion and Further Work Conclusion 2

3 Abstract 3 This paper presents a novel open-source testbed for behavioural software analysis. designed to meet current trends in the malware community by allowing controlled access to the Internet in the analysis phase. A novel way of using honeypot technology is proposed to build a testbed that is able to analyse current threats.

4 Introduction (1/2) 4 Malicious code may be spread by introducing malicious hidden functionality. From the more than 500.000 files they investigated,approximately 15% contained malicious code. However, attackers are constantly improving their code to evade the traditional detection algorithms.

5 Introduction (2/2) 5 Sandboxing is a relatively new approach to behavioural malware detection. However, a trend among malware authors, presented by Symantec,is to use staged downloads of malware. A modern behavioural analysis environment designed to detect unwanted functionality in downloaded applications.

6 Related Work 6 Virtual machine technology is proposed as a flexible solution for building the laboratory environment.such as Norman Sandbox and Panda TruPrevent. This paper contributes to existing malware analysis documentation in the following areas: A powerful open-source software analysis testbed is provided The testbed design is based on a number of updated malware detection theories The testbed allows for safe analysis of software,also with malicious content, utilizing staged download techniques.

7 Detection Theory 7 Most traditional anti-virus systems use signature- based detection,the major drawback being the inability to detect new, unknown malicious code. When new instances of malicious software are found, new signature files have to be written and distributed to the detection tools.

8 Host-Based Detection(1/2) 8 This section presents techniques that can be used to observe changes in the host operating system,during or immediately after installation of an application. Wang et al.suggest complementing the traditional approaches with a concept they refer to as Auto-Start Extensibility Points. an overwhelming majority of all spyware programs infect a system in such a way that they are automatically started upon reboot and the launch of most commonly used applications.

9 Host-Based Detection(2/2) 9 Software using the auto-start extensibility points is distinguished by two categories: Standalone applications that are automatically run by registering as an OS auto-start extension, such as a Windows NT service Extensions to existing applications that are automatically run, or extensions to popular applications commonly run by users, like web browsers Wang et al.introduce a concept called cross-view diff to detect stealth software. Cross-time diff aims at comparing the state of a running system with a previous snapshot of the same system. such as Tripwire.

10 Network-Based Detection(1/4) 10 Network-based detection refers to techniques used to discover the presence of malicious entities by studying properties related to network activity. Router Access Lists is to update routers with records of hosts or network segments of which are allowed or denied access to network resources. In a behavioural analysis scenario, access control lists can be utilized to help detect usage of address spoofing.

11 Network-Based Detection(2/4) 11 Intrusion detection systems (IDS) are utilities used to inspect both network flow and the content of each packet sent on a network. Mukherjee et al.suggest using IDSs to detect the presence of malware or intruders on a network.Backdoors can be detected and payload fields. Polymorphic worms have proved to make IDS-based detection more difficult. recent research has demonstrated that even such obfuscation techniques are possible to handle

12 Network-Based Detection(3/4) 12 Spitzner is one of the leaders of the honeypot development. A honeypot is a security resource whose value lies in being probed, attacked, or compromised. Honeypots can be used in production environments to help raising alerts of unauthorized activity on the network and to slow down worms. Honeypots are categorized into three different classes: low-interaction, medium-interaction and highinteraction honeypots.

13 Network-Based Detection(4/4) 13 Malware enabled to communicate with its environment utilizes different techniques to establish the communication. Skaggs et al.suggest using remote vulnerability scanners to detect the presence of malware on a host.

14 Laboratory Setup(1/3) 14 Sherlock is configured as a firewall Marple is a “gatekeeper” Horatio acts as a remote vulnerability scanner Drew is a network sniffer Bond is the victim where malicious software is installed.

15 Laboratory Setup(2/3) 15

16 Laboratory Setup(3/3) 16

17 Physical Level 17 It is critical that the physical level has been subject to system hardening so that the probability of unwanted infections is reduced to a minimum. The probability of malware being able to infect both Windows and Linux systems is relatively low, though greater than nil. To further reduce the risk of unwanted infections,the Linux system hardening tool Bastille 、 Administrative tools 、 Samhain.

18 Virtual Level 18 three roles were identified and included in the behavioural detection environment; a victim, an eavesdropper and an attacker. The victim is the host to be analyzed and where the object to be scrutinized should be installed. The eavesdropper should silently listen in to all traffic to be able to determine if any malicious or unwanted data is sent. The attacker should actively probe the victim for vulnerabilities by simulating attacker behaviour.

19 Experiments and Results(1/2) 19

20 Experiments and Results(2/2) 20

21 Discussion and Further Work 21 look at one example of stealth enabled software. It is therefore difficult to say something about the general detection capabilities of the testbed. None of the existing tools surveyed include aspects from all malware detection approaches. In the future, the quality of the testbed should be validated by running several tests with different categories of malware.

22 Conclusion 22 This paper has presented a testbed for behavioural analysis of MS Windows software where current malware trends and detection theories are considered. It is demonstrated that analysis environments can be designed without any license cost allowing organizations and students with limited resources to contribute to this important area of research.

Download ppt "Speaker : Hong-Ren Jiang A Novel Testbed for Detection of Malicious Software Functionality 1."

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia.

The Case for Tripwire® Nick Chodorow Sarah Kronk Jim Moriarty Chris Tartaglia.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.

Honeynet/Honeypot Project - Leslie Cherian - Todd Deshane - Patty Jablonski - Creighton Long May 2, 2006.
LittleOrange Internet Security an Endpoint Security Appliance.

LittleOrange Internet Security an Endpoint Security Appliance.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Department Of Computer Engineering

Department Of Computer Engineering
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.

Internet Relay Chat Security Issues By Kelvin Lau and Ming Li.
Computer Security Fundamentals by Chuck Easttom Chapter 9: Computer Security Software.

Computer Security Fundamentals by Chuck Easttom Chapter 9: Computer Security Software.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

Similar presentations

Ads by Google